75 Percent of Bluetooth Smart Locks Can Be Hacked

Twelve out of 16 Bluetooth smart locks examined could be unlocked by a remote attacker, a researcher said at the DEF CON hacker conference.

Source: 75 Percent of Bluetooth Smart Locks Can Be Hacked

The problems didn’t lie with the Bluetooth Low Energy protocol itself, Rose said, but in the way the locks implemented Bluetooth communications, or with a lock’s companion smartphone app. Four locks, for example, transmitted their user passwords in plaintext to smartphones, making it easy for anyone with a $100 Bluetooth sniffer to pluck the passwords out of thin air.

From: http://xkcd.com/538/

Microsoft Live Account Credentials Leaking From Windows 8 And Above

Basically, the default User Authentication Settings of Edge/Spartan (also Internet Explorer, Outlook) let the browser connect to local network shares, but erroneously fail to block connections to remote shares. To exploit this, an attacker would simply set up a network share. An embedded image link that points to that network share is then sent to the victim, for example as part of an email or website. As soon as the prepped content is viewed inside a Microsoft product such as Edge/Spartan, Internet Explorer or Outlook, that software will try to connect to that share in order to download the image. Doing so, it will silently send the user’s Windows login username in plaintext along with the NTLMv2 hash of the login password to the attacker’s network share.

Source: Microsoft Live Account Credentials Leaking From Windows 8 And Above | Hackaday

How to Compromise the Enterprise Endpoint

Because Symantec uses a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link to an exploit is enough to trigger it – the victim does not need to open the file or interact with it in any way. Because no interaction is necessary to exploit it, this is a wormable vulnerability with potentially devastating consequences to Norton and Symantec customers.

An attacker could easily compromise an entire enterprise fleet using a vulnerability like this. Network administrators should keep scenarios like this in mind when deciding to deploy Antivirus, it’s a significant tradeoff in terms of increasing attack surface.

Source: Project Zero: How to Compromise the Enterprise Endpoint

ImageMagick Remote Command Execution Vulnerability

The vulnerability is very simple to exploit, an attacker only needs an image uploader tool that leverages ImageMagick. During our research we found many popular web applications and SaaS products vulnerable to it (people love gravatars), and we have been contacting them privately to get things patched. Unfortunately, even with all the media attention, not everyone is aware of this issue.

Source: ImageMagick Remote Command Execution Vulnerability – Sucuri Blog

Update from ImageMagick Is On Fire — CVE-2016-3714

If you use ImageMagick or an affected library, we recommend you mitigate the known vulnerabilities by doing at least one of these two things (but preferably both!):

  1. Verify that all image files begin with the expected “magic bytes” corresponding to the image file types you support before sending them to ImageMagick for processing. (see FAQ for more info)

  2. Use a policy file to disable the vulnerable ImageMagick coders. The global policy for ImageMagick is usually found in “/etc/ImageMagick”. The below policy.xml example will disable the coders EPHEMERAL, URL, MVG, and MSL.

My ImageMagick policy file is in /usr/lib64/ImageMagick-6.6.4/config/policy.xml. Click the link to get the exact rules to add. I use ImageMagick with Gallery software, but only admin has access to uploading images, so this bug doesn’t matter for my use case.
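The first mitigation above, a magic-bytes check, is worth seeing in code because ImageMagick chooses a coder by sniffing file content rather than trusting the extension. The following is an added example, not code from the original post or from the ImageMagick project; the accepted types (PNG, JPEG, GIF), the function names and the sample inputs are my own assumptions.

```python
# Added example: verify an upload's magic bytes before handing it to
# ImageMagick. Hypothetical helper names; not part of ImageMagick.

# Signatures for the image types this hypothetical uploader accepts.
# Anything else (text, XML/SVG, MVG, MSL, ...) is rejected up front,
# so ImageMagick never gets a chance to pick a dangerous coder for it.
SIGNATURES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}


def detect_image_type(data: bytes):
    """Return the type whose signature the data starts with, or None."""
    for image_type, prefixes in SIGNATURES.items():
        if any(data.startswith(p) for p in prefixes):
            return image_type
    return None


def is_safe_for_imagemagick(data: bytes, claimed_extension: str) -> bool:
    """Accept only when the bytes match a supported signature AND that
    signature agrees with the extension the client claimed, so a text
    file renamed to .png is refused even though the name looks fine."""
    detected = detect_image_type(data)
    if detected is None:
        return False
    ext = claimed_extension.lower().lstrip(".")
    if ext == "jpg":
        ext = "jpeg"
    return ext == detected


# Constructed samples (not real uploads): a PNG header, a JPEG header,
# a GIF header, and an XML document renamed to .png, which is the shape
# of upload the vulnerable services were accepting.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
SAMPLE_GIF = b"GIF89a" + b"\x00" * 16
SAMPLE_XML_AS_PNG = b"<?xml version='1.0'?>\n<svg/>\n"

if __name__ == "__main__":
    for name, blob in [("png", SAMPLE_PNG), ("jpg", SAMPLE_JPEG),
                       ("gif", SAMPLE_GIF), ("png", SAMPLE_XML_AS_PNG)]:
        print(name, detect_image_type(blob), is_safe_for_imagemagick(blob, name))
```

The check belongs in the upload handler before any ImageMagick call; it complements the policy.xml coder restrictions rather than replacing them.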

How I Hacked Facebook, and Found Someone’s Backdoor Script

Here I’d like to explain some common security problems found in large corporations during pentesting by giving an example.

Source: How I Hacked Facebook, and Found Someone’s Backdoor Script | DEVCORE 戴夫寇爾

A brief summary: the hacker created a proxy on the credential page to log the credentials of Facebook employees. These logged passwords were stored under the web directory, where the hacker fetched them with WGET every once in a while.

Antivirus software could make your company more vulnerable

While these are mainly examples of using antivirus vulnerabilities to evade detection, there’s also a demand for remote code execution exploits affecting antivirus products and these are being sold by specialized brokers on the largely unregulated exploit market.

Among the emails leaked last year from Italian surveillance firm Hacking Team there is a document with exploits offered for sale by an outfit called Vulnerabilities Brokerage International. The document lists various privilege escalation, information disclosure and detection bypassing exploits for multiple antivirus products, and also a remote code execution exploit for ESET NOD32 Antivirus with the status “sold.”

Source: Antivirus software could make your company more vulnerable

On the Juniper backdoor

To sum up, some hacker or group of hackers noticed an existing backdoor in the Juniper software, which may have been intentional or unintentional — you be the judge! They then piggybacked on top of it to build a backdoor of their own, something they were able to do because all of the hard work had already been done for them. The end result was a period in which someone — maybe a foreign government — was able to decrypt Juniper traffic in the U.S. and around the world.

And all because Juniper had already paved the road.

Source: A Few Thoughts on Cryptographic Engineering: On the Juniper backdoor

One of the most serious concerns we raise during these meetings is the possibility that encryption backdoors could be subverted. Specifically, that a backdoor intended for law enforcement could somehow become a backdoor for people who we don’t trust to read our messages. Normally when we talk about this, we’re concerned about failures in storage of things like escrow keys. What this Juniper vulnerability illustrates is that the danger is much broader and more serious than that.