Attribution Is Much More Than A Source IP

What seems to be happening in many intrusion cases is that an IP located in China has been associated with the attack. The immediate assumption, often by inexperienced persons involved in the investigation, is that someone in China, most likely state-sponsored, targeted their incredibly important information.

via Tech Insight: Attribution Is Much More Than A Source IP – Dark Reading.

Belkin WeMo remote shell and rapid state change exploit

Published on Jan 29, 2013

Belkin WeMo with latest firmware. Able to gain full root access and send commands including changing the state of connected device via flaw in UPnP implementation. Chose a small desk lamp and simple on/off sequence due to safety concerns. Real world this could be a fan or space heater and rapidly turn on/off without limitation. Updates with PoC soon to come.

via Belkin WeMo remote shell and rapid state change exploit – YouTube.

Stuff like this amazes me. Again. Just because you can put an IP stack on something doesn't mean you should! Below is a video showing how to break into this device that simply controls an electric outlet. He uses Backtrack 5 to break in. Backtrack is a very useful set of security research tools. The video inspires me to fire up my copy and break into something. 🙂

Security Researcher Compromises Cisco VoIP Phones With Vulnerability

As part of the demonstration, Cui inserted and removed a small external circuit board from the phone’s Ethernet port — a move he asserted could be accomplished by someone left alone inside a corporate office for a few seconds. He then used his own smartphone to capture every word spoken near the VoIP phone, even though it was still “on-hook.”

via Security Researcher Compromises Cisco VoIP Phones With Vulnerability – Dark Reading.

Tor network used to command Skynet botnet

Security researchers have identified a botnet controlled by its creators over the Tor anonymity network. It’s likely that other botnet operators will adopt this approach, according to the team from vulnerability assessment and penetration testing firm Rapid7.

via Tor network used to command Skynet botnet – online safety, security, Rapid7, encryption, spyware, malware, privacy, bitdefender, kaspersky lab – Computerworld.

“One countermeasure that companies or ISPs could eventually enforce in their firewall is to drop all packets that originate from known TOR nodes, in order to minimize the amount of potentially malicious traffic they receive,” Botezatu said. “Of course, they might also end up blacklisting a number of legit Tor users looking for anonymity.”

Extracting Data from Network Captures pcap with Perl

When I am analyzing network activity generated by malware, I am most interested in HTTP get/posts, the addresses the malware is communicating with, and the data that was actually sent or received.

via Extracting Data from Network Captures pcap with Perl « Mick’s Mix.

Chaosreader is a Perl script that takes a pcap file as its argument and will create communication summaries in a report format. It will also pull data from the tcp streams (within the pcap) and re-assemble the actual files.
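The kind of extraction described above (peer addresses, HTTP request and status lines pulled out of a pcap) can be done with a few dozen lines of code once the libpcap record format is understood. The following is an added example written for this post in Python rather than Perl; it is not Chaosreader or the script from Mick's Mix. It builds a small capture in memory (the frames, addresses and the host name `c2.example.invalid` are constructed, not taken from any real traffic) and then walks the libpcap global header, the per-record headers, and the Ethernet/IPv4/TCP headers to reach the payload. Checksums are left at zero in the constructed frames because the parser never checks them.

```python
import struct
import ipaddress

# ---- Constructed sample capture (built here in code; not a real pcap) ----------------
def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet/IPv4/TCP frame around payload. Checksums stay zero: the parser ignores them."""
    eth = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, EtherType 0x0800 (IPv4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    # data offset 5 words, flags PSH|ACK, window 65535, checksum 0, urgent 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(frames):
    """libpcap global header (magic 0xa1b2c3d4, version 2.4, linktype 1 = Ethernet) + records."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1359417600 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "198.51.100.7", 49152, 80,
                b"POST /gate.php HTTP/1.1\r\nHost: c2.example.invalid\r\n"
                b"Content-Length: 9\r\n\r\nid=victim"),
    build_frame("198.51.100.7", "10.0.0.5", 80, 49152,
                b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
    build_frame("10.0.0.5", "198.51.100.7", 49153, 443, b"\x16\x03\x01\x00\x05"),  # TLS, not HTTP
])

# ---- Parser -------------------------------------------------------------------------
def iter_packets(pcap_bytes):
    """Yield (timestamp, frame bytes) for each record; handles both byte orders of the magic."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    linktype, = struct.unpack_from(endian + "I", pcap_bytes, 20)
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(pcap_bytes):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap_bytes, off)
        off += 16
        yield ts_sec, pcap_bytes[off:off + incl_len]
        off += incl_len

def parse_frame(frame):
    """Return (src, dst, sport, dport, tcp_payload) for IPv4/TCP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:  # protocol field: 6 = TCP
        return None
    total_len = struct.unpack_from("!H", ip, 2)[0]
    src = str(ipaddress.IPv4Address(ip[12:16]))
    dst = str(ipaddress.IPv4Address(ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[data_off:]

def extract_http(pcap_bytes):
    """Rows of (timestamp, src:port, dst:port, first line) for payloads that look like HTTP."""
    rows = []
    for ts, frame in iter_packets(pcap_bytes):
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        first = payload.split(b"\r\n", 1)[0]
        if first.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ", b"HTTP/")):
            rows.append((ts, f"{src}:{sport}", f"{dst}:{dport}", first.decode("ascii", "replace")))
    return rows

def remote_peers(pcap_bytes, local_prefix="10."):
    """Addresses the monitored (local_prefix) host talked to, regardless of direction."""
    peers = set()
    for _, frame in iter_packets(pcap_bytes):
        parsed = parse_frame(frame)
        if parsed is not None:
            src, dst = parsed[0], parsed[1]
            peers.add(dst if src.startswith(local_prefix) else src)
    return peers

if __name__ == "__main__":
    for row in extract_http(SAMPLE_PCAP):
        print(*row)
    print("peers:", sorted(remote_peers(SAMPLE_PCAP)))
```

Reassembling TCP streams across segments, which Chaosreader does, is deliberately left out: each record is treated on its own, so a request line split across two segments would be missed. For malware triage that is usually acceptable for a first pass, and the peer list plus request lines already answer the three questions the post opens with.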

Finding Rootkits By Monitoring For ‘Black Sheep’

Blacksheep compares memory dumps from each monitored system, first creating lists of kernel memory modules that are then sorted and compared, calculating the distance that each list of modules is from the others. The system then compares each byte of a module's code with other systems to find differences that could indicate changes inserted by a rootkit. Blacksheep also conducts memory crawling to catch changes to kernel data and checks five different kernel entry points for signs of changes.

via Finding Rootkits By Monitoring For ‘Black Sheep’ – Dark Reading.
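The two comparisons the article describes, module-list distance and byte-level comparison of shared module code, are easy to reproduce on small data. The following is an added example written for this post; it is not Blacksheep's code and makes no claim about how Blacksheep scores hosts. The module inventories are constructed: four hosts with the same four kernel modules, one host carrying an extra module and one host whose copy of a shared module has a few bytes rewritten. Distance is taken here as the size of the symmetric difference between two hosts' module-name sets, and a host is reported when its mean distance to the others exceeds the mean over all hosts; for code comparison, a host is reported when its copy of a module hashes differently from the majority, with the offset of the first differing byte.

```python
import hashlib
from collections import Counter

# ---- Constructed inventories: module name -> code bytes (not real kernel code) ----------
BASE_MODULES = {
    "ntoskrnl.exe": b"\x48\x89\x5c\x24\x08" * 40,
    "hal.dll":      b"\x40\x53\x48\x83\xec\x20" * 30,
    "tcpip.sys":    b"\x4c\x8b\xdc\x49\x89\x5b" * 50,
    "ndis.sys":     b"\x48\x8b\xc4\x48\x89\x58" * 25,
}

def make_host(extra=None, patch=None):
    """Copy of the baseline, optionally with an extra module or a patched byte range."""
    mods = {name: bytearray(code) for name, code in BASE_MODULES.items()}
    if extra:
        mods.update({name: bytearray(code) for name, code in extra.items()})
    if patch:
        name, offset, new_bytes = patch
        mods[name][offset:offset + len(new_bytes)] = new_bytes
    return {name: bytes(code) for name, code in mods.items()}

HOSTS = {
    "host-a": make_host(),
    "host-b": make_host(),
    "host-c": make_host(extra={"xyz.sys": b"\x90" * 64}),                      # unexpected module
    "host-d": make_host(patch=("tcpip.sys", 16, b"\xe9\x00\x10\x00\x00")),   # rewritten bytes in a shared module
}

# ---- Step 1: module-list distance ---------------------------------------------------------
def module_list_distance(a, b):
    """Number of module names present on exactly one of the two hosts."""
    return len(set(a) ^ set(b))

def list_outliers(hosts):
    """Hosts whose mean distance to the others is above the mean over all hosts."""
    names = list(hosts)
    mean_dist = {
        n: sum(module_list_distance(hosts[n], hosts[m]) for m in names if m != n) / (len(names) - 1)
        for n in names
    }
    overall = sum(mean_dist.values()) / len(names)
    return {n: d for n, d in mean_dist.items() if d > overall}

# ---- Step 2: byte-level comparison of modules every host has ------------------------------
def code_diff_outliers(hosts):
    """{host: [(module, first differing offset), ...]} for copies that disagree with the majority."""
    common = set.intersection(*(set(mods) for mods in hosts.values()))
    findings = {}
    for mod in sorted(common):
        digests = {n: hashlib.sha256(mods[mod]).digest() for n, mods in hosts.items()}
        majority = Counter(digests.values()).most_common(1)[0][0]
        reference = next(mods[mod] for n, mods in hosts.items() if digests[n] == majority)
        for n, mods in hosts.items():
            if digests[n] == majority:
                continue
            first = next((i for i, (x, y) in enumerate(zip(reference, mods[mod])) if x != y),
                         min(len(reference), len(mods[mod])))  # lengths differ, bytes agree
            findings.setdefault(n, []).append((mod, first))
    return findings

if __name__ == "__main__":
    print("module-list outliers:", list_outliers(HOSTS))
    print("code outliers:", code_diff_outliers(HOSTS))
```

The majority vote is what makes this work without a golden image: nothing here knows what `tcpip.sys` should look like, only that three hosts agree and one does not. It also shows the approach's blind spot, which the article's "black sheep" framing implies: a rootkit installed identically on most of the fleet becomes the majority and is not flagged.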

Crack in Internet’s foundation of trust allows HTTPS session hijacking

The technique exploits web sessions protected by the Secure Sockets Layer and Transport Layer Security protocols when they use one of two data-compression schemes designed to reduce network congestion or the time it takes for webpages to load. Short for Compression Ratio Info-leak Made Easy, CRIME works only when both the browser and server support TLS compression or SPDY, an open networking protocol used by both Google and Twitter. Microsoft’s Internet Explorer, Google’s Chrome and Mozilla’s Firefox browsers are all believed to be immune to the attack, but at time of writing smartphone browsers and a myriad of other applications that rely on TLS are believed to remain vulnerable.

via Crack in Internet’s foundation of trust allows HTTPS session hijacking | Ars Technica.

A side effect of compression, security experts have long known, is that it leaks clues about the encrypted contents. That means it provides a “side channel” to adversaries who have the ability to monitor the data. A research paper published in 2002 by John Kelsey looks eerily similar to CRIME, but only in retrospect.
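The side channel Kelsey described and CRIME exploits can be shown with nothing more than zlib: when attacker-influenced bytes and a secret are compressed in one context, the compressed length depends on the secret. The following is an added example written for this post, not code from the article or from the CRIME authors. It models one HTTP request whose path the attacker chooses and whose cookie the browser adds, with three deployment modes: the CRIME precondition (one compression context over both), compression disabled (what the immune browsers named above effectively do), and a layout that never compresses the secret-bearing header. The cookie values are constructed, and `leaks()` tests the property that matters to a defender: with the attacker's input held fixed, does the observed length change when the secret changes?

```python
import zlib

# Constructed secrets of equal length; no real session identifiers
SECRET_A = "sessionid=3f9ab2c41d0e"
SECRET_B = "sessionid=9a2c4d0e13fb"

def observed_len(attacker_path, secret, mode):
    """Length an eavesdropper sees for one request, under the given compression layout."""
    request_line = f"GET /{attacker_path} HTTP/1.1\r\n".encode()
    cookie_line = f"Cookie: {secret}\r\n".encode()
    if mode == "none":                # TLS compression disabled: plaintext length only
        return len(request_line + cookie_line)
    if mode == "shared":              # one context for everything: the CRIME precondition
        return len(zlib.compress(request_line + cookie_line, 9))
    if mode == "secret_uncompressed":  # secret-bearing header kept out of the compressor
        return len(zlib.compress(request_line, 9)) + len(cookie_line)
    raise ValueError(f"unknown mode {mode!r}")

def leaks(mode, attacker_path=SECRET_A):
    """True if, for a fixed attacker-chosen path, the length differs between two equal-length secrets."""
    return observed_len(attacker_path, SECRET_A, mode) != observed_len(attacker_path, SECRET_B, mode)

def matched_secret_is_shorter(mode):
    """In the leaking mode the request whose path repeats the real cookie compresses smaller."""
    return observed_len(SECRET_A, SECRET_A, mode) < observed_len(SECRET_A, SECRET_B, mode)

if __name__ == "__main__":
    for mode in ("shared", "none", "secret_uncompressed"):
        print(f"{mode:20s} leaks={leaks(mode)} "
              f"len(secret=A)={observed_len(SECRET_A, SECRET_A, mode)} "
              f"len(secret=B)={observed_len(SECRET_A, SECRET_B, mode)}")
```

In `shared` mode the path `sessionid=3f9ab2c41d0e` is a full back-reference for the cookie when the secret really is `SECRET_A`, but only a ten-byte match followed by twelve literals when it is `SECRET_B`, so the two lengths differ by several bytes and the length alone tells the two secrets apart. The other two modes give identical lengths for either secret; they differ in cost (no compression at all versus compressing only the parts the attacker could have seen anyway), which is the trade-off the browser vendors made.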

The Honeynet Project

The HoneyMap shows a real-time visualization of attacks against the Honeynet Project’s sensors deployed around the world. It leverages the internal data sharing protocol hpfeeds as its data source. Read this post to learn about the technical details and frequently asked questions. Before going into explanations, take a look at the map itself: map.honeynet.org!

via Blogs | The Honeynet Project.

Hackers Exploit ‘Zero-Day’ Bugs For 10 Months On Average Before They’re Exposed

One aspect of zero-day exploit use that's made them tough to track and count has been how closely targeted they are. Unlike the mass malware infections that typically infect many thousands of machines using known vulnerabilities, the majority of the exploits in Symantec's study only affected a handful of machines: all but four of the exploits infected less than 100 targets, and four were found on only one computer.

via Hackers Exploit ‘Zero-Day’ Bugs For 10 Months On Average Before They’re Exposed – Forbes.

Unsurprisingly, the study shows that hackers target common software like Microsoft Word, Flash and Adobe Reader. Sixteen of the 18 zero-day exploits discovered and analyzed in the study affected Microsoft and Adobe software.

Popular RATs Found Riddled With Bugs, Weak Crypto

The researchers, in conjunction with their research paper (PDF), released tools for decrypting RAT traffic and proof-of-concept exploits for the bugs they found. They found that the tools include weak, or no, encryption: Bandook, for example, uses obfuscation, not encryption, to protect its traffic between the victim’s machine and the C&C server.

via Popular RATs Found Riddled With Bugs, Weak Crypto – Dark Reading.

“A good understanding of their protocols is critical to network and system administrators deploying tools that can notice the presence of a RAT,” they said.

RAT = Remote Administrative Tool, a tool used by the bad guys to snoop on a victim. To the victim this is more commonly referred to as a trojan.
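The Bandook finding above, obfuscation rather than encryption, is the difference between a scheme that hides bytes from casual inspection and one that withstands an analyst who knows some of the plaintext. The following is an added example written for this post; it does not reproduce Bandook's or any real RAT's protocol, and the check-in format, key and captured payloads are all constructed. It shows why a repeating-key XOR "protection" falls to known plaintext (the fixed beacon header every client sends), how the key length can be recovered from that same plaintext, and how the recovered key then becomes a detector that spots beacons in traffic, which is the use the researchers recommend to administrators.

```python
from itertools import cycle

def xor_bytes(data, key):
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

# ---- Constructed toy RAT traffic (not a real RAT's format or key) ------------------------
TOY_KEY = b"\x5a\x13\xc7\x28"
BEACON_PLAINTEXT = b"HELLO|victim-pc|WIN7|1.4.2\n"   # fixed check-in every client sends first
CAPTURED = [
    xor_bytes(BEACON_PLAINTEXT, TOY_KEY),
    xor_bytes(b"CMD|screenshot\n", TOY_KEY),
    b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",   # unrelated cleartext traffic
]

# ---- Analyst side: recover the key from the predictable header ----------------------------
def recover_key(ciphertext, known_prefix, key_len):
    """With a repeating key, key[i] = ciphertext[i] ^ plaintext[i] for i < key_len."""
    if len(known_prefix) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix[:key_len]))

def key_length_candidates(ciphertext, known_prefix, max_len=16):
    """Key lengths L for which the key taken from the first L bytes reproduces the whole known prefix.
    The true length is the smallest candidate; its multiples also appear."""
    candidates = []
    for length in range(1, max_len + 1):
        if length >= len(known_prefix):
            break
        key = recover_key(ciphertext, known_prefix, length)
        if xor_bytes(ciphertext[:len(known_prefix)], key) == known_prefix:
            candidates.append(length)
    return candidates

# ---- Defender side: use the recovered key as a detector ----------------------------------
def find_beacons(packets, key, marker=b"HELLO|"):
    """Indices of payloads that decode to the beacon marker under the recovered key."""
    return [i for i, p in enumerate(packets) if xor_bytes(p, key).startswith(marker)]

def decode_session(packets, key):
    """Decode every payload; what is not RAT traffic decodes to garbage and is easy to drop."""
    return [xor_bytes(p, key) for p in packets]

if __name__ == "__main__":
    lengths = key_length_candidates(CAPTURED[0], BEACON_PLAINTEXT[:21])
    key = recover_key(CAPTURED[0], BEACON_PLAINTEXT, lengths[0])
    print("key length candidates:", lengths, "recovered key:", key.hex())
    print("beacon packets:", find_beacons(CAPTURED, key))
    for i, text in enumerate(decode_session(CAPTURED, key)):
        print(i, text[:24])
```

The same known-plaintext idea is why a fixed protocol header is such a liability for malware authors and such a gift to analysts: once a handful of bytes of structure is known, every byte of key is one XOR away, and a network sensor can apply the key to each new flow and match on the marker rather than on a brittle byte signature of one encoded sample.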