NewsBytes Aug-Sept<br />Ashwin Patil<br />GCIH, RHCE, CCNA<br />2+ in Infosec<br />
Announcements<br /><ul><li>Malcon 2011: Call for Papers</li></ul>http://malcon.org/cfp/<br />Venue: Mumbai, Nov 2011<br /><ul><li>CFP for nullcon 2012 (Tritiya) is open!!!</li></ul>http://nullcon.net/cfp-nullcon/<br />Venue: Goa, Feb 2012<br /><ul><li>c0c0n</li></ul>http://www.informationsecurityday.com/c0c0n/<br />Venue: Cochin (Kochi), 7 and 8 Oct 2011<br />
Stop reading and patch your browser first<br /><ul><li>DigiNotar is a Dutch Certificate Authority. They sell SSL certificates.
Also works with the government on its PKI implementations
Certificate Authority (CA): issues digital certificates, a.k.a. a trusted third party
Damage: issued fraudulent certificates for nearly 531 domains
List includes:</li></ul>Domains: *.*.com, *.*.org, *.google, *.microsoft.com, *.mozilla.org, *.torproject.org, login.live.com, login.yahoo.com, addons.mozilla.org, twitter.com, *.skype.com, www.update.microsoft.com<br />Root CAs: Comodo Root CA, Globalsign Root CA, Cybertrust Root CA, Thawte Root CA, Digicert Root CA, Verisign Root CA, Equifax Root CA<br /><ul><li>Browsers: Mozilla, Chrome, IE and Safari – removed DigiNotar from the CA store in their latest versions</li></ul>-- F-Secure, Threatpost blogs<br />
Don’t want to break add-ons ..<br />-- Mozilla Blog<br />
Who and how?<br /><ul><li>Called himself Comodohacker: claimed the attack via Pastebin
Twitter account: @ichsunx2</li></ul>Fox-IT security firm audit<br />Operation Black Tulip incident report revealed:<br /><ul><li>No secure central network logging is in place.
All CA [Certificate Authority] servers: members of one Windows domain</li></ul>Possible to access them all using one obtained user/password combination. The [domain] password was not very strong and could easily be brute-forced.<br /><ul><li>Strong indications that the CA servers were accessible over the network from the management LAN.
The software installed on the public web servers was outdated and not patched.
No antivirus protection was present on the investigated servers.
Domain admin password of the CA network, shared by Comodohacker: Pr0d@dm1n</li></ul>-- SANS ISC diary, Pastebin<br />
Hushhh, nothing left to trust?<br /><ul><li>Dutch regulator bars DigiNotar from issuing qualified certificates
The average browser trusts more than 600 CAs, which have a bad history of not doing their job correctly</li></ul>Blackhat/Defcon talk:<br />SSL and the Future of Authenticity<br />By Moxie Marlinspike:<br />Talk about replacing the CA infrastructure<br />Issue with SSL: authenticity<br />Idea: download the presented SSL certificate directly, and then ask a series of trusted notaries to download the certificate and give it to you as well.<br />Convergence: browser add-on. http://convergence.io/<br />-- Threatpost<br />
Who is reading the email that you just sent?<br /><ul><li>Peter Kim and Garrett Gee of the Godai Group – paper about doppelganger domains
Doppelganger domains: register a domain that is like your target's except for a typo.
Over 6 months – grabbed 1,20,000 (120,000) emails, 20 GB of data, from Fortune 500 companies
Email with sensitive info sent to a domain with a typo or a missing dot landed in the wrong hands
Domain MITM: set up email servers on the typosquatted domain and relay mail to the correct recipient.</li></ul><ul><li>Exploit uses a hidden control character (U+202E, the right-to-left override) that reverses the display of the characters after it, so an executable file is shown as something entirely different.
e.g. making jpg.exe look safer, like Photo_D18727_Collexe.jpg</li></ul><ul><li>Do not open attachments from unknown sources even if they look safe.
IE 9 – Application Reputation: warns users of potentially dangerous files downloaded from the internet.</li></ul>-- Avast Blogs<br />
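The two stories above both describe mail that looks right but is not: a recipient domain with a dot missing, and an attachment whose displayed extension is a lie. As an added example (not from the slides, and not the Godai Group's or Avast's code), here is a pair of outbound-mail checks a gateway could run: one derives the missing-dot doppelgangers of our own subdomains and flags recipients that match them, the other strips bidi control characters from an attachment name to recover the real extension. Every domain and filename in it is constructed for the demo.

```python
# Added example (not from the original slides, nor from the Godai Group or
# Avast): two outbound-mail checks that address the stories above.
#  1. Doppelganger domains: mail typed as user@usexample.com instead of
#     user@us.example.com goes to whoever registered usexample.com. We derive
#     the missing-dot variants of our own subdomains and flag recipients
#     whose domain matches one of them.
#  2. Right-to-left override: a name like "Photo_Col" + U+202E + "gpj.exe"
#     is rendered as "Photo_Colexe.jpg". We strip bidi control characters to
#     recover the real extension.
# All domains and filenames below are constructed for the demo.
import os

RLO = "\u202e"
# Unicode bidi control characters that can reorder how a name is displayed.
BIDI_CONTROLS = frozenset("\u200e\u200f\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")


def doppelganger_domains(fqdn):
    """Return the domains obtained by dropping one dot between two labels of
    fqdn, never merging the registrable name into the TLD.
    'us.corp.example.com' -> {'uscorp.example.com', 'us.corpexample.com'}"""
    labels = fqdn.lower().strip(".").split(".")
    variants = set()
    for i in range(len(labels) - 2):
        merged = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
        variants.add(".".join(merged))
    return variants


def flag_recipients(recipients, internal_fqdns):
    """Return the recipient addresses whose domain is a doppelganger of one
    of our own internal hostnames or subdomains."""
    suspect = set()
    for fqdn in internal_fqdns:
        suspect |= doppelganger_domains(fqdn)
    flagged = []
    for addr in recipients:
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain in suspect:
            flagged.append(addr)
    return flagged


def analyze_attachment_name(name):
    """Return what a bidi-aware file manager would show, the real name with
    control characters removed, the real extension, and whether the name
    carried any bidi control character at all."""
    actual = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    _, ext = os.path.splitext(actual)
    if RLO in name:
        head, tail = name.split(RLO, 1)
        head = "".join(ch for ch in head if ch not in BIDI_CONTROLS)
        tail = "".join(ch for ch in tail if ch not in BIDI_CONTROLS)
        displayed = head + tail[::-1]  # RLO reverses everything after it
    else:
        displayed = actual
    return {
        "displayed": displayed,
        "actual": actual,
        "extension": ext.lower(),
        "suspicious": actual != name,
    }


if __name__ == "__main__":
    print(flag_recipients(["bob@usexample.com", "alice@us.example.com"],
                          ["us.example.com", "mail.corp.example.com"]))
    print(analyze_attachment_name("Photo_Col" + RLO + "gpj.exe"))
```

The doppelganger list is also the list you would register yourself, or at least watch in outbound mail logs; the attachment check is a gateway-side complement to IE 9's reputation warning, since the real extension, not the rendered one, is what the operating system will execute.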
Morto: RDP Worm<br /><ul><li>Infects Windows workstations and servers with a new spreading vector: RDP
Once infected, it starts scanning the local network for machines with RDP enabled
Tries logging in as Administrator using a list of common passwords
Copies itself to target machines via Windows shares
Monitor logs for traffic spikes on port 3389.</li></ul>-- Sectechno<br />
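The last bullet is the detection hook. As an added example (not from the slides or the Sectechno post), here is that check implemented over firewall or flow logs: a source that opens RDP connections to many distinct hosts inside a short window matches the scanning step described above, while an administrator reconnecting to one host does not. The log format, addresses and timestamps are constructed for the demo.

```python
# Added example (not from the original slides or the Sectechno post): the
# "traffic spike on port 3389" check from the slide, implemented as a scan
# detector over firewall/flow logs. A source that opens RDP connections to
# many distinct hosts inside a short window is the spreading behaviour
# described above; a normal admin reconnecting to one host is not.
# Log format, addresses and timestamps are constructed for the demo.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")

SAMPLE_LOG = """
2011-08-28T10:00:01 src=10.0.0.5 dst=10.0.0.10 dport=3389 proto=tcp
2011-08-28T10:00:02 src=10.0.0.5 dst=10.0.0.11 dport=3389 proto=tcp
2011-08-28T10:00:02 src=10.0.0.5 dst=10.0.0.12 dport=3389 proto=tcp
2011-08-28T10:00:03 src=10.0.0.5 dst=10.0.0.13 dport=3389 proto=tcp
2011-08-28T10:00:04 src=10.0.0.5 dst=10.0.0.14 dport=3389 proto=tcp
2011-08-28T10:00:05 src=10.0.0.5 dst=10.0.0.15 dport=3389 proto=tcp
2011-08-28T10:00:06 src=10.0.0.5 dst=10.0.0.16 dport=3389 proto=tcp
2011-08-28T10:00:07 src=10.0.0.7 dst=10.0.0.20 dport=3389 proto=tcp
2011-08-28T10:03:30 src=10.0.0.7 dst=10.0.0.20 dport=3389 proto=tcp
2011-08-28T10:04:00 src=10.0.0.9 dst=10.0.0.21 dport=445 proto=tcp
2011-08-28T08:00:00 src=10.0.0.8 dst=10.0.0.30 dport=3389 proto=tcp
2011-08-28T09:00:00 src=10.0.0.8 dst=10.0.0.31 dport=3389 proto=tcp
2011-08-28T10:30:00 src=10.0.0.8 dst=10.0.0.32 dport=3389 proto=tcp
2011-08-28T11:30:00 src=10.0.0.8 dst=10.0.0.33 dport=3389 proto=tcp
2011-08-28T12:30:00 src=10.0.0.8 dst=10.0.0.34 dport=3389 proto=tcp
""".strip().splitlines()


def parse_events(lines):
    """Return a list of (timestamp, src, dst, dport) for lines matching LOG_RE."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return events


def rdp_scanners(events, window=timedelta(minutes=5), min_targets=5):
    """Return {src: max_distinct_targets} for every source that reached at
    least min_targets distinct hosts on TCP/3389 within one sliding window.
    10.0.0.8 in the sample is a slow sweep: it only trips a wider window."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        if dport == 3389:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        best, start = 0, 0
        for end in range(len(hits)):
            # shrink the window from the left until it spans at most `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            best = max(best, len({dst for _, dst in hits[start:end + 1]}))
        if best >= min_targets:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print(rdp_scanners(events))                              # fast sweep only
    print(rdp_scanners(events, window=timedelta(hours=5)))   # slow sweep too
```

Counting distinct destinations rather than raw connection volume is what separates a worm's sweep from a busy administrator; the window and threshold are the knobs to tune against your own baseline of RDP use, and the same structure applies to any other lateral-movement port.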
Mobile phone monitoring service found<br /><ul><li>A Chinese website offers mobile phone monitoring tools and services; customers get access to the site’s backend to retrieve the collected information.</li></ul>
Linux Breaches<br /><ul><li>Attackers compromised a number of servers at kernel.org that house the Linux kernel source code, and were able to modify a number of files and log user activity on the machines
Inserted a Trojan startup file into the rc3.d startup scripts on one of the servers so that it would run whenever the machine was started.
Files belonging to ssh (openssh, openssh-server and openssh-clients) were modified.
Kernel source code repositories were not affected
A week later, linux.com and linuxfoundation.org were taken offline due to a security breach</li></ul>-- h-online, linux.com<br />
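Both changes reported above, an extra file dropped into rc3.d and modified openssh binaries, are exactly what a file integrity baseline catches. As an added example (not from the slides and not kernel.org's own tooling), here is a minimal baseline-and-diff over a directory tree; the demo builds its own throwaway tree in a temporary directory, takes a baseline, then applies both kinds of change and reports them. On a real host you would baseline /etc/rc3.d and the openssh package files and keep the manifest off the machine.

```python
# Added example (not from the original slides or from kernel.org): a minimal
# file integrity baseline of the kind that would have exposed the changes
# reported above (a new startup file in rc3.d, modified openssh binaries).
# The demo tree, file names and contents are constructed inside a temporary
# directory; nothing here touches the real /etc or /usr.
import hashlib
import os
import tempfile


def manifest(root):
    """Map every regular file under root (path relative to root) to its
    SHA-256; symlinks are recorded by target rather than followed."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.islink(path):
                result[rel] = "link:" + os.readlink(path)
                continue
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            result[rel] = h.hexdigest()
    return result


def diff_manifests(baseline, current):
    """Report paths that appeared, disappeared or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo():
    """Build a constructed tree, baseline it, tamper with it the way the
    kernel.org report describes, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        rc3 = os.path.join(root, "etc", "rc3.d")
        sbin = os.path.join(root, "usr", "sbin")
        os.makedirs(rc3)
        os.makedirs(sbin)
        with open(os.path.join(rc3, "S55sshd"), "w") as f:
            f.write("#!/bin/sh\n/usr/sbin/sshd\n")
        with open(os.path.join(sbin, "sshd"), "wb") as f:
            f.write(b"\x7fELF constructed placeholder for the sshd binary")
        baseline = manifest(root)

        # Simulated tampering: an unexpected startup script and a changed binary.
        with open(os.path.join(rc3, "S99unexpected"), "w") as f:
            f.write("#!/bin/sh\n# constructed: startup script that was not in the baseline\n")
        with open(os.path.join(sbin, "sshd"), "ab") as f:
            f.write(b" tampered")

        return diff_manifests(baseline, manifest(root))


if __name__ == "__main__":
    print(demo())
```

A baseline is only as trustworthy as its storage: a manifest kept on the compromised host can be edited along with the files, which is why the comparison should run from, and store its reference copy on, a machine the attacker never reached.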
Life After Anonymous<br /><ul><li>Interview with the former hacker @SparkyBlaze from the Anonymous crew
Conducted by the Cisco employee who runs the @CiscoSecurity Twitter account
Biggest issue: social engineering</li></ul>“It all comes down to lies, everyone does it and some people get good at it.”<br /><ul><li>Advice: stay away from black hat hacking.</li></ul>-- Cisco Security Blogs<br />
News Overview<br /><ul><li>awmproxy.net – provides anonymisation proxies by renting out computers infected with the TDL4 bot.
Downloaded the uTorrent client between 4:10 am and 6:20 am Pacific time on 13th Sept? You are infected with malware
Web server compromised; the Windows executable was replaced with malware
Mebromi – new rootkit discovered by Chinese AV vendor 360, targeting mainly Award BIOS users.
Persists even if the hard drive is physically replaced.
OWADE (Offline Windows Analyzer and Data Extractor): cloud-based forensics
Threat Modeling Tool v3.1.8, MiniFuzz Tool v1.5.5, RegExFuzz Tool v1.1.0: updated SDL tools by Microsoft</li></ul><ul><li>Data-sound-poc: exfiltrate data out of a network over a voice connection
fuzzdb: open source database of malicious and malformed input test cases.
OSForensics: OS forensics tool for digital investigations.
minibis: automated malware analysis based on the paper "Mass Malware Analysis: A Do-It-Yourself Kit"
WebSurgery: web application security testing suite</li></ul>Security Reading<br /><ul><li>Understanding and Selecting SIEM/Log Management (PDF)</li></ul>