Friday, December 6, 2013

Still No Clues In The Million Dollar Bitcoin Heist

Late November 2013, thieves stole more than US $1 million in Bitcoins from Danish Bitcoin exchange and online wallet service BIPS. The company was first attacked on 15 and 17 November through a distributed denial-of-service (DDoS) attack that appears to have laid the groundwork for a subsequent attack that disabled BIPS security systems. According to the company, the initial DDoS attacks were "found to originate from Russia and neighboring countries." This facilitated the theft of the Bitcoins. Two other significant Bitcoin thefts have occurred recently, an Australian online wallet service lost US $1.4 million in Bitcoins, and a Chinese exchange lost more than $4 million. The US Senate is now attmpting to legislate Bitcoin.

Tuesday, December 3, 2013

Government Must Improve its Cybersecurity, Technology Council Report Says

According to a report from a presidential technology council, the US government is not setting a good example in cybersecurity.  The report comes from the President's Council of Advisors on Science and Technology.  According to the report, "the Federal Government rarely follows accepted best practices."   The report further states that "Cybersecurity will not be achieved by a collection of static precautions, it requires a set of processes that continuously couple information about an evolving threat to defensive reactions and  responses."

You may read a complete copy of the report at: http://www.whitehouse.gov/sites/default/files/microsites/ostp/PCAST/pcast_cybersecurity_nov-2013.pdf

Saturday, November 30, 2013

Prevalent Malware: November 2013 Edition

Sourcefire has compiled the list of this month’s most prevalent malware files.  The list provides the hash checkup values for each file as well as a link to the entry on virustotal.  To assist computer forensics analysts or incident responders, the list provides the file name and the fake publisher claimed by the malware.  Some notable examples of the identified malware files include:

SHA 256:
ca24a8f7c04fe15a758f3360c8e5619205c53807bfc65f82c028cdf808bf2189
MD5:
ec63f649f7090f885ebd4770ffb92fcb
VirusTotal:
https://www.virustotal.com/en/file/CA24A8F7C04FE15A758F3360C8E5619205C53807BFC65F82C028CDF808BF2189/analysis/
Typical Filename: UpdateTask.exe
Claimed Product: W32.Trojan.16l1
Claimed Publisher: None
SHA 256:
b2cad8322db85f67db6ea074d00c2ed56ce1fa92952d07b70baac249fa18236d
MD5:
249a44dcfa2500eb1c020e33a3e9f25b
VirusTotal:
https://www.virustotal.com/en/file/B2CAD8322DB85F67DB6EA074D00C2ED56CE1FA92952D07B70BAAC249FA18236D/analysis/
Typical Filename: FlashPlayerUpdateService.exe
Claimed Product: W32.Downloader:AgentASEBTrj.16mc.1201
Claimed Publisher: None

You may obtain a more complete list from Sourcefire or read a longer version of the list from AVM Technology Cybersecurity.

Recent Vulnerabilities With Available Exploits: November 2013 Edition

The list of recent vulnerabilities for which exploits are available is out.  This list was created to assist system administrators and computer incident responders in prioritization of their remediation activities.  This list can also help computer forensics experts in correctly identifying some of these exploits.

A few notable exploits identified include:

ID:     CVE-2013-3918
Title:  Microsoft ActiveX Controls “InformationCardSigninHelper Class”
Out-of-Bounds Memory Access Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists in the
InformationCardSigninHelper Class ActiveX control.  Specifically the
issue occurs in the way “InformationCardSigninHelper Class” ActiveX
control (icardie.dll) is loaded into Internet Explorer and causes system
state corruption.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID:     CVE-2013-3906
Title:  Microsoft Graphics Component Could Allow Remote Code Execution
Vendor: Microsoft
Description: Remote exploitation of a memory corruption vulnerability
in multiple Microsoft products could allow attackers to execute
arbitrary code on the targeted host. The issue occurs with how the TIFF
codec in Microsoft’s graphics component handles crafted TIFF files.
Processing crafted TIFF files can corrupt system memory and create an
exploitable condition.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID:     Not Available
Title:  D-Link Authentication Security Bypass Vulnerability
Vendor: D-Link
Description: A remote exploitation of a design error vulnerability in
D-Link Systems Inc.’s routers could allow attackers to bypass
authentication security restrictions. The router allows any user with a
Web browser having the user agent string
“xmlset_roodkcableoj28840ybtide” to gain access to the Web interface of
the device without the requirement for any authentication credentials.
Affects D-Link Firmware v1.13 and other versions may also be affected.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

The entire list is available from Qualys or you may read more at the AVM Technology, LLC blog.

Tuesday, March 5, 2013

More Java Zero-Day Exploits

A Polish security firm discovered two new vulnerabilities to add to this year's list of Java zero day bugs.  The two newly found vulnerabilities are referred to as “issue 54” and “issue 55."  Apparently, one of the flaws fixed in Oracle’s recent patches for Java is under attack and when that bug is paired with another, separate vulnerability, the sandbox in the latest build of Java can be bypassed.  There is already code being distributed to exploit the vulnerability.  On the plus side, it appears that the vulnerability only affects Java’s SE 7 software and is associated with a problem with Java Reflection API.  Speaking of Java zero-day vulnerabilities, SecurityObscurity has a post dedicated to CVE-2013-0422.


Thursday, January 3, 2013

Internet Explorer Zero-Day Flaw Continues



This attack uses Adobe Flash to exploit a vulnerability in Internet Explorer 8.  Microsoft claims that the vulnerability only affects Internet Explorer 6-8 and that people using Internet Explorer 9-10 are not impacted.  The attack involves the targeted compromise of legitimate websites thought to be of interest to or frequented by end users who belong to organizations that attackers wish to infiltrate.

The network penetration testing community already has the tools to test for it.  There is now a Metasploit module (ie_cdwnbindinfo_uaf) that emulates this attack.  This also menas that the vulnerability will be exploited rapidly, users are encouraged to take immediate mitigation steps. Users running Windoes XP should use a browser other than Internet Explorer and corporate security staff should review Microsoft’s recommendations to build a layered defence to protect staff.  Microsoft's workaround options can be found at:
http://technet.microsoft.com/en-us/security/advisory/2794220
and at:
Microsoft FixIt workaround:
http://support.microsoft.com/kb/2794220

Tuesday, December 18, 2012

Samsung Galaxy SIII and Note II Can Be Easily Hacked


A serious exploit that affects certain Exynos devices has been found.  It appears that the Samsung kernel allows read and write access to all physical memory on the device, including the kernel itself.  In essence, the kernel is the "brain" of the operating system.  With this vulnerability, it is easy for anyone to obtain root access to the device and also makes it possible to execute code code injections and RAM dumps from apps containing malware available in the Google Play store.

The exploit appears to work on any device running a Exynos 4210 or 4412 processor.  We have previously seen other vulnerabilities in Samsung Galaxy devices.  This one, in particular, is very dangerous given the amount of malware-infected apps in the Google Play store.