Category Archives: Hacking
An interesting and fun way to teach ethical hacking.
Control-Alt-Hack is based on Steve Jackson Games’ Ninja Burger, but from the characters to the mission cards to the entropy cards, the demystification of white hat computer security is the name of this game. Game co-designer, security researcher, and University of Washington Computer Security and Privacy Research Lab honorary member Adam Shostack said at the Black Hat 2012 confab here that when it comes to teaching ethical hacking, also known as white hat hacking, not enough educators “use carrots, not sticks.”
“Humor creates an open atmosphere” that helps break down the shyness of learning, he said during the conference session about the game. He explained that people are more likely to ask questions about things that they think they should’ve already learned if it’s part of a game.
Games, he noted, have a spectrum from being as easy to learn as Go or dice games, all the way through Dungeons and Dragons or Settlers of Catan. Choosing a game to base Control-Alt-Hack on that involved humor and a bit of complexity would help keep the subject matter interesting for the target audience of teens and young adults.
In Control-Alt-Hack, you work as a researcher for a computer security company that gets hired to stress-test other companies. The deck of 156 cards includes 16 “person” cards to give you an identity during the game. The characters were given realistic traits, so there are no stereotypes of the obese, unkempt researcher covered in potato chip debris and pizza grease. Instead, you can play as one of eight men or eight women who have interests as varied as martial arts or rock climbing, and all are snazzily dressed in their artwork.
Look for it on store shelves later this year.
- Control-Alt-Hack: Can You Teach Hacking with a Card Game? (tomshardware.com)
- Card Game Turns You Into a White Hat Hacker (pcworld.com)
- Old-school card game delves into the dark world of computer security breaches (geekwire.com)
The dark art of iOS app hacking presented at Black Hat.
There are three ways to hack an iOS app. One involves a zero-day exploit, a previously-unknown security hole. These are rare but not unheard of for iOS apps. The other two involve getting physical access to the phone, Zdziarski said.
“You can infect the phone without a passphrase. The virus or bit of code sits on the phone, waiting for the user to unlock it.” Or, he explained, “Give me two minutes with somebody’s phone and I can dump the entire file system from it.” From there, he said he could look at apps for an exploit to take advantage of remotely.
He argued that this could become a serious problem as iPhones and iPads continue to increase in popularity. Enterprise use of iOS is growing, he said, as is government use.
All due to a double-edged sword.
The problem, Zdziarski explained, comes from the double-edged sword that is the iOS monoculture. It has benefits, he said, including a reduced attack surface, rapid prototyping, and fewer holes to blame on the developer. But, he added, its homogeneous attack surface means that if you can hack one iOS device, you can hack nearly all. (While it’s true that there are different versions of iOS in use, there are significantly fewer than the different flavors of Android.)
Zdziarski noted that security has become an afterthought for iOS app developers, since they’re trusting Apple’s iOS Keychain and runtime to be secure. Keychain is the iOS feature that stores passwords, certificates, and other security-related items under encryption. “Anybody with freely available open source tools can get around that encryption now,” said Zdziarski, who said the encryption has been busted for two years. Zdziarski also showed how he didn’t even have to have the passcode to an iPhone to break its encryption. With a phone in his possession, he was able to drop a small piece of code from his computer onto the otherwise-locked phone. The code sits on the iPhone idle until the owner enters in the passcode, decrypting the file system and giving the malicious code access to the entire file system. “Developers are not turning on the encryption for most of their apps, and most users defer to a four-digit PIN, or a simple keyboard friendly passphrase.” So, although the phone’s operating system may be protected, the level of data security on the phone presumes that iOS won’t be hacked.
A great illustration of how developers need to understand that security trumps all.
- 19% Of iOS Apps Access Your Address Book Without Your Permission… Until iOS 6 [Report] (cultofmac.com)
- Apple investigating iOS in-app purchase hack (zdnet.com)
Another day, another set of cracking tools.
Cryptography specialist Moxie Marlinspike released tools at Defcon today for easily cracking passwords in wireless and virtual private networks that use a popular encryption protocol based on an algorithm from Microsoft called MS-CHAPv2, news that will no doubt worry many a network administrator.

The tools crack WPA2 (Wi-Fi Protected Access) and VPN passwords used by corporations and organizations running networks that are protected by PPTP (Point-to-Point Tunneling Protocol), which uses MS-CHAPv2 for authentication.

ChapCrack captures the MS-CHAPv2 handshakes, or SSL (Secure Sockets Layer) negotiation communications, and converts them to a token that can be submitted to CloudCracker. It takes less than a day for the service to return results in the form of another token that is plugged back into ChapCrack, where the DES (Data Encryption Standard) keys are cracked. With that data, someone can see all of the information traveling across the Wi-Fi network, including sensitive corporate e-mails and passwords, and use passwords that were revealed to log in to corporate networks.

The tools are designed for penetration testers and network auditors to use to check the security of their WPA2-protected networks and VPNs, but they may well be used by people who want to steal data and get unauthorized access to networks.
Yet another reason for businesses that haven’t done so yet to move beyond PPTP and Windows XP.
- Stronger password hashing in .NET with Microsoft’s universal providers (troyhunt.com)
- Wireless Internet Security (techhelpertoday.wordpress.com)
Scanning for BGP hosts that are vulnerable? From the ISC:
ISC reader Yew Chuan reports that he is seeing a steady increase in probes to tcp/79 (“finger”). Our own DShield sensors confirm this observation, as is visible on the image below. It’s been a while since we last had exploit attempts on tcp/79, and hardly anybody is using/running “finger” anymore these days. So .. what’s up? Anyone got packets?
Update 1330 UTC: Scanning for tcp/79 has been seen by many ISC readers, and most say the IP blocks it originated from are in China and Taiwan. No packets yet – looks like everyone has tcp/79 blocked, and only recorded the initial “SYN”.
For more info from the comments, check out: ISC Diary | What’s up with port 79?
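The ISC diary asks readers for packets, but the first check any site can run is on its own perimeter logs. The following Python script is an added example, not code from the ISC or DShield: it parses firewall lines in Linux iptables LOG format, keeps only bare SYNs to tcp/79 (dropping SYN/ACKs, bare ACKs and other ports), then reports whether the daily probe count is rising and which source addresses and /24 blocks are behind it. The log lines and addresses embedded below are constructed from the RFC 5737 documentation ranges and are not real probe data.

```python
"""Spot a rise in SYN probes to tcp/79 (finger) in iptables LOG output.

Added example: the log text below is constructed, not captured traffic.
"""
import re
from collections import Counter, OrderedDict

FINGER_PORT = 79

# Constructed sample log in iptables LOG format (RFC 5737 addresses).
SAMPLE_LOG = """\
Jul 29 08:01:10 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=40211 DPT=79 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 29 11:22:45 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 30 02:14:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.6 PROTO=TCP SPT=40212 DPT=79 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 30 02:14:09 gw kernel: IN=eth0 OUT= SRC=203.0.113.44 DST=198.51.100.5 PROTO=TCP SPT=33001 DPT=79 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 30 13:50:51 gw kernel: IN=eth0 OUT= SRC=203.0.113.44 DST=198.51.100.7 PROTO=TCP SPT=33002 DPT=79 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 30 15:00:00 gw kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.5 PROTO=TCP SPT=60000 DPT=79 WINDOW=512 RES=0x00 ACK URGP=0
Jul 31 01:03:11 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=40300 DPT=79 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 31 01:03:12 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.6 PROTO=TCP SPT=40301 DPT=79 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 31 04:40:27 gw kernel: IN=eth0 OUT= SRC=203.0.113.44 DST=198.51.100.8 PROTO=TCP SPT=33010 DPT=79 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 31 09:15:38 gw kernel: IN=eth0 OUT= SRC=203.0.113.91 DST=198.51.100.5 PROTO=TCP SPT=20001 DPT=79 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 31 21:59:59 gw kernel: IN=eth0 OUT= SRC=203.0.113.91 DST=198.51.100.9 PROTO=TCP SPT=20002 DPT=79 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 31 22:00:01 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=51001 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# syslog date, then the SRC/DST/PROTO/DPT fields, then the TCP flag words
# that iptables prints between RES= and URGP= (e.g. "SYN" or "ACK PSH").
LINE_RE = re.compile(
    r"^(?P<date>\w{3} +\d{1,2}) \d\d:\d\d:\d\d .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) "
    r"SPT=\d+ DPT=(?P<dpt>\d+) .*?RES=0x[0-9a-f]+ (?P<flags>[A-Z ]+?) URGP="
)


def parse_line(line):
    """Return a dict for one iptables LOG line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"])
    rec["flags"] = set(rec["flags"].split())
    return rec


def syn_probes(log_text, port=FINGER_PORT):
    """Keep only bare TCP SYNs (not SYN/ACK or ACK) aimed at the given port."""
    probes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["proto"] == "TCP" and rec["dpt"] == port
                and "SYN" in rec["flags"] and "ACK" not in rec["flags"]):
            probes.append(rec)
    return probes


def daily_counts(probes):
    """Probes per calendar day, in the order the days appear in the log."""
    counts = OrderedDict()
    for rec in probes:
        counts[rec["date"]] = counts.get(rec["date"], 0) + 1
    return counts


def is_steady_increase(counts):
    """True when each day has more probes than the day before (>= 2 days)."""
    values = list(counts.values())
    return len(values) >= 2 and all(b > a for a, b in zip(values, values[1:]))


def top_sources(probes, n=3):
    """Most active probing source addresses with their counts."""
    return Counter(rec["src"] for rec in probes).most_common(n)


def top_source_blocks(probes, n=3):
    """Same, aggregated by /24 so a scanning range shows even if hosts rotate."""
    blocks = Counter(".".join(rec["src"].split(".")[:3]) + ".0/24" for rec in probes)
    return blocks.most_common(n)


def report(log_text=SAMPLE_LOG):
    """Print the summary an analyst would paste into a diary comment."""
    probes = syn_probes(log_text)
    counts = daily_counts(probes)
    print(f"bare SYNs to tcp/{FINGER_PORT} by day: {dict(counts)}")
    print("steady increase:", is_steady_increase(counts))
    for src, n in top_sources(probes):
        print(f"  {src:15} {n}")
    for blk, n in top_source_blocks(probes):
        print(f"  {blk:18} {n}")
    return probes, counts


if __name__ == "__main__":
    report()
```

Because the site only logs the initial SYN (as the diary update notes, most readers had tcp/79 blocked), the filter deliberately excludes SYN/ACK and bare ACK packets so that backscatter and stray replies do not inflate the count; on real logs, feed the script a day range wide enough to establish a baseline before calling a rise "steady".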
Another successful sting:
The FBI orchestrated a two-year cybercrime sting that resulted in 24 arrests, with some alleged hackers facing more than 20 years in prison for allegedly profiting from stolen information such as credit card and bank account numbers, law enforcement authorities announced today.
The U.S. attorney’s office in Manhattan and the FBI announced the arrests and provided details of the sting operation, which involved FBI agents posing as hackers while the bureau set up a fake “carding” forum, according to the press release (see the full release below). Carding is the term for crimes associated with exploiting stolen personal information for profit. The forums helped “carders” communicate and, in some cases, find mailing addresses — usually empty apartments or houses — for products purchased with stolen credit-card data.
- Global financial cybercrime sting yields 24 arrests (money.cnn.com)
- FBI arrests six British ‘hackers’ in ‘biggest ever’ undercover sting into global online fraud (dailymail.co.uk)
- Huge Hacking Group Busted in FBI Sting Operation (jdjournal.com)
A computer trojan targeting online banking software is rapidly spreading and evolving thanks to the open source development model being utilized by its creators.
Called Citadel, the new piece of malware is based on ZeuS, one of the oldest and most popular online banking Trojans. ZeuS was abandoned by its creator in late 2010, and its source code leaked online a few months later.
Since its public release, the ZeuS source code has served as the base for the development of other Trojans, including Ice IX and now Citadel.
“Seculert’s Research Lab discovered the first indication of a Citadel botnet on December 17th, 2011,” the security company said Wednesday in a blog post. “The level of adoption and development of Citadel is rapidly growing.”
Seculert has identified over 20 botnets that use different versions of this Trojan. “Each version added new modules and features, some of which were submitted by the Citadel customers themselves,” the company said.
The most interesting aspect of Citadel is its development process, which is similar to the ones behind community-supported open source projects. “Similar to legitimate software companies, the Citadel authors provide their customers with a User Manual, Release Notes and a License Agreement,” Seculert said.
Like its parent, Citadel is sold as a crimeware toolkit on the underground market. The toolkit allows fraudsters to customize the Trojan according to their needs and command and control infrastructure.
However, the Citadel authors went even further and developed an online platform where customers can request features, report bugs, and even contribute modules.
So is a new trend in malware being seen? Seculert believes it is.
The security company believes that the success of this Trojan could drive other malware writers to adopt the open source model. “This recent development may be an indication of a trend in malware evolution,” Seculert said.
- Researchers Warn: Trojan evolving through ‘open source’ development (netsecurityit.wordpress.com)
- Collaboration Fuels Rapid Growth of Citadel Trojan (krebsonsecurity.com)
Thanks to “Man in the Browser”, even up-to-date anti-virus software combined with the latest generation of online banking security doesn’t protect those using online banking.
A test witnessed as part of a BBC Click investigation suggests even those with up-to-date anti-virus software could be at risk.
There is no specific risk to any one individual bank.
In the test the majority of web security software on standard settings did not spot that a previously unseen piece of malware created in the software testing lab was behaving suspiciously.
The threat does not strike until the user visits particular websites.
Called a Man in the Browser (MitB) attack, the malware lives in the web browser and can get between the user and the website, altering what is seen and changing details of what is being entered.
Some versions of the MitB will change payment details and amounts and also change on-screen balances to hide its activities.
With the additional security devices, the risk of fraud is only present for one transaction, and only if the customer falls for the “training exercise”.
“The man in the browser attack is a very focused, very specific, advanced threat, specifically focused against banking,” said Daniel Brett, of malware testing lab S21sec.
“[Although] many products won’t pick this up, they’ve got a much bigger scope, they’re having to defend against all the viruses since the beginning of time.”
Every time a new update to the malware is released, it takes the security companies a number of weeks to learn how to spot it – to learn its common features.
But one security company did privately concede that, if this threat had come from a source not known to be bad and started communicating with a web address also not on the black-list of “bad” sites – until they had discovered and analysed it – it probably would have beaten their protection.
The key in this cat-and-mouse game continues to be the user and how high they want to set their security settings on anti-virus software. But even then NOTHING is 100% secure when it comes to data.
- Hackers outwit online banking identity security systems (annozijlstra.wordpress.com)
- Hackers may be able to ‘outwit’ online banking security devices (go.theregister.com)
- New ‘Man In The Browser’ Attack Bypasses Banks’ Two-Factor Authentication Systems (gizmodo.com.au)
Beware! There is a new trojan horse virus that not only raids your bank account, it reportedly covers its tracks as well.
The best way to protect yourself from an online financial scam is to diligently check your bank accounts. At least, until now.
Israel-based security firm Trusteer has found an elaborate new computer virus that not only helps fraudsters steal money from bank accounts — it also covers its tracks.
Think of a crime plot involving a spy who plans to break into a high-security building and begins by swapping out security camera video so guards don’t notice anything is amiss. Known as a surveillance camera hack, the technique has been used in dozens of movies.
A new version of the widely prevalent SpyEye Trojan horse works much the same way, only it swaps out banking Web pages rather than video, preventing account holders from noticing that their money is gone.
Here’s how it works:
The Trojan horse employs a powerful two-step process to commit the electronic crime. First, the virus lies in wait until a customer with an infected computer visits an online banking site, steals their login credentials and tricks the victim into divulging additional personal information such as debit card information. Then, after the stolen card number is used for a fraudulent purchase, the virus intercepts any further visits to the victim’s banking site and scrubs transaction records clean of any fraud. That prevents — or at least delays — consumers from discovering fraud and reporting it to the bank, buying the fraudster critical extra time to complete the crime.
Head to the source for additional details, including why this is a very scary tactic being employed.
- New Banking Malware Spends Your Money, Hides the Evidence [VIDEO] (mashable.com)
- SpyEye malware borrows Zeus trick to mask fraud (infoworld.com)
When it comes to malware exploits, Adobe’s Flash and PDF software can’t seem to catch a break recently.
Recently a vulnerability was found in both Mac and Windows versions of Adobe’s Acrobat and Reader products that could allow an attacker to crash the programs and gain control of the system. So far only attacks on Windows machines have been found, but Mac systems could be affected as well.
Now two similar vulnerabilities have been found in Adobe’s Flash Player, which likewise could result in arbitrary code being executed on the system.
Apparently the vulnerability bypasses anti-exploitation features in Windows such as DEP and ASLR, and can get around the Internet Explorer sandbox (there is no information on how other browsers handle the issue).
While Intevydis has so far shown the exploit on Windows machines, apparently it works in OS X as well.
So far Adobe has only addressed these exploits for version 9.x of its Reader and Acrobat products for Windows; fixes for the other versions are due in about a month’s time. Adobe has not yet issued a response to the current findings regarding Flash Player.
If you rely heavily on Adobe Flash Player, it may be wise to find an interim way to block unwanted Flash content, considering this:
Unlike malware that is directly downloaded to a system and scanned, these malware attempts run through the Flash Player or Adobe Reader programs themselves, making it harder for malware scanners to detect them.
So should Adobe be moving faster to address this issue or is the risk overstated?
- Two zero-day vulnerabilities found in Flash Player (infoworld.com)
- Adobe warns of attacks using Reader on Windows | Security – CNET News (fourbluehills.com)
- Adobe Releases Updates for Adobe Reader and Acrobat (netsecurityit.wordpress.com)
Overcoming stiff competition from MIT and Waterloo, Princeton won this year’s Facebook College Hackathon finals. Over the past few months, Facebook conducted run-off competitions at fourteen colleges across the United States and Canada, and this Friday held the finals at Facebook headquarters in Palo Alto. The Princeton team was the only one comprised mainly of women, and their winning project Color Me Bold allowed users to submit a photo of an outfit and receive instant, algorithmic fashion suggestions for how to improve its color scheme.
My personal favorite was MIT’s 2toBrowse, a Chrome extension that allowed two people on separate computers to both control active cursors and collaboratively browse the web. One user installs the extension, receives a special URL, and another can click it to instantly begin browsing together without having to download anything. The extension could help people teach their parents how to use a specific website, allow customer service departments to walk customers through solutions to problems, or provide entertainment.
The College Hackathon, also known as the Camp Hackathon, serves as a powerful recruiting tool for Facebook. By finding top young engineers and bringing them to the headquarters, Facebook increases the chance they’ll want to work for the company once they graduate — or drop out like Facebook’s founders.
Go to the source to see some awesome video of the Facebook Hackathon.
- Facebook Holds All-Night Hackathon for College Teams [VIDEO] (mashable.com)
- Management Hackathon: Building Communities of Passion (news.dice.com)
- Granicus Hosts CityCampSF Hackathon to Promote Civic Innovation & Open Government (prweb.com)