Your security, networking, programming, and application news source.
Tuesday, December 27, 2011

Antisec Gives Christmas Present to the Public, Massively Owning Stratfor's Servers

Stratfor, <(Wiki)Strategic Forecasting, Inc.>, is a global intelligence company founded in Texas in 1996. It is known for publishing security newsletters to the public, and it also provides custom intelligence reports for clients such as major corporations, the U.S. military, and international government agencies.

The Antisec wing of Anonymous revealed on Saturday, Christmas Eve, that it had compromised several (reportedly four) Stratfor servers and posted credit card details of some Stratfor customers on IRC. Stratfor's site is still down after being <(mirror)defaced>. The group says it plans to dump up to 200 gigabytes of data in the run-up to New Year's Eve. Participants estimated they had already made between $500,000 and $1,000,000 in fraudulent charity donations using the stolen card data.

An Antisec participant explained the motive for the attack, stating, “That there will be repercussions for when you choose to betray the people and side with the rich ruling classes.”

The biggest revelation seems to be how poorly secured the security intelligence firm's servers were. Claims were made that Stratfor stored client data in clear text and even retained card security codes (CVV2), something the card brands' PCI DSS rules prohibit storing after authorization precisely because a dump like this one then turns every record into a usable card.

Stratfor, known for its secrecy and big-name clients, has had its purported client list posted (although some claim it may only be a subscriber list):

<Purported client list (pastebin)>


Quinn Norton (December 26, 2011)
<Wired.com - Antisec Hits Private Intel Firm; Millions of Docs Allegedly Lifted>

Thursday, December 8, 2011

Another CA Compromised

itworld.com
Lucian Constantin, IDG News Service (December 08, 2011)

<Dutch SSL certificate provider Gemnet investigates website compromise>

Saturday, November 19, 2011

[Video Link] Facebook Social XSS by Copy-Paste

Matt Jones (November 19, 2011)
(Video hosted on Facebook as public in Matt's gallery)

<Facebook Social XSS by Copy-Paste>

[Link] US Water Utility Pump Destroyed After Hack

PCMag.com
Chloe Albanesius (November 18, 2011)

<Illinois Water Utility Pump Destroyed After Hack>

Friday, October 28, 2011

[Link] SQL Injection Start to Finish Example

(Moderate SQL understanding expected)

Mathy Vanhoef (October 26, 2011)

<Exploiting 'INSERT INTO' SQL Injections Ninja Style >

Wednesday, October 19, 2011

[Links] More Surfaces On German State Sponsored Trojan

Secure List (Kaspersky Lab) - Tillmann Werner (October 18, 2011)

<Secure List - Federal Trojan's got a "Big Brother">


F-Secure - Sean (October 11, 2011)

<F-Secure - More Info on German State Backdoor: Case R2D2>

Thursday, October 13, 2011

Dennis Ritchie, creator of the C programming language dead at 70

Rumors that Dennis Ritchie had passed away have been confirmed. Ritchie was known for creating the C programming language and as a key developer of the UNIX operating system. He was 70 years old. <Dennis Ritchie (wiki)>

Sunday, October 9, 2011

European Hacker Group Analyzes Germany's Federally Sponsored Trojan

A European hacker group, the <Chaos Computer Club> (site mostly in German), has published an analysis of Germany's federally sponsored trojan, used by German police forces, revealing that its functionality may violate the limits set by Germany's constitutional court (the Bundesverfassungsgericht).

(Oct 8, 2011)
<Chaos Computer Club analyzes government malware (English)>

ZDNet later published the following article, which summarizes the situation well, adding background and <confirmation from F-Secure's analysis>.

(Ed Bott October 8, 2011)
<(ZDNet)German government accused of spying on citizens with state-sponsored Trojan>

Sunday, October 2, 2011

Payload Anatomy of InMotion Hosting Defacements

The Attack


<InMotion Hosting> was hacked on the weekend of September 23, 2011, leaving more than 70,000 websites compromised. One of many news articles that covered the attack:

(Article by Jack Phillips Sep 29, 2011)
<The Epoch Times: Hosting Firm InMotion Hacked, Thousands of Websites Defaced>

The Defacement


This attack appears to be a host-wide defacement. The defaced websites had "hacked by" pages added to them which credited "TiGER-M@TE":

(Screenshot of the defacement page, index.php)

From the customer's perspective there were no access, web, or FTP log entries to account for the change, consistent with a host-wide compromise rather than an attack through each site's own front door. A file named hacked_page was dropped into the root www directory and was propagated to all the immediate sub-directories as index.php.

<index.php contents>(pastebin.org)

Encoding


This PHP page contains only HTML and JavaScript. A close look at its contents shows that it uses some clever encoding in an attempt to avoid the kind of security fingerprinting that would otherwise allow easy automated detection.

A common technique is to represent malicious JavaScript as escaped hexadecimal characters and pass that through JavaScript's unescape function at run time. This obscures the code from a casual reader, and with small adjustments the same payload can be re-encoded into many copies that are all byte-for-byte different, which defeats naive signature matching. But with a little time one can decode the page's contents.

Strictly speaking, unescape decodes only the URL escape syntax (%XX and %uXXXX); the JavaScript \xXX escape syntax is decoded by the interpreter itself when it parses the string literal. The defacement page used both, one over top of the other: the parser unpacks the literal first, and unescape then decodes what is left:

found in index.php
(JavaScript escaped hexadecimal characters)

\x25\x33\x43\x25\x37\x33\x25\x36\x33\x25\x37\x32\x25\x36\x39\x25\x37\x30\x25\x37\x34

unescapes to...
(URL escaped hexadecimal characters)

%3C%73%63%72%69%70%74

unescapes to...
(The start of an HTML tag that will contain the malicious JavaScript)

<script

This is not a new technique and is easily decoded after the fact. After coding up a quick tool I was able to decode the page:

<index.php decoded>(pastebin.org)
(The decoded contents are noted in JavaScript comments.)

I've created an open source tool for decoding escaped hex, <Unescape>, so you can follow along.

Analysis shows that the page has five parts of interest:
  • Connection to statistics tracking service
  • Window animation and color cycling
  • A base64 embedded GIF image (not hex-coded)
  • "Hacked" image
  • Playing of an embedded Flash file (apparently for auto playing audio)

Statistics tracking


Line #33 of the <decoded page> (line #11 originally) defines a function named details. This function is set as the onclick handler for the "TiGER-M@TE" text. When triggered it opens three web pages: two different statistics tracking links at <zone-h> and one Google search for "Hacked by TiGER-M@TE" through <LMGTFY (Let Me Google That For You)>. The statistics at zone-h can be viewed here:

<zone-h notifier: TIGER-M@TE>

<zone-h notifier: TIGER-M@TE special=1>

Window animation


Lines #40 through #133 of the <decoded page> (also line #11 originally) define a timed script that moves and resizes the browser window in a sort of animated show while cycling colors.

Embedded base64 GIF image


Line #148 of the <decoded page> (the end of line #11 originally) contains a GIF image embedded in the page using <base64(wiki)> encoding. This appears to be merely a faded line. As we'll see next, maintaining image hosting seems to have been a challenge for the defacers.


"Hacked" image


Line #183 of the <decoded page> (the end of line #15 originally) is some encoded JavaScript that adds an image tag for a small image of the word "Hacked". This <image is hosted on Fotonons.ru>, but the tag is crafted to fall back on <the same image hosted at BayImg.com>. This seems to reflect the perceived difficulty of keeping image hosting alive during the peak of the defacement activity.

Embedded flash audio


The code inside the "mp3 code starts from here" HTML comments turned out to be the most complicated. This part was encoded in multiple layers and revealed a custom character transformation function. First, some key characters of the content were escaped as JavaScript hex escapes; the entire result was then URL-escaped; and that result was in turn escaped again as JavaScript hex escapes. Peeling these layers away reveals a function named dF, a custom decoder for the accompanying section of transformed data:

<index.php decoded dF function>(pastebin.org)

This decoder merely applied some basic arithmetic to each character's value. The final result starts at line 200 of the <decoded page>. The resulting code adds the following Flash file to the page for auto-play:

http://77.247.69.68/.../By_TiGER-M@TE.swf

The host 77.247.69.68 <resolves> to <Rackhosting.com> in Denmark. The link, with its peculiar "..." directory, was already dead when tested.
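The layered decoding described in the Encoding section (a \xNN string-literal layer over a %NN unescape layer) and in the "mp3 code" section (three layers plus the dF transform), as an added example in JavaScript. This is not the blog's Unescape tool and not the defacement's own code. It assumes ASCII content; the dF stand-in, its offset of 3, and the example.invalid URL are assumptions, because the page gives the shape of dF (per-character arithmetic) but not its constants.

```javascript
// Added example, not the blog's "Unescape" tool or the defacement's own code.
// It peels the layered escaping discussed above: a \xNN layer is a JavaScript
// string-literal escape (decoded by the parser), a %NN layer is URL escaping
// (decoded by unescape() at run time). The dF stand-in is hypothetical: the
// page gives the shape of dF (per-character arithmetic) but not its constants.

// Decode what the JS parser would decode inside a string literal: \xNN, \uNNNN
// and the common single-character escapes. Unlike the parser, a malformed
// escape is kept leniently (the character after the backslash) instead of
// raising a SyntaxError, which is what you want when triaging broken samples.
function decodeJsStringEscapes(s) {
  const simple = { n: "\n", r: "\r", t: "\t", b: "\b", f: "\f", v: "\v", "0": "\0" };
  return s.replace(/\\(x[0-9A-Fa-f]{2}|u[0-9A-Fa-f]{4}|[\s\S])/g, (_, esc) => {
    if (esc.length > 1) return String.fromCharCode(parseInt(esc.slice(1), 16));
    return Object.prototype.hasOwnProperty.call(simple, esc) ? simple[esc] : esc;
  });
}

// Decode exactly what unescape() decodes: %NN and %uNNNN. Anything else is
// left untouched, including a stray '%'.
function decodeUrlEscapes(s) {
  return s.replace(/%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})/g, (_, u4, h2) =>
    String.fromCharCode(parseInt(u4 !== undefined ? u4 : h2, 16)));
}

// Hypothetical stand-in for the defacement's dF decoder (ASSUMPTION: the real
// offset is not on the page): each character code was shifted by a constant.
const DF_OFFSET = 3;
function dfStandInDecode(s) {
  return [...s].map((c) => String.fromCharCode(c.charCodeAt(0) - DF_OFFSET)).join("");
}
function dfStandInEncode(s) {
  return [...s].map((c) => String.fromCharCode(c.charCodeAt(0) + DF_OFFSET)).join("");
}

// Look at which escape syntax sits on the outside, peel it, repeat. Returns
// the plaintext plus the order the layers came off in; that order is itself
// a usable signature, since legitimate pages rarely nest js-string over url.
const JS_HEX = /\\x[0-9A-Fa-f]{2}|\\u[0-9A-Fa-f]{4}/;
const URL_HEX = /%u[0-9A-Fa-f]{4}|%[0-9A-Fa-f]{2}/;

function peelLayers(s, maxLayers = 8) {
  const layers = [];
  let cur = s;
  for (let i = 0; i < maxLayers; i++) {
    if (JS_HEX.test(cur)) { cur = decodeJsStringEscapes(cur); layers.push("js-string"); }
    else if (URL_HEX.test(cur)) { cur = decodeUrlEscapes(cur); layers.push("url"); }
    else break;
  }
  return { text: cur, layers };
}

// Encoders, used only to construct a sample the way the defacer would have.
// ASCII-only, which matches the page contents.
const hex2 = (c) => c.charCodeAt(0).toString(16).toUpperCase().padStart(2, "0");
const urlEscape = (s) => [...s].map((c) => "%" + hex2(c)).join("");
const jsHexEscape = (s, only = /[\s\S]/g) => s.replace(only, (c) => "\\x" + hex2(c));

// The two-layer fragment quoted from index.php above.
const PAGE_FRAGMENT = String.raw`\x25\x33\x43\x25\x37\x33\x25\x36\x33\x25\x37\x32\x25\x36\x39\x25\x37\x30\x25\x37\x34`;

// A constructed three-layer sample modelled on the "mp3 code" section: key
// characters JS-hex escaped, then everything URL-escaped, then everything
// JS-hex escaped again. The URL is a placeholder, not the defacement's.
const INNER = "document.write('<embed src=\"http://example.invalid/audio.swf\" autostart=\"true\">')";
const MP3_SAMPLE = jsHexEscape(urlEscape(jsHexEscape(INNER, /[<>"'\/]/g)));

console.log(peelLayers(PAGE_FRAGMENT));    // { text: '<script', layers: [ 'js-string', 'url' ] }
console.log(peelLayers(MP3_SAMPLE).layers); // [ 'js-string', 'url', 'js-string' ]
```

Run it with node. The point of returning the layer order rather than just the plaintext is that the order is the stable part: the defacer can regenerate the hex bytes and variable names for every copy, but "js-string over url over js-string" around an embed tag is a pattern a detection rule can key on without ever evaluating the script. Decoding with string replacement, rather than feeding the sample to eval or a browser, also keeps the analysis passive.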

Variable Names


The "_0x9355" style of JavaScript variable names (the form emitted by common JavaScript obfuscator tools) implies that many documents were intended to be generated, each with unique variable names. This technique acts as obfuscation while attempting to evade fingerprinting by security applications such as anti-virus and intrusion detection systems.

Summary


The index.php defacement page, propagated to tens of thousands of recently compromised <InMotion Hosting> websites, displays a decorative brand promotion while loading a Flash file that appeared to be for audio but could not be recovered. A statistics tracking service was used, and a couple of fairly common techniques were used to obfuscate the JavaScript code in an apparent attempt to evade filtering and detection by security products.

UPDATES:

10/2/2011 - Added decoded dF function pastebin
10/8/2011 - Added open source Unescape tool.

Tuesday, August 30, 2011

DigiNotar Issued Fraudulent Google Certificate

<DigiNotar> is a Dutch Certificate Authority that issued a rogue SSL certificate to somebody in Iran on July 10th, 2011 for the wildcard domain name *.google.com. A certificate like this lets its holder carry out a man-in-the-middle attack against most of Google's services, including Gmail, Google+, and Google Docs, for any user whose browser trusts DigiNotar.

DigiNotar is a wholly owned subsidiary of VASCO Data Security International. On August 30, 2011 <VASCO released a public statement> acknowledging that its DigiNotar Certificate Authority infrastructure was hacked on July 19, 2011 and was used to issue fraudulent certificates for a number of domains, including google.com. <Some digging by F-Secure> found defacements left over from at least two separate intrusions that could be years old.

The Google Chrome browser <pins the specific set of CAs allowed to sign certificates for Google's domains>, which is reported to have protected Google Chrome users and is how the rogue certificate came to light: a user's browser refused it.

Mozilla suggested revoking trust in DigiNotar and <provides instructions for revoking the CA> in your local browser.


Fraudulent Digital Certificates Could Allow Spoofing (Aug 29, 2011)
<Microsoft Security Advisory (2607712)>

UPDATE (Aug 31, 2011):
<Mozilla pushes Firefox 6.0.1 update explicitly to revoke the DigiNotar CA>

Tuesday, July 26, 2011

Linux Version Number Bumped to 3.0

Linux 3.0 was released on July 22, 2011. The version number was bumped from 2.6.xx to 3.0 in honor of 20 years of Linux, without the large changes a major version number change would normally imply.

InfoWorld (July 22, 2011)

<InfoWorld - Linux 3.0 a steady step forward>

Sunday, May 22, 2011

Geany text editor

I wanted to take a second to point out a great tool that some might otherwise have overlooked: <Geany>. Based on <(Wiki)Scintilla>, Geany is a lightweight, cross-platform text editor with a familiar layout. Once the packaged plugins are all enabled, Geany goes from lightweight, simple IDE to system administration and configuration portal without missing a beat.


Geany is a tabbed file editor with a familiar layout. A left column shows a tree based navigation panel. This doubles as a file browser, project file browser, and symbol list for the current file. A panel across the bottom can switch between compiler output, messages, and a terminal.

The IDE capabilities of Geany are pretty simple. It has most of the text editing bells and whistles one is accustomed to, including syntax highlighting, code folding, and auto-completion. Aside from the integrated terminal, Geany can be configured to do simple make, build, and execute operations, although there doesn't seem to be any debugger integration.

When run with elevated privileges, Geany makes a handy GUI administration tool: quick file navigation, tabbed file editing, and a terminal combine into an efficient workflow. If you're already running a GUI, you can be a terminal warrior and still have the luxury of a GUI file editor. Keep in mind that the editor, its plugins, and the embedded terminal all run as root in that mode, so reserve it for a workstation you trust.

Geany is a very lightweight text editor released under the GNU General Public License. Its lightweight GTK+ base makes it a good fit for most window managers and platforms. Geany is a common package, included in most Linux repositories (like Ubuntu's), and even has a Windows binary release available.

Geany is definitely a lightweight, handy, and flexible tool that shouldn't be overlooked.