Darknet - The Darkside

Don`t Learn to HACK - Hack to LEARN. That`s our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on RSS or Twitter for the latest updates.

17 April 2014 | 325 views

Royal Canadian Mounted Police Arrest Heartbleed Hacker

Secure Your Website with Acunetix

The Heartbleed Bug was the big thing last week and honestly pretty much the biggest thing this year so far.

And it turns out someone has been caught using the Heartbleed bug in a malicious way and in Canada no less. The young Heartbleed hacker goes is a 19 year old Stephen Arthuro Solis-Reyes and hails from London, Ontario.

It seems he was using Heartbleed against the tax system in Canada (CRA or the Canada Revenue Agency).

Hearbleed Hacker in Canada

Cops in Canada have arrested a teen they believe to be behind an attack on the country’s tax system using the Heartbleed bug.

The Royal Canadian Mounted Police (RCMP) said 19-year-old Stephen Arthuro Solis-Reyes of London, Ontario, was cuffed and charged with the unauthorized use of a computer and criminal mischief in relation to the theft of taxpayers’ personal records from the Canada Revenue Agency (CRA).

“The RCMP treated this breach of security as a high priority case and mobilized the necessary resources to resolve the matter as quickly as possible,” assistant commissioner Gilles Michaud said in a statement.

“Investigators from National Division, along with our counterparts in [Ontario] Division have been working tirelessly over the last four days analyzing data, following leads, conducting interviews, obtaining and executing legal authorizations and liaising with our partners.”

He must be pretty n00b tbh if he wasn’t proxying/bouncing his IP around/using TOR/VPNs etc and gets caught in 4 days. But the majority of people that get caught for ‘hacking’ are at that level – script kiddy level.

They get a tool like Heartbleed, and run it against a server without really understanding what is going on – and how easily they can be caught. And then boom – they are in prison trying not to drop the soap.

Solis-Reyes is alleged to have exploited the Heartbleed vulnerability, present in OpenSSL running on the CRA’s servers, to swipe 900 social insurance numbers. The CRA believes that whoever hacked the systems gathered the sensitive information during a six-hour window on April 9, which was after the first public reports of the flaw and before the computers were patched.

The attack marked one of the first known instances of hackers actively exploiting the Heartbleed condition in the wild to steal user data. Though if reports are to be believed, the NSA and (likely) other government organizations have been exploiting the flaw for years in order to gather intelligence info.

The RCMP reported that it arrested Solis-Reyes without incident on April 15. The Mounties also seized computer equipment from his home. He is scheduled to appear before a court in Ottawa on July 17 to begin trial.

The investigation is still ongoing, although the Mounties did not report of any other persons involved in the attack.

So far I haven’t seen anyone else getting arrested for exploiting Heartbleed, and by now Stephen is pretty much World famous. It’ll be interesting to see if any other cases come out, I’m not sure if social insurance numbers are valuable in Canada – or if you could do anything with them – or sell them?

Here’s the algorithm and analysis – Social Insurance Number Authentication

Source: The Register



15 April 2014 | 1,816 views

Kvasir – Penetration Testing Data Management Tool

Penetration Testing Data Management can be a nightmware, because well you generate a LOT of data and some information when conducing a penetration test, especially using tools – they return lots of actual and potential vulnerabilitites to review. Port scanners can return thousands of ports for just a few hosts. How easy is it to share all this data with your co-workers?

Kvasir - Penetration Testing Data Management Tool

Features

That’s what Kvasir is here to help you with. Here’s what you’ll need to get started:

  • The latest version of web2py
  • A database (PostgreSQL known to work)
  • A network vulnerability scanner (Nexpose/Nmap supported)
  • Additional python libraries
  • Kvasir is a web2py application and can be installed for each customer or task.

Tools Supported

At current release, Kvasir directly supports the following tools:

This design keeps data separated and from you accidentally attacking or reviewing other customers.

This tool was developed primarily for the Cisco Systems Advanced Services Security Posture Assessment (SPA) team. While not every method used by the SPA team may directly relate we hope that this tool is something that can be molded and adapted to fit almost any working scenario.

Installation

Kvasir was primarily designed for use on short customer-focused engagements. A directory ‘application’ for each customer would be used allowing for much stronger data separation.

For example lets assume two customers, Foo Widgets and Bar Napkins.

Data for each customer is stored in /opt/data/$CUSTOMERNAME

Install Kvasir in each customer’s directory:

git clone https://github.com/KvasirSecurity/Kvasir /opt/data/foowidgets/kvasir
git clone https://github.com/KvasirSecurity/Kvasir /opt/data/barnapkins/kvasir

Now symbolically link Kvasir to the web2py application directory:

ln -s /opt/data/foowidgets/kvasir $WEB2PY_HOME/applications/foowdigets
ln -s /opt/data/barnapkins/kvasir $WEB2PY_HOME/applications/barnapkins

Create unique databases:

sudo su - postgres
createdb -O pguser foowidgets
createdb -O pguser barnapkins

Copy the kvasir.yaml.sample to kvasir.yaml and change the defaults:

db->kvasir->uri

Or read more here.


09 April 2014 | 2,812 views

Heartbleed Bug SSL Vulnerability – Everything You Need To Know

Introduction

So the Internet has been exploding this week due to the Heartbleed Bug in OpenSSL which effects a LOT of servers and websites and is being hailed by some as the worst vulnerability in the history of the Internet thus far.

Heartbleed Bug

The main info on the bug can be found at http://heartbleed.com/. In basic terms, it allows you to grab 64kb chunks of whatever is stored in RAM on the server as long as it’s using a vulnerable version of OpenSSL with Heartbeat enabled.

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

Who needs the NSA when we have this eh?

So ya this is really serious, a scanner was released before anyone had chance to patch it and huge sites like Yahoo! Mail were vulnerable and exposing user passwords to anyone who used Heartbleed against it.

Everyone scrambled to fix it fast though, which is good – as it’s a major vulnerability. As can be seen in this picture, the plain text user passwords for Yahoo! mail were being leaked.

Hashing is irrelevant in this case, as the hash and hash comparison are done on the server side, so the plain text password is stored in memory at some point.

Yahoo! Heartbleed

The bad part of it is that there’s no way to tell if it’s been exploited as there’s no crash, no damage, it just spits out the data to whoever runs the exploit.

There’s a good analysis of the actual code involved here:

Diagnosis of the OpenSSL Heartbleed Bug

What Should I Do?

Well you need to check if any of the servers you manage or run are using a vulnerable version of OpenSSL, from my experience if you are still on Ubuntu 10.04 LTS you are safe from this, as it uses OpenSSL 0.9.8 without heartbeat functionality.

If you are using Ubuntu 12.04 LTS (any subversion) then you ARE vulnerable and need to update ASAP.

IF you want to scan your servers you can grab the scanning script here:

heartbleed.py

There are also a couple of online scanners you can use (just beware of false positives).

- http://rehmann.co/projects/heartbeat/
- http://filippo.io/Heartbleed/

On the server side, you can check your OpenSSL version with:

openssl version -a

Don’t pay attention to the version or date, but look at the build date – it should be AFTER April 7th.

Something like this would be a vulnerable version:

OpenSSL 1.0.1 14 Mar 2012
built on: Wed Jan 8 20:45:51 UTC 2014

After updating it should look like:

OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr 7 20:33:29 UTC 2014

How Do I Fix It?

For the majority of people, someone else probably hosts your sites and infrastructure, so you don’t need to worry that much – just change your passwords if you’re paranoid and make sure you enable 2 factor auth for anything that supports it.

Services like the Linode Nodebalancer with SSL termination have been updated, but do bear in mind your secret key could have been leaked (although, logically that’s pretty unlikely).

Linode – Heartbleed

On Ubuntu 12.04 it’s as simple as doing aptitude update; aptitude safe-upgrade -y; and then restarting all relevant services, or simply rebooting.

Ensure the build date is at minimum 2014-04-07.

If you want to check what services are using OpenSSL you can do:

lsof -n | grep ssl | grep DEL

That fixes the bug, but remember it doesn’t change the fact that your secret keys/passwords could have been leaked, there has also been reports of 2FA session tokens being leaked among other stuff.

So to be secure, you really need to revoke all your SSL certificates, regenerate a new private key and csr, and regenerate your SSL certs.

And of course, change all your passwords.

More Reading

- Amazon Linux AMIs are updated.
- Why Heartbleed is the most dangerous security flaw on the web
- Critical crypto bug exposes Yahoo Mail, other passwords Russian roulette-style
- Hacker News – The Heartbleed Bug
- Reddit – The Heartbleed Bug


07 April 2014 | 1,383 views

Sysdig – Linux System Troubleshooting Tool

Sysdig is open source, Linux System Troubleshooting Tool: capture system state and activity from a running Linux instance, then save, filter and analyze. Think of it as strace + tcpdump + lsof + awesome sauce. With a little Lua cherry on top.

Sysdig

Sysdig was born from a team’s constant frustration. System level troubleshooting is just way more of a pain than it should be — especially in distributed, virtualized, and cloud-based environments. So they took the lessons they learned while building network monitoring tools like WinPCap and Wireshark and created a new kind of system troubleshooting tool for Linux.

Sysdig captures system calls and other system level events using a linux kernel facility called tracepoints, which means much less overhead than strace.

It then “packetizes” this information, so that you can save it into trace files and filter it, a bit like you would do with tcpdump. This makes it very flexible to explore what processes are doing.

Sysdig is also packed with a set of scripts that make it easier to extract useful information and do troubleshooting.

To install Sysdig, just run this with sudo or as root:

curl -s https://s3.amazonaws.com/download.draios.com/stable/install-sysdig | sudo bash

Or read more here.


03 April 2014 | 577 views

Oracle Java Cloud Service Vulnerabilities Publicly Disclosed

Security researches from the Polish firm Security Explorations have released a massive slew of PoC code and technical details on 30 Oracle Java Cloud Service Vulnerabilities.

Java Cloud Vulnerabilities

It seems like they had already reported them to Oracle, but weren’t happy with how things were handled, so have decided to go public with the weaknesses. They gave them a fair amount of time too, over 2 months to address the issues in the cloud data centers.

As a fairly new service though, it seems Oracle is having some issues with policies and handling incidents like this for their cloud service.

Security researchers released technical details and proof-of-concept code for 30 security issues affecting Oracle’s Java Cloud Service, some of which could allow attackers to compromise business-critical Java applications deployed on it.

Researchers from Polish security firm Security Explorations, who found many Java vulnerabilities in the past, decided to publicly disclose the Java Cloud Service security weaknesses because they weren’t satisfied with how Oracle handled their private report.

“Two months after the initial report, Oracle has not provided information regarding successful resolution of the reported vulnerabilities in their commercial cloud data centers (US1 and EMEA1 respectively),” Adam Gowdiak, the CEO and founder of Security Explorations, said Wednesday via email.

“Instead, a year and a half after the commercial availability of the service, Oracle communicates that it is still working on cloud vulnerability handling policies,” he said. “Additionally, the company openly admits that it cannot promise whether it will be communicating resolution of security vulnerabilities affecting their cloud data centers in the future.”

The Oracle Java Cloud Service allows customers to run Java applications on WebLogic server clusters in data centers operated by Oracle. The service provides “enterprise security, high availability, and performance for business-critical applications,” Oracle says on its website.

According to a disclosure timeline published by Security Explorations, the company notified Oracle of 28 security issues on Jan. 31 and another two issues on Feb. 2.

It seems like Oracle has a fair amount of security measures built into the Java cloud (whitelisting, sandboxes etc) – but they don’t work properly. Which in my view, is often more dangerous than having none at all.

If people know there are no security measures, they will act and configure accordingly – especially for tech-centric platforms like this. But when the vendor, in this case Oracle, claims there are strong security measures in place – people will tend to relax their own implementation a little.

The reported issues include bypasses of the Java security sandbox, bypasses of the Java API whitelisting rules, the use of shared WebLogic server administrator passwords, the availability of security-sensitive plaintext user passwords in Policy Store, the use of outdated Java SE software on the service that was lacking around 150 security fixes, and issues that enable a remote code execution attack against a WebLogic server instance used by other Oracle Java Cloud users.

“We found a way for a given user of Oracle Java Cloud service to gain access to applications and data of another user of the service in the same regional data center,” Gowdiak said. “By access we mean the possibility to read and write data, but also execute arbitrary (including malicious) Java code on a target WebLogic server instance hosting other users’ applications; all with Weblogic server administrator privileges. That alone undermines one of key principles of a cloud environment — security and privacy of users data.”

Potential attackers only need one-time access to the service to learn its specifics and can later break into all Java Cloud user accounts from the public Internet, Gowdiak said. Attacks can also be carried out from trial accounts because there’s no separation between trial users and paying customers in the regional data centers, he said.

Oracle confirmed the 30 vulnerabilities on Feb. 12, but failed to provide Security Explorations with a monthly report on their status in March, as it had been agreed, Gowdiak said.

They are some quite serious issues too, allowed users to gain access to userspace of another user in the same regional DC. Oracle has confirmed the vulnerabilities, but as of yet – has failed to provide any status updates regarding fixes/improvements/patches etc.

The attacks can also be carried out from a trial user account as there is no separation between trial users and paying customers. It seems like a generally poor architecture and sloppy design by Oracle – I hope this makes them really step up their game.

Source: Network World


01 April 2014 | 1,175 views

Agnitio v2.1 Released – Manual Security Code Review Tool

A tool to help developers and security professionals conduct manual security code reviews in a consistent and repeatable way. Agnitio aims to replace the adhoc nature of manual security code review documentation, create an audit trail and reporting.

It hasn’t been updated for a fair while sadly, and v2.1 was released in 2011 – but still it’s a useful tool and a decent update. The last time we wrote about it was when Agnitio v2.0 was released back in August 2011.

Agnitio - Security Code Review

The major changes in v2.1 are listed below:

  • Windows x64 support
  • Automatically decompile Android .apk application to easily analyse the apps source code
  • Application profiles now have an application type of either web or mobile which allows only relevant checklist items to be displayed during the security code review
  • Create new checklist questions and mark them as web or mobile
  • C# and Java rules from the OWASP Code Crawler project have been imported into the Agnitio database and linked to relevant checklist questions

You can download Agnitio v2.1 here:

x64 – Agnitio x64.zip
x86 – Agnitio x86.zip

Or read more here.


26 March 2014 | 721 views

Security Vendor Trustwave Named In Target Suit

You might remember earlier in March, the Target CIO resigned due to the huge breach in December last year.

Now in an unprecedented move, the banks are suing Target’s security vendor – Trustwave. It’s a class-action suit accusing them of failing to detect the breach. It seems a bit of a stretch though, there’s no such thing as 100% as we all know, holding the security vendor responsible in this case seems a little unfair.

Trustwave

Security vendor Trustwave was accused in a class-action suit of failing to detect the attack that led to Target’s data breach, one of the largest on record.

Target, which is also named as a defendant, outsourced its data security obligations to Trustwave, which “failed to live up to its promises or to meet industry standards,” alleged the suit, filed Monday in U.S. District Court for the Northern District of Illinois.

Plaintiffs Trustmark National Bank of New York and Green Bank of Houston claim Target and Trustwave failed to stop the theft of 40 million payment card details and 70 million other personal records.

The lawsuit, one of dozens filed against Target, illustrates the growing frustration of banks burdened with the costs of reissuing compromised cards and their willingness to pull in other companies viewed as culpable into legal battles.

Support agreements between companies and security vendors are often confidential, and it was not clear from the suit how the banks determined Trustwave was one of Target’s contractors.

A Trustwave spokeswoman said Tuesday via email the company doesn’t confirm its customers or comment on pending legal matters. Target also said it also does not comment on pending litigation.

Everything factual seems to be legally shielded at the moment, as I would expect with any type of infosec related vendor. There will be NDAs in place and Trustwave have already stated that it’s against their policy to acknowledge who their clients are.

Also details about lawsuits don’t tend to come out until all parties are satisfied and the discussions are over.

The suit contends Target retained Trustwave to monitor its computer systems and ensure compliance with PCI-DSS, an industry security recommendation pushed by MasterCard and Visa to protect cardholder data from leaking.

Trustwave claims on its website to provide guidance to millions of businesses for compliance with PCI standards with testing and assessment teams.

Trustwave scanned Target’s network on Sept. 20, 2013 and told Target no vulnerabilities were found, the suit alleges.

Target has said it believed attackers stole the data between Nov. 27, 2013, and Dec. 15, 2013, via malicious software installed on point-of-sale devices.

The malware collected unencrypted payment card details after a card was swiped and briefly held in a computer’s memory, capitalizing on a unknown weakness despite years of efforts to harden payment systems.

U.S. banks have spent more than US$172 million reissuing cards, the suit said, citing figures from the Consumer Banker Association. The total cost of the breach to retailers and banks could exceed $18 billion, the suit claims.

The suit, which asks for a jury trial, seeks unspecified compensatory and statutory damages.

I don’t really think Trustwave is at fault here, from what I understand they are simply conducting PCI compliance scans. Which doesn’t cover any kind of deep, long term attack like this.

It covers basic, off the shelf, non zero-day vulnerabilities in software and web services. I think we’ll have to wait a little longer to get more details.

Source: Network World


17 March 2014 | 3,345 views

Blackhash – Audit Passwords Without Hashes

A traditional password audit typically involves extracting password hashes from systems and then sending those hashes to a third-party security auditor or an in-house security team. These security specialists have the knowledge and tools to effectively audit password hashes. They use password cracking software such as John the Ripper and Hashcat in an effort to uncover weak passwords.

Password Hashes

However, there are many risks associated with traditional password audits. The password hashes may be lost or stolen from the security team. A rogue security team member may secretly make copies of the password hashes. How would anyone know? Basically, once the password hashes are given to the security team, the system manager must simply trust that the password hashes are handled and disposed of securely and that access to the hashes is not abused.

Blackhash works by building a bloom filter from the system password hashes. The system manager extracts the password hashes and then uses Blackhash to build the filter. The filter is saved to a file, then compressed and given to the security team. The filter is just a bitset that contains ones and zeros. It does not contain the password hashes or any other information about the users or the accounts from the system. It’s just a string of ones and zeros. You may
view a Blackhash filter with a simple text editor. It will look similar to this:

00000100000001000100001

When the security team receives the filter, they use Blackhash to test it for known weak password hashes. If weak passwords are found, the security team creates a weak filter and sends that back to the system manager. Finally, the system manager tests the weak filter to identify individual users so that they can be contacted and asked to change passwords.

This enables you to audit passwords without actually giving out the hashes.

Pros

  • Password hashes never leave the system team.
  • Works with any simple, un-salted hash. LM, NT, MD5, SHA1, etc.
  • Security auditors do not have to transmit, handle or safe-guard the password hashes.
  • Anonymizes the users. The filter contains no data about the users at all.

Cons

  • Slower than traditional password cracking methods.
  • More complex than traditional password cracking methods.
  • Bloom Filters may produce a few false positives (very few in this case).

You can download Blackhash here:

Source – Blackhash_0.2.tar.gz
Windows – bh.exe

Or read more here.


14 March 2014 | 1,389 views

NSA Large Scale TURBINE Malware Also Target Sysadmins

So more revelations coming out about the NSA from the latest batch of documents leaked by Edward Snowden.

This time they detail a huge malware infection system created for widespread infections, it seems fairly advanced with the ability to spit out different types of malware depending on the target. Other than the TURBINE malware engine, there’s also some other interesting stuff like HAMMERSTEIN and HAMMERCHANT designed to intercept and snoop on VoIP and VPN connections.

NSA Turbine Malware

The latest batch of top-secret intelligence documents from the hoard collected by NSA whistleblower Edward Snowden detail the massive increase in the agency’s use of its Tailored Access Operations (TAO) hacking unit – including a system dubbed TURBINE that can spam out millions of pieces of sophisticated malware at a time.

The presentation slides, published by The Intercept, show that 10 years ago the NSA had infiltrated and tapped a modest number of computers, but has since hugely bolstered its toolkit and increased its target list. Within eight years, the number of active pieces of implanted spyware was in the tens of thousands, and slides show an extensive arms catalog of malware for the TAO team to choose from.

“One of the greatest challenges for active SIGINT/attack is scale,” explained one presentation from 2009, marked top secret. “Human ‘drivers’ limit ability for large-scale exploitation (humans tend to operate within their own environment, not taking into account the bigger picture).”

The solution was to build TURBINE, which can carry out “automated implants by groups instead of individually,” and scale to operate millions of implants at a time. This command-and-control server includes an “expert system” that automatically picks the right malware for a victim and installs it on their computer, thus “relieve the [TURBINE] user from needing to know/care about the details.”

It’s some interesting stuff with discussions about scaling SIGINT attacks, there’s some pretty detailed analysis over here:

How the NSA Plans to Infect ‘Millions’ of Computers with Malware

Which includes decryption technology and plug-ins to grab web browsing logs, key strokes and record from the microphone.

TURBINE was active from at least July 2010, the documents state, and has infected up to 100,000 devices and machines, with more planned. According to the agency’s 2013 budget files, some of the $67.6m of taxpayer dollars allocated to the NSA’s TAO team went to maintaining and developing the system.

TURBINE also links into a NSA sensor system dubbed TURMOIL, which taps into computer networks around the world to monitor data traffic and identify potential targets. It can track down a mark from their email address or IP address, which device he or she is using, or by web cookies from Google, Microsoft, Twitter, Yahoo! and others.

While terrorist targets are mentioned, it’s clear from the documents that system administrators are also high on the todo list for the TAO team. One comment on an internal NSA message board system was titled simply: “I hunt sys admins.”

“Sys admins are a means to an end,” it states. “Once you have control of the IT manager’s computer then it’s easy to monitor any “government official that happens to be using the network some admin takes care of.”

Pwning the sysadmin is useful for malware attacks against large commercial routers and to defeat VPNs. The documents detail two pieces of NSA-developed malware, HAMMERCHANT and HAMMERSTEIN, which are designed to sit on routers and eavesdrop on VoIP traffic, and grab encryption keys to decrypt supposedly secure VPN connections, all in real time.

Targeting sysadmins is a means to an end, as if you can compromise them – you pretty much have access to everything, including core routers/switches/firewalls/vpn concentrators etc.

Plus servers and more if you can get hold of their SSH private key or passwords from keylogging/file grabbing etc.

Pretty hardcore stuff.

Source: The Register


11 March 2014 | 1,595 views

ODA – Online Web Based Disassembler

ODA stands for Online DisAssembler. ODA is a general purpose machine code disassembler that supports a myriad of machine architectures. Built on the shoulders of libbfd and libopcodes (part of binutils), ODA allows you to explore an executable by dissecting its sections, strings, symbols, raw hex, and machine level instructions.

ODA is an online Web Based Disassembler for when you don’t have time or space for a thick client.

ODA - On-line Web Based Disassembler

You can use it for a variety of purposes such as:

  • Malware analysis
  • Vulnerability research
  • Visualizing the control flow of a group of instructions
  • Disassembling a few bytes of an exception handler that is going off into the weeds
  • Reversing the first few bytes of a Master Boot Record (MBR) that may be corrupt
  • Debugging an embedded systems device driver

You can check out the online disassembler here:

http://onlinedisassembler.com/odaweb/