So a pretty serious remote vulnerability has been discovered in Windows 7, as usual Microsoft is downplaying the problem asking you to block the ports on your firewall rather than fixing the issue.

I’d imagine the problem would only really be a big issue inside networks as who exposes SMB ports to the outside world anyway (TCP ports 139 and 445).

But as we all know, the biggest threat to corporate network security ALWAYS comes from the inside.

Microsoft late on Friday confirmed that an unpatched vulnerability exists in Windows 7, but downplayed the problem, saying most users would be protected from attack by blocking two ports at the firewall.

In a security advisory , Microsoft acknowledged that a bug in SMB (Server Message Block), a Microsoft-made network file- and print-sharing protocol, could be used by attackers to cripple Windows 7 and Windows

The zero-day vulnerability was first reported by Canadian researcher Laurent Gaffie last Wednesday, when he revealed the bug and posted proof-of-concept attack code to the Full Disclosure security mailing list and his blog. According to Gaffie, exploiting the flaw crashes Windows 7 and Server 2008 R2 systems so thoroughly that the only recourse is to manually power off the computers.

At the time, Microsoft only said it was investigating Gaffie’s reports.

And well let’s face is, this is not the first time that a serious flaw that can be remotely exploited has been discovered in SMB.

It doesn’t seem like the most secure of protocols, I really doubt Microsoft developed it using SDL (Security Development Lifecycle).

It seems in this case though it’s limited to a DoS attack, perhaps due to all the fancy security controls Microsoft has implemented in the Windows 7 kernel.

Then on Friday, it took the next step and issued the advisory. “Microsoft is aware of public, detailed exploit code that would cause a system to stop functioning or become unreliable,” Dave Forstrom, a spokesman for Microsoft security group, said in an e-mail. “The company is not aware of attacks to exploit the reported vulnerability at this time.”

Forstrom echoed Gaffie’s comments earlier in the week that while an exploit could incapacitate a PC, the vulnerability could not be used by hackers to install malicious code on a Windows 7 system.

Both SMBv1 and its successor, SMBv2, contain the bug. “Windows Vista, Windows Server 2008, Windows XP, Windows Server 2003 and Windows 2000 are not affected,” assured Forstrom.

Attacks could be aimed at any browser, not just Internet Explorer (IE), Microsoft warned. After tricking users into visiting a malicious site or a previously-compromised domain, hackers could feed them specially-crafted URIs (uniform resource identifier), and then crash their PCs with malformed SMB packets.

Even so, I’m sure a skilled attacker could probably work out a way to drop some malicious code into the OS using this PoC and well if I know the underground they probably already are.

This vulnerability is the first official zero-day reported and confirmed by Microsoft in Windows 7 since the new operating system went on sale October 22nd.

I’m sure there will be many more.

Source: Network World

Tags:  hacking-windows,  microsoft,  microsoft security,  smb exploit,  smb flaw,  windows,  windows 7,  windows 7 0day,  windows 7 exploit,  windows 7 oday,  windows 7 security,  windows 7 vulnerability,  windows vulnerability,  windows-exploit,  windows-security

The Katana: Portable Multi-Boot Security Suite is designed to fulfill many of your computer security needs. The idea behind this tool is to bring together many of the best security distributions and applications to run from one USB Flash Drive. Instead of keeping track of dozens of CDs and DVDs loaded with your favorite security tools, you can keep them all conveniently in your pocket.

Katana includes distributions which focus on Penetration Testing, Auditing, Password Cracking, Forensics and Honey Pots. Katana comes with over 100 portable Windows applications, such as Wireshark, HiJackThis, Unstoppable Copier, Firefox, and OllyDBG. It also includes the following distributions:

• Backtrack 4 pre
• the Ultimate Boot CD
• Ophcrack Live
• Damn Small Linux
• the Ultimate Boot CD for Windows
• Got Root? Slax
• Organizational Systems Wireless Auditor (OSWA) Assistant
• Damn Vulnerable Linux

Katana is also highly customizable. You can modify Katana by adding or removing distributions and portable apps with ease. You can add functionality to distributions like the Ultimate Boot CD, Got Root? Slax and UBCD4Win. You can also load your personal scripts and documents to keep them conveniently with
you on your flash drive to use in concert with the provided tools.

You can download Katana v1 here:

katana-v1.rar

Or read more here.

Tags:  auditing,  backtrack,  boot from usb,  damn small linux,  damn-vulnerable-linux,  dvl,  firefox,  Forensics,  got root,  hack from a cave,  hackfromacave,  hijackthis,  honey pots,  katana kyuzo,  katana v1,  mult-boot security distro,  ollydbg,  Ophcrack,  ophcrack live,  oswa,  Password Cracking,  pen-testing,  penetration-testing,  UBCD,  unstoppble copier,  usb security tools,  wireshark

When this SSL Renegotiation bug hit the news, most people said it was a theoretical attack and was of no practical use in the real world.

But then people tend to say that about most things don’t they until they get pwned up the face.

It turns out the rather obscure SSL flaw can be used to take over user accounts from websites that use API’s and especially those utilizing 3rd party clients (Twitter being the biggest but a lot of people are accessing Facebook now using clients too).

A Turkish grad student has devised a serious, real-world attack on Twitter that targeted a recently discovered vulnerability in the secure sockets layer protocol.

The exploit by Anil Kurmus is significant because it successfully targeted the so-called SSL renegotiation bug to steal Twitter login credentials that passed through encrypted data streams. When the flaw surfaced last week, many researchers dismissed it as an esoteric curiosity with little practical effect.

For one thing, the critics said, the protocol bug was hard to exploit. And for another, they said, even when it could be targeted, it achieved extremely limited results. The skepticism was understandable: While attackers could inject a small amount of text at the beginning of an authenticated SSL session, they were unable to read encrypted data that flowed between the two parties

So even though the fella couldn’t decrypt or read the data in the session, he could manipulate it in such a way that it spat out the goodies using the Twitter API.

It’s a very neat attack if you ask me, especially if you executed it via DM (Direct Message) it’s pretty unlikely anyone would notice their account had been ‘hacked’.

Perhaps this is how the bad guys have been doing it for a while because I do see an awful lot of hijacked accounts on Twitter and the owners have no idea why (they hadn’t logged in to any dodgy sites with OAuth or their Twitter credentials).

Despite those limitations, Kurmus was able to exploit the bug to steal Twitter usernames and passwords as they passed between client applications and Twitter’s servers, even though they were encrypted. He did it by injecting text that instructed Twitter’s application protocol interface to dump the contents of the web request into a Twitter message after they had been decrypted.

“My point is I think that it’s not so hard to make it work,” said Kurmus, who lives in Zurich and recently completed his masters thesis at the Eurecom Institute. “Maybe some other people did the same thing and did not make it public, so this is why I think it’s important that people would take this bug more seriously.”

Twitter proved an ideal platform to carry out the attack for several reasons. First, every request sent over the microblogging site includes the account holder’s username and password. Second, the site’s API made it easy to post the contents of the intercepted data stream into a message that an attacker could then retrieve.

Twitter has apparently plugged the hole from their side, but as the flaw in SSL itself it seems only one vendor is near to issuing a patch (OpenSSL).

If you extrapolate a little though, this attack could work on anything with a POST/GET interface on the web running on SSL – like Gmail for example.

I hope companies get to patching and plug this hole as it can be carried out all too quietly and wreak a whole lot of havoc!

Source: The Register

Tags:  hacking ssl,  hacking twitter,  hacking-networks,  network-security,  SSL,  ssl bug,  ssl flaw,  ssl renegotiation,  ssl renegotiation bug,  ssl security,  ssl vulnerability,  twitter,  twitter flaw,  twitter security

It’s been quite a while since we’ve written about Cain & Abel, one of the most powerful tools for the Windows platform (back in 2007 here).

Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort. It covers some security aspects/weakness present in protocol’s standards, authentication methods and caching mechanisms; its main purpose is the simplified recovery of passwords and credentials from various sources, however it also ships some “non standard” utilities for Microsoft Windows users.

Cain & Abel has been developed in the hope that it will be useful for network administrators, teachers, security consultants/professionals, forensic staff, security software vendors, professional penetration tester and everyone else that plans to use it for ethical reasons. The author will not help or support any illegal activity done with this program. Be warned that there is the possibility that you will cause damages and/or loss of data using this software and that in no events shall the author be liable for such damages or loss of data. Please carefully read the License Agreement included in the program before using it.

The latest version is faster and contains a lot of new features like APR (Arp Poison Routing) which enables sniffing on switched LANs and Man-in-the-Middle attacks. The sniffer in this version can also analyze encrypted protocols such as SSH-1 and HTTPS, and contains filters to capture credentials from a wide range of authentication mechanisms. The new version also ships routing protocols authentication monitors and routes extractors, dictionary and brute-force crackers for all common hashing algorithms and for several specific authentications, password/hash calculators, cryptanalysis attacks, password decoders and some not so common utilities related to network and system security.

Most recently added is the support for Windows 2008 Terminal Server in APR-RDP sniffer filter.

You can download Cain & Abel v4.9.35 here:

ca_setup.exe

Or read more here, the online user manual is here.

Tags:  abel,  arp poison routing,  arp sniffer,  arp spoofing tool,  arp-spoofing,  brute forcing tool,  brute-force,  brute-forcing,  cain,  cain&abel,  cain-&-abel,  Cain-and-Abel,  cracking passwords,  Hacking Tools,  Network Hacking,  network-cracker,  network-cracking,  network-sniffing,  Password Cracking,  password cracking tool,  password decoder,  password-cracker,  Windows Hacking,  windows hacking tool

The ‘big’ news this week was the first self-replicating worm hit the iPhone, it only seemed to be spreading in Australia though and only worked under a specific set of circumstances.

It only effects iPhone users that have jailbroken their phone and have the SSH software installed with a default password of alpine.

Thankfully it’s not particularly malicious unless you are allergic to Rick Astley.

iPhone owners in Australia awoke this weekend to find their devices targeted by self-replicating attacks that display an image of 1980s heart throb Rick Astley that’s not easily removed. The attacks, which researchers say are the world’s first iPhone worm in the wild, target jailbroken iPhones that have SSH software installed and keep Apple’s default root password of “alpine.” In addition to showing a well-coiffed picture of Astley, the new wallpaper displays the message “ikee is never going to give you up,” a play on Astley’s saccharine addled 1987 hit “Never Gonna Give You Up.”

Tricking victims in to inadvertently playing the song has become a popular prank known as Rickrolling. A review of some of the source code, shows that the malware, once installed, searches the mobile phone network for other vulnerable iPhones and when it finds one, copies itself to them using the the default password and SSH, a Unix application also known as secure shell. People posting to this thread on Australian discussion forum Whirlpool first reported being hit on Friday.

A new twist on the rickrolling phenomena at least, and of course the good thing for the rest of the World is that the infection seems to be fairly localized.

To me it’s more of a PoC (Proof of Concept) than anything else, but it is a neat piece of programming and shows what some malicious minds could put together if they wanted to target iPhones.

From the authors perspective he just wants to let people know that if they are gonna mess with their iPhone they better secure their shit.

The attack is a wakeup call for anyone who takes the time to jailbreak an iPhone. While the hack greatly expands the capabilities of the Apple smartphone, it can also make it more vulnerable. Programs such as OpenSSH, which can only be installed after iPhones have undergone the procedure, can be extremely useful, but if owners haven’t bothered to change their root password, the programs also represent a gaping hole waiting to be exploited.

Indeed, a hacker going by the moniker ikee and claiming to be responsible for the worm said here that he wrote the program to bring awareness to the widely followed practice of failing to change the iPhone’s password.

“I was quite amazed by the number of people who didn’t RTFM and change their default passwords,” the unidentified worm writer said. “I admit I probably pissed of [sic] a few people, but it was all in good fun (well ok for me anyway).”

Ikee said the worm disables the SSH daemon so it can’t be targeted further.

And in the true hacker spirit, the worm disables SSH so it can’t get infected again or hacked by anyone else.

It doesn’t takes skills to own the box, it takes skills to stay on the box

Source: The Register

Tags:  apple iphone,  apple iphone security,  apple iphone virus,  australia,  iphone,  iphone malware,  iphone security,  iphone virus,  iphone worm,  jailbreak,  jailbroken,  rick astley,  rickroll,  rickrolled

Turbodiff is a binary diffing tool developed as an IDA plugin. It discovers and analyzes differences between the functions of two binaries.

Requirements

“Turbodiff 1.01 beta release 1″ works with IDA starting from v5.0.

Instructions

For the binaries:
Download the plugin and store it at the directory “..\IDA\plugins”.

If you want to compile it on your own: We have compiled it and tested it using Borland C. For the free version of IDA Pro (4.9) you’ll need to first:

1. Generate the ida_free.lib library. To do this execute: “implib -c ida_free.lib ida_free.def”
2. Next, you must have the linker use this library.
3. Compile.

Comparing two files:

1. Open the first file to be compared with IDA and run /Option 1 (take info from this idb)/ from the plugin. Close.
2. Open the second file to be compared with IDA and run /Option 1 (take info from this idb)/ from the plugin.
   Use /Option 2 (compare with…)/ from the plugin, and when prompted to select a file, select the first file.
3. Chose if you want a log file to be genreated and run. Once finished a functions table will popup (watch Figure 1) describing results. The results are then saved for later usage.

You can download Turbodiff here:

IDA PRO v4.9 Sources and plugin (Free version)
IDA starting with version v5 Sources and plugin

Or read more here.

Tags:  binary diff,  binary difference,  compare binaries,  compare binary files,  disassembler,  ida,  ida pro binary diff,  ida pro plugin,  IDA-pro,  turbo diff,  turbodiff

Facebook has had it’s fair share of security woes and the latest is the discovery of a new Trojan that uses Facebook to communicate.

Interesting that it’s using the Facebook notes feature to communicate depending on title/subject of the note.

The actual malware itself is spread through doc/pdf exploits and not through any flaws in Facebook itself.

Researchers at Symantec find a Trojan that uses Facebook to communicate with a command and control server.

The Trojan malware, known to Symantec as Whitewell, is being spread via e-mail through “documents (PDF, or MS Office formats) containing exploits for known vulnerabilities,” Andrea Lelli, a security analyst with Symantec Security Response, wrote on a Symantec blog Oct. 31. The malware works by contacting the mobile version of Facebook and using its Notes section. By analyzing the Trojan’s code, Lelli found that the Trojan will perform four different actions, depending on the notes’ titles that are found.

If the title is Wells, the note will contain the timedate stamp for when a machine was infected. If it is WebServer, however, the note will contain a URL to be contacted from which the Trojan will receive commands, Lelli wrote.

The malware can actually parse the data in Facebook, and post new notes itself meaning it is self-propagating according to whatever logic is programmed inside.

The ability of the trojan to do anything damaging is somewhat limited but it does show what could be achieved by using a social networking site as a command and control channel.

I’d imagine this won’t be the last we see and this could evolve into something much nastier.

If the note has the title ‘White’, it contains a URL that leads to an executable to be downloaded. If the title is anything else, the Trojan is programmed to wait, Lelli wrote.

This is not the first time social networks have been used to help control malware. In August, Arbor Networks researcher Jose Nazario uncovered a botnet using Twitter to communicate with its army of compromised machines.

According to Symantec, in this case, the documents containing the malware are made to look legitimate to conceal their intent, mimicking for example the names of well-known courier companies and utilizing popular headlines from the news media.

“Besides documents they can also spread the executables themselves, sending them with icons that resemble those that accompany legitimate documents, and with legit-looking file names such as ‘Competitive assessment.pdf .exe,’” Lelli wrote.

As with most attacks of this kind, the actual infection comes from lack of user knowledge and social engineering (double file extensions) as Windows STILL insists on hiding known file extensions from the user.

People have been falling for the old double-extension forever, I don’t see why Windows can’t just show extensions by default – do they scare people that much they have to be hidden?

Source: eWeek

Tags:  facebook,  facebook security,  facebook trojan,  facebook virus,  facebook-privacy,  online malware,  Privacy,  spam,  symantec,  trojan,  whitewell,  worm

It’s been a while since I’ve seen a tool of this type, back in the heydays of Google Hacking (which became the generic term for information gathering via search engines) there were multiple tools such as Gooscan and Goolag.

Binging is a simple tool to query Bing search engine. It will use your Bing API key and fetch multiple results. This particular tool can be used for cross domain footprinting for Web 2.0 applications, site discovery, reverse lookup, host enumeration etc. One can use various different directives like site, ip etc. and run queries against the engine. On top of it tool provides filtering capabilities so you can ask for unique URLs or hosts. It is also possible to filter results by applying power of regular expression. Get your Bing API key and use this tool for your audit, assessment and research.

You can download Binging here:

Binging.zip

Or read more here.

Tags:  bing,  binging,  domain enumeration,  domain footprinting,  google-hacking,  host enumeration,  information gathering,  information-leak,  Information-Security,  microsoft bing,  penetration-testing,  reverse lookup,  site discovery,  web-application-security,  web-applications

There have been a few stories about Windows 7, even one about Windows 7 UAC before and now it’s officially on sale I’d expect there to be many more.

As always malware and mass infections is a numbers game so the bad guys will always target the most popular and prolific operating systems to increase their chances of widespread infections.

For me personally UAC in Windows Vista was simply a pain in the ass, so much so I just turned it off completely as did most people rendering it completely ineffective. They seem to have toned it down in Windows 7 to make it less invasive and perhaps as a byproduct have made it less effective.

A researcher at Sophos reports putting Windows 7’s User Account Control feature to the test and finding the technology failed to block numerous pieces of malware. Microsoft, however, stresses that UAC is only one part of Windows 7’s security.

A researcher at Sophos called the UAC feature in Windows 7 ineffective after numerous pieces of malware snuck by the technology in a test.

Microsoft first introduced User Account Control in Windows Vista to improve security. After some users complained the number of alerts it generated were annoying, the company pledged to cut down on the number of prompts in Windows 7. The move however has raised concerns in the security community, and Sophos Senior Security Adviser Chester Wisniewski said his test proves Microsoft took it a step too far.

Wisniewski wrote on his blog Nov. 3 that seven of the 10 pieces of malware he tested ran with the default AUC enabled in Windows 7 without generating any prompts. As part of the test, no antivirus software was installed on the system. Two of the malware samples did not work in Windows 7; of the remaining eight, only one generated a prompt, and that one still would have been installed had the user clicked yes, Wisniewski told eWEEK.

I’d imagine it only throws an alert if the software being installed tries to modify system files or place itself in system directories (c:/windows etc).

That would make sense to me, and yes it would make it ineffective against malware and even more ineffective when the bad guys work out how it functions and adapt to that.

Nothing much new here though is it, run anything on Windows XP and you’ll get no warnings..so just be vigilant. I’d rather Microsoft try an educate people on good security practice rather than trying to implement half-arsed technical measures to protect against wetware ignorance.

When asked about the test, Microsoft officials pointed to the other features of Windows 7 that have improved security.

“Windows 7 is built upon the security platform of Windows Vista, which included a defense-in-depth approach to help protect customers from malware; this includes features like Security Development Lifecycle (SDL), User Account Control (UAC), Kernel Patch Protection, Windows Service Hardening, Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP),” a spokesperson said.

“Windows 7 retains all of the development processes, including going through the Security Development Lifecycle, and technologies that made Windows Vista the most secure Windows operating system ever released,” the spokesperson added. “Coupled with Internet Explorer 8—which includes added malware protection with its SmartScreen Filter—and Microsoft Security Essentials, Windows 7 provides flexible security protection against malware and intrusions.”.

All the above technologies are great and they do help a LOT when it comes to exploitation of vulnerabilities and trying to execute shell-code. But that’s not the biggest threat, the biggest threat is idiot users installing malware ‘by accident‘ on their own computers.

So yes, however obvious it may seem to us – you still need to install Anti-virus software on Windows 7.

Source: eWeek

Tags:  malware,  microsoft,  sophos,  trojan,  uac,  user access control,  viruses,  windows,  windows 7,  windows 7 malware,  windows 7 security,  windows 7 uac

UCSniff is a VoIP & IP Video Security Assessment tool that integrates existing open source software into several useful features, allowing VoIP and IP Video owners and security professionals to rapidly test for the threat of unauthorized VoIP and Video Eavesdropping. Written in C/C++, and available on Linux and Windows, the software is free and available for anyone to download, under the GPLv3 license.

Why?

UCSniff was created as a Proof of Concept demonstration tool and a method of creating awareness around VoIP/UC threats. It can be used by VoIP/UC Administrators to test their own VoIP or Video Infrastructure in a pilot before vulnerabilities are rolled into production. It can also be used by security professionals as a method of convincing IT decision makers that security best practices should be applied to VoIP/UC in the same way that they are applied to other TCP/IP based, client-server applications.

New Features

• Real time VoIP and Video monitoring.
• New codec support, G729, G726, G723.
• GUI version of Windows and Linux.
• TFTP MitM Modification of IP phone settings.
• New VideoSnarf tool – Converts offline RTP pcap file to media file.
• Windows VLAN implementation, for VLAN Hopping in Windows.

Or read more here.

Tags:  ettercap,  hacking ip video,  Hacking Tools,  hacking voip,  ip video security,  ip video sniffer,  ip video sniffing,  ip video sniffing tool,  Network Hacking,  Privacy,  sniffing tool,  sniffing voip,  ucsniff,  videosnarf,  voip sniffer,  voip-security