Darknet - The Darkside

Don`t Learn to HACK - Hack to LEARN. That`s our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on Twitter, Facebook or RSS for the latest updates.

16 September 2014 | 1,457 views

StegExpose – Steganalysis Tool For Detecting Steganography In Images

Prevent Network Security Leaks with Acunetix

StegExpose is a steganalysis tool specialized in detecting steganography in lossless images such as PNG and BMP (LSB – least significant bit type). It has a command line interface and is designed to analyse images in bulk while providing reporting capabilities and customization which is comprehensible for non forensic experts.

Steganography is the art or practice of concealing a message, image, or file within another message, image, or file. The word steganography combines the Ancient Greek words steganos, meaning “covered, concealed, or protected”, and graphein meaning “writing”.

StegExpose rating algorithm is derived from an intelligent and thoroughly tested combination of pre-existing pixel based staganalysis methods including:

  • Sample Pairs by Dumitrescu (2003)
  • RS Analysis by Fridrich (2001)
  • Chi Square Attack by Westfeld (2000)
  • Primary Sets by Dumitrescu (2002)

In addition to detecting the presence of steganography, StegExpose also features the quantitative steganalysis (determining the length of the hidden message).

Detecting Steganography In Images

Usage

[directory] – directory containing images to be diagnosed

[speed]Optional. Can be set to ‘default’ or ‘fast’ (set to ‘default if left blank). default mode will try and run all detectors whereas fast mode will skip the expensive detectors in case cheap detectors are able to determine if a file is clean.

[threshold]Optional. The default value here is 0.2 (for both speed modes) and determines the the level at which files are considered to be hiding data or not. A floating point value between 0 and 1 can be used here to update the threshold. If keeping false positives at bay is of priority, set the threshold slightly higher ~0.25. If reducing false negatives is more important, set the threshold slightly lower ~0.15

[csv file]Optional. Name of the csv (comma separated value) file that is to be generated. that If left blank, the program will simply output to the console.

Performance

The accuracy and speed of StegExpose has been tested on an image pool of 15,200 lossless images, where 5,200 of them were stego images (images with hidden data) created with the tools OpenStego, OpenPuff, SilentEye and LSB-Steganography. Embedding rates range from 2.5% to 25.3% with an average of 13.8% (secret data / cover image).

You can download StegExpose here:

master.zip

Or read more here.



13 September 2014 | 2,482 views

Google DID NOT Leak 5 Million E-mail Account Passwords

So a big panic hit the Internet a couple of days ago when it was alleged that Google had leaked 5 Million e-mail account passwords – and these had been posted on a Russian Bitcoin forum.

I was a little sceptical, as Google tends to be pretty secure on that front and they had made no announcement regarding the incident. The news was published on a number of fairly high profile, legitimate news sources as though it was real (TIME, CBS, FastCompany, IBT, The Independent & many more).

Google Password Leak

Some may say the whole thing was just an elaborate e-mail farming excercise as many articles cited a domain IsLeaked.com which registered a mere 2 days before the huge password leak..by Russians.

Plenty of room for conspiracy theories here.

In some cases, those alleged breaches are not quite what they seem to be. Case in point is a report first posted to a Russian Bitcoin forum site that information on nearly 5 million Google account holders was breached this week.

Any alleged attack against Google is noteworthy, and 5 million accounts is also a significant number. That said, the bigger questions that always should be asked in any breach coverage center on what was stolen and whether there is any real impact.

As a professional, facts are my currency, and speculation is just a cheap narcotic. So when I initially saw the first Google account breach reports, I held off on writing until the facts were revealed.

The facts are that Google itself was not breached and 5 million users are not actually at risk.

In a blog post Sept. 10, Google claimed that less than 2 percent of the username/password credentials in the Russian breach list were actually valid.

To add further fuel to the fire, Google noted that its automated anti-hijacking systems would limit the risk on the 2 percent that might be affected. Additionally, Google is now telling those people in the 2 percent list that they are required to reset their passwords.

Google did release something later about this ‘compromise’ and stated that less than 2% of the leaked e-mail addresses were valid credentials and all those that might have been effected have had their passwords forcibly reset.

The Google announcement is here: Cleaning up after password dumps

They also stated categorically that the leaked account details were not due to a compromise of any Google systems.

So to recap, it wasn’t 5 million “real” passwords, and of those that might be real, there is little user risk. It also was not actually an attack directly against Google’s infrastructure either.

“It’s important to note that, in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems,” Google stated. “Often, these credentials are obtained through a combination of other sources.”

So what does that mean? Simply put, Google account information is also used on non-Google systems and also might be stored outside of Google’s control or influence. An attacker can get a user account by a breach of a third-party system or more likely via a phishing attack against a user.

In this case, Google has made it painfully obvious that the risk is low with this credentials breach. Aside from the fact that only 2 percent of the account information might be valid, Google’s efforts to protect its users and its systems from attacks are exemplary. Alerting users to the potential of a highjack and requiring a new password is an excellent best practice.

The use of other security tools and techniques to detect anomalous account behavior is also admirable. As I’ve written in the case of the Apple iCloud security incident, it is incumbent on Internet vendors and online services to proactively defend users against fraud, and that’s precisely what Google is doing.

So basically yah, this is a whole lot of non-news about something that didn’t really happen. Either way, keep your accounts safe and set up 2FA please.

But it does show once again, Google is up on the security of its userbase and it intends to keep everyone safe. Because they need your data, that’s how they make money.

Source: eWeek


11 September 2014 | 2,715 views

Lynis v1.6.0 Released For Download – Linux Security Auditing Tool

Lynis is an open source linux security auditing tool. The primary goal is to help users with auditing and hardening of Unix and Linux based systems. The software is very flexible and runs on almost every Unix based system (including Mac). Even the installation of the software itself is optional!

It’s a great tool for auditing *nix based systems and hardening them based on the recommendations, it works well on a variety of systems including Linux, AIX, FreeBSD, OpenBSD, Mac OS X & Solaris.

Lynis - Linux Security Auditing Tool

We’ve written about this tool a few times, when it first came out in 2008 – Lynis – Security & System Auditing Tool for UNIX/Linux and again in 2009 – Lynis 1.2.6 Released – UNIX System & Security Auditing Tool.

How it works

Lynis will perform hundreds of individual tests to determine the security state of the system. Many of these tests are also part of common security guidelines and standards. Examples include searching for installed software and determine possible configuration flaws. Lynis goes further and does also test individual software components, checks related configuration files and measures performance. After these tests, a scan report will be displayed with all discovered findings.

Typical use cases for Lynis:

  • Security auditing
  • Vulnerability scanning
  • System hardening

Why open source?

Open source software provides trust by having people look into the code. Adjustments are easily made, providing you with a flexible solution for your business. But can you trust systems and software with your data? Lynis provides you this confidence. It does so with extensive auditing of your systems. This way you can verify and stay in control of your security needs.

You can download Lynis v1.6.0 here:

lynis-1.6.0.tar.gz

Or read more here.


08 September 2014 | 760 views

Twitter Bug Bounty Official – Started Paying For Bugs

So the Twitter bug bounty program is now official, they are actually paying – and not a bad amount too. A minimum of $140 for a confirmed bug with no defined maximum.

This includes the Twitter website itself and any sub-domain (mobile, ads, apps etc), and the official mobile apps for iOS and Android. It’s somewhat strange it doesn’t mention Windows Phone as well, but I’d assume that’s included as it’s also an official app.

Twitter Bug Bounty

You can see the official tweet on the matter here:

Set up through the security response and bug bounty platform HackerOne, the program offers a minimum of $140 per threat. The maximum reward amount has not been defined.

The company is currently asking bug hunters to submit reports about bugs on its Twitter.com domain and subdomains (ads.twitter.com, apps.twitter.com, tweetdeck.twitter.com, and mobile.twitter.com) and its iOS and Android apps.

“Any design or implementation issue that is reproducible and substantially affects the security of Twitter users is likely to be in scope for the program,” the company pointed out. “Common examples include: Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Remote Code Execution (RCE), unauthorized access to protected tweets, unauthorized access to DMs, and so on.”

It includes all kinds of vulnerabilities, including those which some other companies brush off as “non-serious” like CSRF and XSS especially. Just don’t bother if you’re from Cuba, Sudan, North Korea, Iran or Syria because you won’t get paid.

They specifically list:

  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Remote Code Execution (RCE)
  • Unauthorized Access to Protected Tweets
  • Unauthorized Access to DMs

Reports about bugs on other Twitter properties or applications are welcome, but will not be eligible for a monetary reward – bug hunters will have to be content with a mention on the Twitter’s Hall of Fame, which is already populated with the names of 44 hackers.

In fact, Twitter’s bug reporting program on HackerOne has been up for three months now, but the company has only now announced that it will start paying out bounties.

So far, 46 of the reported bugs have been closed by the company’s security team, but reports received prior to September 3, 2014, are not eligible for monetary rewards.

“Maintaining top-notch security online is a community effort, and we’re lucky to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues,” the company noted, adding that the bug bounty program was started to “recognize their efforts and the important role they play in keeping Twitter safe for everyone.”

Things that do not quality (are outside the scope of the program) are issues such as:

  • Issues related to software or protocols not under Twitter control
  • Reports from automated tools or scans
  • Reports of spam (see here for more info)
  • Vulnerabilities affecting users of outdated browsers or platforms
  • Social engineering of Twitter staff or contractors
  • Any physical attempts against Twitter property or data centers

The full details of the program can be found here: https://hackerone.com/twitter

It’s good to see more companies that are supporting responsible disclosure and putting their money where their mouths are. And honestly, the amount of money they have to pay out to make their platform and users more secure is minuscule compared to their over-bloated valuations.

Source: Help Net Security


03 September 2014 | 3,026 views

BurpSentintel – Vulnerability Scanning Plugin For Burp Proxy

BurpSentintel is a plugin for Burp Intercepting Proxy, to aid and ease the identification of vulnerabilities in web applications.

Searching for vulnerabilities in web applications can be a tedious task. Most of the time consists of inserting magic chars into parameters, and looking for suspicious output. Sentinel tries to automate parts of this laborous task. It’s purpose is not to automatically scan for vulnerabilities (even if it can do it in certain cases), as there are better tools out there to do that (BURP scanner for example). So it’s the only tool which sits in between manual hacking with BURP repeater, and automated scanning with BURP scanner.

BurpSentintel - Vulnerability Scanning Plugin For Burp Proxy

To use it, just send a suspicious HTTP request from BURP proxy to Sentinel. Then the user is able to select certain attack patterns for selected parameters (say, XSS attacks for parameter “id”). Sentinel will issue several requests, with the attack patterns inserted. It will also help find suspicious behaviour and pattern in the accompaining HTTP responses (for example, identify decoded HTML magic chars).

Features

  • AutomatedDetection Automated XSS/SQL Detection
  • AttackLists Self-Defined Attack Lists
  • Sessions Session Definition
  • Categorizer Categorizer
  • Reporter Generate Report
  • FirefoxAddon Firefox Addon

You can download BurpSentinel here:

BurpPlugin-full.jar

Or read more here.


02 September 2014 | 6,374 views

Massive Celeb Leak Brings iCloud Security Into Question

So this leak has caused quite a furore, normally I don’t pay attention to this stuff – but hey it’s JLaw and it’s a LOT of celebs at the same time – which indicates some kind of underlying problem. The massive list of over 100 celebs was posted originally on 4chan (of course) by an anonymous user who seems to have collected/bought the pictures using Bitcoin.

Celebrity Nudes on 4Chan

Some fingers are being pointed at iCloud and the security of it, as many of these pictures have been deleted and have been somehow rescued from the cloud. Some of the users are claiming they use Android though, but they might have synced the pictures to their Macbook and that was uploaded to iCloud.

Naked photos of celebrities including Jennifer Lawrence, Kate Upton and Ariana Grande have been published online by an anonymous hacker who reportedly obtained the explicit pics from the victims’ Apple iCloud accounts.

Nude photos of 17 celebrities have been published online. The anonymous hacker posting on grime-‘n-gore board 4chan claimed to possess naked pics of more than 100 celebrities in total.

Lawrence’s publicist Bryna Rifkin confirmed the validity of the photos and condemned their publication.

“This is a flagrant violation of privacy. The authorities have been contacted and will prosecute anyone who posts the stolen photos of Jennifer Lawrence,” Rifkin told Buzzfeed.

However a separate set of images included in the hacked celeb haul purporting to show singer Victoria Justice in various states of undress were called out as fake.

Justice published a photograph where her face was clearly taken from an earlier photo and plastered on the body of a naked woman.

Other photos appeared legitimate but were not yet confirmed by those affected.

There’s not a lot of details right now, but there is a whole lot of speculation about what’s going on (Google Drive, Dropbox, iCloud and more). This is why if you use an iPhone you should know what Photo Stream is (and how to disable it), or Dropbox Camera Upload, or Google Photo Sync.

I’m guessing there’s more to come as only a few of the pictures have been released so far. I’m not sure if Apple are even going to bother saying anything, as well even when there’s a fairly security flaw they tend to just keep quiet. iCloud security issue? Who cares man.

The identity of the unscrupulous hacker including any alias appeared to be unknown. They posted the images to the 4chan ‘/b/’ image board from where it was quickly circulated on social media sites including Reddit.

The assailant seems likely to face a well-resourced investigation by US authorities, who take a dim view of this sort of thing.

In June, Romanian hacker Marcel Lazar Lehel, a.k.a. Guccifer, was sentenced and faced seven years jail with three years served for hacking email accounts of former US President George Bush along with other US officials, celebrities and UK pollies.

And in 2011 Florida man Christopher Chaney was arrested after he hacked the email accounts of Scarlett Johansson and some 49 other celebrities and was sentenced to 10 years’ gaol.

The hacking serves as a timely reminder to ensure important passwords were not reused across websites or services and were not based on single words or common phrases.

There was an interesting proof of concept of an AppleID bruteforcing tool here – ibrute – which is fixed now, but it could have been used to pop these accounts. It authenticated against the Find My iPhone API which had no bruteforce protection implemented.

There’s even an entire subreddit about the leak here, which has been labelled ‘The Fappening’ – http://www.reddit.com/r/thefappening

Let’s see what more info (if any) comes out after this.

Source: The Register


29 August 2014 | 3,692 views

IronWASP – Open Source Web Security Testing Platform

IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool’s features are simple enough to be used by absolute beginners.

IronWASP - Open Source Web Security Testing Platform

Features

  • It’s Free and Open source
  • GUI based and very easy to use, no security expertise required
  • Powerful and effective scanning engine
  • Supports recording Login sequence
  • Reporting in both HTML and RTF formats – Click here to view the sample report
  • Checks for over 25 different kinds of well known web vulnerabilities
  • False Positives detection support
  • False Negatives detection suppport
  • Industry leading built-in scripting engine that supports Python and Ruby
  • Extensibile via plug-ins or modules in Python, Ruby, C# or VB.NET

Bundled Modules

  • WiHawk – WiFi Router Vulnerability Scanner
  • XmlChor – Automatic XPATH Injection Exploitation Tool
  • IronSAP – SAP Security Scanner
  • SSL Security Checker – Scanner to discover vulnerabilities in SSL installations
  • OWASP Skanda – Automatic SSRF Exploitation Tool
  • CSRF PoC Generator – Tool for automatically generating exploits for CSRF vulnerabilities
  • HAWAS – Tool for automatically detecting and decoding encoded strings and hashes in websites

Plugins

IronWASP has a plugin system that supports Python and Ruby. The version of Python and Ruby used in IronWASP is IronPython and IronRuby which is syntactically similar to CPython and CRuby. However some of the standard libraries might not be available, instead plugin authors can make use of the powerful IronWASP API.

You can download IronWASP here:

ironwasp.zip

Or read more here.


27 August 2014 | 1,227 views

Twitter Patents Technique To Detect Mobile Malware

So it was discovered that Twitter has been granted a patent which covers detection of mobile malware on websites to protect its user base. The patent was filed back in 2012, but well – as we know these things take time.

The method is something like the technology Google uses in Chrome to warn you if a webpage is malicious and it prompts you not to visit.

Twitter Patent to Detect Mobile Malware

It utilises multiple signals to detect mobile malware and protect the user from being infected (by calculating the probably of the page being malicious).

Twitter has been granted a patent for detecting malware on mobile sites, according to a filing made public this month.

According to the patent, filed back in 2012, Twitter could protect users from malware by crawling websites with “an emulated mobile device to cause behaviors to occur which may be malicious.” After Twitter’s bot visits a given mobile site, the “behaviors … are stored [and] classified as hard or soft signals.”

From there, Twitter’s patent describes a method for assessing the “probability of the webpage being malicious,” after which it is “classified as malicious or non-malicious.” Finally, Twitter describes how visitors of the site, the site’s developer, and the “distributor of the webpage” (perhaps the user who tweeted the link) will be alerted if the site has been classified as malware.

It seems like social networks, search engines etc want to take more responsibility for protecting their users (like the malware warnings on search results within Google and the Chrome warning splash page.

They think it adds value to their networks, which it does in a way – and of course it makes the user experience more positive, which is always a benefit. And this is definitely a more pro-active response than just acting on user reports and spam flags.

Most interestingly, the patent mirrors a similar system already implemented by Google on Google.com and within Chrome. Google alerts users with a warning splash page [below] which attempts to block users from accessing the site.

Twitter’s interest in preventing the spread of malware highlights new responsibilities for the social network as it continues to grow. Implementing such a system does not directly affect Twitter in the way the company’s anti-spam efforts have. Instead, this initiative to crawl the mobile web for malware would be a preventative effort to keep Twitter’s name clean.

In VentureBeat’s own tests, Twitter did not flag any sites known by Google for distributing malware on iOS or desktop, suggesting that the tech behind the patent is not publicly in use. Reached for comment, Twitter offered a boilerplate response.

It seems the technology is not yet actually in use on the Twitter platform, as you can still spread malware laden URLs without warning.

Perhaps the technology is still in staging/testing phase – or perhaps they are starting to realise how long it takes to spider the web for malware. A very long time.

It’ll be interesting to see if they start using it soon.

Source: VentureBeat


23 August 2014 | 2,345 views

Garmr – Automate Web Application Security Tests

Garmr is a tool to inspect the responses from websites for basic security requirements. It includes a set of core test cases implemented in corechecks that are derived from the Mozilla Secure Coding Guidelines which can be found here:

https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines

The purpose of this page is to establish a concise and consistent approach to secure application development of Mozilla web applications and web services. The information provided here will be focused towards web based applications; however, the concepts can be universally applied to applications to implement sound security controls and design.

This page will largely focus on secure guidelines and may provide example code at a later time.

Garmr - Automate Web Application Security Tests

It’s a useful tool, combined with others to automate web application security tests to a decent, fairly comprehensive baseline. It was built to be part of a Continuous Integration process by the Mozilla WebQA team, but could easily be adopted by other teams and used in a similar way – it ouputs a JUnit style XML report that can be consumed by other tools such as Jenkins.

This is why it’s well suited to be used in a tool such as – Gauntlt – Security Testing Framework For Developers & Ops.

Usage

You can download the latest version here:

master.zip

Or read more here.


20 August 2014 | 1,447 views

Heartbleed Implicated In US Hospital Leak

If you’ve been up on your news consumption in the past week or so, you’ll have read about the Chinese hackers who managed to access 4.5 million patient records in a huge US Hospital Leak.

Community Health Systems hacked, records of nearly 4.5 million patients stolen

US Hospital Leak

Now it turns out, the first entry for this attack was via the Heartbleed bug – which should have been fixed months ago.

The Heartbleed flaw is responsible for the high-impact US hospital hacking attack disclosed this week, an unnamed investigator told Bloomberg.

As many as 4.5 million patient records have been exposed in an attack against Community Health Systems, a US hospital group that manages more than 200 hospitals.

China-based attackers stole millions of records which included data such as patient names, Social Security numbers, addresses, birth dates, and phone numbers after breaking into systems. No medical records nor any financial data was exposed by the nonetheless damaging breach, which CHS admitted had taken place between April and June as part of a regulatory filing.

A person “involved in the investigation who wasn’t authorised to comment publicly” blamed the Heartbleed OpenSSL bug for giving hackers a way into healthcare networks, an assessment backed up by a statement by a US security consultancy with a track record in accessing the IT security of government healthcare projects.

“The initial attack vector was through the infamous OpenSSL ‘Heartbleed’ vulnerability which led to the compromise of the information,” according to security consultancy TrustedSec, which was the first to comment on the reported cause of the breach.

It seems like the actual medical records themselves were safe and didn’t get stolen, but pretty much everything else about the patients was taken – including Social Security Numbers, which can be quite valuable.

Honestly, it’s quite sloppy, unpatched Juniper devices on a fairly critical network – they grabbed the VPN login credentials using Heartbleed, and well then I assume they were basically in a giant LAN with all 290 hospitals and they could cherry pick what they wanted.

“This confirmation of the initial attack vector was obtained from a trusted and anonymous source close to the CHS investigation. Attackers were able to glean user credentials from memory on a CHS Juniper device via the Heartbleed vulnerability (which was vulnerable at the time) and use them to login via a VPN,” it added.

“From here, the attackers were able to further their access into CHS by working their way through the network until the estimated 4.5 million patient records were obtained from a database,” it said.

David Kennedy, TrustedSec’s founder and principal consultant, worked at the National Security Agency and the United States Marines in cyber warfare and forensics analysis prior to moving into the private sector. Last November, he testified before Congress on the security shortcomings of HealthCare.gov. So while not directly involved, TrustedSec is a credible commentator on healthcare-related security issues and Kennedy seems connected enough to get the early drop on problems in this area.

Community Health Systems has reportedly hired Mandiant to handle the security response and cleanup necessary in the wake of the breach.

The Heartbleed security bug, first publicly disclosed in early April, stems from a buffer overflow vulnerability in the Heartbeat component of OpenSSL. The vulnerability meant all manner of sensitive data – including encryption keys, bits of traffic, credentials or session keys – might be extracted from unpatched systems.

Back in April we did write about the Royal Canadian Mounted Police Arresting a Heartbleed Hacker. So there were some real hacks executed using Heartbleed, but this one on CHS is a whole new level.

It just makes me wonder what other major governments or organisations have been hacked in similar ways, and don’t even know about it.

Source: The Register