Home   Blog   Twitter   Database  

Massive DEA license plate reader program tracks millions of Americans

The DEA is using license plate reader cameras to capture information on an enormous number of motorists, with nearly 800 million license plates stored in a database used by federal and local authorities.

Posted: 28 Jan 2015 | 10:02 am

Scouts take down database due to 'security vulnerabilities'

Full security audit for Compass database

The Scouts Association has taken down its Compass database, which holds the records of nearly half-a-million young people and adult volunteers, after discovering a "potential security vulnerability," The Register can reveal.…

Posted: 28 Jan 2015 | 5:44 am

Not So Spooky: Linux “Ghost” Vulnerability

Researchers at Qualys have found a vulnerability in the GNU C Library (alternately known as glibc), which can be used to run arbitrary code on systems running various Linux operating systems. The vulnerability (assigned as CVE-2015-0235) has been dubbed GHOST and is the latest vulnerability to receive a “friendly” name, joining others like Heartbleed, Shellshock, and POODLE. However, closer inspection reveals that this particular vulnerability, while serious, is not easy to exploit and has a very limited attack surface.

GHOST is a buffer overflow vulnerability triggered by calling the gethostbyname*() functions in glibc. These functions are used to resolve domain names into IP addresses by various applications. Theoretically, any application that uses these functions (practically any application that goes online) is at risk of being exploited.

At first glance, it would seem that this poses a massive security problem. Fortunately for most users, there are many factors that mitigate any risk due to GHOST.

First of all, this vulnerability has long been patched. The underlying problem was first introduced into glibc in 2000, but was fixed by May 2013. This means that many newer Linux operating systems were never at risk. (Like Shellshock, Windows-based systems are generally not vulnerable either.)

Secondly, not all applications are at equal risk. Exploitation is very difficult as an attacker only has a small amount of initial exploit code that can be used: 4 or 8 bytes (depending on whether the system is a 32- or 64-bit system). Additional code must be written to an address referenced by a pointer which the attacker can modify. As a result, many apps are not at risk. So far, we are not aware of any potential web attack vectors, which reduces the attack surface considerably.

Thirdly, the functions that are the subject of this vulnerability are obsolete. They cannot be used to translate domain names to IPv6 addresses; newer applications use the getaddrinfo() function, which does have IPv6 support.

Taken together, the risk of actual exploits targeting GHOST is relatively small compared to other vulnerabilities like Shellshock or Heartbleed. Yes, the underlying vulnerability is problematic, but defense in depth by other vendors means that the actual risk is relatively low. So far, only Exim Mail Transfer Agent has been confirmed to be remotely exploitable, but there could more. With only four or eight bytes as the initial exploit vector, gaining further access is highly dependent on application design and memory usage. This is a significant barrier to exploitation.

This doesn’t mean that system administrators can ignore the problem altogether, but it does mean that they can respond in a calm and orderly manner. Linux distributions have released patches that upgrade the version of glibc in use. Administrators should roll these out as soon as possible.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Not So Spooky: Linux “Ghost” Vulnerability

Posted: 28 Jan 2015 | 12:38 am

Video archives of security conferences and workshops


Just some links for your enjoyment

List of security conferences in 2014

Video archives:




AIDE (Appalachian Institute of Digital Evidence)


Blackhat
Botconf
Bsides
Chaos Communication Congress
Defcon
Derbycon
Digital Bond's S4x14
Circle City Con
GrrCON Information Security Summit & Hacker Conference
Hack in the box HITB
Hack in Paris :
Hack3rcon
InfowarCon
Free and Open Source Software Conference 2014

International Cyber Security Conference 

KIACS Cyber Security Conference
Louisville
NATO Cyber Security Conference
Notacon

Nullcon
OWASP
OISF
OHM
Outerz0ne 9
Passwordscon
Ruxcon
Shmoocon
ShowMeCon
SkyDogCon
TakeDownCon
Troopers
Heidelberg Germany
Virus Bulletin
Workshops, How-tos, and Demos

Special thanks to  Adrian Crenshaw for his collection of videos

Posted: 27 Jan 2015 | 8:11 pm

Low Hanging Fruit: Flash Player

Flash Player version 16.0.0.296 is now available.

Flash Player Versions

In Windows, you can check what version you have installed via Flash's Control Panel applet.

Settings Manager, Flash Player 16.0.0.296

According to Adobe Security Bulletin APSA15-01, users who have enabled auto-update will have received the update starting on January 24th. Manual downloaders needed to wait a couple of days.

Adobe Bulletin CVE-2015-0311

We're not exactly sure why manual downloads were delayed, but whatever the reason, auto-updates are recommended.

And not only that, but more. At this point, we recommend enabling "click-to-play" options. Here's an example from Firefox with the "Ask to Activate" configured.

Firefox, Flash, Ask to Activate

Google Chrome also offers options in its "advanced" settings.

Why do we recommend click-to-play? Because Flash Player is currently the application most aggressively targeted by exploit kits.

Here are some stats from last week from which you can see that Angler, which was targeting a Flash Player 0-Day vulnerability, was leading the exploit kit market.

Finland:

Exploit Kits, January 2015 FI

Germany:

Exploit Kits, January 2015 DE

United Kingdom:

Exploit Kits, January 2015 UK

And Angler was number one in several other regions as well.

So, update your Flash Player, set it to auto-update, and configure click-to-play.

On 27/01/15 At 05:13 PM

Posted: 27 Jan 2015 | 7:21 am

Comparing the Regin module 50251 and the "Qwerty" keylogger

On January 17 2015, Spiegel.de published an extensive article based on documents obtained from Edward Snowden. At the same time, they provided a copy of a malicious program codenamed "QWERTY" (http://www.spiegel.de/media/media-35668.pdf), supposedly used by several governments in their CNE operations.

We've obtained a copy of the malicious files published by Der Spiegel and when we analyzed them, they immediately reminded us of Regin. Looking at the code closely, we conclude that the "QWERTY" malware is identical in functionality to the Regin 50251 plugin.

Analysis

The Qwerty module pack consists of three binaries and accompanying configuration files. One file from the package– 20123.sys – is particularly interesting.

The "20123.sys" is a kernel mode part of the keylogger. As it turns out, it was built from source code that can also be found one Regin module, the "50251" plugin.

Using a binary diff it is easy to spot a significant part of code that is shared between both files:

regin3_1

Most of the shared code belongs to the function that accesses the system keyboard driver:

regin3_2

Most of the "Qwerty" components call plugins from the same pack (with plugin numbers 20121 – 20123), however  there is also one piece code that references plugins from the Regin platform. One particular part of code is used in both the "Qwerty" 20123 module and the Regin's 50251 counterpart, and it addresses the plugin 50225 that can be found in the virtual filesystems of Regin. The Regin's plugin 50225 is reponsible for kernel-mode hooking.

regin3_3

This is a solid proof that the Qwerty plugin can only operate as part of the Regin platform, leveraging the kernel hooking functions from plugin 50225.

As an additional proof that both modules use the same software platform, we can take a look at functions exported by ordinal 1 of both modules. They contain the startup code that can be found in any other plugin of Regin, and include the actual plugin number that is registered within the platform to allow further addressing of the module. This only makes sense if the modules are used with the Regin platform orchestrator.

regin3_4

The reason why the two modules have different plugin IDs is unknown. This is perhaps because they are leveraged by different actors, each one with its own allocated plugin ID ranges.

Conclusions

Our analysis of the QWERTY malware published by Der Spiegel indicates it is a plugin designed to work part of the Regin platform.  The QWERTY keylogger doesn't function as a stand-alone module, it relies on kernel hooking functions which are provided by the Regin module 50225.  Considering the extreme complexity of the Regin platform and little chance that it can be duplicated by somebody without having access to its sourcecodes, we conclude the QWERTY malware developers and the Regin developers are the same or working together.

Another important observation is that Regin plugins are stored inside an encrypted and compressed VFS, meaning they don't exist directly on the victim's machine in "native" format. The platform dispatcher loads and executes there plugins at startup. The only way to catch the keylogger is by scanning the system memory or decoding the VFSes.

 

Appendix (MD5 hashes):

QWERTY 20123.sys:

0ed11a73694999bc45d18b4189f41ac2


Regin 50251 plugins:

c0de81512a08bdf2ec18cb93b43bdc2d 
e9a43ea2882ac63b7bc036d954c79aa1

Posted: 27 Jan 2015 | 3:00 am

Wild Wild West – 12/2014

Added the following packs:

Null Hole
“Hanjuan EK”
“Archie EK”
“Astrum EK”
“SedKit”
“SPL2 Pack”

Special thanks to Kafeine for his valuable input.

wildwildwest_1214

Posted: 13 Dec 2014 | 5:16 pm

From Russia with love: Sofacy/Sednit/APT28 is in town

Yesterday, another cyber espionage group with Russian roots made it to the New York Times headlines again courtesy of FireEye and a new report they published.

FireEye did a pretty good job on attribution and giving some technical indicators; however, they neglected to reference previous work on this threat actor from companies like PWC, TrendMicro, ESET and others.

We have been tracking this threat actor (Sofacy) for a few years when it first appeared on our radar in one of the CVE-2012-0158/CVE-2010-3333 clusters. Based on the lure content contained in the malicious documents as well as the phishing campaigns we have seen in the past, this group tends to target NATO, Eastern Europe government and military institutions and defense contractors. We have seen lures related to Ukraine, Chechnya and Georgia that indicates one of the group's objectives is gathering geopolitical intelligence.

The techniques used by this group have evolved over the years.

- Spearphishing

Most of the Spearphishing campaigns launched by this group involve a malicious Word document exploiting one of the following vulnerabilities:

As described by FireEye and others, this group uses different payloads including a downloader and several second-stage backdoors and implants.

We cover these tools using the following rules with USM:

- Web compromises

The group has been seen infecting websites and redirecting visitors to a custom exploit kit being able to take advantage of the following vulnerabilities affecting Internet Explorer:

The following rule detects activity related to this exploit kit:

- Phishing campaigns

This actor uses phishing campaigns to redirect victims to Outlook Web Access (OWA) portals designed to impersonate the legitimate OWA site of the victim's company. This technique is used to compromise credentials and access mailboxes and other services within the company.

Inspecting the content of the malicious redirect we can alert on this activity using the following rule:

References:

[1] http://pwc.blogs.com/files/tactical-intelligence-bulletin---sofacy-phishing-.pdf
[2] http://blog.trendmicro.com/trendlabs-security-intelligence/operation-pawn-storm-the-red-in-sednit/
[3] http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf
[4] http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/
[5] http://malware.prevenity.com/2014/08/malware-info.html
[6] http://www.fireeye.com/resources/pdfs/apt28.pdf

       

Posted: 28 Oct 2014 | 9:30 pm

A More Realistic Perspective on Cybersecurity from the Director of the NSA

A few days ago Admiral Mike Rodgers, director of the NSA and Commander of the U.S. Cyber Command, gave a keynote address at the Billington Cybersecurity Summit. His message was strong and clear, CYBER-RESILIENCY. He discussed the impractical reactions typical to cyber intrusions today. After an attack a network may temporarily shut down and operations will cease in government and private sector organizations alike. Both the Admiral and us here at Cyber Engineering Services believe this is an unnecessary and damaging response.

The goal of network security should be to monitor traffic and be ready to fight as quickly as possible in the face of an attack while keeping the network and productivity online. In his speech the admiral emphasized something that the experts at Cyber Engineering Services were forced to acknowledge long ago, cyber intrusions will happen no matter what defenses are in place. As fast as the good guys can develop technology to stop them, cyber criminals develop new weapons to get into networks.

Accepting this can be a hard pill for companies to swallow as it is natural to want to put an end to all intrusions and data loss. However accepting this problem doesn’t change it’s nature, it allows for the development of more realistic strategies. As the admiral puts it, “This is not a small problem. It’s not going away. Technology will not catch up. This is foundational to the future. I need your help.” Basically, the director of the NSA is explaining the government alone is not going to conquer this problem, private sector needs to step up to the plate and get realistic and proactive.

At Cyber Engineering Services we are very excited to see key individuals in the Cybersecurity war spreading accurate and motivating information. Our whole strategy at Cyber Engineering Services is based on a deep understanding of these realities. We have designed a system and a team of experts that is ready to watch, respond, and stem damage at a moments notice. We are ready to do our part in the Cyber-Resiliency revolution by helping companies monitor their network traffic and respond in a way that stops the damage while keeping companies running and production as smooth as possible.

If you’d like to read more of the Admirals message see the link below to a summary written by Mike Donohue.


NSA Rodgers Urges Cyber-Resiliency

Posted: 19 Sep 2014 | 2:46 pm