Week 03: Reconnaisance

A trio of hackers who orchestrated a denial of service attack that hijacked thousands of IOT devices are now cooperating with the FBI. Initially, their goal was to take down rival Minecraft users’ hosts, but they somehow caused much more damage than they intended.

The original article about the crime is here: https://www.wired.com/story/mirai-botnet-minecraft-scam-brought-down-the-internet/

You can check out the Mirai source code on Github here: https://github.com/jgamblin/Mirai-Source-Code

It is wise of the FBI and other agencies in the US to recruit these people instead of sentencing them to prison, assuming they aren’t complete sociopaths. The old system of requiring clearances in order to make an impact is frustrating, un-enticing and prevents talent from entering the government. If we can allow more people with skills in this area into the cyber security realm in our government in an expedited process, our country’s cyber security game will be substantially improved. In all likelihood, very few of these prospective employees would pass a background check.

https://www.wired.com/story/mirai-botnet-creators-fbi-sentencing/

I get to hang out with some very clever cryptographers at a bar about once a month. They make math-y jokes over my head, but demonstrate that best case is a stalemate where data is no longer significant before it’s encryption theme has become significantly penetrable.

T-Mobile announced an unauthorized capture of data. The updates paint a picture almost as disturbing as the loss itself in that they show either a misunderstanding or a ~careful wording to diminish verbal impact~, followed by better disclosure.

Here are a few that stood out for ~beer spit-take~ potential with the cryptography nerds;

“Because they weren’t [compromised]. They were encrypted.”

“may have included one or more of the following: name, billing zip code, phone number, email address, account number and account type (prepaid or postpaid).”

“about” or “slightly less than” 3% of its 77 million customers.” …so about …2 million…

https://motherboard.vice.com/en_us/article/a3qpk5/t-mobile-hack-data-breach-api-customer-data

https://www.t-mobile.com/customers/6305378821

Beware! Unpatched Safari Browser Hack Lets Attackers Spoof URLs

– Swati Khandelwal

 

The phishing attacks today are sophisticated and increasingly more difficult to spot, and this newly discovered vulnerability takes it to another level that can bypass basic indicators like URL and SSL, which are the first things a user checks to determine if a website is fake.

 

Vulnerability (CVE-2018-8383) is due to a race condition type issue caused by the web browser allowing JavaScript to update the page address in the URL bar while the page is loading. This vulnerability could essentially allow an attacker to load a legitimate page which would cause the page address to be displayed in the URL bar, and then quickly replace the code in the web page with a malicious one.

 

The URL below has a POC video for the vulnerability. Please do look.

 

Link: https://thehackernews.com/2018/09/browser-address-spoofing-vulnerability.html

Tenable Research, a Cyber Exposure Company, has discovered vulnerabilities, including a zero-day vulnerability, in NUUO NVRMini2 video software. The zero-day vulnerability, called Peecaboo, would allow unauthorized users to remotely view and tamper video footages by exploiting a remote code execution in the NUUO software. For example, cybercriminals could replace the live video with a static footage of the surveilled area to conceive security personnel.

NUUO is one of the leading video surveillance solution providers. The vulnerability could potentially affect more than 100 brands and 2500 camera models. NUUO has been working on a patch for the Peecaboo, but the release date is still unknown.

A bigger concern is that many users will be unaware of the vulnerability because many other vendors also adopt the NUUO software and integrate it into their products. NUUO has released a plugin to help users assess the vulnerability.

https://www.scmagazine.com/home/news/zero-day-found-in-nuuo-video-software-allowing-camera-takeover/

More and more people using social media on their every day life, much more personal data have been exposed with or without purpose. Have you ever considered your social media accounts have been hacked and who had managed to gain access and when it happened? This article is talking about Twitter has rolled out a new security feature, allowing users to know which apps and devices are accessing your Twitter account. Check it out and better protect your information.

 

https://thehackernews.com/2018/09/twitter-account-hacked.html

I found myself curious about why Ruby was so relevant to penetration testing and hacking in general and was fortunate enough to find this article on Null Byte.

First, some of the most popular exploitation frameworks are written in Ruby, such as Metasploit: https://github.com/rapid7/metasploit-framework

In the article below, you can use one line of Ruby code in the command line to do things such as dump passwords saved in the attacked computer’s web browser. This requires first hiding Ruby payloads in a PDF file which execute in the background (unbeknownst to the user) after the PDF is opened.

There are a number of other “how to” links in this article that take you further into the “how” of a procedure like this.

https://null-byte.wonderhowto.com/how-to/hacking-macos-hack-macbook-with-one-ruby-command-0186686/

The team of security researchers discovered there are millions Android brand new smartphone have been pre-installed malware, call “RottenSys”, somewhere along the supply chain. This looks like Android systems are more vulnerable to malware and other attacks. Android systems should consider running a pre-installation security check to be part of their OS, This will help detect any malware or unwanted software to be part of their Operating System. Also, comparative studies with other OS like MAC OS will help them understand why Android ‘s are more vulnerable to insecure software.

Because of the way Google Play works, Android has a “bad app” problem. Google lets any developer upload an app to the Play Store, regardless of if it works, how it looks, or whether or not it can harm users. Malware scanning happens primarily after apps are uploaded, and though Google has recently taken steps to safeguard users with its Play Protect program, you don’t have to depend on them.

Below are the few tips to prevent malware attacks in Android systems :

Tip 1: Don’t Depend on Google Play Protect

“Google Bouncer” will help identify malware in the apps within the play store

Tip 2: Review App Permissions

By minimizing app access, protect yourself from hackers obtaining an unnecessary amount of information about you. This practice also protects you from malicious agents (such as hackers) who might compromise the app to attack your device.

Tip 3: switch Off Unknown Sources

disabling “Unknown sources” won’t deactivate the third-party apps. Instead, it will prevent unauthorized installation of non-Play Store apps from outside threats scheming to attack your device.

https://blog.avira.com/rottensys-preinstalled-malware/

In this article, the author introduces about the challenges for email usage. 3.7 billion users use email everyday to send 269 billion messages. The primary challenge is that users lack security awareness. Most users think their emails are safe to use. What they usually do is to delete the spam emails.  In addition, phishing is also a problem for email security. Impersonations are the main method of phishing. Once attackers obtain trust from users, they can start attack activities. In addition, attackers send link to users’ emails, when they click the link, they may lose their passwords or install malware automatically. To prevent emails from being attacked, managing emails is important to companies. Organizations should control emails reception in certain period to block threats. What is more, improving employees’ security awareness should be the primary work for organizations to do.

 

https://www.securitymagazine.com/articles/89415-the-biggest-email-security-challenge-facing-organizations-today

A vulnerability in Fair Dice’s C++ source code was exploited by a hacker to steal $200,000 worth of EOS cryptocurrency from crypto-betting site, Fair Dice. The vulnerability involved the emplacement of an object which contained the amount of money to transfer into a vector. The problem was that there were not adequate parameters on the values that could be emplaced into this vector, which allowed the hacker to siphon this large amount of money. Moral of the story, always check your boxes when you are coding something involving other people’s money. It doesn’t take long to set instance variables, object parameters, etc. Better safe and have done some tedious work than very sorry.

source code:

https://github.com/Dappub/fairdicegame/blob/master/fairdicegame/include/fairdicegame.hpp#L240

original article:

https://www.zdnet.com/article/blockchain-betting-app-mocks-competitor-for-getting-hacked-gets-hacked-four-days-later/

https://techcrunch.com/2018/08/30/this-is-googles-titan-security-key/

Google has launched its in-house security key that adds an extra layer of security by requiring you to touch them in order to log into applications. Google has named it as ‘Titan Security Keys’ and it comes with a USB key as well as a Bluetooth key. Google claims that these keys will enhance protection against phishing and that it will provide high value to users such as IT admins.

However, the downside here is that if you lose these keys, you lose everything.