Breaking Down the Anatomy of Chained Exploits
Several weeks ago, I was reading about Shellshock Bash and it sparked my curiosity to investigate just how far one could exploit this vulnerability.
I was conducting an external penetration assessment for a client and it didn’t take long for me to find an opportunity to investigate this issue. The further I was into the assessment, the more I realized the seriousness of Shellshock.
I am sharing what I’ve learned and hope you will use this information to help keep all the pieces of your puzzle in place. If you find out you have some of the key components that made this exploit successful, I recommend you stop reading this blog and apply the remediation suggestions as soon as feasibly possible.
This blog is my attempt to recreate the environment.
This was a routine gray-box external... read more >
There's free Wi-Fi, and there's paid Wi-Fi.
Both are legal, and the price of paid Wi-Fi can be whatever the market will bear. In some hotels and conference centers, that price is substantial -- $100 per day and sometimes much more.
This can be a major revenue stream, so it’s no wonder that facilities try to sell the service. It’s also no wonder that their customers might try to use alternatives. Most cell phones can establish a Wi-Fi hotspot, allowing one or more Wi-Fi-enabled computers to access the Internet. Cell phone carriers also offer stand-alone hotspots such as the Jetpack and MiFi products.
A List of Do's and Don'ts
Employees return from lunch and swipe their badges across proximity readers at the main entrance and the side door leading from the smoking area. The chatter of multiple conversations, mobile and in person, merges with the oh-so-familiar beeps and the green (or was it red?) light, and the routine motion of “badging in” is just that... routine.
The hacker observes discreetly. He identifies the vulnerability. Adopting the guise of an employee, he raises his smartphone to his head and joins the line of tailgaters. He exploits the vulnerability.
The above scenario is constantly used by penetration testers, security consultants, disgruntled and active employees... read more >
10 Steps to Privacy In-Depth
This term describes the expansion of the Internet from the World Wide Web to your home (smart TV, thermostats, automobiles) and even your body (pacemaker, bio chip transponder). The basic concept is that if a device can be networked, it will be able to communicate to other devices for real-time monitoring or triaging.
One question keeps bubbling to the surface: Are we humans ready for this mass integration of technology and life?
Keep in mind that roughly 10 years ago, 70% of the technology we see today didn’t exist: iPhone, Kindle, Galaxy, Bluetooth watches. With our human nature to be social, open and divulge information to those we trust, we put ourselves... read more >
This Scary Malware is More of a Trick than a Treat
This year, I'm dressing as ransomware for Halloween. Maybe I'll take candy from trick-or-treaters and hold it for ransom. Or maybe I'll pass out malware-infected USB sticks.
Last year I wrote a blog about how CryptoLocker ransomware was striking fear and panic into the hearts of IT staff around the world.
Ransomware is like Clark Griswold's crazy Cousin Eddie in the movie National Lampoon's Vacation. It just won’t go away, no matter how hard you try to get rid of it.
In case anyone has forgotten, CryptoLocker encrypted user files and held them for ransom. It was delivered through good ol’ social engineering phishing attempts.
Typically, the phishing attempts were conducted via emails with a failed delivery message from various ... read more >
2014 is the Year of the Retro Vulnerability
Last month, Shellshock exploited a 24+-year-old flaw in the bash shell. Now we find that SSL 3.0, which is almost old enough to drive, is the basis of an attack that renders more modern encryption useless. This one goes by the name of POODLE (Padding Oracle On Downgraded Legacy Encryption).
Despite its name, this one has nothing to do with the Oracle database system (or dogs, for that matter). It’s a new way to exploit known flaws (CVE-2014-3566) in SSL 3.0. The details are in this short research paper, published by Google researchers on the OpenSSL site. The paper contains some heavy math, but the upshot is a conversation similar to this one:
Server: Please log in using a secure protocol. I recommend TLS.
Client: I don’t speak... read more >
In Frank Herbert’s 1965 novel “Dune,” giant sandworms are instrumental in helping the valiant heroes defeat the alliance of a corrupt government and an evil corporation.
In the real world, an advanced persistent threat (APT) group dubbed “Sandworm Team” has been actively attacking industry and public sector organizations. Since September of 2014, the attackers have been targeting specific organizations with focused phishing attacks in an effort to coerce those individuals into installing malware.
The recent spear-phishing attacks have been exploiting a new zero-day vulnerability (CVE-2014-4114), which allows the OLE packager to download and execute arbitrary code. The exploit is currently being implemented by emailing malicious PowerPoint attachments to the targeted... read more >