Category: Kernel-level Exploits

October 19th, 2009

'Evil Maid' USB stick attack keylogs TrueCrypt passphrases

Posted by Dancho Danchev @ 10:32 am

Categories: Anti Virus, Browsers, Complex Attacks, Data theft, Hackers, Kernel-level Exploits, Malware, Passwords, Privacy, Research, Rootkits, Spyware and Adware, Tools

Tags: USB, Laptop Computer, Attack, TrueCrypt, Mobile Proximity Alarm, Security, Hardware, Notebooks & Tablets, Dancho Danchev

Security researcher Joanna Rutkowska has released a PoC (proof of concept) of a keylogger that is capable of logging TrueCrypt’s disk encryption passphrase enabling the attacker to successfully decrypt the hard drive’s content.

Dubbed the ‘evil maid’ attack because of its ‘plug-and-exploit’ nature, it requires only 1-2 minutes for the infection process to take place and works with the latest TrueCrypt versions, 6.0a - 6.2a.

Here’s how it works, and TrueCrypt’s response:

Read the rest of this entry »

October 8th, 2009

Monster Patch Tuesday on tap: 13 bulletins, 34 vulnerabilities

Posted by Ryan Naraine @ 4:38 pm

Categories: Anti Virus, Arbitrary Code Execution, Browsers, Complex Attacks, Data theft, Denial of Service (DoS), Hackers, Kernel-level Exploits, Locally Running Web Servers, Microsoft, Passwords, Patch Watch, Pen testing

Tags: Monster, Vulnerability, Microsoft Corp., Microsoft IIS Server, Attack, Smb/Sme, Microsoft Windows, Security, Operating Systems, Software

Microsoft is planning a bumper Patch Tuesday next week — 13 bulletins covering 34 security vulnerabilities in a wide range of products. Eight of the 13 bulletins will be rated “critical,” Microsoft’s highest severity rating.

According to Microsoft’s advance notice, the patches coming on October 13 include fixes for two serious issues that are well-known and already documented — a code execution bug in SMB v2 and a gaping hole in FTP in IIS. Read the rest of this entry »

August 12th, 2009

Advanced Mac OS X rootkit tools released

Posted by Ryan Naraine @ 1:42 pm

Categories: Anti Virus, Apple, Arbitrary Code Execution, Black Hat, Complex Attacks, Data theft, Denial of Service (DoS), Exploit code, Kernel-level Exploits, Locally Running Web Servers, Malware, Open source, Research, Responsible disclosure, Rootkits, Viruses and Worms, Vulnerability research

Tags: Apple Macintosh, Tool, Dai Zovi, Rootkits, Productivity, Apple Mac OS X, Apple Mac OS, Operating Systems, Security, Spyware, Adware & Malware

Security researcher Dino Dai Zovi (of Pwn2Own fame) has released a suite of tools to demonstrate how to load an advanced rootkit on Mac OS X machines.

The tools were first discussed at this year’s Black Hat security conference, where Dai Zovi presented techniques to manipulate the way the Mach micro-kernel uses RPC calls to create hidden system calls or create kernel threads.

Read the rest of this entry »

July 30th, 2009

Researchers find insecure BIOS 'rootkit' pre-loaded in laptops

Posted by Ryan Naraine @ 1:18 pm

Categories: Anti Virus, Arbitrary Code Execution, Browsers, Complex Attacks, Data theft, Exploit code, Kernel-level Exploits, Malware, Responsible disclosure, Rootkits, Tools, Viruses and Worms, Vulnerability research

LAS VEGAS — A popular laptop theft-recovery service that ships on notebooks made by HP, Dell, Lenovo, Toshiba, Gateway, Asus and Panasonic is actually a dangerous BIOS rootkit that can be hijacked and controlled by malicious hackers.

The service — called Computrace LoJack for Laptops — contains design vulnerabilities and a lack of strong authentication that can lead to “a complete and persistent compromise of an affected system,” according to a Black Hat conference presentation by researchers Alfredo Ortega and Anibal Sacco from Core Security Technologies.

Read the rest of this entry »

June 9th, 2009

Microsoft patches 31 Windows, IE, Office security holes

Posted by Ryan Naraine @ 11:08 am

Categories: Adobe, Arbitrary Code Execution, Browsers, Complex Attacks, Data theft, Denial of Service (DoS), Exploit code, Hackers, Kernel-level Exploits, Malware, Microsoft, Passwords, Patch Watch, Responsible disclosure, Vulnerability research

Tags: Microsoft Word, Microsoft Windows Server, Window, Vulnerability, Microsoft Internet Explorer, Microsoft Corp., Microsoft Windows Server 2003, Critical, Microsoft Windows, Microsoft Office

Microsoft’s batch of patches this month is a big one: 10 bulletins covering a total of 31 documented vulnerabilities affecting the Windows OS, the Internet Explorer browser and the Microsoft Office productivity suite (Word, Works and Excel).

Five of the 10 bulletins are rated “critical,” Microsoft’s highest severity rating. Among the patches this month are fixes for a pair of IIS WebDav flaws that were publicly disclosed last month and cover for the CanSecWest Pwn2Own vulnerability that was used to exploit Internet Explorer on Windows 7.

Read the rest of this entry »

May 13th, 2009

China's 'secure' OS Kylin - a threat to U.S. offensive cyber capabilities?

Posted by Dancho Danchev @ 6:23 am

Categories: Browsers, Complex Attacks, Governments, Hackers, Kernel-level Exploits, Linux, Open source, Pen testing, People's Republic of China

Tags: China, Operating System, Operating Systems, Linux, Software, Dancho Danchev

Picture a cyber warfare arms race where the participating countries have spent years building offensive cyber warfare capabilities by exploiting the software monoculture of one another’s IT infrastructure.

Suddenly, one of the countries starts migrating to a hardened operating system of its own, and by deploying it on the systems that manage its critical infrastructure it successfully undermines the offensive cyber warfare capabilities its adversaries have developed, capabilities designed to be used primarily against Linux, UNIX and Windows.

That’s exactly what China is doing right now with their hardened OS Kylin according to Kevin G. Coleman, Senior Fellow and Strategic Management Consultant with the Technolytics Institute who presented his viewpoint in a hearing at the U.S. – China Economic and Security Review Commission.

Here’s an excerpt from the hearing:

Read the rest of this entry »

March 25th, 2009

Microsoft adds 'Skywing' to Windows defense team

Posted by Ryan Naraine @ 11:57 am

Categories: Arbitrary Code Execution, Complex Attacks, Data theft, Exploit code, Hackers, Hirings and firings, Kernel-level Exploits, Metasploit, Microsoft, Patch Watch, Pen testing, Punditocracy, Research, Responsible disclosure, Viruses and Worms, Vulnerability research, Zero-day attacks

Tags: Team, Microsoft Corp., Defense, Shostack, Microsoft Windows, Operating Systems, Security, Software, Ryan Naraine

Ken ‘Skywing’ Johnson, a well-known hacker famous for his work on bypassing several Windows anti-exploitation mechanisms, has joined the software maker to help make it harder to compromise the operating system.

Johnson, who teamed up with another recent Microsoft hire — Matt ‘Skape’ Miller — on several Uninformed Journal articles on breaking into the Windows OS, will be working on “everything related to vulnerabilities, exploits, defenses [and] bypassing defenses,” according to Microsoft’s Michael Howard.

Read the rest of this entry »

March 23rd, 2009

Nils2Own: 'I want to see security flaws fixed'

Posted by Ryan Naraine @ 5:25 am

Categories: Adobe, Apple, Arbitrary Code Execution, Browsers, Complex Attacks, Data theft, Exploit code, Firefox, Flash, Google, Hackers, Java, Kernel-level Exploits, Microsoft, Mozilla, Patch Watch, Pen testing, Punditocracy, Responsible disclosure, Vulnerability research, Windows Vista

Tags: Apple Macintosh, Mozilla Firefox, Vulnerability, Bug, Microsoft Internet Explorer, Web Browser, Exploit, Web Browsers, Apple Mac OS X, Apple Mac OS

VANCOUVER, BC — Charlie Miller may have dominated the headlines but the undisputed champion of this year’s CanSecWest Pwn2Own contest was a hitherto unknown hacker who asked to be identified simply as “Nils.”

A day after his perfect sweep, breaking into fully patched default configurations of all three main Web browsers — Microsoft Internet Explorer, Mozilla Firefox and Safari for Mac OS X — the researcher sat down with me to explain his motivations, the reasons he opted not to sell the vulnerabilities for big money, and to spread the word that he’s looking for a job after completing his studies.

Read the rest of this entry »

March 18th, 2009

CanSecWest: Caution, community at play

Posted by Ryan Naraine @ 5:17 pm

Categories: Arbitrary Code Execution, Browsers, Complex Attacks, Data theft, Kernel-level Exploits, Microsoft, Open source, Patch Watch, Punditocracy, Responsible disclosure, Vulnerability research, Zero-day attacks

Tags: Contest, Microsoft Corp., Security, Ryan Naraine

Guest editorial by Sarah Blankinship

CanSecWest, in beautiful Vancouver BC, is one of my favorite conferences each year. It’s a cozy little security con that brings together security researchers from all parts of the security ecosystem. Like a PhNeutral or a BlueHat, one never quite knows what to expect out of a CanSecWest, but we do know that Microsoft products and engineers will play a prominent role. We’ll be presenting new security innovations and new tools, we’ll be watching Pwn2Own closely for possible hacks, and we’ll be happy to discuss our industry best practices in the hallway track.

Read the rest of this entry »

March 16th, 2009

One-year-old (unpatched) Windows 'token kidnapping' under attack

Posted by Ryan Naraine @ 1:30 pm

Categories: Arbitrary Code Execution, Browsers, Complex Attacks, Data theft, Denial of Service (DoS), Exploit code, Kernel-level Exploits, Locally Running Web Servers, Malware, Microsoft, Open source, Passwords, Patch Watch, Pen testing, Research, Responsible disclosure, Vulnerability research, Web Applications, Windows Vista, Zero-day attacks

Tags: Attacker, Server, Microsoft Corp., Attack, Microsoft Windows, Security, Operating Systems, Software, Ryan Naraine

Exactly one year after a security researcher notified Microsoft of a serious security vulnerability affecting all supported versions of Windows (including Vista and Windows Server 2008), the issue remains unpatched, and now comes word that there are in-the-wild exploits circulating.

The vulnerability, called token kidnapping (.pdf), was originally discussed last March by researcher Cesar Cerrudo and led to Microsoft issuing an advisory with workarounds. Five months later (October 2008), Cerrudo released a proof-of-concept in an apparent effort to nudge Microsoft into patching but the company has not yet released a fix.

Now comes word from the SANS ISC (Internet Storm Center) that the flaw is being used in a blended attack against an unknown target:

Read the rest of this entry »

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.