Malware signed by Adobe

In September, Adobe detected two pieces of malware that were legitimately signed by Adobe!  Having a valid signature from a trusted source like Adobe was a compelling advantage for this malware.  As one of the samples was not publicly available, the likelihood that it was to be used in an Advanced Persistent Threat (APT) is extremely high.

Did a signing private key leak, as was the case for Yahoo in May?  Adobe performed an extensive forensic analysis.  They discovered that one build server had been compromised.  This build server could submit software for signature.  According to Adobe, the configuration of the server was not at the proper Adobe standard of security.  As it was the server that was compromised, the private key, stored in a Hardware Security Module (HSM), was not compromised.  Adobe also had proof that this server requested the signature of the malware.  They believe that the attackers first accessed another server and then moved laterally to take control of this build server.  Once the server was under their control, the attackers requested the signature of their malware.  This is a typical scheme for an APT.  It also means that the signed malware was meant to be used in other steps of this APT, whose target was not Adobe.

Adobe has reported the attack in detail.  The signing key was revoked on October 4, 2012.  Very proper job.

Once more, we see that APTs become more and more sophisticated.  Large organizations are clearly under serious threat (I will come back to that topic in one of my future posts).

The power plug is watching you

Power Pwn (picture).  If you look at this picture, you may just see an innocent power extension strip.  If you look more carefully at the bottom left corner of the device, you may notice some connectors!  Why would a power extension need connectors?

Indeed, this device is a fully integrated penetration testing platform.  Here is a non-exhaustive list of its features:

  • On-board Wi-Fi, Bluetooth and Ethernet connections: everything needed to sniff communications.
  • Everything needed to create SSH and VPN connections
  • Out-of-band communication through a 4G/GSM adapter!  You can send commands through SMS.
  • Stealth mode: the device is unpingable and has no listening ports
  • A wealth of preloaded tools
  • And many, many other goodies…
  • Of course, the plugs are functional

Of course, it should only be used by white hats.  Extracted from the user manual:

All Pwnie Express / Rapid Focus Security products are for legally authorized uses only.

This may be a formidable tool!  Of course, it is better suited to the US, as the plugs follow US standards.  The device does not (yet) exist for other power plug formats.

The product (and less powerful ones) is available from Pwnie Express.

World of Warcraft: a virtual genocide

On 7 October 2012, the populations of the towns of Stormwind, Orgrimmar, Tarren Mill, Ragnaros, Draenor and Twisting Nether were wiped out in a few seconds.  This made tens of thousands of dead.  Did you hear about this carnage?  If not, then you’re probably not a hardcore gamer.

These towns are in the virtual realms of World of Warcraft (WoW).  This is the most played MMORPG, with millions of players.  Thus, those were virtual deaths.  And the cause was a hack.  It seems that a script allowed players to cast an extremely powerful spell (Aura of God) that kills everybody around.  The attack was claimed by Jadd.


Blizzard, the developer of WoW, reacted quickly and hot-fixed the exploit within four hours.  In an official statement, Blizzard announced that

It’s safe to continue playing and adventuring in major cities and elsewhere in Azeroth.

Usually, attacks on games are oriented towards cheating or gaining more money.  Jadd claims the exploit was just for fun.

LinkedIn Password Leak (3) or The cost of one leak

In June 2012, 6.5 million unsalted password hashes leaked out of LinkedIn.  The company asked the affected members to change their password (and hopefully salted the hashed passwords).
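To show what “unsalted” means for a leak of this kind, here is an added example (my own code, not LinkedIn’s): the user records and the wordlist are constructed, the unsalted scheme is bare SHA-1 as in the dump, and the salted alternative uses PBKDF2-HMAC-SHA256 with an assumed work factor.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample records (not real LinkedIn data): two users reuse one password.
SAMPLE_USERS = {"alice": "password123", "bob": "password123", "carol": "correct horse battery"}
PBKDF2_ROUNDS = 200_000  # assumed work factor for the salted scheme

def unsalted_sha1(password):
    """Bare SHA-1 of the password: the storage scheme the 2012 LinkedIn dump exposed."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def salted_hash(password, salt=None, rounds=PBKDF2_ROUNDS):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 with a fresh 16-byte random salt."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)

def verify_salted(password, salt, digest, rounds=PBKDF2_ROUNDS):
    """Recompute the digest with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt, rounds)[1], digest)

def build_unsalted_db(users=SAMPLE_USERS):
    return {user: unsalted_sha1(pw) for user, pw in users.items()}

def build_salted_db(users=SAMPLE_USERS):
    """Salt and digest are stored side by side, one fresh salt per user."""
    return {user: salted_hash(pw) for user, pw in users.items()}

def users_with_shared_digest(digests):
    """Count users whose stored digest equals another user's digest.
    Unsalted storage exposes password reuse directly; with per-user salts,
    equal passwords still yield different digests."""
    counts = Counter(digests.values())
    return sum(1 for d in digests.values() if counts[d] > 1)

def reverse_lookup_table(wordlist):
    """One precomputed SHA-1(candidate) -> candidate table serves every hash in an
    unsalted dump at once; a per-user salt makes such a shared table useless."""
    return {unsalted_sha1(word): word for word in wordlist}

def recover_unsalted(db, wordlist):
    """Map each user to the password found in the wordlist, or None."""
    table = reverse_lookup_table(wordlist)
    return {user: table.get(digest) for user, digest in db.items()}
```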

When publishing its Q2 earnings, LinkedIn described some expenses.  Obviously, the leak had a direct impact.

  • The forensic investigation itself cost between $500,000 and $1,000,000.
  • LinkedIn provisioned an additional $2,000,000 – $3,000,000 to increase its security.

Therefore, this leak seems to have cost less than other recent leaks such as the Sony network breach.  As the number of LinkedIn members still grew, it seems not to have impacted the popularity of the site either.  The Q3 results (to be published soon) should still show growth in membership.

There is no news about the class action initiated by Katie Szpyrka.

WhiteHat Security Website Statistics Report

Every semester, WhiteHat Security publishes its website security statistics report.  It provides good insight into the evolution of the landscape.  It is interesting reading, although the data must be taken with care rather than as ground truth.  To be fair, the author clearly highlights this point.

Some of the points that interested me:

  • The number of serious vulnerabilities is decreasing each year.  Unfortunately, the deviation is large.  Some sites present hundreds of serious vulnerabilities, whereas banking sites present only a few (hopefully).  Here also, this is a best-case scenario.
  • Number one type of vulnerability: XSS, followed by information leakage.  The famous SQL injection appears only in 8th position.  But we know how devastating SQL injection can be.
  • In the ranking by type of company, as already said, the banking industry is the best student in the class, with only 17 serious vulnerabilities.  Interestingly, social networks are not doing a bad job, being at 3rd rank with 31 vulnerabilities.
  • An interesting, and worrying, figure: the vulnerability reopen rate.  20% of the vulnerabilities have been reopened at least once!  The more serious the vulnerability, the higher the likelihood of reopening.

If you’re interested in following this type of trend, then read this white paper.

Why do Nigerian scammers say they are from Nigeria?

Nigerian scam is a generic term for the category of scams that always follow the same scheme: a widow/lawyer/son/exiled person has a huge sum of money blocked somewhere.  They need the help of a trusted person to get this money out.  You are this person.  Of course, you will be nicely rewarded for your help.  Obviously, if you agree to help, the scammer will soon ask for a small advance to be able to prepare the paperwork or bribe the proper officials… Of course, in the end, no money is transferred to you.  The Nigerian scam is a very old trick.

As the Nigerian scam is old and well known, the question of why attackers still use such an obvious trick is a valid one.  And the basic answer that attackers may be stupid is not appropriate.  HERLEY Cormac, from Microsoft Research, provides a very convincing answer.

Scammers also have false positives.  This type of scam needs a lengthy interaction with the target.  This interaction has a cost (time, effort).  When starting the interaction, the attacker would rather have no false positives.  Ideally, the attacker should only start with viable targets, i.e. targets that will carry the interaction through to the successful skimming.  Intuitively, you may guess that the more gullible the target is, the higher the chance of success.  Therefore, using such a worn-out trick filters the initial respondents.  It keeps only the most gullible persons.  Thus, it lowers the rate of false positives.

Cormac analyses the typical Receiver Operating Characteristic (ROC) curves that are usually used to draw the trade-off between the true positive and false positive rates of classifiers.  He looks for the optimal operating point.  He analyzes the impact of density (i.e. the ratio of viable targets) and of the quality of the classifier.  Then, he applies the outcomes to the Nigerian scams.  He shows that the “dumbness” of the mail is a good classifier and that attackers try to operate at a point of better overall profit.

This paper is interesting to read as it uses the usual maths for classifiers to analyze the impact of false positives on the financial gain of the attacker.  It also takes the stance that not all scams are costless to attackers.
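To make the ROC argument above concrete, here is an added example (my own code, not Herley’s model or figures): it assumes a binormal ROC curve (viable and non-viable targets score as two unit-variance normals separated by a “quality” parameter) and assumed payoff numbers, then sweeps the operating point to find the most profitable one for a given density of viable targets.

```python
import math

def normal_cdf(x):
    """Standard normal CDF via erfc (no SciPy needed)."""
    return 0.5 * math.erfc(-x / math.sqrt(2.0))

def roc_point(threshold, separation):
    """Assumed binormal ROC model: non-viable targets score N(0,1), viable ones
    N(separation,1); the attacker engages everyone scoring above `threshold`.
    Returns (true positive rate, false positive rate)."""
    tpr = 1.0 - normal_cdf(threshold - separation)
    fpr = 1.0 - normal_cdf(threshold)
    return tpr, fpr

def expected_profit(tpr, fpr, density, gain, cost):
    """Expected profit per person in the population: every engaged target costs
    `cost` (the lengthy interaction), every viable one eventually yields `gain`."""
    engaged = density * tpr + (1.0 - density) * fpr
    return density * tpr * gain - engaged * cost

def best_operating_point(density, separation, gain, cost, lo=-4.0, hi=8.0, step=0.01):
    """Sweep thresholds along the ROC curve and return the most profitable point.
    The baseline is 'engage nobody' (profit 0), so a losing scam returns that."""
    best = {"threshold": None, "tpr": 0.0, "fpr": 0.0, "profit": 0.0}
    for i in range(int(round((hi - lo) / step)) + 1):
        t = lo + i * step
        tpr, fpr = roc_point(t, separation)
        profit = expected_profit(tpr, fpr, density, gain, cost)
        if profit > best["profit"]:
            best = {"threshold": t, "tpr": tpr, "fpr": fpr, "profit": profit}
    return best

if __name__ == "__main__":
    GAIN, COST = 1000.0, 10.0  # assumed payoff of a completed scam vs. cost of one interaction
    for density in (0.1, 0.01, 0.001):
        for sep in (1.0, 2.0):
            b = best_operating_point(density, sep, GAIN, COST)
            print(f"density={density:<6} quality={sep}: threshold={b['threshold']:.2f} "
                  f"TPR={b['tpr']:.3f} FPR={b['fpr']:.4f} profit/person={b['profit']:.4f}")
```

Running it shows the two effects described above: as density falls, the best operating point moves to a stricter threshold (far fewer false positives, at the price of missing most viable targets), and a sharper classifier raises the achievable profit.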


The paper reference:

C. Herley, “Why do Nigerian Scammers Say They are from Nigeria?,” Berlin, Germany: Microsoft Research, 2012 available at http://research.microsoft.com/apps/pubs/?id=167719.

You are what you wear

Common knowledge is that what you are wearing has some influence on how your interlocutors perceive you.  When visiting a therapist, would you trust the one in shorts and a torn tee shirt more than the one formally dressed?  But do your clothes have some influence on your own behavior?

This is what ADAM Hajo and GALINSKY Adam explored in their paper “Enclothed cognition”.  And their findings are interesting.

Yet, the clothes we wear have power not only over others, but also over ourselves.

Clothes influence our behavior and even our efficiency!  To prove that, they set up an experiment comparing the respective performance on completing a task between people wearing a white lab coat and people without the lab coat.  The first group performed better than the second group.

We posit that wearing clothes causes people to “embody” the clothing and its symbolic meaning.

This is even more interesting.  It is actually not the garment itself but rather its symbolic meaning that affects the wearer.  In another experiment, they created three groups: the first group wore a white lab coat that was announced to be a doctor’s coat.  The second group wore the same white lab coat, but this time it was announced to be a painter’s coat.  The third group did not wear any lab coat.  The first group consistently performed better than the two other groups.  The people wearing a “painter” lab coat performed no better than people without a lab coat.

How is that related to security?  SOCIAL ENGINEERING!  We already knew that you’d better be dressed in a way consistent with what is expected from the role you are trying to mimic.  This helps to trick the target and creates good ground for trust; here clearly, clothes carry a strong symbolic meaning that influences the victim.  Uniforms carry a message of order, authority and strength.  Lab coats carry a meaning of science and expertise…  It seems that these clothes may also help the social engineer perform his “supposed” role better.

By the way, in our daily life, could this trick help boost our performance?

Reference

H. Adam and A.D. Galinsky, “Enclothed cognition,” Journal of Experimental Social Psychology, vol. 48, Jul. 2012, pp. 918–925 available at http://www.utstat.toronto.edu/reid/sta2201s/labcoatarticle.pdf.