Month: January 2015

Critical DNS hijacking flaw affects D-Link DSL router

Posted on

A critical DNS hijacking flaw affects a D-Link DSL router. The flaw lies in the ZynOS firmware, which is also used by other vendors, including TP-Link and ZTE.
A security vulnerability affects a DSL router model from D-Link; it could be exploited by a remote attacker to change the device's DNS settings and hijack users' traffic. The Bulgarian security expert Todor Donev, a member of the Ethical Hacker research team, explained that the vulnerability lies in the ZynOS firmware, which is present in many devices from other vendors, including D-Link, TP-Link and ZTE.

At least one D-Link router is affected, the DSL-2740R ADSL modem/wireless router, but every manufacturer using the same firmware is potentially exposed to remote hacking.


Todor Donev published a proof-of-concept exploit for the D-Link DSL-2740R, a model that has already been phased out but may still receive support where it is covered by warranty.

By exploiting the flaw, the attacker can access the device's Web administration interface without authentication and then modify the DNS settings to redirect users to phishing websites or to domains used to serve malware. Even if the Web administration interface is not exposed to the Internet, the attacker can reach it from within the local area network with a cross-site request forgery (CSRF) technique: a page the victim visits makes the victim's browser send the crafted request to the router's LAN address.

“If the administration interface is exposed to the Internet — routers are sometimes configured in this way for remote administration — the risk of exploitation is higher. But even if it’s only accessible from within the local area network, hackers can still use cross-site request forgery (CSRF) techniques to reach a router’s interface. CSRF attacks hijack users’ browsers to perform unauthorized actions when they visit compromised sites or click on malicious links. Rogue code loaded from a website can instruct a browser to send specially crafted HTTP requests to LAN IP addresses that are usually associated with routers. Large scale CSRF attacks against router owners that were designed to replace DNS servers configured on their devices with servers controlled by attackers were observed on the Internet in the past,” ComputerWorld reported.

Donev has not notified D-Link of the vulnerability, but the public availability of the exploit should prompt every vendor that ships the flawed firmware to check whether its products suffer from the same issue.
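As an added example (not code from the article, nor from ZynOS or any D-Link firmware), the following Python sketch shows why a LAN-only admin interface is still reachable by CSRF and what a hardened handler checks. It models the router's DNS-settings endpoint as a plain function over a constructed request dict; the router address 192.168.1.1, the session cookie value and the 203.0.113.x resolver addresses standing in for attacker-controlled servers are assumptions. The ZynOS flaw described above needs even less than this, since the interface answered without authentication at all; the weak handler here shows that even cookie-authenticated access is not enough when another origin can forge the request.

```python
"""Added example: a router 'set DNS' handler, weak and hardened, exercised
with constructed requests. Not code from the article, ZynOS or D-Link."""
import hmac
import secrets
from urllib.parse import urlsplit

ROUTER_HOST = "192.168.1.1"         # assumed LAN address of the router
SESSION_COOKIE = "adm_session=abc"  # assumed: the admin's browser is logged in


class Router:
    def __init__(self):
        self.dns = ["192.168.1.1"]               # resolver handed out to LAN clients
        self.csrf_token = secrets.token_hex(16)  # per-session token embedded in the admin page


def logged_in(req):
    return req["headers"].get("Cookie") == SESSION_COOKIE


def weak_set_dns(router, req):
    """Vulnerable pattern: cookie authentication only. The browser attaches the
    cookie to every request for 192.168.1.1, including one a malicious page
    auto-submits from another origin, so the forged POST is accepted."""
    if not logged_in(req):
        return 403
    router.dns = req["form"]["dns"].split(",")
    return 200


def same_origin(req):
    """Origin (or Referer) must name the router itself; fail closed when absent."""
    origin = req["headers"].get("Origin") or req["headers"].get("Referer")
    if not origin:
        return False
    return urlsplit(origin).hostname == ROUTER_HOST


def hardened_set_dns(router, req):
    """Same endpoint with an origin check plus a per-session CSRF token that a
    cross-origin page cannot read (compared in constant time)."""
    if not logged_in(req) or not same_origin(req):
        return 403
    token = req["form"].get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), router.csrf_token.encode()):
        return 403
    router.dns = req["form"]["dns"].split(",")
    return 200


def forged_request():
    """Constructed: what a form auto-submitted by evil.example looks like when it
    reaches the router. The cookie rides along, the Origin is the attacker's
    site, and there is no token. 203.0.113.x are documentation addresses."""
    return {"headers": {"Cookie": SESSION_COOKIE, "Origin": "http://evil.example"},
            "form": {"dns": "203.0.113.53,203.0.113.54"}}


def legit_request(router):
    """Constructed: the admin submitting the real settings page."""
    return {"headers": {"Cookie": SESSION_COOKIE, "Origin": "http://" + ROUTER_HOST},
            "form": {"dns": "9.9.9.9", "csrf_token": router.csrf_token}}


def demo():
    weak = Router()
    forged_status = weak_set_dns(weak, forged_request())             # 200: DNS hijacked
    hardened = Router()
    blocked_status = hardened_set_dns(hardened, forged_request())    # 403
    ok_status = hardened_set_dns(hardened, legit_request(hardened))  # 200
    return forged_status, weak.dns, blocked_status, ok_status, hardened.dns


if __name__ == "__main__":
    print(demo())
```

The token is the primary control, since a page on another origin cannot read the admin page to learn it; the origin check catches the forged request early and fails closed when both headers are missing, which also covers older browsers that sent no Origin on form posts.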


Silk Road paid thousands in shake-downs from malicious hackers

Posted on

When operating outside of the law, you can’t rely on the police to protect your illegal enterprise from other criminals.

The Silk Road marketplace founders likely learned this lesson in 2012 and 2013, after paying thousands of dollars to cyber extortionists who threatened to expose serious site vulnerabilities or hit it with denial of service attacks, according to evidence presented in federal court in Manhattan on Wednesday.

The extortion information emerged during testimony from U.S. Internal Revenue Service special agent Gary Alford, who had subpoenaed the emails of defendant Ross Ulbricht as part of his investigation. Ulbricht is on trial at the U.S. District Court for the Southern District of New York for narcotics and criminal enterprise charges in relation to Silk Road.

According to prosecutors, Silk Road facilitated the exchange of $1.2 billion in illegal goods, mostly drugs, and generated $80 million in commissions for the operators from 2011 until October 2013, when the site was shuttered by law enforcement. Like an eBay for unlawful goods, Silk Road matched sellers with buyers, who used bitcoins to pay for goods that were delivered through the mail.

On at least two separate occasions, Silk Road operators paid malicious attackers ransoms in exchange for keeping the site up and secure.

Silk Road malicious hackers

During his testimony, Alford showed an email received by Silk Road in November 2012 claiming to have found a serious vulnerability in the site’s software. The e-mail, from an anonymous sender, asked for $5,000 in exchange for not exposing the flaw, or $15,000 to offer full details on how the flaw operated and how it could be exploited.

A spreadsheet found on the computer Ulbricht was using at the time of his arrest suggested that $15,000 was paid out shortly after the email was received. An entry for a debit for that amount was annotated with the phrase “pay off hacker.”

Chat log files between the Silk Road admin identified as Dread Pirate Roberts — whom prosecutors have alleged is Ulbricht — and another administrator of the site, also indicate the extortion fee was paid. The fellow administrator consoled Dread Pirate Roberts by writing: “You’re still way richer than he is.”

In April 2013, Silk Road was subjected to another shake-down. An anonymous party hit the site with a distributed denial-of-service (DDoS) attack, which can congest servers to the point that legitimate users cannot access the targeted site. Silk Road paid $10,000 to stop the attack, according to the site’s ledger. However, the attack continued even after the money was deposited to an anonymous account, according to Dread Pirate Roberts’ chat logs.

In addition to drugs, Silk Road also sold hacking tools, according to prosecutors. Alford testified to buying, undercover, a “Hacking Pack” that included 115 “hacking tools and programs” from the site. When the pack was purchased, the vendor emailed a list of links from which the buyer could download the programs, including some that supposedly offered the ability to take remote control of a website.

Federal prosecutors maintain that Ulbricht was the mastermind behind the Silk Road site. Ulbricht was charged with narcotics conspiracy, engaging in a continuing criminal enterprise, conspiracy to commit computer hacking and money laundering. The narcotics and criminal enterprise charges carry maximum penalties of life in prison. Ulbricht has pled not guilty to all charges.

Ulbricht’s defense lawyer, Joshua Dratel, argues that Ulbricht handed off the site to other operators shortly after he started it, and that he rejoined immediately prior to his arrest, lured back in by the new operators to serve as a fall guy.


Beware of spear phishing

Posted on

Most information security services professionals are familiar with the term “phishing”, which describes the practice of sending emails that imitate correspondence from well-known companies in order to obtain personal information such as passwords or credit card numbers from the recipients.

Spear phishing is an evolution of this phenomenon: the attackers go after their targets online the way a fisherman goes after one fish, with a sophisticated ruse that works like the proverbial spear. Instead of sending a massive number of e-mails and seeing what comes back, spear phishers have a specific target in mind. And that target could well be your company and the sensitive data its servers hold, according to digital forensics experts.


Spear phishers can send emails or social-network messages to any employee of the company, so it is important to educate your entire workforce about the threat, for example with training such as an ethical hacking course.

Encourage them to treat emails and social-network messages with suspicion, even when they contain personal information. Teach workers that phishers use social-network pages and company websites to obtain such data, so they must always be on guard. That is especially true for correspondence that refers to a news event or asks for immediate action, since these are common spear-phishing tricks, according to digital forensics researchers.

Recipients should pay attention to the tone of all correspondence they receive and whether it is what they would expect from the sender. Spear phishers may be able to find out a colleague’s name and email address, but they will not be able to imitate that person’s writing style. For example, an employee should hear alarm bells if a normally talkative co-worker sends a one-line email that says “Click this link.”

Employees should take training such as an ethical hacking course and learn never to download an attachment unless they are certain it came from the source they expect, and to type URLs into the browser rather than simply clicking links sent by email. Teach workers to hover over links in email messages and web browsers to verify where they really lead. Your business should certainly focus on prevention to avoid spear-phishing attacks, but it is also important to concentrate on detection, so as to minimise the impact of any security breach, with the help of information security services. Spear phishing is a growing threat across the Web, but these important measures can ensure that your company does not become the next victim. Has your company ever been a victim of spear-phishing attacks?
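As an added example (not part of the original post), the following Python script applies the hover-over-the-link advice mechanically to the body of an HTML email: it extracts every link, compares the host the link text displays with the host the href actually points to, flags links that leave the company's own domain, and notes urgency wording of the kind the post warns about. The company domain example.com, the urgency word list and the sample email are constructed for the example; the lookalike host intranet.example.com.evil-login.net is invented.

```python
"""Added example: link and tone checks for a suspected spear-phishing mail.
Not code from the original post."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"example.com"}   # assumption: the company's own domain(s)
URGENCY = re.compile(r"\b(immediately|urgent(?:ly)?|right now|now|within 24 hours)\b", re.I)


class MailLinks(HTMLParser):
    """Collect (href, visible text) pairs and the plain text of an HTML mail."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []
        self._href = None
        self._label = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._label = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._label.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._label).strip()))
            self._href = None


def host_of(url):
    """Host part of a URL; a bare 'host/path' string is treated as a URL too."""
    parts = urlsplit(url if "//" in url else "//" + url)
    return (parts.hostname or "").lower()


def trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def looks_like_url(text):
    return "." in text and " " not in text


def check_mail(html):
    """Return findings as tuples: ('display-mismatch', label, href) when the
    text shown to the user names a different host than the href; ('external-link',
    label, href) when the target is outside the trusted domains; ('urgency', word)
    for pressure phrases in the body text."""
    p = MailLinks()
    p.feed(html)
    findings = []
    for href, label in p.links:
        target = host_of(href)
        if looks_like_url(label) and host_of(label) != target:
            findings.append(("display-mismatch", label, href))
        elif not trusted(target):
            findings.append(("external-link", label, href))
    for word in URGENCY.findall("".join(p.text)):
        findings.append(("urgency", word.lower()))
    return findings


# Constructed sample mail: a lookalike link, a genuine intranet link and a
# "click here" pointing at a bare IP (203.0.113.0/24 is a documentation range).
SAMPLE_MAIL = """<p>Hi, given this morning's news please reset your password now:
<a href="http://intranet.example.com.evil-login.net/reset">https://intranet.example.com/reset</a>
The <a href="https://intranet.example.com/policy">policy page</a> has details.
Also <a href="http://203.0.113.7/doc.exe">click here</a> for the attachment.</p>"""

if __name__ == "__main__":
    for finding in check_mail(SAMPLE_MAIL):
        print(finding)
```

The display-mismatch case is the one a hover reveals: the visible text names the intranet host, but the href host merely begins with it. The genuine policy link produces no finding, which keeps the output useful for triage rather than a list of every link in the message.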

GHOST glibc Remote Code Execution Vulnerability Affects All Linux Systems

Posted on

A critical vulnerability has been found in glibc, the GNU C library, that affects all Linux systems dating back to 2000. Attackers can use this flaw to execute code and remotely gain control of Linux machines.

The issue stems from a heap-based buffer overflow in the __nss_hostname_digits_dots() function in glibc, which is used by the gethostbyname() and gethostbyname2() function calls.

“A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application,” said an advisory from Linux distributor Red Hat.

The vulnerability, CVE-2015-0235, has already been nicknamed GHOST because of its relation to the gethostbyname function. Researchers at Qualys discovered the flaw and say it goes back to glibc 2.2, released in November 2000.

According to Qualys, a fix for the bug was committed on May 21, 2013, between the releases of glibc 2.17 and glibc 2.18.

“Unfortunately, it was not recognized as a security threat; as a result, most stable and long-term-support distributions were left exposed (and still are): Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04, for example,” said an advisory from Qualys posted to the OSS-Security mailing list.

Respective Linux distributions will be releasing patches; Red Hat has released an update for Red Hat Enterprise Linux v.5 server. Novell has a list of SUSE Linux Enterprise Server builds affected by the vulnerability. Debian has already released an update of its software addressing the vulnerability.

“It’s everywhere, which is kind of the urgency we have here. This has been in glibc for a long time. It was fixed recently, but it was not marked as a security issue, so things that are fairly new should be OK,” said Josh Bressers, a member of the Red Hat security response team. “From a threat level, what it comes down to is a handful of stuff that’s probably dangerous that uses this function.”

Unlike past Internet-wide bugs such as Shellshock in Bash, patching glibc may not be the chore that Bash was, since so many components made silent calls into Bash.

“In this instance, you just apply the glibc update, and restart any services that are vulnerable,” Bressers said. “It’s not confusing like Shellshock was.”

Qualys, in its advisory, not only shares extremely in-depth technical information on the vulnerability, but also includes a section explaining exploitation of the Exim SMTP mail server. The advisory demonstrates how to bypass NX, or No-eXecute protection as well as glibc malloc hardening, Qualys said.

GHOST glibc Remote Code Execution Vulnerability

Qualys also said that, in addition to the 2013 patch, other factors mitigate the impact of the vulnerability, including the fact that the gethostbyname functions are obsolete because of IPv6, with newer applications using a different call, getaddrinfo(). While the flaw is also exploitable locally, that scenario too is mitigated: many programs call gethostbyname() only after a preliminary inet_aton() call on the hostname has failed, yet reaching the overflow requires a second parse of the same string to succeed. The advisory calls this “impossible”, so those programs are safe.

There are mitigations against remote exploitation too, Qualys said. Servers, for example, use gethostbyname to perform full-circle reverse DNS checks. “These programs are generally safe because the hostname passed to gethostbyname() has normally been pre-validated by DNS software,” the advisory says.

“It’s not looking like a huge remote problem, right now,” Bressers said.

However, while the bug may have been dormant since 2000, there is no way to tell if criminals or government-sponsored hackers have been exploiting this vulnerability. Nor is there any way to tell what will happen once legitimate security researchers—and black hats—begin looking at the vulnerability now that it’s out in the open. With Bash, for example, it didn’t take long for additional security issues to rise to the surface.
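To check a specific host, this added Python example (not the article's or Qualys' code, though it follows the logic of the test program in the Qualys advisory) calls gethostbyname_r() through ctypes with a hostname made of digits, sized so that the pre-fix size computation in __nss_hostname_digits_dots() exactly fills a 1024-byte caller-supplied buffer. The vulnerable computation omits sizeof(char *), so an unfixed glibc copies up to one pointer's width past the buffer into a canary placed right after it; a fixed glibc returns ERANGE before copying anything. The 1024-byte buffer size and the canary string are choices for this example; the _r variant is used because it lets the caller supply the buffer.

```python
"""Added example: a GHOST (CVE-2015-0235) probe of the running C library via
ctypes, following the logic of the test program in the Qualys advisory. Not
the article's or Qualys' code."""
import ctypes
import errno

BUFLEN = 1024                 # caller-supplied buffer handed to gethostbyname_r()
CANARY = b"in_the_coal_mine"  # placed directly after the buffer


def ghost_check():
    """1 = the overflow reached the canary (vulnerable), 0 = the library
    refused with ERANGE (fixed), -1 = inconclusive (no gethostbyname_r, or a
    libc that rejects the name for another reason, e.g. musl's length limit)."""
    try:
        libc = ctypes.CDLL(None)  # symbols of the running process, libc included
        fn = libc.gethostbyname_r
    except (AttributeError, OSError, TypeError):
        return -1
    fn.restype = ctypes.c_int
    fn.argtypes = [ctypes.c_char_p, ctypes.c_void_p, ctypes.c_void_p, ctypes.c_size_t,
                   ctypes.POINTER(ctypes.c_void_p), ctypes.POINTER(ctypes.c_int)]

    ptr = ctypes.sizeof(ctypes.c_void_p)
    # Pre-fix size_needed = sizeof(host_addr) [16] + sizeof(h_addr_ptrs) [2 ptrs]
    # + strlen(name) + 1, missing the sizeof(char *) for h_alias_ptr. Size the
    # name so that this equals BUFLEN: the length check passes, and the copy of
    # the name ends sizeof(char *) bytes past the buffer, on the canary.
    name = b"0" * (BUFLEN - 16 - 2 * ptr - 1)

    buf = ctypes.create_string_buffer(BUFLEN + len(CANARY) + 1)
    ctypes.memmove(ctypes.addressof(buf) + BUFLEN, CANARY, len(CANARY))
    resbuf = ctypes.create_string_buffer(256)  # room for struct hostent
    result = ctypes.c_void_p()
    h_errno = ctypes.c_int(0)

    ret = fn(name, resbuf, buf, BUFLEN, ctypes.byref(result), ctypes.byref(h_errno))

    if buf.raw[BUFLEN:BUFLEN + len(CANARY)] != CANARY:
        return 1
    if ret == errno.ERANGE:
        return 0
    return -1


if __name__ == "__main__":
    print({1: "vulnerable", 0: "not vulnerable", -1: "inconclusive"}[ghost_check()])
```

The verdict depends only on the C library the interpreter is linked against, so run it with the distribution's system Python rather than a bundled one. A fresh process always maps the current library; long-running services keep the old one mapped until restarted, which is why applying the update is only half the job.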


Wingstop, Metropolitan State University Hit by Hackers

Posted on

Vividly demonstrating how wide a range of organizations can be breached by hackers, both the restaurant chain Wingstop and Minnesota’s Metropolitan State University acknowledged data breaches in the past week.

In response to reports of suspicious activity, Wingstop says it retained the digital forensics firm Stroz Friedberg to review the point-of-sale (PoS) systems at all of its U.S. locations. The investigation found that four of its independently owned and operated franchise locations in Texas had suffered PoS breaches during separate periods in 2012 and 2014.

The company says Wingstop locations in Corpus Christi and Union City, Texas had malware on their PoS systems between June 4, 2014 and July 31, 2014; 20 customer payment cards that had been used at a location in Lubbock, Texas experienced fraud around the same timeframe; and one franchise in Grand Prairie, Texas had malware on its PoS system between May 5, 2012 and June 27, 2012, and again between November 11, 2012 and December 9, 2012.

Metropolitan State University Hit

The data potentially exposed includes cardholder names, payment card account numbers and expiration dates.

“In each instance, Wingstop assisted franchisees by immediately removing the Internet-connected POS hard drives and replacing them with new systems,” the company said in a statement. “Wingstop franchisees operate entirely independent POS systems that are neither managed by nor connected to a central location. The investigation of the Internet-connected POS systems has detected no evidence of malware on the systems at any other location.”

All affected customers are being offered 12 months of free identity theft protection services from AllClear ID. Customers with questions are advised to contact (877) 615-3744.

And Metropolitan State University recently acknowledged that a hacker appears to have breached its Web server in mid-December 2014 and accessed a database containing the personal information of faculty, staff and students. The university has not yet determined who may have been affected.

“We do not believe this server contained any financial data or credit card information, but several databases included employees’ Social Security numbers,” the university said in a statement [PDF].

“To date, we have established the validity of the claimed attack, disabled the vulnerability that we believe permitted this breach, isolated the risk from other servers, and notified law enforcement,” the statement adds. “The university is also taking additional measures to minimize future security risks.”

Several recent articles at eSecurity Planet have offered advice on how to respond to a data breach, from conducting a security audit to consulting with data privacy counsel.


Adobe patches one Flash zero-day vulnerability but Angler Exploit Kit remains a threat

Posted on

Adobe has patched a zero-day vulnerability in its Flash Player software which was being actively exploited by criminals but the company has yet to address another zero-day flaw in the same software which is being used in the Angler Exploit Kit.

Earlier this week security researcher Kafeine revealed that a vulnerability in Flash was affecting people using Internet Explorer on Windows XP, Windows Vista, Windows 7 and Windows 8, with the criminals using the Angler Exploit Kit to install the Bedep malware, which is used in ad-fraud campaigns.

Adobe patches one Flash zero-day vulnerability

On Thursday Kafeine updated his blog to reveal the hackers had adapted the exploit kit to also attack users of the Firefox browser, meaning millions more people were vulnerable to attack.

The researcher also added that a fully-patched version of Internet Explorer 11 on Windows 8.1 was now also vulnerable, having previously been protected.

Adobe patch

In an advisory also published on Thursday (22 January), Adobe announced an update to its Flash Player software which patched a vulnerability (CVE-2015-0310) that would allow hackers to “circumvent memory randomisation mitigations on the Windows platform”. This is not the flaw being used by the Angler Exploit Kit.

Adobe said, however, that it was aware of the second issue and would issue a patch the following week.

“We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8 and below. Adobe expects to have a patch available for CVE-2015-0311 during the week of January 26.”

Warning of the dangers of integrating this vulnerability into the Angler Exploit Kit, Pedro Bustamante from Malwarebytes said:

“The zero-day vulnerability in Flash Player, as discovered by Kafeine, could provide a big security risk for Internet users, effectively opening an unguarded window onto PCs worldwide. The fact that it has seemingly been integrated into the Angler Exploit Kit shows that criminals are keen to use it to target people and businesses en-masse.

“Using a delivery mechanism such as Angler increases the chance of successful infections, allowing for accurate attacks through infected adverts on high traffic websites.”

Richard Cassidy from Alert Logic says that exploit kits are an attractive tool for criminals, particularly those without a huge amount of technical expertise:

“From an attacker perspective exploit kits make the task of gaining access to a user’s system through web based exploitable vulnerabilities very easy indeed, you simply don’t need a great deal of security or technical expertise to effectively use them and can gain access to compromised systems in a very short period of time.”


Internet attack could shut down US gas stations

Posted on

A device used to monitor the gasoline levels at refueling stations across the United States—known as an automated tank gauge or ATG—could be remotely accessed by online attackers, manipulated to cause alerts, and even set to shut down the flow of fuel, according to research to be published on Thursday.

The security weakness—identified by Jack Chadowitz, a former process control engineer and founder of control-system monitoring service BostonBase—could theoretically affect the devices at many of the approximately 115,000 fueling stations in the United States, but only a small fraction of those systems—about 5,300—appear to be vulnerable to an Internet attack, according to security firm Rapid7, which conducted a scan for such devices on January 10. While automated tank gauges are typically accessed to monitor fuel inventories, so as to know when to order gasoline, attackers could also access the settings, Chadowitz said.

“One could change the calibration and make the tank report full or empty,” he told Ars. “If you report the tank is full, no one is going to order fuel.”

In the worst case, an attacker could cause the gauge to report a leak, which would shut down the pumps, Chadowitz said.

The vulnerability of the gauges used to monitor gasoline tanks is the latest security issue plaguing consumer and industrial devices that are increasingly being connected to the Internet. Often called the Internet of Things, connecting such technology to the wider Internet poses security risks because many of the devices were created without much thought to security. Most gas stations are independently owned, have razor-thin margins, and tend to be run by owners who are not very technically savvy, said HD Moore, chief research officer at Rapid7.

“If you look at these gas stations, they are using off-the-shelf home routers from Best Buy,” he said. “By connecting them to the Internet, mom-and-pop gas station owners are going to get hit with the same problems that regular consumers have. The problem is that these devices are doing something important, moderating tank levels of these gas stations.”

Because most gas stations are not owned by gas companies but by independent operators who are very focused on the bottom line, reliable Internet connections are not common. Connecting tank gauges to the Internet allows fast monitoring of inventories, but can be complex, requiring a serial-to-TCP/IP card, configuring of port forwarding on the station’s router, and requiring a more expensive static IP. Because gas station owners use consumer-level Internet providers, the network configuration at gas stations will often change, causing operational issues for monitoring services and components, such as tank gauges, BostonBase’s Chadowitz says.

For that reason, most gas stations use a polling service that calls into a modem connected to their gas-tank gauge, rather than have the gauges always connected to the Internet. Those gauges were not detected by the Rapid7 scans, but are likely vulnerable to an attacker dialing directly into the service, Rapid7’s Moore said.

The most common type of tank gauges are manufactured by Simsbury, CT-based industrial-technology maker Veeder-Root. While they can be protected by a six-character password, most are not. Moreover, the password is communicated in the clear and can be gleaned by eavesdropping, according to BostonBase’s Chadowitz.

Internet attack could shut down US gas stations

Veeder-Root is currently assessing the claims, but stresses that the company is serious about security and has notified customers.

“Security, accuracy and reliability are top priorities at Veeder-Root,” Andrew Hider, president of Veeder-Root, said in a statement sent to Ars. “We have taken immediate and decisive steps to inform each of our customers about activating the security features already available in their tank gauges. It is important to note that no breaches of any kind have been reported by any of our customers in regard to our gauges, but we feel that any question regarding security is met with the appropriate resources to safeguard Veeder-Root customers.”

Like many other types of industrial control systems, the fundamental problem is that the communication protocols for the tank-monitoring equipment were created about two decades ago, a time when security was an afterthought. As more security researchers focus on operational technology and as more industrial professionals gain security expertise, similar issues will likely be found, Rapid7’s Moore said.

“I think these type of issues will become more common, especially as you see experts in these fields getting involved in security,” he said. “This is a good example of an industry that has not really grown up, security-wise.”