Month: September 2015

Anonymous Knocks Down Zimbabwe Herald Website


The Zimbabwe government’s websites are apparently in danger yet again, since the infamous hacktivist group is this time using DDoS to get its message across.

The Zimbabwe Herald is a state-run newspaper, but on Friday its name was in the news all over the world after Anonymous attacked it on the grounds that it encouraged racism.


The site, which happens to be Africa’s global news website, was shut down temporarily after the attack.

Using their Twitter handle Zim4thewin, Anonymous Africa posted a tweet soon after claiming the site, which read:


It was not, however, confirmed by sources at the Herald whether the site was hit with DDoS, but we do know that this has long been Anonymous’s forte.

Anonymous Africa states that it has been training activists in Zimbabwe and one of them was probably being monitored by intelligence agencies.

“The activist noticed that SSL certificates to popular websites like Gmail and Facebook were no longer matching or secure. We are not sure who it was or how much they know, but it appears someone was monitoring the activist. Some networks like the Zim military networks or the Zanu-PF website have not changed one bit since we last trained [attacked] them. We will be visiting them all again in this campaign.” said Anonymous Africa.



Carbanak Banking Trojan Returns with a New Series of Attacks


The Carbanak banking trojan was spotted once again in attacks on financial institutions and businesses across the globe, as CSIS is reporting.

Carbanak, also known as Anunak, was previously discovered and analyzed by the Russia-based security firm Kaspersky Lab in February 2015.

Back then, Kaspersky Lab was estimating that the group behind Carbanak infiltrated up to 100 financial institutions worldwide, gaining control over their computers, and stealing around $1 billion / €876.7 million.

Since then, the trojan has been making sporadic returns, each time changing one small detail of its operation to stay ahead of firewall and antivirus updates.


New Carbanak variant uses a new proprietary communications protocol

As the CSIS team is now reporting, a new variant of the trojan has been observed in the wild, targeting the same kind of financial corporations as before.

This version of Carbanak differs from the original: it uses a predefined IP address instead of randomly generated domains to talk to the C&C server, employs randomly generated file names, and features a new proprietary protocol for managing its plugins and internal communications.

Just as before, Carbanak still hides in an infected svchost.exe process, keeps the modular structure that allows it to shape-shift and adapt to victims, and continues to use a legitimate code-signing certificate to avoid detection.

According to CSIS, this new version of Carbanak uses a code-signing certificate issued by Comodo to what appears to be a legally registered Russia-based business.

Carbanak continues to brazenly flaunt its Russian connection

Security researchers believe the criminals behind Carbanak have registered a real company with the sole purpose of having a legal base for some of their fraudulent transactions.

“Carbanak-related transfers are rather huge,” says the CSIS team. “Possibly, they have registered a company and opened bank accounts in order to receive their stolen money while having full control of the transferring process.”

Previously, ESET researchers found a version of Carbanak using stolen certificates belonging to the Moscow-based companies Stroi-Tekh-Sever, Flash, OOO “Techcom” and Torg-Group.

The Russian connection of the Carbanak trojan is very well known, with Trend Micro researchers having previously linked one of its C&C servers to an IP owned by the Russian Security Service (FSB).


Former Tesla engineer charged with hacking and leaking data


A former Tesla Motors mechanical engineer is facing federal charges in a San Jose District Court on two counts of felony computer intrusion, and one count of misdemeanor computer intrusion.

Authorities said Canadian citizen Nima Kalbasi accessed his former manager’s email account and obtained communications regarding Tesla employee evaluations and other confidential information, according to an FBI release. Kalbasi then allegedly gave the information to other employees and posted it on a public website where he made “false and misleading comments,” in an effort, the FBI said, to damage Tesla’s reputation and credibility.

Former Tesla engineer faces federal charges for computer intrusion for allegedly hacking his manager’s email to leak employee data.

Kalbasi was arrested in August by Customs and Border Protection in Derby Lane, Vt., as he crossed the Canadian border into the U.S. Kalbasi could receive as much as five years in prison for the felony charges and one year for the misdemeanor.


Cisco Patches File Overwrite Bug in IMC Supervisor and UCS Director


Cisco has patched a remote file-overwrite vulnerability in a couple of its products that could allow an attacker to replace arbitrary files and cause target systems to become unstable.

The vulnerability affects the Cisco Integrated Management Controller (IMC) Supervisor and UCS Director software. The company has fixed the bug in new versions of both products. The IMC Supervisor is designed to give customers the ability to manage other Cisco servers from a central point. The UCS Director, meanwhile, provides centralized management of software and hardware in Cisco’s Unified Computing System.


“A vulnerability in JavaServer Pages (JSP) input validation routines of the Cisco IMC Supervisor and Cisco UCS Director could allow an unauthenticated, remote attacker to overwrite arbitrary files on the system,” the Cisco advisory says.

“The vulnerability is due to incomplete input sanitization on specific JSP pages. An attacker could exploit this vulnerability by sending crafted HTTP requests to the affected system. An exploit could allow the attacker to overwrite arbitrary system files resulting in system instability.”

Cisco said there are no workarounds available for the vulnerability, but there are no known public exploits for the bug, either.
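The advisory attributes the bug to incomplete input sanitization on JSP pages that end up writing files. As an added illustration of what a complete check looks like (this is example code written for this page, not Cisco’s code or the patched routine; the directory name and sample inputs are constructed), the function below resolves a client-supplied filename against a fixed base directory and rejects every form of escape it can see: percent-encoded and double-encoded traversal, control bytes, absolute paths, `..` components, and symlink escapes caught by comparing real paths after normalisation.

```python
import os
import posixpath
import urllib.parse

# Hypothetical directory the endpoint is allowed to write into (constructed value).
UPLOAD_ROOT = "/var/app/uploads"


class UnsafePathError(ValueError):
    """Raised when a client-supplied filename would escape the permitted directory."""


def resolve_client_path(base_dir, client_name, decode_rounds=2):
    """Return the absolute path under base_dir that client_name may refer to.

    Order matters: decode first (so %2e%2e and double-encoded forms collapse
    before the traversal check), reject control bytes, reject absolute paths,
    reject any '..' component, and finally confirm with realpath() that the
    resolved location (symlinks included) still lies inside base_dir.
    """
    name = client_name
    for _ in range(decode_rounds):
        decoded = urllib.parse.unquote(name)
        if decoded == name:
            break
        name = decoded
    if any(ord(ch) < 0x20 for ch in name):
        raise UnsafePathError("control or NUL byte in filename")
    name = name.replace("\\", "/")  # treat backslashes as separators as well
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        raise UnsafePathError("absolute path not allowed")
    if any(part == ".." for part in name.split("/")):
        raise UnsafePathError("parent-directory reference not allowed")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, posixpath.normpath(name)))
    # An empty name resolves to the directory itself; that is not a file target.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise UnsafePathError("resolved path escapes base directory")
    return candidate


def classify(client_name):
    """'accepted' or 'rejected' for one client-supplied name."""
    try:
        resolve_client_path(UPLOAD_ROOT, client_name)
        return "accepted"
    except UnsafePathError:
        return "rejected"


if __name__ == "__main__":
    # Constructed sample inputs of the kind a crafted HTTP request might carry.
    samples = ["report.txt", "logs/today.txt", "../../etc/passwd",
               "%2e%2e/%2e%2e/etc/passwd", "%252e%252e/etc/passwd",
               "/etc/passwd", "C:\\Windows\\win.ini", "a\x00.jsp", ""]
    for sample in samples:
        print(f"{sample!r:36} {classify(sample)}")
```

The point of the bounded decode loop is that a single `unquote` call leaves `%252e%252e` looking harmless; checking for `..` only after decoding has stopped changing the string is what closes that gap. The final `commonpath` comparison is the safety net for anything the textual checks miss.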


Bitcoin community ‘needs to collaborate’ over security and scalability


The Bitcoin community has been urged by some of its most prominent members to do more to achieve “technical consensus” over security and scalability.

More than 30 developers and contributors involved with the virtual currency – also known as cryptocurrency – have come together to submit an open letter calling on influential figures and organisations to work harder to improve Bitcoin collaboratively.


They note that while there has been significant progress over the years, including improvements in CPU bottlenecks, memory usage and network efficiency, many challenges remain.

“There will be controversy from time to time, but Bitcoin is a security-critical system with billions of dollars of users’ assets that a mistake could compromise,” the group said.

“To mitigate potential existential risks, it behooves us all to take the time to evaluate proposals that have been put forward and agree on the best solutions via the consensus-building process.”

Some of the signees to the open letter include Bitcoin lead developer Wladimir van der Laan; Bitcoin project developer Amir Taaki; and Bitcoin software developer Luke Dashjr.

Bitcoin has gone from strength to strength since it launched as open source software in 2009.

It was developed by the deliberately enigmatic Satoshi Nakamoto as a way of offering the world a new payment system and currency type that was solely digital.

As Bitcoin has explained: “It is the first decentralized peer-to-peer payment network that is powered by its users with no central authority or middlemen. From a user perspective, Bitcoin is pretty much like cash for the internet.”

While it has had a relatively strong security record, it has been subject to a number of attacks, and a number of vulnerabilities have been identified.

The likelihood is that as it evolves and becomes more prominent and lucrative, it will face even greater threats from cybercriminals. Security, as outlined by the signees of the open letter, will be high on the agenda.


How to use Cycript to break iOS apps?


According to professionals at an IT security firm, Cycript lets developers explore and modify applications running on iOS or Mac OS X using a hybrid of Objective-C++ and JavaScript syntax, through an interactive console with syntax highlighting. Written by Jay Freeman (Saurik) of Cydia, what it gives us is an interactive and immediate way to modify processes running on iOS, a cloud security expert indicated.

If we SSH into an iOS device with cycript installed, we can run it directly from the device. This immediately gives us access to a configured REPL environment and we are ready to play, noted Mike Stevens, ethical hacking training instructor at the International Institute of Cyber Security. It is at this point that we also decide which process to inject our modifications into.

You can inject into the SpringBoard process. SpringBoard controls everything from the lock screen to app switching. Before using Cycript and changing anything, we need to know what we want to change, its name and where it is located, mentioned an iCloud cloud security systems expert.


There are several ways to find something we want to change using cycript. One way is to use the header dumps I mentioned earlier to interact with classes, methods and variables directly by typing their names, mentioned the expert from the IT security firm. Another method, useful if you are modifying an application rather than SpringBoard, is to call UIApp.keyWindow.recursiveDescription, which prints a hierarchical description of the current screen layout. You can work backwards from the bottom of that description to eventually find the class you want to change.

The method we will use is a function built into cycript called choose. The choose function searches the memory of the injected process for any instances of the class you ask for and grabs them all as an array. For example, we can ask for all instances of the UILabel class, assuming our “No Notifications” message is a UILabel. According to Jim Taylor, cloud security expert, because of the large number of UILabels in memory, you can easily set things up so that cycript shows only the labels’ text. Fortunately, thanks to the scripting nature of cycript, we can do this in a single line.

[choose(UILabel)[i].text for(i in choose(UILabel))]

var labels = choose(UILabel); for (var i in labels) if (labels[i].text == "No Notifications") nnLabel = labels[i];

In the snippet above, we saved the UILabel whose text matches “No Notifications” as nnLabel. Now we can interact with the label as much as we want, and even call all the usual methods that can be used on a UILabel.

Unfortunately, this small memory-hacking change is not permanent: closing and reopening Notification Center will cause Apple’s original code to run again and undo all our hard work. Making the work permanent is a topic you can learn during ethical hacking training, which describes how to hook into Apple’s code programmatically to change what actually runs, rather than making temporary changes.


CERT Warns of Slew of Bugs in Belkin N600 Routers


The CERT/CC is warning users that some Belkin home routers contain a number of vulnerabilities that could allow an attacker to spoof DNS responses, intercept credentials sent in cleartext, access the web management interface, and take other actions on vulnerable routers.

The vulnerabilities affect the Belkin N600 DB Wireless Dual Band N+ router, model F9K1102 v2 with firmware version 2.10.17, and potentially earlier versions of the firmware as well. The vulnerabilities have not been patched by Belkin, and the advisory from the CERT/CC says there are no practical workarounds for them.


Among the bugs in the router is a problem caused by the use of insufficiently random values to calculate transaction IDs. The issue could allow an attacker to guess the next TXID and spoof a response from a DNS server.

“DNS queries originating from the Belkin N600, such as those to resolve the names of firmware update and NTP servers, use predictable TXIDs that start at 0x0002 and increase incrementally. An attacker with the ability to spoof DNS responses can cause the router to contact incorrect or malicious hosts under the attacker’s control,” the CERT/CC advisory says.
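A network defender can verify the predictability the advisory describes from a capture of the router’s outbound queries alone, without touching the device. The script below is an added example written for this page (not CERT/CC or Belkin code): it builds a few constructed DNS query packets, pulls the 16-bit transaction ID out of each header, and scores how often consecutive IDs differ by exactly one, which is what a counter starting at 0x0002 produces and what a resolver drawing IDs from a CSPRNG almost never does.

```python
import random
import struct
from typing import Sequence

# DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035, network byte order)
DNS_HEADER = struct.Struct("!HHHHHH")


def build_query(txid: int, name: str = "ntp.example.net") -> bytes:
    """Build a minimal A-record query; used only to construct sample traffic."""
    header = DNS_HEADER.pack(txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def extract_txid(packet: bytes) -> int:
    """Transaction ID is the first two bytes of any DNS message."""
    if len(packet) < DNS_HEADER.size:
        raise ValueError("truncated DNS header")
    return DNS_HEADER.unpack_from(packet)[0]


def assess_txids(txids: Sequence[int]) -> dict:
    """Score a sequence of query TXIDs observed from one client.

    sequential_share is the fraction of consecutive pairs whose difference is
    +1 modulo 2**16. A counter yields 1.0; a uniformly random source yields
    about 1/65536. The 0.5 threshold is a constructed cut-off that tolerates a
    capture interleaving a few queries from other clients.
    """
    if len(txids) < 2:
        raise ValueError("need at least two queries to assess")
    increments = sum(1 for a, b in zip(txids, txids[1:]) if (b - a) % 0x10000 == 1)
    share = increments / (len(txids) - 1)
    return {
        "queries": len(txids),
        "distinct": len(set(txids)),
        "sequential_share": share,
        "predictable": share >= 0.5,
    }


def assess_packets(packets: Sequence[bytes]) -> dict:
    return assess_txids([extract_txid(p) for p in packets])


if __name__ == "__main__":
    # Constructed traffic mimicking the advisory: TXIDs start at 0x0002 and count up.
    counter_traffic = [build_query(0x0002 + i) for i in range(20)]
    # Constructed traffic from a resolver that randomises TXIDs properly.
    rng = random.SystemRandom()
    random_traffic = [build_query(rng.randrange(0x10000)) for _ in range(20)]
    print("counter :", assess_packets(counter_traffic))
    print("random  :", assess_packets(random_traffic))
```

The same `assess_txids` function can be fed IDs lifted from a real capture (for example the first two bytes of each UDP/53 payload sent by the router); a result near 1.0 is the condition under which an off-path spoofed response becomes feasible, which is why TXID randomisation, and ideally source-port randomisation on top of it, is the fix the advisory implies.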

Belkin also uses plaintext HTTP to send firmware update information to the N600 routers, a weakness that could enable an attacker in a man-in-the-middle position to block firmware updates or send arbitrary files to the routers. The routers also don’t have a password set for the web management interface by default, so an attacker on the network could get privileged access to the router’s interface.

There is also a global cross-site request forgery bug in the N600.

“Belkin N600 routers contain a global cross-site request forgery (CSRF) vulnerability. An attacker can perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request. Note that in default configurations lacking password protection, an attacker can establish an active session as part of an attack and does not require a victim to be logged in,” the advisory says.
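The advisory’s note that a missing password lets an attacker open the session themselves is the key to why CSRF defences and authentication have to be layered. The following is an added example, written for this page rather than taken from any router firmware, of how a management interface’s handler for a state-changing request should gate it: require an authenticated session, require that the Origin (or Referer) header names the management interface itself, and require a per-session anti-CSRF token compared in constant time. The management address and the request scenarios are constructed.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Mapping, Optional
from urllib.parse import urlsplit

# Hypothetical address of the router's management interface (constructed value).
MANAGEMENT_ORIGIN = "http://192.168.2.1"


@dataclass
class Session:
    """Server-side session; the token is minted once per login, not per page."""
    authenticated: bool
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class Rejected(Exception):
    pass


def authorize_state_change(session: Optional[Session],
                           headers: Mapping[str, str],
                           form: Mapping[str, str]) -> None:
    """Raise Rejected unless a state-changing request passes all three checks."""
    # 1. Require a login. With no password configured, an attacker can open a
    #    session themselves, so the checks below only help once this holds.
    if session is None or not session.authenticated:
        raise Rejected("no authenticated session")
    # 2. The request must originate from the management UI itself.
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = lowered.get("origin") or lowered.get("referer")
    if origin is None:
        raise Rejected("missing Origin/Referer")
    got, want = urlsplit(origin), urlsplit(MANAGEMENT_ORIGIN)
    if (got.scheme, got.netloc) != (want.scheme, want.netloc):
        raise Rejected("cross-site origin")
    # 3. Per-session anti-CSRF token, compared in constant time.
    token = form.get("csrf_token", "")
    if not token or not hmac.compare_digest(token, session.csrf_token):
        raise Rejected("missing or invalid CSRF token")


def decide(session, headers, form) -> str:
    """Map the outcome to a short string, as an access log would record it."""
    try:
        authorize_state_change(session, headers, form)
        return "allowed"
    except Rejected as why:
        return f"rejected: {why}"


def scenarios() -> dict:
    """Constructed requests to a DNS-settings endpoint, one per failure mode."""
    logged_in = Session(authenticated=True)
    good_form = {"dns_server": "192.168.2.1", "csrf_token": logged_in.csrf_token}
    return {
        "legitimate": decide(logged_in, {"Origin": MANAGEMENT_ORIGIN}, good_form),
        "no_login": decide(None, {"Origin": MANAGEMENT_ORIGIN}, good_form),
        "cross_site": decide(logged_in, {"Origin": "http://attacker.example"}, good_form),
        "no_token": decide(logged_in, {"Referer": MANAGEMENT_ORIGIN + "/settings"},
                           {"dns_server": "192.168.2.1"}),
        "stale_token": decide(logged_in, {"Origin": MANAGEMENT_ORIGIN},
                              {**good_form, "csrf_token": Session(True).csrf_token}),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:12} {outcome}")
```

The `stale_token` case is the one that distinguishes a real per-session token from a global or static one: a token minted for a different session is rejected even though it is well-formed. Origin checking alone is not enough on a device whose UI is reachable over plain HTTP, since the header can be absent in legacy clients, which is why the token check is not optional.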