Month: November 2015

Walmart spied on workers’ Tweets, blogs before protests

Defence contractor Lockheed Martin provided intelligence services before Black Friday.

Walmart has recruited aerospace, defence and security concern Lockheed Martin to comb open source intelligence in the lead up to Black Friday union protests, Bloomberg reports.

The super-colossal retailer has a difficult history with unions and engaged the defence contractor to keep tabs on its employees in the run up to the national fire sale.

Organisers at workers’ rights advocate OUR Walmart were encouraging staff to join its movement to protest against what it claims are poor wage conditions at the retailer that force some workers to rely on supplementary government assistance for basic clothing, food, and housing.

The allegations are found in more than 1000 pages of emails, reports, and testimony produced in discovery ahead of a National Labor Relations Board meeting between the OUR Walmart effort and the retail giant, and handed to Bloomberg Businessweek.

Lockheed Martin sells the LM Wisdom open source intelligence service but it is not known if Walmart uses the product.

Monitoring activity through Walmart’s so-called Black Friday Delta Team produced intelligence about OUR Walmart union activity including planned disruption at various Walmart stores.

This included a map of how protestors on five buses would be travelling from their locations to Walmart stores.

“With some assistance from LM [Lockheed Martin] we have created the attached map to track the caravan movements and approximate participants,” emails show a risk program senior manager telling colleagues.

When the team created in the lead up to the recent sales blitz learnt of potential involvement of members of the Occupy sit-in movement, the retailer contacted the FBI.

The monitoring allowed the company to stay ahead of some planned protests, foiling some disruption efforts and ensuring management would report news of union efforts.



Style sheet vulnerability allowed attacker to hijack LinkedIn pages

LinkedIn has invited a security researcher to join its private bug bounty programme after he identified a novel exploit involving the site’s cascading style sheets (CSS).

Ruben van Vreeland, CEO of BitSensor, discovered that he could use CSS to bypass LinkedIn’s security systems which filter attributes and event handlers that could be used to launch cross-site scripting attacks.

By referencing existing CSS already hosted on LinkedIn, he was able to create a proof of concept that published a page and hijacked its links to redirect users to an external site.

LinkedIn published an example to prove the case, based on a user creating a new blog entry.

A JSON request can be used to create a new HTML page with an image tag and a URL:

{"content": "<p><a href=\"\">LinkedIn</a><img src=\"linkedin.png\"/></p>"}

There are a number of style classes that could be added to this, including .li_style:

.li_style {
position: absolute;
width: 100%;
z-index: 10021;
position: fixed;
top: 0;
left: 0;
width: 100%;
height: 100%;
padding: 0;
overflow-y: scroll;
_overflow-y: hidden
}

This style is commonly used to force an element to stretch the entire width and height of a page, and it can be included in the JSON request:

{"content": "<p><a class=\"li_style\" href=\"\">Example Site</a><img src=\"image.png\"/></p>"}

Used in this way, li_style makes the entire page clickable and will redirect to the URL of the attacker’s choice.

Writing on the LinkedIn security blog, information security engineer Jovon Itwaru wrote: “This technique can be used to send members to sites hosting malware or counterfeit sites that attempt to phish members by requesting their usernames and passwords. This is especially successful on social sites that share blogs or articles.”
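The gap the write-up describes is that a filter for dangerous attributes and event handlers lets a harmless-looking class="li_style" through, while the site's own stylesheet turns that class into a full-page clickable overlay. The Python below is an added example, not code from LinkedIn's post: it allowlists which of the site's CSS classes user content may reference (the ALLOWED_CLASSES set is an assumption for the example), and it inspects a CSS rule to decide whether it behaves like a viewport overlay, which is the check a defender would run before adding a site class to that allowlist. The sample payload and rule are those quoted on the page.

```python
from html import escape
from html.parser import HTMLParser

# Site CSS classes that user-generated content may reference.
# This allowlist is an assumption for the example, not LinkedIn's list.
ALLOWED_CLASSES = {"caption", "pull-quote"}


class ClassAllowlistFilter(HTMLParser):
    """Rebuilds HTML, keeping only class tokens that are on the allowlist.

    Tags, other attributes and text pass through unchanged, so this sits
    beside (not instead of) the usual attribute/event-handler filter.
    """

    def __init__(self, allowed):
        super().__init__(convert_charrefs=False)
        self.allowed = allowed
        self.out = []
        self.dropped = []  # class tokens removed, for logging/alerting

    def _render_attrs(self, attrs):
        parts = []
        for name, value in attrs:
            if name.lower() == "class":
                tokens = (value or "").split()
                kept = [t for t in tokens if t in self.allowed]
                self.dropped.extend(t for t in tokens if t not in self.allowed)
                if not kept:
                    continue  # drop the class attribute entirely
                value = " ".join(kept)
            if value is None:
                parts.append(f" {name}")
            else:
                parts.append(f' {name}="{escape(value, quote=True)}"')
        return "".join(parts)

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._render_attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._render_attrs(attrs)}/>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def filter_classes(html, allowed=ALLOWED_CLASSES):
    """Return (filtered_html, dropped_class_tokens)."""
    p = ClassAllowlistFilter(allowed)
    p.feed(html)
    p.close()
    return "".join(p.out), p.dropped


OVERLAY_POSITIONS = {"fixed", "absolute"}


def parse_declarations(css_rule):
    """Map property -> value for one `selector { ... }` rule; a later
    declaration of the same property wins, as in the browser's cascade."""
    body = css_rule[css_rule.index("{") + 1 : css_rule.rindex("}")]
    decls = {}
    for item in body.split(";"):
        if ":" not in item:
            continue
        prop, value = item.split(":", 1)
        decls[prop.strip().lower()] = value.strip().lower()
    return decls


def is_overlay_rule(css_rule):
    """True when a rule takes an element out of flow and stretches it over
    the whole viewport, which is what made li_style dangerous on a link."""
    d = parse_declarations(css_rule)
    return (
        d.get("position") in OVERLAY_POSITIONS
        and d.get("width") == "100%"
        and d.get("height") == "100%"
    )


# Constructed inputs: the payload from the LinkedIn write-up and the
# li_style rule as quoted on the page.
SAMPLE_CONTENT = '<p><a class="li_style" href="">Example Site</a><img src="image.png"/></p>'
SAMPLE_RULE = """.li_style {
position: absolute; width: 100%; z-index: 10021; position: fixed;
top: 0; left: 0; width: 100%; height: 100%; padding: 0;
overflow-y: scroll; _overflow-y: hidden
}"""

if __name__ == "__main__":
    cleaned, dropped = filter_classes(SAMPLE_CONTENT)
    print(cleaned)  # the link survives, the class attribute does not
    print("dropped:", dropped)
    print("li_style is an overlay rule:", is_overlay_rule(SAMPLE_RULE))
```

Note that the first `position: absolute` in the quoted rule is overridden by the later `position: fixed`, so the parser keeps the last declaration, exactly as the browser does; a check that stopped at the first match would still flag it, but would misjudge rules that override a dangerous value with a safe one.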


FBI seeks hacker after 1.2 billion logins are stolen

The FBI has linked a hacker to the theft of 1.2 billion internet credentials – the largest heist of its kind.

A hacker known as “mr.grey” is named in court documents filed by the bureau last year, according to the Reuters news agency.

The hacker was linked to the stolen logins via a Russian email address.

Previously, “mr.grey” had advertised the credentials to Facebook and Twitter accounts for sale online.

It was the American cyber security firm Hold Security that initially reported the theft of the credentials and an additional 500 million email addresses last year.

The Russian crime ring responsible for stealing the data – dubbed CyberVor – had breached more than 420,000 websites, according to Hold Security.

The hacker had advertised Facebook and Twitter logins for sale

In August, the firm said, “To the best of our knowledge, they mostly focused on stealing credentials, eventually ending up with the largest cache of stolen personal information, totalling over 1.2 billion unique sets of e-mails and passwords.”

Hold Security then began marketing a “breach notification service” to users concerned that their details had been affected, for $120 (£71) per month.

Botnet breach

Whatever the identity of the perpetrator behind the CyberVor breach, the method used was something of a departure from how botnets – large networks of computers linked together maliciously – are usually used, according to Dave Palmer, director of technology at security firm Darktrace.

“What’s interesting about this is botnets are usually used to harness their massive scale to attack an individual target – like taking computer games consoles down last Christmas for example,” he told the BBC.

“It’s instead been used as a massive scanner scanning websites all around the world for weaknesses.”

Mr Palmer added that the vulnerabilities which allowed computers to be drafted into such botnets as well as the flaws in websites which meant login details could be hacked were preventable.

“We’re still getting caught out by these attacks,” he said.


Hacking and exploiting Active Directory Permissions

PowerView is a PowerShell tool for gaining situational awareness of the network on Windows domains, aimed at security services and ethical hacking training professionals. It implements a number of practical meta-functions, including user-hunting functions that discover where on the network specific users are logged in, and it can find which machines in the domain the user has local administrator access to. It also includes a number of functions for enumerating and abusing domain trusts. Descriptions of each function, its intended usage and its available options are easy to find in the tool.

It also includes a set of PowerShell replacements for various Windows “net *” commands, which use PowerShell AD hooks and underlying Win32 API functions to carry out useful Windows domain functionality. To run it on a machine, start PowerShell with “powershell -exec bypass” and then load the PowerView module with: PS> Import-Module .\powerview.psm1, or load the PowerView script on its own: PS> Import-Module .\powerview.ps1

For detailed output of the underlying functionality, pass the -Debug flag to the functions. For functions that enumerate several machines, pass the -Verbose flag to obtain a progress status as each host is enumerated. Most of the “meta” functions accept an array of hosts.

How to use PowerView to exploit Active Directory

AdminSDHolder is a special Active Directory object located at “CN=AdminSDHolder,CN=System,DC=domain,DC=com”. The stated purpose of this object is to protect certain privileged accounts from accidental modification. Every hour, a special process called SDProp recursively enumerates the membership of a specific set of protected groups, checks the access control lists of all accounts found, and clones the ACL of the AdminSDHolder object onto any protected object whose ACL differs. If we modify the permissions on AdminSDHolder, that permission template is pushed out to all protected accounts automatically by SDProp. So we can add an unprivileged user, even one with no group membership, to the ACL of AdminSDHolder and have a backdoor mechanism that lets us modify the membership of groups such as Domain Admins.

Any account or group that is or was a member of a protected group has its AdminCount attribute set to 1, even if the object is no longer in that protected group. With PowerView, we can easily enumerate all users and groups with AdminCount=1 using Get-NetUser -AdminCount and Get-NetGroup -AdminCount, respectively. This lets us quickly find all high-value accounts, even those that are no longer members of a protected group. Invoke-UserHunter also accepts the -AdminCount flag, making it easy to hunt for all high-value users in the domain.

Active Directory access rights are a relatively unexplored area from an offensive security perspective. Network admins should start auditing and monitoring the access rights of all privileged domain objects, particularly the domain root and AdminSDHolder. You can do this manually, through PowerView’s Get-ObjectACL, or with the help of security services and ethical hacking training professionals.

World’s most complex cash register malware plunders millions in US

‘ModPos’ kernel monster threatens haul during festive shopping blitz.

The world’s most complex sales till malware has been discovered … after it ripped millions of bank cards from US retailers on the eve of post-Thanksgiving shopping frenzies.

The ModPOS malware has pilfered “multiple millions” of debit and credit cards from the unnamed but large retail companies, incurring millions of dollars in damages.

The attackers have operated in a low-key, ultra-professional manner since late 2013 and have only come to light after weeks of painstaking reverse-engineering by malware experts.

They have kept mum, too. Cybercrime forums are entirely devoid of references to the malware.

“This is POS [point-of-sale] malware on steroids,” iSight Partners senior director Steve Ward says. “We have been examining POS malware forever, for at least the last eight years and we have never seen the level of sophistication in terms of development …[engineers say] it is the most sophisticated framework they have ever put their hands on.”

World's most complex PoS malware plundering millions from US stores

Ward says his team took three weeks to debride one of ModPOS’ three kernel modules. By contrast it took the same experts 30 minutes to reverse engineer the Cherry Picker POS malware revealed last week.

The “incredibly talented” authors have done an “amazing job” and have such an understanding of security that the work has impressed the white hat engineers.

“It is hard not to be impressed,” Ward says.

He says the criminals have spent a “tonne” of time and money on each packed kernel-driver module, which, behaving like a rootkit, is as difficult to detect as it is to reverse.

That approach to the module build is novel.

The anti-forensics componentry is highly-sophisticated, meaning most businesses that the advanced Eastern European attackers have popped will not know the cause of the attack.

It is clearly a tool designed for large-scale revenue generation and return on investment.

Ward and his colleagues have briefed more than 80 major retailers across the US, all of which are on high alert for infection.

He says the attack group will need to change parts of its codebase to re-gain some of its now lost obfuscation, but adds that some changes will be much harder to implement than others.

Network communication, including command-and-control traffic and data exfiltration, is protected with 128-bit and 256-bit encryption, the latter requiring a new private key for each customer.

This makes it much more difficult to know what data is being stolen, unlike other sales register malware that slurps details in cleartext.

“We will see disclosures and compromises in the future that point back to this framework.


Hacking and exploiting Active Directory permissions

PowerView is a PowerShell tool for obtaining situational information about the network on Windows domains, aimed at ethical hacking professionals and information security audit services. It contains a set of PowerShell replacements for various Windows “net *” commands, which use PowerShell AD hooks and Win32 API functions to carry out useful Windows domain functionality, as information security services experts explain.

According to ethical hacking professionals and information security audit researchers, PowerView implements several useful meta-functions, including user-hunting functions that identify where on the network specific users are logged in. It can also check which machines in the domain it has local administrator access to. There are also several functions for enumerating and abusing domain trusts. Descriptions of the functions, their appropriate usage and the available options can be viewed in the tool.

To run it on a machine, start PowerShell with “powershell -exec bypass” and then load the PowerView module with: PS> Import-Module .\powerview.psm1, or load the PowerView script on its own: PS> Import-Module .\powerview.ps1

For detailed output of the functionality, pass the -Debug flag to most of the functions. For functions that enumerate several machines, pass the -Verbose flag to obtain a progress status as each host is enumerated. Most of the “meta” functions accept an array of hosts, according to an ethical hacking and information security audit instructor.

How to use PowerView to exploit Active Directory

AdminSDHolder is a special Active Directory object located at “CN=AdminSDHolder,CN=System,DC=domain,DC=com”. The purpose of this object is to protect certain privileged accounts from accidental modification. Every 60 minutes, a special process called SDProp recursively enumerates the membership of a set of protected groups, checks the access control lists of all accounts found, and clones the ACL of the AdminSDHolder object onto any protected object with a different ACL, according to an ethical hacking instructor.

Any account or group that is (or was) part of a protected group has its AdminCount attribute set to 1, even if the object is moved out of that protected group. With PowerView, you can easily enumerate all users and groups with AdminCount=1 using Get-NetUser -AdminCount and Get-NetGroup -AdminCount, respectively. This lets you quickly find all high-value accounts, even if they have been moved out of a protected group. Invoke-UserHunter also accepts an -AdminCount flag, letting you easily hunt for all high-value users in the domain.

If you modify the AdminSDHolder permissions, that permission template will be pushed out to all protected accounts automatically by SDProp, as an information security services expert explains. So you can add an unprivileged user (even one without any group membership) to the AdminSDHolder ACL and have a backdoor mechanism that allows modifying the membership of groups such as domain and network administrators.

Active Directory access rights are a relatively unexplored area from an offensive perspective. Defenders should start auditing and monitoring the rights on specific privileged domain objects, especially the domain root and AdminSDHolder. This can be done manually, through PowerView’s Get-ObjectACL, or with help from information security services experts.
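Both this post and the English version above close with the same defensive advice: audit the AdminSDHolder ACL and keep track of AdminCount=1 accounts. The Python below is an added example and is not PowerView's own code; it runs the two checks over an ACL export and a directory snapshot instead of querying the domain directly, so it can be run offline against a dump collected by any tool. The CSV columns assume the export was taken with Get-ObjectACL piped to Export-Csv and trimmed to four fields, and the EXPECTED_WRITERS baseline, the domain name EXAMPLE, the planted jdoe entry and the user records are all constructed for the example.

```python
import csv
import io

# Principals expected to hold write-class rights on AdminSDHolder. This
# baseline is an assumption for the example (domain "EXAMPLE"); build yours
# from a known-good domain and keep it under change control.
EXPECTED_WRITERS = {
    "NT AUTHORITY\\SYSTEM",
    "EXAMPLE\\Domain Admins",
    "EXAMPLE\\Enterprise Admins",
    "BUILTIN\\Administrators",
}

# Rights that let a trustee change the object, its DACL or its owner. Any
# ACE granting them on AdminSDHolder is copied by SDProp to every protected
# account, which is exactly the backdoor the post describes.
WRITE_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "WriteProperty"}

# Groups whose members SDProp protects (subset of the default set, used here
# as an assumption for the example).
PROTECTED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
    "Account Operators", "Server Operators", "Backup Operators", "Print Operators",
}

# Constructed ACL export in the assumed shape of
# `Get-ObjectACL ... | Export-Csv`, trimmed to four columns.
# The jdoe row is the planted backdoor the audit should surface.
SAMPLE_ACL_CSV = """IdentityReference,ActiveDirectoryRights,AccessControlType,IsInherited
NT AUTHORITY\\SYSTEM,GenericAll,Allow,False
"EXAMPLE\\Domain Admins","CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner",Allow,False
"EXAMPLE\\Enterprise Admins",GenericAll,Allow,False
"NT AUTHORITY\\Authenticated Users",GenericRead,Allow,False
"EXAMPLE\\jdoe","ReadProperty, WriteProperty",Allow,False
"""

# Constructed directory snapshot: sAMAccountName, adminCount and the
# group memberships of each account (assumed already resolved recursively).
SAMPLE_USERS = [
    {"sam": "alice", "adminCount": 1, "memberOf": ["Domain Admins"]},
    {"sam": "bob", "adminCount": 1, "memberOf": ["Helpdesk"]},  # left Account Operators
    {"sam": "carol", "adminCount": 0, "memberOf": ["Helpdesk"]},
    {"sam": "dave", "adminCount": 1, "memberOf": []},
]


def find_unexpected_writers(acl_csv, expected=EXPECTED_WRITERS):
    """Return {trustee: sorted write rights} for every Allow ACE that grants a
    write-class right to a trustee outside the expected baseline."""
    findings = {}
    for row in csv.DictReader(io.StringIO(acl_csv)):
        if row["AccessControlType"] != "Allow":
            continue
        # ActiveDirectoryRights is a flags enum rendered as "A, B, C".
        rights = {r.strip() for r in row["ActiveDirectoryRights"].split(",")}
        granted = rights & WRITE_RIGHTS
        if granted and row["IdentityReference"] not in expected:
            findings.setdefault(row["IdentityReference"], set()).update(granted)
    return {trustee: sorted(r) for trustee, r in findings.items()}


def find_stale_admincount(users, protected=PROTECTED_GROUPS):
    """Accounts still flagged adminCount=1 that are no longer in any protected
    group. SDProp never clears the flag and leaves inheritance disabled on
    their ACLs, so they stay high-value until reviewed and reset."""
    return sorted(
        u["sam"]
        for u in users
        if u.get("adminCount") == 1 and not protected.intersection(u.get("memberOf", []))
    )


if __name__ == "__main__":
    for trustee, rights in find_unexpected_writers(SAMPLE_ACL_CSV).items():
        print(f"UNEXPECTED WRITER on AdminSDHolder: {trustee} -> {', '.join(rights)}")
    for sam in find_stale_admincount(SAMPLE_USERS):
        print(f"STALE adminCount=1: {sam}")
```

The baseline comparison is deliberately by trustee rather than by right, because the legitimate administrative groups already hold WriteDacl and WriteOwner here; the signal is a new principal appearing with any write-class right, not the presence of those rights as such. The same function can be pointed at an export of the domain root's ACL, which the post names as the other object worth watching.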

New docs: NSA spied on American citizens’ email traffic from overseas

Files show agency just moved surveillance offshore.

Newly revealed documents (not from Snowden this time) show that the NSA has continued to collect Americans’ email traffic en masse using overseas offices to get around curbs introduced domestically.

Shortly after the September 11 attacks, President Bush authorized the NSA to collect bulk metadata on emails sent by Americans (although not the content) to help The War Against Terror (TWAT). The surveillance was authorized by the US Foreign Intelligence Surveillance Court, which mostly rubberstamped such requests.

But the collection was stopped in 2011, the NSA said, although it still monitored emails from Americans to people outside the nation’s borders. However, a Freedom of Information Act lawsuit started by The New York Times against the NSA’s Inspector General has uncovered documents showing that the NSA carried on collecting domestic data.


To get around the restrictions on operating in the USA, the NSA simply started using its overseas offices to do the collection. Stations like RAF Menwith Hill in Yorkshire were tasked with collecting the metadata and feeding it back to the NSA headquarters in Maryland.

There’s no evidence that the content of emails was being examined by NSA analysts. Instead the metadata was used to try to divine linkages between individuals the agency was looking to monitor. But that metadata is very useful.

“We have known for some time that traffic analysis is more powerful than content analysis,” said Dan Geer, chief information security officer of the CIA’s venture capital firm In-Q-Tel.

“If I know everything about you, about who you communicate with, when, where, with what frequency, what length, and at what location, I know you. The soothing mendacity of proxies from the president that claim that it is only metadata, is to rely on the profound ignorance of the listener.”