U.S. Central Command @CentCom Twitter and YouTube Take Down by CyberCaliphate

The United States Central Command (USCENTCOM) is a theater-level Unified Combatant Command of the U.S. Department of Defense, established in 1983. It was originally conceived of as the Rapid Deployment Joint Task Force (RDJTF). Its area of responsibility includes countries in the Middle East, North Africa, and Central Asia, most notably Afghanistan and Iraq.

The agency’s public Twitter and YouTube accounts were taken over by the CyberCaliphate, acting in support of the Islamic State of Iraq and al-Sham (ISIS) and in the name of Allah.


It is possible that USCENTCOM used the same password for both online services.

@USCENTCOM has been reset to factory defaults.

Posted in Security Blog | Tagged , , , , , , , , | Comments Off on U.S. Central Command @CentCom Twitter and YouTube Take Down by CyberCaliphate

Blackhat Behind the Scenes Movie Trailer

Back in September, I wrote about Thor being a black hat hacker.
Here is the behind the scenes extended trailer. The trailer seems pretty good with some research on the back end.
I hope the actual movie is good!


Stuart Varney, Fox Host, Gets Demo-Hacked By John McAfee

This was in the news yesterday. It is proof that social engineering is the master key that unlocks many locks, and proof that keeping your lock secured requires security awareness and training, with the end goal of behavior modification.

From a remote location, John McAfee hacked into Stu’s phone via its voicemail, accessed the contacts and then faked a call from one of those contacts. When Varney’s phone rang, it appeared to be an incoming call from Fox News headquarters.

John McAfee founded the McAfee software company, but resigned from it in 1994. It’s now a subsidiary of Intel.

Want a website that will help you spoof a phone call (make your number show up as someone else’s)? Try this (CarmeloWalsh.com is not affiliated, charges may apply).


The Raven

An adaptation of Edgar Allan Poe’s famous poem, The Raven.

Once upon a midnight dreary, while I pondered weak and weary,
Over many a quaint and curious volume of forgotten security lore.
While I nodded, nearly napping, suddenly there came a tapping,
As of some one gently rapping, rapping at my computer door.
‘’Tis some visitor,’ I muttered, ‘tapping at my computer door –
Only this, and nothing more.’

Password secrets, password length, password change, password strength,
Passwords borrowed, passwords posted, passwords sharing, and passwords broken.
But the fact is I was napping, and so gently you came rapping,
And so faintly you came tapping, tapping at my computer door,
That I scarce was sure I heard you – here I opened wide the door; –
Darkness there, and nothing more.

Keystroke loggers and network sniffers, are the tools of password grifters,
But what other tricks of guile will gently rap at my computer door?
Social engineering, phishing scams, chain email and email spam,
Fill me with fantastic terrors never felt before.
My frightened heart fast beating, I stood in horror repeating,
‘Let this end – please nothing more.’

Back into the chamber turning, all my soul within me burning,
Soon again I heard a tapping somewhat louder than before.
Laptop thieves and dumpster divers, wireless connections, and war drivers,
‘How many threats must I explore?’

Let my heart be still a moment and from these threats be turning
My mind is reeling, but wait – there’s more.
Deep into that darkness peering, long I stood there wondering, fearing,
Doubting, dreaming dreams no user ever dared to dream before.
Viruses, worms, malicious code and Trojans, of any one I could be chosen,
And then what cost would be the compromise?
What if I am not protected and this treachery goes undetected,
I must ensure this happens nevermore.

Much I marvelled these ungainly, security threats to hear so plainly,
I must go beyond detected and make certain I’m protected,
From that someone rapping, tapping at my computer door.
Hesitating then no longer, my resolve now grown stronger,
‘Security be that word, our sign of parting, fiend!’
‘Get thee back into the tempest – be gone forever more!’

And the raven, never flitting, still is waiting, still is sitting,
And his eyes have all the seeming of a demon’s that is dreaming,
Of an opportunity to enter my computer door.
But I’m no longer napping, and so when gently he comes tapping,
He will find no further welcoming to explore,
And he shall come nevermore.


OpenSSL: 8 Bugs Fixed

First off, I’d like to explain what OpenSSL is!

OpenSSL is the name of a project started in 1998 to encrypt websites and user information across the Web. The “SSL” in “OpenSSL” stands for Secure Sockets Layer (also known as Transport Layer Security, or TLS). OpenSSL is an open project, meaning any programmer can contribute to it, and it was designed to prevent hackers from retrieving personal data submitted by users to a website (such as a banking, shopping, or digital content site). Eric Young is responsible for the eventual establishment of OpenSSL, since he started what ultimately became the SSL software back in the 1990s. OpenSSL is an important undertaking: without it, the personal information we submit to every website we hold dear could find its way into the hands of criminals. What started as a project committed to data encryption has become standard on two-thirds of all websites on the Internet.

According to this advisory from OpenSSL, there are eight security fixes, addressing some very technical issues:

  1. A carefully crafted DTLS message can cause a segmentation fault in OpenSSL due to a NULL pointer dereference. This could lead to a Denial of Service attack.
  2. A memory leak can occur in the dtls1_buffer_record function under certain conditions. In particular this could occur if an attacker sent repeated DTLS records with the same sequence number but for the next epoch. The memory leak could be exploited by an attacker in a Denial of Service attack through memory exhaustion.
  3. When OpenSSL is built with the no-ssl3 option and an SSL v3 ClientHello is received, the SSL method would be set to NULL, which could later result in a NULL pointer dereference.
  4. An OpenSSL client will accept a handshake using an ephemeral ECDH ciphersuite using an ECDSA certificate if the server key exchange message is omitted. This effectively removes forward secrecy from the ciphersuite.
  5. An OpenSSL client will accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. A server could present a weak temporary key and downgrade the security of the session.
  6. An OpenSSL server will accept a DH certificate for client authentication without the certificate verify message. This effectively allows a client to authenticate without the use of a private key. This only affects servers which trust a client certificate authority which issues certificates containing DH keys: these are extremely rare and hardly ever encountered.
  7. OpenSSL accepts several non-DER-variations (DER = Distinguished Encoding Rules) of certificate signature algorithm and signature encodings. OpenSSL also does not enforce a match between the signature algorithm between the signed and unsigned portions of the certificate. By modifying the contents of the signature algorithm or the encoding of the signature, it is possible to change the certificate’s fingerprint. This does not allow an attacker to forge certificates, and does not affect certificate verification or OpenSSL servers/clients in any other way. It also does not affect common revocation mechanisms. Only custom applications that rely on the uniqueness of the fingerprint (e.g. certificate blacklists) may be affected.
  8. Bignum squaring (BN_sqr) may produce incorrect results on some platforms, including x86_64. This bug occurs at random with a very low probability, and is not known to be exploitable in any way, though its exact impact is difficult to determine.
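Item 7 is easy to misread, so here is an added example (not from the advisory or the OpenSSL code base) that shows why a fingerprint can change while the signed part of a certificate does not, and the check the fix enforces: a tiny DER walker compares the OID in tbsCertificate.signature (signed) with the OID in Certificate.signatureAlgorithm (unsigned). The three sample certificates are constructed and contain only the fields the check reads; the placeholder signature bits are not valid.

```python
import hashlib

def tlv(tag, body):
    """Encode one short-form DER element (body shorter than 128 bytes)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def der_tlv(buf, pos=0):
    """Decode the DER element at buf[pos]; return (tag, value, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split the body of a SEQUENCE into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def check_cert(cert):
    """Fingerprint a DER Certificate and check that tbsCertificate.signature
    (signed) and Certificate.signatureAlgorithm (unsigned) carry the same OID."""
    _, body, _ = der_tlv(cert)
    _, tbs, tbs_end = der_tlv(body)                  # tbsCertificate (signed part)
    _, outer_alg, _ = der_tlv(body, tbs_end)         # signatureAlgorithm (not signed)
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    tbs_oid = der_children(fields[1][1])[0][1]       # serialNumber, then signature
    outer_oid = der_children(outer_alg)[0][1]
    return {"fingerprint": hashlib.sha1(cert).hexdigest(),   # what "fingerprint" hashes
            "signed_part": body[:tbs_end],
            "algorithms_match": tbs_oid == outer_oid}

# Constructed sample certificates: only the fields the check reads are present.
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")    # 1.2.840.113549.1.1.11
SHA1_RSA = bytes.fromhex("2a864886f70d010105")      # 1.2.840.113549.1.1.5
TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
          + tlv(0x30, tlv(0x06, SHA256_RSA)))
SIG = tlv(0x03, b"\x00" + b"\x00" * 8)               # placeholder BIT STRING

def build_cert(outer_alg_body):
    return tlv(0x30, TBS + tlv(0x30, outer_alg_body) + SIG)

CERT_A = build_cert(tlv(0x06, SHA256_RSA))                    # OID, no parameters
CERT_B = build_cert(tlv(0x06, SHA256_RSA) + tlv(0x05, b""))   # same OID, explicit NULL
CERT_C = build_cert(tlv(0x06, SHA1_RSA))                      # OID differs from signed part
```

CERT_A and CERT_B have identical signed parts but different SHA-1 fingerprints, which is exactly why a blacklist keyed on the fingerprint can be dodged; CERT_C is what the fixed OpenSSL now rejects.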

On June 30th at 23:59:59, Some Internet Might Crash

Earth’s rotation has fallen one second behind atomic time. The rotation is slowing because of earthquakes, tidal drag, and the weather, losing approximately two thousandths of a second every day. To keep atomic clock time in sync with Earth’s rotational time, the world’s atomic clocks and true Earth time must be reconciled every so often.

The last leap second was added back in 2012; more than a few sites had trouble with the change and were unavailable.

The time of the world is, for practical purposes, governed by the International Earth Rotation and Reference Systems Service (IERS).
The latest leap second announcement can be found here. When June 30th rolls around, expect to see some outages.
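One concrete way software trips over the event: the inserted second is written 23:59:60 UTC, a value most timestamp parsers (Python’s datetime.strptime included) reject outright. The parser below is an added example, not code from the original post; folding 23:59:60 into the following midnight is this example’s own convention, chosen because the datetime module, like a POSIX time_t, has no second 60.

```python
from datetime import datetime, timedelta, timezone

def parse_utc(ts):
    """Parse 'YYYY-MM-DDTHH:MM:SSZ', accepting a leap second (SS == 60).
    Returns (aware datetime, is_leap). A leap second is only inserted as the
    last second of a UTC month, so 23:59:60 on any other day is rejected."""
    date, clock = ts.rstrip("Z").split("T")
    hh, mm, ss = (int(x) for x in clock.split(":"))
    day = datetime.strptime(date, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    if ss == 60:
        last_day_of_month = (day + timedelta(days=1)).day == 1
        if (hh, mm) != (23, 59) or not last_day_of_month:
            raise ValueError(f"invalid leap second in {ts}")
        return day + timedelta(days=1), True      # fold :60 into next midnight
    return day.replace(hour=hh, minute=mm, second=ss), False

def is_valid_utc(ts):
    """Convenience wrapper: True if parse_utc accepts the timestamp."""
    try:
        parse_utc(ts)
        return True
    except ValueError:
        return False
```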


SaveMe App is Actually SocialPath Malware for Android Phones

The Save Me app claims to be able to save a user’s contacts and other data, including photos and videos, in the event that a mobile device is lost or stolen. It actually contains a variant of the information-stealing malware SocialPath, which uploads all your phone data to an attacker-owned command and control server.

When the victim registers, the malware displays an icon on the phone’s launcher. Once the registration process is finished, the malware deletes its own icon to hide on the phone. Oddly, it also has the ability to call any number designated by the C&C (command and control server) and automatically hang up the call according to a timer. It is unclear what the authors use this functionality for, but similar tactics are used as a revenue source: malware authors call premium numbers to collect the associated fees. The malware then deletes the call records to hide its activities.

The command and control server has other purposes too, such as exfiltrating all the data on your phone (contacts, pictures, GPS locations, videos, messages, everything…).

More information can be read here.

You should only download apps from trusted developers; read reviews, research the developers, make sure you’re choosing a trustworthy product, especially if this tool is promising to help you protect sensitive information. Also, don’t download apps from third party marketplaces.
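“Research the developer” can be made concrete by looking at what an app asks for. The triage below is an added example (not part of the original post): it reads an AndroidManifest.xml that has already been decoded to text and flags the combination of capabilities described above, a “backup” app that can place calls, erase the call log and talk to the network. The permission names are real Android permissions; the grouping, the sample manifest and the package name are this example’s own construction.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability groups matching the behaviour described above (the permission
# names are real; the grouping is this example's own).
CAPABILITIES = {
    "exfiltrate contacts/media": {"android.permission.READ_CONTACTS",
                                  "android.permission.READ_EXTERNAL_STORAGE"},
    "track location": {"android.permission.ACCESS_FINE_LOCATION"},
    "place calls": {"android.permission.CALL_PHONE"},
    "erase call records": {"android.permission.WRITE_CALL_LOG"},
    "talk to C&C": {"android.permission.INTERNET"},
}

def manifest_permissions(manifest_xml):
    """Return the set of permission names requested in a text AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def triage(manifest_xml):
    """List the capability groups the manifest grants and flag the SocialPath-like
    combination: a backup app that can dial, rewrite the call log and reach the net."""
    perms = manifest_permissions(manifest_xml)
    hits = [name for name, needed in CAPABILITIES.items() if needed & perms]
    suspicious = {"place calls", "erase call records", "talk to C&C"} <= set(hits)
    return {"capabilities": hits, "suspicious": suspicious}

# Constructed sample manifest (package name is a placeholder).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.saveme.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_CALL_LOG"/>
</manifest>"""
```

Real APKs ship the manifest as binary XML, so decode it first (apktool does this) before feeding it to the triage.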


CyberBerkut

The head of the German government’s press and information agency said in a news conference that government websites, including Chancellor Angela Merkel’s page, had been attacked.
The pro-Russian hacktivist organization CyberBerkut has claimed the cyber attack and stated so on their website. They say they are doing so to raise awareness and to stop financial and political support of the criminal regime in Kiev. There is a lot more information on their website.


Is 2015 Going to be Similar to 2014 in Breaches?


On January 2nd, Chick-fil-A released a statement in regards to the security breach they found out about on December 19th, 2014.

One unnamed financial institution said it received an alert that contained “nearly 9,000 customer cards” for a breach that potentially lasted from Dec. 2, 2013 to Sept. 30, 2014. There is speculation that this is point-of-sale malware, but time will tell once the investigations are completed.


Bitcoin exchange Bitstamp has temporarily suspended services. Bitstamp, which runs the world’s third largest bitcoin exchange, announced on Tuesday that $5.4 million worth of the cryptocurrency had been lost to a security breach.

“We would like to reassure all Bitstamp customers that their balances held prior to our temporary suspension of services will not be affected and will be honored in full,” the company said in a statement on its web site.


Morgan Stanley fired an employee (Galen Marsh) who stole the account names, numbers and transaction data of 350,000 clients; the insider’s plan was allegedly to sell the customers’ data.

The breach was discovered and reported to authorities on Dec. 27, after Morgan Stanley found sensitive data for over 900 clients on Pastebin. The bank claims it has found no evidence that the breach resulted in losses to customers. More here.


An Intro To Recon-ng Pushpin

Recon-ng is a full-featured Web Reconnaissance framework written in Python. Complete with independent modules, database interaction, built in convenience functions, interactive help, and command completion, Recon-ng provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly.

Reconnaissance means obtaining information, by visual observation or other detection methods, about the activities and resources of an enemy or potential enemy, or about the meteorological, hydrographic, or geographic characteristics of a particular area.

Using Recon-ng with the pushpin convenience module allows you to pull data from popular services such as Flickr, Twitter and YouTube, correlate that data with geolocation coordinates, and pull up a map pinpointing the terrain around the target. It’s scary stuff if you are the target of opportunity!

When you take a picture or tweet, your smartphone automatically embeds coordinates into the picture or tweet.

Google Photos creates storyboards with geolocations and timestamps. It’s a lot of fun (see my article on my Google GPS footprint), but that same data can betray you. It will map where you sleep for eight hours night after night, letting anyone with access know where you live. It will map where you spend your time from 8am to 5pm and call that place work. A bad guy will then know when to rob your house, how to make your life a living hell, and where and when to be to avoid you. It is a horrible tool in the hands of a stalker or corporate spy.

Location services can be a good thing, like finding a nearby restaurant with good reviews (using Yelp) or proving where you are. They can also be a bad thing: collectively, they can expose a company’s physical weaknesses through a crowdsourced collection of written information, pictures, and videos. They even give the bad guys extra information when they want to socially engineer a target.
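The coordinates pushpin feeds on live in the photo’s Exif metadata (an APP1 segment in the JPEG). As an added example, not code from the post or from the Recon-ng project, here is a stdlib-only check for a GPS IFD pointer and a stripper that drops the Exif segment before a photo is shared; the sample JPEG is constructed inline and is not a real image.

```python
import struct

def _segments(data):
    """Yield (offset, marker, length) for JPEG segments up to and including SOS."""
    pos = 2                                        # skip SOI (FF D8)
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        yield pos, marker, length
        if marker == 0xFFDA:                       # SOS: entropy-coded data follows
            return
        pos += 2 + length

def has_gps(data):
    """True if an Exif APP1 segment's IFD0 carries a GPS Info IFD pointer (tag 0x8825)."""
    for pos, marker, length in _segments(data):
        if marker != 0xFFE1 or data[pos + 4:pos + 10] != b"Exif\x00\x00":
            continue
        tiff = data[pos + 10:pos + 2 + length]
        end = ">" if tiff[:2] == b"MM" else "<"   # TIFF byte order
        ifd = struct.unpack(end + "I", tiff[4:8])[0]
        count = struct.unpack(end + "H", tiff[ifd:ifd + 2])[0]
        for i in range(count):                     # each IFD entry is 12 bytes
            tag = struct.unpack(end + "H", tiff[ifd + 2 + 12 * i:ifd + 4 + 12 * i])[0]
            if tag == 0x8825:
                return True
    return False

def strip_exif(data):
    """Return the JPEG with every Exif APP1 segment removed; image data is untouched."""
    assert data[:2] == b"\xff\xd8", "not a JPEG"
    out = bytearray(data[:2])
    for pos, marker, length in _segments(data):
        if marker == 0xFFDA:
            out += data[pos:]                      # copy SOS and everything after it
            break
        if not (marker == 0xFFE1 and data[pos + 4:pos + 10] == b"Exif\x00\x00"):
            out += data[pos:pos + 2 + length]
    return bytes(out)

# Constructed sample: SOI, an Exif APP1 whose IFD0 holds only a GPS IFD pointer
# (the pointed-to GPS IFD itself is not populated), a minimal SOS header,
# two bytes of scan data and EOI.
_TIFF = (b"MM\x00\x2a\x00\x00\x00\x08"             # big-endian TIFF header, IFD0 at 8
         + b"\x00\x01"                             # one IFD0 entry
         + b"\x88\x25\x00\x04\x00\x00\x00\x01\x00\x00\x00\x1a"  # GPSInfo, LONG, offset 26
         + b"\x00\x00\x00\x00")                    # no next IFD
_APP1 = b"\xff\xe1" + struct.pack(">H", 2 + 6 + len(_TIFF)) + b"Exif\x00\x00" + _TIFF
SAMPLE_JPEG = (b"\xff\xd8" + _APP1 + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
               + b"\x12\x34" + b"\xff\xd9")
```

Most sharing sites strip Exif on upload, but the copy you e-mail or post to a forum keeps it, so check before sending.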

Recon-ng is available here.
Here is how to disable location services for iOS.
Here is how to disable location services for Android.
