Security Posts


.rar Files and ACE Exploit CVE-2018-20250
Categories: Security Posts

What is Port Scanning?

BreakingPoint Labs Blog - 1 hour 5 mins ago
Port scanning is one of the oldest mechanisms used in network security scanning, service…
Categories: Security Posts

Mirai is still alive and using multiple old exploits on home routers

BreakingPoint Labs Blog - 1 hour 5 mins ago
Ixia’s Application Threat Intelligence (ATI) security researchers continue to hunt for the latest…
Categories: Security Posts

Key Findings of the Ixia Security Report

BreakingPoint Labs Blog - 1 hour 5 mins ago
Ixia just released its third annual security study—the Ixia 2019 Security Report. This report…
Categories: Security Posts

Network Flow Monitoring: The ABCs of Network Visibility

BreakingPoint Labs Blog - 1 hour 5 mins ago
This is another in a series of blogs on the important concepts of network management. Today's topic…
Categories: Security Posts

PayPal, Netflix, Gmail, and Uber users among targets in new wave of DNS hijacking attacks

BreakingPoint Labs Blog - 1 hour 5 mins ago
Since March 29, 2019, Ixia’s Application and Threat Intelligence (ATI) center has been tracking the…
Categories: Security Posts

Survey finds concerns related to cloud monitoring

BreakingPoint Labs Blog - 1 hour 5 mins ago
This week Ixia, a Keysight business, released the results of a survey we conducted in December 2018…
Categories: Security Posts

Software Defined Networks (SDN): The ABCs of Network Visibility

BreakingPoint Labs Blog - 1 hour 5 mins ago
If you have been involved in networking over the last several years, then you have heard the term…
Categories: Security Posts

The Malware Cloaking Device and How to Beat It

BreakingPoint Labs Blog - 1 hour 5 mins ago
Shortly before his sudden but inevitable demise, Ensign Redshirt reported that he detected no…
Categories: Security Posts

Monitoring performance where the action is: on the network edge

BreakingPoint Labs Blog - 1 hour 5 mins ago
Intelligence is spreading out in organizations--moving closer to the customer, closer to customer-…
Categories: Security Posts

Lightwave Innovation Reviews Honors Ixia AresONE 400GE Test Platform

BreakingPoint Labs Blog - 1 hour 5 mins ago
At Ixia, we were delighted to see one of our most exciting new products, AresONE, be recognized by…
Categories: Security Posts

Mueller Makes It Clear: Trump Was Worse Than a 'Useful Idiot'

Wired: Security - 3 hours 37 mins ago
The Mueller report exposes the extent to which not just Russia but Donald Trump's own associates grifted the president.
Categories: Security Posts

.rar Files and ACE Exploit CVE-2018-20250, (Mon, Apr 22nd)

Reader Carlos submitted an email with an attached RAR file. In the past, when you received a RAR file as an attachment in an unexpected email, it often contained a single malicious Windows executable. For the infection to occur, one would have to open the attachment and double-click the executable. Nowadays, a RAR file can also be an ACE exploit, like the popular CVE-2018-20250. Infection typically occurs by opening the attachment and then restarting the computer or performing a logoff/logon cycle.

With oledump.py and plugin plugin_msg.py, one can inspect .msg files:

There's an attachment with extension .rar:

And it is indeed a RAR file containing an executable.

If it were an ACE file masquerading as a RAR file (.rar extension instead of .ace), one would see the following: the binary data does not start with "Rar!"; instead, one will see "**ACE**" a few bytes into the binary data.

The example above is a normal ACE file. ACE files with a path traversal exploit will have an abnormal path stored in the ACE file.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
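An added triage helper illustrating the two checks the diary describes (does the attachment really start with "Rar!", or is "**ACE**" sitting a few bytes in, and does an ACE entry carry an abnormal path); this is example code, not Didier's tools. The ACE header layout it walks is assumed from public format descriptions, and the embedded archives are constructed samples, not real malware:

```python
import struct

RAR_MAGIC = b"Rar!"      # RAR4 and RAR5 archives both start with this
ACE_SIGN = b"**ACE**"    # ACE main header carries this signature at offset 7
ACE_ADDSIZE = 0x0001     # header flag: extra 4-byte field after HEAD_FLAGS (assumed layout)

def container_type(data: bytes) -> str:
    """Classify by magic bytes, ignoring the extension the attachment carries."""
    if data[:4] == RAR_MAGIC:
        return "rar"
    if data[7:14] == ACE_SIGN:
        return "ace"
    return "unknown"
def ace_filenames(data: bytes):
    """Walk ACE headers and yield the path stored in each file entry. Layout assumed
    from public format descriptions, not from the ISC post: HEAD_CRC(2) HEAD_SIZE(2),
    then HEAD_SIZE bytes of HEAD_TYPE(1) HEAD_FLAGS(2) [ADDSIZE(4)] and, for a file
    header (type 1), PACK_SIZE(4) ORIG_SIZE(4) FTIME(4) ATTR(4) CRC32(4) TECH(4)
    RESERVED1(2) FNAME_SIZE(2) FNAME, followed by PACK_SIZE bytes of packed data."""
    pos = 0
    while pos + 4 <= len(data):
        _crc, size = struct.unpack_from("<HH", data, pos)   # CRC is not verified here
        body = data[pos + 4:pos + 4 + size]
        if len(body) != size or size < 3:
            break                                            # truncated archive
        htype, flags = struct.unpack_from("<BH", body, 0)
        off = 3 + (4 if flags & ACE_ADDSIZE else 0)          # skip optional ADDSIZE
        packsize = 0
        if htype == 1 and size >= off + 28:
            packsize = struct.unpack_from("<I", body, off)[0]
            name_len = struct.unpack_from("<H", body, off + 26)[0]
            yield body[off + 28:off + 28 + name_len].decode("latin-1", "replace")
        pos += 4 + size + packsize

def suspicious_path(name: str) -> bool:
    """Archivers store relative names; traversal, absolute or drive-rooted paths are abnormal."""
    norm = name.replace("\\", "/")
    return ".." in norm.split("/") or norm.startswith("/") or (len(norm) > 1 and norm[1] == ":")

def scan_attachment(data: bytes) -> dict:
    """Triage verdict for one attachment: container type, stored names, abnormal names."""
    kind = container_type(data)
    names = list(ace_filenames(data)) if kind == "ace" else []
    return {"type": kind, "names": names, "suspicious": [n for n in names if suspicious_path(n)]}
# Constructed samples (not real malware), built with the same assumed layout: a minimal
# ACE archive with one normal and one traversal entry, and the first bytes of a RAR4 file.
def _ace_header(htype: int, fields: bytes, payload: bytes = b"") -> bytes:
    body = struct.pack("<BH", htype, 0) + fields             # CRC field left as 0
    return struct.pack("<HH", 0, len(body)) + body + payload
def _ace_file(name: bytes, payload: bytes) -> bytes:
    fixed = struct.pack("<IIIII", len(payload), len(payload), 0, 0x20, 0) + bytes(6)
    return _ace_header(1, fixed + struct.pack("<H", len(name)) + name, payload)
SAMPLE_ACE = (_ace_header(0, ACE_SIGN + bytes(17))
              + _ace_file(b"invoice.pdf", b"x" * 5)
              + _ace_file(b"..\\..\\dropped.exe", b"y" * 3))
SAMPLE_RAR = b"Rar!\x1a\x07\x00" + bytes(16)
```

Run `scan_attachment()` on the raw bytes oledump.py extracts from the .msg attachment; a "rar" extension on an "ace" container, or any name in `suspicious`, is reason to quarantine before anyone opens it.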
Categories: Security Posts

Flashpoint Intel Official Web Site Serving Malware - An Analysis

It appears that Flashpoint's official Web site is currently embedded with a malware-serving malicious script, potentially exposing its visitors to a multitude of malicious software. Original malicious URL hosting location: hxxp://www.flashpoint-intel.com/404javascript.js hxxp://www.flashpoint-intel.com/404testpage4525d2fdc Related malicious URL redirection chain: hxxp://
Categories: Security Posts

Hacking Fitness via Garmin Connect [Part 1 of 2] #Garmin #Fitness

Un informático en el lado del mal - 14 hours 37 mins ago
Garmin Connect is a platform for athletes who use Garmin devices to monitor in real time, thanks to GPS, variables that matter in sport such as speed, metres of elevation gain, position on a map, heart rate, route history and even the creation of small communities, where users define segments and use gamification to compete within the segment and see who sets the best time.

Figure 1: Hacking Fitness via Garmin Connect [Part 1 of 2]
To share the information with other users, it is enough to install the app on the smartphone and pair it with the Garmin device over Bluetooth, create a free account on the Garmin Connect platform and link the email account used to create the account on the web portal to the app on the smartphone. A platform that, before it stores each user's personal data, invites a little "Hacking with Search Engines" to find out how robust it is.

Figure 2: Hacking with Search Engines. Google, Bing, Shodan & Robtex
As we have seen before on platforms such as Endomondo (Rob me, I'm this healthy and I'm doing sport) or Runtastic (Another social network of athletes who publish their location and their state of health), if the users have not taken the proper precautions, if the platform has not taken sufficient measures to avoid info-leaks and if the web service has not configured its information options correctly, the privacy of users could be affected, and that is what we are going to look at today.

Figure 4: ElevenPaths project on info-leaks on athletes' websites
In the past, the US military had to ban the use of devices and services such as Strava, because the data its soldiers uploaded could reveal the location of secret bases, as we saw in the article "¿Los datos de Strava delatan a los militares de USA?"

Analysis of the robots.txt file on Garmin Connect

We checked the platform for the robots.txt file, which is used to keep search engines from indexing certain web content. We observed that it does not exist, so the probability that search engines have indexed web information from the site, such as, for example, data from user accounts related to their physical activity, is high.

Figure 5: The robots.txt file does not exist on the Garmin Connect service website
We have seen in the past that having a robots.txt file is no total guarantee, and that it could even become an information leak in itself, but properly configured it helps avoid info-leak problems. And on the Garmin Connect website it does not exist.

Figure 6: Robots.txt on Garmin Connect not found
As a curiosity, when requesting the “robots.txt” resource from the main domain name, we observe that it does exist, although only “after a fashion”, because it has not been configured following good practice. No

Figure 7: robots.txt file for the main domain name
Furthermore, it is not possible to obtain interesting information from the relative resource paths stored in the “robots.txt” file. However, it must be remembered that the website could use X-Robots-Tag "NoIndex" HTTP headers or META NoIndex HTML tags on web pages to prevent indexing, so the acid test is to check how many Garmin Connect user profile URLs have ended up indexed in the search engines.

Searching for URLs of users' sporting activities

Once inside the platform, in the user's activities area, the URL shows a possible pattern common to all the registered activities of the platform's users: “modern/activity

Figure 8: URL with the information of a bike route by Amador Aparicio (@amadapa)
Doing, as we said at the beginning, a bit of “Hacking with Search Engines”, we see that Google has almost 100,000 results indexed relating to the activity of the platform's users, which is outrageous. And from Garmin Connect's business point of view it is strange, since it is handing over the data of all its users to Google.

Figure 9: Results indexed in Google for Garmin Connect users
With a simple query, it is determined that it is possible to access the information of the platform's users' activities without needing an account on it, probably because the account does not have the appropriate privacy settings or because the users want to share this information with the rest of the Internet's users.

Figure 10: Information on a user's sporting activity together with the Garmin device used.
In addition, for each public activity, it is possible to learn which Garmin device recorded and uploaded the sporting data for each activity, together with the software version it had at that time. Once again, a device info-leak just like Google's password recovery system, which lets a company of the Cambridge Analytica type build a better database of the people to target in Fake News campaigns.
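An added audit helper for the three indexing controls the article checks on Garmin Connect (a missing robots.txt, the X-Robots-Tag header and the META robots tag), written for this page and not part of the original post. The robots.txt body, headers and HTML below are constructed samples, not captured from Garmin Connect, and the robots.txt parser is deliberately simplified (no wildcards):

```python
import re
from urllib.parse import urlparse

# Constructed sample responses (not captured from Garmin Connect) for the three controls
# the article names: robots.txt, the X-Robots-Tag header and the META robots tag.
SAMPLE_ROBOTS_TXT = "User-agent: *\nDisallow: /modern/activity/\n"
SAMPLE_HEADERS = {"Content-Type": "text/html"}
SAMPLE_HTML = '<html><head><meta name="robots" content="index, follow"></head></html>'

def robots_disallows(robots_txt: str, path: str, agent: str = "*") -> bool:
    """True when the longest matching Allow/Disallow prefix for `agent` blocks `path`.
    Simplified on purpose: no wildcards, and a "*" group is treated as applying to
    every agent, which is enough to audit whether an activity URL is crawlable."""
    rules, active = [], False
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "user-agent":
            active = value in (agent, "*")
        elif active and key in ("allow", "disallow") and value:
            rules.append((len(value), key, value))
    matches = [(n, k) for n, k, prefix in rules if path.startswith(prefix)]
    return bool(matches) and max(matches)[1] == "disallow"

def header_noindex(headers: dict) -> bool:
    """X-Robots-Tag: noindex works for any response type, including non-HTML."""
    tag = next((v for k, v in headers.items() if k.lower() == "x-robots-tag"), "")
    return "noindex" in tag.lower()

def meta_noindex(html: str) -> bool:
    """<meta name="robots" content="noindex ..."> in the page (name-before-content form only)."""
    m = re.search(r'<meta\s+name=["\']robots["\']\s+content=["\']([^"\']*)["\']', html, re.I)
    return bool(m) and "noindex" in m.group(1).lower()

def indexable(url: str, robots_txt, headers: dict, html: str) -> dict:
    """Audit one URL: search engines keep it out of results only if some control blocks it.
    robots_txt=None models the 404 the article found on the Garmin Connect host."""
    path = urlparse(url).path
    blocked_by = []
    if robots_txt is not None and robots_disallows(robots_txt, path):
        blocked_by.append("robots.txt")
    if header_noindex(headers):
        blocked_by.append("x-robots-tag")
    if meta_noindex(html):
        blocked_by.append("meta-robots")
    return {"path": path, "indexable": not blocked_by, "blocked_by": blocked_by}
```

Feed it the real robots.txt (or None on a 404), the response headers and the HTML of one activity page; an `indexable: True` verdict on a page that should be private is exactly the info-leak the search-engine results confirm.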

Author: Amador Aparicio de la Fuente (@amadapa), author of the book "Hacking Web Technologies"

******************************************************************************************************
- Hacking Fitness via Garmin Connect [Part 1 of 2]
- Hacking Fitness via Garmin Connect [Part 2 of 2]
******************************************************************************************************
Categories: Security Posts

ISC Stormcast For Monday, April 22nd 2019 https://isc.sans.edu/podcastdetail.html?id=6464, (Mon, Apr 22nd)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security Posts

Announcing the community-oriented osquery fork, osql

For months, Facebook has been heavily refactoring the entire osquery codebase, migrating osquery away from standard development tools like CMake and integrating it with Facebook’s internal tooling. Their intention was to improve code quality, implement additional tests, and move the project to a more modular architecture. In practice, the changes sacrificed support for a number of architectures, operating systems, and a variety of useful developer tools that integrate well only with the standard build system preferred by the open-source C++ community. Worse still, the project’s new inward focus has greatly delayed the review of community contributions — effectively stalling development of features or fixes for the needs of the community — without a clear end in sight. Lacking a roadmap or predictable release cycle, user confidence in the project has fallen. Enterprises are postponing their planned osquery deployments and searching for alternative solutions.

Many of the most secure organizations in the world have already invested in making osquery the absolute best endpoint management solution for their needs. Being forced to look elsewhere would be a waste of their investment, and leave them relying on less effective alternatives. That is why we are announcing the community-oriented osquery fork: osql.

What are the goals of osql?

With osql, we are committed to restoring the community’s confidence in the osquery project, to making the development process more open and predictable, and to reviewing and accepting community contributions more quickly. Our goal is to restore direct community participation.

An open and transparent development process

In the immediate term, osql will be maintained as a “soft-fork.” We will closely track Facebook’s upstream updates without diverging from the codebase. Plenty of completed work is simply waiting upstream, in Pull Requests. We prepared a workflow through which the osql project can accept Pull Requests that the community deems stable enough to be shipped, but which have been ignored by the upstream maintainers. The community can pick and choose its priorities from those contributions, and incorporate them into the next release of osql.

The osql organization on GitHub will be a hub for community projects

Continuous Integration, Continuous Delivery

We’ve also integrated a much-needed public CI using Azure Pipelines, which will build and run tests at each commit. Find the results here. The CI will help us build, test, and release faster and more frequently. We are committing to release a new osql binary (package installer) on a regular monthly cadence. We will communicate the changes that users can expect in the next release. They will know when to expect it, and that the version they download has passed all tests.

Determine if the latest code is building for all platforms, at a glance

Restoring standard tool support for developers

We rewrote the build system from scratch to return it to CMake, the C++ community’s de-facto standard for building projects. This effort was non-trivial, but we believe it was central to preserving the project’s compatibility with open-source toolchains. The libraries and tools that represent the foundation of modern C++ development, such as Boost or the LLVM/Clang compiler toolchain, all support CMake natively. The most-used third party libraries use CMake as well, making it quite easy to include them in a CMake-based project. Developers benefit from built-in CMake support in their IDEs. Visual Studio, VS Code, CLion and QtCreator can all easily open a project from its CMakeLists file, enabling a precise view of the project’s structure and the outputs of its build process. They’ll also regain the convenience of CMake-supporting static analyzer frameworks, like Clang’s scan-build, which helps discover critical bugs across an entire project.

By re-centering everything around a CMake build process, we made osql a more developer-friendly project than upstream osquery. If you would like to see for yourself and begin contributing to osql, check out the build guide.

Work conveniently in the Visual Studio Code IDE, with CMake integration

What’s next for osql

Our work is just beginning! We plan to continue improving the automation of osql releases. Initially, osql releases will be unsigned binaries/packages. The next priority for the project is to implement a secure code-signing step into the CI procedure, so that every release is a binary signed by the “osql” organization. The osquery project’s build process used to allow you to choose whether to download or to build third-party dependencies, thanks to easily modifiable Homebrew formulas. Not only that, you could also choose from where these dependencies were downloaded. That is no longer true for osquery currently, but we will restore that ability in osql (a task made easier thanks to CMake). We also plan to extend the public CI for osql to enable it to test PRs opened against upstream osquery. This will help the community review those PRs, and provide a kind of quality assurance for their inclusion in a future release of osql. In the longer term, thanks to CMake’s support for building on various platforms, it will be possible for osql to be built for whatever new systems that the community demands.

Want More? Let’s Talk

When we originally ported osquery to Windows, we didn’t imagine it would become so big, or that it would outgrow what Facebook alone could maintain. A whole community of organizations now deploy and depend on osquery. That’s why we’ve launched osql, the community-oriented osquery fork. If you are part of this community and are interested in porting to other platforms, need special features from the project, or want some customization done to the core, join our osquery/osql support group or contact us!
Categories: Security Posts

Hack of the day #2: Command-Line Interface helpers

Hex blog - Thu, 2019/04/11 - 13:04
The problem

The “command-line input” (CLI), situated at the bottom of IDA’s window, is a very powerful tool to quickly execute commands in the language that is currently selected. Typically, that language will be Python, and one can use helpers such as idc.here() to retrieve the address of the cursor location. However, when some debuggers …
Categories: Security Posts

Pattern Welding Explained as Wearable Art

Niels Provos - Tue, 2018/08/28 - 06:37

Pattern-welding was used throughout the Viking age to imbue swords with intricate patterns that were associated with mystical qualities. This visualization shows the pattern progression in a twisted rod with increasing removal of material. It took me two years of intermittent work to get to this image. I liked this image so much that I ordered it for myself as a t-shirt and am looking forward to people asking me what the image is all about. If you want to get a t-shirt yourself, you can order this design via RedBubble. If you end up ordering a t-shirt, let me know if it ends up getting you into any interesting conversations!

Categories: Security Posts
