Author Archives: securityresearch

What We Learned from APTs in the Current Year?

Early this year we witnessed major IT firms suffering from data breaches of one kind or another, and they have come out in the open about the breaches, as well. A couple of examples are Apple and Twitter. It’s going to be costly if the enterprises play according to the old book of rules—develop and deliver. The threat landscape has seen remarkable changes, especially with the cloud being the major form of technology sought after these days. Security threats have seen a marked evolution from botnets and spywares to advanced malwares and APTs. Firms such as Mozilla, Google, Facebook, and many others realized this simple fact and have started bounty programs to detect and prevent security breaches. Attacks have been engineered to steal trade secrets, insider information, authentication credentials, and other personal information of the targeted enterprises.

Gone are the days when an enterprise could be secured by a network-centric approach based on perimeter security. APTs have arrived and it’s all about data now! Hardly ever do we see any data-centric security approaches these days. In my previous two articles here, I have explained about APTs and how to crack their maze. Today, I am going to find out what we can learn from these APT-based attacks and what alternative approaches an enterprise needs to follow to combat them more effectively.

Read my full post at Infosec Institute.

Enterprise Security Management

An enterprise invests considerable amount of time in its day to day scanning and managing patched for the infrastructure. But, an enterprise psychological analysis shows us otherwise i.e. most of the enterprises shy away from scanning and patching their business critical infrastructure in a fear of interrupting their already established critical applications. Another side of the story shows that, the enterprise test, scan and manage patches up to the staging elevation but fail to re-asses the same when they go live on production environment. The major challenge here is to convince the stakeholders about the end user impact after running a thorough security scanning and management of patches. Metasploit which is a famous exploit development toolkit adds several exploits to its repository on a monthly basis there by hinting to us that the threat vectors are increasing day by day. In this article we shall understand how to balance the security management with business operations.

Read the full article published at Infosec Institute.

Webview mail app vulnerability

WebView is an essential component in Android and iOS. It enables applications to display content from on-line resources. It simplifies task of performing a network request, parsing the data and rendering it. WebView uses a number of APIs which can interact with the web contents inside WebView. In the current paper, Cross-site scripting attacks or XSS attacks specific to Android WebView are discussed. Cross-site scripting (XSS) is a type of vulnerability commonly found in web applications. This vulnerability makes it possible for attackers to run malicious code into victim’s WebView, through HttpClient APIs. Using this malicious code, the attackers can steal the victim’s credentials, such as cookies. The access control policies (i.e., the same origin policy) employed by the browser to protect those credentials can be bypassed by exploiting the XSS vulnerability.

Avast has published a detailed blog regarding the same. Follow this link to find out more details about this exploit.

IOS fingerprint scanner hacked!

Within few days of its launch, Apple iPhone 5S has faced the wrath of hackers from Germany. The chaos computer club were quoted saying: “Biometrics are not safe” who provided video showing how they could use a fake fingerprint to bypass phone’s security lock screen.

See this Youtube video which demonstrates the Hack.

http://www.youtube.com/watch?v=HM8b8d8kSNQ

“…. fingerprint biometrics is unsuitable as access control method and should be avoided” – Chaos Club’s blogpost author, “Starbug”.

“Relying on your fingerprints to secure a device may be okay for casual security – but you shouldn’t depend upon it if you have sensitive data you wish to protect,” security specialist Graham Cluley was quoted after the hack. The group does not claim to have extracted the fingerprint representation from the phone, instead it relies on capturing a high-quality fingerprint elsewhere, and having access to the phone.

Chaos Club disclosed their hack to the public stating that begins with a high-quality fingerprint lifted from a glass, doorknob or glossy surface. The print, which essentially consists of fat and sweat, is made visible using graphite powder or a component of superglue, and then photographed at high resolution to create a 2400 pixel-per-inch scan. That is then printed onto an overhead projector plastic slide using a laser print, forming a relief. That is then covered with wood glue, cut and attached to a real finger.

Courtesy: TheGuardian

Being a Pen-tester

In this post, we cover some brutal tips to become a successful pentester!

First, Get your basics right!

Are you already a great system administrator who understands the nuances of many operating systems, or a professional developer who has a deep background in one or more languages? – If yes, this is a huge advantage.

If your answer is no to the above question, then – Learn to program. C / C++ is wonderful to begin with. Else, php, python ruby whatever! Just learn to code. Know the data structures and algorithms a developer uses to break them. You must have a strong understanding of how applications work and how they interact with one another (e.g., the OS, services, other applications).

Get to know the basics of networks by setting up and running your own home network. That way, you’ll gain an understating of how network administrators view the world.

Get to know operating system nuances by building your own home servers so that you better understand how system administrators view things.

Read on Security engineering – concepts in the CISSP domains. This is why security is harder and more dynamic than other IT areas. You not only have to be able to learn and understand multiple domains (i.e., programming, networking, administration, architecture) and be able to adopt their perspectives, but you also have to figure out how to break them using knowledge often drawn from multiple domains.

Now there are so many options you could spend all of your time just reading the security books. But don’t make that mistake. Start with the fundamentals. Once you have the base knowledge, security topics become dramatically easier to comprehend.

Source: Dark Reading

 

 

 

 

HoneyPot – Dr. Daniel Singh

Dr. Daniel Singh has sent his presentation to us about HoneyPots. Dr Daniel Singh is a CISO at Technogeeks, A security researcher, evangelist, Certified Ethical Hacker and a ECSA himself. He has also presented papers at International conferences and in the Indian scene he has been an active participant at the DEFCON Bangalore (DC9180) meet.

The paper covers the following areas:

1) Introduction to Honey Pots

2) Evolution of Honey Pots

3) Benefits and Dis-advantages

4) Analysis of Honeypots

5) Legal aspects behind Honey pots

6) Detection of Honey Pots

7)  Anti Honeypot techniques

We hope you find this post useful and extend a sincere thanks to Dr Daniel Singh for contributing to this post. You can download the presentation here HoneyPot1

 

The Security Research Team

Echo Mirage – A generic Network Proxy!

Echo Mirage is a generic network proxy. It uses DLL injection and function hooking techniques to redirect network related function calls so that data transmitted and received by local applications can be observed and modified which can’t be performed by wireshark.

To see inside encrypted channels, we can use tools like echo mirage. This tool allows you to see and edit the data being set and received within an SSL session.  It also does a great job of looking at unencrypted traffic as well which can also be done using wireshark.

A thick client is vulnerable to the following issues:

  • Improper error Handling,
  • SQL injection
  • Parameter tampering
  • DOS
  • Broken Access Control
  • Session Management

We have two options in echomirage:

  • Launch application from echomirage (ctrl+E)

21

  • Injecting into a running process.(ctrl+I)

22

Select the process for which you want to monitor the traffic. The below screenshot is the intercepted traffic of the application

23

In this application, sql queries were intercepted and we can try to modify the queries in order to check and perform SQL injection. In the below image, we are trying to find the version of the database being used by the application.

24

The query to get the version of database was executed and the result has been shown in the below image also we were able to update the whole database.  This is just a basic over look about this tool and we can perform a lot more things while performing a security review over a thick client.

25

The Security Research Team

 

Exploit Research and Development – Ajin Abraham

This post deals about Exploit Research and development. The content for this post is designed by Ajin Abraham.

Ajin Abraham is the founder of Xenotix XSS framework. He is an active OWASP member and an active security enthusiast in the Indian security scene. He has presented various papers at Blackhat, DEFCON Bangalore Meet (DCG 9180) and other OWASP chapters.

We share the Slideshare links for the posts below.

1. Buffer OverFlow for Beginners

2. Unicode Based Exploit Development

3. Elemenating

4. Exploit writers swiss knife

5. Egg hunter – win32

We thank Ajin for sharing this information with our readers.

Exploit writing for beginners – Sabari Selvan

The following post explains about basics of exploit writing for beginners by Sabari Selvan of E-hacking news.

Sabari Selvan is an Information Security Researcher who has more interest in PenTesting and Malware analysis. – See more at: http://www.ehackingnews.com
The post explains the following:
a) What is exploit writing
b) Impact of exploits
c) Introduction to stacks
d) Stack overflow attacks
Download the ppt here.