Indian BlackHat Group Defaces Pakistani Government Websites

January 22, 2012

The cyber war between India and Pakistan continues to escalate: only a few days ago the Indian blackhat group Indishell defaced 30 Pakistani government websites, including pak.gov.pk, paknavy.gov.pk and sindh.gov.pk. The attack was retaliation for the defacement of the official website of the Bharatiya Janata Party (BJP) of Karnataka by a Pakistani blackhat group. We fear that this war is going to continue to escalate in the near future.

Prior to this attack, Indishell had already attacked other high-profile Pakistani sites. Indishell believes that the government of Pakistan is involved with various Pakistani attackers, instructing them to hack Indian sites. The Pakistani government also received a notice from Indishell, left as a message on one of the recently hacked websites.

The rivalry between Indian and Pakistani hackers has been going on for years now. This only goes to show that the governments of both Pakistan and India fail to understand the importance of securing official websites, along with other websites, against attackers; as a result, serious security vulnerabilities exist that make it extremely simple for attackers to exploit these sites.

How did the situation get so bad? In all honesty, it is the fault of the hosting provider and the application developers of the websites that were attacked. First of all, the hosting infrastructure should have been properly secured and segregated. Applications and servers should have been audited for security and hardened according to a standard. Blackhats tend to target the web application first and exploit it to gain access to the server hosting the website, so it is a jackpot for an attacker if he gets access to a server that hosts multiple sensitive websites. Following is a list of Pakistani government websites that were hosted on the single server (50.23.225.39-static.reverse.softlayer.com) that was attacked:

census.gov.pk
cii.gov.pk
cmpunjab.gov.pk
cmsindh.gov.pk
commerce.gov.pk
desto.gov.pk
dgip.gov.pk
eadtraining.gov.pk
fab.gov.pk
fgehf.gov.pk
fia.gov.pk
fsa.gov.pk
ictadministration.gov.pk
infopak.gov.pk
jobs.gov.pk
joinpaf.gov.pk
lmis.gov.pk
met.gov.pk
mfa.gov.pk
moe.gov.pk
mofa.gov.pk
mopw.gov.pk
na.gov.pk
nab.gov.pk
navtec.gov.pk
nespak.com.pk
nhmp.gov.pk
nidu.gov.pk
nip.gov.pk
nr3c.gov.pk
nrb.gov.pk
ntb.gov.pk
ntc.net.pk
paec.gov.pk
paf.gov.pk
pak.gov.pk
paknavy.gov.pk
parc.gov.pk
pasc.gov.pk
pbm.gov.pk
pc.gov.pk
pcp.gov.pk
pcsir.gov.pk
pha.gov.pk
pifra.gov.pk
pmad.gov.pk
pof.gov.pk
ppqp.gov.pk
privatisation.gov.pk
psf.gov.pk
pta.gov.pk
savings.gov.pk
senate.gov.pk
shydo.gov.pk
sindh.gov.pk
sindhpolice.gov.pk
supremecourt.gov.pk
topians.edu.pk
www.cmpunjab.gov.pk
www.commerce.gov.pk
www.dgip.gov.pk
www.eadtraining.gov.pk
www.fab.gov.pk
www.fgehf.gov.pk
www.fia.gov.pk
www.infopak.gov.pk
www.jobs.gov.pk
www.joinpaf.gov.pk
www.met.gov.pk
www.mfa.gov.pk
www.moe.gov.pk
www.mofa.gov.pk
www.na.gov.pk
www.nab.gov.pk
www.navtec.gov.pk
www.nespak.com.pk
www.nhmp.gov.pk
www.nip.gov.pk
www.nr3c.gov.pk
www.nrb.gov.pk
www.ntc.net.pk
www.paec.gov.pk
www.paf.gov.pk
www.pak.gov.pk
www.paknavy.gov.pk
www.parc.gov.pk
www.pbm.gov.pk
www.pc.gov.pk
www.pcsir.gov.pk
www.pha.gov.pk
www.pifra.gov.pk
www.pof.gov.pk
www.ppqp.gov.pk
www.psf.gov.pk
www.pta.gov.pk
www.savings.gov.pk
www.senate.gov.pk
www.sindh.gov.pk
www.sindhpolice.gov.pk

It is very saddening that so many high-profile government websites are hosted at a third-party hosting provider, and possibly even on the same server, a poor practice for websites that hold information of an extremely sensitive nature. This is the same server that hosts the websites of the National Telecommunication Corporation (NTC) – www.ntc.net.pk – the official IT&T service provider for the Government of Pakistan, and of the abandoned National Response Centre for Cyber Crimes (NR3C) – www.nr3c.gov.pk. We wonder whether these organizations actually noticed this defacement and decided to take security seriously. It is never advisable to put all your eggs in one basket. Moreover, even when multiple websites are hosted on the same box, the server should be configured so that an attacker who manages to exploit one application still cannot access the server itself or the other websites.

| Category : Threats

The Anonymous Blackhat Group

January 6, 2012

‘Anonymous’ is a well-known international blackhat group that has been active since 2003. Anonymous's beginnings make its identity difficult to understand, even though the concept of anonymity has always existed. They consider themselves to be simply ideas without an origin.

The most recent attack by Anonymous was on COX's DNS servers: all of the DNS servers collapsed, leaving Colorado, Texas, New Mexico and Louisiana without internet access. The main reason for this attack was COX's latest message to consumers about a “data usage quota”, stating that consumers would not be able to access the internet if they exceeded their limit.

During the past couple of years, Anonymous has managed to take down some of the highest-profile websites on the internet through distributed denial-of-service (DDoS) attacks. They consider themselves the “internet hate machine” or “hackers on steroids”. Anonymous includes a number of members who work together to attack a country's internet coverage, as in the case of the Toronto attack. When such a large-scale attack takes place, people from within the country join the Anonymous group to help carry out the attack, usually because they share similar motives. These blackhat activities usually take place against a stance the group disagrees with. According to some members of the group, membership of Anonymous can be gained easily, under conditions as minimal as concealing one's identity while carrying out the activities.

Anonymous mostly uses the Low Orbit Ion Cannon (LOIC), an open source network stress testing and denial of service application, to carry out its DDoS attacks. Potential members of Anonymous allow their computers to be connected to a botnet by downloading the LOIC. AnonOps (a communication channel within the group) then directs the botnet against the target while coordinating the attacks on ITC, which is what allows an individual to become a member of the Anonymous blackhat group.

A DDoS attack acts in a similar manner to a huge surge in the number of individuals visiting a site. The main aim is to delay access in order to prove a point; it does no direct damage to the site. It is similar to a protest where hundreds of people gather at a certain place, which slows down traffic in that area and brings even more attention to the protestors' motives. In this case, however, instead of protests and people it's the internet and computers.

In the past few years, Anonymous has attacked the New York Stock Exchange, the Westboro Baptist Church, the Recording Industry Association of America and government sites in Malaysia, Egypt, Tunisia and Zimbabwe. Only recently, Anonymous planned to take down Mexico's most feared drug dealer, the Zetas, after posting a video on YouTube stating that the Zetas had kidnapped a member of theirs and that if he was not freed they would publicize the people linked to the Zetas, including taxi drivers, local police officers and journalists. However, this issue was resolved soon after in favor of Anonymous.

Anonymous has received a lot of international media attention due to their ongoing attacks on high-profile websites. KTTV Fox 11 aired a story on them after they attacked a Myspace user who said his account had been hacked several times by Anonymous. Additionally, the English version of Al Jazeera publishes regular articles on the activities of Anonymous.

Regardless of the controversy over whether Anonymous is doing the right thing, a number of people continue to support their actions because they share similar motives. Members of the Anonymous group are caught by the police every now and then, yet Anonymous remains a strong hacking group with similar morals, motives and thoughts, and it continues working in the same direction.

| Category : Threats

The Mystery of Duqu

December 15, 2011

Duqu is a sophisticated malware that was discovered on September 1st, 2011. Some experts claim that Duqu could only have been created by the creators of Stuxnet, because nobody else could have the source code needed to create such sophisticated malware that is identical to Stuxnet yet serves an entirely different purpose. The three major similarities that have come to attention between Stuxnet and Duqu are: firstly, the components are signed using stolen certificates; secondly, like Stuxnet, Duqu uses a zero-day vulnerability to attack Windows systems; and lastly, the way Duqu is targeted requires advanced intelligence to operate it, again similar to Stuxnet.

As highlighted a few weeks ago by Symantec, researchers have discovered how Duqu infects the targeted computers. The malware hides in a Word file (.doc) sent to the victims by email. Once the file is opened, it exploits a zero-day vulnerability in the Windows kernel to execute code and infects the system through service.exe. The infected computers can then be remotely controlled by the attackers, who can spread the malware across the network and retrieve data in the process. Symantec issued a diagram summarizing how the intrusion proceeds.

With this new discovery, security researchers are now confident that Duqu is designed to target specific high-profile critical infrastructure via Word documents crafted to look legitimate. Symantec has identified six infected organizations in 8 countries: Iran, Sudan, Vietnam, India, France, the Netherlands, Switzerland and Ukraine. Other experts have additionally identified infections in Austria, Hungary, Indonesia and the United Kingdom.

If Duqu starts attacking Pakistani networks, Pakistan would face a huge threat, quite apart from the ongoing cyber war between Pakistan and India. Duqu is a far more powerful malware which, if targeted at Pakistani networks, could collect intelligence data and assets from high-profile entities for the purpose of conducting a future attack against additional third parties without much effort.

It remains to be seen whether future changes made by Microsoft will be sufficient to stem the problem. At present, the source of Duqu has not been identified. Many measures can be taken to prevent such a situation from reaching a system. It is important to keep a backup of all existing data but, even more importantly, since Duqu is a powerful malware, the best way to prevent potential attacks from it is to protect and secure critical infrastructure networks against such threats. Microsoft has finally patched the flaw exploited by Duqu.

Moreover, a recent discovery shows that the Duqu operators have shut down all operations and cleaned up all of their command infrastructure, leaving security experts almost no evidence for further research. According to Kaspersky Lab, Duqu has been active since 2007 and was only discovered in October 2011, which proves that several systems might have been infected with Duqu for years and are possibly still undetected.

A further discovery was that the Duqu operators undertook a global clean-up on October 20th, wiping all traces of their activities since 2009 and thus leaving almost no trace of their existence throughout these years. This goes to prove that the aim of the attackers behind Duqu was to keep it secret, and as soon as word got out it was withdrawn. Even now the command and control (C&C) servers behind Duqu remain undiscovered, which only goes to show the capability and power of the attackers behind this malware.

Experts were able to establish that the servers were compromised by brute-forcing the root password rather than through the zero-day that had been suspected, and that as soon as the attackers gained control of the servers they upgraded OpenSSH 4.3 to version 5.8, which suggests that the newer version of the software held some importance to them.

Pakistani Websites under Attack

December 1, 2011

Recently, many Pakistani websites have faced attacks from various international blackhat groups, which continues to be a huge concern for Pakistani cyberspace. The main reason behind this remains the lack of a secured hosting infrastructure, along with badly coded web applications. Such websites can be extremely vulnerable and may easily be compromised by attackers.

Telenor Pakistan Hacked

Pakistani websites of all kinds may be vulnerable to various attacks, including blogs, forums, government, telecommunication and banking websites. Only recently, some of the high-profile websites that were defaced included LG Electronics Pakistan, WorldCall Telecom Limited, DunyaTV, the Supreme Court of Pakistan, Telenor Pakistan, National University, and a few more.

Moreover, a newer form of malware has been discovered attacking Pakistani websites; this malware attacks not only the target website but also mobile devices. Hundreds of Pakistani government sites, including the Ministry of Information and Broadcasting – Government of Pakistan (infopak.gov.pk), PESCO – Peshawar Electric Supply Company (pesco.gov.pk) and the Pakistan Navy (paknavy.gov.pk), are under attack by this malware, which is known to be controlled by an Indian blackhat. Most website owners initially fail to understand the importance of having a secured web application and consequently lack the information security knowledge needed to secure their online information.

Malware Alert on the Infected Pakistani Websites

That is where we usually get involved and come to know about such incidents. Our team protects customers' infrastructure from such attacks and performs constant monitoring. Rewterz already has a reputation for securing information for a number of high-profile organizations. By providing services such as penetration testing, incident handling, application code review, forensic analysis and security outsourcing, we ensure complete security for an affected website.

Today hacking is a career backed by strong institutions, estimated at about $2 billion annually. The cyber war between the Pakistani and Indian blackhat communities has been going on for years, and this is not the first time we have seen a rise in such attacks. The best way to protect information available online is to have a secured hosting infrastructure that mitigates the vulnerabilities attackers look for in order to carry out an attack. Taking such measures is becoming critically important in the cyber world and must be understood by the personnel who make critical information available online, before it is too late.

In-depth Analysis of PDF Security

February 5, 2011

PDF, a portable file format, has gained popularity among general users due to its extensive features, portability and the availability of free tools to read and author documents. With the increasing popularity of this file format among general users, it has also become a target for various malware that exploit the document format to carry out malicious attacks, using PDF files as a vehicle to deposit malware that attacks a specific component or even the entire system.

Over the last three or four years, PDF malware has become increasingly damaging to computer security. The reason behind this success is the blackhat community's mastery of a handful of PDF distribution channels, through which various malicious PDFs are used to jeopardize computer security. Before going deeper into PDF security, let's take a closer look at the different distribution channels attackers use to deposit malware on a computer. Among the variety of PDF distribution channels, three dominate: mass-mailing, drive-by downloads and targeted attacks.

In the mass-mailing distribution technique, a user is lured into opening an email and unsuspectingly receives the malware by downloading the PDF file attached to it. These spam emails use popular subjects such as IRS notices, politics or current affairs, or any controversial topic. Drive-by downloads, by contrast, deposit the malware on the system when the user visits an infected website and downloads a PDF file hosted there. Malware authors use web exploit packs to plant malicious PDFs on websites. The hosted PDFs contain shellcode which, when executed, downloads further malicious content from the internet. Targeted attacks, in contrast, are directed at specific individuals or organizations and disguise the PDF as coming from an authentic source so that the user will open the attached file. What makes targeted attacks relatively successful is the use of zero-day exploits, which leave the victim unaware that his system's security is at stake.

To make matters worse, each distribution channel uses different exploit techniques, which fall into two categories: JavaScript-based exploits and non-JavaScript-based exploits. Almost all PDF exploits now use JavaScript in one form or another because of its use for heap spraying (JavaScript code that runs first to fill the reader's process memory with shellcode, which as a result exposes the system to the malicious attack).

Using exploit techniques across the different PDF distribution methods might have given antivirus and malware detection products a way to detect the presence of a malicious PDF, or the attack embedded within the PDF file. To evade antivirus detection, malware authors use a malicious AcroForm stream. This evasion method misleads the user into believing that the malicious PDF file is simply a corrupt file: it crashes the PDF reader while the malware keeps working in the background, remaining undetected by both the user and the virus-detection product.
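The keyword-based static triage that defenders typically run on incoming PDFs, as an added example (this code is not from the original post or from any product it mentions): it counts the dictionary keys that the JavaScript-based, auto-run and AcroForm techniques described above depend on, after resolving the `#xx` name escapes and inflating the Flate-compressed streams that evasive samples use to hide those keywords from a plain byte search. The three sample documents, the keyword weights and the threshold are constructed for this example.

```python
import re
import zlib

# Constructed sample documents (not real malware): a plain one-page PDF and a copy
# that carries an auto-run JavaScript action and an AcroForm, with the action's
# names hex-escaped (/Java#53cript, /J#53) the way evasive samples hide keywords.
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /AcroForm 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /Java#53cript /J#53 (app.alert(1)) >> endobj
5 0 obj << /Fields [] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed: the same script action, but hidden inside a Flate-compressed stream
# so that a plain grep over the file bytes would miss it.
COMPRESSED_PDF = CLEAN_PDF.replace(
    b"trailer",
    b"6 0 obj << /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(b"<< /S /JavaScript /JS (app.alert(1)) >>")
    + b"\nendstream endobj\ntrailer")

# Keyword -> weight (constructed). Script and auto-run keys weigh most; forms and
# embedded content are suspicious mainly in combination with them.
KEYWORDS = {
    b"/JavaScript": 3, b"/JS": 3, b"/Launch": 3,
    b"/OpenAction": 2, b"/AA": 2,
    b"/AcroForm": 1, b"/XFA": 1, b"/RichMedia": 1, b"/EmbeddedFile": 1, b"/ObjStm": 1,
}


def decode_name_escapes(data: bytes) -> bytes:
    """Resolve PDF name hex escapes (#xx) so /Java#53cript is seen as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Return the inflated bodies of every Flate-compressed stream that decodes."""
    out = b""
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)endstream", data, re.S):
        try:
            out += b"\n" + zlib.decompress(m.group(1))  # trailing EOL bytes are ignored
        except zlib.error:
            continue  # not Flate, or damaged: the raw bytes are scanned anyway
    return out


def count_keywords(data: bytes) -> dict:
    """Count each risky keyword in the raw bytes plus the inflated stream contents."""
    text = decode_name_escapes(data + inflate_streams(data))
    return {kw.decode(): len(re.findall(re.escape(kw) + rb"(?![A-Za-z0-9])", text))
            for kw in KEYWORDS}


def triage(data: bytes, threshold: int = 4) -> dict:
    """Score a PDF; anything at or above the threshold deserves a sandbox look."""
    counts = count_keywords(data)
    score = sum(KEYWORDS[k.encode()] * n for k, n in counts.items())
    return {"counts": counts, "score": score,
            "verdict": "suspicious" if score >= threshold else "no static indicators"}


if __name__ == "__main__":
    for name, doc in (("clean", CLEAN_PDF), ("suspicious", SUSPICIOUS_PDF),
                      ("compressed", COMPRESSED_PDF)):
        result = triage(doc)
        print(name, result["verdict"], result["score"],
              {k: v for k, v in result["counts"].items() if v})
```

The point of the two normalisation steps is that a byte-level grep for `/JavaScript` sees nothing in either the escaped or the compressed sample, while the triage scores both; a real deployment would add the other filters (LZW, ASCIIHex, ASCII85) and treat a document that crashes the reader, as the AcroForm trick does, as suspicious in its own right.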

When your system's security is jeopardized and various significant assets are exposed, what can you do to protect your system from being infected with malicious content?

A number of practical protective actions can be taken by the user that may keep his system safe from targeted or untargeted attacks by malware authors.

First and foremost, keep your system up to date with all application and software patches, including those for your PDF reader. Second, keep your virus-detection product up to date. Wherever possible, disable JavaScript in the PDF reader so that JavaScript-based exploits are prevented. Last but not least, exercise considerable discretion before opening a PDF document from an untrusted location.

Internet Explorer CSS 0day

February 4, 2011

Vulnerabilities, malware and exploits have been around for as long as software itself. Written with malicious intent, these programs have always been a thorn in application developers' sides, and keep going a continuous game of cat and mouse between developers and attackers.

Being the most popular OS in the world, Windows and its associated applications have been the most frequent target of malicious exploits, and Internet Explorer is no exception. Back in December 2010, a new vulnerability affecting IE 6, 7 and 8 running on Windows Vista and above was published on a full-disclosure security list, labelled the IE CSS 0-day vulnerability, and was later addressed in Microsoft's Security Advisory 2488013.

This exploit reportedly targeted users of IE 6 through 8, allowing the execution of malicious code on an affected user's computer, under the currently logged-in account, just by visiting a website containing a malicious CSS script. Microsoft currently believes the attack has not affected many users, and while it can easily be circumvented, it is a serious threat that could be used on a much larger scale, causing massive damage.

Let's try to understand how this whole thing works. As the name suggests, this vulnerability relies on a loophole in Internet Explorer's processing of Cascading Style Sheets (CSS). Normally, a CSS file (which dictates the look and feel of an HTML file) is loaded when you visit a website, but if the style sheet imports itself, it wreaks havoc on IE's memory management, allowing unauthorized code to execute while bypassing IE's usual security checks on downloaded content, including the newer Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).

DEP is designed to perform additional checks on memory to help prevent malicious code from running on a system. Specifically, if a remote attacker manages to crash a running application on your system, the areas of memory where the application stored its run-time data, including the stack and heap, are marked non-executable, so even if malicious code makes it into those memory bytes, the operating system will prevent it from running. Hence, DEP will prevent any unauthorized code execution unless the attack targets memory regions where code has already been marked executable, which is where ASLR comes in.

ASLR loads programs and DLLs at a different, random location each time they are executed, and since bypassing DEP requires you to know exactly where executable code is going to be, the randomization offered by ASLR ensures that the attacker can never accurately predict which memory blocks to target. He may opt to perform a search, but the code required to perform the search would be blocked by DEP in the first place. Hence, from the outside, it would seem that Microsoft has created the perfect security barrier.

Hats off to Microsoft, though, for they have, most unfortunately, allowed each DLL to decide for itself whether it supports ASLR or not. Internet Explorer is itself a huge collection of DLLs, some of which execute at run time to render the content that IE downloads. Now, with malicious CSS code causing the memory heap to go berserk, the attacker would send otherwise-safe files to IE, causing it to load the known DLLs. And if any of these DLLs does not support ASLR (which they don't), then its location in memory is already known, and DEP simply goes out the window. One specially designed web page is all a malicious attacker needs to gain execution access on your machine, without your knowledge at all.

While most modern browsers have entirely switched to newer, safer CSS handling, Microsoft's prized browser still uses the same old DLLs to handle CSS rendering, and with IE's still very large user base, such exploits could become disastrous should someone decide to take advantage of them. Microsoft's security advisory suggests that the exploit is public knowledge, but neither used on a mass level yet nor critical enough to merit an out-of-band security release.

While Microsoft works on a patch, one easy workaround is to use Microsoft's Enhanced Mitigation Experience Toolkit (EMET). This allows you to force named applications to apply ASLR to every DLL that is loaded, irrespective of whether the DLL supports it or not. That way, DEP again comes into effect for any code that depends on a memory overload, and would at least block this particular vulnerability.
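Whether a given DLL "decides for itself" to support ASLR, as the post puts it, is recorded in one field of its PE header: the DYNAMICBASE and NXCOMPAT bits of DllCharacteristics. The following added example (not from the original post or from Microsoft's tooling) reads that field from PE32 and PE32+ images and lists the modules under a directory that have not opted in, which is the inventory an administrator would want before deciding where EMET's forced ASLR is needed. The hand-built PE header it uses for demonstration is constructed and not loadable; the offsets and flag values are the documented PE layout.

```python
import struct
import sys
from pathlib import Path

# DllCharacteristics bits of the PE optional header (winnt.h)
DYNAMIC_BASE = 0x0040   # image may be relocated at load: opts in to ASLR
NX_COMPAT = 0x0100      # image declares itself DEP-compatible


def dll_characteristics(pe: bytes) -> int:
    """Return the DllCharacteristics field of a PE image (PE32 or PE32+)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    if size_of_optional < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts
    return struct.unpack_from("<H", pe, opt + 70)[0]


def mitigation_report(pe: bytes) -> dict:
    """Which of the two mitigations the image opts in to."""
    dc = dll_characteristics(pe)
    return {"aslr": bool(dc & DYNAMIC_BASE), "dep": bool(dc & NX_COMPAT)}


def build_fake_pe(dll_chars: int) -> bytes:
    """Constructed, non-loadable PE header used only to exercise the parser."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: PE header right after DOS header
    # Machine=i386, 0 sections, no timestamp/symbols, SizeOfOptionalHeader=96, DLL+executable
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, 0x2102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def scan_directory(directory: str) -> list:
    """Paths of DLLs/EXEs under a directory whose header does not opt in to ASLR."""
    unprotected = []
    for path in Path(directory).rglob("*"):
        if path.suffix.lower() not in (".dll", ".exe"):
            continue
        try:
            report = mitigation_report(path.read_bytes())
        except (ValueError, OSError):
            continue                                  # not a PE file or unreadable: skip
        if not report["aslr"]:
            unprotected.append(str(path))
    return unprotected


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for p in scan_directory(sys.argv[1]):
            print("no ASLR opt-in:", p)
    else:
        print(mitigation_report(build_fake_pe(DYNAMIC_BASE | NX_COMPAT)))
        print(mitigation_report(build_fake_pe(0)))
```

Run it against a browser's installation directory to see which modules still lack the DYNAMICBASE bit; a module without it loads at its preferred base every time, which is exactly the fixed address the post describes DEP being bypassed through.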

| Category : Threats,Vulnerabilities

Godaddy Web Interface Cross-Site Scripting (XSS) Vulnerability

February 3, 2011

Exploit Database recently published an interesting vulnerability concerning Godaddy, a leading domain and website hosting provider. The Godaddy workspace XSS vulnerability gives an attacker the liberty to send malicious JavaScript to the victim, resulting in the theft of cookies and other malicious activity. This means that if you use the Godaddy workspace web interface, a malicious attacker can obtain your session information and, interestingly, even log in to your account without using any credentials.

Following are the steps for exploiting Godaddy XSS vulnerability:

  1. The attacker logs in to the Godaddy workspace interface.
  2. He composes an email addressed to the targeted user.
  3. He uses Firebug to craft a malicious link using JavaScript in the email. This JavaScript is capable of capturing the victim's cookie (session id) and sending it to an attacker-controlled web server.
  4. The email is sent to the targeted user (victim), who also uses the Godaddy web interface.
  5. The victim receives the email and opens it.
  6. As soon as the email is opened, the victim's session id is obtained by the malicious JavaScript and sent to the attacker-controlled web server.
  7. To make sure that no credentials are required to exploit this vulnerability, the attacker logs out of his account and clears the cache and cookies.
  8. The attacker retrieves the victim's cookie (session id) from the web server log and replays it to Godaddy using Live HTTP Headers (a Firefox add-on).
  9. The attacker successfully logs in to the victim's Godaddy web interface.

(Screenshot: victim's cookie from web server logs)
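The two controls that would have broken this chain on the server side, as an added example (this code is not from the original post and is not Godaddy's implementation): an allowlist HTML sanitizer for rendering received mail, which discards script blocks, event-handler attributes and any link whose scheme is not http, https or mailto, so the crafted JavaScript link from step 3 is defanged before the victim's browser sees it; and a session cookie issued with the HttpOnly flag, so that even a script that does run cannot read the session id from `document.cookie` for the replay in step 8. Tag and scheme allowlists and both sample messages are constructed for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "ul", "ol", "li", "div", "span", "a"}
DROP_CONTENT = {"script", "style"}      # the tag and everything inside it is discarded
SAFE_SCHEMES = {"http", "https", "mailto"}


class EmailSanitizer(HTMLParser):
    """Allowlist sanitizer: keeps basic formatting, removes every path to script execution."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skipping = 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skipping += 1
            return
        if self.skipping or tag not in ALLOWED_TAGS:
            return                        # img, iframe, form, ... vanish; their text content stays
        safe_attrs = ""
        if tag == "a":
            for name, value in attrs:
                # href survives only with a known-safe scheme; javascript:, data:, vbscript:
                # are dropped, and so is every other attribute (including on* handlers),
                # which leaves a harmless <a> around the link text.
                if name == "href" and value and urlsplit(value.strip()).scheme.lower() in SAFE_SCHEMES:
                    safe_attrs = f' href="{html.escape(value, quote=True)}" rel="noopener noreferrer"'
        self.out.append(f"<{tag}{safe_attrs}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skipping = max(0, self.skipping - 1)
            return
        if not self.skipping and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(html.escape(data, quote=False))   # text is always re-escaped


def sanitize_email_html(raw: str) -> str:
    parser = EmailSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)


def session_cookie_header(session_id: str) -> str:
    """HttpOnly keeps document.cookie from exposing the session id to injected script."""
    return f"Set-Cookie: sessid={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


# Constructed sample messages: a link whose href runs script, an inline script
# block and an image with an event handler, next to an ordinary benign message.
MALICIOUS_EMAIL = ('<p>Please review <a href="javascript:alert(document.cookie)">this link</a>.'
                   '<script>alert(1)</script><img src=x onerror="alert(2)"></p>')
BENIGN_EMAIL = '<p>See <a href="https://example.com/">the report</a> &amp; <b>reply</b><br>thanks</p>'

if __name__ == "__main__":
    print(sanitize_email_html(MALICIOUS_EMAIL))
    print(sanitize_email_html(BENIGN_EMAIL))
    print(session_cookie_header("constructed-session-id"))
```

Sanitizing on output with an allowlist, rather than trying to blocklist known-bad strings, is what makes the scheme check robust: `JaVaScRiPt:` and whitespace-padded variants are all rejected because they are not in the allowlist, not because they were anticipated.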

Can we ever solve the piracy issue?

January 24, 2011

In the middle of last year, the US Customs and Homeland Security agencies seized the domain names of nine popular video streaming sites, citing piracy. The seized domain names include popular websites such as PlanetMoviez.com, NinjaThis.net, TVshack.net and Links.tv. Visiting these streaming websites displayed the following message from the US authorities:

(Image: site seized notice)

According to the US government, these domains were seized for copyright infringement and the illegal distribution of pirated movies and other video content. These websites usually charge a minimal subscription fee and provide users with the illegal content. The related bank accounts were also seized, in addition to four residential search warrants served in New York, New Jersey, North Carolina and Washington. An interesting fact about these websites is that all of them were ranked among the top 10,000 on Alexa.

So the situation right now is that these websites cannot be accessed, but does that mean the issue of copyright infringement and piracy has been solved? Unfortunately, the answer is no. These measures can only slow down illegal content distribution; they are not a permanent solution. Why not? Let's have a look.

Let us take the example of TVshack.net. The website's hosting was provided by a Netherlands-based company, Ecatel. However, the domain name was registered through a US-based company, and this is the main reason the domain is inaccessible now. Ecatel provides hosting services to a number of companies and websites, but none of them had a share of the server's traffic like TVshack. This is supported by the fact that Ecatel's overall traffic went down 25% within a few hours of the takedown of TVshack.

So have we really blocked the pirated content from TVshack? Unfortunately, the answer is no. Though the content is no longer available on TVshack.net, the owner of the website registered a new domain, TVshack.cc, which contains all the content of the previous domain. This time the domain registrar was a Chinese company. Later in the year the US authorities blocked this domain too, and the website owner registered yet another domain and moved the content there. Similarly, some of the other confiscated domains are also functional under new domain names containing all the previous pirated content, e.g. Movies-Link.tv is now working under the domain Watch-movies-tv.info.

The fact of the matter is that the rest of the seized domains will probably be re-registered under new domains outside the US, and more pirated content will be available again in the near future. In the next few months these websites will again have the same number of visitors they had earlier, or probably more. So how much has the piracy issue been addressed by taking all these measures? You are not going to like it, but the fact is that the issue is still the same and nothing has changed a bit. The US law enforcers only managed to slow down the process; they failed to prevent it at all.

Now let's come to the solution. The first question is whether there is even a solution to piracy. One thing is certain: we can minimize piracy, but it seems impossible to stop it completely. The problem is that different countries have different rules on piracy. One act can be considered an offence in one country, but the same act is not considered a crime in another, e.g. the case of TVshack. This also indicates that many countries do not even consider piracy an issue and hence are not taking serious measures to tackle it.

An international body should be formed that focuses solely on addressing issues related to piracy. In collaboration with the international community, this organization should draw up an international piracy law applicable to all member countries. This international body would work similarly to INTERPOL, i.e. it would collaborate with all member countries to address this crime. The main focus should be on the implementation of this law, because certain countries already have laws that are not adequately implemented. If this happens, it would definitely help reduce piracy on a larger scale.

| Category : Privacy

An Insight into Vulnerability Management

June 2, 2009

People tend to underestimate the intricacies involved in a Vulnerability Management program. The traditional ‘find them – kill them’ approach tends to fade when it comes to sweeping through a plethora of servers, platforms and protocols, not to mention end-user systems.

A more effective approach has always been to plan your initial efforts, focus on your primary and secondary assets, and analyze the life cycle of the entire process.

In this article, we’ll discuss some proven methodologies known to efficiently deliver results.

Step 1. Many organizations fail to grasp the essence of VM and tend to regard it as part of the IT administrator's responsibilities. Though this may be true for smaller organizations (read: very small), any larger organization must have a dedicated team solely responsible for hunting down and patching vulnerabilities.

Step 2. Create an index of all IT assets currently owned by the organization, specifically highlighting systems connected to IP networks. This database will act as your ‘Evaluation Base Line’, indicating the patching status of your entire inventory.

Step 3. Vulnerability management is an ongoing process. New vulnerabilities emerge constantly and require continuous monitoring. Similarly, a change in configuration might make a relatively secure system prone to attack.

Step 4. Prioritize patch implementations when it comes to choosing between ease of accessibility and security. Every system can be hardened to become virtually impenetrable, but at the cost of user-friendliness.

Step 5. Simulate post-patch scenarios in advance. New patches can sometimes cause unexpected changes in systems, such as conflicts with the system registry and occasional incompatibility issues.

Step 6. Create a database of all patches. Since computers at an organization are perpetually being changed, formatted or restored, an archive of all patches helps you quickly cover vulnerable systems without having to search through patch releases for individual software all over again.

Step 7. Automate! Integrate readily available patching solutions or update utilities at your organization to reduce manual overhead.

Step 8. Never assume. Assumptions in security have taught many professionals expensive lessons. A system isn't safe unless it has withstood an attack. Make a habit of frequently simulating attack scenarios on systems likely to face rogue traffic; you'll be surprised at your findings!
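Steps 2, 4 and 6 come together in a small piece of tooling, shown here as an added example (not from the original post or any vendor product): the asset index from Step 2 is compared against a set of advisories to produce the ‘Evaluation Base Line’, and each missing patch is ranked by advisory severity, doubled for internet-facing systems, which is one concrete way to make the prioritisation of Step 4 repeatable. The inventory, the advisory identifiers and the weights are constructed placeholders; the version comparison is numeric-only and would need extending for vendors with non-numeric schemes.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    internet_facing: bool


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    product: str
    fixed_version: str   # first version that carries the fix
    severity: str        # critical | high | medium | low


SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}   # constructed scale


def parse_version(v: str) -> tuple:
    """Numeric version tuple for comparison ("5.8" -> (5, 8)); letters are skipped."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def missing_patches(assets, advisories) -> list:
    """(score, host, advisory_id) for every asset below an advisory's fixed version.

    Highest score first. Score = severity weight, doubled for internet-facing
    systems, so the same missing patch ranks above its internal counterpart.
    """
    findings = []
    for asset in assets:
        for adv in advisories:
            if adv.product != asset.product:
                continue
            if parse_version(asset.version) < parse_version(adv.fixed_version):
                score = SEVERITY_WEIGHT[adv.severity] * (2 if asset.internet_facing else 1)
                findings.append((score, asset.host, adv.advisory_id))
    findings.sort(key=lambda f: (-f[0], f[1], f[2]))
    return findings


def baseline_summary(assets, advisories) -> dict:
    """Patch status of the whole inventory: hosts that are current vs hosts that need work."""
    exposed = {host for _, host, _ in missing_patches(assets, advisories)}
    return {"patched": sorted(a.host for a in assets if a.host not in exposed),
            "needs_patching": sorted(exposed)}


# Constructed inventory and advisories; product names and advisory IDs are placeholders.
ASSETS = [
    Asset("web01", "openssh", "4.3", internet_facing=True),
    Asset("web02", "openssh", "5.8", internet_facing=True),
    Asset("db01", "openssh", "4.3", internet_facing=False),
    Asset("mail01", "pdfreader", "9.3", internet_facing=False),
]
ADVISORIES = [
    Advisory("ADV-EXAMPLE-1", "openssh", "5.8", "high"),
    Advisory("ADV-EXAMPLE-2", "pdfreader", "9.4", "critical"),
]

if __name__ == "__main__":
    for score, host, adv in missing_patches(ASSETS, ADVISORIES):
        print(f"{score:>2}  {host:<8} {adv}")
    print(baseline_summary(ASSETS, ADVISORIES))
```

In the constructed data the perimeter host with the high-severity gap outranks the internal host with the critical one, which is the intended effect of weighting by exposure; the weights are a policy decision and should be set by the VM team rather than copied from here.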

How good are you at utilizing your Vulnerability Management program?

May 25, 2009

Here is our take on making the most of your vulnerability management system.

Act right away!

As much as people like to document their scan results in reports and refer to them in board presentations, do not lose focus on the primary objective of these results: patch those vulnerabilities NOW. It is unintelligent, to say the least, to have discovered vulnerabilities but to leave the patching for a later date. And speaking of documenting, maintain a certain degree of privacy around your vulnerability findings, limiting access to them to relevant personnel only.

Patching and thinking you are protected?

Patching should only be one part of your defense strategy. Patching generally mitigates risk caused by faulty or sloppy program code, which is relatively easy to identify using automated techniques. The trickier aspect of information security involves logical errors, which arise from lapses in the configuration settings and parameters of the myriad devices present on networks.

Protecting yourself from Zero day attacks…

Zero-day attacks are, quite understandably, the worst fear of any security professional. While you cannot predict what the future has in store for your network, there are certain practices that will minimize the potential of your systems being targeted.

- Harden your systems.
- Use heuristics-based antivirus protection.
- Deny the irrelevant and grant only least privilege to those you permit.
- Finally, educate users to be wary of unsolicited and suspicious email attachments.

A Vulnerability Management System is only as strong as its policies…

The strongest Vulnerability Management programs are always characterized by their elaborate policies. Policies help you regulate the operational effectiveness of your corporate infrastructure. Policies drive your users to:

- Practice better password conventions.
- Bring in the use of encryption in official emails.
- Create a realization that security is everyone's responsibility.
- Regularize the use of firewalls and antivirus programs.
- Familiarize people with the risks associated with social media.
- Ascertain the confidentiality of organizational data and prevent instances of data leakage.
