Archive

Archive for the ‘exploits’ Category

Stealing your data while you watch

December 20th, 2014

In IT and IT Security there is a constant complaint about the risks of shadow IT and the adoption of consumer collaboration and sharing tools. Over the last couple of years we also saw the emergence of novel exfiltration techniques, including the persistent ultrasonic technique, where the infected device communicates with other compromised hosts via high-frequency audio; the Twitter-based technique, where malware sends out data 140 characters at a time for anyone to read; and the more recent video technique, encrypting data in video files and putting corporate secrets onto video sites for later retrieval.


ThruGlassXfr starts to make an impact

October 2nd, 2014

It is awesome to see that Ian Latter’s work on bypassing all security measures to exfiltrate data via the screen is starting to be received by the InfoSec community. Today an article written by Richard Stiennon on Ian’s presentation at COSAC was syndicated through to Forbes. Well done Ian! This follows up on a post I did in July when I was allowed to start talking about TGXf.

As part of Ian’s presentation preparation (and in response to a number of CFP reviewers NOT READING HIS SUBMISSIONS) he also prepared a number of videos demonstrating the capability of ThruGlassXfr along with his ThruKeyboardXfr.

ThruGlassXfer Open Letter (PDF) – TGXf VER8 FPS5 GD
http://youtu.be/IXlYDYjqFLU

Android smart-phone in flight mode, downloading a PDF from Youtube via a Laptop screen
http://youtu.be/2_8GlFdlb0Y

TGXf Demo – Open Letter PDF, ANSI (Terminal) Version 1 at 8 FPS
http://youtu.be/ZrMN54Rooec
(i.e. you don’t need graphical access to steal data)

TKXf Demo – Keyboard upload of virus to hardened Windows platform
http://youtu.be/2Szza7dQZsY
(i.e. I can type a virus into Windows .. stop me)

TKXf Demo – Keyboard upload of payload via Windows to Linux
http://youtu.be/QmROf-Tx92E
(i.e. I can type any payload into anything via anything .. stop me)

TCXf Demo – Attacker exfiltration from Linux via socket over PuTTY/XPe/HP Thin Client
http://youtu.be/sMHx5VDpFjQ
(i.e. I can route anything via anything over screen and keyboard)

And my personal favourite!!!!!
TCXf Demo – IP networking over Screen and Keyboard!
http://youtu.be/PdjhevoBKbs

Yes that last one is a functional network over TGXf and TKXf…

As a Security Enthusiast I love seeing this, though I have to say as a Security Technology Vendor and IT Outsourcing and Management Supplier it causes me pause. Now I finally have that enthusiasm back to write that paper on the risks of BYOD.


ThruGlassXFER – exfiltration via QRCode

June 10th, 2014

This week Ian Latter, under his MidnightCode moniker, started to release information on his proof of concept for the exfiltration of information using QR Codes called ThruGlassXFER. This is ahead of his presentation at COSAC in Ireland and time at BlackHat later this year.

The full ThruGlassXFER White-Paper and proof of concept apps are coming. I was privileged enough to see this project as it emerged including the functioning proof-of-concept. The White-Paper will walk people from first principles through to sample code. There are also some inventive ways to get the base code onto secure systems.

This can put to bed the argument that a system that delivers only a remote display, mouse and keyboard is secure and that information cannot easily be exfiltrated from it. Yes, I understand that this is an oversimplification of the potential issue. I look forward to seeing how this is received and what people do with it.

My hat goes off to Ian!


Bruteforce become DOS

May 27th, 2013

I noticed that I started to get a few emails from Wordfence about invalid login attempts. As I have both Wordfence and Google two-factor authentication in place I wasn’t worried, though I thought I’d do a large IP range block just to cut down on the noise.

blocked login
What I found was that my provider was being really awesome in their proactiveness: they had started automatically detecting brute-force attacks on WordPress sites and removing the login.php.
As I stated above, I have Wordfence installed, which will automatically block users and IP addresses that have attempted too many times to log in to a site. But I also have Google two-factor authentication set up, stopping these clowns.
2FA
So whilst my provider was doing an awesome job preventing those-bad-guys™ from getting to my site, they have in essence locked me out too. Hats off to the support team for pulling this together. But the next stage really needs to include not only scanning for the fact I run WordPress to block attacks, but scanning for plugins too. Or even better, allowing me to opt out.
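To make the trade-off concrete, here is an added example (an editor's illustration, not Wordfence's or the hosting provider's code) of the kind of threshold detection a host could run over its web server access log: count failed POSTs to wp-login.php per source address inside a sliding time window, flag addresses that cross the threshold, and then exempt an owner-supplied allowlist so the block cannot turn into a lockout of the site owner. The log lines and IP addresses are constructed for the example, and the rule that a failed WordPress login answers with 200 (form re-rendered) while a successful one answers with a 302 redirect is a heuristic assumed here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of an Apache "combined" access log (invented for this
# example): one address hammering wp-login.php, the site owner mistyping a
# password a few times before getting in, and an unrelated visitor.
SAMPLE_LOG = """\
203.0.113.10 - - [27/May/2013:10:00:01 +1000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.10 - - [27/May/2013:10:00:03 +1000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.10 - - [27/May/2013:10:00:05 +1000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.10 - - [27/May/2013:10:00:07 +1000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.10 - - [27/May/2013:10:00:09 +1000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.10 - - [27/May/2013:10:00:11 +1000] "POST /wp-login.php HTTP/1.1" 200 3421
198.51.100.7 - - [27/May/2013:10:05:00 +1000] "GET /wp-login.php HTTP/1.1" 200 3011
198.51.100.7 - - [27/May/2013:10:05:10 +1000] "POST /wp-login.php HTTP/1.1" 200 3421
198.51.100.7 - - [27/May/2013:10:05:18 +1000] "POST /wp-login.php HTTP/1.1" 200 3421
198.51.100.7 - - [27/May/2013:10:05:25 +1000] "POST /wp-login.php HTTP/1.1" 200 3421
198.51.100.7 - - [27/May/2013:10:05:33 +1000] "POST /wp-login.php HTTP/1.1" 200 3421
198.51.100.7 - - [27/May/2013:10:05:41 +1000] "POST /wp-login.php HTTP/1.1" 200 3421
198.51.100.7 - - [27/May/2013:10:05:50 +1000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.44 - - [27/May/2013:10:06:00 +1000] "GET /index.php HTTP/1.1" 200 10234
"""

# Only the fields we need from a "combined" log line: client, timestamp,
# method, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, datetime, method, path, status), or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def is_failed_login(method, path, status):
    # Assumed heuristic: WordPress re-renders the login form with 200 on a bad
    # password and answers a successful POST with a 302 redirect into wp-admin.
    return method == "POST" and path.startswith("/wp-login.php") and status == 200


def detect_bruteforce(lines, threshold=5, window_seconds=60, allowlist=()):
    """Map each flagged IP to the largest number of failed logins it produced
    inside any window of `window_seconds`; allowlisted IPs are never flagged."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if not is_failed_login(method, path, status):
            continue
        window = recent[ip]
        window.append(ts)
        # Drop failures that have aged out of the sliding window.
        while window and (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(window))
    # The owner's own address is exempt so the defence cannot lock them out.
    return {ip: n for ip, n in flagged.items() if ip not in allowlist}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("no allowlist:", detect_bruteforce(lines))
    print("owner exempt:", detect_bruteforce(lines, allowlist={"198.51.100.7"}))
```

Run as-is, the first call flags both the attacker and the owner (the owner's five typos look exactly like a small brute-force run), and the second call, with the owner's address allowlisted, flags only the attacker. That allowlist is the "let me opt out" the post asks for, expressed as a parameter rather than a support ticket.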

iDevice tracking.

April 27th, 2011

I’m a little late wading into this but I thought it worth looking at based on my last post.

If you’ve been hiding under a rock; Apple tracks where you have been (regardless of your location tracking selection) in a file called consolidated.db.

Tracked!

This was originally discovered by Alex Levinson back in 2010 when he was researching the iPad.

Long story short, there is a SQLite database on both the iDevice (/private/var/root/Library/Caches/locationd/consolidated.db) and your sync machine (/Users/<your user name>/Library/Application Support/MobileSync/Backup/). It uses cell tower triangulation, as opposed to GPS, to track your location (so accuracy isn’t always bang on, but pretty close in most cases).

Recently a couple of researchers from O’Reilly (Alasdair Allan and Pete Warden) wrote an OSX application that allows visualisation of the stored data, bringing this out from the deep dark recesses of computer forensics to the mainstream and sparking outrage and cries of foul. This in turn forced Apple to respond to these concerns.

You can see in the image “Tracked!” that it has tracked my movements throughout NSW and Canberra. So I decided to have a play myself to see what is captured (instructions on how to find the consolidated.db file are on Pete Warden’s site). With the help of a SQLite viewer I opened up the file to see what was there (see image below):

SQLite file opened

The second table is the interesting one that contains the location tracking data that everyone is interested in. A view into that table shows exactly what can be found in there:

CellLocation Table Contents

I’ve condensed the columns for Longitude and Latitude, mostly because I don’t want everyone knowing EXACTLY where I’ve been 😉

The interesting thing seems to be that similar information is also being stored for WiFi locations, though I’ll need some time playing about to understand how relevant the stored information is; based on an initial pass it seems to capture any AP that my phone sees. I’ve tested this by plugging random MAC addresses into Google to check against its wireless AP DB and sure enough, these are APs I’ve not connected to but are pretty close to some of the ones I do.
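As an added example (an editor's illustration, not the author's code and not Allan and Warden's application), the Python below builds an in-memory SQLite database shaped like the CellLocation and WifiLocation tables, fills it with constructed rows, and then does with a few queries what the SQLite viewer did by hand: lists the tables and summarises the cell records per day with the coordinates rounded to a couple of decimals, the same "condensing" of the latitude and longitude columns done for the screenshot. The column names, the 2001-01-01 epoch used to decode the Timestamp column, and every row value are assumptions made for the example, not data taken from a real consolidated.db.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumption for this example: timestamps are seconds since 2001-01-01 00:00 UTC
# (the "Mac absolute time" epoch), not the Unix epoch.
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def mac_absolute_to_datetime(seconds):
    """Decode a Mac-absolute timestamp into an aware UTC datetime."""
    return MAC_EPOCH + timedelta(seconds=seconds)


def datetime_to_mac_absolute(dt):
    """Inverse of mac_absolute_to_datetime, used to build the sample rows."""
    return (dt - MAC_EPOCH).total_seconds()


def build_sample_db():
    """In-memory stand-in for consolidated.db; schema and rows are constructed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE CellLocation (
            MCC INTEGER, MNC INTEGER, LAC INTEGER, CI INTEGER,
            Timestamp REAL, Latitude REAL, Longitude REAL, HorizontalAccuracy REAL
        );
        CREATE TABLE WifiLocation (
            MAC TEXT, Timestamp REAL, Latitude REAL, Longitude REAL, HorizontalAccuracy REAL
        );
    """)

    def ts(year, month, day, hour):
        return datetime_to_mac_absolute(datetime(year, month, day, hour, tzinfo=timezone.utc))

    # Invented fixes: three near one spot on one day, then a move to a second
    # spot the next day. MCC/MNC/LAC/CI values are placeholders.
    cell_rows = [
        (505, 1, 1001, 20001, ts(2011, 4, 20, 1), -33.8688, 151.2093, 500.0),
        (505, 1, 1001, 20002, ts(2011, 4, 20, 5), -33.8690, 151.2095, 500.0),
        (505, 1, 1001, 20003, ts(2011, 4, 20, 9), -33.8700, 151.2100, 750.0),
        (505, 1, 1001, 20001, ts(2011, 4, 21, 0), -33.8688, 151.2093, 500.0),
        (505, 1, 2002, 30001, ts(2011, 4, 21, 6), -35.2809, 149.1300, 500.0),
    ]
    conn.executemany("INSERT INTO CellLocation VALUES (?,?,?,?,?,?,?,?)", cell_rows)
    # One invented access point sighting, MAC address is a placeholder.
    conn.execute("INSERT INTO WifiLocation VALUES (?,?,?,?,?)",
                 ("00:11:22:33:44:55", ts(2011, 4, 20, 1), -33.8689, 151.2094, 50.0))
    conn.commit()
    return conn


def list_tables(conn):
    """The table list a SQLite viewer shows when the file is opened."""
    cur = conn.execute("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
    return [row[0] for row in cur]


def daily_summary(conn, decimals=2):
    """Per UTC day: (date, number of cell records, distinct positions after
    rounding lat/long to `decimals` places). Rounding is the 'condensing' step."""
    per_day = {}
    cur = conn.execute("SELECT Timestamp, Latitude, Longitude FROM CellLocation")
    for stamp, lat, lon in cur:
        day = mac_absolute_to_datetime(stamp).strftime("%Y-%m-%d")
        entry = per_day.setdefault(day, [0, set()])
        entry[0] += 1
        entry[1].add((round(lat, decimals), round(lon, decimals)))
    return [(day, count, len(positions)) for day, (count, positions) in sorted(per_day.items())]


if __name__ == "__main__":
    db = build_sample_db()
    print("tables:", list_tables(db))
    for day, count, places in daily_summary(db):
        print(f"{day}: {count} cell records, {places} distinct place(s) at 2 decimals")
```

With two decimals the three same-day fixes collapse into one place, which is roughly what a viewer of the condensed screenshot gets to see; with four decimals every fix stands on its own, which is the level of detail the file actually holds and the reason the columns were hidden.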

Given the high profile of this now, and the ease with which the necessary scripts can be located online to grab this information, I suspect that it won’t be long before you see some exploits in the wild and high-profile people start finding that their movements are published.

I hope Apple move to remedy this soon.

UPDATE: I forgot to add that Google also track phones and seem to track similar information on WiFi locations picked up by Android devices. I suspect that Apple is doing similar things with the information for their own reasons.

UPDATE2: Apple have released their latest iOS (4.3.3), which addresses some of the issues.

I’ve yet to run it up and review myself but it looks like they have made good. Now to see what happens with Google and Microsoft.