Tuesday, December 30, 2008

Rogue CA certificates through MD5 collisions

| Armando Romeo |
Researchers Sotirov and others provided a practical proof of concept of a well-known but, until now, theoretical threat: MD5 collisions.

Today, at the 25c3 conference in Berlin, it was shown that it is possible to find a collision with the signature of one of the browser-embedded trusted root CAs and so build a new rogue CA capable of signing certificates for rogue websites. These certificates would then be accepted by the browser, which would advertise a completely secure and reliable connection.

It is the first time this has been put into practice, and according to the authors of the research more than 100 PlayStation 3 consoles were used to compute the collisions.

This successful proof of concept shows that the certificate validation performed by browsers can be subverted, and malicious attackers might be able to monitor or tamper with data sent to secure websites. Banking and e-commerce sites are particularly at risk because of the high value of the information secured with HTTPS on those sites. With a rogue CA certificate, attackers would be able to execute practically undetectable phishing attacks against such sites.
More on the research can be found here.
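A defender-side check for the weakness the post describes: a certificate's signature is computed over a hash of its body, so a chain that still contains MD5-signed certificates is exposed to exactly this kind of collision. The Python below is an added example, not code from the post or from the researchers; it walks just enough DER to read a certificate's outer signatureAlgorithm OID, and the sample certificates it checks are constructed stand-ins, not real CA certificates.

```python
# Added example (not from the post): flag certificates whose outer signature
# algorithm is md5WithRSAEncryption, the construction the 25c3 attack abuses.
# Minimal DER walker so it runs offline; the sample certs are constructed.
SIG_ALGS = {  # RSA signature OIDs (RFC 3279 / RFC 4055) and the hash they use
    "1.2.840.113549.1.1.4": "md5",
    "1.2.840.113549.1.1.5": "sha1",
    "1.2.840.113549.1.1.11": "sha256",
}
WEAK_HASHES = {"md5"}  # collisions are practical, as the post describes

def der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def oid_decode(raw):
    """Decode OID content octets (base-128 arcs) to dotted form."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_hash(cert_der):
    """Hash named by the Certificate's outer signatureAlgorithm field."""
    _, body, _ = der_read(cert_der, 0)       # Certificate ::= SEQUENCE
    _, _tbs, pos = der_read(body, 0)         # tbsCertificate, skipped here
    _, sig_alg, _ = der_read(body, pos)      # AlgorithmIdentifier SEQUENCE
    _, oid, _ = der_read(sig_alg, 0)         # first element: algorithm OID
    return SIG_ALGS.get(oid_decode(oid), "unknown")

def is_weak_signature(cert_der):
    return signature_hash(cert_der) in WEAK_HASHES

def tlv(tag, content):  # short-form DER TLV, enough for the small samples
    return bytes([tag, len(content)]) + content

def build_sample_cert(oid_bytes):
    """Constructed stand-in Certificate; only signatureAlgorithm is realistic."""
    tbs = tlv(0x30, tlv(0x02, b"\x01"))                     # stub tbsCertificate
    alg = tlv(0x30, tlv(0x06, oid_bytes) + b"\x05\x00")     # OID + NULL params
    sig = tlv(0x03, b"\x00" * 9)                            # placeholder BIT STRING
    return tlv(0x30, tbs + alg + sig)

MD5_RSA = bytes.fromhex("2a864886f70d010104")     # 1.2.840.113549.1.1.4
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
```

On a real chain, feed each DER certificate to `is_weak_signature`; any MD5-signed intermediate or root is the point where a colliding rogue certificate could be substituted.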

Monday, December 29, 2008

Winner of the Survey contest is...

| Armando Romeo |
etr[**]acers1@verizon.net who has already received the HSC Ethical Hacker Kit as the prize of the contest.

The survey collected almost 100 responses, which were very useful for understanding where we were and where we are now in the everyday challenge to make our site a useful one-stop place for security people.

Personally, I expected more criticism of the layout and navigability. Instead, they proved to be much appreciated, although some improvements were suggested.

Most of our visitors asked for more content: tools, exploits and, above all, new research.

As you may already have noticed, we are adding the most important exploits every day, not just as an external link, but as our own content.
Moreover, Basher is taking care of the tools, and we are adding 2-3 new tools every week, with snapshots and descriptions.

As I am personally more and more busy with Security Brigade and the old staff are busy with their day jobs, we are still looking for people willing to take part in our projects. We mainly need web developers and content providers, and we are open to anyone who wants to use our large audience to start blogging on our blogs.

I have many projects on paper; I only need help from you ;)

Anyway, I wish a great 2009 to all of our members!

Wednesday, December 10, 2008

IE7 Exploits for XP and Vista published

| Armando Romeo |
A few hours after our last post, milw0rm published the PoC of the Internet Explorer 7 0day, for both XP SP3 and Vista SP0.
Vista SP1 users are advised not to use IE7 either until Microsoft provides a patch (an unpublished exploit for SP1 may still be in the wild).

Proofs of concept for XP and Vista.

If you want a long-term patch, please go here.

IE 7 0day allows malware spreading

| Armando Romeo |
A patch for Internet Explorer 7 on Windows XP SP2 should be available shortly, as a new 0day has been uncovered on a Chinese forum.

The 0day appears to exploit a vulnerability in XML handling and allows silent download and execution of malware. More details will be added later.

The story is available here.

Tuesday, December 9, 2008

Obama and the new CyberSecurity Army

| Armando Romeo |
President Obama will officially announce a new department to protect cyberspace from hackers, thieves and foreign agents, coordinating security efforts across U.S. military, intelligence and civilian agencies.

The new effort is meant to protect US government assets from random hackers, but above all from foreign government threats.

Although the department will keep the name "Einstein", given to it under GW Bush, it will have much more power to respond to and defeat cyber threats.

U.S. options could include trade or financial sanctions or military attacks in response to hacking attempts.

It seems to me that we are giving more power to the hackers this way. And it's a big mistake.
Fighting cybercrime should be a cyber fight. A skills fight.

If a bunch of hackers have the power to cause financial sanctions (not to mention military attacks), more and more people will try to hack the Pentagon.

You cannot demonstrate whether it was a Chinese hacker who broke into Merkel's laptop and launched an attack from there. Would they bomb Germany?

Monday, December 8, 2008

AVID - Antivirus is Dead!

| Yash Kadakia |
Late last night I was surfing some forums looking at interesting posts, and I noticed one about an MD5 cracker that utilized various free online services.

Intrigued, I downloaded this utility. However, suspecting a virus or trojan of some kind, I ran it through 37 anti-virus scanners via VirusTotal (Free Online Virus and Malware Scan). Nothing! Every scanner on the market gave it a clean chit, including every single heuristic feature these scanners boast.

Being as paranoid as I am, I finally ran this utility through Sandboxie. A few seconds later, Comodo Firewall Pro came up with an alert: the utility was trying to connect to an FTP server. I instantly ran Wireshark and sniffed the username/password credentials for the FTP server.

I put these details into FileZilla and in a few seconds I was connected to the server. The server was filled with log files from hundreds of users. The malware had dumped saved passwords from IE, Chrome, Firefox etc. and uploaded these log files to the server. After downloading a few of these files for deeper investigation, I deleted every file on the server to ensure that the compromised users would not have their information hijacked.

On further investigation of the log files, the virus seemed to be one from mutX.org. I was thoroughly disappointed that a known virus strain could evade every single anti-virus scanner on the market even though it had such obvious heuristic traits as dumping information from browsers and MSN Messenger and uploading it to a rogue FTP server.

This entire episode reminded me of a podcast I heard last week where Robin Bloor was a guest discussing AVID (Antivirus is Dead). After this particular incident, I couldn't agree more with Robin. If this particular incident had targeted an organization as opposed to some security forums, it could have caused massive damage and probable financial loss to those organizations.

I have always been a fan of layered security, and in this particular instance layering Avira AntiVir, Comodo Firewall Pro, Sandboxie etc. together really paid off.

Originally from: Yash Kadakia's Blog
