Friday, 29 May 2015

BSides London 2015 - Virtual Terminals, POS Security and Becoming a Billionaire Overnight!

Yes, it is true. The talk was short-listed and it was voted for the BSides London 2015 conference! Thank you all for voting for my talk. 

I am looking forward to fantastic line-up of talks at the conference. As you probably noticed at the schedule page, the session is not to be recorded due to the sensitive content, so please, do respect this request. 

This means that if you want to find out more about the talk, you will have to be there and attend the session
Tripwire (@TripwireInc) posted a short article about my forthcoming Security BSides London 2015 talk, which you can find at this link.
 
As far as I know Track 2 is quite big and I really hope there are going to be enough spaces for everyone. For those attending the talk, mark it down on your schedule, tweet about it and follow me @drgfragkos to find out more! :) 

I have only one thing to say to you for now: Great things do come, to those who attend ;)

If you want to tweet about the talk dont forget to use the BSides London 2015 handler: #BSidesLDN2015

Copy-Past Tweet for sharing: 

Virtual Terminals, #POS Security and Becoming a Billionaire Overnight! via @drgfragkos at @BSidesLondon #BSidesLDN2015

I am looking forward to the event, hoping to have a chance to speak to all of you at the conference and potentially share a drink or two. I really appreciate your interest in this field and I can only hope my talk will keep you all excited once more. I really believe that anyone who has the opportunity to be at this conference should not miss the chance. We are all going to be there and if you have like five minutes to spare, come and say hi.

Tuesday, 26 May 2015

NitlovePOS - POS terminals being targeted through phishing emails

Cyber-criminals and fraudsters have started targeting employees working on Point-of-Sales terminals in order to get their hands on card details. 

There is now evidence that social engineering and spear phishing emails are actively being used and have become the next attack method against employees who have access to payment applications, virtual terminals and electronic cash registries. 
The new malware is named NitlovePOS [Virus Total Detection Rate] and it targets track one and track two data by scanning the processes running. In other words, it is yet another memory-scraping malware that sends the captured data to a remote server over SSL.


Monday, 25 May 2015

Personal Greeting for your mobile phone, using a bash script, Kali Linux and the Raspberry Pi

First of all, this is a quick way for making your Kali Linux speak. I am going to tell about a couple of ways to do text-to-speech on your Linux box. I used this for fun, for having audio alerts embedded to my applications and finally for recording a personal greeting for my phone. 
I started playing with espeak, and experimented with the different voices. The espeak application is fantastic but the different voices/languages it has, are too computerised. They do not sound as natural as you would have expected. However, for some quick tasks like listening to your LAN and/or WAN IP address, it can be useful, and cool.

Friday, 22 May 2015

Adult Friend Finder data breach, the aftermath...

Did you hear about the Adult Friend Finder data breach? Of course you did, it’s all over the news [1] [2] and it is getting major attention due to the spicy nature of the content. 
The online adult service was breached and 3.8 million accounts became public. 

The information including sexual preference, marital status and other personal data (such as, date of birth, email addresses and postal/home addresses) are now all publicly available

Well, we have seen data breaches before, but how is this data breach a little bit different??

Up to now, every article I read online about this incident treats it as yet another data breach, without paying any attention to the effects such a data breach will bring to people. Let us see the issues that come to mind, one by one in the following lines. 

Wednesday, 20 May 2015

Logjam attack - Diffie-Hellman key exchange weakness (a quick and brief explanation)

A study was published regarding the security of the Diffie-Hellman key exchange. This popular cryptographic algorithm can be found among many protocols such as HTTPS, SSH, IPsec, SMTPS and it is used for sharing a key and establishing a secure connection. 

The weaknesses uncovered affect websites, mail servers, and other TLS-dependent services that support DHE_EXPORT ciphers. The exploitation of this vulnerability  was given the name Logjam attack [1] and depends on how Diffie-Hellman key exchange has been deployed in each case. 

The Logjam attack against TLS can be performed by downgrading vulnerable TLS connections to 512-bit export-grade cryptography, allowing the man-in-the-middle (MiTM) attacker to read and modify any data passed over the connection. At the moment, this attack affects all modern web browsers. 

Thursday, 14 May 2015

ozwpan driver - Remote packet-of-death vulnerabilities in Linux Kernel

"The ozwpan driver accepts network packets, parses them, and converts them into various USB functionality. There are numerous security vulnerabilities in the handling of these packets. Two of them result in a memcpy(kernel_buffer, network_packet, -length), one of them is a divide-by-zero, and one of them is a loop that decrements -1 until it's zero." [1]
1. A remote packet can be sent, resulting in funny subtractions of
signed integers, which causes a memcpy(kernel_heap, network_user_buffer, -network_user_provided_length).

There are two different conditions that can lead to this:
https://lkml.org/lkml/2015/5/13/740
https://lkml.org/lkml/2015/5/13/744

2. A remote packet can be sent, resulting in divide-by-zero in softirq, causing hard crash:
https://lkml.org/lkml/2015/5/13/741

3. A remote packet can be sent, resulting in a funny subtraction, causing an insanely big loop to lock up the kernel: https://lkml.org/lkml/2015/5/13/742

4. Multiple out-of-bounds reads, resulting in possible information leakage, explained in the last paragraph of the introductory email here: https://lkml.org/lkml/2015/5/13/739

The above is a repost of this: http://seclists.org/oss-sec/2015/q2/446

You may find more information about ozwpan here: https://lkml.org/lkml/2015/5/13/739

[1] https://lkml.org/lkml/2015/5/13/739

Wednesday, 13 May 2015

VENOM Vulnerability - Virtualized Environment Neglected Operations Manipulation

VENOM is short for Virtualized Environment Neglected Operations Manipulation and it is a vulnerability in the QEMU’s virtual Floppy Disk Controller (FDC). The vulnerable code is used in numerous virtualization platforms and appliances such as Xen, KVM, and the native QEMU client. 

The vulnerability has been assigned the following CVE (CVE-2015-3456). As far as we know, VMware, Microsoft Hyper-V, and the Bochs hypervisors are not impacted by this. 

The interesting fact about VENOM is that it applies to a wide range of virtualization platforms (using the default configurations) and it allows for arbitrary code execution. Due to the fact that the vulnerability exists in the hypervisor’s codebase, it affects all host and guest Operating Systems. 

However, the vulnerability can be exploited only with escalated privileges (root, administrator). 

Saturday, 9 May 2015

{ } YARA - The pattern matching swiss knife for malware researchers

This is a blog post about YARA, the pattern matching tool which allows malware researchers to identify and classify malware samples. It is a very interesting tool and fairly easy to get the hand of it. In a few lines of code you can create descriptions of malware families (or anything else you would like to describe) based on textual or binary patters. 

You can create simple rules or more complex ones, depending on what you trying to do. It supports wild-cards, case-insensitive strings, regular expressions, special operators and has a number of additional features to play with. 

YARA is also multi-platform! It can be run on Windows, Linux and Mac OS X. It can be used through its command-line interface or from your own Python scripts with the yara-python extension.

Wednesday, 6 May 2015

Download recursively all files from a certain directory listing using wget

This is going to be a quick blog post about wget which I believe it is very interesting for you to know how to do this. From your Linux box you can use wget to recursively download all the files listed in a directory listing. 

If you have seen something similar to Figure 1, then this is what directory listing looks like. If someone wants you to have access to their files on the web server through HTTP then it is a quick and easy way of doing it, but most of the time is a misconfiguration allowing the hosted files to be publicly available to unauthorised users. 

Figure 1 - Directory Listing


Saturday, 2 May 2015

Things you should know about the Opera browser (Presto) and its features

For me, the ultimate browser is the Opera Web Browser. I have been using Opera as my default browser under Windows since 2001 (Mozilla under Linux) where I had the luxury of having multiple tabs open while I was enjoying the amazing speed of the fastest browser at the time. Due to the fact most viruses were being written at the time to affect Internet Explorer, Opera was unaffected by malicious scripts and viruses hosted on web servers/portals. Also, one of the most life saving features of Opera was that whatever happened to the OS (the OS used to hang and crash a lot back then) you would never loose your work! All my tabs, with all the things I was reading/researching were kept as they were, no matter what e.g. power failure. 

Many "experts" at the time were claiming that a multi-tab browser is a pointless feature because you are always going to be using one tab in front of you at any time anyway. Today the answer to these people seems obvious, but back then it was a nightmare to convince these "opinionated experts"  that multi-tab browsing is the future. 

Friday, 1 May 2015

Cyber Essentials Scheme explained

Cyber Security is of increasing importance to private companies, SMEs and organisations. Becoming certified against a cyber security standard can be proven a trivial task. Getting familiar with the Cyber Essentials Scheme might proven invaluable when it comes to the cyber security of a business/organisation and to obtaining government contracts. Becoming certified to a cyber security standard significantly lowers the risk of becoming the victim of a data breach. 

According to the Verizon Data Breach Investigations Report (2013-2015) most of the attacks require very little skill or experience to be carried out. Consequently, the UK government in order to roll out a basic level of security for protecting businesses against these widely spread cyber attacks (usually low-tech attacks) introduced the Cyber Essentials Scheme on the 1st of October 2014.