Posts Tagged ‘security’

Goodbye Applets: Another Cruddy Piece of Web Tech Is Finally Going Away | WIRED

Tuesday, March 8th, 2016

Another piece of old, insecure web infrastructure is about to be killed off.

Oracle says that it’s discontinuing its Java browser plugin starting with the next big release of the programming language. No, Oracle isn’t killing the Java programming language itself, which is still widely used by many companies. Nor is it killing off JavaScript, which is a completely different language that Oracle doesn’t control. What Oracle is getting rid of is a plugin that allows you to run programs known as “Java applets” in your browser.You may not think you even have the Java plugin installed, but if you’ve ever installed Java, or if Java came pre-installed on your computer, then you probably do, even if you never use it. The good news is that Oracle won’t be automatically installing the Java plugin when you install Java anymore. The bad news is that it won’t be providing security updates anymore either, so you should go ahead and uninstall it now. In fact, there’s a good chance you can uninstall Java entirely.

Source: Goodbye Applets: Another Cruddy Piece of Web Tech Is Finally Going Away | WIRED

Password hash cracking on a Juniper ScreenOS device

Monday, January 4th, 2016

So the Juniper Netscreen/SSG ScreenOS password hash is a bit of a hidden mystery. I had in my hand the config of a Netscreen device and I wanted to perform a reverse of the password hashes to see if they were weak.

In this case here’s the line from the config:

1
set admin user “admin” password “nAePB0rfAm+Nc4YO3s0JwPHtRXIHdn” privilege “all”

John The ripper has supported Netscreen passwords since back in 2008 when Samuel Moñux released this patch. Unfortunately John was too slow for my needs as I was up against a deadline, thus I looked at the faster approach of using the GPU to perform the cracking. Hashcat is the best tool for the job but unfortunately Hashcat didn’t support this hashing algorithm. :-(

After a looking through jar source code I found this python script which can generate a Netscreen hash, getting warmer. Here’s a shortened version of the code to show just the function we’re interested in:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
def makepass(user, password):
middle = “Administration Tools”
s = “%s:%s:%s” % (user, middle, password)
print s
m = hashlib.md5(s).digest()
narray = []for i in range(8):
n1 = ord(m[2*i])
n2 = ord(m[2*i+1])
narray.append( (n1<<8 & 0xff00) | (n2 & 0xff) )

res = “”
for i in narray:
p1 = i >> 12 & 0xf
p2 = i >> 6  & 0x3f
p3 = i       & 0x3f
res += b64[p1] + b64[p2] + b64[p3]

for c, n in  zip(“nrcstn”, [0, 6, 12, 17, 23, 29]):
res = res[:n] + c + res[n:]
return res

After looking through the code it is clear that there is a fixed salt of Administration Tools and a salt of the username(lines 2 and 3).
The code then takes each 2 chars and adds the binaries together(lines 8-11)
From this it creates 3 characters from the 16bits(lines 14-18)
And finally is scatters the letters n,r,c,s,t & n onto the hash in specific places (lines 20 and 21)
It’s worth noting that the letters nrcstn is actually NeTSCReeN in reverse without the e’s :-)

Using this code it was possible to write some new code to reverse backwards through the steps in order to go from a Netscreen hash back to the raw MD5 hash. Here’s the function for this:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
def reversetomd5(knownhash):
# strip out nrcstn fixed characters
clean=“”
for i in [1,2,3,4,5,7,8,9,10,11,13,14,15,16,18,19,20,21,22,24,25,26,27,28]:
clean+=knownhash[i]# create blocks
block=[]
for i in xrange(2,24,3):
p1 = b64.index(clean[i-2])
p2 = b64.index(clean[i-1])
p3 = b64.index(clean[i])
block.append(p1 << 12 | p2 << 6 | p3)

# split block into half and find out character for each decimal
md5hash=“”
for i in block:
n1 = i >> 8
n2 = i & 0xff
md5hash+=chr(n1)+chr(n2)
return binascii.hexlify(md5hash)

Using this function you are able to give it a Netscreen hash and you’ll get back the raw MD5.

1
Knownhash of:nAePB0rfAm+Nc4YO3s0JwPHtRXIHdn has MD5Hash of: 078f1d1f09bede18edf49c0f745781dd

Now using the power of GPU cracking and my favourite tool Hashcat it is possible to crack the hash. We need to put the hash in a format that hashcat can understand so we create a file called netscreen.txt and put the hash in the following format(note the training colon after the fixed salt):

1
2
[hash]:[user]:Administration Tools:
078f1d1f09bede18edf49c0f745781dd:admin:Administration Tools:

We then use hashcat’s mode 20 which is md5($salt.$pass) to crack the hash:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
C:\cudaHashcat64.exe -m 20 netscreen.txt rockyou.txt
cudaHashcat v1.01 starting…
Hashes: 1 total, 1 unique salts, 1 unique digests
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: GeForce GTX 660M, 2048MB, 950Mhz, 2MCU
Device #1: Kernel ./kernels/4318/m0020_a0.sm_30.64.ptx
Device #1: Kernel ./kernels/4318/bzero.64.ptxGenerated dictionary stats for rockyou.txt: 139921541 bytes, 14344395 words, 14343300 keyspace

078f1d1f09bede18edf49c0f745781dd:admin:Administration Tools::MySecretPassword

Session.Name…: cudaHashcat
Status………: Cracked
Input.Mode…..: File (rockyou.txt)
Hash.Target….: 078f1d1f09bede18edf49c0f745781dd:admin:Administration Tools:
Hash.Type……: md5($salt.$pass)
Time.Started…: Fri Jan 10 15:03:24 2014 (5 secs)
Speed.GPU.#1…:  4886.1 kH/s
Recovered……: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress…….: 11109723/14343300 (77.46%)
Rejected…….: 1371/11109723 (0.01%)
HWMon.GPU.#1…:  0% Util, 41c Temp, N/A Fan

Started: Fri Jan 10 15:03:24 2014
Stopped: Fri Jan 10 15:03:32 2014

Bingo it’s cracked the hash with the password MySecretPassword

As this algorithm uses more than just a fixed salt to create the hash I’ll speak to Atom (the creator of hashcat) to see if he want’s to implement it into a future release, but until then this code should help you in cracking netscreen passwords.

Update: Atom has added this hash type to oclHashcat as of version 1.20 https://hashcat.net/hashcat/ (Feature request here: https://hashcat.net/trac/ticket/235)

 

This article’s Original Author:

https://www.phillips321.co.uk/2014/01/10/cracking-a-juniper-netscreen-screenos-password-hash/

Unpatched Mac OS X Zero-day Bug Allows Root Access Without Password

Tuesday, August 4th, 2015

Hackers have their hands on something of your concern. A severe zero-day vulnerability in the latest, fully patched version of Apple’s Mac OS X is reportedly being exploited in the wild by the hackers. The vulnerability could allow attackers to install malware and adware onto a target Mac, running OS X 10.10 (Yosemite) operating system, without requiring victims to enter system passwords, a new report says. The zero-day bug came over a week after security researcher Stefan Esser discovered a privilege escalation zero-day vulnerability in the latest version of Apple’s OS X Yosemite that caused due to environment variable DYLD_PRINT_TO_FILE and dynamic linker dyld, new error-logging features added to the operating system. The developers failed to implement standard safeguards that are needed while adding support for new environment variables to the OS X dynamic linker dyld, allowing hackers to create or modify files with root privileges that can fit anywhere in the Mac OS X file system. OS X Zero-Day Exploit in the Wild Now, security researchers from anti-malware firm Malwarebytes spotted a malicious installer in the wild that was exploiting the zero-day vulnerability to infect Macs with different types of adware including VSearch, MacKeeper and Genieo.

The issue actually resides in a hidden Unix file – Sudoers – which is actually a list of files as to which software are allowed to get root permissions on a computer. However, a modification to the Sudoers allowed the installer to gain root level permissions without the need of password from an administrator. The issue was discovered by Adam Thomas while testing a new adware installer. “The script that exploits the DYLD_PRINT_TO_FILE vulnerability is written to a file and then executed,” Malwarebytes researchers explains in a blog post. “Part of the script involves deleting itself when it’s finished.” “The real meat of the script, though, involves modifying the Sudoers file.

The change made by the script allows shell commands to be executed as root using sudo, without the usual requirement for entering a password.” No Way Out for Mac Users The zero-day flaw affects both the current stable Mac version OS X 10.10 (build 10.10.4) and the recent Beta build OS X 10.10.5 (Yosemite). Good news for Mac users who are running Mac OS X 10.11 El Capitan Beta builds, as it appears that they are not affected by the zero-day flaw. Until Apple patches this critical issue, you don’t have any good options to prevent a skilled hacker from installing malware on your Mac systems, beyond using a patch created by Esser himself, which can be downloaded from here. No doubt, Esser is a respected security researcher, but installing a patch from a third party developer can be a risky. Therefore, we advise you to fully investigate the patch before installing.

Source: Unpatched Mac OS X Zero-day Bug Allows Root Access Without Password

Major flaw could let lone-wolf hacker bring down huge swaths of Internet | Ars Technica

Tuesday, August 4th, 2015

A recently disclosed vulnerability in Bind, the most widely used software for translating human-friendly domain names into IP addresses used by servers, makes it possible for lone-wolf attackers to bring down huge swaths of the Internet, a security researcher has warned.The flaw, which involves the way that Bind handles some queries related to transaction key records, resides in all major versions of the software from 9.1.0 to 9.8.x, 9.9.0 to 9.9.7-P1, and 9.10.0 to 9.10.2-P2. Attackers can exploit it by sending vulnerable servers a malformed packet that’s trivial to create. Vulnerable servers, in turn, will promptly crash. There are no indications that the vulnerability is being actively exploited in the wild, and the bug wasn’t disclosed until a fix was in place. Still, the critical vulnerability underscores the fragility of Bind, which despite its three decades in use and unwieldy code remains the staple for the Internet’s domain name system.Rob Graham, CEO of penetration testing firm Errata Security, reviewed some of the Bind source code and the advisory that Bind developers issued earlier this week and made this sobering assessment:BIND9 is the oldest and most popular DNS server. Today, they announced a DoS vulnerability was announced that would crash the server with a simply crafted query. I could use my “masscan” tool to blanket the Internet with those packets and crash all publicly facing BIND9 DNS servers in about an hour. A single vuln doesn’t mean much, but if you look at the recent BIND9 vulns, you see a pattern forming. BIND9 has lots of problems—problems that critical infrastructure software should not have.Its biggest problem is that it has too many features. It attempts to implement every possible DNS feature known to man, few of which are needed on publicly facing servers. Today’s bug was in the rarely used “TKEY” feature, for example. DNS servers exposed to the public should have the minimum number of features—the server priding itself on having the maximum number of features is automatically disqualified.Normally, denial-of-service bugs receive low-severity ratings, but when they’re present in servers that form the Internet’s very core, the risks are much higher. Graham regularly scans almost the entire Internet to get an estimate of how many servers remain affected by the Heartbleed vulnerability in OpenSSL and other major software weaknesses. He said Bind’s code base still isn’t as bloated as that of OpenSSL, but it’s much slower than it should be despite being written using C and C++. The result: Bind has all the security weaknesses that come with those programming languages without the speed that often justifies their use anyway.Graham concluded:The point I’m trying to make here is that BIND9 should not be exposed to the public. It has code problems that should be unacceptable in this day and age of cybersecurity. Even if it were written perfectly, it has far too many features to be trustworthy. Its feature-richness makes it a great hidden master, it’s just all those feature get in the way of it being a simple authoritative slave server, or a simple resolver. They shouldn’t rewrite it from scratch, but if they did, they should choose a safe language and not use C/C++.

Source: Major flaw could let lone-wolf hacker bring down huge swaths of Internet | Ars Technica

rpp0/aggr-inject · GitHub

Thursday, July 2nd, 2015

aggr-inject is a proof-of-concept implementation of the A-MPDU subframe injection attack, which allows an attacker to inject raw Wi-Fi frames into unencrypted networks remotely. The PoC exploits a vulnerability in the 802.11n frame aggregation mechanism and can be performed against almost any modern Wi-Fi chipset, given that the target is connected to an open network. Results from this research were published in a paper and presented at the ACM WiSec 2015 security conference.

https://github.com/rpp0/aggr-inject

InfoSec Diary – Putty 0.64 released last week with New Features!

Thursday, March 5th, 2015

Putty 0.64 released last week (sorry, we missed it) – private-key-not-wiped-2 and diffie-hellman-range-check security issues resolved.

These features are new in beta 0.64 (released 2015-02-28):

  • Security fix: PuTTY no longer retains the private half of users’ keys in memory by mistake after authenticating with them. See private-key-not-wiped-2. (Sorry! We thought we’d fixed that in 0.63, but missed one.)
  • Support for SSH connection sharing, so that multiple instances of PuTTY to the same host can share a single SSH connection instead of all having to log in independently.
  • Command-line and configuration option to specify the expected host key(s).
  • Defaults change: PuTTY now defaults to SSH-2 only, instead of its previous default of SSH-2 preferred.
  • Local socket errors in port-forwarded connections are now recorded in the PuTTY Event Log.
  • Bug fix: repeat key exchanges in the middle of an SSH session now never cause an annoying interactive host key prompt.
  • Bug fix: reset the bolded-text default setting back to what it used to be. (0.63 set it to something wrong, as a side effect of refactoring.)
  • Bug fix: IPv6 literals are handled sensibly throughout the suite, if you enclose them in square brackets to prevent the colons being mistaken for a :port suffix.
  • Bug fix: IPv6 dynamic port forwardings should work again.

See http://www.chiark.greenend.org.uk/~sgtatham/putty/ and http://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html

via InfoSec Handlers Diary Blog – Putty 0.64 released last week (sorry, we missed it) – private-key-not-wiped-2 and diffie-hellman-range-check security issues resolved. See http://www.chiark.greenend.org.uk/~sgtatham/putty/ and http://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html.

Lenovo, Google websites hijacked by a DNS attacks | PCWorld

Thursday, February 26th, 2015

The redirection of both Lenovo’s website and Google’s main search page for Vietnam this week highlights weaknesses with the Internet’s addressing system.

On Wednesday, visitors to lenovo.com were greeted with what appeared to be webcam images of a bored young man sitting in a bedroom, and the song “Breaking Free” from an old Disney movie. On Monday, Google’s site for Vietnam also briefly redirected people to another website.

Both Google and Lenovo were victims of “domain hijacking,” a type of attack against the Domain Name System (DNS), which translates domain names into IP addresses that can be called into a browser.

The domain name records for both companies were modified to redirect to different websites when people entered “lenovo.com” and “google.com.vn.”

The changes were apparently made through Web Commerce Communications, known as Webnic.cc, a Malaysian company that registers domains names.

The hacker group Lizard Squad has claimed credit for the defacements. Lenovo appeared to restore service at one point on Wednesday afternoon, but later was unavailable due to system maintenance, a notice said. Webnic.cc could not be immediately reached for comment.

In Lenovo’s case, the hackers changed Lenovo’s domain name registration details to redirect to nameservers at CloudFlare, a San Francisco-based company that specializes in bettering the performance of websites through extensive caching. Nameservers tell a computer which IP address to look up to view a website.

lenovo1

Lenovo’s home page appears to have been hacked

CloudFlare’s servers then redirected people trying to go to lenovo.com to two IP addresses hosted in the Netherlands by the company Digital Ocean, said Andrew Hay, senior security research lead for OpenDNS, a company that specializes in DNS-related security.

Those redirected to the other sites saw the webcam images of the bored young man. The source code for the Web page included the line: “The new and improved rebranded Lenovo website featuring Ryan King and Rory Andrew Godfrey,” referring to persons who have reportedly been connected to the hacker group Lizard Squad.

The Lizard Squad’s access to Lenovo’s registrant account also allowed it to capture some of Lenovo’s email, which the group posted excerpts of on Twitter.

Lenovo has already been under pressure in the last week for pre-installing a secretive application called Superfish on its laptops, which substitutes some ads on encrypted websites but also created a major security vulnerability.

CloudFlare offers free services that are sometimes abused by miscreants, but the company said it moved fast to help fix Lenovo’s problem.

“As soon as we saw the unauthorized transfer, we took control of the account, notified Lenovo and worked with them to restore service while they worked on getting their domain back,” said Marc Rogers, principal security researcher at CloudFlare.

On Monday, Google’s site for Vietnam briefly redirected people to another website. Like Lenovo, Google also had its google.com.vn domain name registered with Webnic.

It is possible that Webnic.cc has a vulnerability in its network that was discovered by the Lizard Squad and allowed changes to be made to domain name registrations. Another possibility is that the Lizard Squad obtained the authentication credentials used by those companies to modify domain name records.

It’s considered a low-brow style of attack, but changes to domain name records can be dangerous for Web users since there’s little they can do to protect themselves.

Such attacks—especially against websites that receive a lot of traffic—are powerful because attackers could redirect them to websites that try to automatically install malicious software. But that doesn’t appear to be the case with either the Lenovo or Google redirects.

via Lenovo, Google websites hijacked by a DNS attacks | PCWorld.

Information Regarding Server Issues for VyprVPN Customers in China | Golden Frog

Friday, January 23rd, 2015

We are aware of recent network issues affecting our VyprVPN customers in China. If you are in China and are having trouble connecting to several different VPN server locations, including US and Australia servers, please use the following locations:

Netherlands

Hong Kong

Connections to these locations have been successful, but may not have a 100% success rate. In the event one of those locations fails, please try another.

Thank you for your patience in this matter. We are investigating the issue and will provide you with an update once we have additional information.

via Information Regarding Server Issues for VyprVPN Customers in China | Golden Frog.

Two Million Cars Using Wireless Insurance Dongle Vulnerable to Hacking

Wednesday, January 21st, 2015

 

Two Million Cars Using Wireless Insurance Dongle Vulnerable to Hacking

2015 will be a year more smarter than 2014 with smarter mobile devices, smarter home appliances, and yes Smarter Automobiles. Nowadays, there are a number of automobiles companies offering vehicles that run on a mostly drive-by-wire system, meaning that a majority of the controls are electronically controlled, from instrument cluster to steering, brakes, and accelerator as well.

No doubt these systems makes your driving experience better, but at the same time they also increase the risk of getting hacked.

According to a recent research, an electronic dongle used to plugged into the on-board diagnostic port of more than two million cars and trucks contains few security weaknesses that makes them vulnerable to wireless attacks, resulting in taking control of the entire vehicle.

Since 2008, US-based Progressive Insurance has used the SnapShot device in more than two million vehicles. The little device monitors and tracks users’ driving behavior by collecting vehicle location and speed records, in order to help determine if they qualify for lower rates.

However, the security researcher Corey Thuen has revealed that the dongle is insecure and performs no validation or signing of firmware updates. It has no secure boot mechanism, no cellular communications authentication, and uses no secure communications protocols, possibly putting the lives of people inside the vehicle in danger.

“The firmware running on the dongle is minimal and insecure. It does no validation or signing of firmware updates, no secure boot, no cellular authentication, no secure communications or encryption, no data execution prevention or attack mitigation technologies … basically it uses no security technologies whatsoever,” Thuen told Forbes.

SnapShot plugs into the OBDII port of Thuen’s 2013 Toyota Tundra pickup truck. Thuen said that an attack on the adjacent modem, which handles the connection between Progressive’s servers and the dongle, was possible too, which could allow a potentially deadly takeover of the car’s acceleration and braking.

“What happens if Progressive’s servers are compromised? An attacker who controls that dongle has full control of the vehicle,” he added.

“A skilled attacker could almost certainly compromise such dongles to gain remote control of a vehicle, or even an entire fleet of vehicles. Once compromised, the consequences range from privacy data loss to life and limb.”

Mr. Thuen presented the detailed analysis of the research last week at the S4x15 Conference in Miami. The research highlighted the minimal protections included with many widely used car computer systems. While he focused on dongles from Progressive, he also warned that devices from other insurance companies could also be at risk.

Progressive officials has said they were confident SnapShot was secure and were not informed about the flaws by Mr Theun before he revealed them at a computer security conference. However the company said it welcomes input on identifying security weaknesses so that they could evaluate it and make any necessary improvements.

via Two Million Cars Using Wireless Insurance Dongle Vulnerable to Hacking – Hacker News.

Worst passwords of 2014 are just as terrible as you’d think

Tuesday, January 20th, 2015

weak-password-dragon

If the onset of high-profile hackings taught us anything in 2014, it’s absolutely nothing.

Password management firm SplashData released its annual list of the worst passwords of the year and it’s just as dreadful as you’d think. The company, which analyzed the 3 million passwords leaked online last year, revealed that the most common leaked password in 2014 was “123456,” followed by “password” — both topped the list last year, too.

Of course, the more common a password is the higher the chances a hacker can get into personal accounts, like email and banking.

While number sequences were as popular as ever, sports terms like “baseball” and “football” were used more often, as well as words related to favorite sports teams — “yankees,” “eagles,” “steelers,” “rangers” and “lakers” all made the top 100.

Birthday years were common too (especially 1989, 1990, 1991 and 1992) and names like “Michael,” “Jennifer,” “Michelle” and “Hunter” are also among the top 100 worst passwords of 2014.

Here’s a look at the top 25 passwords of the year:

1. 123456 (Unchanged from 2013)

2. password (Unchanged)

3. 12345 (Up 17)

4. 12345678 (Down 1)

5. qwerty (Down 1)

6. 234567890 (Unchanged)

7. 1234 (Up 9)

8. baseball (New)

9. dragon (New)

10. football (New)

11. 1234567 (Down 4)

12. monkey (Up 5)

13. letmein (Up 1)

14. abc123 (Down 9)

15. 111111 (Down 8)

16. mustang (New)

17. access (New)

18. shadow (Unchanged)

19. master (New)

20. michael (New)

21. superman (New)

22. 696969 (New)

23. 123123 (Down 12)

24. batman (New)

25. trustno1 (Down 1)

The list is particularly scary as it comes on the heels of major hacking attacks against companies like Sony Pictures and the celebrity nude photo scandal that hit last year.

This year’s worst passwords are painfully weak, but what were once considered clever password strategies — using symbols, capitalizations, the number 3 in place of the letter “e” — are old tricks.

This year’s worst passwords are painfully weak, but what were once considered clever password strategies — using symbols, capitalizations, the number 3 in place of the letter “e” — are old tricks. As a refresher, it’s now recommended to pick a different password for each account you use — you wouldn’t use the same key in all of your locks, and the same goes for passwords.

Another tip to remember is that passwords should be 14 characters long and you should avoid words with personal information, like your birthday and favorite color. Scatter numbers and symbols throughout your password (don’t just tack them onto the end) and pick word combinations that aren’t related (e.g. something like “catfoldersspaceshuttle” and not “icameisawiconquered”).

Companies like Gmail, Facebook, Twitter and Apple are now trying to make hacking more difficult on their services by offering two-factor authentication, which is basically like double locking your door at night. Each time you want to log into that account, the company will send a code to your phone — it changes after each login attempt, so hackers would have to be in physical possession of your smartphone to know the code.

via Worst passwords of 2014 are just as terrible as you’d think.