InfoSec Daily Podcast Episode 620 for March 15, 2012. Tonight's podcast is hosted by Rick Hayes, Boris Sverdlik, Adrian Crenshaw, and Karthik Rangarajan.
Announcements:
InfoSec Southwest
When: March 30-April 1
Where: Austin, TX
http://www.Infosecsouthwest.com
Outerz0ne 2012
When: April 20-22, 2012
Where: Atlanta, GA
http://www.outerz0ne.org
Linuxfest Northwest 2012
When: Saturday, April 28th-29th, 2012
Where: Bellingham Technical College – Bellingham, WA
http://www.linuxfestnorthwest.org/
AIDE 2012
When: May 21-25, 2012
Where: MU Forensic Science Center – Huntington, West Virginia
http://www.appyide.org/
LayerOne 2012
When: May 26-27, 2012
Where: Clarion Hotel – Anaheim, CA
http://www.layerone.org
Security 504: Hacker Techniques, Exploits & Incident Handling – Matt Romanek
When: June 20 – 27, 2012
Where: Courtyard Seattle Federal Way, WA
http://www.sans.org/mentor/details.php?nid=28014
Social Engineering Training
When: July 21-24, 2012
Where: Black Hat Vegas
When: August 20-24, 2012
Where: Bristol, UK
When: November 12-16, 2012
Where: Columbia, MD
http://www.social-engineer.com/social-engineer-training
Inside and Out of the Social-Engineer Toolkit (SET)
When: July 21 – 22, 2012
When: July 23 – 24, 2012
Where: Black Hat Vegas
http://blackhat.com/html/bh-us-12/training/courses/bh-us-12-training_social_engineer_toolkit.html
DerbyCon 2012 – The “Deuce” Reunion
When: September 27-30, 2012
Where: Louisville, KY
http://www.derbycon.com
Thanks to everyone that has purchased products from Amazon through the affiliate program. If you’re not familiar with the affiliate program, simply go to http://www.isdpodcast.com and locate the Affiliate Program link on the right hand side.
Stories
Source: http://pastebin.com/jZt9gmD5
Source: http://pastebin.com/fFWkezQH
Source: http://www.9170.org/post-421.html
There are currently three, possibly more, PoC examples for MS12-020 that are floating around. When you look at these you’ll notice first that they were supposedly coded by ‘sabu@fbi.gov’ and that they require FreeRDP for the code to function. This is not surprising since it’s an RDP vulnerability that we’re looking to exploit. The problem comes when you try to utilize a python module named freerdp.
from freerdp import rdpRdp
from freerdp import crypto
from freerdp.rdpRdp import rdpNego
It might not surprise you to learn that there is no freerdp module included with FreeRDP, so we reached out to the developers of the FreeRDP project, nice work BTW, to see if they could confirmed the existance of a FreeRDP module for Python. According to FreeRDP developer Marc-André Moreau, there is no known freerdp python module. There has never been any reason to write one since FreeRDP wouldn’t be usable from within Python. Therefore when you combine the fact that this module is required along with the shell code from the MS08-067 exploit, but interestingly a completely different (and significantly larger) payload. There are some undeniable similarity between the PoC and the MS08-067 exploit: http://downloads.securityfocus.com/vulnerabilities/exploits/31874.py. Also the ‘payload’ is strikingly similar to an apache exploit: http://www.chroot.org/exploits/chroot_uu_011.
It has been confirmed that a working PoC has been confirmed to cause a blue screen on a patched to ms11-065 Windows XP SP3. There are currently efforts ongoing to fully understand why the crash is occurring. Determine methods for getting a crash reliably (currently the PoC doesn't always cause a crash). Craft an open source version of the trigger (instead of this binary rdpclient.exe) and determine a mechanisms for sculpting heap memory to get control
….
Source: http://www.wired.com/threatlevel/2012/03/fbi-android-phone-lock
Pattern-screen locks on Android phones are secure, apparently so much so that they have stumped the Federal Bureau of Investigation.
The bureau claims in federal court documents that forensics experts performed “multiple attempts” to access the contents of a Samsung Exhibit II handset, but failed to unlock the phone.
An Android device requires the handset’s Google e-mail address and its accompanying password to unlock the handset once too many wrong swipes are made. The bureau is seeking that information via a court-approved warrant to Google in order to unlock a suspected San Diego-area prostitution pimp’s mobile phone
Locking down a phone is even more important today than ever because smart phones store so much personal information. What’s more, many states, including California, grant authorities the right to access a suspect’s mobile phone, without a warrant, upon arrest for any crime.
Forensic experts and companies in the phone-cracking space agreed that the Android passcode locks can defeat unauthorized intrusions.
“It’s not unreasonable they don’t have the capability to bypass that on a live device,” said Dan Rosenberg, a consultant at Boston-based Virtual Security Research.
A San Diego federal judge days ago approved the warrant upon a request by FBI Special Agent Jonathan Cupina. The warrant was disclosed Wednesday by security researcher Christopher Soghoian,
In a court filing, Cupina wrote: (.pdf)
Failure to gain access to the cellular telephone’s memory was caused by an electronic ‘pattern lock’ programmed into the cellular telephone. A pattern lock is a modern type of password installed on electronic devices, typically cellular telephones. To unlock the device, a user must move a finger or stylus over the keypad touch screen in a precise pattern so as to trigger the previously coded un-locking mechanism. Entering repeated incorrect patterns will cause a lock-out, requiring a Google e-mail login and password to override. Without the Google e-mail login and password, the cellular telephone’s memory can not be accessed. Obtaining this information from Google, per the issuance of this search warrant, will allow law enforcement to gain access to the contents of the memory of the cellular telephone in question.
Rosenberg, in a telephone interview, suggested the authorities could “dismantle a phone and extract data from the physical components inside if you’re looking to get access.”
However, that runs the risk of damaging the phone’s innards, and preventing any data recovery.
Linda Davis, a spokeswoman for forensics-solutions company Logicube of suburban Los Angeles, said law enforcement is a customer of its CellXtract technology, which it advertises as a means to “fast and thorough forensic data extraction from mobile devices.”
But that software, she said in a telephone interview, “is not going to work” on a locked device.
….
Source: http://research.zscaler.com/2012/03/malware-campaign-targeting-opera-mobile.html
New research show that there is active malware targeting Opera Mobile users, to trick them into installing a malware on the device.
The links are in the form of: hxxp://geqe.net/opera_mini/1965/opera_mini.auto#phpsessid=85cfe7f19a08b6387d0441a9d949bb95
Each has a different phpsessid value. The domain was registered last month (02/12/2012) and does not seem to host any legitimate content.
These pages redirect to another domain, mskmarkets.ru (hxxp://mskmarkets.ru/l.php?l=o4&r=2695&a=29#phpsessid=afe9720a74a56800a2bd682b171e9914) where users are warned in Russian that their browser is out of date:
WARNING! An update your browser!
Your browser version is outdated, your phone is at risk of infection by dangerous virus!
We strongly recommend that you upgrade your browser. To update, click Update.
 * |
|
hxxp://geqe.net/opera_mini/1965/opera_mini.auto#phpsessid=85cfe7f19a08b6387d0441a9d949bb95 |
Note that a Google Chrome favicon is used and the page leverages the same theme and icons as Opera Mobile. The source code has multiple references to Opera (CSS, links, etc.) and targets WAP-enabled devices.
When the user clicks on the Refresh button, the file browser_update.jar gets downloaded (and possibly installed, I don't have the right device to test). This malicious Java application is currently flagged by 8 of 43 AV engines as an SMS sender. This type of malware is very common on mobile devices. They are used for spam or contact surcharged phone numbers.
According to Wikipedia, Opera has a huge market share in Russia and Eastern Europe, with more than 36% of the browser market (only 2.7% world-wide).
….
….
Source: http://www.lightbluetouchpaper.org/2012/03/07/some-evidence-on-multi-word-passphrases/
Using a multi-word “passphrase” instead of a password has been suggested for decades as a way to thwart guessing attacks. The idea is now making a comeback, for example with the Fastwords proposal which identifies that mobile phones are optimised for entering dictionary words and not random character strings. Google’s recent password advice suggests condensing a sentence to form a password, while Komanduri et al.’s recent lab study suggests simply requiring longer passwords may be the best security policy. Even xkcd espouses multi-word passwords (albeit with randomly-chosen words). I’ve been advocating through my research though that authentication schemes can only be evaluated by studying large user-chosens distribution in the wild and not the theoretical space of choices. There’s no public data on how people choose passphrases, though Kuo et al.’s 2006 study for mnemonic-phrase passwords found many weak choices. In my recent paper (written with Ekaterina Shutova) presented at USEC last Friday (a workshop co-located with Financial Crypto), we study the problem using data crawled from the now-defunct Amazon PayPhrase system, introduced last year for US users only. Our goal wasn’t to evaluate the security of the scheme as deployed by Amazon, but learn more how people choose passphrases in general. While this is a relatively limited data source, our results suggest some caution on this approach.
Amazon’s system requires a multi-word (minimum 2) passphrase which is globally unique. This provided an oracle for our experiment: in the original version of the site, error messages would clearly indicate if a phrase was already chosen (as opposed to being blacklisted or invalid), letting us test large lists of phrases to see what was taken. Our first experiment was a dictionary attack using lists of movie titles, sports team names, and dozens of other types of proper nouns crawled from Wikipedia, along with idiomatic phrases crawled from soruces like Urban Dictionary. We found about 8,000 phrases using a 20,000 phrase dictionary. Using a very rough estimate for the total number of phrases and some probability calculations, this produced an estimate that passphrase distribution provides only about 20 bits of security against an attacker trying to compromise 1% of available accounts. This is far better than passwords, which are usually under 10 bits by this same metric, but not high enough to make online guessing impractical without proper rate-limiting. Curiously, it’s close to estimates made using Kuo et al.’s published numbers on mnemonic phrases. It also shows that significant numbers of people will blatantly ignore security advice about choosing nonsense phrases and choose things like “Manchester United” or “Harry Potter.”
After this experiment, we did a few experiments to test the linguistic properties of phrases by generating potential phrases according to their distribution in large linguistic corpora (we used the British National Corpus and Google n-gram corpus). Some clear trends emerged—people strongly prefer phrases which are either a single modified noun (“operation room”) or a single modified verb (“send immediately”). These phrases are perhaps easier to remember than phrases which include a verb and a noun and are therefore closer to a complete sentence. Within these categories, users don’t stray too far from choosing two-word phrases the way they’re actually produced in natural language. That is, phrases like “young man” which come up often in speech are proportionately more likely to be chosen than rare phrases like “young table.”
….
