"Unauthorized code" in Juniper firewalls decrypts encrypted VPN traffic

Juniper Networks published an advisory saying that NetScreen firewalls using ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20 contain unauthorized code that surreptitiously decrypts the VPN traffic by giving attackers administrative access. 

This system "backdoor" requires immediate patching! The vulnerability was discovered during a recent internal code review[1]. The "unauthorised code" in ScreenOS could allow a knowledgeable attacker to gain administrative access to NetScreen appliances and to decrypt VPN connections. 

Juniper Networks explained in a separate advisory that there are two separate vulnerabilities which are both described as “Unauthorised Code”.

The first flaw allows unauthorized remote administrative access to an affected device over SSH or telnet. Exploits can lead to complete compromise. "The second issue may allow a knowledgeable attacker who can monitor VPN traffic to decrypt that traffic," the advisory said. "It is independent of the first issue. There is no way to detect that this vulnerability was exploited." [2]

This Github repository contains notes, binaries, and related information from the analysis of the CVE-2015-7755 & CVE-2015-7756 issues within Juniper ScreenOS. See a detailed analysis by Rapid7. 

Critical Patch by Microsoft - MS15-078

Vulnerability in Microsoft font driver could allow remote code execution. This vulnerability requires immediate remediation (16 July 2015). 

Microsoft patch MS 15-078 addresses a serious security flaw found in the way Windows products read certain types of fonts. 

An attacker can send you an office document or ask you to visit a specific web page with a specific font being used. The attack is straight forward and simple to execute, and for that reason it is highly important to patch immediately. 

The attack is possible because it focuses on the Windows Adobe Type Manager Library and the way it deals with OpenType fonts, allowing Remote Code Execution. 

Please note that this vulnerability affects all modern versions of Windows. Also, if you install a language pack after you install this update, you must reinstall this update. Therefore, install any language packs that you need before you install this update. For more information, see Add language packs to Windows.

ozwpan driver - Remote packet-of-death vulnerabilities in Linux Kernel

"The ozwpan driver accepts network packets, parses them, and converts them into various USB functionality. There are numerous security vulnerabilities in the handling of these packets. Two of them result in a memcpy(kernel_buffer, network_packet, -length), one of them is a divide-by-zero, and one of them is a loop that decrements -1 until it's zero." [1]

1. A remote packet can be sent, resulting in funny subtractions of
signed integers, which causes a memcpy(kernel_heap, network_user_buffer, -network_user_provided_length).

There are two different conditions that can lead to this:
https://lkml.org/lkml/2015/5/13/740
https://lkml.org/lkml/2015/5/13/744

2. A remote packet can be sent, resulting in divide-by-zero in softirq, causing hard crash:
https://lkml.org/lkml/2015/5/13/741

3. A remote packet can be sent, resulting in a funny subtraction, causing an insanely big loop to lock up the kernel: https://lkml.org/lkml/2015/5/13/742

4. Multiple out-of-bounds reads, resulting in possible information leakage, explained in the last paragraph of the introductory email here: https://lkml.org/lkml/2015/5/13/739

The above is a repost of this: http://seclists.org/oss-sec/2015/q2/446

You may find more information about ozwpan here: https://lkml.org/lkml/2015/5/13/739

[1] https://lkml.org/lkml/2015/5/13/739

VENOM Vulnerability - Virtualized Environment Neglected Operations Manipulation

VENOM is short for Virtualized Environment Neglected Operations Manipulation and it is a vulnerability in the QEMU’s virtual Floppy Disk Controller (FDC). The vulnerable code is used in numerous virtualization platforms and appliances such as Xen, KVM, and the native QEMU client. 

The vulnerability has been assigned the following CVE (CVE-2015-3456). As far as we know, VMware, Microsoft Hyper-V, and the Bochs hypervisors are not impacted by this. 

The interesting fact about VENOM is that it applies to a wide range of virtualization platforms (using the default configurations) and it allows for arbitrary code execution. Due to the fact that the vulnerability exists in the hypervisor’s codebase, it affects all host and guest Operating Systems. 

However, the vulnerability can be exploited only with escalated privileges (root, administrator). 

Guest Speaker for University of South Wales (Information Security Research Group) - CyberSecurity and the Payment Card Industry

I had the pleasure to be invited as a guest speaker to the University of South Wales in order to give a talk about CyberSecurity and the Payment Card Industry more specifically for the Information Security Research Group (ISRG).

The talk included an introduction to the Payment Card Industry (PCI),  Payment Card Industry Data Security Standard (PCI DSS) and the Payment Card Industry Security Standards Council (PCI SSC). The participant had an opportunity to understand what is an Approved Scanning Vendor (ASV), a Qualified Security Assessor (QSA) and last but not least a PCI Forensics Investigator (PFI).

BSides London 2015 - CFP

I hope you all look forward to BSides London 2015, https://www.securitybsides.org.uk. In case you want to tweet about it, this year we are using the #BSidesLDN2015 hash tag. The event will take place on Wednesday 3/Jun/2015 at the ILEC Conference Centre, 47 Lillie Road, SW6 1UD, London (see the MAP). 

As a side note, this year InfoSecurity Europe in London will take place between the dates 2nd and 4th/June/2015. Usually, Security BSides London is in line with InfoSec and the event takes place on the first day of InfoSec. However, this year, make sure you note down that the event will take place on the second day of InfoSec (see InfoSec). 

I am happy to see that my talk for this year is number 2 on the list of submissions (CFP Submissions). Voting for the talks opened today 20/Apr/2015 and it will be running until 1/May/2015. Please find some more information about my talk in the section below (click Read More). You can find/follow me at twitter @drgfragkos and I really hope you spread the word regarding this talk to your friends and followers. 

Raspberry Pi 2 Model B and Kali Linux - quick setup

The new Raspberry Pi 2 Model B is approximately 6 times faster that its predecessor. It comes with:

• QUAD Core Broadcom BCM2836 CPU
• 1 GB RAM
•  40 pin extended GPIO
• Micro SD slot
• 4x USB ports
• HDMI
• 4 pole Stereo output and Composite video port
• CSI camera port & DSI display port
• Micro USB power source

In order to install Kali Linux on the new Raspberry Pi you will need to download the new image for Raspberry Pi 2 (0.48G) version 1.1.0  from https://www.offensive-security.com/kali-linux-vmware-arm-image-download/ (filename: kali-1.1.0-rpi2.img.xz). 

Good luck Lenovo and thank you for the Superfish!

When you purchase a laptop it comes with some default, pre-installed applications. I personally hate this and it is quicker to format the laptop with a fresh install than go down the route of uninstalling all the <r@p-ware one by one. 
Have you ever bought a new Vaio? The amount of extras installed and running in the background take upon most of the resources. 
However, this post is about the Lenovo laptops which also contain a number of added "features". One of the added "features" is an adware which activates when taken out of the box for the first time. This adware ships with all consumer PCs from Lenovo and uses a certificate to perform a man-in-the-middle attack in order to inject ads into the user's browser. 

Abertay Ethical Hacking Society run their fourth annual Security Conference: Securi-Tay IV

Securi-Tay [1] is an Information Security conferece held by the Abertay Ethical Hacking Society [2], and supported by the Abertay University in Dundee. The aim of the conference is to provide an opportunity to industry professionals, students and information security enthusiasts to attend and share knowledge and information. This year will be the fourth year the conference is taking place (hence the IV) and it will be held on February 27th, 2015. Personally, I believe this conference offers a fantastic opportunity to students to meet and network with experts in the area of security, share information and have a first glance on how their future in the security industry can be like. 

I was very pleased to get accepted to speak at the conference this year and I am already looking forward to it.

The Bug Bounty List - Bug Hunting

I started finding serious security issues and vulnerabilities back in 1998. Back then the community was so immature that I was getting so much grief every time I was trying to explain what I had found. The common response was "why did you check our system/application", "who told you to alter the input", "this was not suppose to happen, you broke it", "the others don't know to do this; why did you do it" and all sort of similar discussions. Unfortunately, back then they weren't any bug bounty or recognition programs for the poor security enthusiast like myself.

I am glad to see that the community starts becoming more mature and understands how valuable can be for a business the discovery of a security issue or a vulnerability by a "white hacker". I am also glad there are bug bounty programs out there which reward security researcher and security enthusiasts who discover security issues.

Safer Payments online, in-store and especially during the peak retail periods

Online shopping and retail in-store purchases dramatically increase at certain times, like during the recent festive period, and unfortunately these are also times when we see increases in skimming, phishing attempts, and cyber-attacks. Because of the number of incidents and the alarming statistics released over the years, consumers feel rather insecure when shopping online and more specifically every time they need to use their card details. Recent high profile data breaches have affected consumer’s confidence and the feeling of being insecure during a transaction, which in turn has had an impact on the number of purchase transactions. Businesses need to ensure that all necessary steps are taken towards the security of their customer’s data so that they can eventually bring them back into their trust. 

Enhancing your cyber defence through a physical security assessment

Physical Security Assessments can be viewed as a penetration test against the physical infrastructure of an organisation. Instead of the assessment of computer networks and services, buildings and physical locations are being assessed. During this type of assessment the overall physical security of the location of a building, the facilities and the access controls are in scope. Physical security is often overlooked and the consequences of a physical breach can have the same impact as a computer breach.

Backdoors on Web Applications

There are different types of backdoors being used and deployed, depending on what kind of system/service is being targeted, how stealth it needs to be and how persistent. In this instance, we are discussing backdoors being uploaded through Web Applications to your Web Server, in order to provide access to unauthorised third-parties. 

Using On-line Services for Reconnaissance

Ever wanted to use only existing online services to do reconnaissance without having to install or use any other tools. Well, the following URLs will give you a nice starting point. This list is to be expanded and updated with more links. If you believe you know of an online service which can be useful for this purpose do not hesitate to share it with the rest of us. Let me know and I will add it to the list! :)

Bash-ing (Bash Bug, Shell Shock) - All the information you need

The Bash Bug is a severe vulnerability discovered by by Stephane Chazelas of Akamai, who most probably deserves a pwnie award [1]. 
The discovery of this particular vulnerability is a serious risk, similar (maybe proven to be a lot bigger) to the Heartbleed bug [2]. Mostly because Linux not only runs the majority of the servers but also in a large number of embedded devices. Keep in mind that there are approximately about 25 years’ worth of Bash versions! Effectively, Mac OS X [11] and Android devices may also be running the vulnerable version of bash. 
Also, for Windows systems, msysgit contains a vulnerable version of bash (by Joshua McKinney) [12]. Which means, we are going to have more of these popping up very soon under the Windows platform as well.
Just to give you a hint about the severity of this vulnerability, NIST Vulnerability DataBase rated this with "10 out of 10". [3]

44CON 2014

It was really nice catching up with many friends from the industry at 44CON [1] (#44CON) this year in London. 

Also, a new 44Con Cyber Security was announced which will take place at some point next year. 

This year, there were 3 tracks running and a workshop. A number of interesting talks and a variety of subject to choose from. The stages were really nice and you should look for the DVD when it is out! It is very difficult to choose which talk(s) was/were the best. The main reason is because so many things happening at the same time it is hard to tell. So, it is best to assume that all were great. 

[1] http://44con.com

Disconnect Mobile

Finally an App for non-routed/jail-broken mobile devices that will allow you to control your privacy and security. Disconnect Mobile is a privacy and security app. The app actively blocks the biggest mobile trackers and thousands of malware threats when you use an app or browse the web using 3G, 4G, LTE or Wi-Fi. Optionally includes ad filtering and malware protection which you have to pay in order to activate them. 

Why the big fuss? Well, last week, Google kicked Disconnect Mobile out of the Play store. It even made the Wall Street Journal [1]. As always this post is not about promoting this specific app but on the fact that it blocks mobile trackers and that it was kicked from Play store. What has changed and Google finally allowed the app to be on the store?  Google kicked this app because it violated a policy prohibiting software that interferes with other apps. However, interference was precisely the point of Disconnect Mobile, a privacy tool aimed at stopping other apps from collecting data on users. In the six days it was available in Google’s store, it was downloaded more than 5,000 times.

upnp.ninja

U Plug, We Play, was the title of David Middlehurst’s (@dtmsecurity) presentation at the BSides Manchester conference. The presentation was about a new open source tool called 'UPnP Pentest Tookit' [1]  he developed and released on the day of the conference. I had the chance to catch up with David at the London Trust Forum the other day and shared some thoughts about the tool. I am 'a bit' of a geek so the next day after the BSides Manchester conference, it was the first thing I wanted to test. I downloaded the tool and started scanning my home devices. 

Well done David!

[1] upnp.ninja

Guest Speaker for Derby University (Digital Forensic Investigation Course)

I had the pleasure to be invited as a guest speaker to Derby University in order to give a talk about Penetration Testing in the real world and more specifically for the Digital Forensic Investigation course.

The talk included an introduction to the Payment Card Industry (PCI),  Payment Card Industry Data Security Standard (PCI DSS) and the Payment Card Industry Security Standards Council (PCI SSC). The participant had an opportunity to understand what is an Approved Scanning Vendor (ASV), a Qualified Security Assessor (QSA) and last but not least a PCI Forensics Investigator (PFI).

The students were introduced to penetration testing types, practices, methodologies, real stories from the industry, tools, and techniques. Black Box testing versus White Box testing was explained, the significance of white-listing was discussed and comparison of ASV, Vulnerability Assessment and Penetration Testing was given.

The second part of the talk focused on malware and included a more practical approach with a hands-on session. The talk focused on how easy could it be to create malware that is capable of evading AntiVirus detection (including reputation based detection). The students were given an executable file and a hex editor which allowed them to modify the given binary. Social engineering and spear phishing were also discussed. The purpose was to raise their awareness and allow them to understand with examples why we say there is no 100% security.

I had a wonderful day at the University, the students were very excited and I do hope they learned a lot. All the best with their course. The industry needs these knowledgeable future professionals. 

Guest Speaker for Derby University (Digital Forensic Investigation Course) - Cyber-Security and Cyber-Defence

I was very excited to be invited by the Derby University once more and more specifically by the Digital Forensic Investigation Course in order to give a talk. The title of the talk was "Cyber-Security and Cyber-Defence in the industry and financial services utilising Penetration Testing and Computer Forensics".

The talk focused on the current Cyber-Threats, Cyber-Security and Cyber-Defense tactics. It introduced to the participants different types of security services, which included threat assessment, threat intelligence and threat management solutions. The talk also gave the students an opportunity to hear about the most successful vendors in the security industry.

Figure 1 - Guy Fawks Mask as a Rorschach Test

The trends in cybercrime were discussed along with why cybercriminals participate in cyber-gangs and the reasons why cybercrime is still successful. More specifically the talk looked into the reasons why cybercrime has a presence, how much does it pay, explored the increasing scope, scale, and complexity of cybercrime impacting the industry at the moment, how cyber-espionage is involved and how can we focus on real-world strategies to avoid being targeted.

A number of tools and techniques were introduced to the students along with a practical session on how easy would it be to create their own version of a malware capable of evading AntiVirus detection. All this raised their awareness and made start thinking outside-the-box when it comes to this fast evolving threat landscape of cyber-threats.

I do believe the students enjoyed the talk as the feedback was exceptional. I do hope they gained enough information during the day to go back and start looking into cyberthreats more closely and with a better understanding.