The Subterfuge Project called Artemis

Artemis [1] is an advanced malware simulation suite capable of emulating the Advanced Persistent Threat (APT). Artemis raises the bar allowing ethical hackers and penetration testers the luxury of an advanced set of features equivalent to many of the tools employed by criminal gangs today. By abstracting polymorphism to a server based platform at cevincere.com Artemis is able to stay one step ahead of anti-virus vendors, and ensure that penetration testers can give their clients the value that they deserve.

[1] https://code.google.com/p/subterfuge/

BSides London 2014 - POS Devices

I was given the opportunity to present at this year's BSides London [1]. The talk was a 15 minutes presentation about Point of Sale (POS) devices, during a no-camera, no-recording session due to the sensitive content. 

I have been researching the features of POS devices for more than a year and I wanted to share my findings before someone else does something similar. However, due to the fact it is not easy to fix the issues overnight, I decided to keep the presentation "behind closed doors". During the presentation I demonstrated how it is possible for anyone to become a "hacker" and abuse these little devices with simple key combinations. 

Critical OpenSSL vulnerability

OpenSSL released a security advisory yesterday (7/Apr/2014) regarding the TLS heartbeat read overrun (CVE-2014-0160). [1] This is a CRITICAL vulnerability affecting 1.0.1 and 1.0.2-beta releases of OpenSSL, including 1.0.1f and 1.0.2-beta1.

An attacker can read memory contents of the remote server . The server will not crash or otherwise exhibit suspicious behaviour. Successful exploitation leaks usernames, passwords, web application session cookies or other sensitive information. 

Currently, some of the vulnerable websites are: 
yahoo.com
okcupid.com
flickr.com

The quickest way to test your server is by using the following link:
http://filippo.io/Heartbleed/

Remediation:
Affected users should upgrade to OpenSSL 1.0.1g. The alternaltive at this point if you cannot upgrade to OpenSSL 1.0.0g is to recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS

For remediating against an Apache install you will also need to upgrade libssl (libssl1.0.0).

Note that Ubuntu 1.0.1-4ubuntu5.12 of OpenSSL resolves the issue.

Temporary Snort signatures:
a) alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"Heartbleed attack with ssltest.py";flow:to_server,established; content:"|18 03 02 00 03 01 40 00|"; rawbytes; isdataat:!1,relative; reference:cve,2014-0160; sid: 6000000; rev:1;)

b) alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"Heartbleed attack";flow:to_server,established; content:"|18 03|"; rawbytes; depth:2; byte_test:1, &, 3, 0, relative; byte_test:2, >, 200, 3, relative, big; reference:cve,2014-0160; sid: 6000001; rev:2;)


[1] http://www.openssl.org/news/secadv_20140407.txt

So many Computer Forensics tools but no time

Do you want to get your hands in Computer Forensics but you don't really know where to start. Are you looking for a tool that does a specific job but you don't know which one to download and use. Forensic Control [1] have a list of free tools as a free resource for all. The tools are grouped in categories and a detailed description allows you to find what you are looking for. 

The main categories of the tools you can find are:

• Disk tools and data capture
• Email analysis
• General tools
• File and data analysis
• Mac OS tools
• Mobile devices
• File viewers
• Internet analysis
• Registry analysis
• Application analysis
• Abandonware

[1] https://forensiccontrol.com/resources/free-software/

Booby-trapped documents in Rich Text Format are being used for targeted attacks

There are booby-trapped documents being circulated in the Rich Text Format (RTF) that exploit a vulnerability in the 2010 version of Microsoft Word [CVE-2014-1761]. 

Microsoft Advisory published on Monday 24/Mar/2014 (2953095) [2] warns about the Vulnerability in Microsoft Word which could allow Remote Code Execution. A Temporary fix is available by Microsoft [3].

[1] ​http://arstechnica.com/security/2014/03/zero-day-vulnerability-in-microsoft-word-under-active-attack/

[2] http://technet.microsoft.com/en-us/security/advisory/2953095

[3] https://support.microsoft.com/kb/2953095