
Sunday, March 17, 2013

Microsoft Flaw allows USB with Payload to Bypass Security Controls


The flaw lets anyone holding a USB thumb drive loaded with the payload bypass security controls and gain access to a vulnerable system, even when AutoRun is disabled and the screen is locked. It exposes Windows PCs to serious risk; recall that Stuxnet was introduced into the systems of Iran's nuclear program via USB thumb drives.
In the March 2013 Patch Tuesday release, Microsoft published seven new security bulletins, four rated Critical and the rest Important. The most interesting one is MS13-027, rated only "Important" because the attack requires physical access to the vulnerable machine.

Windows typically discovers USB devices when they are inserted or when they change power source (for example, when a device switches from external power to being powered from the USB connection itself).

To exploit the vulnerability, an attacker adds a maliciously formatted USB device to the system. When the Windows USB device drivers enumerate the device and parse a specially crafted descriptor, the attacker can cause the system to execute malicious code in the context of the Windows kernel.

Because the vulnerability is triggered during device enumeration, no user interaction is required. It can be triggered while the workstation is locked or while no user is logged in, which makes this an unauthenticated elevation of privilege for an attacker with casual physical access to the machine.
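
To show why descriptor parsing is the dangerous step, here is an added example written for this page, not Microsoft's code and not a reconstruction of the actual MS13-027 bug (whose details Microsoft has not published): a Python walker over a USB configuration descriptor set that applies the bounds checks a host-side enumerator must apply to the device-chosen bLength field, and rejects two constructed malformed blobs.

```python
import struct

# Standard descriptor types from the USB 2.0 specification (table 9-5).
DT_CONFIGURATION = 0x02
DT_INTERFACE = 0x04
DT_ENDPOINT = 0x05

# Smallest bLength a well-formed descriptor of each type may carry.
MIN_LEN = {DT_CONFIGURATION: 9, DT_INTERFACE: 9, DT_ENDPOINT: 7}


class DescriptorError(ValueError):
    """Raised when device-supplied descriptor data is malformed."""


def walk_descriptors(blob):
    """Split a configuration descriptor set into (bDescriptorType, payload) pairs.

    bLength is a byte the device chooses, so every check below guards an
    assumption a host-side parser must not make about it.
    """
    descriptors = []
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < 2:
            raise DescriptorError("truncated header at offset %d" % offset)
        blength, dtype = blob[offset], blob[offset + 1]
        if blength < 2:
            # A zero- or one-byte length would never advance the cursor.
            raise DescriptorError("bLength %d < 2 at offset %d" % (blength, offset))
        if blength > len(blob) - offset:
            # The classic over-read: trusting bLength would walk past the buffer.
            raise DescriptorError("bLength %d overruns buffer at offset %d" % (blength, offset))
        if dtype in MIN_LEN and blength < MIN_LEN[dtype]:
            # Short descriptor: fixed fields would be read from the next descriptor.
            raise DescriptorError("descriptor type 0x%02x too short (%d bytes)" % (dtype, blength))
        descriptors.append((dtype, bytes(blob[offset + 2:offset + blength])))
        offset += blength
    return descriptors


def parse_configuration(blob):
    """Validate a configuration descriptor set and summarise what it declares."""
    descriptors = walk_descriptors(blob)
    if not descriptors or descriptors[0][0] != DT_CONFIGURATION:
        raise DescriptorError("set does not start with a configuration descriptor")
    # Configuration payload begins with wTotalLength (LE16) and bNumInterfaces.
    total_length, num_interfaces = struct.unpack_from("<HB", descriptors[0][1], 0)
    if total_length != len(blob):
        raise DescriptorError("wTotalLength %d != %d bytes received" % (total_length, len(blob)))
    interfaces = sum(1 for dtype, _ in descriptors if dtype == DT_INTERFACE)
    endpoints = sum(1 for dtype, _ in descriptors if dtype == DT_ENDPOINT)
    if interfaces != num_interfaces:
        raise DescriptorError("bNumInterfaces %d != %d interface descriptors" % (num_interfaces, interfaces))
    return {"interfaces": interfaces, "endpoints": endpoints}


def validate(blob):
    """Return 'ok' or the reason the descriptor set was rejected."""
    try:
        parse_configuration(blob)
        return "ok"
    except DescriptorError as exc:
        return str(exc)


# Constructed sample: a single-interface, single-endpoint mass-storage-like device.
GOOD = (
    struct.pack("<BBHBBBBB", 9, DT_CONFIGURATION, 25, 1, 1, 0, 0x80, 50)
    + struct.pack("<BBBBBBBBB", 9, DT_INTERFACE, 0, 0, 1, 0x08, 0x06, 0x50, 0)
    + struct.pack("<BBBBHB", 7, DT_ENDPOINT, 0x81, 0x02, 512, 0)
)
# Same blob with the interface descriptor's bLength forged to 0xFF and to 0.
BAD_OVERRUN = GOOD[:9] + b"\xff" + GOOD[10:]
BAD_ZERO = GOOD[:9] + b"\x00" + GOOD[10:]

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("overrun", BAD_OVERRUN), ("zero", BAD_ZERO)):
        print(name, "->", validate(blob))
```

Run it directly to see the good blob accepted and the two forged ones rejected: the 0xFF case is the over-read that a C driver would turn into a kernel memory read, and the zero-length case is the loop that never advances.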

Microsoft acknowledges that a successful USB-based exploit could "open additional avenues of exploitation that do not require direct physical access to the system."

The vulnerabilities addressed by Microsoft do not include those exploited by security researchers at the recent Pwn2Own hacking competition at the CanSecWest Conference in Vancouver.

source: http://thehackernews.com

9/11 Cyber Doomsday


Senators want to evaluate how well foreign governments protect their nuclear stockpiles against cyber attacks. The question was raised after the Pentagon's chief cyber officer admitted he does not know whether countries such as Russia or China have adopted effective countermeasures.

Sen. Bill Nelson and Armed Services Committee Chairman Sen. Carl Levin, D-Mich., will request from the national intelligence community an assessment of foreign states' ability to safeguard networked nuclear systems.

"In this new world of cyber threats, we of course have to be responsible for ours, but we have to worry about those others on the planet that have a nuclear strike capability, of protecting theirs against some outside player coming in and suddenly taking over their command and control," Nelson declared.

Last week the Defense Science Board (DSB), a federal advisory committee, published a report titled “Resilient Military Systems and the Advanced Cyber Threat”. The document presents alarming scenarios and considers the US military unprepared for a full-scale cyber conflict.


The DSB analysis alerts the Pentagon to the need to improve its cyber capabilities: a top-tier adversary represents a serious menace in a cyber war, and the analysts believe the various initiatives conducted by the US Government are not sufficient to counter sophisticated attacks by hostile countries. The report remarks that the Defense Department “is not prepared to defend against these threats”, that its efforts lack proper coordination, and that its commitments are “fragmented”.

“Current DoD actions, though numerous, are fragmented. Thus, DoD is not prepared to defend against this threat.” “DoD red teams, using cyber attack tools which can be downloaded from the Internet, are very successful at defeating our systems.” The study by the Defense Science Board urges the intelligence community to maintain the threat of a nuclear strike as a deterrent to a major cyber attack.

“DoD needs to take the lead and build an effective response to measurably increase confidence in the IT systems we depend on (public and private) and at the same time decrease a would-be attacker’s confidence in the effectiveness of their capabilities to compromise DoD systems.” The report also cites “the relative ease that our Red Teams have in disrupting, or completely beating, our forces in exercises using exploits available on the Internet; and the weak cyber hygiene position of DoD networks and systems”.

These statements are worrying: attackers do not need sophisticated computing platforms to hit the country's vital centers, because the necessary technologies are readily available on the Internet.

Gen. C. Robert Kehler, chief of U.S. Strategic Command, which oversees Cyber Command, highlighted the need for intelligence activities to evaluate the security level of foreign infrastructure, but he also stressed the need to evaluate the potential for a cyber attack on U.S. nuclear command and control systems and weapons systems.

The general admitted he has no information on other governments' ability to respond to a cyber offensive against their nuclear plants and arsenals. A cyber attack could directly hit the control system of a critical infrastructure, but it could also compromise a military system such as an intercontinental missile and turn it against other assets of the country.

"What about the Russians and the Chinese? Do they have the ability to stop some cyber-attack from launching one of their nuclear intercontinental ballistic missiles?" probed Sen. Bill Nelson, D-Fla., a member of the Armed Services Committee.

"Senator, I don't know," answered Kehler, who was testifying on Tuesday at a committee hearing.

As reported by the Defense Science Board, attacks against US infrastructure, including defensive weapons, could be conducted by various actors. State-sponsored attacks appear to be the most concerning, but intelligence is also aware of the menace represented by cyber terrorists and cyber criminals.

Cyber terrorism is one of the most debated aspects at the moment: hitting a critical infrastructure with a cyber attack can have the same effect as a conventional attack, with the advantage of being easier to manage. The recruitment of cyber mercenaries and the availability of tools on the Internet and in the underground that attackers could use to cause considerable damage, as demonstrated by the U.S. cyber units, may increase the risk of cyber attacks conducted for terrorist purposes.

Newspapers use words such as cyber “9/11” and “cyber doomsday”, words that evoke death, destruction and frightening scenarios but above all describe a real danger not to be underestimated. That is why the top U.S. intelligence official, in another Senate chamber, named cyber first on his list of current transnational threats.

An article on the Nextgov portal states: “There is a danger that unsophisticated attacks by highly motivated actors would have ‘significant outcomes due to unexpected system configurations and mistakes’ or that a vulnerability in one spot ‘might spill over and contaminate other parts of a networked system,’ James Clapper, national intelligence director, testified before the Intelligence Committee on Tuesday.”

What about the security of U.S. nuclear command and control systems and weapons platforms?
Gen. C. Robert Kehler is cautiously optimistic: he is confident that U.S. command and control systems and nuclear weapons platforms "do not have a significant vulnerability". He also remarked that while there is "fairly decent transparency" with Russian government officials on missile capabilities, the same is not true of China.

My interpretation of the General's words is that, despite the openness toward the two governments, much work remains to be done on the diplomatic front to define and reach unanimous acceptance of a framework regulating the use of cyber weapons that menace the security of critical systems. We are in an extremely critical period of transition: most governments are working on the production of cyber weapons and conducting covert cyber espionage campaigns. Alongside historical powers such as Russia and China there are dangerous states such as Iran and North Korea and a plethora of independent actors, cyber terrorists and cyber criminals, so it is crucial to know the capabilities of the opponents but also to enhance one's own.

source: http://thehackersnews.com

Indian pentester discovers a flaw in Google Drive

As usual I was reading the news on The Hacker News security portal when a post attracted my attention: another security issue related to an IT giant, Google. The Indian penetration tester Ansuman Samantaray discovered a security flaw in Google Drive that exposes millions of Google users to the threat of phishing attacks.



Unfortunately Google ignored the warning, underestimating the risk and replying to the researcher that

“It is just a mere phishing attempt, not a bug in Google”

On December 20th Ansuman Samantaray reported a JavaScript execution vulnerability in Google Drive files; the Google Security Team rejected it the following day. The researcher's thesis is that the flaw could be exploited for phishing attacks.

An attacker can abuse the way Google Drive previews documents in the browser: the content stored in a document file is executed as HTML/JavaScript simply by changing the value of a URL parameter called “export”.

Looking closely at the URL used to fetch a file uploaded to or created on Google Drive/Docs, the “export” parameter carries the value “download”, which makes the browser download the document.

https://docs.google.com/uc?authuser=0&id=0B6mcoM7O55_jWXp2N2FvdHBVTTg&export=download

The Indian pentester demonstrated that if an attacker changes the “export” parameter to “view”, the malicious code written into the document file is rendered and executed by the browser.

https://docs.google.com/uc?authuser=0&id=0B6mcoM7O55_jWXp2N2FvdHBVTTg&export=view

The THN researchers also provided proof of the flaw: they uploaded a file to Google Drive and linked it using the “download” value,

https://docs.google.com/uc?authuser=0&id=0B6mcoM7O55_jZnZnV1ZEZThqaDA&export=download

while the following is the same link using the “view” value for the export parameter.

https://docs.google.com/uc?authuser=0&id=0B6mcoM7O55_jZnZnV1ZEZThqaDA&export=view

The document contains JavaScript code that displays a fake authentication box asking the user to re-enter the password in order to keep viewing the document.

Once the password is submitted, the script records it in a log file and redirects the user to the Google Drive home page.

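
As an added example (not part of the original article and not Google's code), the following Python helper classifies docs.google.com/uc links by their export parameter, rewrites render links into download links, and scans a constructed mail body for render links. Restricting the check to that one host and path is an assumption based only on the URLs shown above.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Host and path seen in the URLs above; treating only this endpoint as
# relevant is an assumption made for this example.
DRIVE_HOST = "docs.google.com"
DRIVE_PATH = "/uc"

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def classify_drive_link(url):
    """'render' if the browser would display the stored bytes inline,
    'download' if it would save them, 'other' for anything else."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "other"
    if (parts.hostname or "").lower() != DRIVE_HOST or parts.path != DRIVE_PATH:
        return "other"
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    export = params.get("export", "").lower()
    if export == "view":
        return "render"
    if export == "download":
        return "download"
    return "other"


def force_download(url):
    """Rewrite an inline-render link so the file is downloaded instead.

    Anything that is not a docs.google.com/uc render link comes back unchanged.
    """
    if classify_drive_link(url) != "render":
        return url
    parts = urlsplit(url)
    params = [(k, "download" if k == "export" else v)
              for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(params)))


def scan_text(text):
    """Return every render link found in a body of text (e.g. a mail body)."""
    return [u for u in URL_RE.findall(text) if classify_drive_link(u) == "render"]


# Constructed sample mail body reusing the two file IDs quoted in the article.
SAMPLE_MAIL = """Hi,
please review the attached documents:
https://docs.google.com/uc?authuser=0&id=0B6mcoM7O55_jWXp2N2FvdHBVTTg&export=download
https://docs.google.com/uc?authuser=0&id=0B6mcoM7O55_jZnZnV1ZEZThqaDA&export=view
and the usual report at https://example.com/report?export=view
"""

if __name__ == "__main__":
    for link in scan_text(SAMPLE_MAIL):
        print("render link:", link)
        print("  rewritten:", force_download(link))
```

A mail gateway or proxy can use force_download to neutralise the in-browser execution described above while still letting the recipient fetch the file. Since export=view is also how legitimate images and PDFs are previewed, the scan flags links for review rather than blocking them outright.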

The Hacker News team noted that the Google Security Team is not new to this kind of misjudgment: last week another Google Drive clickjacking flaw, which could likewise be extended into a phishing attack, was also rejected by Google.

source: http://securityaffairs.co

NIST – National Vulnerability Database website hacked


The news is as curious as it is worrying: last week unknown hackers compromised the website of the US government's repository of standards-based vulnerability management data, the National Vulnerability Database (NVD).

The NVD website had been down since last Friday; fortunately, as I write, it is up again. The attackers compromised at least two servers in a malware-based attack discovered on Wednesday.

NIST detected the malware on March 8th after observing suspicious activity. Two servers were taken offline: one ran the NVD website, while the other hosted a half-dozen other sites, including manufacturing.gov, E3.gov, greensuppliers.gov, emtoolbox.nist.gov, nsreserve.gov, and stonewall.nist.gov.

It is ironic that a site meant to enable automation of vulnerability management, security measurement, and compliance fell victim to an attack; recall that NVD also provides information on software flaws and misconfigurations and distributes impact metrics and security checklists.

While the site was down, its home page stated:

“The NIST National Vulnerability Database (NVD) has experienced an issue with its Web Services and is currently not available. We are working to restore service as quickly as possible. We will provide updates as soon as new information is available.”

Kim Halavakoski, Chief Security Officer at Crosskey Banking Solutions, revealed in a post on Google+ that he had received the following information from the NIST Public Inquiries Office:

“On Friday March 8, a NIST firewall detected suspicious activity and took steps to block unusual traffic from reaching the Internet. NIST began investigating the cause of the unusual activity and the servers were taken offline. Malware was discovered on two NIST Web servers and was then traced to a software vulnerability.”

He also added that there is no evidence the NVD website was used to spread malware to its visitors, a scheme recently seen in many cases through the technique known as a watering hole attack, a method for infecting on a large scale the visitors of legitimate websites.

The attackers exploited a vulnerability in Adobe's ColdFusion web development software, according to NIST (National Institute of Standards and Technology) spokeswoman Gail Porter, who stated that the malware was inserted before Adobe issued a patch on January 15.

The mission of the NVD is to help organizations, private companies and individuals better protect their IT infrastructure from cyber threats. Many government agencies and private businesses use the database, so by planting malware on the NVD hackers could infect an impressive number of visitors.

The hack of the National Vulnerability Database (NVD) reinforces the conviction that the US needs a stronger effort to improve cyber security, a conviction President Barack Obama also expressed in meetings with corporate leaders on Wednesday and Thursday, according to a Bloomberg report.

Improving cyber capabilities and mitigating cyber attacks is possible only if private companies and governments increase their collaboration and the US Government reaffirms its commitment.

source: http://securityaffairs.co

Sunday, March 10, 2013

Phishers Hijack Facebook Page using Apps


Hijacking Facebook pages
Another phishing campaign has recently gone into action, targeting Facebook accounts and company pages with millions of followers. Phishers continue to devise new fake apps for the purpose of harvesting confidential information.


The method is not new, but this is a very creative phishing example in the Facebook hacking scene: the hacker hosts the phishing page on Facebook's own apps subdomain. It is designed to look like the Facebook Security team, with the title 'Facebook Page Verification' and the Facebook Security logo, as shown in the screenshot above.


Phishing app URL: https://apps.facebook.com/verify-pages/
Application hosted on: https://talksms.co.uk/


The phishing page asks users to enter the URL and name of a page they own, together with their Facebook login email address and password. Once the victim falls into the trap, the phisher records the information.

Another interesting fact is that the phishing domain https://talksms.co.uk/ is an HTTPS site with a valid SSL certificate issued by GeoTrust.


Once someone has been phished, the hacker hijacks all their pages and groups for his own use or for sale.

Three Facebook pages with millions of fans were hijacked last night using this phishing page, and there may be many more victims currently unknown to us.

The hijacked pages are:
https://www.facebook.com/funHETU
https://www.facebook.com/getInspiration
https://www.facebook.com/bySmiles
We found that after hijacking these pages, the hacker started spamming his own blog (http://teenquotes2013.blogspot.in) through a Facebook page (https://www.facebook.com/This.Is.Teen.Quote). Facebook Insights shows that the hacker's page gained 96,000 followers in the last two months.

We have informed the Facebook security team about the issue and hope that Facebook will suspend all similar phishing pages as soon as possible. The original page admins are also looking for help from the Facebook team to get their pages back.

Facebook users are advised to follow best practices to avoid phishing attacks:
Do not click on suspicious links in email messages
Do not provide any personal information when answering an email
Do not enter personal information in a pop-up page.
Report fake websites and email (for Facebook, send phishing complaints to phish@fb.com)

source: thehackernews.com

Wednesday, March 6, 2013

Java 0day signed with cert stolen from Bit9

According to security experts, the numerous cyber attacks that hit major IT companies, news agencies and government offices exploited zero-day vulnerabilities in Java, to the point that many recommend uninstalling the Java browser plug-in unless it is absolutely necessary.




Equal clamor was raised in the past by the discovery that malware was signed with stolen digital certificates to elude the victims' defenses and infect their machines.

This time the two events combined for the success of the recent attacks: the malware delivered by a zero-day Java exploit was signed with certificates stolen from the security firm Bit9, which was itself hit by a cyber attack.

There is no peace for Java: the malicious code targeted the then-current releases of the software, Java 6 Update 41 and Java 7 Update 15, released a couple of weeks ago.

The revelation came from researchers at the security firms FireEye and CyberESI, who discovered the vulnerability tracked as CVE-2013-1493, which compromises both of the above Java versions.

The researchers found that the malicious code used in the exploits is the same as that found in the recent attacks on Bit9; according to FireEye the exploit downloaded McRat, a remote access trojan. Analysts also observed that once the victims were infected, the malware contacted a C&C server at IP address 110.173.55.187, exactly the same server used in the attack against Bit9 and described by Bit9 itself in a blog post.

“It contains one (1) export: “DllRegisterServer”. When this function is called, the malicious DLL beacons to IP address “110.173.55.187” over port 80.”

The following information was found about the “110.0.0.0-110.255.255.255” net range:

OrgName: Asia Pacific Network Information Centre

The Krebsonsecurity.com blog published the following eloquent statement by Alex Lanstein, a senior security researcher at FireEye:

“Same malware, same [command and control server], I’d have to say it’s the same group that hit Bit9.”

Security researchers at Symantec have confirmed the links between the malware (which Symantec calls “Naid”) and the attacks against Bit9: in July 2012 attackers stole certificates from Bit9 to sign malicious code.

According to Symantec this is a watering hole attack, which infects users while they visit a compromised website; obviously the hackers target websites attractive to their intended victims. The recent attacks against Apple, Facebook and Microsoft exploited a zero-day flaw in the Java browser plugin while victims visited a particular site.

The Symantec post states:

“As seen in figure 1, the initial stage of the attack involves a target visiting a compromised site that hosts a malicious JAR file, detected by Symantec as Trojan.Maljava.B. The JAR file contains the exploit CVE-2013-1493 which, if successful, downloads a file called svchost.jpg that is actually an MZ executable, detected by Symantec as Trojan.Dropper. This executable then acts as a loader for the dropped appmgmt.dll file, detected as Trojan.Naid”.
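
The two indicators in the reporting above, a beacon to 110.173.55.187 on port 80 and a payload named svchost.jpg that is really an MZ executable, can be checked for with a few lines of Python. This is an added example, not code from FireEye, Symantec or Bit9; the Squid-style log layout and all sample lines and bytes are constructed for the example.

```python
import re
import struct
from urllib.parse import urlsplit

# C&C endpoint reported by FireEye/Symantec for this campaign (quoted above).
C2_ENDPOINTS = {("110.173.55.187", 80)}

# Extensions an attacker might use to make a PE look like a picture.
IMAGE_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "bmp"}

# Squid native access-log layout (assumed for this example):
# time elapsed client code/status bytes method url user hierarchy type
SQUID_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def endpoint_of(url):
    """(host, port) the request went to, defaulting the port by scheme."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname, port


def scan_proxy_log(lines):
    """Return (client, url) for every request to a known C&C endpoint."""
    hits = []
    for line in lines:
        m = SQUID_RE.match(line)
        if not m:
            continue
        if endpoint_of(m.group("url")) in C2_ENDPOINTS:
            hits.append((m.group("client"), m.group("url")))
    return hits


def is_pe(data):
    """True if data carries a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def disguised_pe(filename, data):
    """The svchost.jpg trick: an image file name carrying a PE executable."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in IMAGE_EXTENSIONS and is_pe(data)


# Constructed sample data (not captured from the real attack).
SAMPLE_LOG = [
    "1362500000.123 200 10.0.0.21 TCP_MISS/200 15000 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html",
    "1362500001.456 80 10.0.0.21 TCP_MISS/200 512 GET http://110.173.55.187/index.asp - DIRECT/110.173.55.187 text/html",
    "1362500002.789 90 10.0.0.22 TCP_MISS/200 40 GET http://110.173.55.187:8080/ping - DIRECT/110.173.55.187 text/plain",
    "garbage line that does not parse",
]
# Minimal fake PE: MZ header, e_lfanew = 0x40, then the PE signature.
FAKE_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
REAL_JPEG_PREFIX = b"\xff\xd8\xff\xe0" + b"\x00" * 60

if __name__ == "__main__":
    for client, url in scan_proxy_log(SAMPLE_LOG):
        print("C&C beacon from", client, "to", url)
    print("svchost.jpg is PE:", disguised_pe("svchost.jpg", FAKE_PE))
    print("photo.jpg is PE:", disguised_pe("photo.jpg", REAL_JPEG_PREFIX))
```

The port is matched as well as the address because the reporting specifies port 80; a beacon to the same host on another port would be a different indicator and should be added to C2_ENDPOINTS explicitly rather than matched by accident. The PE check follows e_lfanew to the PE signature instead of stopping at the two MZ bytes so that a file that merely starts with "MZ" is not misreported.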


Security experts suggest disabling Java in the browser if it is not needed, and in any case disabling it until Oracle releases a patch. We cannot ignore, however, that it is not certain Oracle will issue an update for retired versions of Java such as Java 6.

We just have to wait for Oracle java software updates!

Sunday, March 3, 2013

Old School Hacker Spying on European Governments

Kaspersky Lab's team of experts recently published a research report on a new piece of malware called 'MiniDuke', which has been used to target government officials in more than 20 countries, including Ireland and Romania.

In a recent attack this week, the malware infected government computers in an attempt to steal geopolitical intelligence. The computers were infected via a malicious PDF email attachment, and the perpetrators operated from servers based in Panama and Turkey.

According to Kaspersky Lab CEO Eugene Kaspersky,"I remember this style of malicious programming from the end of the 1990s and the beginning of the 2000s. I wonder if these types of malware writers, who have been in hibernation for more than a decade, have suddenly awoken and joined the sophisticated group of threat actors active in the cyber world."


Last week Adobe released an update that patches the Adobe Reader bug (CVE-2013-0640) used in the attack. Once the PDF was opened, the MiniDuke malware installed itself on the victim's computer. It is not known what information the attackers are targeting.

MiniDuke has attacked government entities in Belgium, Brazil, Bulgaria, Czech Republic, Georgia, Germany, Hungary, Ireland, Israel, Japan, Latvia, Lebanon, Lithuania, Montenegro, Portugal, Romania, Russian Federation, Slovenia, Spain, Turkey, Ukraine, United Kingdom and United States.

The malware also compromised the computers of a prominent research foundation in Hungary, two think tanks, and an unnamed healthcare provider in the US.

source: http://thehackernews.com

Another Java 0day Vuln Exploited in the Wild


Do you still have Java installed? There is bad news for you: FireEye has detected yet another Java zero-day vulnerability being exploited in attacks in the wild.

The vulnerability affects browsers running the latest versions of the Java plugin, Java 1.6 Update 41 and Java 1.7 Update 15, and FireEye's researchers warn that it is being exploited to install a remote-access trojan dubbed McRat.

"Not like other popular Java vulnerabilities in which security manager can be disabled easily, this vulnerability leads to arbitrary memory read and write in JVM process,"

"After triggering the vulnerability, exploit is looking for the memory which holds JVM internal data structure like if security manager is enabled or not, and then overwrites the chunk of memory as zero."

The exploit is reportedly different from the one used to attack Facebook, Twitter, Apple, and several other companies last month.

It is not known whether this particular Java vulnerability affects only Windows or also Linux and Mac OS X. However, McRat is a Windows trojan, so the in-the-wild attacks are specifically targeting Windows users.

If you don't want any chance of being infected, the best thing to do is uninstall Java altogether.

source: http://thehackernews.com