Someone always checks up on you

I would like to start by thanking Smit Bharatkumar Shah from http://about.me/smitbshah for bringing to our attention that our site has a potential security vulnerability that could be used by malicious attackers to preform phishing and/or clickjacking attacks. With his help we were able to prevent this attack from occurring. No customers have been affected by this issue.

Our ScanMyServer.com service has been providing security scan reports and vulnerability information for sites from all over the world; but we did however neglect to do one small thing, which is scan our web site with the same service. If we had, ScanMyServer.com would have shown us of the potential issue. How embarrassing is that?!

We have checked our logs for any sign that the vulnerability has been exploited or our customers have been misused but nothing came out. Due to the nature of this issue, any attack would have been recorded in the logs.

The solution for the above mentioned vulnerability is a simple two step fix:
1) Run:
a2enmod headers

2) Add to /etc/apache2/conf.d/security the following line:
Header always append X-Frame-Options SAMEORIGIN

If any of you finds any other issues in our site, please contact us at support@beyondsecurity.com and we will be happy to credit you with the find. Thanks for making our service better!

Why PS3 Encryption Key Leak is not an End Game

A lot of people a speculating that since the PS3 LV0 encryption key has leaked, that all bets are off and piracy for the PS3 is now a fact and there is nothing Sony can do to resolve. They further claim, even if Sony releases a patch, with the availability of this LV0 encryption key, hackers would just need to decrypt the update and snatch from it the new LV0 keys if those are updated using a patch.

This reminds me of a story about a Satellite Broadcaster a few years ago that has lost similar encryption keys that were part of its update mechanism for enabling/disabling your subscription card. Once you had this encryption key you could enable your card without needing to pay anything to the broadcaster.

When this news got out, it seemed to be an obvious bet that the company would go bankrupt in a few months as piracy would ruin them.

But the broadcaster didn’t lose hope and devised a plan that was quite ingenuous. They knew that updating the encryption key in one “bang” would be blunt and very easy to track down. So instead, over the course of a year they sent “junk” data as part of their updates, gradually sending out more and more chunks of indecipherable data. Then one day, they “executed” this “junk” data, and voila! the “junk” wasn’t junk at all. It was self decrypting pieces of code.

There were two very clever parts to their plan. First, they data they sent just hid there until it got executed. In fact, only in retrospect it was noticed that there was even “junk” data there. The second part was that it was not executable on anywhere but on their specific platform. You couldn’t decrypt that data as it used inherit functionality of the hardware on which it ran – you couldn’t easily disassemble it without knowing some of the secret ASM code that ran on their hardware.

The moral of this story  is, even when all is lost, as long as your true customers are updating, and your thieves need to upgrade too in order to enjoy the full benefits of the system, you can always regain control over you hardware – in essence having “code execution” on your system allows you full control over it, even if someone else is watching and tracking what you are doing – it is just a tad harder to do so in a way that will mask from guy who controls the system what you are doing.

Windows Device Driver Fuzzing

We recently received a request to adapt the beSTORM  fuzzing framework to fuzz a series of Windows Device Drivers. It appears that there is little documentation and practically no commercial tools to provide proper fuzzing for Windows Drivers.

Adding support for device driver fuzzing required us to add a few function to our already existing File Utils library. This library allows you to create and read files with the intent of using the information inside these files to either fuzz something else, or provide a file to a piece of software that you intend to test.

With a device driver you basically do the same, but instead of opening an ordinary file, you open a device driver – usually in the form of “\\.\AAA”. The AAA is replaced by a string that tells the Windows operating system what device he should open. To provide this function inside beSTORM we introduced the Win32CreateFile wrapper function which receives the device driver’s name. This function returns a HANDLE that is then fed to the Win32CloseHandle wrapper function to close the opened handle.

The next step in fuzzing a Windows Device Driver is to send it information and in some cases read from it information. This is done through our Win32DeviceIoControl wrapper function, which receives the HANDLE from Win32CreateFile, and is passed an InBuffer as well as a IoControlCode value. Most commonly this value will be generated through the CTL_CODE macro under Visual Studio, and since it is usually very difficult to calculate this value by “hand” we provide a wrapper function called Win32CtlCode to allow you to do this inside the module you create.

Here is a complete “block” that utilizes all these wrapper functions and exploits a vulnerability in DVWDDriver – which was built with vulnerabilities inside it as an educational tool.

<SC Name="Sequence">
<SP Name="Win32CreateFile" Procedure="Win32CreateFile" Library="File Utils.dll">
<S Name="Filename">
<EV Name="Filename value" ASCIIValue="\\.\DVWD" Description="CreateFile Filename" />
</S>
<S Name="DesiredAccess">
<C Name="DesiredAccess value" Value="C0 00 00 00" />
</S>
<S Name="ShareMode">
<C Name="ShareMode value" Value="00 00 00 07" />
</S>
<S Name="CreationDisposition">
<C Name="CreationDisposition value" Value="00 00 00 03" />
</S>
</SP>
<SP Name="Win32DeviceIoControl" Procedure="Win32DeviceIoControl" Library="File Utils.dll">
<S Name="HANDLE">
<PC Name="HANDLE" ConditionedName="Win32CreateFile" Parameter="HANDLE"/>
</S>
<S Name="InBuffer">
<B Name="InBuffer value" />
</S>
<SP Name="IoControlCode" Procedure="Win32CtlCode" Library="File Utils.dll">
<S Name="DeviceType">
<C Name="DeviceType value" Value="00000022" Comment="FILE_DEVICE_UNKNOWN" />
</S>
<S Name="Function">
<C Name="Function value" Value="00 00 08 01" />
</S>
<S Name="Method">
<C Name="Method value" Value="00 00 00 03" Comment="METHOD_NEITHER" />
</S>
<S Name="Access">
<C Name="Access value" Value="00 00 00 03" Comment="FILE_READ_DATA | FILE_WRITE_DATA" />
</S>
</SP>
</SP>
<SP Name="Win32CloseHandle" Procedure="Win32CloseHandle" Library="File Utils.dll">
<S Name="HANDLE">
<PC Name="HANDLE" ConditionedName="Win32CreateFile" Parameter="HANDLE"/>
</S>
</SP>
</SC>

Using Skype Manager? no? Expect incoming fraud

I have been using Skype ever since it came out, so I know my stuff.

I know how to write strong passwords, how to use smart security questions and how to – most importantly – avoid Phishing attempts on my Skype account.

But all that didn’t help me avoid a Skype mishap (or more bluntly as a friend said – Skype f*ckup).

It all started Saturday late at night (about 2am GMT), when I started receiving emails in Mandarin from Skype, my immediate thought was fraud, a phishing attempt, so I ignored it. But then I noticed I got also emails from Paypal with charges from Skype for 100$ 200$ 300$, and I was worried, was my account hacked?

I immediately went to PayPal and disconnected my authorization to Skype, called in Transaction Dispute on PayPal and then went on to look at my Skype account.

I looked into the recent logons to my account – nothing.

I looked into email changes, or passwords – nothing.

I couldn’t figure out how the thing got to where it was, and then I noticed, I have become a Skype Manager – wow I was promoted and I didn’t even send in my CV.

Yeah, joke aside, Skype Manager, is a service Skype gives to businesses to allow one person to buy Skype Credit and other people to use that Credit to make calls. A great idea, but the execution is poor.

The service appears to have been launched in 2012, and a few weeks after that, fraud started popping up. The how is very simple and so stupid it shameful for Skype to not have fixed this, since it was first reported (which I found) on the 21st of Jan 2012 on the Skype forum.

Apparently having this very common combinations of:
1) Auto-charge PayPal
2) Never used Skype Manager
3) Never setup a Work email for Skype

Makes it possible for someone to:
1) Setup you as a Skype Manager
2) Setup a new work email on some obscure service (mailinator was used in my case), and have all Skype emails for confirmations sent there

Yes, they don’t need to know anything BESIDE the Skype Call name of your account – which is easy to get using Skype Search.

Once you have become a Skype Manager, “you” can add users to the group you are managing – they don’t need to logon as all they need to do is use the (email) link you get to the newly assigned Work Email, yes, it doesn’t confirm the password – smart ha?

The users added to your Skype Manager can now take the Credit (its not money, it just call credits) and call anywhere they want.

Why this bug / feature not been fixed/addressed since the first time it was made public on the Skype Forum (probably was exploited before then), is anyone’s guess, talking to the Fraud department of Skype – he mainly stated that I should:
1) Change my password for Skype – yes, that would have helped nothing in this case
2) Make sure I authorize Skype only on trustworthy devices

The bottom line, Skype users, make sure:
1) You have configured your Skype Manager – if you are using Auto-Charge feature – I have disabled my Auto-Charge and PayPal authorization since then, and don’t plan on enabling it anytime (ever)
2) You have configured your Skype Work email – yes, if its unset, anyone can change it – without needing to know your current password – is this company a PCI authorized company? 😀

If you have more insight on the matter, let me know

– Noam

Hacktivity 2012 CFP

Hacktivity 2012 Call For Papers: Deadline June 1st

The 9th annual IT Security Festival for Central and Eastern Europe will be held in Hungary in late September. The Hacktivity 2012 conference/festival will bring together information security professionals from all of central Europe in an informal, educational, but highly technical form.

Papers for HACKTIVITY 2012 are now being solicited and we invite you to participate.

For more information see: https://hacktivity.com/en/news/cfp-is-out-hurry-up/

For a list of the 36 presentations done in 2011 see: https://hacktivity.com/en/hacktivity-2011/programs/

NOPCON 2012

NOPcon is a non-profit and free hacker conference which will be held in Istanbul, TURKEY on the 21 May.
The conference will be the first technical and international hacker conference in Istanbul. The conference aims to learn and exchange ideas and experiences between researchers , consultants and developers.

SPEAKERS
Moti Joseph – “Advanced Browser Exploiting”
Mohhammad Hluchan – “Militarization of Hacking and the New Cyber Arms Race in the Middle East”
Sertan Kolat – “Attacking iOS Applications”
Yasin Surer – “Kernel Exploiting”
Mert Sarica – “Attacking Android Applications”
Nebi Senol Yilmaz – “Defeating DDOS in FreeBSD Kernel”
Melih Tas – “Penetration Testing VOIP”
Ozan Ucar – “Real-world Penetration Testing Examples [Workshop]”
Evren Yalcin – “Advanced Web Application Security [Workshop]”
Celil Unuver – “SCADA (in)Security”

Registration
Registration for the conference can be made at free: http://www.nopcon.org/register/

XSSQL attack (HTML5)

HTML 5 brings a lot of new features to the web. One of its features is SQLite – a client side database engine which allows storage of data on the client side. Databases can be created and queried by the JavaScript.

It is pretty clear that many developers would use the opportunity to store information on the client side. The risk will be high if they use this repository and store there sensitive information such us user passwords, session ids, credit card numbers etc.

In case of XSS vulnerability in such website it would be possible to query these databases via JavaScript.
I even have a name for this attack – XSSQL :-) funny as well as concerning …

Eventually, XSS attacks still remain common and even more powerful with the ability to query client side databases and steal sensitive information.

See more details at http://yossi-yakubov.blogspot.com/2011/07/html-5-xssql.html

BlackHat 2011 USA

I wanted to congratulate Ivan and Nicolas our winners of the SecuriTeam Secure Disclosure free entry and travel expenses to BlackHat Briefings 2011 (USA).

I hope to see the rest of our researchers there, I will be posting more details on our drink-o-party that is scheduled to occur during those two days.

Follow my twitter @nrathaus, or email me at noamr[]beyondsecurity@com for more details.