
Open Whisper Systems – Forward Secrecy, Advanced cryptographic ratcheting and other great things

Some companies have made encryption and privacy into non-negotiable building blocks, rather than an afterthought. Open Whisper Systems is an exemplary designer of encrypted systems.

https://www.whispersystems.org/blog/advanced-ratcheting/

This article needs reading and re-reading by crypto fans.

 

 

Thieves can wirelessly unlock up to 100 million Volkswagens, each at the press of a button

http://www.theregister.co.uk/2016/08/11/car_lock_hack/

Security researchers will demonstrate how crooks can break into cars at will using wireless signals that can unlock millions of vulnerable vehicles.

The eggheads, led by University of Birmingham computer scientist Flavio Garcia alongside colleagues from German engineering firm Kasper & Oswald, have managed to clone a VW Group remote control key fob after eavesdropping on the gizmos’ radio transmissions.

The hack can be used by thieves to wirelessly unlock as many as 100 million VW cars, each at the press of a button. Almost every vehicle the Volkswagen group has sold for the past 20 years – including cars badged under the Audi and Skoda brands – is potentially vulnerable, say the researchers. The problem stems from VW’s reliance on a “few, global master keys.”

During an upcoming presentation, titled Lock It and Still Lose It — on the (In)Security of Automotive Remote Keyless Entry Systems at the Usenix security conference (abstract below) – the researchers are also due to outline a different set of cryptographic flaws in keyless entry systems as used by car manufacturers including Ford, Mitsubishi, Nissan and Peugeot.

The two examples are designed to raise awareness and show that keyless entry systems are insecure and ought to be re-engineered in much the same way that car immobilisers were previously shown to provide less than adequate protection.

While most automotive immobiliser systems have been shown to be insecure in the last few years, the security of remote keyless entry systems (to lock and unlock a car) based on rolling codes has received less attention. In this paper, we close this gap and present vulnerabilities in keyless entry schemes used by major manufacturers. In our first case study, we show that the security of the keyless entry systems of most VW Group vehicles manufactured between 1995 and today relies on a few, global master keys. We show that by recovering the cryptographic algorithms and keys from electronic control units, an adversary is able to clone a VW Group remote control and gain unauthorised access to a vehicle by eavesdropping a single signal sent by the original remote.

Secondly, we describe the Hitag2 rolling code scheme (used in vehicles made by Alfa Romeo, Chevrolet, Peugeot, Lancia, Opel, Renault, and Ford among others) in full detail. We present a novel correlation-based attack on Hitag2, which allows recovery of the cryptographic key and thus cloning of the remote control with four to eight rolling codes and a few minutes of computation on a laptop. Our findings affect millions of vehicles worldwide and could explain unsolved insurance cases of theft from allegedly locked vehicles.

Garcia was previously blocked from giving a talk about weaknesses in car immobilisers following a successful application to a British court by Volkswagen. This earlier research on how the ignition key used to start cars might be subverted was eventually presented last year, following a two year legally enforced postponement.

The latest research shows how tech-savvy thieves might be able to unlock cars locked by the vehicles’ owners without covering how their engines might subsequently be turned on.

WiReD reports that both attacks might be carried out using a cheap $40 piece of radio hardware to intercept signals from a victim’s key fob. Alternatively, a software defined radio rig connected to a laptop might be employed. Either way, captured data can be used to make counterfeit kit.

Microsoft accidentally releases backdoor keys to bypass UEFI secure boot

Secure Boot is a security feature that protects your device from certain types of malware, such as rootkits, which can hijack your system bootloader. Secure Boot also restricts you from running any non-Microsoft operating system on your device.

In other words, when Secure Boot is enabled, you will only be able to boot Microsoft-approved (cryptographically signature-checked) operating systems.

However, the Golden Keys disclosed by two security researchers, using the aliases MY123 and Slipstream, can be used to install non-Windows operating systems, say GNU/Linux or Android, on the devices protected by Secure Boot.

https://rol.im/securegoldenkeyboot/

Moreover, according to the blog post published by the researchers, it is impossible for Microsoft to fully revoke the leaked keys, potentially giving law enforcement (such as the FBI and NSA) a special backdoor that can be used to unlock Windows-powered devices in criminal cases.

The issue actually resides in the Secure Boot policy loading system, where a specially signed policy loads early and disables the operating system signature checks, The Register reports.

This specific Secure Boot policy was created and signed by Microsoft for developers, testers, and programmers for debugging purposes.

“During the development of Windows 10 v1607 ‘Redstone,’ MS added a new type of secure boot policy. Namely, “supplemental” policies that are located in the EFIESP partition…” the researchers said.

“…a backdoor, which MS put into secure boot because they decided to not let the user turn it off in certain devices, allows for secure boot to be disabled everywhere!”

Yesterday, Microsoft released its August Patch Tuesday update, which includes a security patch for a design flaw in Secure Boot for the second time in two months, but unfortunately, the patch is not complete.

http://techwarrior.us/oops-microsoft-accidentally-leaks-backdoor-keys-to-bypass-uefi-secure-boot/

Researchers crack open unusually advanced malware that hid for 5 years

http://arstechnica.com/security/2016/08/researchers-crack-open-unusually-advanced-malware-that-hid-for-5-years/

Espionage platform with more than 50 modules was almost certainly state sponsored.


The name “Project Sauron” came from code contained in one of the malware’s configuration files.

Security experts have discovered a malware platform that’s so advanced in its design and execution that it could probably have been developed only with the active support of a nation-state.

The malware—known alternatively as “ProjectSauron” by researchers from Kaspersky Lab and “Remsec” by their counterparts from Symantec—has been active since at least 2011 and has been discovered on 30 or so targets. Its ability to operate undetected for five years is a testament to its creators, who clearly studied other state-sponsored hacking groups in an attempt to replicate their advances and avoid their mistakes. State-sponsored groups have been responsible for malware like the Stuxnet- or National Security Agency-linked Flame, Duqu, and Regin. Much of ProjectSauron resides solely in computer memory and was written in the form of Binary Large Objects, making it hard to detect using antivirus.

https://securelist.com/files/2016/07/The-ProjectSauron-APT_research_KL.pdf

Because of the way the software was written, clues left behind by ProjectSauron in so-called software artifacts are unique to each of its targets. That means that clues collected from one infection don’t help researchers uncover new infections. Unlike many malware operations that reuse servers, domain names, or IP addresses for command and control channels, the people behind ProjectSauron chose a different one for almost every target.

“The attackers clearly understand that we as researchers are always looking for patterns,” Kaspersky researchers wrote in a report published Monday. “Remove the patterns and the operation will be harder to discover. We are aware of more than 30 organizations attacked, but we are sure that this is just a tiny tip of the iceberg.” Symantec researchers, in a report of their own, said they were aware of seven organizations infected.

Jumping air gaps

Part of what makes ProjectSauron so impressive is its ability to collect data from computers considered so sensitive by their operators that they have no Internet connection. To do this, the malware uses specially prepared USB storage drives that have a virtual file system that isn’t viewable by the Windows operating system. To infected computers, the removable drives appear to be approved devices, but behind the scenes are several hundred megabytes reserved for storing data that is kept on the “air-gapped” machines. The arrangement works even against computers in which data-loss prevention software blocks the use of unknown USB drives.

Kaspersky researchers still aren’t sure precisely how the USB-enabled exfiltration works. The presence of the invisible storage area doesn’t in itself allow attackers to seize control of air-gapped computers. The researchers suspect the capability is used only in rare cases and requires use of a zero-day exploit that has yet to be discovered. In all, Project Sauron is made up of at least 50 modules that can be mixed and matched to suit the objectives of each individual infection.

“Once installed, the main Project Sauron modules start working as ‘sleeper cells,’ displaying no activity of their own and waiting for ‘wake-up’ commands in the incoming network traffic,” Kaspersky researchers wrote in a separate blog post. “This method of operation ensures Project Sauron’s extended persistence on the servers of targeted organizations.”

Kaspersky researchers said they discovered the malware last September after a customer at an unidentified government organization hired them to investigate anomalous network traffic. They eventually unearthed a “strange” executable program library that was loaded into the memory of one of the customer’s domain controller servers. The library was masquerading as a Windows password filter, which is something administrators typically use to ensure passwords match specific requirements for length and complexity. The module started every time a network or local user logged in or changed a password, and it was able to view passcodes in plaintext.

The main purpose of the malware platform was to obtain passwords, cryptographic keys, configuration files, and IP addresses of the key servers related to any encryption software that was in use. Infected groups include government agencies, scientific research centers, military organizations, telecommunication providers, and financial institutions in Russia, Iran, Rwanda, China, Sweden, Belgium, and possibly in Italian-speaking countries.

Kaspersky researchers estimate that development and operation of the Sauron malware is likely to have required several specialist teams and a budget in the millions of dollars. The researchers went on to speculate that the project was funded by a nation-state, but they stopped short of saying which one.

KeySniffer: Hackers can snag wireless keyboard keystrokes from 250 feet away

http://www.computerworld.com/article/3101006/security/keysniffer-hackers-can-snag-wireless-keyboard-keystrokes-from-250-feet-away.html

Some keyboard manufacturers opted to save money by skipping over Bluetooth and instead have their wireless keyboards connect to computers using generic and undocumented transceiver alternatives. Those cheap transceivers wirelessly transmit keystrokes to the USB dongle without any encryption.

Bastille’s chief research officer Ivan O’Sullivan told Wired, “We were stunned. We had no expectation that in 2016 these companies would be selling keyboards with no encryption.”

Bastille is the same security firm that previously warned people about the MouseJack vulnerability, which could allow attackers to inject keystrokes in millions of wireless mice and keyboard models from a distance of up to 328 feet. But the newest KeySniffer attack goes beyond MouseJack since victims would not know they were being hacked; users wouldn’t even have to be using their computer as attackers could inject keystrokes while the keyboard is idle.

Newlin explained:

The keyboards vulnerable to KeySniffer use USB dongles which continuously transmit radio packets at regular intervals, enabling an attacker to quickly survey an environment such as a room, building or public space for vulnerable devices regardless of the victim’s presence. This means an attacker can find a vulnerable keyboard whether a user is at the keyboard and typing or not, and set up to capture information when the user starts typing.

In addition to eavesdropping on the victim’s keystrokes, an attacker can inject their own malicious keystroke commands into the victim’s computer. This can be used to install malware, exfiltrate data, or any other malicious act that a hacker could perform with physical access to the victim’s computer.

Newlin previously presented (pdf) the techniques he used to reverse engineer the shoddy transceivers at the Hack in the Box security conference in Amsterdam. An attacker could do the same with equipment that costs less than $100.

The KeySniffer attack works from “several hundred” feet away, the researchers say; Network World reported, “While this attack works at 250 feet line-of-sight it does work at greater distances, but they cite 250 feet because at that distance it works with 100% accuracy all the time.”

Wireless keyboards vulnerable to KeySniffer

The list of KeySniffer-affected devices only includes the keyboard models the research team tested, meaning there could be more. For now, the researchers are sure that keyboards manufactured by the following eight vendors are vulnerable: HP, Toshiba, Kensington, Insignia, General Electric, EagleTec, Radio Shack and Anker.

There is no way for the firmware to be updated in order to patch the vulnerability. If you own one of the flawed devices, then researchers advised tossing it out and going with a wired keyboard. If you use a Bluetooth keyboard, then don’t sweat it. If you want to stay wireless, then Bluetooth is the way to go.

Snoopers Charter would allow UK Government to ban end to end encryption

http://www.neowin.net/news/uk-government-admits-snoopers-charter-would-allow-it-to-ban-end-to-end-encryption

The UK government has publicly admitted that parts of the Investigatory Powers Bill (IPB), better known as the ‘Snooper’s Charter’, would allow it to force companies to ban end-to-end encryption.

In what may be viewed as a huge assault on the public’s privacy, not to mention digital security, the government would ask internet and communication service providers to “develop and maintain a technical capability to remove encryption that has been applied to communications or data”. As one member of the House of Lords put it, when debating the IPB, this essentially means that companies may not use end-to-end encryption, and could leave the public at risk, not to mention setting a supremely dangerous precedent.

Lord Strasburger explained:

The implication of what [the government] is saying is that no one may develop end-to-end encryption. One feature of end-to-end encryption is that the provider cannot break it; encryption is private between the users at both ends. He [the minister] seems to be implying that providers can use only encryption which can be broken and therefore cannot be end to end, so the next version of the Apple iPhone would in theory become illegal.

That’s because developing the technical capability to break strong encryption is a costly and problematic endeavor. So in essence, the government aims to force companies to offer weaker encryption and develop backdoors in their services. This is exactly what privacy and advocacy groups like the EFF warned about months ago, when the FBI was trying to force Apple to hack its devices.

As usual the powers granted by the Snooper’s Charter are claimed to be in the service of national security and the fight against terrorism. Earl Howe, minister of state for defence, argued that “there will be circumstances where it is reasonably practicable for a company to build in a facility to de-encrypt the contents of communication.”

But of course, the wider implications of such demands, by a democratic Western government no less, are rarely brought up by their proponents. However, Baroness Hayter attempted to explain:

The problem is whether the Government would ever require a company to engineer such access, enforcing the company to create a model which, if then followed by other nations with perhaps less security than ours, would lead to a lowering of standards.

Her arguments bring to mind recent cases where authoritarian regimes such as Turkey, Russia and China, have demanded they have access to user data and banned companies from using strong encryption which the government couldn’t bypass.

 

***Reddit Comments***

To be clear, the Government Minister of State for the Ministry of Defence in the House of Lords has clarified that certain clauses within the Investigatory Powers Bill do in fact compel Communications Service Providers to ensure that there is a capability for the state to acquire plaintext equivalents of encrypted communications if reasonably practicable if and only if the CSP has applied said crypto themselves.

  • Is this bad news for Whatsapp etc? Yes
  • Is this bad news for normal people? Yes
  • Is this bad news for crypto geeks? Kinda (it’s kinda abhorrent to have to undermine crypto for the state but nothing stopping you using PGP / OTR / etc)
  • Is “end to end crypto” banned? No
  • Is there a criminal offense for using crypto? No
  • Can you (a UK citizen) be jailed for refusing to decrypt your comms / HDDs etc? Yes (RIPA s.49 / s.50)

TL;DR; If you provide communications services (e.g. an app) and your app encrypts messages then the government can ask you to ensure you are able to decrypt messages if asked and if reasonably practicable.

Source: Provided written evidence to both the Parliamentary Joint Select Committee and the Science and Technology Committee against many powers within the bill (notably the encryption elements above, ICRs, Bulk EI (hacking) and the filter) and have been following this bill since its inception.

Edit: FWIW the House of Lords is having its final debate from 14:30 BST today in regards to ICRs (a record of every internet connection you make held for 12 months), the filter (a way to query *all* CSPs simultaneously for said ICRs using an identifier e.g. your name or your address) and more. You can watch it here: http://parliamentlive.tv/Event/Index/564fcfed-b0eb-4220-bc56-4206f6e3c889

***Conclusion***

  1. Do encrypt your communications separately to your ISP (your ISP has to decrypt your data if asked and they are able).
  2. Use a service dedicated to privacy. Use a VPN provider that both provides its own DNS (so your ISP’s DNS server is not used) and does not keep logs, so that even if a court order is served, they are unable to comply.
  3. I use IVPN, along with a number of other privacy tools.   I’m a proud affiliate of IVPN, as I can’t find anyone who’s better.  I won’t promote anyone else, as nothing compares to them in my opinion.

IVPN – Free Trial of VPN

https://uwnthesis.wordpress.com/2016/05/26/ivpn-free-trial/

Warrant Canary – can be found here:

https://www.ivpn.net/resources/canary.txt


Flaws found in security products from AVG, Symantec and McAfee

http://breakingmalware.com/vulnerabilities/captain-hook-pirating-avs-bypass-exploit-mitigations/

Hundreds of security products may not be up to the job, researchers say, thanks to flawed uses of code hooking.

The research is the handiwork of EnSilo duo Udi Yavo and Tommer Bitton, who disclosed the bugs in anti-virus and Windows security tools ahead of their presentation at the Black Hat Las Vegas conference next month.

The pair say 15 products including AVG, Symantec, and McAfee are affected. Scores more may be vulnerable thanks to their use of Microsoft’s Detours, code Redmond says is used for “re-routing Win32 APIs underneath applications [and] is licensed by over 100 ISVs and used within nearly every product team at Microsoft.”

The researchers did not specify if Microsoft’s enhanced mitigation experience toolkit (EMET) is affected.

Attackers would already need access to a system to reap the benefits of the vulnerabilities and neuter the security platforms running on the target system.

“We found six different common security issues that stem from incorrect implementation of code hooking and injections techniques,” the pair say.

“These issues were found in more than 15 different products.

“Practically, it means that thousands of products are affected.”

Microsoft is brewing a patch for Detours due to drop next month which will help to address matters.

The pair examined intrusive user-mode hooks common across end point security products and man-in-the-middle malware alike, namely the Duqu trojan, making the “depressing” finding that many are vulnerable to exploitation.

KALI LINUX 2.0 – How To: Reset Linux MySQL Root user password

This video will detail how to reset the root account password on a MySQL database.

https://learnnetsec.blogspot.co.uk/

Download PDF (3 pages)

https://drive.google.com/file/d/0B6jPadgZoPsbTlVHYkg2aDRxazA/view?pref=2&pli=1


Open a terminal as root

service mysql stop

mysqld_safe --skip-grant-tables & (then press enter twice)

mysql -u root (hit enter)

Reset Password:

use mysql;

update user set password=PASSWORD("yournewpasswordhere") where user='root';

flush privileges;

Restart MySQL:

service mysql restart

Testing:

mysql -u root -p

enter your password here and hit enter

Type exit and hit enter to quit.
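
The same reset as one script, as an added example that is not from the original post or video: it adds `--skip-networking`, because while grant tables are skipped the server accepts any login, and it escapes the new password before placing it in the SQL. The function names are this example's own, and the `password` column is the one used in the steps above (MySQL 5.7 and later store it in `authentication_string` instead).

```shell
#!/bin/sh
# Added example: scripted version of the manual reset steps above.
# Function names are illustrative. Source this file as root, then call:
#   reset_root_password 'yournewpasswordhere'

# Escape backslashes and single quotes so the password cannot
# break out of the SQL string literal.
sql_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g"
}

# Build the statements that the manual steps type at the mysql prompt.
build_reset_sql() {
    printf "UPDATE mysql.user SET password=PASSWORD('%s') WHERE user='root';\nFLUSH PRIVILEGES;\n" \
        "$(sql_escape "$1")"
}

reset_root_password() {
    new_pw=$1
    [ -n "$new_pw" ] || { echo "usage: reset_root_password NEWPASS" >&2; return 2; }
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }

    service mysql stop || return 1

    # --skip-grant-tables turns off all authentication, so also pass
    # --skip-networking: only local socket clients can connect meanwhile.
    mysqld_safe --skip-grant-tables --skip-networking >/dev/null 2>&1 &

    # Wait up to 30 seconds for the server to accept socket connections.
    i=0
    until mysql -u root -e 'SELECT 1' >/dev/null 2>&1; do
        i=$((i + 1))
        [ "$i" -lt 30 ] || { echo "mysqld did not start" >&2; return 1; }
        sleep 1
    done

    # The password goes in over stdin, not on the mysql command line.
    build_reset_sql "$new_pw" | mysql -u root || return 1

    # Restart normally so grant tables and networking are enforced again.
    service mysql restart
}
```

Afterwards, `mysql -u root -p` should prompt for the new password, and a login without `-p` should be refused.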

 

 

KALI – Bleeding Edge Repository

The power of Linux is in the repositories, and how stable they are.  If you are using Kali Linux, then you’ll know that Debian Linux is prized for its stability.  Therefore it should come as no surprise that the Kali team have separated out the stable from the “Bleeding edge” tools. Bleeding edge tools are likely to break, which is why they are separate.

Step 1 A: Code (Fully automatic updates).

echo deb http://repo.kali.org/kali kali-bleeding-edge main >> /etc/apt/sources.list
apt-get update
apt-get upgrade

Step 1 B: Code (Opt-In updates)

We’ve set up an opt-in “Kali bleeding edge” repository which contains daily builds for several useful and frequently updated tools. These repositories are still highly experimental (meaning we expect things to break from time to time until we get more feedback from the community).

echo deb http://http.kali.org/kali kali-bleeding-edge contrib non-free main >> /etc/apt/sources.list
apt-get update
apt-get upgrade

Tools:

These are the tools considered bleeding edge. Some, such as SQLMAP, are amazing, but probably illegal in many countries. Use SQLMAP against your own databases, and see what happens. Warning: sit down if you’ve got any medical conditions. Once this baby works, she’s amazing.

SQLMAP

  • aircrack-ng

  • beef-xss

  • dnsrecon

  • johnny

  • libfreefare

  • libnfc

  • mfcuk

  • mfoc

  • rfidiot

  • set

  • sqlmap

  • w3af


CppCon 2015: Greg Law ‘Give me 15 minutes & I’ll change your view of GDB’
