
nomx: The world’s most secure communications protocol – BBC Click

A great episode of BBC Click – detailing the security breaches of a super secure email server, which runs (I’m not joking) on a Raspberry Pi.  Yikes.

https://scotthelme.co.uk/nomx-the-worlds-most-secure-communications-protocol/

http://www.bbc.co.uk/iplayer/episode/b08p1nts/click-29042017

I was recently invited to take part in some research by BBC Click, alongside Professor Alan Woodward, to analyse a device that had quite a lot of people all excited. With slick marketing, catchy tag lines and some pretty bold claims about their security, nomx claim to have cracked email security once and for all. Down the rabbit hole we go!

nomx

You can find the official nomx site at https://www.nomx.com and right away you will see how secure this device is.


Now, I’m not sure how someone is supposed to edit this PHP file right now because I can’t see the SSH instructions anywhere nor can I see the setup password anywhere either. To save you all the trouble I extracted the hash of the original password whilst I had SSH access and you can see it here:

ec949c6a38322f160e8975cea965b4f6:1b84261e5d578c248825a58512175fa17d2bc118  

It turns out this was pretty easy to break after I had a quick dig in the source to see how they generated the hash.

// Salt: MD5 of the current time, the client IP and a small random number.
// All three inputs are low-entropy and largely predictable.
function generate_setup_password_salt() {
    $salt = time() . '*' . $_SERVER['REMOTE_ADDR'] . '*' . mt_rand(0,60000);
    $salt = md5($salt);
    return $salt;
}

// "Encryption" is a single SHA-1 over "salt:password", stored as "salt:digest".
// One fast hash round per guess, so offline guessing is cheap.
function encrypt_setup_password($password, $salt) {
    return $salt . ':' . sha1($salt . ':' . $password);
}

Soooo, yeah. I also had a dig around in the config file and stumbled over this which is used during the setup process.

$CONF['min_password_length'] = 5;

Anyway, the main point for now was that I managed to crack the setup password, which was "death", with a quick tweet asking for help (or I could have set my own if I'd needed to), so I could create an account and log in to the device.


The master password for the whole system is “death”.
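To make the weakness of the scheme above concrete, here is a Python port of it next to a hardened replacement. This is an added example, not nomx's code or Scott Helme's; the function names, the PBKDF2 parameters and the 12-character minimum are my own choices, not anything the device ships with.

```python
import hashlib
import hmac
import random
import secrets
import time
from typing import Optional

# --- Port of the nomx scheme quoted above (constructed here for illustration) ---

def nomx_salt(remote_addr: str, now: Optional[int] = None) -> str:
    # md5(time * client-ip * small random number), exactly as the PHP does
    now = int(time.time()) if now is None else now
    raw = f"{now}*{remote_addr}*{random.randint(0, 60000)}"
    return hashlib.md5(raw.encode()).hexdigest()

def nomx_hash(password: str, salt: str) -> str:
    # one SHA-1 over "salt:password", stored as "salt:digest"
    return salt + ":" + hashlib.sha1(f"{salt}:{password}".encode()).hexdigest()

def nomx_verify(password: str, stored: str) -> bool:
    salt, _ = stored.split(":", 1)
    return hmac.compare_digest(nomx_hash(password, salt), stored)

# --- Hardened replacement (my choices, not the device's code) ---

ITERATIONS = 600_000          # deliberately slow: ~hundreds of ms per guess
MIN_PASSWORD_LENGTH = 12      # the device's config allows 5

def strong_hash(password: str, iterations: int = ITERATIONS) -> str:
    # random 128-bit salt from the OS CSPRNG, PBKDF2-HMAC-SHA256, self-describing record
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"

def strong_verify(password: str, stored: str) -> bool:
    iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    # constant-time comparison so a failed check leaks nothing about the digest
    return hmac.compare_digest(digest.hex(), digest_hex)

def password_allowed(password: str) -> bool:
    # policy check a setup wizard should enforce before hashing anything
    return len(password) >= MIN_PASSWORD_LENGTH

if __name__ == "__main__":
    weak = nomx_hash("death", nomx_salt("192.0.2.10"))   # constructed client IP
    print("weak record:", weak, nomx_verify("death", weak))
    strong = strong_hash("correct horse battery staple")
    print("strong record:", strong, strong_verify("correct horse battery staple", strong))
    print("'death' allowed by policy:", password_allowed("death"))
```

The two records look superficially similar (salt plus digest), but the first costs one SHA-1 per guess while the second costs 600,000 HMAC rounds, which is the difference between a five-letter word falling to a tweet and it surviving a sustained offline attack.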

Undocumented admin account

After delving into the database on the device and browsing through a few tables, I saw something that horrified me. There was another admin account alongside my own that I hadn’t created.

mysql> select * from admin;  
+------------------------+------------------------------------+---------------------+---------------------+--------+
| username               | password                           | created             | modified            | active |
+------------------------+------------------------------------+---------------------+---------------------+--------+
| admin@example.com      | $1$d2242313$UJ6TolBZXSQQvrXvlMZO2/ | 2015-10-10 18:31:30 | 2016-10-24 21:35:46 |      1 |
| scotthelme@hotmail.com | $1$7d33f257$qxWGsOPg1PX6Axu.NoNaK0 | 2017-03-13 17:24:05 | 2017-03-13 17:24:05 |      1 |
+------------------------+------------------------------------+---------------------+---------------------+--------+

I extracted the hash and posted it to Twitter to see if I could crowd-source the input and it didn’t take very long for someone to come back to me with the answer.

The password was, quite literally, “password”. Sure enough, I immediately opened up the web interface and I could indeed log in with the username admin@example.com and the password password. I had full control of the device. This is inexplicably bad for more reasons than I care to list, but coupled with the above CSRF attack I now don’t need to depend on the user being logged in to the device to perform administrative functions; I can simply log in to the device with these admin credentials and do anything I like. All this requires is two simple iframes on a page.


Well done BBC Click!

Make your computer speak what you type using notepad

I’ve just found a site that has applications coded in Notepad.  The applications are really fun to use.  I’d recommend that you check out this site.

https://errorcode401.blogspot.co.uk/2013/07/Make-your-computer-speak-what-you-ype-using-notepad.html

Create Application using notepad to make computer speak what you type

Here is an interesting piece of code, created by us, to make your computer speak what you type.

Let’s Start.

Step 1: Open Notepad. [Start >> Run >> type “notepad” >> Enter]

Step 2: Copy the following code into Notepad, then save it with the .hta extension [e.g. MSG-Speaker.hta]

<html><head><title>Message Speaker - ErrorCode 401</title><HTA:APPLICATION
APPLICATIONNAME="Message Speaker - ErrorCode 401"
ID="Message Speaker - ErrorCode 401"
VERSION="1.0"
MAXIMIZEBUTTON="no"
SCROLL="no"/></head>
<style> td { color: Black; }
caption { color: Black; }

body { font-family: Arial; background-color: #388A9F; color: #808080; }
input { background-color: #202020; color: #808080; }
textarea { background-color: #22374B; color: #D6E1EC; font-weight: bold; }
</style>

<script language="VBScript">
' Resize the HTA window once it has loaded
Sub Window_OnLoad
Dim width,height
width=470
height=400
self.ResizeTo width,height
End Sub

' Read the textarea and hand its contents to the Windows speech API (SAPI)
Function Listen
Dim message, sapi
message = tamsg.value
If (message = "") Then
    MsgBox "Enter your message", 48, "Error Message"
Else
    Set sapi = CreateObject("sapi.spvoice")
    sapi.Speak message
End If
End Function
</script>

<body bgcolor="white">
<span title="Visit our blog for more http://www.errorcode401.blogspot.in"> <marquee color="white" bgcolor="black" style="font-family: Book Antiqua;">This code is uploaded on <font color="cyan">http://www.errorcode401.blogspot.in</font></marquee>
</span> <table align="center" width="400"> <caption style="font-family:Book Antiqua; font-size:20;"><hr color="black"><b>Message Speaker</b><hr color="black"></caption>
<tr> <td align="center"> <span title="Enter your full message here"><textarea id="tamsg" cols="50" rows="10"></textarea></span> </td> </tr>
<tr> <td align="right" style="font-family: Book Antiqua; font-size:18;"> <hr color="black"> <span title="Click here to listen to your message">
<input style="width: 130px; height:25px; color: white; background-color: #203040; font-family:Book Antiqua; font-size:15;" type="button" value="Listen" id="btnsp" onClick="Listen()" onmouseover="btnsp.style.background=&quot;#102030&quot;" onmouseout="btnsp.style.background=&quot;#203040&quot;"> </span> </td> </tr> <tr>
<td align="right"><hr color="black"> <span title="All rights reserved by Attract Tech" style="font-size: 13px; font-family:Book Antiqua;">&copy; 2013 Attract Tech - All rights reserved.</span> </td> </tr> </table> </body> </html>

Step 3: Now open that file by double-clicking it and a window will appear.

Type the text you want to hear into the text box, then click the Listen button.

Reference:

https://errorcode401.blogspot.co.uk/2013/07/Make-your-computer-speak-what-you-ype-using-notepad.html

Embedded Cryptography Should Be A Requirement for IoT

Security is a top concern for the Internet of Things, as essential as low power consumption, affordability, and wireless connectivity.

Because IoT devices are optimized for low power consumption and affordability, many have less than optimal computing resources. The good news is there are several options for using cryptography to make it more difficult for hackers to hijack your living room webcam, video doorbell or car.

The denial-of-service attack last October showed how cheap IoT devices that had no security–in many cases not even proper password protections–could be hacked to flood Web sites with traffic, shutting them down. In an increasingly connected future, consequences could include having water or electricity shut off, security systems disabled, or even loss of life for attacks on medical devices.

For the IoT, authentication ensures that devices are interacting with authorized gateways and cloud services, and that those in turn verify they are working with authentic IoT nodes. The sender uses a hashing algorithm and a shared secret key to generate a tag known as a message authentication code (MAC). The receiver runs the same algorithm with the same key to recompute the MAC and compares it with the one it received.

The strength of the MAC depends on the strength of the hashing algorithm, the length of the key used and whether the key is shared secretly and stored securely. The current state-of-the-art hashing algorithm for cryptographic purposes is SHA-256 with 256-bit keys.

For sharing keys securely, either a secure channel can be used or a Diffie–Hellman key exchange over an insecure channel. Storing keys securely is another challenge, and it’s advisable to store them separately from application data and the data being authenticated. Properly equipped integrated chips can require a secure boot and secure firmware updates.
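The exchange described above, written out as a runnable Python example (added here; it is not code from the article). The node tags a reading with HMAC-SHA256 under a 256-bit shared key and the gateway recomputes the tag; the key would normally be provisioned out of band or agreed via Diffie–Hellman, but here it is generated inline so the example runs offline, and the reading format and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

# Shared secret: 256-bit key. In a deployment this is provisioned into the
# node's secure storage and the gateway's key store, never sent in the clear.
KEY = secrets.token_bytes(32)

def tag_message(key: bytes, message: bytes) -> bytes:
    # HMAC-SHA256 tag: 32 bytes, keyed so a forger without the key cannot produce it
    return hmac.new(key, message, hashlib.sha256).digest()

def node_send(key: bytes, reading: str) -> Tuple[bytes, bytes]:
    # IoT node side: emit (message, tag)
    msg = reading.encode()
    return msg, tag_message(key, msg)

def gateway_accept(key: bytes, message: bytes, tag: bytes) -> bool:
    # Gateway side: recompute and compare. compare_digest runs in constant time;
    # a plain == would leak, byte by byte, how much of a forged tag was right.
    expected = tag_message(key, message)
    return hmac.compare_digest(expected, tag)

def demo() -> Tuple[bool, bool, bool]:
    # constructed reading: an authentic message, a tampered one, and a wrong key
    msg, tag = node_send(KEY, "temp=21.5;node=17")
    genuine = gateway_accept(KEY, msg, tag)
    tampered = gateway_accept(KEY, msg.replace(b"21.5", b"99.0"), tag)
    wrong_key = gateway_accept(secrets.token_bytes(32), msg, tag)
    return genuine, tampered, wrong_key

if __name__ == "__main__":
    print("genuine accepted, tampered accepted, wrong-key accepted:", demo())
```

A MAC on its own proves origin and integrity of each message, not freshness: a captured (message, tag) pair verifies again later, so in practice the message also carries a counter or timestamp that the gateway checks against the last value it saw.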

Encryption has been used for millennia. Ancient Greek generals passed messages to each other encoded on leather strips. To be read they had to be rolled around a scytale, a rod made to a secret diameter. Only a rod of the proper diameter would render the message correctly.

Today AES is the accepted standard to encrypt and decrypt our messages using digital keys. Symmetric key cryptography uses the same key to encrypt and decrypt the message, making it critical to keep the key secret. Asymmetric cryptography uses a shared, public key and a private key which is kept secret.

While asymmetric key cryptography has the benefit of added security over insecure channels, it’s more than 1,000 times more computationally expensive than symmetric key cryptography. Asymmetric cryptography can be used to establish a secure channel to exchange secret keys which can be used for subsequent symmetric methods. Alternatively, symmetric key cryptography used along with Diffie–Hellman key exchange is often secure enough for many embedded applications.

For IoT devices, hardware acceleration makes sense. Authentication chips or cryptographic co-processors can carry out sophisticated encryption and authentication efficiently in hardware, saving battery life and processor cycles. It takes more effort to secure any connected computing device, but in the long run, it’s the right thing to do.

Reference:

http://tekedia.com/63866/embedded-cryptography-requirement-iot/

How to create encryption program in Notepad

Hello! With this simple HTML Application you can encrypt and decrypt a message with a password. First I will show you how to create it, and then I will show you how to use it.

Let’s Start.

Step 1: First of all, open Notepad. [Start >> Run >> type “Notepad” >> Enter]
Step 2: Copy the following code into Notepad, starting from <html> and ending at </html>

<html><head><title>Message Encrypter/Decrypter - Error Code 401</title><HTA:APPLICATION
APPLICATIONNAME="Message Encrypter/Decrypter - Error Code 401"
ID="Message Encrypter/Decrypter - Error Code 401"
VERSION="1.0"
MAXIMIZEBUTTON="no"
SCROLL="no"/></head>
<style> td { color: Black; }
caption { color: Black; }
body { font-family: Arial; background-color: #708090; color: #808080; }
input { background-color: #202020; color: #808080; }
textarea { background-color: #202020; color: #808080; }
</style>

<script language="VBScript">
Sub Window_OnLoad
Dim width,height
width=700
height=500
self.ResizeTo width,height
End Sub

' Check that a password and a message were supplied, then derive the key
' and run the requested operation (ID is "Encrypt" or "Decrypt")
Function Validate(ID)
If (pass.value = "") Then
    MsgBox "You have to enter your password..!", 48, "Error"
ElseIf (tamsg.value = "") Then
    MsgBox "Enter the text to encrypt or decrypt!", 48, "ERROR!"
Else
    Call KEYS(ID)
End If
End Function

' Derive the numeric key: sum of the password's character codes, reduced Mod 255.
' Only 255 distinct keys exist and any anagram of the password gives the same key,
' so this is a toy cipher, not real encryption.
Function KEYS(ID)
text = pass.value
code = 0
Do Until text = ""
    code = Asc(Left(text, 1)) + code
    text = Mid(text, 2)
Loop
code = code Mod 255
akey.value = code
If ID = "Encrypt" Then
    Encrypt
Else
    Decrypt
End If
End Function

' Each character becomes a letter (value Mod 26) followed by a single digit
' (how many 26s were removed); the shifted value is always 0..254, so the digit is 0..9
Function Encrypt
Alpha = Array("A", "B", "C", "D", "E", "F", "G", "H", "I", "J", "K", "L", "M", "N", "O", "P", "Q", "R", "S", "T", "U", "V", "W", "X", "Y", "Z")
text = tamsg.value
code = ""
key = Int(akey.value)
Do Until text = ""
    cnum = Asc(Left(text, 1))
    cnum = (cnum + key) Mod 255
    num = cnum Mod 26
    count = (cnum - num) \ 26
    code = code & Alpha(num) & count
    text = Mid(text, 2)
Loop
tamsg.value = code
End Function

' Inverse of Encrypt: read letter+digit pairs, rebuild the shifted value, remove the key.
' The original listing breaks off after "Do While num"; the loop body and the
' remainder below are reconstructed as the exact inverse of Encrypt.
Function Decrypt
text = tamsg.value
code = ""
key = Int(akey.value)
Do Until text = ""
    lttr = Left(text, 2)
    num = Asc(Left(lttr, 1)) - 65
    chk = Right(lttr, 1)
    num = num + 26 * Int(chk)
    num = num - key
    Do While num < 0
        num = num + 255
    Loop
    code = code & Chr(num)
    text = Mid(text, 3)
Loop
tamsg.value = code
End Function
</script>

<body bgcolor="white"> <input type="hidden" id="akey"> <span title=""> <span title="Visit our blog for more http://www.errorcode401.blogspot.in">
<marquee color="white" bgcolor="black" style="font-family: Book Antiqua;">This code is uploaded on <font color="cyan">http://www.errorcode401.blogspot.in</font></marquee> </span> <table align="center" width="400">
<caption style="font-family:Book Antiqua; font-size:20;"><hr color="black"><b>Message Encrypter-Decrypter</b><hr color="black"></caption>
<tr> <td align="center"><span title="Enter your full message here"><textarea id="tamsg" cols="80" rows="15"></textarea></span></td> </tr>
<tr> <td style="font-family: Book Antiqua; font-size:18;"><hr color="black"> Password &nbsp;<span title="Enter your password here">
<input type="password" id="pass"></span> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<span title="Click here to encrypt your message"> <input style="width: 170px; height:23px; color: white; background-color: #203040; font-family:Book Antiqua;" type="button" value="Encrypt" id="btnenc" onClick="Validate(&quot;Encrypt&quot;)" onmouseover="btnenc.style.background=&quot;#102030&quot;" onmouseout="btnenc.style.background=&quot;#203040&quot;"> </span> <span title="Click here to decrypt your message"> <input style="width: 170px; height:23px; color: white; background-color: #203040; font-family: Book Antiqua; font-size:13;" type="button" value="Decrypt" id="btndec" onClick="Validate(&quot;Decrypt&quot;)" onmouseover="btndec.style.background=&quot;#102030&quot;" onmouseout="btndec.style.background=&quot;#203040&quot;"> </span></td>
</tr> <tr> <td align="right"><hr color="black"><span title="All rights reserved by Attract Tech" style="font-size: 13px; font-family:Book Antiqua;">&copy; 2013 Attract Tech - All rights reserved.</span></td> </tr> </table> </span> </body> </html>


Step 3: Save it with the .hta extension [e.g. MSG-EncDec.hta]

How to use?

Step 1: Double-click the file. A window will open, as shown in the following image.

Step 2: Write your message/string in the text area, as shown in the image.

Step 3: Type your password in the Password textbox.

Step 4: Click the Encrypt button.

You will then see your encrypted message in the text area. Copy it and save it anywhere.

Enter the same password in the password box and click the Decrypt button to get your original message back.
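To see what the HTA above actually does to a message, here is a Python port of its cipher (an added example, not errorcode401's code; the function names are mine). It reproduces the key derivation, the letter-plus-digit encoding and the decryption, and its helpers show the two properties a practitioner should notice: the key is a single number in 0..254, and any two passwords with the same character sum, such as "ab" and "ba", derive the same key and so decrypt each other's messages.

```python
from typing import List

ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
MODULUS = 255          # the HTA reduces everything Mod 255

def derive_key(password: str) -> int:
    # KEYS(): sum of character codes, reduced mod 255 -> only 255 possible keys
    return sum(ord(c) for c in password) % MODULUS

def encrypt(text: str, key: int) -> str:
    # Encrypt(): each char -> letter for (code+key) mod 26, then a digit for the
    # number of 26s removed; the shifted value is < 255 so the digit is 0..9
    out: List[str] = []
    for ch in text:
        cnum = (ord(ch) + key) % MODULUS
        num = cnum % 26
        count = (cnum - num) // 26
        out.append(ALPHA[num] + str(count))
    return "".join(out)

def decrypt(code: str, key: int) -> str:
    # Decrypt(): read letter+digit pairs, rebuild the shifted value, remove the key
    out: List[str] = []
    for i in range(0, len(code), 2):
        num = ALPHA.index(code[i]) + 26 * int(code[i + 1])
        out.append(chr((num - key) % MODULUS))
    return "".join(out)

def key_space() -> int:
    # every password collapses to one of these values
    return MODULUS

def same_key(password_a: str, password_b: str) -> bool:
    # two different passwords that unlock each other's ciphertext
    return derive_key(password_a) == derive_key(password_b)

if __name__ == "__main__":
    k = derive_key("death")                 # 8
    ct = encrypt("Hello, world!", k)
    print(ct, "->", decrypt(ct, k))
    print("distinct keys:", key_space(), "| 'ab' and 'ba' share a key:", same_key("ab", "ba"))
```

The round trip works, which is all the original tutorial checks; the point of `key_space` and `same_key` is that "encrypting with a password" here means choosing one of 255 shifts, which is why the GE story further down (homebrew crypto in protection relays) is not an isolated lesson.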

Reference

https://errorcode401.blogspot.co.uk/2013/07/Create-Simple-Message-EncrypterDecrypter-Using-Notepad.html

Kali Linux can now use cloud GPUs for password-cracking

Think passwords, people. Think long, complex passwords. Not because a breach dump’s landed, but because the security-probing-oriented Kali Linux just got better at cracking passwords.

Kali is a Debian-based Linux that packs in numerous hacking and forensics tools. It’s well-regarded among white hat hackers and investigators, who appreciate its inclusion of the tools of their trades.

The developers behind the distro this week gave it a polish, adding new images optimised for GPU-using instances in Azure and Amazon Web Services. The extra grunt the GPUs afford, Kali’s backers say, will enhance the distribution’s password-probing powers. There’s also better support for GPU cracking, hence our warning at the top of this story: anyone can use Kali and there’s no way to guarantee black hats won’t press it into service. And they can now do so on as many GPU-boosted cloud instances as they fancy paying for.

The new distribution, version 2017.1, also adds support for Realtek’s RTL8812AU wireless chipsets. The Linux kernel doesn’t support that silicon, but lots of mainstream modem-makers like D-Link, Belkin and TP-Link do. Adding support to Kali therefore makes it capable of probing a great many WiFi access points.

There’s also support for the OpenVAS 9 vulnerability scanner. Kali hasn’t included the tool in its default release, but has packaged it so that a quick apt-get update and apt install openvas will install a nicely-packaged version of the tool.


Reference:

https://www.theregister.co.uk/2017/04/28/kali_linux_adds_gpu_support/

Homebrew crypto SNAFU on electrical grid sees GE rush patches

General Electric is pushing patches for protection relay bugs that, if exploited, could open up transmission systems to a grid-scale attack.

The company hasn’t published much by way of detail, but spoke to Reuters after this Black Hat abstract was published (the talk will be delivered at the July conference in Las Vegas).

The three New York University researchers say they cracked the homebrew encryption in the ancient GE Multilin systems. The abstract is light on detail, but it appears the researchers found a hardcoded password: “we completely broke the home brew encryption algorithm used by these protection and management devices to authenticate users and allow privileged operations. Knowledge of the passcode enables an attacker to completely pwn the device and disconnect sectors of the power grid at will, locking operators out to prolong the attack”.

Reference:

https://www.theregister.co.uk/2017/04/27/ge_rushing_patches_to_grid_systems_ahead_of_black_hat_demonstration/

Comment:

Any nation’s civilian infrastructure is the soft underbelly for warfare. If you can turn off the lights, or cut out regular communication channels, then you can plunge any country into disarray within minutes. Protecting the civilian infrastructure is too important to be left to commercial organisations, who look for the cheapest solutions. You can imagine the opportunities for hacking that electrical smart meters offer, along with the internet of things.

Go – SCP Book – Secure Coding practices

Go Language – Web Application Secure Coding Practices is a guide written for anyone who is using the Go Programming Language and aims to use it for web development.

This book is a collaborative effort of the Checkmarx Security Research Team and follows the OWASP Secure Coding Practices – Quick Reference Guide v2 (stable) release.

The main goal of this book is to help developers avoid common mistakes while, at the same time, learning a new programming language through a “hands-on approach”. This book provides a good level of detail on “how to do it securely”, showing what kind of security problems could arise during development.

The book is available as mobi or epub.

Reference:

https://www.gitbook.com/book/checkmarx/go-scp/details

THE STORY OF GETTING SSH PORT 22

I wrote the initial version of SSH in Spring 1995. It was a time when telnet and FTP were widely used.

Anyway, I designed SSH to replace both telnet (port 23) and ftp (port 21). Port 22 was free. It was conveniently between the ports for telnet and ftp. I figured having that port number might be one of those small things that would give some aura of credibility. But how could I get that port number? I had never allocated one, but I knew somebody who had allocated a port.

The basic process for port allocation was fairly simple at that time. Internet was smaller and we were in very early stages of the Internet boom. Port numbers were allocated by IANA (Internet Assigned Numbers Authority). At the time, that meant an esteemed Internet pioneer called Jon Postel and Joyce K. Reynolds. Among other things, Jon had been the editor of such minor protocol standards as IP (RFC 791), ICMP (RFC 792), and TCP (RFC 793). Some of you may have heard of them.

To me Jon felt outright scary, having authored all the main Internet RFCs!

Anyway, just before announcing ssh-1.0 in July 1995, I sent this e-mail to IANA:

From ylo Mon Jul 10 11:45:48 +0300 1995
From: Tatu Ylonen <ylo@cs.hut.fi>
To: Internet Assigned Numbers Authority <iana@isi.edu>
Subject: request for port number
Organization: Helsinki University of Technology, Finland

Dear Sir,

I have written a program to securely log from one machine into another
over an insecure network.  It provides major improvements in security
and functionality over existing telnet and rlogin protocols and
implementations.  In particular, it prevents IP, DNS and routing
spoofing.  My plan is to distribute the software freely on the
Internet and to get it into as wide use as possible.

I would like to get a registered privileged port number for the
software.  The number should preferably be in the range 1-255 so that
it can be used in the WKS field in name servers.

I'll enclose the draft RFC for the protocol below.  The software has
been in local use for several months, and is ready for publication
except for the port number.  If the port number assignment can be
arranged in time, I'd like to publish the software already this week.
I am currently using port number 22 in the beta test.  It would be
great if this number could be used (it is currently shown as
Unassigned in the lists).

The service name for the software is "ssh" (for Secure Shell).

Yours sincerely,

Tatu Ylonen <ylo@cs.hut.fi>

... followed by protocol specification for ssh-1.0

The next day, I had an e-mail from Joyce waiting in my mailbox:

Date: Mon, 10 Jul 1995 15:35:33 -0700
From: jkrey@ISI.EDU
To: ylo@cs.hut.fi
Subject: Re: request for port number
Cc: iana@ISI.EDU

Tatu,

We have assigned port number 22 to ssh, with you as the point of
contact.

Joyce

There we were! SSH port was 22!!!

On July 12, 1995, at 2:32am, I announced a final beta version to my beta testers at Helsinki University of Technology. At 5:23pm I announced ssh-1.0.0 packages to my beta testers. At 5:51pm on July 12, 1995, I sent an announcement about SSH (Secure Shell) to the cypherpunks@toad.com mailing list. I also posted it in a few newsgroups, mailing lists, and directly to selected people who had discussed related topics on the Internet.

CHANGING THE SSH PORT IN THE SERVER

By default, the SSH server still runs on port 22. However, there are occasions when it is run on a different port. Testing is one reason. Running multiple configurations on the same host is another. Rarely, it may also be run without root privileges, in which case it must use a non-privileged port (i.e., port number >= 1024).

The port number can be configured by changing the Port 22 directive in /etc/ssh/sshd_config. It can also be specified using the -p <port> option to sshd. The SSH client and sftp programs also support the -p <port> option.
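Because the Port directive can appear more than once, can be commented out (`#Port 22` is the default left as a comment, not a setting), and can be written as `Port 2222` or `Port=2222`, a check that reads the effective ports is worth having before a change is rolled out. The following Python helper is an added example, not part of the ssh.com page or of OpenSSH; the sample configuration is constructed, and the helper ignores Match blocks, where Port is not permitted anyway.

```python
import re
from typing import List

DEFAULT_PORT = 22
# sshd_config keyword lines: "Port 2222" or "Port=2222", keywords are case-insensitive
_KEYWORD = re.compile(r"^([A-Za-z]+)\s*=?\s*(\S+)")

def configured_ports(config_text: str) -> List[int]:
    """Return the Port values sshd would listen on for this config text.
    Several Port lines are allowed (sshd listens on all of them); a commented
    line does not count; with no Port line at all the default 22 applies."""
    ports: List[int] = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KEYWORD.match(line)
        if m and m.group(1).lower() == "port" and m.group(2).isdigit():
            ports.append(int(m.group(2)))
    return ports or [DEFAULT_PORT]

def unprivileged_port_ok(port: int) -> bool:
    # a non-root sshd cannot bind below 1024
    return 1024 <= port <= 65535

def set_port(config_text: str, port: int) -> str:
    """Rewrite the config so that exactly one Port directive is active.
    The first Port line (commented or not) is replaced; any further ones are dropped."""
    out: List[str] = []
    replaced = False
    for raw in config_text.splitlines():
        if re.match(r"^\s*#?\s*port\b", raw, re.IGNORECASE):
            if not replaced:
                out.append(f"Port {port}")
                replaced = True
            continue
        out.append(raw)
    if not replaced:
        out.append(f"Port {port}")
    return "\n".join(out) + "\n"

# constructed sample, not a real host's file
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
#Port 22
AddressFamily any
Port 2222
port=2200
PermitRootLogin no
"""

if __name__ == "__main__":
    print("listening on:", configured_ports(SAMPLE_SSHD_CONFIG))
    rewritten = set_port(SAMPLE_SSHD_CONFIG, 2022)
    print(rewritten)
    print("after rewrite:", configured_ports(rewritten),
          "| ok without root:", unprivileged_port_ok(2022))
```

Run it against a real file with `configured_ports(open("/etc/ssh/sshd_config").read())` before restarting sshd; the `-p <port>` command-line option overrides whatever the file says, so check how the service is started as well.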

Reference:

https://www.ssh.com/ssh/port

WikiLeaks releases CIA manual on how to turn a Samsung TV into a secret microphone

The latest releases by WikiLeaks appear to include descriptions of CIA-developed malware that could turn Samsung TVs into recording devices.

Details about the British-made ‘Extending’ and the CIA’s ‘Weeping Angel,’ both recently stolen from the CIA, were released by WikiLeaks on Friday.

The documents outline programs that can make certain Samsung TVs into recording devices via a USB drive placed in the televisions, The Hill reported.

The audio channels from the TVs would be rerouted from its microphone to the CIA.

Depending on the veracity of the documents, the initiative might have been developed jointly by Britain’s MI5, which first developed the software, and the CIA.

The British ‘Extending’ and American ‘Weeping Angel’ describe plans for turning certain Samsung TV models into recording devices.

The two programs differ in which Samsung models they are able to hack. Samsung’s F8000 model was named in documents pertaining to ‘Weeping Angel.’

Reference:

http://www.dailymail.co.uk/news/article-4434572/Wikileaks-CIA-documents-prepares-charge-Assange.html

NSA-leaking Shadow Brokers just dumped its most damaging release yet

Friday’s release—which came as much of the computing world was planning a long weekend to observe the Easter holiday—contains close to 300 megabytes of materials the leakers said were stolen from the NSA. The contents (a convenient overview is here) included compiled binaries for exploits that targeted vulnerabilities in a long line of Windows operating systems, including Windows 8 and Windows 2012. It also included a framework dubbed Fuzzbunch, a tool that resembles the Metasploit hacking framework that loads the binaries into targeted networks. Independent security experts who reviewed the contents said it was without question the most damaging Shadow Brokers release to date.

“It is by far the most powerful cache of exploits ever released,” Matthew Hickey, a security expert and co-founder of Hacker House, told Ars. “It is very significant as it effectively puts cyber weapons in the hands of anyone who downloads it. A number of these attacks appear to be 0-day exploits which have no patch and work completely from a remote network perspective.”

One of the Windows zero-days flagged by Hickey is dubbed Eternalblue. It exploits a remote code-execution bug in the latest version of Windows 2008 R2 using the server message block and NetBT protocols. Another hacking tool known as Eternalromance contains an easy-to-use interface and “slick” code. Hickey said it exploits Windows systems over TCP ports 445 and 139. The exact cause of the bug is still being identified. Friday’s release contains several tools with the word “eternal” in their name that exploit previously unknown flaws in Windows desktops and servers.

The full list of tools documented by Hickey is:

  • ETERNALROMANCE — Remote privilege escalation (SYSTEM) exploit (Windows XP to Windows 2008 over TCP port 445)
  • ETERNALCHAMPION, ETERNALSYSTEM — Remote exploit up to Windows 8 and 2012
  • ETERNALBLUE — Remote Exploit via SMB & NBT (Windows XP to Windows 2012)
  • EXPLODINGCAN — Remote IIS 6.0 exploit for Windows 2003
  • EWORKFRENZY — Lotus Domino 6.5.4 and 7.0.2 exploit
  • ETERNALSYNERGY — Windows 8 and Windows Server 2012
  • FUZZBUNCH — Exploit Framework (Similar to Metasploit) for the exploits.

A separate analysis by researcher Kevin Beaumont found three zerodays affecting Windows systems. They are Esteemaudit-2.1.0.exe, a Remote Desktop exploit that installs an implant on Windows Server 2003 and XP; Eternalchampion-2.0.0.exe, which also works against SMB; and the previously mentioned Eternalblue. Beaumont found four other exploits that he believes may be zerodays, including Eskimoroll-1.1.1.exe, a Kerberos attack targeting domain controllers running Windows Server 2000, 2003, 2008 and 2008 R2; Eternalromance-1.3.0.exe, Eternalromance-1.4.0.exe, an update of Eternalromance-1.3.0.exe; and Eternalsynergy-1.0.1.exe, a remote code-execution attack against SMBv3.

With the exception of Esteemaudit, the exploits should be blocked by most firewalls. And best practices call for remote desktop connections to require use of a virtual private network, a practice that should make the Esteemaudit exploit ineffective. Microsoft also recommends that organizations disable SMBv1, unless they absolutely need to hang on to it for compatibility reasons, which may block Eternalblue. That means organizations that are following best practices are likely safe from external attacks using these exploits. There’s no indication any of the exploits work on Windows 10 and Windows Server 2016, although it’s possible the exploits could be modified to work on these operating systems.

Still, the public distribution of some of the NSA’s most prized hacking tools is sure to cause problems. In a post published by the Lawfare website, Nicholas Weaver, a security researcher at the University of California at Berkeley and the International Computer Science Institute, wrote:

Normally, dumping these kinds of documents on a Friday would reduce their impact by limiting the news cycle. But Friday is the perfect day to dump tools if your goal is to cause maximum chaos; all the script kiddies are active over the weekend, while far too many defenders are offline and enjoying the Easter holiday. I’m only being somewhat glib in suggesting that the best security measure for a Windows computer might be to just turn it off for a few days.

Besides the risk the exploit leaks pose to Windows users all over the world, they are likely to further tarnish the image of the NSA. The highly secretive agency reportedly had at least 96 days to warn Microsoft about the weaponized Windows exploits released today, according to this account from Emptywheel. It points to a January 8 Shadow Brokers leak that references some of the same exploits.

We hack banks

Friday’s dump also contains code for hacking into banks, particularly those in the Middle East. According to this analysis by Matt Suiche, a researcher and cofounder of Cloud Volumes, Jeepflea_Market is the code name for a 2013 mission that accessed EastNets, the largest SWIFT service bureau in the Middle East. EastNets provides anti-money laundering oversight and related services for SWIFT transactions in the region. Besides specific data concerning specific servers, the archive also includes reusable tools to extract the information from Oracle databases such as a list of database users and SWIFT message queries.

“This would make a lot of sense that the NSA compromise this specific SWIFT Service Bureau for Anti-money laundering (AML) reasons in order to retrieve ties with terrorists groups,” Suiche wrote. “But given the small number (74) of SWIFT Service Bureaus, and how easy it looks like to compromise them (e.g. 1 IP per Bank) — How many of those Service Bureau may have been or are currently compromised?”

Suiche also found evidence that Al Quds Bank for Development and Investment, a bank in Ramallah, Palestine, was specifically targeted.

The release also contains the software for “Oddjob”, an implant tool and backdoor for controlling hacked computers through an HTTP-based command server. Other implants have names such as Darkpulsar-1.1.0.exe, Mofconfig-1.0.0.exe, and PluginHelper.py. With the exception of minor generic detections for engines related to a “packer” that conceals Oddjob, none of the implants were detected by antivirus programs at the time this update was going live. AV companies are almost certainly in the process of pushing out updates.

The Shadow Brokers have captured the attention of the intelligence community in the US and around the world. Some of the previous weapons-grade leaks, for instance, exploited unpatched vulnerabilities in Cisco Systems firewalls. Researchers from security firm Kaspersky Lab, meanwhile, have confirmed the leaked code they analyzed bears unique signatures tied to Equation Group, Kaspersky’s name for a state-sponsored group that operated one of the most advanced hacking operations ever seen. In January, Shadow Brokers claimed it was suspending operations, after making one last inflammatory release. Friday’s dump shows the group was still holding plenty more incendiary material.

Reference:

https://arstechnica.com/security/2017/04/nsa-leaking-shadow-brokers-just-dumped-its-most-damaging-release-yet/
