https://Exploit.IN – site about network security and protection




27.11.2015 23:18: VPN flaw allows the user's real IP address to be identified
According to the VPN provider Perfect Privacy, some VPN services can be used to determine the victim's real IP address. According to the experts, BitTorrent users may be affected by this malicious activity. The vulnerability affects services that support port forwarding.

A successful attack requires several conditions: the hackers must be on the same VPN network as the victim, and the user must connect to a resource controlled by the hackers. By tricking the victim into opening a malicious file, an attacker who is able to forward a port can see the victim's real IP address.

„A user of a VPN service who connects to their own VPN server uses the default route with their real IP address, as the VPN connection requires. This is the main problem“, said the experts at Perfect Privacy.

„Users of BitTorrent clients who use a VPN to download content may also suffer from such attacks. It is likely that defenders of rights holders can use this type of attack in the fight against piracy“, Perfect Privacy said.


27.11.2015 23:15: Hungryhouse service has reset the passwords of thousands of users
Hungryhouse, a major British online takeaway ordering service, has reset the passwords of thousands of users because of a possible data leak at a third-party hosting company.

„We are not affiliated with the hosting company where the leak occurred. However, when our director of security found some of our customers' data in the lists of leaked email addresses, we asked them to change their passwords as a precaution“, said Hungryhouse head Scott Fletcher.

According to one user of the service, Hungryhouse contacted him on the morning of Friday, November 27, and a representative reported that 10 thousand passwords had been reset in connection with the data breach. Asked what had caused the incident (the user suggested it could have been a DDoS attack), the employee was unable to give an answer.


27.11.2015 23:07: Trend Micro published a report on the Chinese cybercriminal underground
Trend Micro has published a report titled „Innovation Chinese cybercriminal underground“. The document covers the wide range of services offered by Chinese hackers and new trends in Chinese cybercrime. It also sheds light on black market prices: for example, getting a spy app into the top of the App Store costs $4000.

According to Trend Micro, spyware really can be placed in the Apple App Store. For $4000, Chinese hackers are willing to get around the app store's controls, publish malware there that will spy on users, and push it into the top 5 paid apps using their own rank-boosting services. Getting into the top 25 free apps is more difficult and costs $7200. Trend Micro analysts write that the price has risen significantly since 2013, when this service cost $3800.

However, the most destructive fraud method presented in the report is undoubtedly the market in malicious PoS terminals. Chinese cybercriminals have set up mass production of PoS terminals infected with malware. The infected devices are sold at knockdown prices to organizations that supply businesses. Sometimes the terminals pass through the hands of several dealers. Sales are mainly arranged through various B2B resources, for example,

In the end, unsuspecting entrepreneurs buy the malicious terminals and put them into use. After that the hackers hardly have to do anything: in some cases the PoS terminals send the stolen credit card data automatically via SMS. Trend Micro reports that the „catch“ from one such outlet where an infected PoS terminal had been installed was $236 000, stolen from 1100 bank cards.

Another well-established line of production is the sale of overlay panels for ATMs. These skimming devices can steal data from a card's magnetic stripe and are fitted with a camera that can be used to record PIN codes. One such panel costs about $600. A skimmer with a keypad, for more efficient PIN theft, costs another $300. A primitive pocket skimmer for quickly reading cards costs $140.


27.11.2015 23:00: Cisco devices vulnerable to attack
At the ZeroNights 2015 conference, George Nosenko, a security researcher at Digital Security, presented a talk entitled „Cisco IOS shellcode – all-in-one“, which covered the creation of generic shellcode that is portable between Cisco devices.

Shellcode can be used as an exploit payload that gives the attacker a command shell on the target system. Cisco network equipment comes in a wide variety of architectures, types and operating system (firmware) versions, which greatly complicates the development of universal shellcode. George managed to create such a program, which can be used to attack a variety of Cisco devices running Cisco IOS 15.1 and Cisco IOS XE 3.3.

The talk used remote exploitation of vulnerabilities in Cisco network equipment as an example to demonstrate that an attacker can gain full control over the equipment. The process of creating generic shellcode was also described. In addition, George demonstrated scenarios in which an attacker can not only run arbitrary commands and modify the equipment's configuration, but also find other vulnerable equipment, attack it automatically, and redirect network traffic. In conclusion, the researcher described the possibility of a worm that spreads through the network infrastructure, from the Internet-facing firewall to the router, from the router to the switch, and so on.


27.11.2015 22:43: Hackers broke into an Islamic State website
The hacktivists of Anonymous are not the only ones fighting the Islamic State, which is banned on the territory of the Russian Federation, in cyberspace. The independent hacker group Ghost Sec (which nevertheless counts itself part of the Anonymous movement) hacked an ISIS propaganda website on the Tor network. The hackers subtly mocked the extremists.

After the hack, a banner appeared on the propaganda resource Isdarat advertising a pharmaceutical website that sells any drugs, from Viagra to Prozac, for bitcoins. Besides the banner, the hackers left a message:

„Too many ISIS. Calm down. Too many people involved in this ISIS shit. Please watch this wonderful advertising until we update our infrastructure to provide you with larger LIH content you so crave.“

How the Ghost Sec members hacked the website is unknown. But recently information security expert Scot Terban said on his blog that Islamic State members make absolutely „childish“ mistakes when building websites. Suffice it to say that Islamic State sites often run vulnerable versions of WordPress.


26.11.2015 01:23: United Airlines took six months to close a vulnerability
In May 2015 United Airlines set up its own vulnerability rewards program. The airline rewards specialists not with money but with free air miles. In July of this year, Jordan Wiens from Florida hit the jackpot and received the maximum reward of 1 million miles from the airline. Because the program's rules prohibit disclosing information about bugs, the problem Wiens discovered is unknown.

But now, thanks to developer Randy Westergren, the whole world has learned that United Airlines' specialists were unable to fix a critical vulnerability in the official mobile app for more than half a year.

Westergren complained about the airline's sluggishness on his blog and said he first heard about the United Airlines rewards program last summer. The researcher had not intended to join the race for prizes, but two weeks after the program started, out of curiosity, he nevertheless installed the United Airlines app and created a MileagePlus account. After working with the app a little, Westergren discovered a vulnerability related to direct object references, which allowed him to make changes to the code, add the number of a specially created test MileagePlus account, and then gain access to personal data.

„I had access to information about the departures and arrivals of all flights, to payment receipts that contained information on payment methods and the last four digits of credit card numbers, and to passengers' personal data (telephone number and emergency contact person). I was even able to change or cancel a flight,“ says Westergren.

The researcher also managed to gain access to the email addresses and barcodes of booked tickets. That is, an attacker in his place could easily have stolen purchased tickets, deceiving the mobile portal with the information available.


26.11.2015 00:53: Found a way to predict American Express card numbers
Well-known information security expert Samy Kamkar, author of the Samy worm, has learned to predict what an American Express card's number will be after it is reissued. The researcher also built a tiny device named MagSpoof. The device, whose components cost about $10, can not only predict card numbers but also deceive PoS terminals.

The tiny MagSpoof, comparable in size to a coin, consists of a base board, an Atmel ATtiny85 microcontroller, an L293D H-bridge driver, a battery, an LED, a capacitor, a resistor, copper wire and buttons. Assembling such a device is not difficult, and Kamkar has published all the source material and instructions on his blog. However, without the algorithm developed by the expert, the gadget is almost useless.

If a carder has stolen card data, he can easily predict what the number will be after reissue, when the user blocks the stolen card. All that remains is to calculate the new expiry date, which is not difficult if the offender knows the validity period of the previous card. It turns out that hackers can steal card data as fast as American Express generates it.

After 3 months Kamkar created the MagSpoof device to automate the process of generating numbers and to show American Express what danger such an algorithm can pose. The device can store data for hundreds of bank cards. In addition, MagSpoof emits a strong electromagnetic signal that can fool the reader's sensor: MagSpoof sends a wireless signal that simulates a physical swipe of the card.

This attack does not reveal the four-digit CVV number, which narrows the scope of the attack.


26.11.2015 00:49: Django web framework updated with security fixes
Corrective releases of the Django web framework, 1.9rc2, 1.8.7 and 1.7.11, have been published; they fix a vulnerability (CVE-2015-8213) that allows the contents of any configuration variable to be read. For example, an attacker can learn the contents of the settings, including sensitive data such as encryption keys and database passwords. The vulnerability is also present in Django 1.6 and earlier releases, for which support has been discontinued. Django users are advised to install the update or switch to a currently supported branch of the framework.

The problem is caused by a bug in the implementation of the „date“ filter, which allowed the name of a configuration parameter to be passed in place of a date format and its value to be returned (the function django.utils.formats.get_format() handled not only date formatting settings but also substituted other configuration options). The vulnerability manifests itself in applications that use the „date“ filter with data coming from outside.
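
The lookup logic described above, as an added example: a simplified model written for this digest, not Django's source code. The settings object, its values and the toy `render_date` helper are constructed assumptions; the second resolver shows the allowlist check that stops a format name from resolving to an arbitrary setting.

```python
import datetime
from types import SimpleNamespace

# Constructed stand-in for django.conf.settings (all values are made up).
settings = SimpleNamespace(
    DATE_FORMAT="Y-m-d",
    SHORT_DATE_FORMAT="d.m.Y",
    SECRET_KEY="s3cr3t-value-for-test",
)

# Only names that really are formatting settings may be resolved.
FORMAT_SETTINGS = frozenset({"DATE_FORMAT", "SHORT_DATE_FORMAT"})


def get_format_vulnerable(format_type):
    """Behaviour the article describes: any settings name is resolved."""
    return getattr(settings, format_type, format_type)


def get_format_fixed(format_type):
    """Resolve allowlisted names only; anything else is a literal format."""
    if format_type not in FORMAT_SETTINGS:
        return format_type
    return getattr(settings, format_type)


def render_date(value, fmt, resolver):
    """Toy "date" filter: resolve fmt, then expand the Y, m, d and j codes."""
    pattern = resolver(fmt)
    fields = {"Y": f"{value.year:04d}", "m": f"{value.month:02d}",
              "d": f"{value.day:02d}", "j": str(value.day)}
    return "".join(fields.get(ch, ch) for ch in pattern)


if __name__ == "__main__":
    day = datetime.date(2015, 11, 26)
    # fmt plays the role of a format string taken from the request.
    for fmt in ("DATE_FORMAT", "SECRET_KEY"):
        print(fmt, "| vulnerable:", render_date(day, fmt, get_format_vulnerable),
              "| fixed:", render_date(day, fmt, get_format_fixed))
```

Independently of the framework version, the format argument of the filter is best chosen server-side from a fixed set rather than taken from request data.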


26.11.2015 00:48: Hilton hotel chain confirmed the data breach
On Tuesday, November 24, the management of Hilton hotels announced that hackers had stolen credit card data from the PoS terminals in its computer systems. The extent of the leak was not specified, but the company warned all customers who used a credit card at Hilton Worldwide in the period from 18 November to 5 December and from 21 April to 27 July this year about the attack.

Using malware, the hackers managed to steal information such as cardholder names, card numbers and expiration dates, and secret security codes. The hotel's management assured customers that the incident did not affect their home addresses or personal identification numbers.

Recall that the investigation into a possible data breach at Hilton Worldwide became known in September of this year. A month earlier, Visa sent financial institutions a confidential warning about an incident that occurred in the period from 21 April to 27 July 2015.


25.11.2015 02:20: Europol is looking for a bitcoin transactions specialist
The European Union's police service has posted on its website an advertisement for a staff member with skills in tracing bitcoin transactions. According to the text of the vacancy, the new specialist for the „collection and analysis of open sources“ project, with the support of Europol and kibernetiki, is to start work in February 2016. The candidate who successfully passes the interview will receive support from specialist intelligence.

Among the main requirements for candidates are „a basic understanding of tracking and anchoring bitcoin transactions, as well as an obvious interest in blockchain technologies“; they also need „to know how to operate the anonymization and encryption tools illegally used by criminals.“

The successful candidate will work at the organization's headquarters in The Hague. Part of the job will involve compiling quarterly reports on „emerging trends, threats, and schemes“ in the world of cybercrime, with special attention given to anonymization and encryption.

It is clear from the announcement that Europol regards bitcoin transactions as a form of „open-source“ intelligence: a method of intelligence gathering through the analysis of a wide range of publicly available data, as defined by the FBI.


25.11.2015 02:14: FSB and SORM can’t intercept some subscriber actions
SORM equipment is unable to meet the requirements for passing certain actions of cellular subscribers to the security services. This was discovered during a joint investigation by the Federal Communications Agency and the FSB. It concerns, for example, SMS sent while roaming and forwarded calls. Igor Kokoshkin, Deputy Director General of NIIR, spoke about this at the „SORM-2015“ conference.

Although the requirements for SORM equipment are strictly regulated and the equipment undergoes mandatory certification in special centers that have state accreditation, the Federal Communications Agency began to receive complaints from regional FSB directorates that SORM equipment does not always provide them with the necessary information. By the end of 2013 the number of such complaints had become critical, so the decision was made to set up the Centre and carry out the relevant research, explained Igor Kokoshkin.

Kokoshkin presented three examples of subscriber actions that SORM equipment does not capture. First, SMS messages that a person of interest to the special services sends while roaming to another subscriber located in the home network. Second, DTMF signals transmitted by pressing keys on the subscriber's telephone after the connection has been established. Finally, contrary to the requirements of national legislation, it is impossible to determine from the phone's unique identification number (IMEI) which calls the subscriber made when the „unconditional call forwarding“ service is enabled.


25.11.2015 02:10: Vonteera Trojan uses certificates to disable antivirus
Researchers have found a variant of software that installs unwanted ads on the user’s computer. After more detailed analysis, the program, named Vonteera, was classified as a Trojan because of some of the modifications it makes to the infected system.

During the analysis the experts noticed that the malware adds a total of 13 certificates to the „Untrusted certificates“ category of the Windows certificate store. They include certificates of the antivirus companies ESS Distribution, Avast, AVG Technologies, Avira, Baidu, Bitdefender, ESET, Lavasoft, Malwarebytes, McAfee, Panda Security, ThreatTrack Security and Trend Micro. In this way the Trojan protects itself against detection by antivirus solutions. Moreover, the user will not be able to download files from sites that use these certificates. The appinf.exe service created by the Trojan checks that the certificates are present and restores them if the user removes them.

Once on the target system, Vonteera creates several tasks in the Windows Task Scheduler to display advertising banners at regular intervals. The Trojan also creates a new service, appinf.exe, and modifies the desktop, taskbar and Start menu shortcuts for the Internet Explorer, Firefox, Chrome, Opera and Safari browsers. As a result, launching one of these applications loads a script that randomly redirects the user while they work in the browser.

In the case of Internet Explorer, the Trojan adds a new Browser Helper Object (BHO) module. If Google Chrome is in use, Vonteera manipulates the ExtensionInstallForcelist key, which defines the list of apps and extensions that are installed „silently“, with all requested permissions granted. These programs can’t be uninstalled by the user.
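
A triage check for the two persistence traces described above, as an added example that is not taken from the researchers' report. It assumes the subjects and thumbprints of the „Untrusted certificates“ store and the ExtensionInstallForcelist values have already been exported from the host into the dictionary layout shown; that layout, the thumbprints, the extension ID and the approved-ID set are constructed.

```python
import re

# Vendors the article lists as having their certificates marked untrusted.
AV_VENDORS = ["ESS Distribution", "Avast", "AVG Technologies", "Avira", "Baidu",
              "Bitdefender", "ESET", "Lavasoft", "Malwarebytes", "McAfee",
              "Panda Security", "ThreatTrack Security", "Trend Micro"]

# Constructed host export (assumed layout, placeholder thumbprints and IDs).
SAMPLE = {
    "untrusted_certs": [
        {"Subject": "CN=AVAST Software a.s., O=AVAST Software a.s., C=CZ",
         "Thumbprint": "CONSTRUCTED-01"},
        {"Subject": 'CN="ESET, spol. s r.o.", O="ESET, spol. s r.o.", C=SK',
         "Thumbprint": "CONSTRUCTED-02"},
        {"Subject": "CN=Preset Tools CA, O=Example Org, C=US",
         "Thumbprint": "CONSTRUCTED-03"},
    ],
    # Each policy value has the form "<extension id>;<update URL>".
    "chrome_forcelist": ["constructedextid;https://updates.example.invalid/crx"],
}

DN_PART = re.compile(r'\s*(\w+)=("[^"]*"|[^,]*)\s*(?:,|$)')


def parse_dn(subject):
    """Split an X.500 subject into {attribute: value}, honouring quoted commas."""
    return {k.upper(): v.strip().strip('"') for k, v in DN_PART.findall(subject)}


def blocked_vendor_certs(certs):
    """Return (vendor, thumbprint) for untrusted entries naming an AV vendor."""
    hits = []
    for cert in certs:
        dn = parse_dn(cert["Subject"])
        names = " ".join(dn.get(attr, "") for attr in ("O", "CN"))
        for vendor in AV_VENDORS:
            # Word boundaries keep "ESET" from matching inside "Preset".
            if re.search(rf"\b{re.escape(vendor)}\b", names, re.IGNORECASE):
                hits.append((vendor, cert["Thumbprint"]))
                break
    return hits


def unapproved_forced_extensions(forcelist, approved_ids):
    """Return force-installed extension IDs missing from the approved set."""
    ids = [entry.split(";", 1)[0].strip() for entry in forcelist]
    return [ext for ext in ids if ext not in approved_ids]


if __name__ == "__main__":
    print(blocked_vendor_certs(SAMPLE["untrusted_certs"]))
    print(unapproved_forced_extensions(SAMPLE["chrome_forcelist"], set()))
```

Because the appinf.exe service restores the certificates, a hit here is a reason to look for that service and the scheduled tasks before cleaning the store.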

Powered by Exploit.IN © 2005-2015