Sep 25 2011

Doppelganger Domain Attack

Doppelganger Domain AttackDomain typo-squatting is commonly used to spread malware to users whom accidentally misspell a legitimate domain in their web browser. A new type of domain typo-squatting takes advantage of an omission instead of a misspelling.

A Doppelganger Domain is a domain spelled identical to a legitimate fully qualified domain name (FQDN) but missing the dot between host/subdomain and domain, to be used for malicious purposes. Doppelganger Domains have a potent impact via email as attackers could gather information such as trade secrets, user names and passwords, and other employee information.

Each company in the Fortune 500 was profiled for susceptibility to Doppelganger Domains and 151 companies (or 30%) were found to be susceptible. In large corporations, email usage is extremely high and the likelihood of some email being mis-sent is high which could result in data leakage.

Security researcher Peter Kim and Garrett Gee who set up doppelganger domains to mimic legitimate domains belonging to Fortune 500 companies say they managed to vacuum up 20 gigabytes of misaddressed e-mail over six months. The intercepted correspondence included employee usernames and passwords, sensitive security information about the configuration of corporate network architecture that would be useful to hackers, affidavits and other documents related to litigation in which the companies were embroiled, and trade secrets, such as contracts for business transactions.

WhitePaper : Doppelganger.Domains.pdf

Sep 22 2011

DIY Botnet Kit Spotted in the Wild

Security researchers from GData, have spotted a DIY (do it yourself) botnet kit, available for sale at selected underground communities.

Aldi Bot Builder

1 x Builder + stub + updates + installation assistance = €10 ***
This price even dropped down to €5, less than two weeks ago.

The main functions of “Aldi Bot” v1.0 are:
– Possibility to carry out DDoS attacks
– SOCKS; bot owner can use victim’s pc as proxy
– Firefox password stealer; stealing passwords saved in Firefox database
– Remote execution of any file

An update to v2.0 added the following functions to the ones already in use:
– Pidgin password stealer; stealing passwords from the instant messenger Pidgin
– jDownloader password stealer; stealing passwords from a downloader of one-click hoster

The author prides himself with a video, hosted on Youtube, which apparently shows an “Aldi Bot” DDoS attack against the website of the German Federal Police (www.bka.de).

Sep 20 2011

Hackers Break SSL Encryption

SSL BreaksResearchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that’s passing between a webserver and an end-user browser.

The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet’s foundation of trust. Although versions 1.1 and 1.2 of TLS aren’t susceptible, they remain almost entirely unsupported in browsers and websites alike, making encrypted transactions on PayPal, GMail, and just about every other website vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the website he’s visiting.

At the Ekoparty security conference in Buenos Aires later this week, researchers Thai Duong and Juliano Rizzo plan to demonstrate proof-of-concept code called BEAST, which is short for Browser Exploit Against SSL/TLS. The stealthy piece of JavaScript works with a network sniffer to decrypt encrypted cookies a targeted website uses to grant access to restricted user accounts. The exploit works even against sites that use HSTS, or HTTP Strict Transport Security, which prevents certain pages from loading unless they’re protected by SSL.

The demo will decrypt an authentication cookie used to access a PayPal account, Duong said. Two days after this article was first published, Google released a developer version of its Chrome browser designed to thwart the attack.

Sep 15 2011

DroidSheep – Android Application for Session Hijacking

DroidSheep – One-click session hijacking using your android smartphone or tablet computer.

DroidSheep

DroidSheep makes it easy to use for everybody. Just start DroidSheep, click the START button and wait until someone uses one of the supported websites. Jumping on his session simply needs one more click. That’s it.

What do you need to run DroidSheep?
– You need an android-powered device, running at least version 2.1 of Android
– You need Root-Access on your phone (link)
– You need DroidSheep

Which websites does DroidSheep support?
– amazon.de
– facebook.com
– flickr.com
– twitter.com
– linkedin.com
– yahoo.com
– live.com
– google.de (only the non-encrypted services like “maps”)

Download: droidsheep-current.apk

Sep 13 2011

6 SCADA 0-Day Exploits

A security researcher has disclosed a laundry list of unpatched vulnerabilities and detailed proof-of-concept exploits that allow hackers to completely compromise major industrial control systems.

SCADA Exploits

Security researcher Luigi Auriemma disclosed the attacks against six SCADA (Supervisory Control and Data Acquisition) systems including US giant Rockwell Automation.

The step-by-step exploits allowed attackers to execute full remote compromises and denial of service attacks.

Some of the affected SCADA systems were used in power, water and waste distribution and agriculture.

Such zero-day information disclosure was generally frowned upon in the information security industry because it exposed customers to attack while published vulnerabilities remained unpatched.

Attacks against SCADA systems were particularly controversial because exploits could affect a host of machinery from lift control mechanisms to power plants.