  • Emirates Skywards accounts leaked on the net
    By Tahir on July 26, 2008 | 5 Comments

    It is not unusual to come across stolen identities on the web, and this one is no exception. I came across a post in an underground forum listing a bunch of Emirates Skywards accounts. I picked a random account to verify the claims; the rest is pictured below:

    Figure 1: Skywards/Emirates account main page

    Figure 2: Saved credit card information

    Figure 3: Skywards member personal information

    After going through the list, I reckon the accounts were compromised as a result of brute-force attacks, given the relatively serial order of the listed accounts and the inadequate authentication controls on emirates.com.

    Skywards members – update your passwords now!

  • Metasploit: DNS exploit code now available
    By Tahir on July 25, 2008 | 1 Comment

    The Metasploit team has published two modules that exploit the recently announced DNS flaw: “DNS BailiWicked Host Attack”, which injects individual uncached host records into the target nameserver’s cache, and “DNS BailiWicked Domain Attack”, which replaces a target domain’s nameserver records in the target nameserver’s cache.

    Both modules require that you run the Metasploit Framework from the “trunk” development branch, which is currently only supported on Linux.

    Here’s more from the official blog:

    The first flaw is that since DNS (over UDP) is connectionless, it can easily be spoofed. The original primary mitigation against this was to make use of a 16-bit transaction ID which is used to correlate requests and replies, and which the attacker would have to guess in order to correctly spoof a reply packet. This makes spoofing harder, but not an insurmountable task; you just need to be able to send a whole lot of packets to eventually get one right and match the transaction ID chosen for the request packet.

    The second flaw was that additional records included in replies from another nameserver would be inserted into the cache. This is core protocol functionality; however, the original problem was somewhat mitigated by creating the in-bailiwick constraints that essentially limit the domain space for additional records that could be sent in replies to hostnames from a given domain. Sounds reasonable; this prevents nameservers from doing malicious things to records in domains that they weren’t queried for or aren’t authoritative for, while still allowing nameservers that are authoritative for a domain to update the records they need to.

    When you combine the attacks for these two flaws however, and introduce nameserver query recursion, an attacker can essentially cause the target nameserver to make as many queries as the attacker wants while also pretending to be the authoritative nameserver and spoofing the responses, achieving the birthday attack against the transaction ID and successfully updating the nameserver record for a domain to point to a malicious nameserver address. You can also use this trick to inject cache entries for individual hostname records as long as those hostnames are both not already cached, and also in-bailiwick.
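
    The race described above, as an added example (not code from the original post and not the Metasploit modules): a toy caching resolver that accepts the first reply matching its transaction ID and UDP port and enforces the bailiwick rule on additional records, and an attacker that forces queries for never-cached names and floods spoofed replies carrying poisoned glue for the zone’s nameserver. The fixed source port 53000, the attacker address 198.51.100.7 and the zone example.com are assumptions made for the example. It also runs the same race against a port-randomising resolver, which goes beyond what the post discusses, to show why the patch worked.

```python
import random

TXID_BITS = 16                   # DNS transaction ID is 16 bits
PORT_BITS = 16                   # UDP source port, when the resolver randomises it
FIXED_PORT = 53000               # assumption: a pre-patch resolver reusing one source port
ATTACKER_NS_IP = "198.51.100.7"  # constructed attacker address (documentation range)


def normalise(name):
    """Lower-case and strip a trailing dot so 'Example.COM.' == 'example.com'."""
    return name.lower().rstrip(".")


def in_bailiwick(zone, name):
    """Bailiwick rule: an additional record is acceptable only if its owner
    name is the zone being queried or lies underneath it."""
    zone, name = normalise(zone), normalise(name)
    return name == zone or name.endswith("." + zone)


class ToyResolver:
    """Minimal caching resolver: one outstanding query at a time, accepts the
    first reply whose transaction ID and destination port both match."""

    def __init__(self, rng, randomise_port):
        self.rng = rng
        self.randomise_port = randomise_port
        self.cache = {}
        self.pending = None

    def send_query(self, zone, qname):
        txid = self.rng.getrandbits(TXID_BITS)
        port = self.rng.getrandbits(PORT_BITS) if self.randomise_port else FIXED_PORT
        self.pending = (zone, qname, txid, port)
        return txid, port

    def receive_reply(self, txid, port, additional):
        """Return True if the reply was accepted. Only in-bailiwick records
        that are not already cached make it into the cache."""
        if self.pending is None:
            return False
        zone, _qname, want_txid, want_port = self.pending
        if txid != want_txid or port != want_port:
            return False
        for name, rdata in additional.items():
            key = normalise(name)
            if in_bailiwick(zone, key) and key not in self.cache:
                self.cache[key] = rdata
        self.pending = None
        return True


def kaminsky_attack(resolver, rng, zone, queries, guesses_per_query):
    """Force `queries` lookups of never-cached names under `zone`, racing each
    with `guesses_per_query` spoofed replies (distinct TXID guesses) that carry
    poisoned glue for the zone's nameserver. Returns True once it sticks."""
    poisoned_glue = {"ns1." + zone: ATTACKER_NS_IP}
    for i in range(queries):
        resolver.send_query(zone, f"x{i}.{zone}")   # uncached name -> new outbound query
        for txid_guess in rng.sample(range(1 << TXID_BITS), guesses_per_query):
            # Attacker knows the port if it is fixed, otherwise must guess it too.
            port = rng.getrandbits(PORT_BITS) if resolver.randomise_port else FIXED_PORT
            if resolver.receive_reply(txid_guess, port, poisoned_glue):
                break
        if resolver.cache.get(normalise("ns1." + zone)) == ATTACKER_NS_IP:
            return True
        resolver.pending = None   # the legitimate answer arrives; this round is over
    return False


def success_probability(queries, guesses_per_query, entropy_bits):
    """Closed form for the same race: each query gives the attacker
    guesses_per_query distinct shots at a space of 2**entropy_bits."""
    p_query = min(1.0, guesses_per_query / (1 << entropy_bits))
    return 1.0 - (1.0 - p_query) ** queries


def run_race(seed, randomise_port, queries=2000, guesses_per_query=400):
    """Seeded end-to-end run; returns (poisoned?, resulting cache)."""
    rng = random.Random(seed)
    resolver = ToyResolver(rng, randomise_port)
    hit = kaminsky_attack(resolver, rng, "example.com", queries, guesses_per_query)
    return hit, resolver.cache


if __name__ == "__main__":
    for randomise in (False, True):
        hit, _ = run_race(2008, randomise)
        bits = TXID_BITS + (PORT_BITS if randomise else 0)
        print(f"port randomisation={randomise}: poisoned={hit}, "
              f"predicted P={success_probability(2000, 400, bits):.4f}")
```

    With only the 16-bit transaction ID to guess, 400 spoofed replies per forced query give roughly a 0.6% chance per round, which compounds to near certainty over a couple of thousand rounds; adding a random 16-bit source port pushes the per-round odds down by another factor of 65536, which is the whole point of the July patches.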

  • IT Assurance Framework introduced
    By Tahir on July 24, 2008 | No Comments

    ISACA today introduced ITAF: A Professional Practices Framework for IT Assurance, targeting IT audit and assurance professionals. The official release states:

    ITAF™ consists of compliance and good practice setting guidance:

    • Provides guidance on the design, conduct and reporting of IT audit and assurance assignments
    • Defines terms and concepts specific to IT assurance
    • Establishes standards that address IT audit and assurance professional roles and responsibilities, knowledge, skills and diligence, conduct, and reporting requirements
    Figure 1: The ITAF Structure

    More info here

  • The biggest security patch release in Internet history
    By Tahir on July 9, 2008 | 3 Comments

    Security concerns truly bind us all together, and that is very much the case in the electronic world. Yesterday saw the release of software patches from almost every major operating system and network device vendor, fixing a critical vulnerability in the Domain Name System (DNS). It was a well-coordinated release for a vulnerability first discovered almost six months ago by Dan Kaminsky of IOActive.

    The specifics of the vulnerability are not being disclosed; however, it is described as an inherent design flaw that allows DNS cache poisoning (false DNS information being cached by a DNS server and served to the clients that request it) by exploiting predictable transaction IDs and source port numbers. This could lead visitors trying to access their everyday websites to be redirected to phishing or malicious sites.

    The patch deployment process itself is going to take a while for bigger DNS installations; expect phishing attacks targeting end-users within days. As of this writing, my ISP in Dubai is vulnerable according to Dan Kaminsky’s script that checks DNS servers for the flaw.
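
    A local equivalent of that check, as an added example (not the script the post refers to and not part of the original post): given the UDP source ports a resolver used for a run of consecutive outbound queries (taken from a packet capture of its upstream traffic), score whether they are fixed, incrementing, or spread across the port space. The three port samples are constructed, and the scoring thresholds are this example’s own assumptions.

```python
import math
import random
from collections import Counter

# Constructed samples of the UDP source ports a resolver used for 40 consecutive
# outbound queries, as read off a packet capture of its upstream traffic.
FIXED_PORT_SAMPLE = [53000] * 40                      # one port for every query
SEQUENTIAL_SAMPLE = list(range(32768, 32768 + 40))    # port incremented per query
RANDOM_PORT_SAMPLE = random.Random(1447).sample(range(1024, 65536), 40)


def shannon_bits(values):
    """Empirical Shannon entropy of the observed values, in bits."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def is_low_variance_sequence(values, max_step=16):
    """True when every port differs from the previous one by a small positive
    step, i.e. the resolver is incrementing rather than randomising."""
    steps = [b - a for a, b in zip(values, values[1:])]
    return bool(steps) and all(0 < s <= max_step for s in steps)


def port_randomisation_verdict(ports):
    """Score observed source ports. Thresholds are this example's own
    assumptions; the buckets mirror the qualitative verdicts (POOR/FAIR/GOOD)
    that public port-randomisation test services hand out."""
    distinct = len(set(ports))
    span = max(ports) - min(ports)
    if distinct == 1:
        verdict = "POOR (fixed source port)"
    elif is_low_variance_sequence(ports):
        verdict = "POOR (sequential source ports)"
    elif span < 1024 or distinct < 0.9 * len(ports):
        verdict = "FAIR (randomised over a narrow range)"
    else:
        verdict = "GOOD (randomised across the port space)"
    # Rough upper estimate of the entropy the ports add on top of the 16-bit
    # transaction ID: none if predictable, otherwise bounded by the observed range.
    port_bits = 0 if verdict.startswith("POOR") else round(math.log2(span + 1), 1)
    return {
        "verdict": verdict,
        "distinct_ports": distinct,
        "port_span": span,
        "observed_entropy_bits": round(shannon_bits(ports), 2),
        "estimated_port_bits": port_bits,
    }


if __name__ == "__main__":
    for label, sample in (("fixed", FIXED_PORT_SAMPLE),
                          ("sequential", SEQUENTIAL_SAMPLE),
                          ("randomised", RANDOM_PORT_SAMPLE)):
        print(label, port_randomisation_verdict(sample))
```

    Forty samples cannot prove 16 bits of port entropy, but they are plenty to catch the two failure modes that mattered in July 2008: a resolver that never changes its port, and one that walks through ports in order, both of which leave the attacker with only the transaction ID to guess.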

    For now, a good workaround is to use a third-party DNS service such as OpenDNS, which is not vulnerable to the discovered flaw.

    NIST’s NVD entry for CVE-2008-1447 has more details and links to vendor patches.

  • Audit network devices with ease
    By Tahir on July 4, 2008 | No Comments

    Assessing the security posture of network devices like routers and firewalls can become a nightmare when a security practitioner is faced with tens of devices, each with hundreds (sometimes thousands) of lines of configuration to go through. Manually reading the entire configuration may not always be the right course of action, especially under tight deadlines.

    There is help available, in the form of automation tools that make our life easier. I will discuss a couple of tools that I have worked with and how they can support auditing and vulnerability assessment activities.
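
    To show the kind of work such tools automate, here is an added example (not any of the tools the post goes on to discuss, and not code from the original post): a small auditor that splits an IOS-style configuration into sections and flags a handful of classic weaknesses (reversible enable password, no password encryption, default SNMP community, clear-text HTTP management, telnet or no login on the vty lines, type 7 passwords). Both configurations below are constructed, the check IDs are this example’s own, and the enable secret hash is a placeholder.

```python
import re

# Constructed IOS-style configuration with several common weaknesses;
# it is not taken from any real device.
WEAK_CONFIG = """\
version 12.4
hostname edge-rtr-1
enable password cisco123
no service password-encryption
snmp-server community public RO
ip http server
line con 0
 password 7 0822455D0A16
 login
line vty 0 4
 transport input telnet ssh
 no login
"""

# The same device with the findings addressed (the secret hash is a placeholder).
HARDENED_CONFIG = """\
version 12.4
hostname edge-rtr-1
enable secret 5 $1$XXXX$constructedplaceholderhash
service password-encryption
snmp-server community Rq7vL2pZ RO
no ip http server
line con 0
 login local
line vty 0 4
 transport input ssh
 login local
"""


def parse_sections(config):
    """Split an IOS-style config into (header, [indented lines]) pairs; an
    unindented line starts a new section, '!' comment lines are dropped."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit(config):
    """Return (check_id, severity, message) findings. The checks and their IDs
    are this example's own, not those of any particular auditing tool."""
    sections = parse_sections(config)
    headers = [h for h, _ in sections]
    findings = []

    if any(h.startswith("enable password ") for h in headers):
        findings.append(("ENABLE-PASSWORD", "HIGH",
                         "enable password is reversible; use 'enable secret'"))
    if "service password-encryption" not in headers:
        findings.append(("PWD-ENCRYPTION", "MEDIUM",
                         "service password-encryption not enabled"))
    if "ip http server" in headers:
        findings.append(("HTTP-SERVER", "MEDIUM",
                         "clear-text HTTP management interface enabled"))
    for h in headers:
        m = re.match(r"snmp-server community (\S+)", h)
        if m and m.group(1).lower() in ("public", "private"):
            findings.append(("SNMP-DEFAULT-COMMUNITY", "HIGH",
                             f"default SNMP community '{m.group(1)}' configured"))

    for header, body in sections:
        if header.startswith("line ") and any(l.startswith("password 7 ") for l in body):
            findings.append(("TYPE7-PASSWORD", "HIGH",
                             f"{header}: type 7 password is trivially decodable"))
        if header.startswith("line vty"):
            transports = [l for l in body if l.startswith("transport input")]
            if any("telnet" in t or t.endswith(" all") for t in transports):
                findings.append(("VTY-TELNET", "HIGH",
                                 f"{header}: telnet allowed on virtual terminal lines"))
            if "no login" in body or not any(l.startswith("login") for l in body):
                findings.append(("VTY-NO-LOGIN", "HIGH",
                                 f"{header}: remote access without authentication"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit(cfg)
        print(f"== {name}: {len(results)} finding(s)")
        for check_id, severity, message in results:
            print(f"  [{severity}] {check_id}: {message}")
```

    The section parser is the part that scales: once each `line`, `interface` or `router` block is a header plus its indented body, adding a check is a few lines, and the same script can be pointed at a directory of `show running-config` dumps instead of one device at a time.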

  • iPhone “exploit development” support toolkit released
    By Tahir on June 17, 2008 | No Comments

    Core Security Technologies has launched an iPhone debugger for native iPhone processes and libraries. Here’s the email sent out to the Securityfocus mailing lists:

    ———- Forwarded message ———-
    From: Nicolas A. Economou <lists@corest.com>
    Date: Tue, Jun 17, 2008 at 6:09 PM
    Subject: iPhoneDbg Toolkit
    To: pen-test@securityfocus.com, full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com, focus-apple@securityfocus.com

    Hello!

    We are proud to announce the release of the iPhoneDbg Toolkit, an effort towards iPhone exploit development.

    You can find it here:
    http://oss.coresecurity.com/projects/iphonedbg.html.

    - What is the iPhoneDbg Toolkit?

    This set of tools will enable you to delve into iPhone Binary Reversing.

    * The iPhone Debugger allows you to debug running or newly-created native processes inside iPhone (iphonedbg).
    * The Library Loader Patcher will allow you to debug iPhone libraries (dyld_patcher).
    * You can also build a tunnel from your PC to your iPhone through USB (iphone_tunnel.exe).

    Thanks!
    Nicolas (*)

    Open Source Software
    Core Security Technologies

    —–
    (*) I am a semi-senior exploit writer at Core Security Technologies. I’ve been working in computer security for 3 years and I specialize in Windows exploits, mostly, and the development of exploit writing tools. I have also developed some exploits for Linux and Mac OS X.

  • Unexpected results when port scanning AS/400
    By Tahir on June 14, 2008 | 1 Comment

    Penetration testers often use port scanning as a first step to discover active hosts and to map out active network services. This is often done without hesitation once the written formalities are completed. That’s exactly what I did in one of my assignments that included AS/400 (now iSeries) systems, and things did not turn out as expected.

    I issued an nmap service version and OS detection scan on the target network:

    nmap -sV -O -iL case_4301_hosts_1.txt

    All seemed to go well and I got my results, until about an hour later when the test subjects started to crawl and stopped accepting new requests. The system administrator ended up rebooting the affected systems, which restored everything to the way it was supposed to be. Good for me that it was a planned activity and no one was affected by it.

  • Middle East property developer’s customer info leaked on eBay
    By Tahir on June 6, 2008 | No Comments

    Damac Properties, the “largest private real estate developers in Middle East”, saw their customer database go up for sale on eBay UK for £750. This was confirmed by Damac, who have since launched an investigation into the matter.

    The seller, “dubaigoods1”, appears persistent about selling as many copies of the database as possible: after eBay removed the original item, it was reposted as “DUBAI PROPERTY/DEVELOPER INVESTOR DATABASE” without mention of Damac Properties. A screenshot taken a few minutes ago is in the full post.

  • Phoenix Mars Mission website compromised
    By Tahir on June 1, 2008 | No Comments

    As the Phoenix lander touched down on Mars last Sunday in search of signs of life, back home on Earth the Phoenix Mars Mission website was taken down earlier today after it was compromised and found to be leading visitors to an external website.

    It was the blogs section of the website that was compromised: it was vulnerable to injection flaws, which let the hacker “VITAL” add a main blog entry (screenshot in the full post).

  • RIM unable to honor India Gov demand
    By Tahir on May 27, 2008 | No Comments

    Canadian wireless device company Research in Motion (RIM), maker of the popular BlackBerry handheld communication device, has finally broken the silence surrounding the Indian Government’s demands to hand over the “keys” to decrypt secure email communications.

    RIM claims that it is not possible to hand over the decryption keys, and that setting up a local datacenter would serve no purpose given the end-to-end security deployed in its solution. RIM further declared that its solution architecture is designed so that no third party, including RIM, can read the email data under any circumstances.
