IBM X-Force Exchange

The IBM X-Force Exchange is a database of current security information. It compiles found vulnerabilities, known exploits, and malicious IPs. I signed up for the service for free and the interface is very sleek and clear looking. The main screen is just IP after IP popping up as dangerous. There is a counter of malicious IPs logged in the last hour and there are over 1,000. Of course 99.9% of them are in the spam category but it looks like every once in a while one is flagged with scanning, malware, or command & control. There are also interesting feeds like found vulnerabilities, security related blog posts, and recent big topics like China scanning IPs, PoSeidon POS malware, and IRC botnets. There are options to add things to “Collections” which let you save reports on IPs to look at later.

IBM claims that their service is “One of the largest and most complete catalogs of vulnerabilities in the world” and that they log 25 billion security events per day. Users have access to over 700 terabytes of raw data, an amount that will continue to grow as more users join. The platform is designed to foster communication between security teams at different companies so that everyone can be better protected from cybercrime.

This platform is a big deal in the security community and will help centralize the knowledge gained by professionals. It will thwart a lot of less sophisticated cybercriminals, but the problem is that it doesn’t help against targeted attacks. It is more of a band-aid, keeping companies from falling for the same attack twice, than a set of armor.

Ryan Frank

Links:

http://finance.yahoo.com/news/ibm-opens-threat-intelligence-combat-100000781.html

https://exchange.xforce.ibmcloud.com/

Seagate NAS Remote Code Execution

Here’s a fun one! Looks like if you have a Seagate NAS device it’s possible to run code as root without having to authenticate!

So how in the world can an attacker run whatever code they want on your NAS? Well, it starts with a trio of out of date core technologies: PHP 5.2.13 (released in 2010), CodeIgniter 2.1.0 (released 2011), and Lighttpd 1.4.28 (released in 2010). Of course, old software doesn’t necessarily mean it’s bad, and in this case, Lighttpd 1.4.28 is fine and dandy (with the exception that it runs as root). The versions of PHP and CodeIgniter, in this case, have some issues. Versions of PHP prior to 5.3.4 have an issue that allows users to specify file paths that include a NULL byte, allowing user-controlled data to prematurely terminate file paths. That’s quite a problem, but the version of CodeIgniter they’re using has a doozy of an oversight. Session tokens created by versions prior to 2.2.0 contain a serialized PHP associative array (aka hash) that’s encrypted with a custom algorithm. In this case, that hash contains user-controllable data, so it’s pretty trivial to extract the encryption key. As a matter of fact, the key is the same for every device! Once you get the key and decrypt it, obviously you can modify the data until the cows come home, re-encrypt it, and be on your way.

That’s cool, so what fun things can we do with these vulnerabilities? Well… it just so happens the web application that the NAS uses doesn’t appear to maintain session info on the server; it’s all stored in the session cookie! That must mean there’s some good stuff in that cookie, right? Correct! Inside that cookie there are three key/value entries that are of interest to this exploit: username, is_admin, and language. So what makes these fun? Well, once a session has been established and the username field is present in the cookie, the system no longer validates the credentials, so a user can change the field and authenticate as whoever they want. Is the is_admin field really what I think it is? Can I really just change it to yes and elevate myself to admin in the web interface? Yes! Yes you can! Ok cool, now what about this language field? Remember the PHP bug I mentioned above? Yeah, that, it’s used to generate a file path of the code we want to execute.

Now we have the pieces, how do we pwn one of these NAS’s? Simple!

  1. Write a PHP file to the NAS; this can be done by HTTP log file poisoning
  2. Get a session cookie
  3. Modify the language variable so it contains the path of the file you just created
  4. Make a request with this new cookie
  5. ???
  6. Profit.

The author of the article was also nice enough to create a Metasploit module so you can test it for yourself (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/seagate_nas_php_exec_noauth.rb)

There’s currently no fix, although Seagate is very much aware of the issue, and according to one count there are upwards of 2500 public-facing NAS devices that are vulnerable.
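To make the language-field problem concrete from the defender’s side, here is an added example (not Seagate’s or the advisory’s code) that models the weak pattern described above, a cookie value pasted into an include path with pre-5.3.4 NUL-byte truncation, next to a hardened lookup that treats the cookie value as untrusted. The language directory, the allowed language names and the file name are assumptions made up for the example.

```python
import posixpath
import re

# Constructed for this example: where language files live and which languages
# the application actually ships. These are assumed names, not Seagate's.
LANG_DIR = "/var/www/app/language"
ALLOWED_LANGUAGES = {"english", "french", "german"}


def weak_language_path(language: str) -> str:
    """The vulnerable pattern from the post: the cookie-supplied 'language'
    value is concatenated straight into an include path. PHP before 5.3.4
    handed the string to C file functions, which stop at the first NUL byte,
    so whatever the application appended after the value is silently lost."""
    path = f"{LANG_DIR}/{language}/strings.php"
    nul = path.find("\x00")          # model the pre-5.3.4 truncation
    return path if nul == -1 else path[:nul]


class BadLanguage(ValueError):
    """Raised when the cookie value is not an acceptable language selector."""


def safe_language_path(language: str) -> str:
    """Hardened lookup: accept only an allow-listed token, reject NUL bytes
    and path characters outright, and confirm the resolved path still lies
    inside LANG_DIR before it is ever used as a file name."""
    if "\x00" in language:
        raise BadLanguage("NUL byte in language value")
    if not re.fullmatch(r"[a-z]{2,16}", language):
        raise BadLanguage("language is not a plain lowercase token")
    if language not in ALLOWED_LANGUAGES:
        raise BadLanguage("unknown language")
    path = posixpath.normpath(posixpath.join(LANG_DIR, language, "strings.php"))
    if posixpath.commonpath([LANG_DIR, path]) != LANG_DIR:
        raise BadLanguage("path escapes the language directory")
    return path
```

The allow-list check alone would be enough here; the NUL and containment checks are kept so the same function stays safe if the allow-list is later relaxed.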

-Matt Smicinski

Sources: https://beyondbinary.io/advisory/seagate-nas-rce/

Another Leaky Cloud – Dropbox gets Breached

It seems as though it’s been a double whammy for the cloud storage service Dropbox this week. After announcing a bug that caused people’s files to get deleted unintentionally, it has been the victim of a third-party breach. Hackers infiltrated a third-party service used for storing people’s Dropbox logins and made a database out of them. The hackers are taking Bitcoin donations to show more of the database.

Don’t worry, Dropbox has reset everyone’s passwords already, and most of the passwords were expired anyway. However, you should still change your password. This also goes to show the internet is a dangerous place and you should only use a typewriter. Also, buy tinfoil hats or the government will read your thoughts.

http://9to5mac.com/2014/10/13/hackers-claim-to-have-a-database-of-nearly-7-million-dropbox-credentials-service-denies-it-was-breached/

Home Depot contains malware, but not before 56 million cards were impacted.

A few weeks ago, there was evidence that Home Depot had a security breach when credit cards were put up for sale on a black market website. This was already covered by this blog in this post. Since then, Home Depot has not only confirmed a breach, but that it had existed from April to September 2014. The release also states that the malware was found in American and Canadian stores installed in the self-checkout machines, and that it has been removed from use. There were no signs of data breaches in normal checkout machines, Mexican stores, or the American or Canadian online websites. Despite card information being compromised, there were no signs that PIN numbers were recorded. Home Depot has also finished installing enhanced encryption in U.S. stores on September 15, and Canadian stores are expected to be finished in early 2015. The breach has been closed, but not before 56 million cards were affected. The malware used in this breach was reported to not have been seen in other attacks; however, there are signs that this breach was done by the same group of hackers responsible for Target last year. According to Krebsonsecurity.com, the thieves were stealing card information up to five days after the first signs of the breach on September 2nd. As of September 22, 2014, Home Depot holds the record for the largest retail card breach. Second place goes to TJX with 45.6 million cards and third place goes to Target with 40 million.

-David Mauriello

iCloud Hacked: Celebrity Photos Leaked to the World

On August 31 approximately 200 private pictures of various celebrities were posted to 4chan. Users of 4chan spread the pictures to other social networks and websites such as Imgur, Reddit, and Tumblr. McKayla Maroney, the Olympic gold medalist, is among the group of people who had their photos released to the public. The pictures released of her are underage. That is classified as possession and distribution of child pornography. Twitter user @IgnacioGordo tweeted a link featuring a countdown clock that threatens to release photos of Emma Watson, and at the bottom of the page it states, “Never forget, the biggest to come thus far.” Apple’s iCloud service is believed to have been breached and that is how the hackers acquired personal videos and photos. Apple later confirmed that the hackers gathered the photos from iCloud and reassured users that the service itself is not vulnerable. Very targeted attacks were used to steal account information such as passwords. The gathered information, along with time, allowed the hackers to break in. Apple has stated that they are working with the FBI to locate and charge those responsible for the leak.