Friday, October 11, 2013

Blog: 2013 Ekoparty Security Conference

The Ekoparty Security Conference 2013 took place in the beautiful city of Buenos Aires (Argentina) from 25 to 27 September. This event, the most important security conference in Latin America, is now in its ninth year, and 1,500 people attended. The slogan of this year's conference was "Somebody's watching".



Like every year, the event took place at the Konex, a cultural complex built from a plant and oil tank used from 1920 to 1992, which gives it a unique atmosphere for hosting the event.

As at Defcon and other security events, the presentations cover a wide variety of topics and discussions; Ekoparty is a forum where many security professionals present diverse research and development in computer security.

Before the event there are training courses for companies and security professionals, with content related to defensive security, digital forensics, malware analysis or pentesting, among other topics. This time I had the opportunity to present the training "Implementing Threat Intelligence in Organizations", covering the implementation of monitoring, detection and defence strategies. It was attended by security staff from banks, e-commerce companies and government.



The first day began with a panel discussion on the state of cyber-attacks and cyber-defence in Latin America, with the participation of regional experts on the subject. In the evening there were workshops, with all auditoriums filled to capacity. I presented the OSINT intelligence scripting workshop.

As with any security event, Ekoparty has its CTF (Capture The Flag) competition, but on this occasion it had a particular component that makes it different from others. The competition was based on attack-and-defence scenarios in which participants not only earned points by capturing a flag, but could also lose points by failing to defend themselves or when several teams attacked them. In addition, a team could transfer points to another team, which made for a very interesting game strategy.


It was on the second day that the conference presentations began. All were very interesting, with a lot of content and research, so I will comment on some of them.


Corey Kallenberg presented a talk on signed BIOS execution. He talked about how a system BIOS can be compromised despite the manufacturers' protections. Later, Harri Hursti presented Vote Early and Vote Often; his talk was very interesting because many countries have already implemented electronic voting systems and others are testing prototypes for deployment.


He showed a series of vulnerabilities in these systems which could allow unauthorized access to view the results, manipulation of information, or even violation of citizens' privacy. He even showed that it was possible to carry out denial-of-service attacks against these systems, preventing people from voting.



Also on the second day, Francisco Falcón and Nahuel Riva of Core Security gave the presentation Do you know who is watching you?: a thorough review of the attack surface of IP cameras. They showed some of the vulnerabilities of web cameras from leading manufacturers, and showed us how often poorly chosen and implemented solutions can become a risk to security and confidentiality.


Corey Kallenberg gave a second presentation, BIOS Chronomancy, on how a system BIOS can be compromised by malware that persists on some computers, compromising systems beyond the operating system and applications.


Finally, to close the event, Carlos Penagos and Lucas Apa of IOActive presented an interesting talk, Compromising Industrial Facilities from 40 Miles Away, on vulnerabilities in the wireless sensors used with industrial SCADA systems: they read and injected data into these devices using radio-frequency (RF) transceivers over a 65 km radius. In addition, they presented a PoC in a simulator of how an attacker could manipulate the temperature of these sensors, causing a disaster by increasing or decreasing the temperature.

As with all major security events, we had good discussions and learned about the latest research of our colleagues. But Ekoparty has a Latino flavour that makes it different. It was a great event, and you may be interested in attending the next editions. You can really enjoy the city and, of course, an asado with colleagues and friends :)

Targeted exploit



In September Microsoft published information about a new Internet Explorer vulnerability, CVE-2013-3893. The vulnerability affects IE versions 6 through 11 on platforms from Windows XP through Windows 8.1. Later in September, the company released a patch closing the vulnerability.
Cybercriminals are happy to exploit such vulnerabilities because they are easy to monetize: Internet Explorer remains popular.
Top 5 browsers according to http://gs.statcounter.com
This type of vulnerability is very dangerous because it allows the execution of arbitrary code on the target system. In late September we discovered an exploit for the vulnerability which uses a Use-After-Free attack against Internet Explorer's HTML rendering engine, mshtml.dll.
We have recently discovered that a modification of the exploit was used in targeted attacks against a number of high-profile organizations in Japan.
The vulnerability is exploited only on computers which belong to specific subnets of the target organizations' networks:

Defining subnets in which computers will be attacked
If a computer’s IP address belongs to one of the ranges defined by the cybercriminals, the vulnerability will be exploited after a user visits an infected web page.
The following information is obtained in the first stage of the attack:
operating system version; Internet Explorer version; language used by the OS; whether Microsoft Office is installed.
The exploit selects the appropriate ROP chain and shellcode based on the data obtained in this stage:
Choice of ROP chain and shellcode
It is worth mentioning that the exploit will not work on those Windows 7 systems which do not have Microsoft Office installed.

Checking OS version and whether Microsoft Office is installed
This is because today's operating systems include mechanisms that make exploiting vulnerabilities more difficult. One such mechanism is ASLR (Address Space Layout Randomization). The exploit uses a clever trick to evade it: it loads a module compiled without ASLR support, the hxds.dll library, into the context of the browser process.
Code that causes hxds.dll to be loaded
The library, which is part of the Microsoft Office package, does not support ASLR. It is loaded at known memory addresses, after which the attackers use the ROP technique to mark the memory containing the shellcode as executable.
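The ASLR bypass above works only because the loaded module was linked without relocation support. Whether a DLL opts into ASLR is recorded in the DllCharacteristics field of its PE optional header (the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE bit, 0x0040), so a defender can audit the modules a browser process loads and flag any that would land at a fixed address. The following is an added example written for this page, not code from the original analysis; it parses that header field and reports the common mitigation bits. The PE images it checks are constructed in memory (a bare MZ/PE header skeleton), not real files; the assumption is only the PE/COFF header layout, in which DllCharacteristics sits at offset 70 of the optional header for both PE32 and PE32+.

```python
"""Audit whether a PE module opts into ASLR and related mitigations.

Added example for this page (not the original analysis' code). It reads the
DllCharacteristics word of a PE optional header, which is the field that tells
the loader whether a DLL may be relocated (ASLR-compatible) or must be mapped
at its preferred base, as the page says hxds.dll is.
"""
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_FLAGS = {
    "HIGH_ENTROPY_VA": 0x0020,  # 64-bit ASLR with high entropy
    "DYNAMIC_BASE": 0x0040,     # image can be relocated, i.e. ASLR-compatible
    "NX_COMPAT": 0x0100,        # DEP/NX compatible
    "GUARD_CF": 0x4000,         # Control Flow Guard instrumented
}


def dll_characteristics(pe: bytes) -> int:
    """Return the DllCharacteristics word of a PE image, validating the headers on the way."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)  # offset of the PE signature
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                                # 20-byte COFF file header
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20                                    # optional header follows COFF header
    if opt_size < 72 or len(pe) < opt + opt_size:
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):                    # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at optional-header offset 70 for both PE32 and PE32+.
    (chars,) = struct.unpack_from("<H", pe, opt + 70)
    return chars


def mitigation_flags(pe: bytes) -> dict:
    """Map each known mitigation flag name to whether the image sets it."""
    chars = dll_characteristics(pe)
    return {name: bool(chars & bit) for name, bit in DLL_FLAGS.items()}


def supports_aslr(pe: bytes) -> bool:
    """True if the loader is allowed to relocate this module (DYNAMIC_BASE set)."""
    return mitigation_flags(pe)["DYNAMIC_BASE"]


def build_minimal_pe(chars: int, pe32plus: bool = False) -> bytes:
    """Construct a minimal, non-loadable PE header skeleton carrying the given DllCharacteristics.

    Constructed for demonstration only; just the fields the parser reads are meaningful.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew: PE header right after DOS header
    opt_size = 240 if pe32plus else 224
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # A module built without /DYNAMICBASE versus one with ASLR and DEP opted in.
    fixed = build_minimal_pe(0x0000)
    relocatable = build_minimal_pe(DLL_FLAGS["DYNAMIC_BASE"] | DLL_FLAGS["NX_COMPAT"])
    print("fixed-address module supports ASLR:", supports_aslr(fixed))
    print("relocatable module supports ASLR:", supports_aslr(relocatable))
    print("relocatable module flags:", mitigation_flags(relocatable))
```

To audit a real module, pass `open(path, "rb").read()` to `mitigation_flags`; a module that reports `DYNAMIC_BASE: False` is one an exploit can use as a fixed-address ROP source, which is exactly why EMET-style "mandatory ASLR" forcing such modules to relocate, or blocking them from loading in the browser, removes this bypass.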
The following shellcode is executed after the vulnerability has been successfully exploited:

It can be seen in the figure above that the shellcode decrypts its main part using 0x9F as the key.
After decryption, the code searches for functions needed to download and launch the payload, finding them by their hashes:

Hashes of the functions used
When the search for the required addresses is completed, the following activity takes place:
a malicious object named "runrun.exe" is downloaded from the attackers' server:
Downloading the payload
Since the downloaded module is encrypted, the shellcode reads it from disk and decrypts it using 0x95 as the key, after which the decrypted module is launched:
Decrypting the module downloaded
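Both stages described above (the shellcode body keyed with 0x9F and the downloaded module keyed with 0x95) use single-byte XOR, which is trivially reversible once a copy of the encrypted blob has been captured from the proxy cache or the temp directory. The following added example, written for this page and not taken from the original analysis, is the analyst side of that: it decodes a blob with a known key, and when the key is unknown it recovers it from the fact that a dropped executable must decode to an MZ/PE header. The encrypted samples are constructed inside the script (a bare PE header skeleton and a text marker), not real captures.

```python
"""Reverse the single-byte XOR stages described on this page (analyst helper).

Added example for this page, not code from the original analysis. The page
states that the shellcode body is keyed with 0x9F and the downloaded module
with 0x95; this helper decodes such blobs and recovers an unknown key by
checking that the plaintext carries consistent MZ/PE headers.
"""
import struct
from typing import Optional


def xor_decode(data: bytes, key: int) -> bytes:
    """Apply the loader's single-byte XOR; XOR is its own inverse, so this also encodes."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes(b ^ key for b in data)


def looks_like_pe(blob: bytes) -> bool:
    """Sanity check: MZ at offset 0 and 'PE\\0\\0' at the offset e_lfanew points to."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_pe_xor_key(blob: bytes) -> Optional[int]:
    """Return the single-byte key under which blob decodes to a PE image, or None.

    With a known two-byte plaintext prefix ('MZ') the key is fixed by the first byte;
    the second byte and the PE signature then confirm or reject it, so random data
    or a truncated download does not produce a false positive.
    """
    if len(blob) < 2:
        return None
    key = blob[0] ^ ord("M")
    if blob[1] ^ key != ord("Z"):
        return None
    return key if looks_like_pe(xor_decode(blob, key)) else None


def build_constructed_pe_stub() -> bytes:
    """Constructed stand-in for a dropped executable: DOS header, e_lfanew and PE signature only."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20


def decode_dropped_module(blob: bytes) -> Optional[bytes]:
    """Recover the key and return the decoded module, or None if it is not a XOR'd PE."""
    key = recover_pe_xor_key(blob)
    return None if key is None else xor_decode(blob, key)


if __name__ == "__main__":
    # Simulate what the shellcode leaves on disk: the module XOR'd with 0x95.
    captured = xor_decode(build_constructed_pe_stub(), 0x95)
    print("recovered key: 0x%02X" % recover_pe_xor_key(captured))
    print("decoded header:", decode_dropped_module(captured)[:2])
    # The shellcode's own body uses 0x9F; here a constructed marker stands in for it.
    stage = xor_decode(b"CONSTRUCTED-STAGE-MARKER", 0x9F)
    print("stage plaintext:", xor_decode(stage, 0x9F))
```

Run the decoded module only in a sandbox; the point of recovering it is to hash it (the page lists the MD5 of one variant) and to extract the resource data and C2 requests that the rest of the analysis describes.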
As mentioned above, the targeted attack used only one modification of the exploit for CVE-2013-3893. At the same time, the total number of modifications discovered to date amounts to 21. Attacks using this exploit have mostly been detected in Taiwan:

We have the following information on the servers from which the exploit’s payload has been downloaded:
A brief analysis of one of the payload’s variants (md5 - 1b03e3de1ef3e7135fbf9d5ce7e7ccf6) has shown that the executable module has encrypted data in its resources:

Encrypted data in the payload’s resources
The executable module extracts the data and converts it to a DLL module:

Extracting encrypted data
The DLL created by converting the data extracted from the payload is written to disk at the following path:
TempPath\tmp.dll (md5 - bf891c72e4c29cfbe533756ea5685314).
The library exports the following functions:

Functions exported by tmp.dll
When the library has been written to disk, it is loaded into the process’s address space and the ishk exported function is called:

Calling the ishk exported function
The library itself performs an injection into another process's address space.
After launching, the malware communicates with a server in South Korea. The following requests are sent from the infected machine:

Requests sent from the infected machine
Kaspersky Lab detects the payload downloaded as Trojan-Dropper.Win32.Injector.jmli.
We detect the exploit as HEUR:Exploit.Script.Generic.

Wednesday, October 2, 2013

Great Britain's cyber soldiers: MoD hires cyber warriors for its cyber unit

Britain's military cyber warriors: the MoD is to hire hundreds of cyber geniuses and professionals for its military cyber units.


The British Ministry of Defence announced that it is preparing a military cyber team and invited professionals to join the units, with the recruitment process starting in October.


The British Government is setting aside a section of the military budget to develop a cyber-offensive unit by recruiting many hackers and cyber experts. The announcement was made on Sunday by the country's Secretary of Defence, Philip Hammond.


This is the first time the UK will have an official cyber-warriors team, which will be assigned different tasks.


Hammond was quoted by AFT as saying: "In response to the growing cyber threat, we are developing a full-spectrum military cyber capability, including a strike capability, to improve the military capabilities of the United Kingdom."


The Secretary of Defence said that a simple cyber security unit is not enough, as scenarios in the cyber world are becoming more offensive and security requirements more complex. In an interview with The Daily Mail, he said:


"We are going to build in Britain a cyber-strike capability so we can hit back in cyberspace against enemies who attack us, putting cyber alongside land, sea, air and space as a public military activity." "Our commanders can use cyber weapons alongside conventional weapons in future conflicts."


Hammond also said that this is an excellent opportunity for all the cyber geniuses out there, because it will allow them to use their skills on a larger platform for the good of the nation.


Using a patriotic slogan is a strategic step to attract computer geeks to the cyber army unit. Hammond added that these cyber national guards will not have to pass the Territorial Army fitness tests. He added that this was going to be a major reform of the army.


The plan for the cyber unit was made public by Hammond when he briefed reporters. The interview was conducted in the MoD's nuclear bunker, making Hammond the first Defence Secretary to be interviewed or photographed there.


"Cyber weapons offer the enticing possibility of paralysing the enemy without inflicting lasting damage on them. No cities to rebuild, no infrastructure to rebuild," Hammond said, adding that this thinking was quite in tune with attitudes in the United States. "One of my American colleagues put it to me like this: why would you want to bomb someone's airfield if you could just stop it with a cyber-attack?"


In March this year, the US also announced that it was preparing 40 new cyber teams or units, stating that the reason for this decision was the cyber-attacks conducted by Iranian and Chinese hackers. General Keith Alexander, who heads United States Cyber Command and the NSA, officially announced that 13 of the forty cyber units would be dedicated solely to offensive operations.


After the United States, Israel also announced its cyber combat training program a few months ago.


The National Audit Office report published in February questioned Britain's ability to launch its own cyber units. The report said that Britain does not have enough cyber geniuses able to counter cyber attacks, which are becoming more and more frequent.


The report also criticised government officials for not being effective or inclined towards promoting technology and science, and it also cited education experts saying that it may take "up to 20 years to close the skills gap at all levels of education."


British members of parliament also warned the Government that the country is very vulnerable to cyber attacks because its military depends so much on cyber communication systems.

GlobalPost Twitter and site hacked by Syrian Electronic Army


The hardcore supporters of Syrian President Bashar Assad, the Syrian Electronic Army (SEA), have hacked the official website of the US-based news organisation GlobalPost and its Twitter account.


The reason for hacking GlobalPost was given by the hackers in tweets sent via the site's official Twitter account: GlobalPost had published the names of alleged members of the SEA.


The hackers left a message on GlobalPost's website and Twitter account with a final warning. The message read as follows:

"Think twice before publishing unreliable information about the Syrian Electronic Army (SEA). This time we stopped your website and took down your Twitter account; next time you will start looking for new jobs."

GlobalPost has confirmed that both its website and Twitter account were briefly hacked, for the first time since the company began in January 2009.


After the article was published, the GlobalPost website and Twitter account were restored. However, the article with the names of the alleged SEA members was still available on the site. "We will not delete the news and will cover all aspects of the ongoing Syrian war," said GlobalPost.


GlobalPost is an American online news company, founded on January 12, 2009, that focuses on international news.


Last month I shared a deep analysis of a possible cyber Armageddon in which the SEA could paralyse the defence and financial systems of the United States. Today's piece is a peek at how easily the SEA chooses a target and hacks it without any difficulty.


The Syrian Electronic Army has been on the FBI's list of terrorist groups since last September for hacking the US military.



Israeli defence contractor ISPRA site hacked by AnonGhost

An online hacktivist using the handle AnonGhost hacked and defaced a website belonging to the Israeli defence contractor ISPRA Israel Product Research Co. Ltd., which develops, manufactures and markets non-lethal riot-control devices, crowd-management equipment, anti-terror gear and police equipment.


The hacker left a page on the hacked site with a message against the State of Israel and in support of the Palestinian liberation movement. The message read as follows:


The hacker also pointed out that the contractor is a direct supplier to the Israeli Government, according to a cached page from the Israeli Ministry of Defence.


The targeted site and its mirror link are available below:


http://www.ispraltd.com/
http://zone-h.org/mirror/ID/20886514


ISPRA Israel Product Research Co. Ltd., founded in 1969, is a private company operating from two sites in Israel: the plant and R&D centre in Zichron Yaakov, and the management and sales offices in Herzliya, with customers all over the world.


This is not the first time AnonGhost has hacked an Israeli defence contractor; in the past a communications provider for the Israeli army had its website defaced by the same hacker.


At the time of publication of that article, the site had been restored and was back online.

John McAfee: My new gadget will defeat the NSA and protect users' privacy

John McAfee, founder of the McAfee antivirus company, said that he will unveil a gadget that would allow internet users to protect their activities and private lives from the eyes of NSA spying.



He named the gadget D-Central and said it will be designed to cost less than $100. He gave an interview on Saturday at the San Jose McEnery Convention Center. He said that "this device would be able to communicate with tablets, smartphones, cell phones and other devices, and will create a chain of decentralized networks." McAfee said, "because these networks are essentially floating around in the world of the web as private networks, it is almost impossible to nail them down".


During the conversation, McAfee acknowledged that such a device could be used to carry out some wicked activities, but he deflected any criticism by simply adding that "the telephone is used to detrimental effect".


The interview can be viewed at the YouTube link below:


McAfee has been the subject of some controversy over the last 12 months. He is considered a legend in Silicon Valley because he succeeded in building his own antivirus company into a prominent firm in the industry. However, he was the main suspect in a controversy last year when he was sought for questioning by the authorities in Belize over the shooting of his neighbour. He said in Saturday's interview that he had nothing to do with the murder, and that he fled Belize just to avoid paying a $2 million bribe.



Putting all that aside, D-Central might be the most controversial move he has ever made. He said he had been brainstorming this idea for a few years and accelerated his efforts to design the gadget after the revelations made by Edward Snowden (the former NSA contractor). Edward Snowden, as we all know, leaked many classified documents about the NSA spying program. It is quite possible that the US Government may not allow him to sell the gadget in the United States. However, he is not worried about such a restriction because, he said, he could sell D-Central in many other countries of the world.


McAfee said "It is coming and cannot be stopped".


He refused to give any further information about the gadget, but a teaser site with more information on the subject will be launched in 174 days.



U.S. says Iran hacked our Navy computers

Some Navy officials said that Iranian hackers entered unclassified US Navy computer networks.


On December 6, 2012, I reported that the Navy faces 110,000 cyber attacks every hour. Now the Wall Street Journal has published a report on 27 September in which it said that the hacks against US Navy computers were carried out by Iranian hackers. The report did not reveal the names of the American officials who made this claim against the Islamic Republic of Iran.


The report further stated that although U.S. Army officials received a briefing on the recent intrusion, the Pentagon is denying the hack. The allegation has emerged in the cyber world at a time when Iran itself is an important target of hacker attacks.


In 2012 the Washington Post published a report in which it affirmed that Israel and the USA worked together to develop the Flame computer virus for spying on Iran. The report also added that the cooperation to develop the virus was between the CIA and the Israeli military.


The New York Times also published a report in June 2013 which said that President Barack Obama gave the order to launch a cyber-attack against Iran's nuclear program using the Stuxnet virus. The paper also added that this virus was created by the United States in cooperation with an Israeli intelligence unit.


The malicious software was, however, detected by Iranian experts before it could cause serious damage to the country's industrial resources.


Following these attacks, the Iranian Government launched a defence headquarters whose goal is to counter and negate any cyber attacks designed to damage or steal information from its nuclear facilities, security networks, banks, data centres and power stations.
