Free Courses and Wargame in March
Mkit Argentina is back with everything in 2012!!
Here are the best IT Security events in March:
GratuitoFree Computer Forensics Course
In this course the attendees will learn the secrets of virtualization in forensic environments, for investigation and results presentations.
Speaker: Ing. Gustavo Daniel Presman -CCE - EnCE - FCA - NPFA - EnCI 
Date
Thursday, March 15th, 2012, from 6:30 pm until 9:30 pm (GMT-3, Argentina)
Signup and more information: http://www.mkit.com.ar/eventos/forense/
Free Ethical Hacking Course
In this course we will cover the hottest Hacking techniques, by performing them in a practical lab
Topics
|
Speaker:
Dates
March Tuesday 6th and Thursday 8th, 2012, from 6:30 pm until 10 pm (GMT-3, Argentina)
Signup and more information: http://www.mkit.com.ar/eventos/hacking/
Wargame Extreme!!
The first WARGAME EXTREME of the year comes to Mkit Argentina!!
Test your Hacking knowledge in this amazing computer challenge!!
Have fun discovering the access path and reach the final objective!!
Date
Friday March 2nd, 2012, from 6:30 pm until 10 pm (GMT-3, Argentina)
Signup and more information: http://www.mkit.com.ar/eventos/wargame/
See you there!!
Source: Mkit Argentina Blog
Facebook or SET ?
The title refers to SET (Social Engineering Toolkit), as proven repeatedly and sometimes acts as a platform facebook spread of phishing.
Again, we observed a modest, permissive design error by Facebook that allow an attacker to generate a vector for the spread of phishing. Again, there are no reports so far on the misuse of this feature.
Previously published an article that is directly related to this attack: Social Engineering via "I like" button, if not read it yet, we invite you to do a quick review to a better understanding of the possible combinations.
As detailed in the previous article, an attacker can make the design decision to increase the reliability and reputation of a note, and then modify it and post links to malicious content in it. In this particular case we add the possibility of generating 2 new additives that make it "striking" the note when you click on a link course harmless.
First, we can insert photos in the note, something known long ago. In our case we were able to insert the image from an external URL using HTML code on the note.
Example:
<img SRC="http://www.mkit.com.ar/imagen.jpg" alt="imagen"></img>
Second, through trial and error, we insert a "a href" with the possibility of moficar name hyperlink.
Example:
<a href="http://www.dominiomalicioso.com/malware.exe">http://www.mkit.com.ar/blog</a>
Again, an attacker can "hide" Thanks to these features, the redirection to a contaminated site or with an elaborate hoax to make the user to fall into their trap.
In routine testing of the operation of "Possible" attack, we see certain behavior:
- If you share the note on the wall and, if added as a hyperlink name the expression "http://", and try to click on the link of note in the wall, you will be redirected to the site says the NAME of the link no matter what the "a href". in the example above, it redirects to "http://www.mkit.com.ar/blog" instead of "http:// www.dominiomalicioso.com/malware.exe ".
- Wall Redirect WITH "Http://"
-
If you share the note on the wall and, if not added as no expression hyperlink name such as "http://", it appears in the publication of the wall as plain text, if you ever get into the preview of the note.
- Wall Redirect WITHOUT "Http://"
- If you try to click on the hyperlink in the note, then in any way going to be directed to the point where our "a href".
- Redirect From Inside the Note
We may also use Short URLs to obfuscate a little reading the status bar to prevent users who pay a little more attention.
In this particular case, select a topic of current interest to see the curiosity. The redirection is done to a script within the same domain that keeps track of visitors to measure the impact it would have if we publish malicious content.
- Victims Counter
In a rough set of 300 nodes, a Monday 1:30 am, just 40 minutes of publication, this is the partial result:
As much as my contacts to trust me and know that for that reason are free of worry (I hope at least ..), create a habit on the user to supply the level of design flaws by modern applications day.
In this case, is a personal account, with few nodes. Imagine if someone's account with more than 1000 contacts were stolen! Within minutes, an attacker would be layers of stealing hundreds and hundreds of data or compromise the amount of equipment.
Possible solution:
Do not allow users to use HTML tags to create notes: Certainly, there is little "aesthetic" leave the raw URL without changing its name. However, it could be a differentiation between users "Corporate" and "Regular" and give extra permissions to the first most likely make good use of this feature.
Educate the user: Having the "Advance" phishing vector previously reported, we believe in this and in most cases, the most efficient and effective way to prevent an attack, the user and instill discipline will gradually safe practices when surfing on social networking much like any network. Reading the status bar is still extremely important before clicking on any hyperlink.
Source: Gustavo Nicolas Ogawa, from Mkit's Blog redaction
Facebook Simplifies Phishing Attacks
Again, we present a 0 day in facebook phishing techniques. Fortunately we have not seen the technique in operation. Through continuous research of the platform, we can deduce certain vectors of attack to warn security experts and developers, before the vectors are exploited on a massive scale, thereby reducing their future effectiveness.
Every time we post a link, either on our wall or the wall of someone else's content is generated which Facebook calls "Preview"
After copying the link in the sector to make the publication, the preview is generated and provides information on one page which redirects to the link, read Domain Name + Forwarding link .
If we wanted, we could delete the link to the publication sector and make it look just the preview.In this way alone would be enough to click on the image preview or Link to be redirected.
- Post Without Link on Comment
In the same way, we could post malicious content as Facebook allows us to Link more than 1 content by post, but only allows one preview.
- 2 links in 1 Post
As we see in the image appears in both the preview link + Hotmail, and also appears in the Comment link for Gmail.
Now, taking advantage of these facilities provided by the application and making the URL shorteners, an attacker would be able in theory, to increase the chances of getting infected by a single publication containing 3 directions:
-
Malicious link
-
The name of the alleged link to be redirected
-
Original link
Looking in detail the image with true redirect can distinguish the following:
- Text Comment from FB.
- Name hyperlink (Sign In).
- Link in plain text (login.live.com).
- Review of the page.
Looking in detail the false image redirect we can see:
- Comment Text Short URL FB + (A PoC mode redirects to gmail.com) ---> It prompts the user to login from the link.
- Hyperlink Name (Sign Up) ---> Sign Up If pressed, the redirection would be to the origianal site, so its modification to avoid in a way that the user clicks. Sign Up = Register.
- Comment on the page:
If you want to log on, follow the link above or the following LINK: http://goo.gl/93aP6. To create an account SIGN UP tighten
Another example:
- Malicious
If you use a service to "Unzip" we cut the link produces the following result:
- Expand
Featured Site: http://longurl.org/
As shown in the result, the redirection is done to http://login.liveS.com/ which is not the same as https://login.live.com/
There are 4 key factors in the attack:
- Facebook allows us to write more than 1 hyperlink per publication
- Facebook creates a "Preview" page
- Facebook in the preview, make a detail of the "name link" (manipulated)
- Facebook lets us modify the contents of the publication.
There is a negative factor in the attack:
- The original redirect hyperlink preview CAN NOT CHANGE. Ergo, even if the attacker changes the name of the redirect link, if the user clicks on that link, it will be redirected to the original anyway.
From the Negative factor, we deduce (very easily), that the chances of effectiveness, are reduced to 50% as 2-1 link with redirection leads us to an attack site, and 1 leads us to the authentic site. However, as demonstrated in the case of Sign In / Sign Up, would achieve a diversion "semantics" of such redirection.
Of the key factors of the attack, we can deduce:
- A user easily fall into the trap of being a phishing 0 day.
- Previewing increases the reliability of the redirection
- Facebook it increases the reliability of the publication
- The "Link Name" is the second key to phishing because we can change at will, thus increasing the reliability provided by the user to click.
To avoid falling victim to a phishing scam of this nature, we recommend a conscious use of social networks. Do not trust everything it seems.
- Read carefully the status bar posing the mouse over the hyperlink to see the direction it points.
- If it is a "Short URL" enter somewhere expansion redirection links to view original.
Source: Gustavo Nicolas Ogawa, from Mkit's Blog Redaction
Hack x Colombia – What Happened
As I told you a few weeks ago, I've just finished my talk at the Hack X Colombia community event, which took place in Bogotá and Medellín.
On this talk, I spoke about the typical Web security attacks, including SQL Injection and Cross-Site Scripting (XSS). Unfortunately, because of timing issues I wasn't able to finish the talk, and were only able to speak about the first subject.
However, the talk was carried on perfectly fine and the people received me wonderfully.
I'd like to thank the event organization for allowing me to participate, and all of the assistants for staying during my talk.
For those of you who wish to see the talk, here is the link:
https://mkit.webex.com/mkit/ldr.php?AT=pb&SP=MC&rID=96630287&rKey=e0643df9e3428292
You'll have to install the WebEx Client, at the following link: http://www.webex.com/play-webex-recording.html
Here is the PDF presentation of the talk (Spanish): Hack_X_Colombia_-_Seguridad_Web
See you next time!
Tags
Recent Posts
- Free Courses and Wargame in March
- Facebook or SET ?
- Facebook Simplifies Phishing Attacks
- Information Security Incident Treatment – First Part
- Hack x Colombia – What Happened
Archives
- January 2012 (1)
- October 2011 (13)
- September 2011 (14)
- August 2011 (5)
- July 2011 (7)
- June 2011 (8)
- May 2011 (3)
- April 2011 (7)
- March 2011 (2)
- February 2011 (2)
- December 2010 (2)
- November 2010 (5)
- October 2010 (4)
- September 2010 (6)
- August 2010 (3)
- June 2010 (4)
- May 2010 (3)
- April 2010 (3)
- March 2010 (2)
- February 2010 (6)
- January 2010 (16)
- December 2009 (6)
- November 2009 (2)
- October 2009 (7)
- September 2009 (12)
- August 2009 (4)
- July 2009 (4)
- June 2009 (4)
- May 2009 (4)