PHISHING ATTACKS ON TELECOMMUNICATION CUSTOMERS RESULTING IN ACCOUNT TAKEOVERS CONTINUE

<div dir="ltr" style="text-align: left;" trbidi="on"><h3 class="entry-title" style="clear: both; font-family: 'lucida grande', verdana, sans-serif; font-size: 12px; margin: 0px; padding: 0px; text-transform: uppercase;">PHISHING ATTACKS ON TELECOMMUNICATION CUSTOMERS RESULTING IN ACCOUNT TAKEOVERS CONTINUE</h3><div><div class="entry-summary" style="font-family: verdana, arial, helvetica, sans-serif; font-size: 13px; text-align: justify;">Phishing attacks targeting various telecommunication companies’ customers continue. Individuals receive automated telephone calls that claim to be from the victim’s telecommunication carrier. The IC3 released an advisory about this scam in May 2013. Since then, the attacks have increased and recently, victims have reported receiving SMS texts with a similar phishing message encouraging them to go to web sites to claim their reward. Victims are directed to a phishing site to receive a credit, discount or prize ranging from $100 to $2,500. The monetary amounts being offered are increasing to make the scam more enticing. A fraudulent web site example would be <span style="color: blue;">www.My(insertphone company name)900.com</span>. Other fraudulent web sites may contain words such as, MyBonus, ILove, ILike, Reward, Promo, or similar words, along with a telephone company’s name.</div><div style="font-family: verdana, arial, helvetica, sans-serif; font-size: 13px; text-align: justify;">The phishing site is a replica of one of the telecommunication carrier’s sites and requests the victim’s log-in credentials and the last four digits of their Social Security number. Once access is gained, the subject makes changes to the customer’s account and may place orders for mobile phones.</div><div style="font-family: verdana, arial, helvetica, sans-serif; font-size: 13px; text-align: justify;">The IC3 urges the public to be cautious of unsolicited telephone calls, e-mails and text messages, especially those promising some type of compensation for supplying account information. If you receive such an offer, verify it with the business associated with your account before supplying any information. Use the phone numbers that appear on your account statement to contact the business.</div><div style="font-family: verdana, arial, helvetica, sans-serif; font-size: 13px; text-align: justify;">If you have fallen victim to this scam, immediately notify your telecommunication carrier and file a complaint with the IC3, <a href="http://www.ic3.gov/" rel="ext" target="_blank">http://www.ic3.gov</a>.</div></div></div>

Security news PHISHING ATTACKS ON TELECOMMUNICATION CUSTOMERS RESULTING IN ACCOUNT TAKEOVERS CONTINUE

PHISHING ATTACKS ON TELECOMMUNICATION CUSTOMERS RESULTING IN ACCOUNT TAKEOVERS CONTINUE Phishing attacks targeting various telecommunication...

Read More..

Wildcard DNS, Content Poisoning, XSS and Certificate Pinning

<div dir="ltr" style="text-align: left;" trbidi="on"><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">Hi everyone, this time I'm going o talk about an interesting vulnerability that I reported to Google and Facebook a couple of months ago. I had some spare time last October and I started testing for vulnerabilities on a few companies with established bug bounty programs. Google awarded me with $5000,00 and Facebook payed me $500,00 for reporting the bugs.</span><br /><br style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;" /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">I know you may be more interested on highly sophisticated exploits that allow </span><a href="http://seclists.org/fulldisclosure/2014/Mar/123" style="background-color: white; color: #771100; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-decoration: none;">arbitrary file upload to the Internet</a><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">, with custom payloads that may lead to unexpected behavior like </span><a href="http://seclists.org/fulldisclosure/2014/Mar/332" style="background-color: white; color: #771100; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-decoration: none;">closing Security Lists</a><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">. Hopefully this class of bugs is already </span><a href="http://seclists.org/fulldisclosure/2014/Mar/333" style="background-color: white; color: #771100; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-decoration: none;">patched by Fyodor</a><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;"> and Attrition is offering an </span><a href="http://attrition.org/postal/asshats/" style="background-color: white; color: #771100; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-decoration: none;">efficient exploit mitigation technique</a><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">.</span><br /><br /><div class="separator" style="background-color: white; clear: both; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-align: center;"></div><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">The title may be a little confusing, but I'm going to show that it's possible to combine all these techniques to exploit vulnerable systems.</span><br /><br style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;" /><b style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">Content Poisoning and Wildcard DNS</b><br /><br style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;" /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">Host header poisoning occurs when the application doesn't validate full URL's generated from the HTTP Host header, including the domain name. Recently, the </span><a href="https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/" style="background-color: white; color: #771100; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-decoration: none;">Django Framework</a><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;"> fixed a few vulnerabilities related to that and </span><a href="https://twitter.com/albinowax" style="background-color: white; color: #771100; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-decoration: none;">James Kettle</a><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;"> made an interesting </span><a href="http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html" style="background-color: white; color: #771100; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-decoration: none;">post discussing lots of attack scenarios</a><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;"> using host header attacks.</span><br /><br style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;" /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">While testing this issue, I found a different kind of Host header attack that abuses the possibility to browse wildcard domains. Let's have a quick look at the </span><a href="https://en.wikipedia.org/wiki/Hostname" style="background-color: white; color: #771100; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-decoration: none;">Wikipedia entry on Hostnames</a><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">:</span><br /><blockquote class="tr_bq" style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;"><div style="font-family: sans-serif; font-size: 13px; line-height: 19.200000762939453px; margin-bottom: 0.5em; margin-top: 0.4em;">"The Internet standards (<a href="https://en.wikipedia.org/wiki/Request_for_Comments" style="background-image: none; color: #0b0080; text-decoration: none;" title="Request for Comments">Request for Comments</a>) for protocols mandate that component hostname labels may contain only the <a href="https://en.wikipedia.org/wiki/ASCII" style="background-image: none; color: #0b0080; text-decoration: none;" title="ASCII">ASCII</a> letters 'a' through 'z' (in a case-insensitive manner), the digits '0' through '9', and the <a href="https://en.wikipedia.org/wiki/Hyphen" style="background-image: none; color: #0b0080; text-decoration: none;" title="Hyphen">hyphen</a> ('-'). <b>The original specification of hostnames in <a class="external mw-magiclink-rfc" href="https://tools.ietf.org/html/rfc952" rel="nofollow" style="color: #771100; text-decoration: none;">RFC 952</a>, mandated that labels could not start with a digit or with a hyphen, and must not end with a hyphen</b>. However, a subsequent specification (<a class="external mw-magiclink-rfc" href="https://tools.ietf.org/html/rfc1123" rel="nofollow" style="color: #771100; text-decoration: none;">RFC 1123</a>) permitted hostname labels to start with digits. No other symbols, punctuation characters, or white space are permitted."</div></blockquote><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">The fun part here is that the network stack from Windows, Linux and Mac OS X consider domains like -www.plus.google.com, www-.plus.google.com and www.-.plus.google.com valid. It's interesting to note that Android won't resolve these domains for some reason.</span><br /><br /><div class="separator" style="background-color: white; clear: both; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxlG61Z6Q4jcuo9FC1VuxwOYJnN9YwpYuJ6KffsNgdYw_Y7I2FBgEAjqFlfXDxFNpPOIqRcdlxI9IsD6oh0-vVZv5SnOKVIvuWetsxKn3mJZNiUD63Ai9JCRwqlfTGBMO2MRBUmC7dbari/s1600/Screenshot_2014-03-30-10-54-39.png" imageanchor="1" style="color: #771100; margin-left: 1em; margin-right: 1em; text-decoration: none;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxlG61Z6Q4jcuo9FC1VuxwOYJnN9YwpYuJ6KffsNgdYw_Y7I2FBgEAjqFlfXDxFNpPOIqRcdlxI9IsD6oh0-vVZv5SnOKVIvuWetsxKn3mJZNiUD63Ai9JCRwqlfTGBMO2MRBUmC7dbari/s1600/Screenshot_2014-03-30-10-54-39.png" style="border: none; position: relative;" width="400" /></a></div><br style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;" /><div class="separator" style="background-color: white; clear: both; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQK4Y6BaVfXXe0BTKwpGq2xmlOgn83Rxtz8QSpqocnYm7jzP87GoGZTyranJRQU_tS8lpxhxstrcguFJWL3fl8s0ViWyLkRqz3JuWSEniadaRQuxXj3zTzbiadeIHVzEGh0mT4pcQvTysK/s1600/Screenshot+from+2014-03-30+10%5E%2556%5E%2513.png" imageanchor="1" style="color: #771100; margin-left: 1em; margin-right: 1em; text-decoration: none;"><img border="0" height="192" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQK4Y6BaVfXXe0BTKwpGq2xmlOgn83Rxtz8QSpqocnYm7jzP87GoGZTyranJRQU_tS8lpxhxstrcguFJWL3fl8s0ViWyLkRqz3JuWSEniadaRQuxXj3zTzbiadeIHVzEGh0mT4pcQvTysK/s1600/Screenshot+from+2014-03-30+10%5E%2556%5E%2513.png" style="border: none; position: relative;" width="640" /></a></div><br style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;" /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">Take, for example, the following URL: https://www.example.com.-.www.sites.google.com. If we compose an e-mail and paste it on the body, GMail will split them and the received message will have two “clickable” parts (</span><a href="https://www.example.com/" style="background-color: white; color: #771100; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-decoration: none;">https://www.example.com</a><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;"> and </span><a href="http://sites.google.com/" style="background-color: white; color: #771100; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-decoration: none;">sites.google.com</a><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">).</span><br /><div style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;"><br /></div><div class="separator" style="background-color: white; clear: both; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjz62nb4dQq8QtT8tYtIARnohT2XWfM8zVKFKn0W_OQ1zzDlnFQCZsFNE4TN8dcZ5xP2WdHNu5oBlMMFGQvoNqniR0Y8Th7p1U1Vh12uOQAaUt5Ry6yp4mdrMNGEYt3t9kcQAuZ7HMfaiSu/s1600/test.png" imageanchor="1" style="color: #771100; margin-left: 1em; margin-right: 1em; text-decoration: none;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjz62nb4dQq8QtT8tYtIARnohT2XWfM8zVKFKn0W_OQ1zzDlnFQCZsFNE4TN8dcZ5xP2WdHNu5oBlMMFGQvoNqniR0Y8Th7p1U1Vh12uOQAaUt5Ry6yp4mdrMNGEYt3t9kcQAuZ7HMfaiSu/s1600/test.png" style="border: none; position: relative;" width="640" /></a></div><br style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;" /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">Most e-mail based notification use the very same host you are browsing in order to compose the notification messages: you see where this is going, right?</span><br /><br style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;" /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">Facebook has a wildcard DNS entry at zero.facebook.com. In order to exploit the flaw, we have to browse the service using a poisoned URL and perform actions that may need e-mail confirmation, checking whether Facebook mails the crafted URL to the user.</span><br /><br /><div class="separator" style="background-color: white; clear: both; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDT9cHbHEJFUlwQ8jbfVqh-sHGmqcVXQz0X1RrZMZZkj7IQZFUGfmdxB8oFh3bMtHvSoL0pVpx9-lv_Yg-mE7PG91w0c0e4gsg72hfTiRUPW_kDvwey9yuijwgrPPn50PJD6lzTIQrdRN1/s1600/header2.PNG" imageanchor="1" style="color: #771100; margin-left: 1em; margin-right: 1em; text-decoration: none;"><img border="0" height="324" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDT9cHbHEJFUlwQ8jbfVqh-sHGmqcVXQz0X1RrZMZZkj7IQZFUGfmdxB8oFh3bMtHvSoL0pVpx9-lv_Yg-mE7PG91w0c0e4gsg72hfTiRUPW_kDvwey9yuijwgrPPn50PJD6lzTIQrdRN1/s1600/header2.PNG" style="border: none; position: relative;" width="640" /></a></div><br style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;" /><div class="separator" style="background-color: white; clear: both; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-align: center;"></div><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">The only vulnerable endpoint that I found affected by this issue was the registration e-mail confirmation. You may be asking, how could one exploit this to attack a legitimate user?</span><br /><br style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;" /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">Suppose I want to attack the Facebook account from goodguy@example.com. I can create or associate a "duplicate" account using the "+" sign by browsing Facebook with these injected URL's. If I navigate to Facebook using an URL like https://www.example.com.-.zero.facebook.com, all I have to do is create the duplicate account goodguy+DUPLICATE@example.com. Most e-mail services like GMail and Hotmail don't consider what you type after the "+" and forward it to the original account.</span><br /><br style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;" /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">In this case, all e-mails that Facebook sent to confirm that association had the poisoned links.</span><br /><br /><div class="separator" style="background-color: white; clear: both; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzgQTAP80FrjBIPedsu3CpdbGt3Xwpf9oz-NllxZuxudZWIxBC9AtebL7-EViV3KCjZ16_Gssqa-Qq-skuGYHHc3c6jEatOmY37yVfl-7gHGXRiM_gYg6xTGHK-3i2Xg_e03vDvJT1WF8/s1600/Screenshot_2014-03-30-10-54-39.png" imageanchor="1" style="color: #771100; margin-left: 1em; margin-right: 1em; text-decoration: none;"><img border="0" height="170" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzgQTAP80FrjBIPedsu3CpdbGt3Xwpf9oz-NllxZuxudZWIxBC9AtebL7-EViV3KCjZ16_Gssqa-Qq-skuGYHHc3c6jEatOmY37yVfl-7gHGXRiM_gYg6xTGHK-3i2Xg_e03vDvJT1WF8/s1600/Screenshot_2014-03-30-10-54-39.png" style="border: none; position: relative;" width="640" /></a></div><br style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;" /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">This can also be used to poison password reset emails, but Facebook forms were not affected. They quickly fixed that by hard coding the proper URL to their e-mail confirmation system. It's also possible (but not recommended) to fix these issues by sending notifications with relative links instead of complete URL's ("please click </span><a href="http://www.example.com.-.zero.facebook.com/" style="background-color: white; color: #771100; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-decoration: none;">here</a><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">" instead of "please click on the specified url: </span><a href="http://www.example.com/" style="background-color: white; color: #771100; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-decoration: none;">www.example.com</a><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">.-.</span><a href="http://zero.facebook.com/" style="background-color: white; color: #771100; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-decoration: none;">zero.facebook.com</a><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">").</span><br /><br style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;" /><b style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">XSS and Wildcard DNS</b><br /><br style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;" /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">While searching for these issues on Google I quickly found wildcard domains like:</span><br /><br style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;" /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">- </span><a href="https://w00t.drive.google.com/" style="background-color: white; color: #771100; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-decoration: none;">https://w00t.drive.google.com</a><br /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">- </span><a href="https://w00t.script.google.com/" style="background-color: white; color: #771100; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-decoration: none;">https://w00t.script.google.com</a><br /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">- </span><a href="https://w00t.sites.google.com/" style="background-color: white; color: #771100; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-decoration: none;">https://w00t.sites.google.com</a><br /><br style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;" /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">In case you're wondering how to quickly find these wildcard domains, you can download and lookup for them on the </span><a href="https://scans.io/" style="background-color: white; color: #771100; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-decoration: none;">scans.io datasets</a><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">. You can find these references on the Reverse DNS records or by searching for SSL certificates issued to wildcard domains, like *.sites.google.com.</span><br /><br style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;" /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">During my initial tests, I was unable to craft URL's using .-. inside the drive.google.com domain (got 500 error messages) and all I could do was creating URL’s like this: https://www.example.com-----www.drive.google.com.</span><br /><br style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;" /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">When you browse Google Drive using this URL, upload a File to a Folder and try to Zip/Download it asking for an e-mail confirmation (“Email when ready”), the e-mail confirmation message will be like this:</span><br /><br /><div class="separator" style="background-color: white; clear: both; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCcAJbzwk2OwevRxY2A35xnIsyg6FCvgXyzplnA1q_v1Hw2sPRoKsOJUjezNoeCztjZBXUsR6BLNHgHcmU4ZzGTGE6n8CnmQQ7_U9FtPQSKxt3nm1__WDLjEYlVq1C9ciqBNOAVYF_W_l-/s1600/zipp.PNG" imageanchor="1" style="color: #771100; margin-left: 1em; margin-right: 1em; text-decoration: none;"><img border="0" height="170" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCcAJbzwk2OwevRxY2A35xnIsyg6FCvgXyzplnA1q_v1Hw2sPRoKsOJUjezNoeCztjZBXUsR6BLNHgHcmU4ZzGTGE6n8CnmQQ7_U9FtPQSKxt3nm1__WDLjEYlVq1C9ciqBNOAVYF_W_l-/s1600/zipp.PNG" style="border: none; position: relative;" width="640" /></a></div><br style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;" /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">The "ready for downloading" link would point to https://www.example.com-----www.drive.google.com/export-result?archiveId=REDACTED. So far no big deal, I was still unable to poison the links... And phishing yourself is not that useful =)</span><br /><br style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;" /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">I kept testing different URL's until I found a weird behavior on Google DNS Servers. When typing URL's containing a domain you control followed by a certain number of "-" and the wildcard domain from Google, the resolved IP would be the one from the URL you control.</span><br /><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; margin-left: auto; margin-right: auto; padding: 4px; position: relative; text-align: center;"><tbody><tr><td><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvEuCQy5AhF1z6DbWkMK2gsWIyIGYbXhIlL7BSAMrB5XFZuXxnjxyl47vDKBUEZHV_fymg6OYL-y0Uz1Assz3Fdbc7p2uSKvSxd-vyRUvBa5jL87Ss1LfAY8zsxeu0x0T3WjBUOICSWswL/s1600/dns.PNG" imageanchor="1" style="color: #771100; margin-left: auto; margin-right: auto; text-decoration: none;"><img border="0" height="538" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvEuCQy5AhF1z6DbWkMK2gsWIyIGYbXhIlL7BSAMrB5XFZuXxnjxyl47vDKBUEZHV_fymg6OYL-y0Uz1Assz3Fdbc7p2uSKvSxd-vyRUvBa5jL87Ss1LfAY8zsxeu0x0T3WjBUOICSWswL/s1600/dns.PNG" style="border: none; position: relative;" width="640" /></a></td></tr><tr><td class="tr-caption" style="font-size: 12px;">My highly sophisticated Fuzzer in action</td></tr></tbody></table><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">For some reason, there was a glitch on their DNS servers, more specifically in the regexp that stripped "--" from the domain prefixes. I'm not sure why they performed these checks but that may have something to do with </span><a href="https://en.wikipedia.org/wiki/Internationalized_domain_name" style="background-color: white; color: #771100; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-decoration: none;">Internationalized Domain Names</a><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">.</span><br /><br /><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; margin-left: auto; margin-right: auto; padding: 4px; position: relative; text-align: center;"><tbody><tr><td><a href="https://xkcd.com/1171/" style="color: #771100; margin-left: auto; margin-right: auto; text-decoration: none;"><img border="0" height="238" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyWdZgHb6AEQGuAdX-y4RpgtzSaXRwoQAvtel_Nr7k9GRNif81x2i8op9RlKJfmzeXWadlD-N44hqxZyVoUlSFW4LTULOFqCFApYtOnZLcmt5tNAHCU8OFa0gCThybE1YXVyYmMEUyGHCU/s1600/perl_problems.png" style="border: none; position: relative;" width="640" /></a></td></tr><tr><td class="tr-caption" style="font-size: 12px;">XKCD's take on the bug</td></tr></tbody></table><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">Some Google domains affected by this issue (October 2013):</span><br /><br style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;" /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">- </span><a href="https://www.blogger.com/goog_622517707" style="background-color: white; color: #771100; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-decoration: none;">docs.google.com</a><br /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">- </span><a href="https://www.blogger.com/goog_622517707" style="background-color: white; color: #771100; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-decoration: none;">docs.sandbox.google.com</a><br /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">- </span><a href="https://www.blogger.com/goog_622517707" style="background-color: white; color: #771100; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-decoration: none;">drive.google.com</a><br /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">- </span><a href="https://www.blogger.com/goog_622517707" style="background-color: white; color: #771100; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-decoration: none;">drive.sandbox.google.com</a><br /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">- </span><a href="https://www.blogger.com/goog_622517707" style="background-color: white; color: #771100; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-decoration: none;">glass.ext.google.com</a><br /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">- </span><a href="https://www.blogger.com/goog_622517707" style="background-color: white; color: #771100; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-decoration: none;">prom-qa.sandbox.google.com</a><br /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">- </span><a href="https://www.blogger.com/goog_622517707" style="background-color: white; color: #771100; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-decoration: none;">prom-test.sandbox.google.com</a><br /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">- </span><a href="https://www.blogger.com/goog_622517707" style="background-color: white; color: #771100; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-decoration: none;">sandbox.google.com</a><br /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">- </span><a href="https://www.blogger.com/goog_622517707" style="background-color: white; color: #771100; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-decoration: none;">script.google.com</a><br /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">- </span><a href="https://www.blogger.com/goog_622517707" style="background-color: white; color: #771100; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-decoration: none;">script.sandbox.google.com</a><br /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">- </span><a href="https://www.blogger.com/goog_622517707" style="background-color: white; color: #771100; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-decoration: none;">sites.google.com</a><br /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">- </span><a href="http://sites.sandbox.google.com/" style="background-color: white; color: #771100; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-decoration: none;">sites.sandbox.google.com</a><br /><div style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;"><br /></div><div style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">Now that I can impersonate a Google's domain, it's possible abuse the Same Origin policy and issue requests on behalf of a logged user. <a href="http://twitter.com/lcamtuf" style="color: #771100; text-decoration: none;">lcamtuf</a> already told us about <a href="http://lcamtuf.blogspot.com.br/2010/10/http-cookies-or-how-not-to-design.html" style="color: #771100; text-decoration: none;">HTTP cookies, or how not to design protocols</a>. What happens if we control www.example.com and the logged user from drive.google.com visits the crafted URL http://www.example.com---.drive.google.com?</div><div style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;"><br /></div><div style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">Request goes to legitimate site:</div><div style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;"><br /></div><div class="separator" style="background-color: white; clear: both; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-4zLE8xic-pjuKdxxYdjtOG2EW-iTWgcm5Z9oNBoPbyLBRw0LE-GI-ylRbH710V1zErPaahmL7TIAIRXDOh_jOwJJySecSfdllc5R795g5tHGzHTLCD2wNhwmJKTRuhPPYaW29Qni279A/s1600/req1.PNG" imageanchor="1" style="color: #771100; margin-left: 1em; margin-right: 1em; text-decoration: none;"><img border="0" height="520" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-4zLE8xic-pjuKdxxYdjtOG2EW-iTWgcm5Z9oNBoPbyLBRw0LE-GI-ylRbH710V1zErPaahmL7TIAIRXDOh_jOwJJySecSfdllc5R795g5tHGzHTLCD2wNhwmJKTRuhPPYaW29Qni279A/s1600/req1.PNG" style="border: none; position: relative;" width="640" /></a></div><br style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;" /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">Requests goes to the user-controlled site, in this case my own server running nginx:</span><br /><br /><div class="separator" style="background-color: white; clear: both; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyn-4uGhDs74twtqb9wbzYMaE2ACIGusC20DT-XOEeYVbOurPXFIQROWt8YTPQr8FTBI8UdNOjMX-B-q8Ilxq-EcFacG30qSxlpqnQ-77nj459dz7e1cMGCM5gJllRQ0dRBu-thfgCoCDl/s1600/req2.PNG" imageanchor="1" style="color: #771100; margin-left: 1em; margin-right: 1em; text-decoration: none;"><img border="0" height="520" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyn-4uGhDs74twtqb9wbzYMaE2ACIGusC20DT-XOEeYVbOurPXFIQROWt8YTPQr8FTBI8UdNOjMX-B-q8Ilxq-EcFacG30qSxlpqnQ-77nj459dz7e1cMGCM5gJllRQ0dRBu-thfgCoCDl/s1600/req2.PNG" style="border: none; position: relative;" width="640" /></a></div><div style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;"><br />This leverages to a XSS-like attack: you have now bypassed the same origin and you can steal cookies and run scripts on the context of the site, for example.</div><b style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">Certificate Pinning and Wildcard DNS</b><br /><br style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;" /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">So far so good, but what if we were performing the same tests on Google Chrome, which enforces Certificate Pinning for their domains? I didn't notice at first, but I accidentally found an issue on Chrome too: it was failing to perform the proper HSTS checks for these non-RFC compliant domains.</span><br /><br style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;" /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">Other parts of the network stack were processing and fetching results from these "invalid" DNS names, but TransportSecurityState was rejecting them and therefore HSTS policies didn't apply. They simply removed the sanity checks to make TransportSecurityState more promiscuous in what it process.</span><br /><br /><div style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;"></div><div class="separator" style="background-color: white; clear: both; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfkFGxyIDrnr7ipkShsLS-FOjrsnX9daIq2ahScPqVrfomfU9YKRshfJQqIqHXmsyAZXZ4v8dXb64qsxVlVEqqnu-xhnRZphZNpaY0H5YaGeNew_x_4_E6WjbgzKwaU8LiD2OYOjGVB0za/s1600/pinning1.PNG" imageanchor="1" style="color: #771100; margin-left: 1em; margin-right: 1em; text-decoration: none;"><img border="0" height="302" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfkFGxyIDrnr7ipkShsLS-FOjrsnX9daIq2ahScPqVrfomfU9YKRshfJQqIqHXmsyAZXZ4v8dXb64qsxVlVEqqnu-xhnRZphZNpaY0H5YaGeNew_x_4_E6WjbgzKwaU8LiD2OYOjGVB0za/s1600/pinning1.PNG" style="border: none; position: relative;" width="640" /></a></div><div class="separator" style="background-color: white; clear: both; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-align: center;"><br /></div><div class="separator" style="background-color: white; clear: both; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNUQZzqyb2PdUx1ep_ntj3JYXRxDG0iL9q-Nt-xK4FCfAb9mUGw2l5WIf5-rNcIEJj2RxE6qxNG31jvQLEnAP8apJpCp66euLrNzimV-NOC4czJexLtRp-CrOHGn7m70i_-YufLHjfmXsk/s1600/pinning2.PNG" imageanchor="1" style="color: #771100; margin-left: 1em; margin-right: 1em; text-decoration: none;"><img border="0" height="230" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNUQZzqyb2PdUx1ep_ntj3JYXRxDG0iL9q-Nt-xK4FCfAb9mUGw2l5WIf5-rNcIEJj2RxE6qxNG31jvQLEnAP8apJpCp66euLrNzimV-NOC4czJexLtRp-CrOHGn7m70i_-YufLHjfmXsk/s1600/pinning2.PNG" style="border: none; position: relative;" width="640" /></a></div><br style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;" /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">You can easily reproduce this on Chrome prior to v31: proxy Chrome through OWASP ZAP (accepting its certificate), visit URL’s like https://sites.google.com and Chrome will display a “heightened security” error message. If you type URL’s like https://www-.sites.google.com or https://www-.plus.google.com Chrome offers the option to “Proceed anyway”. If you're in Turkey right now you don't need to do nothing, the </span><a href="http://googleonlinesecurity.blogspot.com.br/2014/03/googles-public-dns-intercepted-in-turkey.html" style="background-color: white; color: #771100; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-decoration: none;">Turkish Telecom does all the MITM job for you</a><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">.</span><br /><br /><div class="separator" style="background-color: white; clear: both; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIqLSU7k2bJBFd-EKHbWKSeVhKjh75_q5QzL11t2HWp-HiFYKkhZHbr6g8KElSxR4VII0Y0v0K7NIQtZcZu-3S2gBy0FMTMdieG-u3HyaNpRFbQwUh7KCKU9KPRog5Rda8K8EfaDeHyDuh/s1600/1.PNG" imageanchor="1" style="color: #771100; margin-left: 1em; margin-right: 1em; text-decoration: none;"><img border="0" height="604" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIqLSU7k2bJBFd-EKHbWKSeVhKjh75_q5QzL11t2HWp-HiFYKkhZHbr6g8KElSxR4VII0Y0v0K7NIQtZcZu-3S2gBy0FMTMdieG-u3HyaNpRFbQwUh7KCKU9KPRog5Rda8K8EfaDeHyDuh/s1600/1.PNG" style="border: none; position: relative;" width="640" /></a></div><br style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;" /><div class="separator" style="background-color: white; clear: both; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2hdOxdD5PXlvCqiu9ELXpnVbKkXGvuIajjw2eO_JS3Gn6T04vq6uWbW9Vk8-DbsbbqI8Mf_wNWuU4CEWP8PVP3NeUt96hOPpodOzbQX94FOKLbGrq9RNBnYmvPkUTy1KPkSnCjMeA4xIW/s1600/2.PNG" imageanchor="1" style="color: #771100; margin-left: 1em; margin-right: 1em; text-decoration: none;"><img border="0" height="602" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2hdOxdD5PXlvCqiu9ELXpnVbKkXGvuIajjw2eO_JS3Gn6T04vq6uWbW9Vk8-DbsbbqI8Mf_wNWuU4CEWP8PVP3NeUt96hOPpodOzbQX94FOKLbGrq9RNBnYmvPkUTy1KPkSnCjMeA4xIW/s1600/2.PNG" style="border: none; position: relative;" width="640" /></a></div><br style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;" /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">It's worth mentioning that when you issue a wildcard certificate for your host, it will be valid for a single level only. Certificates issued to *.google.com should not be trusted when used on domains like abc.def.google.com.</span><br /><br style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;" /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">The hardcoded list of domains and pinned certificates from Chrome can be found here:</span><br /><br style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;" /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">- </span><a href="https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json" style="background-color: white; color: #771100; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-decoration: none;">https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json</a><br /><br style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;" /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">During my analysis, I found that 55 out of 397 domains with Transport Security enabled had wildcard entries on their DNS. A nation sponsored attacker, with a </span><a href="https://twitter.com/lucabruno/status/450239917000781825" style="background-color: white; color: #771100; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-decoration: none;">valid and trusted CA</a><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;"> could simply MITM your traffic and inject requests to these invalid domains, circumventing the HSTS policies and stealing session cookies, for example.</span><br /><br style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;" /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">Google did not assign a CVE for that bug, but they fixed that within a couple of weeks. Chrome 32 and 33+ (the one that changed the SSL warning from red to yellow) are not affected by this issue.</span><br /><br style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;" /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">In times of </span><a href="https://www.imperialviolet.org/2014/02/22/applebug.html" style="background-color: white; color: #771100; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-decoration: none;">Goto fails</a><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">, it was really interesting to follow the Chromium's tracker, their internal discussions, tests performed and so on. The commits fixing these issues can be found </span><a href="https://codereview.chromium.org/54623005/" style="background-color: white; color: #771100; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-decoration: none;">here</a><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">.</span><br /><br style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;" /><b style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">Conclusion</b><br /><br style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;" /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">Google and Facebook security teams were both great to deal with. The bug was quite fun as well because it was different from the traditional OWASP Top 10 issues.</span><br /><br style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;" /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">And because the industry totally </span><a href="http://blog.secureideas.com/2013/09/industry-issues-new-vulnerabilities-and.html" style="background-color: white; color: #771100; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px; text-decoration: none;">needs new Vulnerability terminologies</a><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">, anyone willing to refer to these attacks shall name them Advanced Persistent Cross Site Wildcard Domain Header Poisoning (or simply APCSWDHP).</span><br /><br style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;" /><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; line-height: 20.790000915527344px;">In case you're from NSA and want to use this technique to implant our DNS's, please use the codename CRAZY KOALA so we could better track them when the next Snowden leaks your documents</span></div>

Security news Wildcard DNS, Content Poisoning, XSS and Certificate Pinning

Hi everyone, this time I'm going o talk about an interesting vulnerability that I reported to Google and Facebook a couple of months ago...

Read More..

Google Services Updated to Address OpenSSL CVE-2014-0160 (the Heartbleed bug)

<div dir="ltr" style="text-align: left;" trbidi="on"><div class="post-body" style="background-color: white; color: #333333; font-family: Arial, sans-serif; font-size: 13px;"><span class="byline-author" style="color: #666666; margin: 0px; padding: 0px;"><br /></span><span style="color: black; font-family: inherit; line-height: 1.15; vertical-align: baseline; white-space: pre-wrap;">You may have heard of “Heartbleed,” a flaw in OpenSSL that could allow the theft of data normally protected by SSL/TLS encryption. </span><span style="color: #222222; font-family: inherit; line-height: 1.15; vertical-align: baseline; white-space: pre-wrap;">We’ve assessed this vulnerability and applied patches to key Google services such as Search, Gmail, YouTube, Wallet, Play, Apps, App Engine, <span style="color: black; line-height: normal; white-space: normal;">AdWords, DoubleClick, Maps, Maps Engine, Earth, Analytics and Tag Manager</span>.  Google Chrome and Chrome OS are not affected. </span><span style="color: black; font-family: inherit; line-height: 1.15; vertical-align: baseline; white-space: pre-wrap;">We are still working to patch some other Google services. We regularly and proactively look for vulnerabilities like this -- </span><a href="http://www.google.com/about/appsecurity/patch-rewards/" style="font-family: inherit; line-height: 1.15; text-decoration: none;"><span style="color: #1155cc; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">and encourage others to report them</span></a><span style="color: black; font-family: inherit; line-height: 1.15; vertical-align: baseline; white-space: pre-wrap;"> -- so that that we can fix software flaws before they are exploited. </span><br /><span style="font-family: inherit; line-height: 1.15; white-space: pre-wrap;"><br /></span><span style="font-family: inherit; line-height: 1.15; white-space: pre-wrap;">If you are a Google Cloud Platform or Google Search Appliance customer, or don’t use the latest version of Android, here is what you need to know:</span><br /><span style="font-family: inherit; font-weight: bold; line-height: 1.15; white-space: pre-wrap;"><br /></span><span style="font-family: inherit; font-weight: bold; line-height: 1.15; white-space: pre-wrap;">Cloud SQL</span><br /><span style="font-family: inherit; line-height: 1.15; vertical-align: baseline; white-space: pre-wrap;">We are currently patching Cloud SQL, with the patch rolling out to all instances today and tomorrow. In the meantime, users should use the IP whitelisting function to ensure that only known hosts can access their instances. Please find </span><span style="color: #1155cc; font-family: inherit; line-height: 1.15; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://developers.google.com/cloud-sql/docs/access-control#appaccess" style="text-decoration: none;">instructions here</a></span><span style="font-family: inherit; line-height: 1.15;">.</span><br /><span style="font-family: inherit; font-weight: bold; line-height: 1.15; white-space: pre-wrap;"><br /></span><span style="font-family: inherit; font-weight: bold; line-height: 1.15; white-space: pre-wrap;">Google Compute Engine</span><br /><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: inherit;"><span style="background-color: transparent; color: black; vertical-align: baseline; white-space: pre-wrap;">Customers need to manually update OpenSSL on each running instance or should replace any existing images with versions including an updated OpenSSL. Once updated, each instance should be rebooted to ensure all running processes are using the updated SSL library. Please find </span><span style="background-color: transparent; color: #1155cc; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="http://developers.google.com/compute/docs/security-bulletins" style="text-decoration: none;">instructions here</a></span>.</span><br /><span style="font-family: inherit; font-weight: bold; line-height: 1.15; white-space: pre-wrap;"><br /></span><span style="font-family: inherit; font-weight: bold; line-height: 1.15; white-space: pre-wrap;">Google Search Appliance (GSA)</span></div><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: inherit;"><span style="background-color: transparent; color: black; vertical-align: baseline; white-space: pre-wrap;">Engineers have patched GSA and issued notices to customers. More information is available in the </span><a href="http://google.com/enterprise/portal" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Google Enterprise Support Portal</span></a><span style="background-color: transparent; color: black; vertical-align: baseline; white-space: pre-wrap;">.</span></span><br /><span style="font-family: inherit; font-weight: bold; line-height: 1.15; white-space: pre-wrap;"><br /></span><span style="font-family: inherit; font-weight: bold; line-height: 1.15; white-space: pre-wrap;">Android</span></div><div dir="ltr" style="line-height: 1.15; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: inherit; vertical-align: baseline; white-space: pre-wrap;">All versions of Android are immune to CVE-2014-0160 (with the limited exception of Android 4.1.1; patching information for Android 4.1.1 is being distributed to Android partners).</span><br /><span style="font-family: inherit; line-height: 1.15; white-space: pre-wrap;"><br /></span><span style="font-family: inherit; line-height: 1.15; white-space: pre-wrap;">We will continue working closely with the security research and open source communities, as doing so is one of the best ways we know to keep our users safe. </span></div><br /><b><i>Apr 12</i></b>: Updated to add Google AdWords, DoubleClick, Maps, Maps Engine and Earth to the list of Google services that were patched early, but inadvertently left out at the time of original posting.<br /><br /><b><i>Apr 14</i></b>: In light of new research on extracting keys using the Heartbleed bug, we are recommending that Google Compute Engine (GCE) customers create new keys for any affected SSL services. Google Search Appliance (GSA) customers should also consider creating new keys after patching their GSA. Engineers are working on a patch for the GSA, and the <a href="http://google.com/enterprise/portal">Google Enterprise Support Portal</a> will be updated with the patch as soon as it is available.<br /><br />Also updated to add Google Analytics and Tag Manager to the list of Google services that were patched early, but inadvertently left out at the time of original posting.<br /><br /><b><i>Apr 16: </i></b>Updated to include information about GSA patch.<div style="clear: both;"></div></div><div class="post-footer" style="background-color: white; color: #666666; font-family: Arial, sans-serif; font-size: 13px; line-height: 1.4em; margin: 0.75em 0px;"><div class="post-footer-line post-footer-line-1"><span class="post-comment-link"></span><a href="http://googleonlinesecurity.blogspot.com/2014/04/google-services-updated-to-address.html" title="permanent link">Permalink</a></div></div></div>

Security news Google Services Updated to Address OpenSSL CVE-2014-0160 (the Heartbleed bug)

You may have heard of “Heartbleed,” a flaw in OpenSSL that could allow the theft of data normally protected by SSL/TLS encryption. We’ve ass...

Read More..

Heartbleed Will Linger "For Many Months to Come"

<div dir="ltr" style="text-align: left;" trbidi="on"><h3 class="post-title entry-title" itemprop="name" style="background-color: white; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 18px; font-weight: normal; margin: 0px; position: relative;"><div class="featured-image" style="font-size: 16px; line-height: 22.17599868774414px;"><img alt="heartbleed" height="227" itemprop="image" src="http://res.cloudinary.com/hacksurfer/image/upload/t_HeaderImage4/v1397946543/s5h8ahi2tikbrejcrrjd.jpg" title="heartbleed" width="640" /></div><br style="font-size: 16px; line-height: 22.17599868774414px;" /><span style="font-size: 16px; line-height: 22.17599868774414px;">It’s been nearly two weeks since the Heartbleed bug was made public -- two weeks of massive coverage from news outlets across the globe as the security of online services used my much of the world was called into question. </span><br style="font-size: 16px; line-height: 22.17599868774414px;" /><span style="font-size: 16px; line-height: 22.17599868774414px;">Now things are beginning to settle down. Most of the major players have announced that they’ve shored up the vulnerability that left them open to leaking sensitive data. The first arrest has been made in connection with Heartbleed, a 19-year-old London, Ont. man accused of the </span><a href="http://business.financialpost.com/2014/04/16/rcmp-heartbleed-charges-hacker-cra/?__lsa=5bdc-10b7" style="color: black; font-size: 16px; line-height: 22.17599868774414px; text-decoration: none;">theft of 900 social insurance numbers</a><span style="font-size: 16px; line-height: 22.17599868774414px;"> from the Canada Revenue Agency’s Website, and users across the world have received a slew of “please reset your password” emails.</span><br style="font-size: 16px; line-height: 22.17599868774414px;" /><img alt="Heartbleed" src="http://res.cloudinary.com/hacksurfer/image/upload/v1397946655/dlaj7zfr4d4mcvvuf6hl.jpg" style="float: right; font-size: 16px; line-height: 22.17599868774414px; margin: 0px 0px 10px 10px;" title="" /><br style="font-size: 16px; line-height: 22.17599868774414px;" /><span style="font-size: 16px; line-height: 22.17599868774414px;">But there’s a long way to go, and it may be awhile before one of the biggest bugs in recent memory is truly “fixed.”</span><br style="font-size: 16px; line-height: 22.17599868774414px;" /><span style="font-size: 16px; line-height: 22.17599868774414px;">“I think things are going to be lingering for many months to come, just because that’s the nature of the way patches get implemented and holes get fixed,” said Marc Gaffan, co-founder of Incapsula. “I would imagine if we did a survey three or six months from today we’d find astonishing results in terms of how many organizations have not patched [the Heartbleed OpenSSL vulnerability].”</span><br style="font-size: 16px; line-height: 22.17599868774414px;" /><span style="font-size: 16px; line-height: 22.17599868774414px;">The big players have patched things up by now, but OpenSSL is widely used, the figure most often being quoted a massive two-thirds of web servers.</span><br style="font-size: 16px; line-height: 22.17599868774414px;" /><span style="font-size: 16px; line-height: 22.17599868774414px;">“As you start moving away from that nucleus, you get more and more organizations that are less up to date, less able, less willing to patch their systems,” Gaffan said, describing the way a typical vulnerability is addressed. Heartbleed is certainly major, but that isn’t going to change the nature of the way people react.</span><br style="font-size: 16px; line-height: 22.17599868774414px;" /><span style="font-size: 16px; line-height: 22.17599868774414px;">And we haven’t even touched on the billions of users, many who may not follow through on their end due to ignorance or laziness or simply because they just don’t care. That’s exactly what Justin Balthrop argued on Medium when discussing a </span><a href="https://medium.com/cyber-security/9ed56d483eb" style="color: black; font-size: 16px; line-height: 22.17599868774414px; text-decoration: none;">huge problem that’s at the core of this Heartbleed mess -- passwords</a><span style="font-size: 16px; line-height: 22.17599868774414px;">:</span><br style="font-size: 16px; line-height: 22.17599868774414px;" /><blockquote style="font-size: 16px; line-height: 22.17599868774414px;">I have 268 passwords on 268 different websites. At least that’s what my password manager says. I actually stopped saving new passwords a while back, so the real number of passwords I should change now that Heartbleed has been revealed is even higher than that. How many of those passwords do you think I’m going to change? It took me 10 minutes just to find the change password form for my bank! What about the average computer user who uses the same password for every website and doesn’t understand the details of the exploit? How many passwords will they change?<br /><br />Not very many.</blockquote></h3><h3 style="background-color: white; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; margin: 0px; position: relative;">A Look at Heartbleed's Popularity</h3><h3 class="post-title entry-title" itemprop="name" style="background-color: white; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 18px; font-weight: normal; margin: 0px; position: relative;"><span style="font-size: 16px; line-height: 22.17599868774414px;">We thought it would be interesting to use our HackSurfer data to conduct a little sociological experiment. Which of the two major cybersecurity moments of the past five months is garnering more discussion: the Heartbleed bug or the Target breach?</span><br style="font-size: 16px; line-height: 22.17599868774414px;" /><br style="font-size: 16px; line-height: 22.17599868774414px;" /><img alt="Target v Heartbleed.png" height="399px;" src="https://lh6.googleusercontent.com/kBam_ydQAquiARpzLMLSkGherUhWoEKjvdJfIC2SU3FFhY5IxhDXcIoh3WgAPTWmjeaqeYVmWPq8eSy574ukccy-Hg3QVFzbPyGkcc6PGK17CNvtj20SRxmXvXUF7BQgFg" style="-webkit-transform: rotate(0rad); border-style: none; font-size: 16px; line-height: 22.17599868774414px;" title="" width="598px;" /><br style="font-size: 16px; line-height: 22.17599868774414px;" /><span style="font-size: 16px; line-height: 22.17599868774414px;">As you can see, they both took up a massive chunk of the discussion, but Heartbleed is even more “popular” than Target over it’s respective period. This may reflect how far reaching the vulnerability is, which is hardly surprising given the amount of posts and articles we’ve seen here at HackSurfer regarding the bug.</span><br style="font-size: 16px; line-height: 22.17599868774414px;" /><span style="font-size: 16px; line-height: 22.17599868774414px;">“I don’t think that this has been overplayed [in the media],” Gaffan said. “Given the ubiquitousness of OpenSSL plus the potential damage that this vulnerability can create, it does create a pretty big hole out there.”</span></h3><h3 style="background-color: white; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; margin: 0px; position: relative;">Who Left the Curtains Open?</h3><h3 class="post-title entry-title" itemprop="name" style="background-color: white; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 18px; font-weight: normal; margin: 0px; position: relative;"><span style="font-size: 16px; line-height: 22.17599868774414px;">So what is Heartbleed?</span><br style="font-size: 16px; line-height: 22.17599868774414px;" /><span style="font-size: 16px; line-height: 22.17599868774414px;">It’s a small bug that’s been in existence for the past two years and affects many websites that collect personal and financial information. That little padlock icon you see along with “https” on most browsers is meant to assure users that everything is safe. Heartbleed discovered that’s not necessarily been the case. </span><br style="font-size: 16px; line-height: 22.17599868774414px;" /><span style="font-size: 16px; line-height: 22.17599868774414px;">Michael Hamlin, an X-Force security architect with IBM, explained the problem with Heartbleed using the typical household analogy on a </span><a href="http://ibm.biz/heartbleed" style="color: black; font-size: 16px; line-height: 22.17599868774414px; text-decoration: none;">recent IBM podcast</a><span style="font-size: 16px; line-height: 22.17599868774414px;">.</span><br style="font-size: 16px; line-height: 22.17599868774414px;" /><span style="font-size: 16px; line-height: 22.17599868774414px;">Imagine all of your usernames, passwords and other data is written on a big stack of paper sitting on your desk.</span><br style="font-size: 16px; line-height: 22.17599868774414px;" /><span style="font-size: 16px; line-height: 22.17599868774414px;">“They’re in your house. They’re locked up. They’re secure,” Hamlin said. “We think about SSL that way. We trust the servers' encrypting our sessions, and we provide our usernames and passwords. They’re encrypted. But if a burglar walks up and looks through the window and there's a stack of papers on the desk now, it can read the first page, whatever is exposed on the top page, and that's kind of how this vulnerability works. It was like not drawing the curtains shut. It left that chunk of memory open to anybody that requested it.”</span><br style="font-size: 16px; line-height: 22.17599868774414px;" /><span style="font-size: 16px; line-height: 22.17599868774414px;">Perhaps most importantly, they discovered that </span><a href="http://www.bloomberg.com/news/2014-04-14/heartbleed-hackers-steal-encryption-keys-in-threat-test.html" style="color: black; font-size: 16px; line-height: 22.17599868774414px; text-decoration: none;">private encryption keys could be stolen</a><span style="font-size: 16px; line-height: 22.17599868774414px;"> through the vulnerability.</span><br style="font-size: 16px; line-height: 22.17599868774414px;" /><span style="font-size: 16px; line-height: 22.17599868774414px;">As Codenomicon, the security firm that discovered the flaw (Google engineer Neel Mehta discovered it independently as well), described, “These are the crown jewels, the encryption keys themselves. Leaked secret keys allow the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will.”</span></h3><h3 style="background-color: white; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; margin: 0px; position: relative;">What Should I Do? What Will Hackers Do?</h3><h3 class="post-title entry-title" itemprop="name" style="background-color: white; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 18px; font-weight: normal; margin: 0px; position: relative;"><span style="font-size: 16px; line-height: 22.17599868774414px;">There are three main things a website owner should do, whether they’re tiny or a huge SAAS platform, said Gaffan:</span><br style="font-size: 16px; line-height: 22.17599868774414px;" /><ol style="font-size: 16px; line-height: 22.17599868774414px;"><li style="margin: 0px 0px 0.25em; padding: 0px;">Patch your infrastructure; make sure that you’ve implemented the fix to the Heartbleed vulnerability.</li><li style="margin: 0px 0px 0.25em; padding: 0px;">Reissue certificates with a new private key, just in case it was stolen when the vulnerability existed.</li><li style="margin: 0px 0px 0.25em; padding: 0px;">Websites that run with persistent cookies (if you’re constantly logged in to social media for example) leave users vulnerable if that cookie information is stolen; log out of all them and log back in; “Given that the vulnerability is now fixed with most of the bigger providers, that means that those credentials will be no longer snatchable.”</li></ol><span style="font-size: 16px; line-height: 22.17599868774414px;">One problem: many smaller businesses still operate with the mentality that they’re a small target and therefore can operate without being on cybercriminals’ radar.</span><br style="font-size: 16px; line-height: 22.17599868774414px;" /><span style="font-size: 16px; line-height: 22.17599868774414px;">“What people don’t actually realize is that in this era of automation, smaller and smaller websites are being hacked today just because they’re out there on the internet,” Gaffan said. “There are scanners that are available already today that can tell you if a website is vulnerable to Heartbleed or not. If I’m a bad guy, what I would do is start scanning a couple of million websites each day and compiling a list of who I need to go after. Once I’d compiled that list, I’d build another automated tool that all it does is hit Heartbleed vulnerable servers and try to pull out usernames and passwords. That’s something that is going on all the time with other vulnerabilities.”</span><br style="font-size: 16px; line-height: 22.17599868774414px;" /><span style="font-size: 16px; line-height: 22.17599868774414px;">If you’re a user, how do you know the websites you’re visiting are safe? There’s several options. Use a tool just like criminals are: scanners. Many companies are offering the ability to check for Heartbleed (like</span><a href="http://safeweb.norton.com/heartbleed" style="color: black; font-size: 16px; line-height: 22.17599868774414px; text-decoration: none;">Norton</a><span style="font-size: 16px; line-height: 22.17599868774414px;">, for example). There are dozens of apps springing up, and there’s even </span><a href="http://arstechnica.com/security/2014/04/now-theres-an-easy-way-to-flag-sites-vulnerable-to-heartbleed/" style="color: black; font-size: 16px; line-height: 22.17599868774414px; text-decoration: none;">browser extensions</a><span style="font-size: 16px; line-height: 22.17599868774414px;"> that can make confirming a site is safe simple and easy.</span><br style="font-size: 16px; line-height: 22.17599868774414px;" /><span style="font-size: 16px; line-height: 22.17599868774414px;">Except, there’s one big problem with all of that. As The Guardian reported last week, researchers are claiming that most popular </span><a href="http://www.theguardian.com/technology/2014/apr/16/heartbleed-bug-detection-tools-flawed" style="color: black; font-size: 16px; line-height: 22.17599868774414px; text-decoration: none;">Heartbleed detection tools are flawed</a><span style="font-size: 16px; line-height: 22.17599868774414px;">:</span><br style="font-size: 16px; line-height: 22.17599868774414px;" /><blockquote style="font-size: 16px; line-height: 22.17599868774414px;">A deluge of tools then hit the internet promising to help people determine whether the web services they were using or hosting were affected. But 95% of the most popular ones are not reliable, according to London-based security consultancy and penetration testing firm Hut3.<br /><br />“A lot of companies out there will be saying they've run the free web tool and they're fine, when they're not,” Hut3’s Edd Hardy told the Guardian. “There's absolute panic. We're getting calls late at night going 'can you test everything'.”</blockquote><span style="font-size: 16px; line-height: 22.17599868774414px;">Unfortunately, that means you may have to make sure the tool you’re using to stay safe is providing safe and accurate results.</span></h3></div>

Security news Heartbleed Will Linger "For Many Months to Come"

It’s been nearly two weeks since the Heartbleed bug was made public -- two weeks of massive coverage from news outlets across the globe as t...

Read More..

Andriod Stay Safe From Virus

<div dir="ltr" style="text-align: left;" trbidi="on"><div><h4 style="border: 0px; box-sizing: border-box; color: #3cb44b; font-family: 'Avenir Next LT W02 Demi', Helvetica, Arial, sans-serif; font-size: 36px; font-weight: normal; line-height: 1.1; margin: 20px 0px; padding: 0px; vertical-align: baseline;">How To Stay Safe From Andriod Virus:</h4><ul style="border: 0px; box-sizing: border-box; color: #505957; font-family: AvenirNextLTW02-Regular, Helvetica, Arial, sans-serif; font-size: 16px; line-height: 24px; list-style-image: initial; list-style-position: initial; margin: 20px 0px 20px 20px; padding: 0px; vertical-align: baseline;"><li style="border: 0px; box-sizing: border-box; font-family: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Make sure the Android system setting ‘Unknown sources’ is unchecked to prevent dropped or drive-by-download app installs</li><li style="border: 0px; box-sizing: border-box; font-family: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Download a mobile security app like Lookout’s app that protects against malware as a first line of defense</li></ul><div style="border: 0px; box-sizing: border-box; color: #505957; font-family: AvenirNextLTW02-Regular, Helvetica, Arial, sans-serif; font-size: 16px; line-height: 24px; margin-bottom: 20px; margin-top: 20px; padding: 0px; vertical-align: baseline;">Check out the full advertisement for the malware toolkit below:</div><div style="border: 0px; box-sizing: border-box; color: #505957; font-family: AvenirNextLTW02-Regular, Helvetica, Arial, sans-serif; font-size: 16px; line-height: 24px; margin-bottom: 20px; margin-top: 20px; padding: 0px; vertical-align: baseline;"><a href="https://blog.lookout.com/wp-content/uploads/2014/03/dendroid-advert-copy.png" style="-webkit-transition: color 150ms, border 150ms; border: 0px; box-sizing: border-box; color: #3cb44b; font-family: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; text-decoration: none; transition: color 150ms, border 150ms; vertical-align: baseline;"><img alt="dendroid-advert copy" class="aligncenter size-full wp-image-15366" src="https://blog.lookout.com/wp-content/uploads/2014/03/dendroid-advert-copy.png" style="border: none; box-sizing: border-box; font-family: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; height: auto; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" width="100%" /></a></div></div><ul style="border: 0px; box-sizing: border-box; color: #505957; font-family: AvenirNextLTW02-Regular, Helvetica, Arial, sans-serif; font-size: 16px; line-height: 24px; list-style-image: initial; list-style-position: initial; margin: 20px 0px 20px 20px; padding: 0px; vertical-align: baseline;"><li style="border: 0px; box-sizing: border-box; font-family: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><div style="border: 0px; box-sizing: border-box; margin-bottom: 20px; margin-top: 20px; padding: 0px; vertical-align: baseline;">This week, researchers found Dendroid, a custom “Remote Access Toolkit” (RAT) for Android targeting customers from Western countries, and yes, it breached Google Play. A RAT is a type of malware that is used to remotely control the devices it is installed on. The toolkit is being sold for $300 to anyone who wants to automate the malware distribution process. The creator promises that the malware can take pictures using the phone’s camera, record audio and video, download existing pictures, record calls, send texts, and more.</div><div style="border: 0px; box-sizing: border-box; margin-bottom: 20px; margin-top: 20px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; font-family: 'Avenir Next LT W02 Demi', Helvetica, Arial, sans-serif; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">All Lookout users are protected from this threat.</span></div><div style="border: 0px; box-sizing: border-box; margin-bottom: 20px; margin-top: 20px; padding: 0px; vertical-align: baseline;"><span id="more-15352" style="border: 0px; box-sizing: border-box; font-family: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"></span></div><div style="border: 0px; box-sizing: border-box; margin-bottom: 20px; margin-top: 20px; padding: 0px; vertical-align: baseline;"><a href="https://blog.lookout.com/wp-content/uploads/2014/03/DendroidControlPanel.png" style="-webkit-transition: color 150ms, border 150ms; border: 0px; box-sizing: border-box; color: #3cb44b; font-family: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; text-decoration: none; transition: color 150ms, border 150ms; vertical-align: baseline;"><img alt="Dendroid Control Panel" class="alignright size-full wp-image-15361" src="https://blog.lookout.com/wp-content/uploads/2014/03/DendroidControlPanel.png" style="border: none; box-sizing: border-box; font-family: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; height: auto; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" width="100%" /></a></div><div style="border: 0px; box-sizing: border-box; margin-bottom: 20px; margin-top: 20px; padding: 0px; vertical-align: baseline;">On top of all of these features, the toolkit comes with a business model that is highly reminiscent of Russian custom malware toolkits. The author is selling the toolkit online, demanding payment in currencies like Bitcoin, and provides a warranty promise that the malware will remain undetected. Want to evade detection and get into Google Play? This toolkit will help you do just that. While this type of complete toolkit based approach is common in the Russian underground, especially with banking trojans, this type of model is unusual to find in the U.S.</div><div style="border: 0px; box-sizing: border-box; margin-bottom: 20px; margin-top: 20px; padding: 0px; vertical-align: baseline;">What’s more, it looks as if Dendroid was designed with evading Play Store security in mind. Amongst its numerous features, Dendroid features some relatively simple — yet unusual — anti-emulation detection code that helps it evade detection by Bouncer, Google’s anti-malware screening system for the play store. Malware-detecting programs like Bouncer, use “emulation” in order to log and understand the behaviors of software so that it can look for risky behavior to remember and block that behavior in the future. However, by using “anti-emulation” code, malware writers can attempt to hide by not executing any bad code, which might alert the detection system.</div><div style="border: 0px; box-sizing: border-box; margin-bottom: 20px; margin-top: 20px; padding: 0px; vertical-align: baseline;">As Dendroid is a new threat, detections are very low right now. We only detected a single application infected with Dendroid and it has already been removed from the Play Store, however, the developer’s account is still open.<br />This toolkit is different from the majority of custom Android malware solutions in other ways as well. Most of these solutions typically just offer a few pieces of code for the wannabee malware author to insert into an innocent target application. More sophisticated features, such as command and control of infected devices, is then left up to the operator to implement. Dendroid, on the other hand, offers a full command and control infrastructure with a control panel every bit as feature rich as some of the more sophisticated Russian botnets.</div><div style="border: 0px; box-sizing: border-box; margin-bottom: 20px; margin-top: 20px; padding: 0px; vertical-align: baseline;">Available for $300 in cryptocurrencies such as Bitcoin or Litecoin (and PayPal if the seller trusts you), Dendroid offers its customers a list of advanced spyware features and complete command and control backed up by its promise of a lifetime warranty.</div></li></ul></div>

Security news Andriod Stay Safe From Virus

How To Stay Safe From Andriod Virus: Make sure the Android system setting ‘Unknown sources’ is unchecked to prevent dropped or drive-by-down...

Read More..

NASA radio waves News

<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNlPSpsHIYo1FVse4IB0VdZ5c-pVWMAI_gu2DwUbwKtXT9wzou23wvkfJbJJVMpMlA0spUF1_BJbQFoAWOHT-05jkePbW9NpQRg9j967lDpyeiKW_nPr2gTDqR9V1M9jMievPKqBVJjrw/s1600/Screen_Shot_2013-12-29_at_7.59.29_AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNlPSpsHIYo1FVse4IB0VdZ5c-pVWMAI_gu2DwUbwKtXT9wzou23wvkfJbJJVMpMlA0spUF1_BJbQFoAWOHT-05jkePbW9NpQRg9j967lDpyeiKW_nPr2gTDqR9V1M9jMievPKqBVJjrw/s1600/Screen_Shot_2013-12-29_at_7.59.29_AM.png" /></a></div><div style="-webkit-font-smoothing: subpixel-antialiased; background-color: white; border: 0px; font-family: Helvetica, Arial, sans-serif; font-size: 15px; line-height: 19.9950008392334px; margin-top: 10px; outline: 0px; padding: 0px; vertical-align: baseline;"><br /></div><div style="-webkit-font-smoothing: subpixel-antialiased; background-color: white; border: 0px; font-family: Helvetica, Arial, sans-serif; font-size: 15px; line-height: 19.9950008392334px; margin-top: 10px; outline: 0px; padding: 0px; vertical-align: baseline;">The National Security Agency is using secret wireless technology that allows it to access and alter data on computers, even when they are not connected to the Internet, according to a New York Times report.</div><div style="-webkit-font-smoothing: subpixel-antialiased; background-color: white; border: 0px; font-family: Helvetica, Arial, sans-serif; font-size: 15px; line-height: 19.9950008392334px; margin-top: 10px; outline: 0px; padding: 0px; vertical-align: baseline;">Since 2008, the agency has been increasingly using a "covert channel of radio waves" that can transmit from hardware installed in the computers, according to NSA documents and experts interviewed by the Times. Signals can then be sent to briefcase-size relay stations miles away, according to the report.</div><div style="-webkit-font-smoothing: subpixel-antialiased; background-color: white; border: 0px; font-family: Helvetica, Arial, sans-serif; font-size: 15px; line-height: 19.9950008392334px; margin-top: 10px; outline: 0px; padding: 0px; vertical-align: baseline;">The NSA has also installed surveillance software on nearly 100,000 computers around the world, according to the Times. The newspaper said the Chinese Army was a frequent target of such technology but said there was no evidence that the agency used either technology inside the US.</div><div style="-webkit-font-smoothing: subpixel-antialiased; background-color: white; border: 0px; font-family: Helvetica, Arial, sans-serif; font-size: 15px; line-height: 19.9950008392334px; margin-top: 10px; outline: 0px; padding: 0px; vertical-align: baseline;">Repeating earlier denials that its data collection activities are arbitrary or unconstrained, the NSA rejected any comparison to Chinese attackers who have been accused to planting similar software on computers belonging to US companies and government agencies.</div><div style="-webkit-font-smoothing: subpixel-antialiased; background-color: white; border: 0px; font-family: Helvetica, Arial, sans-serif; font-size: 15px; line-height: 19.9950008392334px; margin-top: 10px; outline: 0px; padding: 0px; vertical-align: baseline;">"NSA's activities are focused and specifically deployed against -- and only against -- valid foreign intelligence targets in response to intelligence requirements," the NSA said in a statement. "In addition, we do not use foreign intelligence capabilities to steal the trade secrets of foreign companies on behalf of -- or give intelligence we collect to -- U.S. companies to enhance their international competitiveness or increase their bottom line."</div><div style="-webkit-font-smoothing: subpixel-antialiased; background-color: white; border: 0px; font-family: Helvetica, Arial, sans-serif; font-size: 15px; line-height: 19.9950008392334px; margin-top: 10px; outline: 0px; padding: 0px; vertical-align: baseline;">The surveillance agency also asserted that a complex web of laws, regulations, and policies governed its use of such tools and that "continuous and selective publication" of the agency's techniques was "detrimental to the security of the United States and our allies."</div><div style="-webkit-font-smoothing: subpixel-antialiased; background-color: white; border: 0px; font-family: Helvetica, Arial, sans-serif; font-size: 15px; line-height: 19.9950008392334px; margin-top: 10px; outline: 0px; padding: 0px; vertical-align: baseline;">Last month, a Der Spiegel report detailed how the agency's Office of Tailored Access Operations intercepts deliveries of electronic equipment to plant spyware to gain remote access to the systems once they are delivered and installed. According to that report, the NSA has planted backdoors to access computers, hard drives, routers, and other devices from companies such as Cisco, Dell, Western Digital, Seagate, Maxtor, Samsung, and Huawei.</div><div style="-webkit-font-smoothing: subpixel-antialiased; background-color: white; border: 0px; font-family: Helvetica, Arial, sans-serif; font-size: 15px; line-height: 19.9950008392334px; margin-top: 10px; outline: 0px; padding: 0px; vertical-align: baseline;">The German news magazine also described a 50-page product catalog of tools and techniques used by a program called ANT, which stands for Advanced or Access Network Technology, to send and receive signals to devices.</div><div style="-webkit-font-smoothing: subpixel-antialiased; background-color: white; border: 0px; font-family: Helvetica, Arial, sans-serif; font-size: 15px; line-height: 19.9950008392334px; margin-top: 10px; outline: 0px; padding: 0px; vertical-align: baseline;">President Obama is expected to announce on Friday the changes to the NSA he is expected to adopt based on recommendations from a presidential task force. The panel, which was appointed by President Obama in the wake of disclosures made this summer by former NSA contractor Edward Snowden, has reportedly proposed stricter standards for NSA data searches and that a third party be responsible for storing phone records collected by the agency.</div></div>

Security news NASA radio waves News

The National Security Agency is using secret wireless technology that allows it to access and alter data on computers, even when they are no...

Read More..

EC-COUNCIL Website has been Hacked

<div dir="ltr" style="text-align: left;" trbidi="on"><h2 class="title" style="background-color: white; border-bottom-color: rgb(226, 226, 226); border-bottom-style: solid; border-top-color: rgb(226, 226, 226); border-top-style: solid; border-width: 3px 0px 1px; font-family: Arial, Helvetica; font-size: 25px; margin: 0px; padding: 5px 0px; vertical-align: baseline;">Snowden’s Passport on the Site:</h2><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHi0k3fBi6q3jYU6NTVPZMtskjHapBJQp0vxRlqCm41RGRVj1qHfJO4shhOoRY5bHux_bkkyhXPZAkebP1Nss3M31Y2jh2fsC0BWqMid-ICkCvnLbEtZFuawO-KHQL7qLb_rvdEhqhREc/s1600/snowden.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="306" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHi0k3fBi6q3jYU6NTVPZMtskjHapBJQp0vxRlqCm41RGRVj1qHfJO4shhOoRY5bHux_bkkyhXPZAkebP1Nss3M31Y2jh2fsC0BWqMid-ICkCvnLbEtZFuawO-KHQL7qLb_rvdEhqhREc/s1600/snowden.jpg" width="640" /></a></div><div style="background-color: white; border: 0px; color: #505050; font-family: Arial, Helvetica; font-size: 12px; line-height: 18px; margin-bottom: 15px; padding: 0px; vertical-align: baseline;">As of Saturday, February 22, 2014 at 8:00pm EST, it seems like the main website operated by EC-Council has been hacked.  On the site is an image of Edward Snowden’s passport and text stating, “owned by certified unethical software security professional -Eugene Belford”.</div><div style="background-color: white; border: 0px; color: #505050; font-family: Arial, Helvetica; font-size: 12px; line-height: 18px; margin-bottom: 15px; padding: 0px; vertical-align: baseline;">Edward Snowden, the man who turned whistle-blower against the National Security Agency (NSA) and revealed its global spying program, was trained by EC-Council as a Certified Ethical Hacker (CEH).</div><div style="background-color: white; border: 0px; color: #505050; font-family: Arial, Helvetica; font-size: 12px; line-height: 18px; margin-bottom: 15px; padding: 0px; vertical-align: baseline;">The hack maybe a DNS hijacking attack,  the information below kind of point that way:</div><div style="background-color: white; border: 0px; color: #505050; font-family: Arial, Helvetica; font-size: 12px; line-height: 18px; margin-bottom: 15px; padding: 0px; vertical-align: baseline;">Server:            75.75.75.75</div><div style="background-color: white; border: 0px; color: #505050; font-family: Arial, Helvetica; font-size: 12px; line-height: 18px; margin-bottom: 15px; padding: 0px; vertical-align: baseline;">Address:         75.75.75.75#53</div><div style="background-color: white; border: 0px; color: #505050; font-family: Arial, Helvetica; font-size: 12px; line-height: 18px; margin-bottom: 15px; padding: 0px; vertical-align: baseline;">Non-authoritative answer:</div><div style="background-color: white; border: 0px; color: #505050; font-family: Arial, Helvetica; font-size: 12px; line-height: 18px; margin-bottom: 15px; padding: 0px; vertical-align: baseline;">Name: eccouncil.org</div><div style="background-color: white; border: 0px; color: #505050; font-family: Arial, Helvetica; font-size: 12px; line-height: 18px; margin-bottom: 15px; padding: 0px; vertical-align: baseline;">Address: 93.174.95.82</div><div style="background-color: white; border: 0px; color: #505050; font-family: Arial, Helvetica; font-size: 12px; line-height: 18px; margin-bottom: 15px; padding: 0px; vertical-align: baseline;"><a href="http://www.securityorb.com/wp-content/uploads/2014/02/ECATEL.jpg" style="border: 0px; color: black; margin: 0px; padding: 0px; text-decoration: none; vertical-align: baseline;"><img alt="ECATEL" class=" wp-image-6468 alignleft" height="201" src="http://www.securityorb.com/wp-content/uploads/2014/02/ECATEL-300x201.jpg" style="border: 1px solid rgb(204, 204, 204); box-sizing: border-box; display: inline-block; float: left; height: auto; margin: 5px 10px 10px 0px; max-width: 100%; padding: 2px; vertical-align: middle; zoom: 1;" width="300" /></a></div><div style="background-color: white; border: 0px; color: #505050; font-family: Arial, Helvetica; font-size: 12px; line-height: 18px; margin-bottom: 15px; padding: 0px; vertical-align: baseline;"><br /></div><div style="background-color: white; border: 0px; color: #505050; font-family: Arial, Helvetica; font-size: 12px; line-height: 18px; margin-bottom: 15px; padding: 0px; vertical-align: baseline;"><br /></div><div style="background-color: white; border: 0px; color: #505050; font-family: Arial, Helvetica; font-size: 12px; line-height: 18px; margin-bottom: 15px; padding: 0px; vertical-align: baseline;"><br /></div><div style="background-color: white; border: 0px; color: #505050; font-family: Arial, Helvetica; font-size: 12px; line-height: 18px; margin-bottom: 15px; padding: 0px; vertical-align: baseline;"><br /></div><div style="background-color: white; border: 0px; color: #505050; font-family: Arial, Helvetica; font-size: 12px; line-height: 18px; margin-bottom: 15px; padding: 0px; vertical-align: baseline;"><br /></div><div style="background-color: white; border: 0px; color: #505050; font-family: Arial, Helvetica; font-size: 12px; line-height: 18px; margin-bottom: 15px; padding: 0px; vertical-align: baseline;">As of Feb. 23, it seems as though EC-Council has not gained control of their website.  An update was posted on the EC-Council site stating:</div><div style="background-color: white; border: 0px; color: #505050; font-family: Arial, Helvetica; font-size: 12px; line-height: 18px; margin-bottom: 15px; padding: 0px; vertical-align: baseline;">“owned by certified unethical software security professional</div><div style="background-color: white; border: 0px; color: #505050; font-family: Arial, Helvetica; font-size: 12px; line-height: 18px; margin-bottom: 15px; padding: 0px; vertical-align: baseline;">Obligatory link: http://attrition.org/errata/charlatan/ec-council/ -Eugene Belford</div><div style="background-color: white; border: 0px; color: #505050; font-family: Arial, Helvetica; font-size: 12px; line-height: 18px; margin-bottom: 15px; padding: 0px; vertical-align: baseline;">P.S It seems like lots of you are missing the point here, I’m sitting on thousands of passports belonging to LE (and .mil) officials”</div></div>

Security news EC-COUNCIL Website has been Hacked

Snowden’s Passport on the Site: As of Saturday, February 22, 2014 at 8:00pm EST, it seems like the main website operated by EC-Council has b...

Read More..