HTTP/2 DoS CVEs Affect Kubernetes Too!

Two high-severity vulnerabilities impacting all versions of Kubernetes, the open-source system for orchestrating containerised apps, allow an unauthorised attacker to trigger a denial-of-service (DoS) condition.

The Kubernetes development team has already released patched versions that address these newly found security flaws and block potential attackers from exploiting them.

Kubernetes was originally developed by Google using Go and it is designed to help automate the deployment, scaling, and management of containerised workloads and services over clusters of hosts.

It does this by organising app containers into pods, nodes (physical or virtual machines), and clusters, with multiple nodes forming a cluster that is managed by a master which coordinates cluster-related tasks such as scaling, scheduling, or updating apps.

Security flaws impact all Kubernetes versions

“A security issue has been found in the net/http library of the Go language that affects all versions and all components of Kubernetes,” disclosed Kubernetes Product Security Committee’s Micah Hausler on the announcement list for Kubernetes security issues.

“The vulnerabilities can result in a DoS against any process with an HTTP or HTTPS listener,” with all versions of Kubernetes being affected.

Netflix announced the discovery of multiple vulnerabilities exposing servers that come with support for HTTP/2 communication to DoS attacks on August 13.

Out of the eight CVEs issued by Netflix with their security advisory, two of them also impact Go and all Kubernetes components designed to serve HTTP/2 traffic (including /healthz).

The two weaknesses tracked as CVE-2019-9512 and CVE-2019-9514 have been assigned CVSS v3.0 base scores of 7.5 by the Kubernetes Product Security Committee, and they make it possible for “untrusted clients to allocate an unlimited amount of memory, until the server crashes.”

  1. CVE-2019-9512 Ping Flood: attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
  2. CVE-2019-9514 Reset Flood: attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service.

Upgrade your Kubernetes clusters

As mentioned at the beginning, Kubernetes has already released patches to address the vulnerabilities, and all admins are advised to upgrade to a patched version as soon as possible.

The following Kubernetes releases built using new and patched versions of Go have been issued by the development team to help admins mitigate the vulnerabilities:

• Kubernetes v1.15.3 - go1.12.9
• Kubernetes v1.14.6 - go1.12.9
• Kubernetes v1.13.10 - go1.11.13
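The release list above is what an admin has to compare running binaries against. The following script is an added example (not code from the Kubernetes project): it parses `kubectl version -o json` output, which reports the `gitVersion` and `goVersion` of both the client and the API server, and checks each against the patched Kubernetes and Go versions listed on this page. The sample JSON is constructed, and treating minor series newer than v1.15 / go1.12 as patched is an assumption made for this example.

```python
"""Check `kubectl version -o json` output against the patched releases listed above.

Added example; not code from the Kubernetes project. The patched Kubernetes and
Go versions come from the release list on this page; the sample JSON below is
constructed, and treating minor series newer than v1.15 / go1.12 as patched is an
assumption made for this example.
"""
import json
import re

# Minimum patch level per 1.x minor series, from the release list above.
K8S_PATCHED = {13: 10, 14: 6, 15: 3}
# Minimum Go patch level per go1.x minor series, from the same list.
GO_PATCHED = {11: 13, 12: 9}

_K8S_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")
_GO_RE = re.compile(r"^go(\d+)\.(\d+)(?:\.(\d+))?")


def _at_or_above_fix(minor, patch, table):
    """True when (minor, patch) reaches the fixed level recorded in `table`.

    Minor series newer than any listed are assumed to have branched after the
    fix; older unlisted series never received a patch release, so they count
    as unpatched (the page says all versions were affected)."""
    if minor in table:
        return patch >= table[minor]
    return minor > max(table)


def kubernetes_patched(git_version):
    """gitVersion strings look like 'v1.15.3' (pre-release suffixes are ignored)."""
    m = _K8S_RE.match(git_version)
    if not m:
        raise ValueError(f"unrecognised Kubernetes version: {git_version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major == 1 and _at_or_above_fix(minor, patch, K8S_PATCHED)


def go_patched(go_version):
    """goVersion strings look like 'go1.12.9' or 'go1.13' (no patch digit)."""
    m = _GO_RE.match(go_version)
    if not m:
        raise ValueError(f"unrecognised Go version: {go_version!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    return major == 1 and _at_or_above_fix(minor, patch, GO_PATCHED)


def audit_kubectl_version(json_text):
    """Map clientVersion/serverVersion from `kubectl version -o json` to verdicts."""
    doc = json.loads(json_text)
    report = {}
    for component in ("clientVersion", "serverVersion"):
        info = doc.get(component)
        if not info:
            continue  # e.g. no server reachable: only clientVersion is printed
        report[component] = {
            "gitVersion": info["gitVersion"],
            "goVersion": info["goVersion"],
            "kubernetesPatched": kubernetes_patched(info["gitVersion"]),
            "goPatched": go_patched(info["goVersion"]),
        }
    return report


# Constructed sample: a patched kubectl talking to an unpatched API server.
SAMPLE_KUBECTL_VERSION = json.dumps({
    "clientVersion": {"gitVersion": "v1.15.3", "goVersion": "go1.12.9"},
    "serverVersion": {"gitVersion": "v1.14.5", "goVersion": "go1.12.5"},
})

if __name__ == "__main__":
    for component, verdict in audit_kubectl_version(SAMPLE_KUBECTL_VERSION).items():
        print(component, verdict)
```

To audit a real cluster, pass the text of `kubectl version -o json` to `audit_kubectl_version`; both verdicts matter, because the advisory says every component with an HTTP or HTTPS listener is affected, not only the API server.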


Quora Data Breach

On Friday, 30 November 2018, Quora, the popular platform for asking questions and connecting with people who contribute unique insights and quality answers, disclosed a breach of sensitive user data. According to their “SECURITY UPDATE” mail, a third party had gained unauthorized access to the following user data:

  • Account & User Information including name, email, IP, userID, one-way hashed password, user account settings, personalization data
  • Public Actions and content including drafts
  • Data imported from linked networks, e.g. contacts, demographic information, interests, access tokens
  • Non-public actions like answer requests, downvotes, thanks

According to the post, questions and answers written anonymously are not affected, as Quora does not store the identities of people who post anonymous content.

As avid users of Quora, we would like to ask: why are all the eggs in one basket? That is, why are access tokens and passwords residing in a single database table?

Access tokens are the authorization tokens that Quora obtains from a third-party identity provider when a user signs in to, or links, the Quora website/app with that provider. This means it is not just Quora: the corresponding data from the connected accounts (such as Google and Facebook) of the affected users has also been leaked or stolen!

The following actions are being currently taken by the Quora Security Team as per their mailer:

  • Notifying all users who are affected by this breach
  • Logging out all affected users from the Quora platform (they have invalidated all auth and session tokens to avoid further damage)
  • Continuing the investigation, even though the root cause of the issue is now known

As a precaution, we request all Quora users to reset their passwords and to start using a password manager, so that the same password is not reused on multiple platforms.


iOS Safari Self-DoS Attack

A security researcher with the GitHub handle pwnsdx has found a way to crash and restart any Apple device using Safari just by rendering a web page!

POC Code: https://gist.github.com/pwnsdx/ce64de2760996a6c432f06d612e33aea

CLICK ON THIS LINK ONLY IF YOU ARE NOT USING SAFARI BROWSER ON AN APPLE DEVICE

Sabri Haddouche tweeted a proof-of-concept web page with just 15 lines of code.

The code exploits a weakness in iOS’ web rendering engine WebKit, which Apple mandates all apps and browsers use.

Anything that renders HTML using Safari on an Apple device is affected.

That means a link someone sends you on Facebook or Twitter, or any web page you visit, could include the code, so be careful before opening it!


OTP-SMS-Insecure?

Back in 2016, there was news, based on a NIST publication, that SMS-based second-factor authentication (2FA) is no longer considered secure: SMS can be intercepted, and the application owner has no way to confirm that the OTP sent to the designated user was passed back to the app by that same user.

Refer: NIST Publication

Yes, this weakness cannot be ignored: recently Reddit, the social media network, was breached using exactly this vulnerability.

Attacker bypassed the SMS-based OTP!

Reddit learned about the data breach on June 19 and said that the attacker compromised a few of the Reddit employee’s accounts with its cloud and source code hosting providers between June 14 and June 18.

The hack was accomplished by intercepting SMS messages carrying one-time passcodes that were meant to reach Reddit employees, thereby circumventing the two-factor authentication (2FA) Reddit had in place.

SMS-based 2FA/OTP is not secure.

While almost all online bank transactions we perform in India are secured by SMS-based OTP (2FA), we need to think twice about whether we are really relying on the best standards.

This is definitely a wake-up call to all service providers who depend on SMS-based OTP for security: they need to move to app-based push or code-generation platforms, e.g. Google Authenticator, Authy, Duo, etc.

Watch out for 7 different OTP code generator and push-based 2FA apps.


Keep Defending !


LinkedIn Autofill Vulnerability (Fixed !)

It is not just Facebook: a newly discovered vulnerability in LinkedIn’s popular AutoFill functionality was found to leak users’ sensitive information to third-party websites without the user even knowing about it.

LinkedIn has long provided an AutoFill plugin that other websites can use to let LinkedIn users quickly fill in profile data, including their full name, phone number, email address, ZIP code, company and job title, with a single click.

In general, the AutoFill button only works on specifically “whitelisted websites,” but 18-year-old security researcher Jack Cable of Lightning Security said that is not quite the case.

Cable discovered that the feature had a simple but important security vulnerability that could let any website (including scrapers) secretly harvest user profile data without the user ever realising it. A legitimate website would normally place an AutoFill button near the fields it can fill, but according to Cable, an attacker could secretly use the AutoFill feature on their own website by changing the button’s properties to stretch it across the entire web page and then make it invisible.

Since the AutoFill button is invisible, users clicking anywhere on the website would trigger AutoFill, eventually sending all of their public as well as private data requested to the malicious website, Cable explains.

Here’s how attackers could exploit the LinkedIn flaw:

  • User visits the malicious website, which loads the LinkedIn AutoFill button iframe.
  • The iframe is styled in a way that it takes up the entire page and is invisible to the user.
  • The user then clicks anywhere on that page, and LinkedIn interprets this as the AutoFill button being pressed and sends the users’ data via postMessage to the malicious site.

Cable discovered the vulnerability on April 9th and immediately disclosed it to LinkedIn. The company issued a temporary fix the next day without informing the public of the issue.

Proof of Concept

The exploit flow was as follows:

  1. The user visits the malicious site, which loads the LinkedIn AutoFill button iframe.
  2. The iframe is styled so it takes up the entire page and is invisible to the user.
  3. The user clicks anywhere on the page. LinkedIn interprets this as the AutoFill button being pressed, and sends the information via postMessage to the malicious site.
  4. The site harvests the user’s information via the following code (the PoC’s receiver, which only reacts to messages whose origin is LinkedIn):

// Listen for the postMessage that the LinkedIn AutoFill iframe sends to its parent page.
window.addEventListener("message", receiveMessage, false);

function receiveMessage(event)
{
  // Only messages that actually originate from LinkedIn carry the profile payload.
  if (event.origin === 'https://www.linkedin.com') {
    let data = JSON.parse(event.data).data;
    if (data.email) {
      alert('Hi, ' + data.firstname + ' ' + data.lastname + '! Your email is ' + data.email + '. You work at ' + data.company + ' and you live in ' + data.city + ', ' + data.state + '.');
      console.log(data);
    }
  }
  console.log(event);
}

The fix only restricted LinkedIn’s AutoFill feature to whitelisted websites, i.e. those that pay LinkedIn to host their advertisements, but Cable argued that the patch was incomplete and still left the feature open to abuse, as whitelisted sites could still collect user data. Besides this, if any of the sites whitelisted by LinkedIn gets compromised, the AutoFill feature could be abused to send the collected data to malicious third parties.
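How LinkedIn implemented its whitelist is not described here, so the following is an added example of what "restricting an embeddable widget to whitelisted sites" looks like on the server that serves the iframe; it is not LinkedIn's code. It takes the embedding page's origin from the `Origin` or `Referer` request header, matches it exactly against an allow-list (a substring match would also accept `partner-a.example.attacker.test`), and sends a `Content-Security-Policy: frame-ancestors` header so browsers refuse to frame the widget anywhere else. The allow-list entries, header values and helper names are constructed placeholders.

```python
"""Restrict an embeddable widget (like an AutoFill iframe) to an allow-list of embedders.

Added example, not LinkedIn's code. The allow-list entries below are constructed
placeholders; the request headers in the usage at the bottom are constructed too.
"""
from urllib.parse import urlsplit

# Constructed allow-list of embedding sites, stored as normalised origins.
ALLOWED_EMBEDDERS = frozenset({
    "https://partner-a.example",
    "https://ads.partner-b.example:8443",
})


def normalise_origin(url_or_origin):
    """Reduce a URL or Origin header value to scheme://host[:port], lower-cased.
    Returns None for anything that is not an absolute http/https URL
    (including the literal 'null' origin that sandboxed frames send)."""
    parts = urlsplit(url_or_origin.strip())
    try:
        port = parts.port
    except ValueError:  # malformed port
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    origin = f"{parts.scheme}://{parts.hostname}"  # hostname is already lower-case
    default = 443 if parts.scheme == "https" else 80
    if port and port != default:
        origin += f":{port}"
    return origin


def is_allowed_embedder(origin, allowlist=ALLOWED_EMBEDDERS):
    """Exact origin comparison after normalisation; TLS is required regardless
    of what the list contains."""
    norm = normalise_origin(origin) if origin else None
    return norm is not None and norm.startswith("https://") and norm in allowlist


def embedder_origin(headers):
    """Prefer the Origin header; fall back to Referer. Header names are matched
    case-insensitively, as HTTP requires."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("origin") or lowered.get("referer")
    return normalise_origin(value) if value else None


def frame_ancestors_header(allowlist=ALLOWED_EMBEDDERS):
    """CSP directive telling the browser which pages may frame this response."""
    return "frame-ancestors " + " ".join(sorted(allowlist))


def serve_autofill_frame(headers, allowlist=ALLOWED_EMBEDDERS):
    """Return (status, response headers) for a request for the widget iframe.
    The frame is served only to listed embedders and always carries
    frame-ancestors, so an unlisted page cannot load it invisibly at all."""
    csp = {"Content-Security-Policy": frame_ancestors_header(allowlist)}
    origin = embedder_origin(headers)
    if not is_allowed_embedder(origin, allowlist):
        return 403, csp
    return 200, {**csp, "X-Embedder": origin}


if __name__ == "__main__":
    print(serve_autofill_frame({"Referer": "https://partner-a.example/jobs"}))
    print(serve_autofill_frame({"Origin": "https://partner-a.example.attacker.test"}))
```

Note what this does and does not address: an unlisted site is refused both at the server and by the browser's CSP enforcement, but a whitelisted site that is compromised, or that is itself malicious, can still stretch the button across its page exactly as Cable described, which is the residual risk raised above.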

LinkedIn Comments on the issue reported:

“We immediately prevented unauthorized use of this feature, once we were made aware of the issue. We are now pushing another fix that will address potential additional abuse cases, and it will be in place shortly,” the company said in a statement.

“While we’ve seen no signs of abuse, we’re constantly working to ensure our members’ data stays protected. We appreciate the researcher responsible reporting this, and our security team will continue to stay in touch with them.”

Although the vulnerability is not at all a sophisticated or critical one, given the recent Cambridge Analytica scandal wherein data of over 87 million Facebook users was exposed, such security loopholes can pose a serious threat not only to the customers but also the company itself.

Timeline

04/09/18 – Issue discovered and reported to LinkedIn

04/10/18 – Patch deployed by LinkedIn to restrict to whitelisted websites

04/10/18 – Asked for clarification if any fix was planned to prevent whitelisted websites from abusing this

04/19/18 – Additional patch from LinkedIn


WhiteRose Ransomware

Introduction and Details

WhiteRose ransomware encrypts user data with AES and then demands a ransom in Bitcoin (BTC) to decrypt the files.

File naming pattern: randomname_ENCRYPTED_BY.WHITEROSE

Example of an encrypted file:
BT2cJMtNeYlaKJHP_ENCRYPTED_BY.WHITEROSE

Activity from this ransomware was first seen in the second half of March 2018. It targets English-speaking users, which of course does not prevent it from spreading around the world.

The ransom note is named HOW-TO-RECOVERY-FILES.TXT.

The note contains a white rose drawn with ASCII characters (the picture is not reproduced here).

The contents of the ransom note:
===================== [PersonalKey] ===================== 
[redacted base64] 
===================== [PersonalKey] ===================== 
The singing of the sparrows, the breezes of the northern mountains, and the smell of the earth. I'm sitting on a wooden chair next to a bush tree, I have a readable book in my hands and I am sweating my spring with a cup of bitter coffee. Today is a different day. 
Behind me is an empty house of dreams and in front of me, full of beautiful white roses. 
To my left is an empty blue pool of red fish and my right, trees full of spring white blooms. 
I drink coffee, I'll continue to read a book from William Faulkner. In the garden environment, peace and quiet. My life always goes that way. Always alone without even an intimate friend. 
I have neither a pet nor a friend; I am a normal person with fantastic wishes among the hordes of white rose flowers. Everything is natural. I'm just a little interested in hacking and programming. My only electronic devices for this project are for iPhone and iPod touch. 
Believe me, my only assets are the white roses of this garden. 
I think of the days and write at night, the story, the poem, the code, the exploit or the accumulation of the number of white roses, and I say to myself that the wealth is different friends of different races, languages, habits and religions, Not only being in a fairly stylish garden with full of original white roses. 
Today, I think deeply about the decision that has involved my mind for several weeks. A decision to freedom and at the cost of unity, intimacy, joy and love and is the decision to release the white roses and to give gifts to all peoples of the world. 
I do not think about selling white roses again. This time, I will plant all the white roses of the garden to bring a different gift for the people of each country. No matter where is my garden and where I am from, no matter if you are a housekeeper or a big company owner, it does not matter if you are the west of the world or its east, it's important that the white roses are endless and infinite. You do not need to send letters or e-mails to get these roses. Just wait it tomorrow. 
Wait for good days with White Rose. 
I hope you accept this gift from me and if it reaches you close to your eyes and feet. 
Thank you for trusting me. Now open your eyes. Your system has a flower like a small garden; A white rose flower. 
////////////////////////////////////////////////////////////////////////////////////////////// / 
[Recovery Instructions] 
I. Download qTox on your computer from [https://tox.chat/download.html] 
II. Create new profile then enter our ID in search contacts 
Our Tox ID: "6F548F21789 ***". 
III. Wait for us to accept your request. 
IV. Copy '[PersonalKey]' in "HOW-TO-RECOVERY-FILES.TXT" file and send this key with one encrypted file less size then 2MB for trust us in our Tox chat. 
IV.I. Only if you did not receive a reply after 24 hours from us, 
"TheWhiteRose@Torbox3uiot6wchz.onion". 
IV.II. For perform "Step IV.I" and enter the TOR network, you must download tor browser 
and register in "http://torbox3uiot6wchz.onion" Mail Service) 
V. We decrypt your two files and we will send you. 
VI. After ensuring the integrity of the files, We will send you payment info. 
VII. Now after payment, you get "WhiteRose Decryptor" Along with the private key of your system. 
VIII.Everything returns to the normal and your files will be released. 
////////////////////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////////////////////// /////////////////////////////////////// 
What is encryption? 
In cryptography, encryption is the process of encoding a message or information in such a way that only authorized parties can not access it. Encryption does not itself prevent interference, but denies the intelligible content to a would-be interceptor. In an encryption scheme, the intended information or message, referred to as plaintext, is encrypted using an encryption algorithm. 
For technical reasons, an encryption scheme usually uses a pseudo-random encryption key generated by an algorithm. 
It is in principle possible to decrypt the message without possessing the key, but, for a well-designed encryption scheme, considerable computational resources and skills are required. 
An authorized recipient can easily decrypt the message with the key provided by the originator to recipients but not to unauthorized users. 
in your case "WhiteRose Decryptor" software for safe and complete decryption of all your files and data. 
Any other way? 
If you look through this text in the Internet and realize that, please contact your antivirus support.

Technical Details:

Distribution: hacking through an unprotected RDP configuration, email spam and malicious attachments, fraudulent downloads, exploits, web injects, fake updates, and repackaged or infected installers.

If you neglect anti-virus, at least back up important files.

List of targeted file types:

MS Office documents, OpenOffice, PDF, text files, databases, photos, music, video, image files, archives (at the time of writing this article)

Related Files:

<random> .exe – random name
HOW-TO-RECOVERY-FILES.TXT
WhiteRose Decryptor .exe

Locations:

Desktop
User Folders
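The file-name pattern, note name and decryptor name above are the host-level indicators an incident responder would sweep for. The following added scanner (not from any vendor tool) walks a directory tree and reports, per folder, how many files match those three indicators; the sample tree, laid out like the Desktop and user-folder locations listed above, is constructed in a temporary directory so the script runs anywhere.

```python
"""Sweep a directory tree for the WhiteRose file-name indicators listed above.

Added example, not from any vendor tool. Only the naming pattern
randomname_ENCRYPTED_BY.WHITEROSE, the note HOW-TO-RECOVERY-FILES.TXT and the
decryptor name from this page are used; the sample tree is constructed.
"""
import os
import re
import tempfile
from collections import Counter

# randomname_ENCRYPTED_BY.WHITEROSE, e.g. BT2cJMtNeYlaKJHP_ENCRYPTED_BY.WHITEROSE
ENCRYPTED_NAME = re.compile(r"^[A-Za-z0-9]+_ENCRYPTED_BY\.WHITEROSE$")
RANSOM_NOTE = "HOW-TO-RECOVERY-FILES.TXT"
DECRYPTOR = "WhiteRose Decryptor .exe"


def classify(name):
    """Return the indicator kind a file name matches, or None."""
    if ENCRYPTED_NAME.match(name):
        return "encrypted"
    if name.upper() == RANSOM_NOTE:  # Windows file systems are case-insensitive
        return "note"
    if name.lower() == DECRYPTOR.lower():
        return "decryptor"
    return None


def scan(root):
    """Walk `root`; return {directory: {kind: count}} for directories with hits."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        counts = Counter(classify(f) for f in files)
        counts.pop(None, None)  # drop the non-matching files
        if counts:
            hits[dirpath] = dict(counts)
    return hits


def build_sample_tree(root):
    """Constructed layout mimicking the Desktop / user-folder locations above."""
    layout = {
        "Desktop": ["BT2cJMtNeYlaKJHP_ENCRYPTED_BY.WHITEROSE", RANSOM_NOTE, "notes.txt"],
        os.path.join("Documents", "work"): [
            "q7Lp0_ENCRYPTED_BY.WHITEROSE", "a1_ENCRYPTED_BY.WHITEROSE", RANSOM_NOTE,
        ],
        "Pictures": ["holiday.jpg", "report_ENCRYPTED_BY.whiterose.bak"],  # near-misses
    }
    for rel, names in layout.items():
        folder = os.path.join(root, rel)
        os.makedirs(folder, exist_ok=True)
        for name in names:
            open(os.path.join(folder, name), "w").close()


def sample_scan():
    """Build the constructed tree in a temp dir and scan it; keys are relative paths."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {os.path.relpath(d, root): c for d, c in scan(root).items()}


if __name__ == "__main__":
    for folder, counts in sample_scan().items():
        print(folder, counts)
```

Run `scan()` against a user's profile directory on a suspect host; a folder containing the note plus several renamed files is the typical footprint, and the counts tell you how far encryption got before it was stopped.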

WhiteRose Contact Channel:

https://tox.chat/download.html

Tox ID: “6F548F21789***”

Email: TheWhiteRose@Torbox3uiot6wchz.onion

Mail: http://torbox3uiot6wchz.onion

Facebook – You scraped our Calls & Messages too !

Following Facebook’s recent controversies relating to Cambridge Analytica, consumers have been looking closer at the data Facebook collects from its users. You can take a look at all of the data Facebook has collected from you over the years at this webpage, and it is a lot: wall posts, photos, videos, messages and more. While it may be pretty scary how much data Facebook has on you, nearly all of it has been voluntarily provided by you. However, not all of the data it collects has been provided voluntarily, as Facebook has been scraping call log and message data from your phone for years.

The data appears to come from the Android call log and SMS metadata, because the “Read Contacts” permission once gave unrestricted access to both. Only in Android 4.1 (Jelly Bean) was this oversight fixed, so that the read-contacts permission gave access to contacts only, and not to the call or message log as well.

When Ars Technica emailed Facebook inquiring about their data collection, a spokesperson for the company said:

“The most important part of apps and services that help you make connections is to make it easy to find the people you want to connect with. So, the first time you sign in on your phone to a messaging or social app, it’s a widely used practice to begin by uploading your phone contacts.” In essence, the company says this data was used as part of its friend recommendation algorithm.

The application now explicitly asks for permissions to view your address book and call log, but even if you had denied the application access you may have inadvertently still been providing access because of how Android’s permissions worked.

If you’re curious what kind of data Facebook has collected from you over the years, download your archived data and take a look.


AADHAR CARDS LEAK | Google Search “mera aadhar meri pehchan filetype:pdf”

No Serious HACKS, No Tough Trials, Just a Google Search Away !

The well-known French security researcher Robert Baptiste, who tweets under the Mr. Robot-inspired handle “Elliot Alderson”, publicly tweeted a simple Google search keyword that finds Aadhar cards stored in a very insecure way by multiple websites.

Google search key:

“mera aadhar meri pehchan filetype:pdf”

At the time of writing this article, we could find approximately 216 results with the above keyword (screenshot not reproduced here).

Using other keyword combinations, like “mera aadhar meri pehchan filetype:pdf” and “mera aadhar meri pehachan filetype:pdf”, we might end up digging up millions of such Aadhar cards!

We hope the Government of India takes strict action against all these website owners and entities for exposing these sensitive documents!

Few domains found in the current search are:

  • www.the-aiff.com
  • starcardsindia.com
  • www.4tigo.com
  • vivekjyoticollege.in
  • sxhsbanda.edu.in
  • www.acce.in
  • www.ssmahavidhvalaymirzapur.com

We could even find 8 Government domains (gov.in) and National Informatics Centre domains (nic.in) within the first 3 pages of Google search results!

It is high time for the UIDAI to rethink the privacy woes that we Indians are going to face with AADHAR being our primary identity!

ISRO infected by XTREMERAT | Source: INDIAN DEFENCE RESEARCH WING

A malware infected computer of ISRO exposed India’s premier space research agency to hackers, claimed Indian and French security researchers on Sunday. The researchers also claimed that hackers could have taken control of ISRO’s command rocket launches using the vulnerability. Express has not been able to independently verify this claim.

The trojan malware, known as XtremeRAT, was detected in ISRO servers in December 2017 and was reported to the agency by an Indian researcher. ISRO reportedly responded and resolved the issue only after French researcher Robert Baptiste reached out to the agency on Twitter.

“ISRO in their conversation with me informed that they investigated and found a UTM login port that was not mapped internally to any systems. They claimed to have disabled that port for now,” said Baptiste, quoting ISRO’s communication with him, which Express has seen.

The XtremeRAT malware was found in ISRO’s Telemetry, Tracking and Command Networks (ISTRAC) that provides tracking support for all the satellite and launch vehicle missions of ISRO. “The malware was probably infected on a computer that had access to servers used for Tracking and Command (TTC) services that help launch vehicle lift-off till injection of a satellite. A computer which was probably used to command rocket launches and separation of a satellite. I say ‘probably infected’ because no one knows which computer was used,” said the Indian researcher in December 2017.

The researcher says he stumbled on the ISRO vulnerability while using the search engine Shodan, which lets users find specific types of computers connected to the internet using a variety of filters. “If Shodan can be used for searching hacked sites, I thought, why not search for infected servers? I filtered it down to region and ISRO showed up in the scan results,” said the Indian researcher. ISRO has not yet responded to Express’ request for a comment on the issue.

The researcher says the search engine Shodan led him to ISRO’s vulnerability. “I did not dig any further as anything beyond that will probably be illegal,” he added. So what is XtremeRAT? It’s a commercially available remote access Trojan (RAT) used by hackers to conduct cyber espionage. There are numerous RATs available for free or for purchase online, mostly from hacker forums or the dark web. The malware allows the hacker to dig deep into a specific target’s servers and databases and even sell access to the victims’ systems and data to others.

“If infected with a trojan, the attacker owns the computer. The hacker can command the computer to do absolutely anything he wants. He just has to use the Remote Desktop Protocol  (RDP) to access a computer. Has there been a data loss? most likely yes,” says the Indian researcher.

Express reached out to ISRO’s public relations officer for confirmation but did not receive a response. The Indian researcher claims he also tried to reach ISRO multiple times but got no response. He reached out to the Computer Emergency Response Team, which replied to his email saying they would look into the issue. “However, no action was taken. I was about to give up and then I thought of contacting Robert Baptiste. He tweeted about it and then they seemed to magically care about it as the issue was in the public,” he says. The researcher says the malware has hit sectors like energy, utilities and petroleum refining.

Source: INDIAN DEFENCE RESEARCH WING

Update: IP Address List | 1.3Tbps DDOS Attack on GITHUB | Survived | Blame: memcached?

DDOS Attack:

A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources.

Reflective DDoS attacks:

In simpler terms, the flow is:

  1. The attacker sends a request to a vulnerable server, spoofing the source IP address as that of the victim server.
  2. The vulnerable server sends its response to the spoofed IP address, i.e. to the victim server.

Memcached Vulnerability:

What is Memcached:

Memcached is a free and open-source, high-performance, distributed memory object caching system. It is generic in nature but intended to speed up dynamic web applications by alleviating database load: an in-memory key-value store for small chunks of arbitrary data (strings, objects) produced by database calls, API calls or page rendering.

Feature that makes Memcached vulnerable:

By design, memcached supports a “stats” command over both UDP and TCP, which lets the server admin query the server for its statistics.

Since UDP, unlike TCP, requires no handshake, a memcached server exposed to the internet in an unsecured way is being used as an attack vector: the attacker queries the server’s “stats” while spoofing the source IP address as that of the victim’s server.

In our test (over TCP), the query is only a few bytes, while the response is almost 100 times that size, and it is the response that gets sent to the victim’s server, which amplifies the attack.

That is how attackers are using the memcached UDP “stats” command to perform an AMPLIFIED REFLECTIVE DDOS ATTACK.

At the time of writing this article, we could find 1,04,301 memcached servers (not all of them exposed over UDP) in Shodan!

Please refer to the Shodan report: https://www.shodan.io/report/zoEvusDg

IP Addresses List updated:

Using the Shodan API, we were able to collate 58,486 IP addresses, and we shall try our best to keep this list updated on a bi-weekly schedule. You can find the IP addresses at the link below:

https://github.com/aarvee11/memcached-server-iplist

Did Memcached (open source) feel responsible?

Absolutely yes! An issue was raised on GitHub, which is still open at the time of writing this article, and CVE-2018-1000115 has been assigned to the vulnerability.

Also, 5 days ago, a commit was made to DISABLE UDP BY DEFAULT (the commit message was shown in a screenshot that is not reproduced here).

Quick Workaround for existing servers:

Disable the UDP listener on your memcached server. If that is not feasible, implement the following:

  1. Use a network policy to block UDP traffic to your memcached server from the internet.
  2. If your monitoring servers query memcached over UDP, use an IP whitelist.
  3. If you do not have a firewall that can do the above, use a UDP proxy (e.g. NGINX), allow traffic only from that proxy, and maintain your IP whitelist on the proxy servers.

Please feel responsible for the internet at large: we request all memcached admins out there to secure their servers and NOT CONTRIBUTE to such attack vectors!

As always we say:

Keep Defending !
