Quora Data Breach

On Friday i.e. 30th November, 2018, Quora, the popular platform to ask questions and connect with people who contribute unique insights and quality answers has suffered with a sensitive data breach regarding its users. As per their “SECURITY UPDATE” mail, a third party had gained access to the following data of users in an unauthorized way and was discovered !

  • Account & User Information including name, email, IP, userID, one-way hashed password, user account settings, personalization data
  • Public Actions and content including drafts
  • Data imported from linked networks eg. contacts, demographic information, interests, access tokens
  • Non-public actions like answer requests, downvotes, thanks

Though from the post, the Q&A that were written anonymously are not affected as Quora does not store the identities of people who post anonymous content.

We as avid users of Quora would like to ask Why are all the eggs in one single basket? As in why are access tokens and passwords residing in one single table of a database?

Access tokens are the auth tokens that Quora obtains from the 3rd party domain used to sign-in/ link with the Quora website/app on behalf of the user when one authorizes it. Which means, its just not Quora, but also the corresponding data from the connected accounts like Google and Facebook of the affected users have been leaked/ stolen !

The following actions are being currently taken by the Quora Security Team as per their mailer:

  • Notifying all the users who are affected by this breach
  • Logging out all the affected users from Quora platform(Remember they have flushed all the auth and session tokens to avoid further damage)
  • Further investigations going on even though they know the root cause of the issue now

As a precautionary measure, requesting all the users of Quora to reset their passwords as well as start using password managers in order to avoid reuse of the same password on multiple platforms.

Hits: 20

Share it on your Social Network !

FacebooktwitterredditpinterestlinkedinmailFacebooktwitterredditpinterestlinkedinmail

iOS Safari Self DOS Attack

A security researcher with the github handle pwnsdx has found a way to crash and restart any Apple device using Safari by just rendering a webpage !

POC Code: https://gist.github.com/pwnsdx/ce64de2760996a6c432f06d612e33aeahttps://gist.github.com/pwnsdx/ce64de2760996a6c432f06d612e33aea


CLICK ON THIS LINK ONLY IF YOU ARE NOT USING SAFARI BROWSER ON AN APPLE DEVICE

Sabri Haddouche tweeted a proof-of-concept webpage with just 15 lines of code

The code exploits a weakness in iOS’ web rendering engine WebKit, which Apple mandates all apps and browsers use.

Anything that renders HTML using Safari on a Apple device is affected

That means anyone sending you a link on Facebook or Twitter, or if any webpage you visit includes the code careful before opening it !

Hits: 22

Share it on your Social Network !

Facebook twitterredditpinterestlinkedinmailFacebooktwitterredditpinterestlinkedinmail

OTP-SMS-Insecure?

Back in 2016, there was a news based on NIST publication, that SMS based Second Factor Authentication (2FA) is no more secure as it can be intercepted and there is no way for the application owner to confirm if the OTP sent to the designated user was the actual user who passed it back to the app !

Refer: NIST Publication

Yes, the insecurity cannot be ignored as recently Reddit, the social media network got breached using the same vulnerability.


Attacker bypassed the SMS based OTP !

Reddit learned about the data breach on June 19 and said that the attacker compromised a few of the Reddit employee’s accounts with its cloud and source code hosting providers between June 14 and June 18.

The hack was accomplished by intercepting SMS messages that were meant to reach Reddit employees with one-time passcodes, eventually circumventing the two-factor authentication (2FA) Reddit had in place attacks.

SMS based 2FA/ OTP is not secure.

While almost all the bank transactions that we perform online in India are secured by SMS based OTP (2FA), we need to think twice if we are really relying on the best standards.

This is definitely a wake up call to all the service providers who depend on SMS based OTP for Security and need to move over to App based Push or Code Generation platforms. eg. Google Authenticator, Authy, Duo etc.

Watch out for 7 different OTP Code Generator and Push based  2FA Apps.


Keep Defending !

Hits: 32

Share it on your Social Network !

Facebook twitterredditpinterestlinkedinmailFacebooktwitterredditpinterestlinkedinmail

LinkedIn Autofill Vulnerability (Fixed !)

Not just Facebook, a new vulnerability discovered in Linkedin’s popular AutoFill functionality found leaking its user’s sensitive information to third party websites without the user even knowing about it.

LinkedIn provides an AutoFill plugin for a long time that other websites can use to let LinkedIn users quickly fill in profile data, including their full name, phone number, email address, ZIP code, company and job title, with a single click.

In general, the AutoFill button only works on specifically “whitelisted websites,” but 18-year-old security researcher Jack Cable of Lightning Security said it is not just the case.

Cable discovered that the feature was plagued with a simple yet important security vulnerability that potentially enabled any website (scrapers) secretly harvest user profile data and the user would not even realise of the event.A legitimate website would likely place a AutoFill button near the fields the button can fill, but according to Cable, an attacker could secretly use the AutoFill feature on his website by changing its properties to spread the button across the entire web page and then make it invisible.

Since the AutoFill button is invisible, users clicking anywhere on the website would trigger AutoFill, eventually sending all of their public as well as private data requested to the malicious website, Cable explains.

Here’s How attackers can exploit the LinkedIn Flaw:

  • User visits the malicious website, which loads the LinkedIn AutoFill button iframe.
  • The iframe is styled in a way that it takes up the entire page and is invisible to the user.
  • The user then clicks anywhere on that page, and LinkedIn interprets this as the AutoFill button being pressed and sends the users’ data via postMessage to the malicious site.

Cable discovered the vulnerability on April 9th and immediately disclosed it to LinkedIn. The company issued a temporary fix the next day without informing the public of the issue.

Proof of Concept

The exploit flowed as follows:

  1. The user visits the malicious site, which loads the LinkedIn AutoFill button iframe.
  2. The iframe is styled so it takes up the entire page and is invisible to the user.
  3. The user clicks anywhere on the page. LinkedIn interprets this as the AutoFill button being pressed, and sends the information via postMessageto the malicious site.
  4. The site harvests the user’s information via the following code:
window.addEventListener("message", receiveMessage, false);

function receiveMessage(event)
{
  if (event.origin == 'https://www.linkedin.com') {
    let data = JSON.parse(event.data).data;
    if (data.email) {
      alert('Hi, ' + data.firstname + ' ' + data.lastname + '! Your email is ' + data.email + '. You work at ' + data.company + ' and you live in ' + data.city + ', ' + data.state + '.');
      console.log(data);
    }
  }
  console.log(event)
}

The fix only restricted the use of LinkedIn’s AutoFill feature to whitelisted websites only who pay LinkedIn to host their advertisements, but Cable argued that the patch was incomplete and still left the feature open to abuse as whitelisted sites still could have collected user data.Besides this, if any of the sites whitelisted by LinkedIn gets compromised, the AutoFill feature could be abused to send the collected data to malicious third-parties.

LinkedIn Comments on the issue reported:

“We immediately prevented unauthorized use of this feature, once we were made aware of the issue. We are now pushing another fix that will address potential additional abuse cases, and it will be in place shortly,” the company said in a statement.

“While we’ve seen no signs of abuse, we’re constantly working to ensure our members’ data stays protected. We appreciate the researcher responsible reporting this, and our security team will continue to stay in touch with them.”

Although the vulnerability is not at all a sophisticated or critical one, given the recent Cambridge Analytica scandal wherein data of over 87 million Facebook users was exposed, such security loopholes can pose a serious threat not only to the customers but also the company itself.

Timeline

04/09/18 – Issue discovered and reported to LinkedIn

04/10/18 – Patch deployed by LinkedIn to restrict to whitelisted websites

04/10/18 – Asked for clarification if any fix was planned to prevent whitelisted websites from abusing this

04/19/18 – Additional patch from LinkedIn

Continue reading “LinkedIn Autofill Vulnerability (Fixed !)”

Hits: 50

Share it on your Social Network !

Facebook twitterredditpinterestlinkedinmailFacebooktwitterredditpinterestlinkedinmail

WhiteRose Ransomware

Introduction and Details

WhiteRose ransomware  crypto-extortion encrypts user data with AES, and then requires a redemption in #Bitcoin(BTC) to decrypt the files.

File naming pattern: randomname_ENCRYPTED_BY.WHITEROSE

Example of an encrypted file:
BT2cJMtNeYlaKJHP_ENCRYPTED_BY.WHITEROSE

The activity of this crypto-extortioner is now being seen in the second half of March 2018. It is oriented towards English-speaking users, which does not prevent it from spreading around the world of course.

The note with the demand for redemption is called: HOW-TO-RECOVERY-FILES.TXT 

As shown above, the picture in the note has a WhiteRose in it built with ASCII characters.

There is a note added further as shown below:

The contents of the note about redemption: 
===================== [PersonalKey] ===================== 
[redacted base64] 
===================== [PersonalKey] ===================== 
The singing of the sparrows, the breezes of the northern mountains, and the smell of the earth. I'm sitting on a wooden chair next to a bush tree, I have a readable book in my hands and I am sweating my spring with a cup of bitter coffee. Today is a different day. 
Behind me is an empty house of dreams and in front of me, full of beautiful white roses. 
To my left is an empty blue pool of red fish and my right, trees full of spring white blooms. 
I drink coffee, I'll continue to read a book from William Faulkner. In the garden environment, peace and quiet. My life always goes that way. Always alone without even an intimate friend. 
I have neither a pet nor a friend; I am a normal person with fantastic wishes among the hordes of white rose flowers. Everything is natural. I'm just a little interested in hacking and programming. My only electronic devices for this project are for iPhone and iPod touch. 
Believe me, my only assets are the white roses of this garden. 
I think of the days and write at night, the story, the poem, the code, the exploit or the accumulation of the number of white roses, and I say to myself that the wealth is different friends of different races, languages, habits and religions, Not only being in a fairly stylish garden with full of original white roses. 
Today, I think deeply about the decision that has involved my mind for several weeks. A decision to freedom and at the cost of unity, intimacy, joy and love and is the decision to release the white roses and to give gifts to all peoples of the world. 
I do not think about selling white roses again. This time, I will plant all the white roses of the garden to bring a different gift for the people of each country. No matter where is my garden and where I am from, no matter if you are a housekeeper or a big company owner, it does not matter if you are the west of the world or its east, it's important that the white roses are endless and infinite. You do not need to send letters or e-mails to get these roses. Just wait it tomorrow. 
Wait for good days with White Rose. 
I hope you accept this gift from me and if it reaches you close to your eyes and feet. 
Thank you for trusting me. Now open your eyes. Your system has a flower like a small garden; A white rose flower. 
////////////////////////////////////////////////////////////////////////////////////////////// / 
[Recovery Instructions] 
I. Download qTox on your computer from [https://tox.chat/download.html] 
II. Create new profile then enter our ID in search contacts 
Our Tox ID: "6F548F21789 ***". 
III. Wait for us to accept your request. 
IV. Copy '[PersonalKey]' in "HOW-TO-RECOVERY-FILES.TXT" file and send this key with one encrypted file less size then 2MB for trust us in our Tox chat. 
IV.I. Only if you did not receive a reply after 24 hours from us, 
"TheWhiteRose@Torbox3uiot6wchz.onion". 
IV.II. For perform "Step IV.I" and enter the TOR network, you must download tor browser 
and register in "http://torbox3uiot6wchz.onion" Mail Service) 
V. We decrypt your two files and we will send you. 
VI. After ensuring the integrity of the files, We will send you payment info. 
VII. Now after payment, you get "WhiteRose Decryptor" Along with the private key of your system. 
VIII.Everything returns to the normal and your files will be released. 
////////////////////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////////////////////// /////////////////////////////////////// 
What is encryption? 
In cryptography, encryption is the process of encoding a message or information in such a way that only authorized parties can not access it. Encryption does not itself prevent interference, but denies the intelligible content to a would-be interceptor. In an encryption scheme, the intended information or message, referred to as plaintext, is encrypted using an encryption algorithm. 
For technical reasons, an encryption scheme usually uses a pseudo-random encryption key generated by an algorithm. 
It is in principle possible to decrypt the message without possessing the key, but, for a well-designed encryption scheme, considerable computational resources and skills are required. 
An authorized recipient can easily decrypt the message with the key provided by the originator to recipients but not to unauthorized users. 
in your case "WhiteRose Decryptor" software for safe and complete decryption of all your files and data. 
Any other way? 
If you look through this text in the Internet and realize that, please contact your antivirus support.

Technical Details:

Can be distributed by hacking through an unprotected RDP configuration, using email spam and malicious attachments, fraudulent downloads, exploits, web injections, fake updates, repackaged and infected installers.

 

If you neglect Anti-Virus:

At least backup important files

 

List of extensions:

MS Office documents, OpenOffice, PDF, text files, databases, photos, music, video, image files, archives (at the time of writing this article)

 

Related Files:

<random> .exe – random name
HOW-TO-RECOVERY-FILES.TXT
WhiteRose Decryptor .exe

Locations:

Desktop
User Folders

WhiteRose Contact Channel:

https://tox.chat/download.html

Tox ID: “6F548F21789***”

Email: TheWhiteRose@Torbox3uiot6wchz.onion

Mail: http://torbox3uiot6wchz.onion

 

Hits: 15

Share it on your Social Network !

Facebook twitterredditpinterestlinkedinmailFacebooktwitterredditpinterestlinkedinmail

Facebook – You scraped our Calls & Messages too !

Facebook’s recent controversies relating to Cambridge Analytica, consumers have been looking closer at the data Facebook collects from its users. You can take a look at all of the data Facebook has collected from you over the years at this webpage which is a lot—wall posts, photos, videos, messages and more. While it may be pretty scary how much data Facebook has from you, nearly all of it has been voluntarily provided by you. However, not all of the data it collects has been provided voluntarily, as Facebook has been scraping call log and message data from your phone for years.

The data appears to be from the Android call log and SMS metadata due to an unrestricted access to both through the “Read Contacts” permission. Only in Android 4.1 Jelly Bean was this oversight fixed so that the read contacts permission only gave access to contacts and not the call or message log as well.

When ArsTechnica emailed Facebook inquiring about their data collection, a spokesperson for the company said

The most important part of apps and services that help you make connections is to make it easy to find the people you want to connect with. So, the first time you sign in on your phone to a messaging or social app, it’s a widely used practice to begin by uploading your phone contacts.” In essence, the company says this data was used as part of its friend recommendation algorithm.

The application now explicitly asks for permissions to view your address book and call log, but even if you had denied the application access you may have inadvertently still been providing access because of how Android’s permissions worked.

If you’re curious what kind of data Facebook has collected from you over the years, download your archived data and take a look.

Continue reading “Facebook – You scraped our Calls & Messages too !”

Hits: 10

Share it on your Social Network !

FacebooktwitterredditpinterestlinkedinmailFacebooktwitterredditpinterestlinkedinmail

AADHAR CARDS LEAK | Google Search “mera aadhar meri pehchan filetype:pdf”

No Serious HACKS, No Tough Trials, Just a Google Search Away !

The infamous French Security researcher named as “Robert Baptiste”  who goes with his twitter handle  with the Mr. Robot FameName “Eliot Anderson” just retweeted in public giving out a simple google search keyword to find all the aadhar cards that have been stored by multiple websites in a very insecure way on the microblogging site Twitter!

 

Google Search key:

“mera aadhar meri pehchan filetype:pdf “

At the time of writing this article, we could find approximately 216 results with the above keyword and below is the screenshot:

Using other keyword combinations, like “mera aadhar meri pehchan filetype:pdf  “, “mera aadhar meri pehachan filetype:pdf  ”  etc. we might end up digging millions of such aadhar cards !

Hope Govt. Of India takes a strict action against all these website owners/entities for exposing these sensitive documents !

Few domains found in the current search are:

  • www.the-aiff.com
  • starcardsindia.com
  • www.4tigo.com
  • vivekjyoticollege.in
  • sxhsbanda.edu.in
  • www.acce.in
  • www.ssmahavidhvalaymirzapur.com

We could even find 8 Government Domains(gov.in) National Informatics Center Domains also(nic.in) from the first 3 Google Search Pages !

It is high time for  the UIDAI to go ahead and rethink about the Privacy Woes that we Indians are going to face with AADHAR being our primary identity !

Hits: 28

Share it on your Social Network !

FacebooktwitterredditpinterestlinkedinmailFacebooktwitterredditpinterestlinkedinmail

ISRO infected by XTREMERAT | Source: INDIAN DEFENCE RESEARCH WING

A malware infected computer of ISRO exposed India’s premier space research agency to hackers, claimed Indian and French security researchers on Sunday. The researchers also claimed that hackers could have taken control of ISRO’s command rocket launches using the vulnerability. Express has not been able to independently verify this claim.

The trojan malware, known as XtremeRAT, was detected in ISRO servers in December 2017 and was reported to the agency by an Indian researcher. ISRO reportedly responded and resolved the issue only after French researcher Robert Baptiste reached out to the agency on Twitter.

“ISRO in their conversation with me informed that that investigated and found a UTM login port that was not mapped internally to any systems.They claimed to have disabled that port for now,” said Baptiste quoting ISRO’s communication with him that Express has seen.

The XtremeRAT malware was found in ISRO’s Telemetry, Tracking and Command Networks (ISTRAC) that provides tracking support for all the satellite and launch vehicle missions of ISRO. “The malware was probably infected on a computer that had access to servers used for Tracking and Command (TTC) services that help launch vehicle lift-off till injection of a satellite. A computer which was probably used to command rocket launches and separation of a satellite. I say ‘probably infected’ because no one knows which computer was used,” said the Indian researcher in December 2017.

The researcher says he stumbled on the ISRO vulnerability while using the search engine Shodan, that lets users find specific types of computers connected to internet using a variety of filters. “If Shodan can be used for searching hacked sites, I thought, why not search for infected servers? I filtered it down to region and ISRO showed up in the scan results,” said the Indian researcher.ISRO has not yet responded to Express’ request for a comment on the issue.

Researcher says search engine Shodan led him to ISRO’s vulnerability. “I did not dig any further as anything beyond that will probably be illegal,” he added. So what is XtremeRAT? It’s a commercially available remote access Trojan (RATs) used by hackers to conduct cyber espionage. There are numerous RATs that are available for free and can be purchased online, mostly from hacker forums or the dark web. The malware allows the hacker to dig deep into a specific target’s servers and databases and even sell off the access rights of their victims’ systems and their data to others.

“If infected with a trojan, the attacker owns the computer. The hacker can command the computer to do absolutely anything he wants. He just has to use the Remote Desktop Protocol  (RDP) to access a computer. Has there been a data loss? most likely yes,” says the Indian researcher.

Express reached out to ISRO’s public relations officer for a confirmation but did not receive a response. The Indian researcher claims he also tried to reach out to ISRO multiple times but got no response. He reached out to Computer Emergency Response Team and they responded to his email saying they will look into the issue. “However, no action was taken. I was about to give up and then I thought of contacting Robert Baptiste. He tweeted about it and then they seemed to magically care about it as the issue was in the public,” he says. Researcher says, the malware has hit sectors like –Energy, utilities, and petroleum refining.

 

Source: INDIAN DEFENCE RESEARCH WING

Hits: 20

Share it on your Social Network !

FacebooktwitterredditpinterestlinkedinmailFacebooktwitterredditpinterestlinkedinmail

Update: IP Address List | 1.3Tbps DDOS Attack on GITHUB | Survived | Blame: memcached?

DDOS Attack:

A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources.

Reflective DDoS attacks:

Using the technique  In simpler way lets try to understand the flow:

  1. Attacker sends a request to a vulnerable server by spoofing its source IP address as that of the victim server
  2. The vulnerable server responds to the spoofed IP address which is the victim server

 

Memcached Vulnerability:

What is Memcached:

Memcached is a Free & open source, high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load. It is an in-memory key-value store for small chunks of arbitrary data (strings, objects) from results of database calls, API calls, or page rendering.

Feature that makes Memcached vulnerable:

By design, memcached has a “STATS” command over UDP/TCP which enables the memcached server admin to query the server about the statistics that provide a visibility on the statistics of the server!

So since UDP is a protocol that does not require a tight handshake like TCP, when exposed to the internet in a unsecured way, is being used as an attack vector where the attacker uses the method to query the “STATS” of the server while spoofing its source IP Address as that of the victim’s server.

As we tested (On TCP), the query size would hardly be in bytes and the response shall almost 100 times the size is being sent to the victim’s server which amplifies the attack.

And thats how the attackers are using memcached servers UDP STATS command to perform an AMPLIFIED REFLECTIVE DDOS ATTACK.

At the time of writing this article, we could find 1,04,301 memcached servers(Not all are exposed on UDP) in Shodan!

 

Please refer to the Shodan Report: https://www.shodan.io/report/zoEvusDg

IP Addresses List updated:

Using the shodan api, we were able to collate 58,486 IP Addresses and we shall try our best to maintain this list updated in a bi-weekly schedule. You can find the IP Addresses from the link below:

https://github.com/aarvee11/memcached-server-iplist

Did Memcached(Open Source) feel responsible?

Absolutely YES ! There was an issue raised on github which is still open at the time of writing this article. As well the CVE-2018-1000115 has been assigned to the vulnerability.

As well 5 days back, there has been a commit with the comment as shown below to DISABLE UDP BY DEFAULT!

 

Quick Workaround for existing servers:

Disable UDP listener on your memcached server. If not feasible, please implement the following:

  1. Use a network policy to disable UDP traffic to your memcached server from internet
  2. If your monitoring servers use UDP Protocol to query memcached servers, then use an IP whitelist
  3. If incase you do not have a firewall that can perform the above action, try using a UDP Proxy and open the traffic only from this server and maintain your IP Whitelists on this UDP Proxy servers (eg. NGINX)

Please feel responsible about the internet world and would request all the memcached admins out there in the world to go ahead and secure their servers and NOT CONTRIBUTE to such attack vectors!

As always we say:

Keep Defending !

Hits: 118

Share it on your Social Network !

FacebooktwitterredditpinterestlinkedinmailFacebooktwitterredditpinterestlinkedinmail

Annabelle Ransomware – Decryption Tool Available

Discovered by security researcher Bart, Annabelle Ransomware includes everything but the kitchen sink when it comes to screwing up a computer. This includes terminating numerous security programs, disabling Windows Defender, turning off the firewall, encrypting your files, trying to spread through USB drives, making it so you can’t run a variety of programs, and then to sweeten the pot, it overwrites the master boot record of the infected computer with a silly boot loader.

 

Thankfully,  MalwareHunterTeam was able to extract the source code from the obfuscated executable so that we can get a better glimpse as to what this program is doing.

When first run, Annabelle will configure itself to start automatically when you login to Windows. It then terminates a variety of programs such as Process Hacker, Process Explorer, Msconfig, Task Manager, Chrome, and more.

It then configures Image File Execution registry entries to make it so you cannot launch a variety of programs such as the ones listed above and others such as Notepad++, Notepad, Internet Explorer, Chrome, Opera, bcdedit, and many more.

The ransomware will then try to spread itself using autorun.inf files. This method is fairly useless when it comes to newer versions of Windows that do not support an autoplay feature.

Well all this is done, it will start encrypting the computer with a static key. When encrypting files it will append the .ANNABELLE extension to the encrypted file’s name.

It will then reboot the computer and when the user logs in, it will display the lock screen shown at the top of this article. The lock screen has a credits button that when clicked shows the below screen that states a developer named iCoreX0812 made the program and a way to contact them on Discord.

 

As a finishing touch, the developer decided to also run a program that replaces the master boot record of the infected computer so that it shows a “props” screen when the computer restarts

Overall, this ransomware was developer to be a PITA and to show off the developer’s skills rather than to actually generate ransom payments.

The good news is that this ransomware is based off of Stupid Ransomware and is easily decryptable. As it uses a static key, Michael Gillespie was able to update his StupidDecryptor in order to decrypt this variant.

By replacing the MBR, running Rkill in safe mode to clean up the IFEO registry entries, using Michael’s decryptor to decrypt the files, and then a few security scans to remove any left overs you should be able to get your computer back to normal.

Source: BleepingComputer

Hits: 66

Share it on your Social Network !

FacebooktwitterredditpinterestlinkedinmailFacebooktwitterredditpinterestlinkedinmail