Some of my favorite sessions from Microsoft’s Ignite Conference (Mark Russinovich & Paula Januszkiewicz)

Malware Hunting with Sysinternals Tools
Date: May 6, 2015 from 5:00PM to 6:15PM Day 3 Arie Crown Theater BRK3319
Speakers: Mark Russinovich

Adventures in Underland: What Your System Stores on the Disk without Telling You
Date: May 8, 2015 from 12:30PM to 1:45PM Day 5 E450 BRK3320
Speakers: Paula Januszkiewicz

Recalling Windows Memories: A Useful Guide to Retrieving and Analyzing Memory Content
Date: May 8, 2015 from 9:00AM to 10:15AM Day 5 S102 BRK2342
Speakers: Paula Januszkiewicz

Hidden Talents: Things Administrators Never Expect from Their Users Regarding Security
Date: May 7, 2015 from 3:15PM to 4:30PM Day 4 N231 BRK3323
Speakers: Paula Januszkiewicz

The Ultimate Hardening Guide: What to Do to Make Hackers Pick Someone Else
Date: May 7, 2015 from 10:45AM to 12:00PM Day 4 S503 BRK3343
Speakers: Paula Januszkiewicz

Hack Proof Your Clients And Servers in a Day – (Ignite Session)

This video was recorded at Microsoft Ignite conference last week, and it was one of my favorite sessions. Marcus Murray and Hasain Alshakarti demonstrate some hacks using the Metasploit Framework, Mimikatz, and PowerShell. They show you how easy it is to gain access to any system, to steal the passwords from Windows servers and clients, and also how easy it has become to evade anti-virus. They also offer many reasons why you should not be using the same passwords on more than one website. My advice is of course to start using LastPass everywhere. Here’s a referral link for Last Pass Premium: https://lastpass.com/f?169066 … Enjoy the video@!

Microsoft releases fix-it for IE 8 0-day- Hackers Steal 45 million from ATMs

2 Big Stories today I want to mention…. Microsoft once again rushed to release a hotfix for all of its’ Windows XP users that were stuck on Internet Explorer 8, as there was a zero (0-day) day vulnerability found last week that was utilizing around 9 different popular websites to redirect unsuspecting users to Exploit Kit Malware attacks. This 0-day was so important because any business or home user that still has a 32-bit Windows XP computer is forced to use Internet Explorer 8 for Windows Updates. This exploit was first seen on the United States’ Department of Labor website. All a user had to do while browsing with IE8 is visit a specific frame and they were automagically redirected to a malicious black-hole website that served up enough malware to take over their computer. Brian Krebs reported ” several security vendors reported that the U.S. Department of Labor Web site had been hacked and seeded with code designed to exploit the flaw and download malicious software.” If you are running Internet Explorer 8, or if you are on WIndows XP then you need to go and download and run this Microsoft Fix-It before your computer becomes part of a botnet…. or you could risk it and wait until Tuesday. This exploit is already part of Metasploit and at least 8 other websites have been fingered as also hosting this attack.

In other news, most likely one of the most profitable ATM hacks in history has been thwarted and it is now being reported that 1 young hacker is dead and 7 more face trial after being busted after stealing $45 million in a cyberheist that had cybercrooks actually going to thousands of ATMs with hacked debit or credit cards and collecting cash all over the world. It looks like they actually were able to lift the daily limits that are placed on credit/debit cards, and were able to literally collect as much money as the ATM’s had in them before being caught. Nakedsecurity.com explains the heist rather well, so i will pass it off to them and you can read it here…

Emetv4 Beta adds new feature “Audit Only” to protect from crashes

Emet v4Beta was first introduced here on the Microsoft Security and Research Defense Technet Blog. I have deployed the v3.5 tech preview to most of my secure workstations, so I inquired about upgrade paths and it looks like you should uninstall previous releases as well as delete the Emet registry keys before installing Emet v4 Beta. The registry keys to delete are located at "HKEY_LOCAL_MACHINESOFTWAREMicrosoftEMET*"

If you want to download the Beta version, here is a link to the download page. I have just begun testing out this new version, and so far the best feature that is now included is the option to only audit and not crash the program. Also, when an application trips a mitigation response, you can see one or more little boxes that pop up in the lower right hand corner of the desktop, and in some cases the boxes quickly blink and scroll up the screen as the exception happens multiple times. Then you can go into the EMET control panel and turn off the mitigation that is mentioned in the box if you want the program to continue to run despite the issue.

For example I have only had problems with the SimExec mitigation, and it has so far affected Internet Explorer and Microsoft Word 2013. I went in and disabled the SimExec settings for these applications and have not had any more problems running Word or IE so far. Once you install the Beta you can read the manual located in the Program Files directory.
32 bit Windows: C:Programs FilesEMET 4.0 (Beta)
64 bit Windows: C:Programs Files (x86)EMET 4.0 (Beta)

Cleaning Up after Citadel – Department of Justice Ransomware (FakeDRM.bj)

Citadel Malware Screen

Citadel Malware Ransomware Screen

A client of mine was hit with a variant of the Citadel Ransomware yesterday. He was just surfing the web and looking for a movie to watch, when he was hit by the drive-by download. It placed a big old warning message with Your Computer Has Been Blocked on the left and The United States Department OF Justice warning on the right, and a picture of a naked girl in a sexual position near the bottom, while asking for a moneypak payment to unlock the computer.
Upon receiving the computer, I rebooted and used a Kaspersky Rescue CD to boot and scan the harddrive. It found the following files… 4 files labeled as “Trojan.Downloader.WMA.FakeDRM.bj” and 10 files labeled as “Win32.Katusha.n”. The exact filenames don’t matter because they are just a bunch of random letters and numbers. After I deleted these 14 items with Kaspersky, I took out the cd and rebooted.

Upon reboot, the computer came on and about a minute after being on, the warning screen came back on, which I was happy about because I wanted to get a closer look and a picture. Upon looking at the bottom of the screen I noticed there was a small black square that was blurry but changing and I moved aroung and noticed a picture of me there, as the web cam was recording and putting my picture right in the page next to the naked girl porno warning. I covered up the webcam with some tape and started to begin experimenting with the computer to see what I could do. After taking a picture of the screen for documentation purposes, I tried to do a few things and was surprised that it actually let me open up some windows and folders, I immediately noticed that it had created another false partition and a bootsect.bak. I rebooted into safemode and deleted all the recent temporary files and then used RogueKiller to run a quick scan and removal of about 8 registry keys and a batch file. I was still not out of the woods, but I was in total control of this bad boy at this point.

I downloaded MalwareBytes and let that scan and it found 15 items, mostly in the ProgramData folder. Check out the pictures for more detailed info. After deleting everything MalwareBytes found I uninstalled Microsoft Security Essentials and installed BitDefender. This is not the first time I have seen Microsoft Security Essentials fail to protect against older known malware. After removing everything to this point and rebooting, the computer seems back to normal, I am still searching through the registry and all folders for any remaining traces. Bitdefender and MalwareBytes are both returning completely clean and it really wasnt that difficult to remove this so I am still wary that there may be traces left behind. Scan findings 1Kasperskyrescuescan

HackInTheBox Security Conference Slides (PDFs)

Here is the Schedule And Presentation Calendar
D1T1 – Barisani and Bianco – Practical Exploitation of Embedded Systems.pdf
D1T1 – Chris Wysopal – Data Mining a Mountain of Vulnerabilities.pdf
D1T1 – Lucas Adamski – Firefox OS and You.pdf
D1T1 – Petko Petkov – History of the JavaScript Security Arsenal.pdf
D1T1 – Philippe Langlois and Emmanuel Gadaix – 6000 Ways and More.pdf
D1T1 – The Pirate Bay – Data is Political – NO SHOW
D1T2 – Don Bailey – Hackers, The Movie – A Retrospective.pdf
D1T2 – Haroon Meer – You and Your Research.pdf
D1T2 – Marc Heuse – IPv6 Insecurity Revolutions.pdf
D1T2 – Mark Dowd & Tarjei Mandt – iOS6 Security.pdf
D1T2 – Meder Kydyraliev – Defibrilating Web Security.pdf
D1T2 – Wes Brown – Supercomputing, Malware and Correlation.pdf
D1T3 – Charlie Miller – Attacking NFC.pdf
D1T3 – F Raynal & G Campana – An Attack Path to Jailbreaking Your Home Router.pdf
D1T3 – John Draper – A Historical Look at the Personal Computer and Phreaking.pdf
D1T3 – Jose Nazario – Tracking Large Scale Botnets.pdf
D1T3 – Paul Sebastian Ziegler – Hacking in the Far East.pdf
D1T3 – The Grugq – OPSEC – Because jail is for wuftpd.pdf
D2T1 – Chris Evans – Element 1337 in the Periodic Table – Pwnium.pdf
D2T1 – Katie Moussouris – How to Get Along with Vendors Without Really Trying.pdf
D2T1 – Ollie Whitehouse – Finding the Weak Link in Binaries.pdf
D2T1 – Paul Vixie – Silo Busting in Information Security – NO SLIDES
D2T1 – Rodrigo Branco – A Scientific Study of Malware Obfuscation Technologies.zip
D2T1 – Shreeraj Shah – XSS and CSRF Strike Back Powered by HTML5.pdf
D2T2 – Fyodor Yarochkin and Vladimir – Messing up the Kids Playground.pdf
D2T2 – Jeremiah Grossman – Why Web Security is Fundamentally Broken.pdf
D2T2 – Raoul Chiesa – Information Warfare and Cyberwar.pdf
D2T2 – Saumil Shah – Innovative Approaches to Exploit Delivery.pdf
D2T3 – Emmanuel Gadaix – Something MEGA.pdf
D2T3 – Felix FX Lindner – Hacking Huawei VRP.pdf
D2T3 – Mikko Hypponen – Behind Enemy Lines.pdf
D2T3 – OPENBOTTLE PANEL – NO SLIDES
D2T3 – Stefano Zanero – Behaviour-Based Methods for Automated Scalable Malware Analysis.pdf
D2T123 – IOS SECURITY PANEL – NO SLIDES

Thank YOU to Security Monkey’s Chief Monkey for the links…

Here’s All You Need to Know about Apples UDID Mess…

In the words of the Anonymous post on Pastebin …

Update: Anonymous post more info on Pastebin here:
Ip addresses given as another clue: “for the moment we think its quite safe to mention these clues:
3 IPs were involved, 2 of them were like:

206.112.75.XX

153.31.184.XX

“In July 2012 NSA’s General Keith Alexander (alias the Bilderberg Biddy) spoke
at Defcon, the hacker conference in Las Vegas, wearing jeans and a cool EFF
t-shirt (LOL. Wtf was that?). He was trying to seduce hackers into improving
Internet security and colonoscopy systems, and to recruit them, ofc, for his
future cyberwars. It was an amusing hypocritical attempt made by the system to
flatter hackers into becoming tools for the state, while his so-righteous
employer hunts any who doesn’t bow to them like fucking dogs.

Well…
We got the message.
We decided we’d help out Internet security by auditing FBI first. We all know
by now they make Internet insecure on purpose to help their bottom line. But
it’s a shitty job, especially since they decided to hunt us down and jail our
friends.

It’s the old double standard that has been around since the 80’s. Govt Agencies
are obsessed with witchhunts against hackers worldwide, whilst they also
recruit hackers to carry out their own political agendas.

You are forbidden to outsmart the system, to defy it, to work around it. In
short, while you may hack for the status quo, you are forbidden to hack the
status quo. Just do what you’re told. Don’t worry about dirty geopolitical
games, that’s business for the elite. They’re the ones that give dancing orders
to our favorite general, Keith, while he happily puts on a ballet tutu. Just
dance along, hackers. Otherwise… well…

In 1989 hagbard (23yrs old) was murdered after being involved into cold war spy
games related to KGB and US. Tron, another hacker, was
murdered in 1998 (aged 26) after messing around with a myriad of cryptographic
stuff (yeah, it’s usually a hot item) and after making cryptophon easily
accesible for the masses. And then you have Gareth Williams (31), the GCHQ
hacker murdered and “bagged” inside a MI6’s “safe” house (we’d hate to see what
the unsafe ones look like) in August of 2010 after talking about being curious
about leaking something to Wikileaks with fellow hackers on irc. And the list
goes on. It’s easy to cover up when they want to, hackers often have complex
personalities, so faking their suicide fits well.

You are welcome to hack what the system wants you to hack. If not, you will be
punished.

Jeremy Hammond faces the rest of his productive life in prison for being an
ideological motivated political dissident. He was twice jailed for following
his own beliefs. He worked until the end to uncover corruption and the
connivance between the state and big corporations. He denounces the abuses and
bribes of the US prison system, and he’s again facing that abuse and torture at
the hands of authorities.

Last year, Bradley Manning was tortured after allegedly giving WikiLeaks
confidential data belonging to US govt… oh shit. The world shouldn’t know how
some soldiers enjoy killing people and even less when they kill journalists. Of
course, the common housewife doesn’t deserve to know the truth about the
hypocrisy in the international diplomacy or how world dictators spend money in
luxury whilst their own people starve. Yep, the truth belongs only to the
elite, and if you are not part of them (forget it, that won’t happen), fuck
yourself.

People are frustrated, they feel the system manipulating them more than ever.
Never underestimate the power of frustrated people.
For the last few years we have broke into systems belonging to Governments and
Big corporations just to find out they are spending millions of tax dollars to
spy on their citizens. They work to discredit dissenting voices. They pay their
friends for overpriced and insecure networks and services.

We showed how former govt and military officials were making new businesses
using their government relationships.
They funnel public money to their own interests for overpriced contracts for
crap level services. They use those
relationships to extra-officially resolve affairs involving their businesses.

We exposed a criminal System eliminating those who think different;
criminalizing them. This System won’t tolerate those who dig for the truth, it
can’t. So no one has the right to question anything coming from this system. if
you buy a piece of hardware or software you just need to use it as it was
supposed to be used: anything else is forbidden.
No tinkering allowed.

If you buy a Playstation, you are not allowed to use it as you want to — you
can only use it the Sony wants you to. If you have found a way to improve
something, just shut up. You are not allowed to share this info with anyone
else and let them make improvements, too. We are not the real owners of
anything anymore. We just borrow things from the System. Shiny, colorful
things, we agree to play with for a fee. A fee for life.
Because this system works only if you keep working to buy new things.
Not important if they are good things, just buy new crap, even better like that.
So everything gets outdated soon.

You home, stuff, car and computer, you will pay for everything you have for all
of your life. All the time: a monthly fee, forever until you die. That’s the
future; nothing is really yours. LAAS – Life As A Service.
You will rent your life.

And better hurry up and work all day if you want to stay alive. Work ’til
you’re exhausted and don’t think. No — thinking is bad. Play games instead, do
drugs too, why not? Or go to the movies. The Entertainment Industry is here to
resolve all your philosophical and trascendental problems. Shiny colorful crap.
but please don’t think too much.
Thinking is dangerous.

Accept the offer, it’s the perfect deal.
You get all those amazing shiny colorful beads.
It will only cost you freedom…and your life.
Indians did it with Manhattan.
There’s nothing to worry about it, is there?

And what if you are a lone wolf who quietly outside the system, doing your own
thing, without saying a word? They will be mad as hell. They will try to find
you. You will be fucked up anyway, sooner or later. Because the system wants
you clearly identified, with all your personal details well packed into a
government database so it can make its watchdogs’ lives easier.

Security researchers are often questioned and their movements tracked by Secret
Service, FBI and other shits. They are asked about their projects, who their
clients are, who they are talking to, what they know about other hackers, etc..
So be a good monkey, follow the rules, head down and you’ll get some coins
that let you keep renting your life.

But hey! Wait…
We are hackers…
We are supposed to look beyond the rules, to find things others don’t see. And
THE SYSTEM, yeah the whole fucking system, it’s just another system.
…and we do that.
we hack systems.

This is our next challenge: to decide whether to become tools for the system,
or for ourselves. The system plans to use us to hold the next in their endless
wars, their cyberwars.
Hackers vs. hackers, slaves vs slaves.


We are trapped.

Jack Henry Abbott, a writer who was incarcerated almost his whole life for his
crimes, wrote before hanging himself: “As long as I am nothing but a ghost of
the civil dead, I can do nothing…”, the ‘civil dead’ are those, like himself,
who had their autonomy systematically destroyed by the state. Now his words
extend to cover all of us. We have seen our own autonomy being systematically
destroyed by the State. We are becoming ghosts of our dead civil rights.

criminals.
So yes we are criminals, we are the criminals our dear system have created:
Argumentum ad Baculum

In a world where you fear the words you use to express yourself. Where you are
punished for choosing the wrong ones, we have just decided to follow our own
way. There’s no worst kind of slavery than one where you are afraid of your own
thoughts.

Governments around the globe are already in control of us in real life, and
they have now declared war on the people to take over the Internet.
It’s happening now. It’s not waiting for you to wake up.
So now my dear friends, it’s your turn to decide where you belong,
and what you are made of.

“When the people fear the government there is tyranny, when the government
fears the people there is liberty.”
― Thomas Jefferson”

Rotten Apple

Another Apple Mess

http://pastebin.com/nfVT7b0Z

Note: An Apple UDID could be used in combination with other data to connect devices to their owners’ online user names, e-mail addresses, locations and even Facebook profiles. (Aldo Cortesi)

Here they gave links to an encrypted file with 1,000,001 Apple device UDIDs and accompanying user data.
The file must be unencrypted and instructions are given later in the pastebin post.

Apparently, the UDIDs have been taken from an FBI Special Agent Christopher Stangl, (rumor has it via a Java exploit earlier in the year). According to sources close to the matter… Among the data on his notebook was a file named NCFTA_iOS_devices_intel.csv which contained a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers and addresses.
Read more here
http://par-anoia.net/releases.html

Here are some links from major internet sites covering the story…

http://arstechnica.com/security/2012/09/1-million-ios-device-ids-leaked-after-alleged-fbi-laptop-hack/

http://thenextweb.com/apple/2012/09/04/antisec-hackers-leak-1000001-apple-device-ids-allegedly-obtained-fbi-breach/

http://www.wired.com/threatlevel/2012/09/hackers-release-1-million-apple-device-ids-allegedly-stolen-from-fbi-laptop/

https://www.networkworld.com/community/node/81331

http://techcrunch.com/2012/09/04/apple-udid-leak-theres-no-proof-yet-of-fbi-involvement-but-heres-why-you-should-still-care/

http://bits.blogs.nytimes.com/2012/09/04/hackers-claim-to-have-12-million-apple-device-records/