Analysis of the two Java vulnerabilities

Java 0day analysis (CVE-2012-4681)


A couple of days ago, a Java 0day was found running like crazy in the wild. While a lot of defense bunnies were asking "WWMAD" (What will my Antivirus do?), we decided to dive into Java for the details of the vulnerability and, as we expected, the unpatched vulnerabilities used in the Gondvv exploit were more than one (when we said "dive deep into Java", we actually meant open our new Infiltrate 2013 Master Class slide deck, which will include a full day of Java auditing).
The first bug was used to get a reference to sun.awt.SunToolkit class that is restricted to applets while the second bug invokes the getField public static method on SunToolkit using reflection with a trusted immediate caller bypassing a security check.

The beauty of this bug class is that it provides 100% reliability and is multiplatform. Hence this will shortly become the penetration test Swiss knife for the next couple of years (as did its older brother CVE-2008-5353). 

As a final note, the bug was introduced in Java 7.0, released on July 28, 2011. While you are feeling the rush of blood going through your veins from getting all those shells popped, think that somewhere not far away (probably a 10hs flight from some of the major airports in Norte Americana) someone was enjoying it non-stop for quite some time now.

Critical vulnerability in Java

The subtitle says it all: "Please, for the love of your computer, disable Java on your browser."

Attack targeting critical Java bug added to hack-by-numbers exploit kit


On Monday night, about 24 hours after the vulnerability became public, attack code exploiting it was added to BlackHole, an exploit kit sold in underground forums, security researchers said. A quick inspection of the BlackHole attack by antivirus provider F-Secure found it used many of the same coding conventions contained in a proof-of-concept exploit published earlier by security researcher Joshua Drake. It was also added to the Metasploit exploit framework used by penetration testers and hackers.

"There being no latest patch against this, the only solution is to totally disable Java," F-Secure researchers wrote. "Since this is the most successful exploit kit + zero-day... what a horror. Please, for the love of your computer disable Java on your browser."

Researchers from Symantec on Tuesday reported two websites that are actively wielding the exploit, up from the single site discovered on Sunday.


Full article at ArsTechnica

Big brother meets the internet

or how to spy on all the traffic of (a part of) the internet:

Big Brother on a budget: How Internet surveillance got so cheap 
Deep packet inspection, petabyte-scale analytics create a "CCTV for networks."

When Libyan rebels finally wrested control of the country last year away from its mercurial dictator, they discovered the Qaddafi regime had received an unusual gift from its allies: foreign firms had supplied technology that allowed security forces to track nearly all of the online activities of the country’s 100,000 Internet users. That technology, supplied by a subsidiary of the French IT firm Bull, used a technique called deep packet inspection (DPI) to capture e-mails, chat messages, and Web visits of Libyan citizens.

The fact that the Qaddafi regime was using deep packet inspection technology wasn’t surprising. Many governments have invested heavily in packet inspection and related technologies, which allow them to build a picture of what passes through their networks and what comes in from beyond their borders. The tools secure networks from attack—and help keep tabs on citizens.

Narus, a subsidiary of Boeing, supplies “cyber analytics” to a customer base largely made up of government agencies and network carriers. Neil Harrington, the company’s director of product management for cyber analytics, said that his company’s “enterprise” customers—agencies of the US government and large telecommunications companies—are “more interested in what's going on inside their networks” for security reasons. But some of Narus’ other customers, like Middle Eastern governments that own their nations’ connections to the global Internet or control the companies that provide them, “are more interested in what people are doing on Facebook and Twitter.”


Full text at the ArsTechnica site

Mind hackers

'Mind hackers' could get secrets from your brainwaves

Security researchers have used cheap Emotiv headsets to capture people's subconscious responses to stimuli and use them to uncover data directly from their subjects' brains. It's a theoretical risk to privacy and security that could become significant with further advances in technology.

Full story at the ZDnet site

An "epic" hack

Mat Honan of Wired suffered an "epic" attack, to use his own term: he lost his Google and Twitter accounts and all the data on his iPhone, iPad, and MacBook. All thanks to authentication vulnerabilities. The story is told in a Wired article:

How Apple and Amazon Security Flaws Led to My Epic Hacking
By Mat Honan     August 6, 2012

In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook. 

In many ways, this was all my fault. My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc. Lulz. 


Portuguese embassy websites attacked

Portuguese embassy websites attacked by hackers


The websites of several Portuguese embassies, including those in Tehran, London and Madrid, were in recent days the target of attacks by hackers who, in some cases, left signatures that still remain visible.

Two separate attacks were recorded, signed by the groups Net-DeViL and Sanfour 25; the first altered pages of the embassies in Iran, the United Kingdom and the Czech Republic, leaving an anti-United States of America message. The Sanfour 25 attack targeted the embassies in Berlin, Madrid and Maputo and hit areas of the sites that are not normally visited by users. [interesting sentence]

The Sanfour 25 group also targeted the site of the National Authority for the Prohibition of Chemical Weapons. The message left by the Net-DeViL group has already been removed, but the signature left by Sanfour 25 was, as of late this morning, still visible on the pages it targeted. In the latter case, the pages in question were replaced by a blank page on which the words “Sanfour 25”, the group's signature, can be read in the top left corner.

The initial information was sent to Lusa by the websegura site and confirmed by Lusa on the websites of the embassies in Berlin and Madrid, with a diplomatic source explaining that, in the case of Madrid, the site is hosted on a server in Portugal.

The information about the attack was reportedly first channelled through the embassy in Berlin, with Madrid also forwarding the information to Lisbon. Lusa contacted the Portuguese embassy in Maputo, which said it was unaware of the situation because it is experiencing a temporary Internet outage.

Recommendations on the BIOS

New BIOS guidelines aim to keep malware out of computer's nether regions

A US governmental organization in charge of standardizing scientific measurements and technologies has proposed new security guidelines for the BIOS mechanisms that most computers rely on to boot up.
The new guidelines are intended to make the Basic Input/Output System more resistant to malware attacks that target the system firmware. Over the past few years, at least two trojans, one called Mebromi and another proof-of-concept demonstration, have been able to survive reboots and operating-system reinstalls and evade antivirus protection by burrowing deep inside an infected computer.
"Unauthorized modification of a BIOS firmware by malicious software constitutes a significant threat because of the BIOS's unique and privileged position within the PC architecture," the new set of guidelines, which were published earlier this week by the National Institute of Standards and Technology, stated. "Malicious BIOS modification could be part of a sophisticated, targeted attack on an organization—either a permanent denial of service or a persistent malware presence."
The guidelines, which pertain to BIOSes found in computer servers, detail four proposed features, including authenticated update mechanisms, an optional secure local update mechanism, firmware integrity protections, and a mechanism to prevent system components from bypassing BIOS protections. In April NIST published proposed guidelines for BIOSes found in PCs.
Interested parties have until September 14 to comment on the proposed server guidelines. Comments may be sent by e-mail to
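To make the "authenticated update mechanism" the guidelines call for concrete, here is an added example (it is not NIST's text or any vendor's firmware code) that models the check a BIOS update routine would run before writing flash: the update image must carry a valid signature under a vendor key held by the platform, and its version counter must be newer than the installed firmware so that a correctly signed but older image cannot be reinstalled. The image format, the header layout, the Ed25519 key pair and all names (UpdateImage, SignUpdate, VerifyUpdate) are assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdateImage is a constructed, hypothetical update package: a version
// counter, the firmware payload, and a signature over
// (version || SHA-256(payload)) made with the vendor's update-signing key.
type UpdateImage struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

// signedMessage binds the version counter to the payload digest so that
// neither can be replaced independently of the other.
func signedMessage(version uint32, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	msg := make([]byte, 4+len(digest))
	binary.BigEndian.PutUint32(msg[0:4], version)
	copy(msg[4:], digest[:])
	return msg
}

// SignUpdate models what the vendor's build system would do (assumed):
// sign the version/digest message with the private half of the vendor key.
func SignUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) UpdateImage {
	return UpdateImage{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(priv, signedMessage(version, payload)),
	}
}

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify under the trusted vendor key")
	ErrRollback     = errors.New("update rejected: version is not newer than the installed firmware")
)

// VerifyUpdate is the gate the BIOS update routine runs before flashing:
// the signature must verify under the key the platform trusts (here a
// parameter; on real hardware it lives in protected storage), and the
// version must be strictly newer than what is installed, which blocks
// downgrading to a known-bad older image that still carries a valid signature.
func VerifyUpdate(trusted ed25519.PublicKey, installedVersion uint32, img UpdateImage) error {
	if !ed25519.Verify(trusted, signedMessage(img.Version, img.Payload), img.Signature) {
		return ErrBadSignature
	}
	if img.Version <= installedVersion {
		return ErrRollback
	}
	return nil
}

func main() {
	// Constructed vendor key pair; a real platform would hold only the
	// public half, and the private half would never leave the vendor.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	installed := uint32(7)

	good := SignUpdate(priv, 8, []byte("constructed firmware payload v8"))
	fmt.Println("genuine v8:", VerifyUpdate(pub, installed, good))

	// Tampered payload: the signature no longer covers the bytes presented.
	tampered := good
	tampered.Payload = []byte("constructed firmware payload v8 + modification")
	fmt.Println("tampered v8:", VerifyUpdate(pub, installed, tampered))

	// Properly signed but older image: blocked by the version check.
	old := SignUpdate(priv, 6, []byte("constructed firmware payload v6"))
	fmt.Println("signed v6 rollback:", VerifyUpdate(pub, installed, old))
}
```

The two checks are deliberately ordered signature first, version second: an unsigned image is never trusted even to report its version, and the version counter is only meaningful because it sits inside the signed message.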