White Paper: Practical hacking in IPv6 networks with Evil FOCA

Friday, August 30, 2013

We have released a white paper about practical hacking in IPv6 networks with Evil FOCA. This document describes IPv6 basic concepts, most common IPv6 current attacks and how to implement them with Evil FOCA. It's based on previous works released in Spanish by elladodelmal.com

Contents are: 
  • IPv6 concepts
  • Neighbor Spoofing
  • SLAAC attack with Evil Foca
  • Bridging HTTP (IPv6) - HTTPs (IPv4)
It's uploaded in slideshare, and you can download it. Hope you enjoy it.

Information leakage in Data Loss Prevention leader companies

Friday, August 16, 2013

Gartner has released a study that classifies the most important companies that offer Data Loss Prevention (DLP) solutions depending on their position, strategy, effectiveness, and market leadership. We have made a little experiment to test if these same companies control metadata leaks in their own services, as a potential sensible data leak point.

According to the "Magic Quadrant for Content-Aware Data LossPrevention" research made by Gartner in 2014 over 50% of companies will use some kind of DLP-solution to keep their private data safe but only 30% will use a content based solution. 

This same research lists which are the leading companies in terms of data loss prevention establishing a scale based on factors such as Content-Aware proportioned DLP, DLP-Lite products and if a DLP channel is available for the user to clarify doubts about regulatory compliances, for example.

This study made by Gartner determines which are the leader companies when preventing leaking information, establishing as measurement factors to generate leadership indicators as: provided content-aware DLP solutions, DLP-Lite products offered or if they provide a DLP channel to the user so he can clarify doubts about compliments, for instance.
Data Loss Prevention leading companies, by Gartner
Do these companies avoid information loss through metadata in their systems? We conducted an analysis of the main web pages of these aforementioned companies that were included in Gartner’s study using MetaShieldForensics. Metashield automatically downloaded and analyzed every document exposed on the corporative webs of the companies.
The following table displays the results. Every single company leaks metadata associated to their public documents that are being exposed on the Internet. Seemingly these documents are not being cleaned and are thereforea potential private information leaking point that is to be taken into account.

Information leakage exposed by companies that provide DLP tools and services
Based on this information we proceded to graph the data showing the amount of information being leaked by the studied DLP companies. Logically the companies that most suffer of information leaks also have more publicly available documents in their web pages.
Information leakage exposed by companies that provide DLP tools and services
Names or account names followed by internal directories where the documents were created are the most commonly leaked pieces of information. Another usual leak is the the software version being used when generating the document. This group of information is valuable for a potential attack.
Let’s see some details about the leaked information:
  • Users and user accounts: The internal usernames and their mail accounts are very noteworthy. This information can help the attacker to forge a more complex and sophisticated attack.
  • Paths to internal web services: Some of these provide valuable information about the internal network. For example, one of the documents contained an URL that points to an OpenNMS portal ( OpenNMS is offered by Symantec as a solution for network administrators for controlling critical services in remote machines.
  • Internal user directories: The most common directories that are found contain user information in default paths such as “Desktop, My documents…”. For example, “C:\Documents and Settings\holly_waggoner\M20Documents\****** Web\press\2004\” was detected in one of the DLP companies.
  • Network printers: This is also a very common leak. Network printers that expose information about their exact model and the server they’re associated with (either name or internal IP address).
  • Software used by the company:It is very common to leak the software being used by the company for generating a document. The most common piece of information refers to PDF documents which are very popular for publications.
  • Other metadata that exposes private information: A rather unusual but curious case is custom metadata generated in some documents which can result in a much more relevant leak than one can think at first sight. For example, properties like the subject of a specific email, an attachment or to whom it was sent can expose clues and evidence of internal business strategies like relations between companies or workers.

Metadata may still be widely unregarded when controlling information flow exposed on corporative webpages or simply sharing documents..
Information leak can happen at very different levels and in different ways. Document loss, non-controlled publication and non-intentioned document exposing is indeed a clear example of a problem to be avoided, however document metadata can’t be despised either, specially by a company that offers data loss prevention solutions.
Metadata and information leak shall not be regarded as a singular incident that only provides an attacker a document, an email or sensitive data. It’s also a process that a determined attacker will invest his time into. Depending on the implemented solutions and how protected the company is the attacker will gather all possible information taking advantage of every single leak (as inconsequential as they may seem) for getting to know his target and forging an attack.
The companies that offer solutions against information loss should take it into account in their own products. For example, erasing of metadata is a compulsory task for the Civil Service according to the "Esquema Nacional de Seguridad" (National Security Scheme) and LOPD. MetaShield Protector is a solution that some of them chosed.

Rubén Alonso Cebrián

Mobile banking and banking trojans

Tuesday, August 13, 2013

During 2012 there was an increase around 28% in mobile banking or M-Banking operations. Users can access their bank accounts from their mobile devices, mainly making use of a specifically created banking access applications. What benefits and problems bring us this new way of interacting with banks?

Source: http://qz.com/79818/why-you-should-access-online-banking-on-your-smartphone-rather-than-your-computer/
Specific applications for accessing banks accounts (downloaded mainly from official app stores like Apple Store or Google Play for the sake of security and availability) ease our access making it quicker and avoiding  in some way phishing attacks, that are more common in a "browser and link" environment.

But the use of this kind of applications involve other risks. Apps are supposed to be reviewed, tested and analyzed before making them available for users. Among other measures, Google Play uses “Bouncer”, an automatic system to dinamically analyze applications before making them public. Unfortunately it does not avoid this official shop hosting quite a lot of malware for these devices, hidden in legitimate applications as well as in applications which simulate belonging to real bank entities but only steals credentials. Apple Store implements a better protection, because of its policy being much more restrictive when allowing an application to be uploaded to the store.

So far, we have seen applications which simulate to be an official application, necessary to operate with a bank from a mobile device. These are usually offered from fraudulent repositories or from the official store (during a short time, until it is detected). But there are other ways. Although not too many cases of this kind has been detected, malware previously hosted in the device could try to steal information from the legitimate bank application. For infecting the device in first place, the user has to install an application that contains malware or that "is" malware, although it may come from an email attachment, or even an infected PC. Then, it would be enough to get keystrokes or network data sent by the legitimate application.

The guilty ones
Zeus (Zbot) malware with its multiple variants, is the most popular baking trojan. Programmed in C++ (and PHP for its "server" side) it was first seen during 2007 and supposed a real revolution in malware's world, given its specialization and ability to obtain bank credentials while in Windows boxes. It has evolved during time, adapting and getting better to avoid new security systems.

Zeus could be purchased in black market for 2500-3000 €, providing a complete information arsenal for "learning to steal". Aside, scammers may buy additional modules to improve funcionality or even use it as a service, renting infected botnets. In 2011 its source code was leaked, generating some other versions manteined by "the community". SpyEye is a very popular banking trojan too, with quite a lot of plugins and advanced funcionality.
Zeus based malware is constantly improving, trying to make money selling the product. As an example, a new variant of banking malware "as a service" that showed up in 2013 is "KINS" (Kasper internet non security) developed from Zeus and adding SpyEye features.
Source: https://blogs.rsa.com/is-cybercrime-ready-to-crown-a-new-kins-inth3wild/
Malware and phones

While security in online banking improves, integrating the cell phone as a second factor authentication, malware (specially Zeus and its variants) had to adapt and infect as well these devices. So, the term "MitMo" (Man in the mobile) was established for a kind of Zeus variant that tried to avoid online bank security by infecting smartphones as well and, obtaining in this way the SMS used for authentication. The user (with her PC already infected) is asked to download and execute an application for his smartphone. This malware for mobile devices has to work together with the trojan infecting the victim's system. By themselves, they are not expected to specifically steal bank information while in the smartphone.

But new variants for Android have been spotted, specifically designed for stealing users from a particular bank. Kaspersky has alerted about a malware that, aside from stealing all kind of information from the smartphone itself, it is able to communicate via POST commands to a C&C server. But the most interesting feature is that it is specifically programmed to obtain the bank account balance for users registered with Sberbank Russian bank (sending a SMS to a free number available for their clients). It also intercepts every SMS and calls related to this bank. So this may be considered the first approach to a basic feature in PC banking trojans, that have been programmed long ago sepecifically for every bank.

Source: http://www.securitylab.ru/news/442700.php
At the moment, it has been only detected in Russia, cradle (among other Eastern countries) for most of the sophisticated banking trojans.

Antonio Bordón Villar

(re) Introducing Evil Foca (DEFCON Edition)

Wednesday, August 7, 2013

Evil Foca was introduced in early April, as a tool to make local networks pentesters and auditors life easier. In a simple way and with a very simple interface too, it allows to automate different attacks, showing how insecure local networks may be "indoors". Among them:
  • Man In The Middle (MITM) over IPv4 with ARP spoofing.
  • MITM over IPv4 with DHCP ACK injection.
  • MITM over  IPv6 with Neighbor advertisement spoofing.
  • MITM over IPv6 with SLAAC attack.
  • Rogue DHCPv6 attacks.
  • DoS (Denial of service) over IPv4 with ARP spoofing.
  • DoS over IPv6 with SLAAC DoS.
  • DNS Hijacking.
Even more, during DEF CON 21, celebrated a few days ago in Las Vegas, a new version of Evil FOCA (DEFCON Edition) was introduced. The main feature added for this version is the implementation of a full automated Web Proxy Auto-Discovery attack.

This presentation, quite successful according to some witnesses, showed live what you can get with IPv6 (enabled by default in Windows) MITM attacks, and how easy it is to leverage protocol vulnerabilities with Evil Foca.
IPv6 attacks with Evil Foca. New version does not include ads
Slides are available here:

You can now download Evil Foca from here: http://www.informatica64.com/EvilFoca/download.aspx