Scam Facebook Chat Verification Hijacking users account

Security researchers from Trend Micro are alerting of a new spam messages that are spoofing official Facebook Chat Team notification. The spam message is a fake Facebook Chat verification that asks user to verify and approve their accounts otherwise the account is going to be terminated.

This type of spam message may trick user and by the end allows cybercriminal to hijack Facebook accounts. The attack scenario looks as follows:

  1. Victim is asked to open a Pastebin URL and copy a Javascript code
  2. Next the victim instructed to open a shortened link that leads to Web console
  3. On Web console victim paste the Javascript code to validate the account but the reality the code is going to post scam on friends wall and subscribe victim to attackers Facebook group.

FB-chat-spam1Screenshot by TrendMicro for the spam message

This is a variant on the self-XSS attack. By pasting the code in the browser console, the user gives the code access to their account. The code usually posts the same scam on other people’s walls, and subscribes the user to pages controlled by the attacker – but it could do much worse things.” According to The official Facebook warning notes

If you receive a similar message make sure to Ignore the message and report it as a spam.

Share

WPScan WordPress Vulnerability Scanner

New version of the wordpress security assessment tool – WPScan, the tool already included in many popular pentest distributions such as BackBox Linux, Kali Linux ,Pentoo and SamuraiWTF.

The new release is 2.4 include new fingerprints for WP 3.8.3 & 3.7.3, 3.9 and addition vulnerabilities for wordpress CMS. There is also update for the theme list and plugins so the scanner allow to detect themes versions.

According to  change-logs WPScan Database Statistics:

  • Total vulnerable versions: 79; 1 is new
  • Total vulnerable plugins: 748; 55 are new
  • Total vulnerable themes: 292; 41 are new
  • Total version vulnerabilities: 617; 326 are new
  • Total plugin vulnerabilities: 1162; 146 are new
  • Total theme vulnerabilities: 330; 47 are new

WPscan

WPScan can by used for the following purposes:

  • Determine the version of WordPress CMS
  • Brute force usernames and passwords
  • List all installed modules and plugins
  • List installed themes

You can read the release notes over this link: http://wpscan.org/

Share

DSploit Android Toolkit for Security Testing

dSploit is a very comfortable tool that you can install on Android to run a pentest or network security assessment. The toolkit allows fingerprinting the remote operating systems and identifying different hosts, scans the network for system vulnerabilities and performing MITM to sniff sensitive information such as user’s password.
The features included in dSploit are:

  • WiFi Scanning & Common Router Key Cracking
  • Deep Inspection
  • Vulnerability Search
  •  Multi Protocol Login Cracker
  • Packet Forging with Wake On Lan Support
  • HTTPS/SSL Support ( SSL Stripping + HTTPS -> Redirection )
  • MITM Real-time Network Stats
  • MITM Multi Protocol Password Sniffing
  • MITM HTTP/HTTPS Session Hijacking
  • MITM HTTP/HTTPS Hijacked Session File Persistence
  • MITM HTTP/HTTPS Real-time Manipulation

dSploitMITM module screenshot from http://dsploit.net/ (click to enlarge)

The toolkit will help security officer or penetration tester to demonstrate how it is possible to exploit vulnerabilities and take control on targeted systems. the team have officially announced that they have a new nightly builds that you can download over this link: http://update.dsploit.net/nightly

Share
Heartbleed

End User Considerations For OpenSSL Vulnerabilities

OpenSSL vulnerabilities could enable a remote hacker to gain access to sensitive data, including secret keys and authentication credentials, via incorrect memory handling. Some of these vulnerabilities could also cause potential leak of non-encrypted information and DTLS (Datagram Transport Layer Security) data to be decrypted.

More than 50% of the web servers on the internet utilize OpenSSL to safeguard user accounts and data. Servers can take the form of chat servers, email servers, network applications, social media servers, virtual private networks (VPNs) and open source serves such as nginx and Apache.

Problems occur when OpenSSL trusts the length field from cyber criminals while it creates a response packet. The latest Heartbleed Bug vulnerability is a reminiscent; it was detected in OpenSSL implementations using the OpenSSL/DTLS Heartbeat extension. The attacker can exploit it on a server to read a portion of the server’s memory at a time – up to 64 KB – without any traces.

With the installed SSL certificates on a host running the effected version of OpenSSL, the private keys could be potentially compromised. With no method of finding which certificates are comprised, server hosts must generate new SSL certificates.

For end users, the biggest problem is that they have to wait for website operators to take appropriate measures to patch these vulnerabilities. So even if security breakdowns like the Heartbleed bug exposes sensitive data on your computers and company devices, you can only take measures to alleviate the risk(s) as the root issue must be fixed by server operators.

While enterprises should always perform a comprehensive assessment of their digital identity, incorporating these measures can significantly mitigate the risks of OpenSSL vulnerabilities:

Monitoring

Network monitoring could be the difference maker to your cyber security as it can detect an adversary’s intention before any harm is caused to your system. More specifically, advanced monitoring systems enable enterprises to receive proactive insights on network-related activities, allowing for the appropriate action for neutralizing OpenSSL vulnerabilities and other threats.

Monitoring services can also protect your organization’s reputation by intercepting threats to your digital identity before the public does. Reputable services are also backed by a proactive staff following strict process for quickly communicating up-to-date information to clients.

Updating passwords

The most recommended measure for enterprise users is to change passwords for all major web-connected services. Taking this action also updates the authorization tokens that usually get compromised in an OpenSSL breach. Password management apps like LastPass work well for generating strong passwords, and you can even generate passwords in OS X on Mac computers.

Administration should also ensure employees are not sharing passwords with people outside the company. Additionally, previously entered passwords should not be reused because if attackers gain access to one of the systems, they can exploit components running the same code.

Two-step authentication

A lot of frequently used web services let users enable a two-step authentication process that can add an additional layer of authentication by asking for a code through a smartphone application, or a text message.

Entering the password from a device other than the main system in order to gain access may not prevent all risks, but it can make the job difficult for people looking to grab your credentials. Two-factor authentication also works with enterprise social media tools such as Buffer and HootSuite.

Share
medium

PayPal released a fingerprint payments mobile application

PayPal payment system launched a mobile application to allow Samsung smartphone owners in 25 countries have the ability to authorize payments using the fingerprint. New biometric authentication procedure replaces the traditional user name and password.

Survey of users in the United States showed that the majority of them ( 53 %) believe the new procedure to be more comfortable .

While the press release have not disclosed the key characteristics for PayPal biometric authentication  , including the percentage of false positives. this new innovative solution can be a good enhancement to the system usability but from the security prospective there is no changes compared to traditional authentication.

Heartbleed vulnerability, made it clear that any new technology should consider several factor authentication. Standard authentication using login and password will not totally prevent attacks on remote system.

Share

Subterfuge Automated Man-in-the-Middle Attack Framework

Subterfuge is a python based tool that you can use for testing Man-In-The-Middle attacks. the program will start to sniff network traffic and wait to have user login to online websites such as gmail , twitter, facebook and more.  Next it will display accounts information.

Beside the session hijacking module there are other modules that can be used for scanning the network, perform an HTTP code injection or Denial of service.  there is also a Tunnel Block to prevent certain protocols from accessing the internet including PPTP, Cisco IPSec, L2TP, OpenVPN, SSH.

Another module is the Network View where it provides a rapid sync to represent victim information in real-time. another addition is Evilgrade which allow attacker to spoof operating system update and provide victim patches shipped with backdoor.

subterfugescreenshot for Subterfuge with modules (click to enlarge)

 You can read more about Subterfuge on the following link: http://code.google.com/p/subterfuge/

Share
Heartbleed

Heartbleed Critical Vulnerability in OpenSSL

The security community is actively discussing over this week the openssl vulnerability that allows attacker to exploit the Heartbeat TLS and receive 64KB in the RAM memory. The attack can be repeated continuously to get sensitive information from end users such as their passwords.

Many online servers were affected by this critical vulnerability while patching openssl will not totally solve the situation. Administrators need to install new certificate for the servers and all account passwords should be changed.

The vulnerability was reported last Friday by codenomicon and on Monday a security fix were released and included in openssl 1.0.1g. Script based on python for Nmap were also issued to detect the vulnerable server and published for testing any active bug.

Heartbleed is one of the more serious bugs up to now because the attacker can take all the information without any traces which makes it complex to monitor and identify the attack. The real number of the attack is unknown up to now.

This makes that security testing for software’s and programs is one of the best way to secure the applications and end users and such glitches can rise at any moment. If you are using openssl make sure that you have applied the entire security requirement and you can also use snort signature to detect and monitor Heartbleed exploitation on your facilities.

Share