One Mail to Rule Them All
This small research project was conducted over a four-week period a while back, so current methods may differ as password restoration methods change. While writing this blog post, the Gizmodo writer Mat Honan’s account was hacked with some clever social engineering that ultimately brought numerous small bits and pieces of information together into one big chunk of usable data. The downfall in all this is that different services use different alternative methods to reset passwords: some have you enter the last four digits of your credit card and some would…
The Leaky Web: Owning Your Favorite CEOs
I have been researching new ways to get data about people easily by using different sources; I found something interesting and simple, which I presented to some people at IOAsis in Las Vegas a couple of weeks ago. You can find the slides here. Most websites use the email address as a user name for authentication, but few websites use specific user names. When registering on a website, if the email address you want to use is already taken by an existing account, the website tells you that….
Impressions from Black Hat, Defcon, BSidesLV and IOAsis
A week has passed since the Las Vegas craziness and we’ve had some time to write down our impressions about the Black Hat, Defcon and BSidesLV conferences as well as our own IOAsis event. It was great for me to meet lots of people—some of who I only see once a year in Las Vegas. I think this is one of the great things about these events: being able to talk for at least a couple of minutes with colleagues and friends you don’t see regularly (the Vegas craziness doesn’t…
IOActive Las Vegas 2012
That time of the year is quickly approaching and there will be nothing but great talks and enjoyment. As a leading security and research company, IOActive will be sharing a lot of our latest research at BlackHat USA 2012, BSidesLV 2012, and IOAsis. And, of course, we’ll also be offering some relaxation and party opportunities, too! This year we are proud to be one of the companies with more talks accepted than anyone else at BlackHat USA 2012, an incredible showing that backs up our team’s hard work: · SEXY…
The Value of Data
Have you ever entered an office and seen a pile of money sitting unattended and easily accessible on a desk? How many people in your company have a key or combination to a safe with money inside and can open that safe without any controls? Do you leave money in a non-secure place that everyone knows about and can freely access? Your probable answer to all these questions is NO, which makes sense—what doesn’t make sense is how so many companies don’t think the same way about data….
Invensys Wonderware InTouch 10 DLL Hijack
ICS-CERT originally released Advisory ICSA-12-177-01P on the US-CERT Portal on July 05, 2012. The web page’s release was delayed to provide the vendor with enough time to contact customers concerning this information. Independent researcher Carlos Mario Penagos Hollmann has identified an uncontrolled search path element vulnerability, commonly referred to as a DLL hijack, in the Invensys Wonderware InTouch application. Successfully exploiting this vulnerability could lead to arbitrary code execution. ICS-CERT has coordinated the report with Invensys, which has produced an upgrade to address this vulnerability. Mr. Hollmann has validated that…
WellinTech KingView and KingHistorian Multiple Vulnerabilities
Independent researchers Carlos Hollmand and Dillon Beresford identified multiple vulnerabilities in WellinTech’s KingView and a single vulnerability in WellinTech’s KingHistorian applications. These vulnerabilities can be exploited remotely. WellinTech has created a patch, and the researchers have validated that the patch resolves these vulnerabilities in the KingView and KingHistorian applications.
Reversal and Analysis of the Zeus and SpyEye Banking Trojans
Although the core functionality of SpyEye is similar to its main rival Zeus, SpyEye incorporates many advanced tricks to hide its presence on the local system. This document includes a deep technical analysis of the bot’s advanced hooking and injection mechanisms, as well as its core functionality used to hijack and steal user information. Zeus is an advanced piece of malware, so getting it to a reversible state was not a trivial exercise since it incorporates multiple layers of custom, portable, executable encryption. IOActive reverse engineers stripped each encryption layer…
Wonderware Archestra ConfigurationAccessComponent ActiveX stack overflow
The Wonderware Archestra ConfigurationAccessComponent ActiveX control that is marked “safe for scripting” is suffering from a stack-overflow vulnerability. The UnsubscribeData method of the IConfigurationAccess interface is using wcscpy() to copy its first parameter into a static-sized local buffer. Attackers can exploit this vulnerability to overwrite arbitrary stack data and gain code execution.
XBMC File Traversal Vulnerability
XBMC is an award-winning, free, and open source (GPL) software media player and entertainment hub for digital media. XBMC is available for Linux, OSX, and Windows. Created in 2003 by a group of like-minded programmers, XBMC is a nonprofit project run and was developed by volunteers located around the world. More than 50 software developers have contributed to XBMC, and 100-plus translators have worked to expand its reach, making it available in more than 30 languages.