October 21, 2014

College student reports software vulnerability in school’s web service and then gets expelled

(LiveHacking.Com) – A talented computer science major has been expelled from Dawson College in Montreal, Canada because he ran a test to check the status of a security vulnerability which he had previously found and reported.

While developing a mobile app using Skytech’s Omnivox Web software, Hamed Al-Khabaz, along with fellow student Ovidiu Mija, discovered some “sloppy coding” that, if exploited, could disclose the personal information of thousands of students. The pair immediately notified the school’s technical staff and were told that Skytech would be notified. The two students were initially praised by Skytech, which said: “These two students discovered a very clever security flaw, which could be exploited. We acted immediately to fix the problem, and were able to do so before anyone could use it to access private information.”

And this is how it should be: a flaw is discovered, it is reported, it is fixed, and the people who find it are acknowledged for their efforts and for fully disclosing the error rather than using the information for some illegal activity.

However, what happened next is bizarre. To verify that the flaw had been fixed, Hamed used Acunetix’s Web Vulnerability Scanner on the school’s web site. The use of the tool was quickly detected by Skytech, and the President of Skytech called the student at his home and threatened him.

Skytech’s president Edouard Taza is reported to have told Hamed that his actions were considered a cyber attack and that he could go to jail. Hamed was then forced to sign a non-disclosure agreement. More bizarre than Skytech’s reaction was the reaction of the college, which decided to expel the student. Al-Khabaz appealed, but even the school’s academic dean and director general rejected his pleas.

The twist now means that the high-achieving computer science student, who acted completely openly and for ethical reasons, has been branded a criminal. If I buy a lock for my front door, will I be arrested if I try to open it and see how strong it is?

“I saw a flaw which left the personal information of thousands of students, including myself, vulnerable,” he told the National Post. “I felt I had a moral duty to bring it to the attention of the college and help to fix it, which I did. I could have easily hidden my identity behind a proxy. I chose not to because I didn’t think I was doing anything wrong.”

It is reported that Skytech has offered Al-Khabaz a scholarship to finish his degree at another school; however, this information can’t be verified as both the Skytech and Dawson College websites are down.

The difference between an exploit and a vulnerability

(LiveHacking.Com) – Any reader of this blog will inevitably come across words like vulnerability, exploit, malware, Trojan and so on. Some of these words have connected meanings, but in themselves they have clear and separate definitions. For example, a Trojan is a type of malware, but not all malware is a Trojan. What about ‘vulnerability’ and ‘exploit’: are they the same thing? If not, what is the connection?

A vulnerability is a flaw in a system, or in some software in a system, that could provide an attacker with a way to bypass the security infrastructure of the host operating system or of the software itself. It isn’t an open door, but rather a weakness which, if attacked, could provide a way in.

Exploiting is the act of trying to turn a vulnerability (a weakness) into an actual way to breach a system. A vulnerability can therefore be ‘exploited’ to turn it into a viable method of attacking a system.

In software (rather than whole systems including the people, the computers, the firewalls, the networks etc.), the most common type of vulnerability is a memory error. These can be buffer overflows, heap corruptions or NULL pointer de-references. Once a memory issue has been discovered, an attacker will try to exploit it by manipulating how the memory is corrupted in the hope of altering some aspect of the addressing (maybe a return address). This can then be used to make the CPU run code in another part of memory. If arbitrary code execution is achieved then the system can be exploited. The extent of the exploit will depend on the nature of the vulnerability, on whether privilege elevation was achieved, and on the extent of mitigation technologies such as sandboxing or address space layout randomization (ASLR).

Turning a software vulnerability into an exploit can be hard. Google, for example, rewards security researchers for finding vulnerabilities in its Chrome web browser. The payouts Google makes are in the range of $500 to $3000. However, it also runs competitions for security specialists to present exploited vulnerabilities. These exploits are rewarded with much larger sums, as much as $60,000. The difference in payouts reflects the magnitude of the task when trying to exploit a vulnerability.

New Version of Metasploit Targets IPv6 Risks

(LiveHacking.Com) – Rapid7 has released a new version of Metasploit, its popular penetration testing toolkit, with new functionality to assess the security of IPv6-enabled systems. With Metasploit 4.2, users can test whether IPv6 addresses on their network are vulnerable to cyber-attacks. The framework includes hundreds of working remote exploits for a variety of platforms, and the new IPv6 tests are important for organizations that have not methodically implemented an IPv6 network but have instead allowed it to creep in as operating systems and devices started enabling IPv6 functionality by default. For example, the default setting in Windows 7 and Windows Server 2008 is to give a higher priority to the IPv6 interface, rather than the IPv4 address, for management traffic and network shares.

“The number of IPv6-enabled systems has quadrupled over the last three years, broadening the attack surface for cyber attackers, with over 10% of the world’s top web sites now offering IPv6 services,” said HD Moore, CSO of Rapid7 and chief architect of the Metasploit Project.

Since IPv6 runs in parallel with IPv4, it is often not as well managed as the existing IPv4 network. It is essential that companies perform security assessments to audit IPv6-enabled internal and external hosts. Rapid7 cites the example of organizations that have blocked zone transfers on their DNS servers for IPv4, but left this common flaw wide open on IPv6. Another real-world example is the use of firewalls that have been correctly configured to filter IPv4 traffic but that accept all IPv6 traffic. Furthermore, some older Intrusion Prevention Systems (IPS) may even be completely unaware of IPv6 traffic.
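The firewall case above (IPv4 correctly filtered, IPv6 wide open) is easy to check for from the host itself. The script below is an added example, not part of the original article or of Metasploit: it parses the `-S` listing format that `iptables` and `ip6tables` print and flags chains where the IPv6 table is more permissive than the IPv4 one. The two listings are constructed sample data, not captured from a real host.

```python
"""Detect IPv4/IPv6 netfilter policy drift (added example, constructed data)."""

# Constructed sample: an IPv4 INPUT chain with a default-deny policy,
# in the format printed by `iptables -S`.
IPTABLES_V4 = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
"""

# Constructed sample: the IPv6 table on the same host was never configured,
# so `ip6tables -S` shows only the kernel defaults (everything accepted).
IP6TABLES_V6 = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
"""


def parse_rules(listing):
    """Split a `-S` listing into {chain: policy} and {chain: [rule, ...]}."""
    policies, rules = {}, {}
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "-P":
            policies[parts[1]] = parts[2]
        elif len(parts) >= 2 and parts[0] == "-A":
            rules.setdefault(parts[1], []).append(" ".join(parts[2:]))
    return policies, rules


def find_policy_drift(v4_listing, v6_listing):
    """Return (chain, kind, ipv4_value, ipv6_value) tuples where IPv6 is weaker.

    kind "policy": IPv4 chain defaults to DROP/REJECT but IPv6 defaults to ACCEPT.
    kind "rules":  IPv4 chain carries explicit rules but the IPv6 chain has none.
    """
    v4_pol, v4_rules = parse_rules(v4_listing)
    v6_pol, v6_rules = parse_rules(v6_listing)
    findings = []
    for chain, pol4 in sorted(v4_pol.items()):
        pol6 = v6_pol.get(chain, "ACCEPT")  # netfilter's default when never set
        if pol4 in ("DROP", "REJECT") and pol6 == "ACCEPT":
            findings.append((chain, "policy", pol4, pol6))
        if v4_rules.get(chain) and not v6_rules.get(chain):
            findings.append((chain, "rules", len(v4_rules[chain]), 0))
    return findings


if __name__ == "__main__":
    for chain, kind, v4, v6 in find_policy_drift(IPTABLES_V4, IP6TABLES_V6):
        print(f"{chain}: IPv6 {kind} weaker than IPv4 ({v4} vs {v6})")
```

On a live host the two listings would come from `iptables -S` and `ip6tables -S` run as root; nftables systems would need the same comparison over `nft list ruleset` output instead.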

Metasploit 4.2 is available immediately from rapid7.com. The new features are available in both the open source and commercial editions of Metasploit.
Rapid7 Introduces Metasploit Community Edition

(LiveHacking.Com) – To coincide with the second anniversary of Rapid7’s acquisition of the Metasploit project, it has announced that as of version 4.1 of Metasploit there will be a Metasploit Community Edition, a free commercial product that is available for both personal and professional use. Metasploit Community Edition includes the same network discovery, data import, and Nexpose integration as its Metasploit Pro counterpart.

Rapid7 is releasing the Metasploit Community Edition to address the growing gap between two types of users: the security researchers and developers who want a powerful platform to build custom tools and exploits using the console interface, and the security and IT professionals who use the Metasploit Framework to conduct security assessments and verify vulnerabilities.

The free Community Edition provides a simple path for identifying targets, selecting an exploit, and launching it. Sessions can be managed through the user interface and have full access to the extensive post-exploit modules built into the Metasploit Framework.

“The best way to tackle the increasing information security challenge is to share knowledge between practitioners, open source projects and commercial vendors,” said HD Moore, Rapid7 CSO and Metasploit chief architect. “With that in mind, we’ve combined the Metasploit Framework with Rapid7’s commercial development to bring together the best of both worlds – the collaboration of security researchers around the world with quality-tested and stable commercial features. The new Metasploit Community Edition will greatly help security professionals seeking to understand risk and improve their security programs without needing to increase budgets.”

Metasploit Community Edition is available today as part of the Metasploit 4.1 release.

Hacker Halted Set as Venue for North American CyberLympics Competition

(LiveHacking.Com) – The Global CyberLympics got underway on September 18th with the European Championships held in Budapest. Now, on October 25th, the world’s first international team ethical hacking championship comes to North America as part of Hacker Halted Miami.

The games, which are officially endorsed by the U.N.’s cybersecurity executing arm, will be made up of both offensive and defensive security challenges. Teams will vie for regional championships, followed by a global hacking championship final to determine the world’s best cybersecurity team. The EC-Council is sponsoring the events with over $400,000 worth of prizes.

The Deloitte Netherlands team won the grueling European Championships and will now represent Europe in the world finals in 2012. The North America Championships, which have been slimmed down to one competition from two (East and West), will decide which team will represent the USA and Canada.

The Global CyberLympics is supported by the International Multilateral Partnership Against Cyber Threats (IMPACT), which is part of the International Telecommunications Union (ITU). The ITU is the United Nations specialized agency for information and communication technologies.

“The Global CyberLympics could help to foster a greater sense of partnership and cooperation between countries on the issue of cybersecurity,” said Mohd Noor Amin, Chairman of IMPACT when the competition was originally announced.

LiveHacking.Com is proud to be an official partner of the Global CyberLympics.

New Service Brings Crowdsourcing to Penetration Testing

(LiveHacking.Com) – Crowdsourcing, a term first used back in 2006, has proved a popular way to outsource tasks to large groups or communities (i.e. “the crowd”), where small actions by large numbers can achieve quick results. This idea has now been adopted in the area of penetration testing. Hatforce.com is a new service which rewards ethical hackers for performing penetration tests for willing clients.

The idea is simple. A client signs up to the Hatforce.com web site and offers a financial reward, say $70, for every vulnerability found in their web site or software. Ethical hackers then sign up to Hatforce.com and sign a legal agreement giving them the authority to “hack” the client’s resources. If any vulnerabilities are found, they are paid.

The idea of asking “the crowd” to engage in security-related tasks was popularized by Google with its Chromium Security Awards scheme. Under Google’s scheme, software developers are rewarded for finding security-related bugs in Google’s Chrome browser and in the WebKit HTML and JavaScript engine. To date Google has paid out hundreds of thousands of dollars in rewards, and some people like Sergey Glazunov have become semi-famous for their consistent work in finding security holes.

Hacker Halted 2011 Lands in Miami for October Conference – LiveHacking.com Official Media Partner

(LiveHacking.Com) – The EC-Council has lined up the world’s top information security experts for Hacker Halted 2011. This year’s conference will take place from October 21-27 at the InterContinental Miami. LiveHacking.com is proud to be an official media partner of the 2011 conference.

The conference is split into two distinct parts. From October 21 to October 24 is ‘Hacker Halted | Academy’, a series of technical training & certification classes led by world-class instructors. Among the courses will be the renowned Certified Ethical Hacker (CEH) program (a recently accepted certification under DoD Directive 8570.01M Change 2). Then from October 25 to October 27 is ‘Hacker Halted | Conference’. With a comprehensive agenda and an international line-up of speakers, the Hacker Halted Conference promises to be one of the best information security conferences this year.

Keynote speaker highlights at Hacker Halted 2011 include:

  • Bruce Schneier, Chief Security Technology Officer at BT, best-selling author of Applied Cryptography, developer of cryptographic algorithms such as AES-finalist Twofish, and de facto spokesperson for the information security field.
  • George Kurtz, Worldwide Chief Technology Officer and Executive Vice President of McAfee, former CEO of Foundstone, before it was acquired by McAfee, and co-author of Hacking Exposed: Network Security Secrets & Solutions.
  • Philippe Courtot, chairman and CEO of Qualys, former chairman and CEO of Signio (acquired by VeriSign), and former member of the Board of Trustees for The Internet Society.

Other speakers include Barnaby Jack, of Black Hat 2010 ATM hacking demonstration fame, and Moxie Marlinspike, Fellow at the Institute of Disruptive Studies, who has discovered numerous high-profile security vulnerabilities, including flaws in SSL/TLS.

Global CyberLympics Starting in September – Endorsed by U.N.’s Cybersecurity Arm

(LiveHacking.Com) – The U.N.’s cybersecurity executing arm has officially endorsed the EC-Council’s upcoming Global CyberLympics. This new Olympic-style ethical hacking championship will start this September across six continents, with the aim of fostering better cooperation and communication on cybersecurity issues on the international stage.

The games will be made up of both offensive and defensive security challenges. Teams will vie for regional championships, followed by a global hacking championship final to determine the world’s best cybersecurity team. The EC-Council is sponsoring the events with over $400,000 worth of prizes.

The Global CyberLympics is supported by the International Multilateral Partnership Against Cyber Threats (IMPACT), which is part of the International Telecommunications Union (ITU). The ITU is the United Nations specialized agency for information and communication technologies.

“The Global CyberLympics could help to foster a greater sense of partnership and cooperation between countries on the issue of cybersecurity,” said Mohd Noor Amin, Chairman of IMPACT. “By sharing knowledge, training and resources, we can help to improve the level of cybersecurity in many countries and regions around the world.”

Regional championships will be held in various locations across different continents, and co-hosted with reputable IT/information security conferences and tradeshows, as follows:

  • North America (Eastern) | Hacker Halted USA – Miami, USA
  • North America (Western) | TakeDownCon – Las Vegas, USA
  • South America | H2HC – São Paulo, Brazil
  • Europe | Hacktivity – Budapest, Hungary
  • Middle East & India | GITEX – Dubai, UAE
  • Asia Pacific | Hacker Halted APAC – Kuala Lumpur, Malaysia
  • Africa | TakeDownCon – Johannesburg, South Africa

The EC-Council hopes to hold the world final during the first quarter of 2012.

LiveHacking.Com is proud to be an official partner of the Global CyberLympics.

TakeDownCon Dallas 2011 Information Security Conference Starts Today

TakeDownCon Dallas 2011 starts today. This two-day conference, which is in its debut year, is designed for technical information security and IT professionals of all levels.

The first keynote will be given by Josh Shaul and Alex Rothacker on the Anatomy of a Database Attack. Today’s web-accessible databases are especially susceptible to attacks, partially because of the appeal of their lucrative repositories of data, and partially because IP entry affords hackers a broader range of methods with which to invade and gain access to database information. In this presentation, Josh and Alex will describe some of the sophisticated methods used in invading enterprise databases, as well as provide guidelines and best practices on security and compliance in a variety of database systems including Oracle, Microsoft SQL Server, IBM DB2, and Sybase.

Other first day presentations include:

A full schedule can be found here and the synopsis here.

TakeDownCon Dallas takes place at the InterContinental Dallas and is sponsored by Live Hacking, among others. Some of the supporting organizations of the event include the FBI InfraGard’s North Texas Chapter and NAISG’s Dallas Chapter.

LiveHacking.com will bring you news, interviews and photos from the event.
Metasploit Framework 3.7.0 Released

Two months after the release of the Metasploit Framework 3.6, the Metasploit team has announced the availability of Metasploit Framework 3.7.0. Since v3.6 the developers have focused on one of the least visible but most important pieces of the Metasploit Framework: the session backend. This overhaul increases performance in the presence of many sessions and allows a larger number of concurrent incoming sessions to be handled more reliably.

Metasploit now ships with 685 exploit modules of which 35 are new, 355 auxiliary modules (15 new), and 39 post modules (17 new).

v3.7 also includes some new features:

  • Support for SMB signing, enabling pass-the-hash and stolen password attacks against Windows 2008 Server environments.
  • The Microsoft SQL Server mixin (and all modules) now supports NTLM authentication.
  • The data import backend has undergone a rewrite, speeding up most import tasks by a factor of four.
  • OS information is now normalized to make fingerprinting more accurate and easier to deal with.

Highlights from the new modules include:

  • Apple iOS Backup File Extraction: Extract sensitive data from iTunes backup files (location, call history, SMS content, pictures, etc).
  • Exploits for two different Adobe Flash vulnerabilities exploited in the wild.
  • Code execution modules for MySQL and PostgreSQL when a valid login is available.
  • Exploit for the Accellion File Transfer Appliance Default Encryption Key flaw found by Rapid7.
  • Over ten new exploits for HP Network Node Manager (plus an HP OpenView exploit).
  • Post-exploitation module for privilege escalation through the .NET Optimizer Service.
  • Post-exploitation modules for stealing stored WinSCP and VNC passwords.