Showing posts with label Penetration Testing.

Cybercriminals Recruit Experts for Advanced Ransomware Development

Businesses and cybercriminals alike are seeking skilled cybersecurity professionals, with the latter advertising for talent capable of developing dark AI models and penetration-testing tools, commonly used for ransomware. These efforts aim to strengthen their malware and reduce the risk of detection by defenders.

Telegram chats and forums such as the Russian Anonymous Marketplace (RAMP) are popular platforms for recruiting such talent. According to Cato Networks' "Q3 SASE Threat Report," these forums feature advertisements for developers to create malicious versions of tools like ChatGPT, showcasing the growing technical sophistication of cybercriminal operations.

The increasing demand for technical expertise reflects the recent success of law enforcement and private companies in dismantling botnets and aiding victims. "They definitely want to make sure all the effort they're putting into their software is not going to be turned over when somebody finds a vulnerability," said Etay Maor, chief security strategist at Cato Networks. Cybercriminals are now mirroring corporate practices to ensure their tools are robust.

As cybercriminal organizations grow, their structures increasingly resemble legitimate businesses, with specialized roles for software development, finance, and operations. Leading groups such as LockBit, RansomHub, and Akira have adopted these practices to improve efficiency and profitability. "These emerging groups and platforms bring new and interesting ways to attack," stated Recorded Future.

The first half of 2024 witnessed the appearance of 21 new ransomware groups, though many are likely rebranded versions of older entities. During this period, cybercriminals claimed over 2,600 breaches, a 23% rise from 2023, according to Rapid7. Malware development is also evolving, with languages like Rust and Go gaining popularity alongside traditional C and C++.

Roles within these organizations are becoming more specialized, including geographic-focused tasks like mule recruitment for financial fraud. "When you're talking about financial fraud, mule recruitment has always been a key part of the business," Maor explained, highlighting the professionalization of cybercrime.

Recent arrests of members from major ransomware groups like ALPHV/BlackCat and the release of decryption tools by law enforcement agencies illustrate the growing pressure on cybercriminals. These developments push groups to enhance their security measures.

Economic instability in conflict zones has contributed to a growing pool of skilled individuals turning to cybercrime. "There's people losing jobs in Eastern Europe because of the current war situation," Maor noted. For some, joining cybercrime networks becomes a necessity to survive financially.

Security Researcher Outsmarts Hackers with Fake Ransomware Tool

The debate surrounding the ethics and practicality of "hacking back" remains a heated topic within the cybersecurity community. When organizations face cyberattacks, is retaliating against the attacker a viable option? While opinions differ, one fact remains clear: breaking the law is breaking the law, regardless of intent.

However, in a fascinating case of strategic ingenuity rather than retaliation, a security researcher and penetration tester successfully infiltrated a notorious dark web criminal marketplace. This was less an act of hacking back and more a bold example of preemptive defense.

Quoting American philosopher Robert Maynard Pirsig, Cristian Cornea, the researcher at the heart of this operation, opened his riveting Medium post with, “Boredom always precedes a period of great creativity.” Inspired by these words, Cornea devised a clever honeypot strategy to target potential ransomware hackers frequenting the BreachForums marketplace on the dark web.

His plan revolved around creating a fake ransomware tool called the "Jinn Ransomware Builder," designed to lure cybercriminals. This supposed tool offered features to help bad actors deploy ransomware attacks. In reality, it was a honeypot—an elaborate trap with some real functionalities but embedded with hardcoded and backdoored command-and-control callbacks.

“Jinn Ransomware Builder is actually a honeypot,” Cornea explained, “but some of the features presented above are real.” For instance, the tool could initiate a remote connection and open a process with a server-hosted “CmD.eXE” executable. Other features, such as multi-language support and AES encryption, were merely designed to make the tool appear more authentic and appealing to malicious actors.

Cornea emphasized that his actions were performed within a controlled and simulated environment, ensuring no laws were broken. “I strictly discourage anyone else from executing such actions themselves,” he warned. He stressed the importance of staying on the ethical side of hacking, noting that the line between good and bad hacking is dangerously thin.

This operation highlights the creativity and strategic thinking ethical hackers use to combat cybercrime, reinforcing that innovation and legality must go hand in hand.

Ransomware Gangs Actively Recruiting Pen Testers: Insights from Cato Networks' Q3 2024 Report

Cybercriminals are increasingly targeting penetration testers to join ransomware affiliate programs such as Apos, Lynx, and Rabbit Hole, according to Cato Networks' Q3 2024 SASE Threat Report, published by its Cyber Threats Research Lab (CTRL).

The report highlights numerous Russian-language job advertisements uncovered through surveillance of discussions on the Russian Anonymous Marketplace (RAMP). Speaking at an event in Stuttgart, Germany, on November 12, Etay Maor, Chief Security Strategist at Cato Networks, explained: "Penetration testing is a term from the security side of things when we try to reach our own systems to see if there are any holes. Now, ransomware gangs are hiring people with the same level of expertise - not to secure systems, but to target systems."

He further noted, "There's a whole economy in the criminal underground just behind this area of ransomware."

The report details how ransomware operators aim to ensure the effectiveness of their attacks by recruiting skilled developers and testers. Maor emphasized the evolution of ransomware-as-a-service (RaaS), stating, "[Ransomware-as-a-service] is constantly evolving. I think they're going into much more details than before, especially in some of their recruitment."

Cato Networks' team discovered instances of ransomware tools being sold, such as locker source code priced at $45,000. Maor remarked: "The bar keeps going down in terms of how much it takes to be a criminal. In the past, cybercriminals may have needed to know how to program. Then in the early 2000s, you could buy viruses. Now you don't need to even buy them because [other cybercriminals] will do this for you."

AI's role in facilitating cybercrime was also noted as a factor lowering barriers to entry. The report flagged examples like a user under the name ‘eloncrypto’ offering a MAKOP ransomware builder, an offshoot of PHOBOS ransomware.

The report warns of the growing threat posed by Shadow AI—where organizations or employees use AI tools without proper governance. Of the AI applications monitored, Bodygram, Craiyon, Otter.ai, Writesonic, and Character.AI were among those flagged for security risks, primarily data privacy concerns.

Cato CTRL also identified critical gaps in Transport Layer Security (TLS) inspection. Only 45% of surveyed organizations utilized TLS inspection, and just 3% inspected all relevant sessions. This lapse allows attackers to leverage encrypted TLS traffic to evade detection.

In Q3 2024, Cato CTRL noted that 60% of CVE exploit attempts were blocked within TLS traffic. Prominent vulnerabilities targeted included Log4j, SolarWinds, and ConnectWise.

The report is based on the analysis of 1.46 trillion network flows across over 2,500 global customers between July and September 2024. It underscores the evolving tactics of ransomware gangs and the growing challenges organizations face in safeguarding their systems.

Hyundai's IPO Documents Reveal Cybersecurity Measures Amid Rising Data Breach Concerns

Hyundai’s recent IPO filing sheds light on its cybersecurity stance, offering a detailed look at the obstacles the company has encountered while safeguarding customer data. The red herring prospectus of Hyundai Motor India Ltd (HMIL) not only assesses its financial standing but also exposes past cybersecurity breaches, outlining the company’s risk management strategies.

The IPO launch comes at a time when cybersecurity is a top priority for global businesses, especially in the automotive sector, which increasingly depends on connected technologies. Hyundai's documents disclose two significant data breaches—one in December 2022 and another in February 2023. In both cases, hackers exposed customer information on the dark web.

Hyundai IPO: Key Cybersecurity Disclosures

The first breach, in December 2022, resulted in customer data being leaked online. Following the attack, Hyundai implemented extensive penetration tests to detect vulnerabilities and managed to remove the stolen information from the dark web, according to Autocar Professional. After a second breach in February 2023, the company quickly disabled the vulnerable APIs hackers had used to exploit the system. Hyundai’s prospectus notes the persistent challenge of securing data against cyberattacks, emphasizing that while efforts have been made, the risk of future breaches remains. Hackers may still seek unauthorized access, potentially impacting vehicle operations and customer data, the document warns.

Recognizing these vulnerabilities is vital for investors, especially considering the legal risks the company could face if customer data is compromised. Hyundai has actively outlined its cybersecurity efforts, stressing that protecting customer information is a top priority for the company.

Hyundai’s Next Steps in Cybersecurity

Hyundai’s cybersecurity efforts include assembling a specialized team to manage vulnerabilities and monitor potential cyber threats continuously. This proactive approach is increasingly necessary as cyberattacks become more advanced, particularly with the rise of connected vehicles and IoT technologies.

The automaker adheres to both national and international cybersecurity standards, consistently updating its protocols to align with the evolving threat landscape. This commitment is not just about data protection; it reflects the company’s awareness that consumer trust is key to maintaining its brand reputation as it moves forward with its IPO.

With these cybersecurity incidents in mind, it’s clear that the automotive industry must stay alert in protecting sensitive data. For companies like Hyundai, which handle vast amounts of customer information, the threat of cyber exploitation remains a major concern.

Offensive Security Necessitates a Data-driven Approach for CISOs

There remains a significant disparity in utilisation of resources between defensive and offensive cybersecurity technologies. When comparing the return on investment (ROI) for defensive and offensive investments, security experts discovered that offensive security routinely outperforms defensive security. For example, penetration testing not only identifies vulnerabilities, but it also addresses and seals potential access sites for hackers. 

This recognition should drive organisations and their security leaders to consider why there is so little investment in offensive security solutions. Many CISOs recognise a clear market gap in offensive security tactics: the tooling they have acquired has brought fatigue without satisfying the changing needs of modern enterprises. CISOs must now look into how a data-driven approach may generate a proven ROI for each offensive security expenditure they make.

Data science and cybersecurity: A powerful duo

In an era of digital transformation and networked systems, cybersecurity incidents have increased tremendously. Businesses face a slew of dangers, including unauthorised access and malware attacks. To tackle this, data science may give analytics that assist security leaders in making informed decisions about their cyber resiliency plans and tactics. 

Data analytics, whether powered by security providers and in-house technology like AI/ML or threat intelligence feeds, entails identifying patterns and insights from cybersecurity data, generating data-driven models, and developing intelligent security systems. By analysing relevant data sources from security testing across assets, systems, customers, and industries (including network activity, database logs, application behaviour, and user interactions), they may deliver actionable intelligence to secure their assets.

However, the most significant component of data analytics is that it improves data-driven decision-making by giving much-needed context and proof behind user behaviours, whether authorised or unauthorised.

Data-driven decision making in offensive security

Data-driven decision-making is the foundation for effective offensive security. Here's how it takes place.

• Threat Intelligence: Data analytics allows organisations to gather, process, and analyse threat intelligence. Defenders obtain real-time insights from monitoring indicators of compromise (IoCs), attack patterns, and vulnerabilities. These findings inform proactive steps like fixing key vulnerabilities and modifying security rules. 

• Behavioural analytics: Understanding user behaviour is critical. Data-driven models detect anomalies and highlight questionable activities. For example, unexpected spikes in data exfiltration or atypical login patterns will prompt an alarm. Behavioural analytics can also help uncover insider threats, which are becoming increasingly prevalent. 

Challenges and future directions

While data analytics can boost offensive security and decision-making, major challenges persist. Data quality is critical for accurate and actionable intelligence; as the phrase goes, "Garbage in, garbage out." Balancing privacy and ethics can also be difficult, but because security testing data should be free of PII, the primary focus should not be on the data itself but on the intelligence that helps make better decisions.

Ultimately, offensive security practitioners must anticipate adversary attacks. However, the future seems promising, as data analytics can propel offensive security as a viable and evidence-based strategy. With analytics, security executives can proactively defend against attacks. As threats develop, so should our data-driven defences.

Role of AI in Revolutionizing Penetration Testing

Penetration testing is a critical component of any cybersecurity program. It involves simulating a real-world attack on an organization's systems and infrastructure to identify vulnerabilities that can be exploited by hackers. However, traditional penetration testing methods can be time-consuming, labor-intensive, and expensive.

To address these challenges, cybersecurity experts are exploring the use of artificial intelligence (AI) in penetration testing. AI-based penetration testing tools can automate the process of vulnerability scanning and testing, making it faster, more efficient, and less expensive.

According to MakeUseOf, AI-based penetration testing can help organizations "detect weaknesses in their defenses and pinpoint areas for improvement." The technology can also help organizations stay ahead of the ever-evolving threat landscape by quickly identifying and addressing vulnerabilities as they arise.

In recent news, The Hacker News reports on a new AI-based penetration testing solution that is 'breaking the mold' of traditional penetration testing. The solution combines AI and machine learning to create a more comprehensive and accurate testing environment.

Cybersecurity expert Joe Robertson notes that "AI-powered penetration testing solutions have the potential to revolutionize the industry." He adds that "the use of AI in penetration testing can help organizations stay ahead of the curve by identifying and addressing vulnerabilities before they can be exploited by attackers."

However, as with any emerging technology, there are potential risks and challenges associated with the use of AI in penetration testing. AI-based tools must be carefully configured and calibrated to ensure that they are accurate and effective. Additionally, AI-based tools may struggle to identify certain types of vulnerabilities that require a more nuanced approach.

Mark Stevens, another cybersecurity expert, recommends that organizations carefully evaluate AI-based solutions before implementing them and ensure that they are used in conjunction with other testing methods. He emphasizes that "AI-based penetration testing is not a panacea. It is a tool that can complement and enhance traditional penetration testing methods."

AI-based penetration testing is a fascinating and promising advancement in the field of cybersecurity. AI-based tools can help businesses keep ahead of the constantly changing threat landscape by automating testing and utilizing machine learning. To make sure that these tools are precise and useful, it is crucial to thoroughly assess them and utilize them in conjunction with other testing techniques. It's conceivable that we'll see even more ground-breaking solutions that use AI to improve cybersecurity as the market develops. AI's position in cybersecurity has a bright future.

After Hundreds of Penetration Tests, Here are Top 5 Lessons

To keep applications safe, developers must strike a balance between creativity and security frameworks. Correlating business logic with security logic will pay dividends in terms of safety.

Web applications are the most common vectors used by attackers to carry out breaches. Web applications were the point of entry for roughly 70% of all breaches studied, according to Verizon's "Data Breach Investigations Report". 

After more than 300 Web application penetration tests, one pattern is clear: developers continue to make the same security mistakes that lead to vulnerabilities. They frequently do not use secure frameworks and instead attempt to write their own security code and authentication processes.

It's worth noting how much pressure developers are under to get products to market as soon as possible. They are rewarded based on how many features they can introduce as quickly as possible, rather than how securely they can introduce them. This results in security shortcuts and, in the long run, vulnerabilities in Web applications.

Five Lessons for More-Secure Apps

Pen testers act as the devil's advocate, reverse engineering what application developers create to demonstrate where and how attackers gain access. The findings have highlighted common fundamental errors. Here are five lessons that software development companies can learn to improve the security of their applications.

Attackers continue to use cross-site scripting (XSS): For a long time, XSS has been a popular Web application vulnerability. It was removed from the Open Web Application Security Project (OWASP) top 10 list in 2021 due to advancements in application development frameworks, but it is still visible in nearly every penetration test we conduct.

Although it is frequently thought to be low risk, XSS risks can be severe, including account takeover, data theft, and complete compromise of an application's infrastructure. Many developers believe that using a mature input validation library and setting proper HttpOnly cookie attributes is sufficient, but when custom code is used, XSS bugs still find their way in. Consider WordPress sites: an XSS attack on an administrator is critical because the credentials allow the user to load plug-ins, which then execute code-like malicious payloads on the server.

Automated scanners don't go far enough: If you only scan Web applications with automated tools, vulnerabilities are likely to slip through the cracks. These tools employ fuzzing, a technique that injects malformed data into systems, but this technique can result in false positives.

Scanners aren't always up to date with modern Web development and don't always produce the best results for JavaScript single-page applications, WebAssembly, or Graph. Complicated vulnerabilities necessitate a handcrafted payload to validate, rendering automated tools ineffective.

Although human analysis is required for the most accurate and detailed analysis of vulnerabilities and exploits, these scanners can be used as a supplement to quickly find the low-hanging fruit.

When authentication is homegrown, it's usually too weak: When it comes to Web application security, authentication is everything. When developers attempt to create their own forgotten-password workflow, they frequently do so in an insecure manner.

Pen testers frequently have access to other users' information or have excessive privileges that are not appropriate for their role. This causes horizontal and vertical access control problems, allowing attackers to lock users out of their accounts or compromise the application.

It all comes down to how these protocols are implemented. For example, Security Assertion Markup Language (SAML) authentication is a single sign-on protocol that is becoming more popular as a means of increasing security, but if it is implemented incorrectly, you will have opened more doors than you have closed.

Attackers target flaws in business logic: Developers examine features to see if they meet the needs of the customer. They frequently fail to consider how an attacker might use that feature maliciously from the other side of the lens.

A good example is an e-commerce website's shopping cart. It is business-critical, but it is frequently insecure, resulting in serious vulnerabilities such as zeroing out the total at checkout, adding items after checkout, or replacing products with different SKUs.

It's difficult to blame developers for focusing on the primary use case and failing to recognise other, usually malicious, uses. Their performance is determined by how well they deliver the feature. Executives must consider the other side of the coin and recognise that business logic should correspond to security logic. The most important business features, such as a shopping cart or authentication workflow, are probably not suitable for a junior developer.
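As an added illustration of the shopping-cart flaws described above (not code from the original article), the following Python contrasts a checkout that trusts the client's total with one that recomputes it from a server-side catalogue and refuses changes once the order is finalised. The catalogue, SKUs, order structure and request payloads are constructed for the example.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Tuple

# Constructed catalogue keyed by SKU. In the hardened flow it is the only
# source of prices; nothing the client sends about money is trusted.
CATALOGUE = {
    "SKU-1001": Decimal("49.99"),
    "SKU-2002": Decimal("120.00"),
}

Line = Tuple[str, int]  # (sku, quantity)


@dataclass(frozen=True)
class Order:
    order_id: str
    status: str                # "open" until payment is captured, then "paid"
    lines: Tuple[Line, ...]    # server-side copy of the cart contents


@dataclass(frozen=True)
class CheckoutResult:
    accepted: bool
    reason: str
    amount: Decimal            # authoritative amount to charge when accepted


def insecure_checkout(order: Order, payload: dict) -> CheckoutResult:
    """Vulnerable pattern: charges whatever total the client claims and never
    checks order state, so zeroing the total, swapping SKUs for cheaper ones,
    or resubmitting lines after payment all go through."""
    return CheckoutResult(True, "client total accepted", Decimal(str(payload["total"])))


def server_total(lines: Tuple[Line, ...]) -> Decimal:
    """Recompute the total from the catalogue; rejects unknown SKUs and bad quantities."""
    total = Decimal("0")
    for sku, qty in lines:
        if sku not in CATALOGUE:
            raise ValueError(f"unknown SKU {sku}")
        if not isinstance(qty, int) or qty < 1:
            raise ValueError(f"invalid quantity {qty!r} for {sku}")
        total += CATALOGUE[sku] * qty
    return total


def secure_checkout(order: Order, payload: dict) -> CheckoutResult:
    """Hardened pattern: the server-side order is the source of truth for both
    contents and price, and the state check rejects changes after checkout."""
    if order.status != "open":
        return CheckoutResult(False, "order already finalised; items cannot be added", Decimal("0"))
    try:
        claimed_lines = tuple((str(l["sku"]), int(l["qty"])) for l in payload.get("lines", []))
    except (KeyError, TypeError, ValueError):
        return CheckoutResult(False, "malformed line items", Decimal("0"))
    if claimed_lines != order.lines:
        return CheckoutResult(False, "submitted items differ from the server-side cart", Decimal("0"))
    try:
        expected = server_total(order.lines)
    except ValueError as exc:
        return CheckoutResult(False, str(exc), Decimal("0"))
    # The client's total is compared only to detect tampering; it is never charged.
    claimed_total = Decimal(str(payload.get("total", "0")))
    if claimed_total != expected:
        return CheckoutResult(False, f"client total {claimed_total} != server total {expected}", Decimal("0"))
    return CheckoutResult(True, "ok", expected)


if __name__ == "__main__":
    cart = Order("o-1", "open", (("SKU-1001", 2), ("SKU-2002", 1)))
    honest = {"lines": [{"sku": "SKU-1001", "qty": 2}, {"sku": "SKU-2002", "qty": 1}], "total": "219.98"}
    zeroed = dict(honest, total="0.00")                          # zero out the total
    swapped = dict(honest, lines=[{"sku": "SKU-2002", "qty": 3}])  # replace products/SKUs
    for name, payload in [("honest", honest), ("zeroed", zeroed), ("swapped", swapped)]:
        print(name, insecure_checkout(cart, payload), secure_checkout(cart, payload))
    # adding items after checkout: same payload against a finalised order
    print("after payment", secure_checkout(Order("o-1", "paid", cart.lines), honest))
```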

There's no "out of scope" in a good penetration test: Because of the number of resources and assets that go into them, web applications can quickly become complex. Back-end API servers that enable the main application's functionality must be considered.

It's critical to share all of those external assets, as well as how they connect to what the developers built, with penetration testers. The developer may regard those assets as "out of scope" and thus not responsible for them, but an attacker would not respect that line in the sand. Nothing is "out of scope," as penetration tests demonstrate.

A Question of Balance

When software development companies are aware of some of the most common risks, they can engage with security auditors more effectively and make penetration tests less painful. No company wants to limit the creativity of its developers, but by balancing creativity with security frameworks, developers understand where they have leeway and where they must adhere to the guardrails that keep applications safe.

During a Pen Test, University of Kentucky Unveiled a Data Breach


Cyberspace is witnessing a rapid surge in cyberattacks as hackers continue to steal millions of documents at an alarming rate. A thorough penetration test is an important countermeasure throughout the year.

Likewise, the University of Kentucky's annual cybersecurity assessment revealed a website flaw that could have enabled an unauthorized person to acquire a copy of its College of Education database. No financial, health, or Social Security data was leaked from the database, which limited the potential for identity fraud.

According to the breach notification letter issued by the university, the stolen material mainly contained emails and passwords; no SSNs or financial details were included.

Penetration tests are intended to evaluate security: the testing tools imitate real attack scenarios to detect and expose security holes that could result in stolen records, compromised credentials, loss of intellectual property, PII, cardholder data or protected health information, data ransom, or other damaging business outcomes.

Although UK has enhanced its cybersecurity over the last five years and the issue has now been identified, the university will implement extra security measures. The affected database, used for training and testing by K-12 schools in Kentucky and other states, is part of the free resource scheme known as the Digital Driver's License.

The information in the breach included the names, e-mail addresses, and postal addresses of Kentucky teachers and students, covering more than 355,000 individuals across all 50 states and 22 other nations. UK authorities have notified the relevant regulatory bodies and the affected school districts. The breach affected the university's Digital Driver's License platform, an internet portal established by the university in the early 2000s as part of the Open Source Tools for Instructional Support (OTIS) program.

“The University of Kentucky has spent more than $13 million on cybersecurity in last five years alone,” said Brian Nichols, UK’s chief information officer. “We have increased cybersecurity investments and enhanced our mitigation efforts in recent years, which enabled us to discover this incident during our annual inspection process conducted by an outside entity. Although the potential for identity theft is limited, we take this incident seriously and it is unacceptable to us. As a result, we will be taking additional measures to provide even more protection going forward. UK's chief concern is end-user privacy and protection and we are making every effort to secure end-user data.”

HconSTF v0.5 codename 'Prime' Released


HconSTF is an open source penetration testing framework based on different browser technologies, which assists any security professional in penetration testing or vulnerability scanning assessments.

Hcon is very delighted to announce that, after around 14 months, HconSTF v0.5 codename 'Prime' is released.

Noticeable things for this version:
This version is more enhanced for:
  • Web Penetration Testing
  • Web Exploits Development
  • Web Malware Analysis
  • OSINT, Cyber Spying and Doxing!!
  • and much more, with lots of hidden features

So, HconSTF v0.5 briefly:
  • based on Firefox 17.0.1
  • Designed in Process based methodology
  • Less in size (40mb packed-80mb extracted), consumes less memory
  • More than 165+ search plugins
  • New IDB 0.1 release integrated
  • underlined Logging for each and every request
  • more NEW scanners for DomXSS, Reflected XSS
  • New reporting features like note taking, url logging for easy report making
  • Smart searchbox - just select and it will copy it and just change search engine to search
  • Integrated Tor, AdvoR, I2p and more proxies
  • New Greasemonkey scripts (18 scripts)
More details can be found here.


BackTrack 5 R3 will be released on Aug 13th, 2012 - BT5 R3


The BackTrack development team plans to release the R3 revision of the BackTrack penetration testing distribution in two weeks.

According to the official statement, the new release focuses on bug fixes and over 50 new tool additions, making it the most potent revision yet.

"We have released a BT5 R3 preview in BlackHat Vegas for the enjoyment of conference attendees, which can be found in their delegate bags."

"The DVD contains a BT5 R3 Gnome, 32 bit edition – burnt as an ISO (as opposed to an image). We will be taking in our last bug reports and tool suggestions from the BH / Defcon crowds for our upcoming official release, which will be on August 13th, 2012."

Current BT5 users can simply upgrade to the latest release using the regular update commands. More details will be released along with the full listing of new tools on the 13th of August.

Finally Maltego updated version 3.1 and CaseFile 1.0 released

After two years, Maltego version 3.1 has finally been released. Maltego is an open source intelligence and forensics application. It offers timeous mining and gathering of information as well as the representation of this information in an easy-to-understand format.

Get it from here:
http://www.paterva.com/web5/client/download.php

source:
http://maltego.blogspot.in/2012/02/maltego-31-and-casefile-10-its-live.html

BackBox Linux 2.01 Released ! ~ Penetration Testing Distribution


BackBox has released BackBox Linux v2.01. The new release includes Ubuntu 11.04, Linux kernel 2.6.38 and Xfce 4.8.0.

BackBox is a Linux distribution based on Ubuntu. It has been developed to perform penetration tests and security assessments. It is designed to be fast, easy to use and to provide a minimal yet complete desktop environment; thanks to its own software repositories, it is always updated to the latest stable version of the most used and best known ethical hacking tools.

Changelog:
  • System upgrade
  • Performance boost
  • New look
  • Improved start menu
  • Bug corrections
  • New sections such as Forensic Analysis, Documentation & Reporting and Reverse Engineering
  • New Hacking tools and updated tools such as dradis 2.8, ettercap 0.7.4.2, john 1.7.8, metasploit 4.2, nmap 5.51, set 2.5.2, sleuthkit 3.2.1, w3af 1.0, weevely 0.5, wireshark 1.6.3, etc.

System requirements
  • 32-bit or 64-bit processor
  • 256 MB of system memory (RAM)
  • 4.4 GB of disk space for installation
  • Graphics card capable of 800×600 resolution
  • DVD-ROM drive or USB port
The ISO images (32bit & 64bit) can be downloaded from the following location: http://www.backbox.org/downloads

THC (The Hacker's Choice) SSL DOS tool released

Today the German hacker group “The Hacker’s Choice” officially released a new DDoS tool. The tool exploits a weakness in SSL to kick a server off the Internet.

Technical details can be found at http://www.thc.org/thc-ssl-dos.

“We decided to make the official release after realizing that this tool leaked to the public a couple of months ago” said a member of THC who wants to remain anonymous.

The tool departs from traditional DDoS tools: It does not require any bandwidth and just a single attack computer (“bot”).

The THC-SSL-DOS attack is on par with other resource-exhausting DDoS attacks. Some of those methods played a vital role in demonstrations against oppressive governments (like the DDoS attack against Iran’s leader) and against companies that violate free speech (like the DDoS attack against Mastercard for closing Wikileak’s non-profit donation account because of an alleged typo/misspelling in the application form).

“Here at THC the rights of the citizen and the freedom of speech are at the core of our research”, says a member of THC in a private interview this morning.

“We are hoping that the fishy security in SSL does not go unnoticed. The industry should step in to fix the problem so that citizens are safe and secure again. SSL is using an aging method of protecting private data which is complex, unnecessary and not fit for the 21st century,” says a THC member, referring to 3 major vulnerabilities disclosed in SSL over the past 3 years.

To list the 3 major vulnerabilities here THC explains: “In 2009 a vulnerability was disclosed that broke the encryption of SSL. De-facto making all SSL traffic unsafe. In 2011 various Certification Authorities got hacked. De-facto making all SSL traffic unsafe _again_.”

“We warned in 2002 about giving hundreds of commercial companies (so called Certification Authorities) a master key to ALL SSL traffic.”, says Fred Mauer, a senior cryptographer at THC. “Only a real genius can come up with such an idea!”.

“And last but not least the immense complexity of SSL Renegotiation strikes again in 2011 with the release of THC-SSL-DOS.”

“It’s time for a new security model that adequately protects the citizens.”

The THC-SSL-DOS tool is a Proof Of Concept tool to disclose fishy security in SSL. It works great if the server supports SSL Renegotiation. It still works if SSL Renegotiation is not supported but requires some modifications and more bots before an effect can be seen.

Our tests reveal that the average server can be taken down from a single IBM laptop through a standard DSL connection.

Taking on larger server farms that make use of SSL load balancers required 20 average-size laptops and about 120 kbit/sec of traffic.

All in all superb results.

Interesting here is that a security feature that was supposed to make SSL more secure makes it indeed more vulnerable to this attack:

SSL Renegotiation was invented to renegotiate the key material of an SSL connection. This feature is rarely used. In fact we could not find any software that uses SSL Renegotiation. Yet it’s enabled by default by most servers.

An old saying comes true all over again: Complexity is the enemy of security.

“Renegotiating Key material is a stupid idea from a cryptography standpoint. If you are not happy with the key material negotiated at the start of the session then the session should be re-established and not re-negotiated”, says THC.

Zexplo v1.0 Released - Penetration Testing Toolkit

About Zexplo v1.0: Zexplo is a penetration testing toolkit written in Python. The first release of Zexplo has 6 enumeration modules for various network scanning operations, such as zping, zarpcache, ztcpscan and znmapport, and 1 exploit (filecopa). In addition, it has modules for man-in-the-middle (MITM) attacks and autopwn. It also includes tools such as Injector (inject modules into a running process) and Encoder (with a triple layer of XOR).


Features:
  • Presents 6 enumeration modules and 1 exploit
  • Includes Injector tool for injecting chosen modules into running processes
  • Special encoder featuring triple layer XOR encoder for shellcodes
  • Simple and easy to use interface even for beginners

Requirements:

  • Linux OS
  • Python (version < 3.0 and > 2.4)
  • Scapy - powerful packet manipulation program