UNM4SK3D: Pwn2Own, FireEye, and Google
November 3, 2017
#zeroday

Participants in the Mobile Pwn2Own 2017 competition recently produced exploits for the iPhone 7, Samsung Galaxy S8, and other mobile devices. Nothing like a little friendly competition, right? For those unfamiliar, this competition is a two-day event hosted by Trend Micro's Zero Day Initiative (ZDI) and promotes the disclosure of vulnerabilities during the competition, with rewards in excess of $500,000. According to ZDI, once the vulnerabilities are disclosed, vendors have 90 days to issue a fix before ZDI publishes an advisory with mitigation suggestions. Standout competitors include 360 Security, who found a bug in the Samsung Internet browser. Tencent Keen Security Lab discovered "our vulnerabilities in the Apple iPhone 7 running iOS 11.1, that could lead to a remote code execution through a WiFi bug and escalate privileges to persist through a reboot," earning them $110,000. In related news, Apple has patched iOS, macOS High Sierra, Sierra, and El Capitan against the KRACK vulnerability recently disclosed in the WPA2 Wi-Fi security protocol. The update is part of iOS 11.1 and includes patches for 13 other bugs. Despite the patches included in 11.1, the zero day found by Tencent Keen means further patches are still needed.
This vulnerability appears to be caused by a remark in the Wi-Fi standard that suggests to clear the encryption key from memory once it has been installed for the first time. When the client now receives a retransmitted message 3 of the 4-way handshake, it will reinstall the now-cleared encryption key, effectively installing an all-zero key. -Mathy Vanhoef

Get the full details on KRACK. Read last week's 'UNM4SK3D.'
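As an added illustration of the mechanism Vanhoef describes (this is not code from the article or from the KRACK paper), the toy Python client model below shows how clearing the in-memory key after the first install turns a retransmitted message 3 into an all-zero key installation, and how the patched behaviour of never reinstalling an already-installed key prevents it. The PMK, nonces and key derivation are constructed stand-ins, not the real 802.11 handshake.

```python
# Toy model of the KRACK all-zero-key reinstallation (added example, not from
# the article or Vanhoef's paper). Only 'message 3' events are modelled and the
# key derivation is a constructed stand-in for the real handshake PRF.
import hashlib

ZERO_KEY = bytes(16)


class Supplicant:
    """Client-side handshake state: the pairwise key held in memory, the key
    handed to the (simulated) driver, and the packet counter that every
    install resets to zero."""

    def __init__(self, pmk: bytes, fixed: bool):
        self.pmk = pmk
        self.fixed = fixed          # True: patched behaviour (key installed once)
        self.ptk = None             # in-memory copy of the pairwise key
        self.installed_key = None   # key currently in the driver
        self.key_installed = False
        self.installs = 0           # number of times the driver key was set
        self.packet_number = None   # nonce/replay counter, reset on install

    def derive_ptk(self, anonce: bytes, snonce: bytes) -> None:
        # Constructed stand-in for the PTK derivation (not the real 802.11 PRF).
        self.ptk = hashlib.sha256(self.pmk + anonce + snonce).digest()[:16]

    def on_message3(self) -> bytes:
        """Message 3 of the 4-way handshake tells the client to install the key.
        The AP retransmits it if the client's message 4 is lost."""
        if self.fixed and self.key_installed:
            return self.installed_key   # patched: never reinstall an installed key
        # Vulnerable path: whatever is in memory gets installed, even after it
        # was cleared following the first installation.
        key = self.ptk if self.ptk is not None else ZERO_KEY
        self.installed_key = key
        self.key_installed = True
        self.installs += 1
        self.packet_number = 0          # counter reset: the root of keystream reuse
        self.ptk = None                 # the standard's remark: clear the in-memory key
        return key


def simulate(fixed: bool) -> dict:
    """Run a handshake where message 3 arrives twice (the retransmission case)."""
    client = Supplicant(pmk=b"constructed-pmk", fixed=fixed)
    client.derive_ptk(anonce=b"A" * 32, snonce=b"S" * 32)
    first = client.on_message3()
    second = client.on_message3()   # retransmitted message 3
    return {"first": first, "second": second, "installs": client.installs,
            "zero_key_installed": second == ZERO_KEY}
```

Running `simulate(fixed=False)` reports the all-zero key installed on the retransmission, while `simulate(fixed=True)` keeps the original key and a single install.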
#leaktheanalyst

FireEye CEO Kevin Mandia just informed the media that the hacker who allegedly breached FireEye earlier this year was taken into custody yesterday, 11/2. Sounds like #caughttheanalyst. Back in July, the alleged hacker, whose name has not yet been released to the media, managed to hack the personal online accounts of a Senior Threat Intelligence Analyst at Mandiant, a Virginia-based cybersecurity firm owned by FireEye. In doing so, the anonymous hacker leaked nearly 32 megabytes of data belonging to the analyst, Adi Peretz. At the time, the hacker proclaimed they had complete access to the company's entire internal network as part of their #leaktheanalyst mission. In this latest announcement, Mandia stated that FireEye had to put a 'tremendous' amount of time and effort into "investigating the hacker's initial claims, which costs the company a lot, both in efforts and money." It seems the hacker did not actually have access to the company's corporate network but instead used stolen credentials to compromise Peretz's social media and email accounts. Meanwhile, the FireEye CEO maintained that he is glad that, with this arrest, the hacker will be brought to justice, saying, "I am pleased that, in this case, we were able to impose repercussions for the attacker and achieve a small victory for the good guys."
It was fun to be inside a giant company named "Mandiant" we enjoyed watching how they try to protect their clients and how their dumb analysts are trying to reverse engineer malware and stuff. This leak was just a glimpse of how deep we breached into Mandiant, we might publish more critical data in the future. -Original Pastebin post from hacker

For the original #leaktheanalyst article on Cybrary, check out this edition of 'UNM4SK3D.'
#recaptcha

Cybrary's neighbors at the University of Maryland were able to crack Google's reCaptcha service using an automated attack they developed. CAPTCHA, which stands for Completely Automated Public Turing test to tell Computers and Humans Apart, was introduced by Google in 2014 to most of its public services in an effort to defeat bots and scripts. This new attack, which has about 85% accuracy, abuses the audio challenge option of Google's reCaptcha V2 service. In what they are calling 'unCaptcha,' the researchers use this method to identify words or numbers spoken in an audio clip. Using free speech-to-text engines found online and phonetic mapping techniques, they select the audio option of the reCaptcha service with browser automation software. This triggers the download of the sound file, and the free online speech-to-text services then determine the answer to the audio word challenge. "After performing phonetic mapping on each of the individual speech recognition services' predictions, we 'assemble' their responses to obtain a single answer," the researchers wrote. "After a candidate string of digits has been assembled, unCaptcha organically (with uniform timing randomness between each character) types the solution into the field and clicks the 'Verify' button." Google, however, appears to be aware of the many flaws in reCaptcha, as tools like 'ReBreakCaptcha' are already able to defeat the reCaptcha protection via a script that leverages Google's own APIs to capture audio challenges as sound files.
We evaluate unCaptcha using over 450 reCaptcha challenges from live websites, and show that it can solve them with 85.15 percent accuracy in 5.42 seconds, on average. -University of Maryland researchers Kevin Bock, Daven Patel, George Hughey, and Dave Levin

The Tripwire blog dives in-depth on Google's use of reCaptcha. Explore this post for more.