Indian Cyber Security Solutions - ICSS

Cybersecurity services that can protect your company:

Safesql: Tatic analysis tool for Go that protects against SQL injections

Posted on March 22, 2018March 22, 2018 by admin

SafeSQL

SafeSQL is a static analysis tool for Go that protects against SQL injections.

SQL Injection is one of the vulnerabilities in OWASP’s Top Ten List for Web Based Application Exploitation. These types of attacks takes place on Dynamic Web applications as they interact with the databases for the various operations.

How does SafeSQL work:

SafeSQL uses the static analysis utilities in go/tools to search for all call sites of each of the query functions in packages (database/sql,github.com/jinzhu/gorm,github.com/jmoiron/sqlx) (i.e., functions which accept a parameter named query,sql). It then makes sure that every such call site uses a query that is a compile-time constant.

The principle behind SafeSQL’s safety guarantees is that queries that are compile-time constants cannot be subverted by user-supplied data: they must either incorporate no user-controlled values, or incorporate them using the package’s safe placeholder mechanism. In particular, call sites which build up SQL statements via fmt.Sprintf or string concatenation or other mechanisms will not be allowed.

False positives:

If SafeSQL passes, your application is free from SQL injections (modulo bugs in the tool), however, there are a great many safety programs which SafeSQL will declare potentially unsafe. These false positives fall roughly into two buckets:

First, SafeSQL does not currently recursively trace functions in the call graph.

Only call MyQuery with compile-time constants, your program is safe; however, SafeSQL will report that (*database/sql.DB).Query is called with a non-constant parameter (namely the parameter to MyQuery). This is by no means a fundamental limitation: SafeSQL could recursively trace the query argument through every intervening helper function to ensure that its argument is always constant, but this code has yet to be written.

The second sort of false positive is based on a limitation in the sort of analysis SafeSQL performs: there are many safe SQL statements which are not feasible (or not possible) to represent as compile-time constants. More advanced static analysis techniques (such as taint analysis) or user-provided safety annotations would be able to reduce the number of false positives, but this is expected to be a significant undertaking.

Most Popular Training Courses at Indian Cyber Security Solutions:

Cybersecurity services that can protect your company:

Trape: People tracker on the Internet

Posted on March 21, 2018 by admin

Trape

Trape is a recognition tool that allows you to track people, the information you can get is very detailed. We want to teach the world through this, as large Internet companies could monitor you, obtaining information beyond your IP.

This tool has been published educational purposes in order to teach people how bad guys could track them or monitor them or obtain information from their credentials, we are not responsible for the use or the scope that may have the People through this project.

Trape – Some benefits

One of its most enticing functions is the remote recognition of sessions. You can know where a person has logged in, remotely. This occurs through a Bypass made to the Same Origin Policy(SOP)
Currently, you can try everything from a web interface. (The console, becomes a preview of the logs and actions)
Registration of victims, requests among other data are obtained in real time.
If you get more information from a person behind a computer, you can generate a more direct and sophisticated attack. Trape was used at some point to track down criminals and know their behavior.
You can do real-time phishing attacks
Simple hooking attacks
Mapping
Important details of the objective
Capturing credentials
Open Source Intelligence(OSINT)

Recognizes the sessions of the following services:

Facebook
Twitter
VK
Reddit
Gmail
tumblr
Instagram
Github
Bitbucket
Dropbox
Spotify
PayPal
Amazon
Foursquare (new)
Airbnb (new)
Hackernews (new)
Slack (new)

Example of execution:

In the option –url you must put the lure, can be a news page, an article something that serves as a presentation page.
In the –port option you just put the port where you want it to run.
Do you like to monitor your people? Everything is possible with Trape.
Do you want to perform phishing attacks? Everything is possible with Trape.
In the Files directory, located on the path: /static/files here you add the files with .exe extension or download files sent to the victim.

Most Popular Training Courses at Indian Cyber Security Solutions:

Cybersecurity services that can protect your company:

Chrome Zero: Chrome extension

Posted on March 20, 2018 by admin

Chrome Zero

Chrome Zero is a Google Chrome extension to protect users from microarchitectural and side-channel attacks.

Chrome Zero implements JavaScript Zero, a fine-grained policy-based system which allows changing the behavior of standard JavaScript interfaces and functions. Using so-called policies, Chrome Zero enforces certain restrictions to a website to protect users from malicious JavaScript. The policies allow to quickly adapt the permission system to protect against any newly discovered attack.

Chrome Zero is a proof of concept implementation that defends against these attacks. It installs as a Chrome extension and protects functions, properties, and objects that can be exploited to construct attacks. The basic idea is very simple, functions are wrapped with replacement versions that allow injection of a policy. This idea of wrapping functions (and properties with accessor properties, and certain objects with proxy objects) goes by the fancy name of virtual machine layering.

Chrome Zero: Extension blocks 11 JavaScript-based side-channel attacks:

Experts say that currently there are eleven state-of-the-art side-channel attacks that can be performed via JavaScript code running in a browser.

Each attack needs access to various local details, for which it uses JavaScript code to leak, recover, and gather the needed information before mounting the actual side-channel attack.

After looking at each of the eleven attacks, researchers say they’ve identified five main categories of data/features that JavaScript side-channel attacks attempt to exploit: JS-recoverable memory addresses, accurate timing (time difference) information, the browser’s multithreading (web workers) support, data shared among JS code threads, and data from device sensors.

Chrome Zero has a minimum performance impact:

Experts said that despite the extension’s intrusive behavior, tests showed a minimum performance impact of only 1.54% on resource usage, and an indiscernible page loading latency ranging from 0.01064s and 0.08908s —depending on the number of protection policies active at runtime.

The extension may be very well able to thwart even future and unknown Chrome zero-days as well, mainly because of its habit of rewriting dangerous functions to safer versions.

Most Popular Training Courses at Indian Cyber Security Solutions:

Cybersecurity services that can protect your company:

List of 29 Different Types of USB Attacks

Posted on March 19, 2018March 19, 2018 by admin

Attacks of USB

Attacks of USB is the driver-related attacks family in which an attacker plugs in a compromised malicious USB device that causes the host to download a specific malicious driver crafted in such a way as to execute malicious code on the host.

Researchers from the Ben-Gurion University of the Negev in Israel have identified 29 ways in which attackers could use USB devices to compromise users’ computers.

These 29 exploitation methods in four different categories, depending on the way the attack is being carried out.

A) By reprogramming the USB device’s internal microcontroller. The device looks like a particular USB device (e.g.: charger), but carries out the operations of another (e.g.: keyboard —injects keystrokes).

B) By reprogramming the USB device’s firmware to execute malicious actions (such as malware downloading, data exfiltration, etc.).

C) By not reprogramming USB device firmware, but leveraging flaws in how operating systems normally interact with USB protocols/standards.

D) USB-based electrical attacks.

Reprogrammable microcontroller USB attacks:

Rubber Ducky – a commercial keystroke injection attack platform released in 2010. Once connected to a host computer, the Rubber Ducky poses as a keyboard and injects a preloaded keystroke sequence.
PHUKD/URFUKED attack platforms – similar to Rubber Ducky, but allows an attacker to select the time when it injects the malicious keystrokes.
USB driveby – provides quick covert installation of backdoors and overriding DNS settings on an unlocked OS X host via USB in a matter of seconds by emulating an USB keyboard and mouse.
Evilduino – similar to PHUKD/URFUKED, but uses Arduino microcontrollers instead of Teensy. Also works by emulating a keyboard/mouse and can send keystrokes/mouse cursor movements to the host according to a preloaded script.
Unintended USB channel – a proof of concept (POC) USB hardware trojan that exfiltrates data based on unintended USB channels (such as using USB speakers to exfiltrate data).
TURNIPSCHOOL (COTTONMOUTH-1) – a hardware implant concealed within a USB cable. Developed by the NSA.
RIT attack via USB mass storage – attack described in a research paper. It relies on changing the content of files while the USB mass storage device is connected to a victim’s computer.
Attacks on wireless USB dongles – a category of attacks first explored with the release of the KeySweeper attack platform by Samy Kamkar, a tool that covertly logs and decrypts keystrokes from many Microsoft RF wireless keyboards.
Default Gateway Override – an attack that uses a microcontroller to spoof a USB Ethernet adapter to override DHCP settings and hijack local traffic.

Maliciously reprogrammed USB peripheral firmware attacks:

Smartphone-based HID attacks – first described in a research paper for which researchers created custom Android gadget drivers to overwrite how Android interacted with USB devices. The malicious driver interacted with the Android USB gadget API to simulate USB keyboard and mouse devices connected to the phone.
DNS Override by Modified USB Firmware – researchers modified the firmware of a USB flash drive and used it to emulate a USB-ethernet adapter, which then allowed them to hijack local traffic.
Keyboard Emulation by Modified USB Firmware – several researchers showed how poisoning the firmware of USB flash drives, an attacker could inject keyboard strokes.
Hidden Partition Patch – researchers demonstrated how a USB flash drive could be reprogrammed to act like a normal drive, creating a hidden partition that cannot be formatted, allowing for covert data exfiltration.
Password Protection Bypass Patch – a small modification of a USB flash drive’s firmware allows attackers to bypass password-protected USB flash drives.
Virtual Machine Break-Out – researchers used USB firmware to break out of virtual machine environments.
Boot Sector Virus – researchers used a USB flash drive to infect the computer before it boots.
iSeeYou – POC program that reprograms the firmware of a class of Apple internal iSight webcams so that an attacker can covertly capture video without the LED indicator warning.

Attacks based on unprogrammed USB devices:

CVE-2010-2568 .LNK exploit used by Stuxnet and Fanny malware.
USB Backdoor into Air-Gapped Hosts – attack used by the Fanny malware, developed by the Equation Group (codename for the NSA). Attack uses USB hidden storage to store preset commands tha map computers in air-gapped networks. Info on networks is saved back to the USB flash drive’s hidden storage.
Data Hiding on USB Mass Storage Devices – a large collection of tricks of hiding malware or stolen data inside a USB flash drive (eg.: storing data outside of the normal partitions, hiding the file inside an invisible folder by making that folder’s icon and name transparent, etc.).
AutoRun Exploits – depending on how host computers were configured, some PCs would auto-execute predetermined files located on a USB device’s storage. There’s an entire malware category dedicated to this called autorun malware.
Cold Boot Attacks – aka the RAM dump attack. Attackers can store a memory dumper on a USB flash drive and extract left-over data from RAM by booting from a USB device.
Buffer Overflow based Attacks – Several attacks that rely on exploiting OS buffer overflows when a USB device is inserted into a computer. This happens because operating systems will enumerate the devices and functions (run certain predetermined operations) when a USB device is inserted.
Driver Update – very complex attack that relies on obtaining a VeriSign Class 3 Organizational Certificate and submitting drivers to Microsoft that are automatically delivered and installed on user PCs when a certain SUB device is inserted. This attack is possible, but very hard to pull off in the real world.
Device Firmware Upgrade (DFU) – attackers can use the Device Firmware Upgrade (DFU), a legitimate process supported by the USB standard, to update local legitimate firmware to a malicious version.
USB Thief – a USB flash drive based data-stealing malware that was recently discovered by ESET.
Attacks on Smartphones via the USB Port – attackers can hide and deliver malware (malicious) via USB phone chargers.
USBee attack – make a USB connector’s data bus give out electromagnetic emissions that can be used to exfiltrate data.

Electrical attacks:

USB Killer – permanently destroy devices by inserting a USB device that triggers an electrical surcharge.

Most Popular Training Courses at Indian Cyber Security Solutions:

Cybersecurity services that can protect your company:

Algo VPN: Set up a personal IPSEC VPN in the cloud

Posted on March 17, 2018March 17, 2018 by admin

Algo VPN

Algo VPN is a set of Ansible scripts that simplify the setup of a personal IPSEC VPN. It uses the most secure defaults available, works with common cloud providers, and does not require client software on most devices.

The ‘VP of all Networks’ is strong, secure and tidy. It uses the least amount of software necessary to get the job done.

Don’t bother with commercial VPNs

Really, the paid-for services are just commercial honeypots. If an attacker can compromise a VPN provider, they can monitor a whole lot of sensitive data.

Paid-for VPNs tend to be insecure: they share keys, their weak cryptography gives a false sense of security, and they require you to trust their operators.

OpenVPN: Requires client software

OpenVPN’s lack of out-of-the-box client support on any major desktop or mobile operating system introduces unnecessary complexity. The user experience suffers.

Speaking of users, they’re required to update and maintain this software too. That is a recipe for disaster.

Algo VPN Features:

Supports only IKEv2 with strong crypto: AES-GCM, SHA2, and P-256
Generates Apple profiles to auto-configure iOS and macOS devices
Includes a helper script to add and remove users
Blocks ads with a local DNS resolver (optional)
Sets up limited SSH users for tunneling traffic (optional)
Based on current versions of Ubuntu and strongSwan
Installs to DigitalOcean, Amazon EC2, Microsoft Azure, Google Compute Engine, or your own server.

Anti-features:

Does not support legacy cipher suites or protocols like L2TP, IKEv1, or RSA
Does not install Tor, OpenVPN, or other risky servers
Does not depend on the security of TLS
Does not require client software on most platforms
Does not claim to provide anonymity or censorship avoidance
Does not claim to protect you from the FSB, MSS, DGSE, or FSM.

Designed to be disposable:

Algo to be easy to set up. So one can start it when they need it, and tear it down before anyone can figure out the service, routing their traffic through.

Setup is automated. Just answer a few questions, and then Algo will build VPN.

It has automated the setup process for Apple devices, too. Algo just gives a file that AirDrop to anyone’s device. Press ‘install’ and got VPN. Or ‘VPNs.’

No one have to choose just one VPN gateway that could make 20 on different services; Digital Ocean in Bangalore, EC2 in Virginia or any other combination.

Most Popular Training Courses at Indian Cyber Security Solutions

Cybersecurity services that can protect your company:

ezXSS: Test Blind Cross Site Scripting

Posted on March 15, 2018 by admin

Blind Cross Site Scripting

Blind cross site scripting (BXSS) is a variation of stored XSS, where the injection point and the execution point are different. It’s harder to find and certainly requires a different methodology than testing for stored (non-blind), reflected, or even DOM-based XSS.

Typically, with stored Blind cross site scripting, the payload is executed on the same page it was injected in.

ezXSS: Test Blind Cross Site Scripting

ezXSS is an easy way to test blind Cross Site Scripting.

Cross-site Scripting (XSS) refers to client-side code injection attack wherein an attacker can execute malicious scripts (also commonly referred to as a malicious payload) into a legitimate website or web application. XSS is amongst the most rampant of web application vulnerabilities and occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.

Features of ezXSS:

Easy to use dashboard with statics, payloads, view/share/search reports and more
Payload generator
Instant email alert on the payload
Custom javascript for extra testing
Prevent double payloads from saving or alerting
Share reports with other ezXSS users
Easily manage and view reports in the system
Search for reports in no time
Secure your system account with extra protection (2FA)
The following information is collected on a vulnerable page:
The URL of the page
IP Address
Any page referer (or share referer)
The User-Agent
All Non-HTTP-Only Cookies
Full HTML DOM source of the page
Page origin
Time of execution
its just ez

Required

PHP 5.5 or up
A domain name (consider a short one)
An SSL if you want to test on https websites (consider Cloudflare or Let’s Encrypt for a free SSL)

Blind Cross site Scripting (XSS) Vulnerability Detection

One of the major features that XSS Hunter offers is the ability to find blind XSS. This is a vulnerability where an XSS payload fires in another user’s browser (such as an administrative panel, support system, or logging application) which you cannot “see” (e.g. it does not fire in your browser). XSS Hunter addresses this by recording extensive information about each payload fire in its database.

Most Popular Training Courses at Indian Cyber Security Solutions

Cybersecurity services that can protect your company:

Critical bugs in CredSSP allow remote code execution on Servers

Posted on March 14, 2018March 14, 2018 by admin

CredSSP allow remote code

The newly discovered Credential Security Support Provider protocol (CredSSP) vulnerability on the Windows platform allows hackers to use Remote Desktop Protocol (RDP) and Windows Remote Manager (WinRM) to remotely steal data or run malicious code. The CredSSP protocol was originally designed to provide cryptographic authentication when Windows hosts use RDP or WinRM for remote connections.

This vulnerability (CVE-2018-0886) was discovered by a researcher at a company named Preempt Security. There is a logical encryption vulnerability in the CredSSP protocol. A hacker can use a wireless connection to initiate a man-in-the-middle attack. Physical connection to the network, you can also initiate a remote call (Remote Procedure Call) to steal the authentication information in the computer process.

How Does CredSSP Attack Work?

An attacker can exploit this vulnerability in conjunction with a man-in-the-middle attack. The attacker will set up the man-in-the-middle, wait for a CredSSP session to occur, and once it does, will steal session authentication and perform a Remote Procedure Call (DCE/RPC) attack on the server that the user originally connected to (e.g., the server user connected with RDP). An attacker which have stolen a session from a user with sufficient privileges could run different commands with local admin privileges. This is especially critical in case of domain controllers, where most Remote Procedure Calls (DCE/RPC) are enabled by default.

CredSSP attack could be mounted list:

An attacker with WiFi/Physical access – If an attacker has some physical access to your network, then he could easily launch a man-in-the-middle attack. If you also have WiFi deployed in areas of your network, you might be vulnerable to key reinstallation attacks (KRACK), thus making all machines that do RDP via WiFI exposed to this new attack.

Address Resolution Protocol (ARP) poisoning – Despite being an old attack technique, many networks are still not 100% protected from ARP poisoning. If this is the case in your network, this new vulnerability means an attacker with control of one machine could easily move laterally and infect all machines in the same network segment.

Attacking sensitive servers (including domain controllers) – Sometimes, an attacker has control of several workstations in an organization and needs to find a way to infect sensitive business-critical servers (which might require higher privileges).

Most corporate internal networks use the Windows RDP protocol for remote login. Preempt’s researchers reported this vulnerability to Microsoft last August but until now Microsoft released a patch for the vulnerability.

Most Popular Training Courses at Indian Cyber Security Solutions

Cybersecurity services that can protect your company:

Agrigento: Identify privacy leaks in Android apps

Posted on March 13, 2018March 13, 2018 by admin

Agrigento

Agrigento is a tool to identify privacy leaks in Android apps by performing black-box differential analysis on the network traffic. It performs root cause analysis of non-determinism in the network behavior of Android apps.

Agrigento works in two steps: first, Agrigento establishes a baseline of the network behavior of an app; then, modifies sources of private information, such as the device ID and location, and detects privacy leaks by observing deviations in the resulting network traffic. The main contribution of this work is to make black-box differential analysis practical when applied to modern Android apps.

Agrigento sources:

Agrigento is able to eliminate the different sources of non-determinism by intercepting calls from the app to certain Android API calls and recording their return values, and in some cases replacing them (either by replaying previously seen values or by returning constant values).

It records the timestamps generated during the first run of each app and replays the same values in the further runs.
It records the random identifiers (UUID) generated by the app.
It records the plaintext and ciphertext values whenever the app performs encryption.
The instrumented environment sets a fixed seed for all random number generation functions.
It replaces the values of system-related performance measures (e.g., free memory, available storage space) with a set of constants.

Agrigento requires other modules to be installed on the Android device:

[Xposed].
[CryptoHooker] – Collect contentextual information.
[Changer] – Modify the values of private information sources.
[JustTrustMe] – Handle certificate pinning.
[Android Mock-location] – Allow to set mock location through ADB.

Agrigento Network Behavior:

Agrigento looks for privacy leaks at all levels of the tree, i.e., in all parts of the HTTP request: the domain, path, key, and values, as well as the headers and the payload. In the current implementation Agrigento includes parsers for application/x-www-form-urlencoded, application/json, and any content that matches a HTTP query format. However, it can be easily extended with parsers for further content types.

Most Popular Training Courses at Indian Cyber Security Solutions

Cybersecurity services that can protect your company: