Monday, June 18, 2012

Security Bagua Mirror: Building the Corporate Website That Personal-Data Thieves Hate (資安八卦鏡:打造個資大盜痛恨的企業網站)



Get ready for a security breach and data leakage! Sooner or later.


It's been almost a year since I last wrote an article for a magazine @@
Now that the Personal Information Protection Act is bearing down on us, Birdman and I put a good deal of effort into a short security piece, "Security Bagua Mirror: Building the Corporate Website That Personal-Data Thieves Hate", dedicated to all the hard-working webmasters and developers across Taiwan!
The magazine has only published 1/3 of it so far; the remaining 2/3 will have to wait for the electronic edition. XD

For every piece of sensitive information, you need to consider salt, hash, and encryption.

We looked at it from the attacker's angle: what kind of website is the hardest to deal with? First, once an intruder is in and runs into encrypted data, they have to crack it, and cracking takes computing resources; the attacker has to amass a herd of compromised machines or buy dedicated cracking hardware, all of which costs them. So as long as the site does its encryption work thoroughly, sprinkling salt, hashing, applying real cryptography, an attacker who steals the data still won't be happy! Unfortunately quite a few sites don't do this... Allen from chroot has painstakingly collected, from the innocent user's point of view, a truckload of sites that don't properly protect their users' passwords: "My Password Isn't Encrypted" (我的密碼沒加密).
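What "sprinkling salt and hashing" looks like in code, as an added example that is not part of the magazine article: an unsalted single hash (the pattern the collected sites used) beside a per-user random salt with PBKDF2-HMAC-SHA256. The iteration count, the storage format string and the function names are choices made for this example, not anything the article prescribes.

```python
# Added example, not from the article: password storage with a per-user
# random salt and a slow, iterated hash, next to the weak form it replaces.
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # assumption: work factor; raise as hardware gets faster
SALT_BYTES = 16              # 128-bit random salt per password


def weak_hash(password: str) -> str:
    """Unsalted single SHA-1, the pattern many of the listed sites used.
    Every user with the same password gets the same digest, so one
    precomputed table cracks all of them at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt_hex$digest_hex.
    A fresh random salt is drawn unless one is supplied (supplying one is
    only for deterministic testing)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time, so timing does not leak how much matched."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Two users choosing the same password: identical weak hashes,
    # different salted records, both of which still verify.
    print(weak_hash("hunter2") == weak_hash("hunter2"))          # True
    a, b = hash_password("hunter2"), hash_password("hunter2")
    print(a != b, verify_password("hunter2", a), verify_password("hunter2", b))
```

Storing the iteration count inside the record is what lets a site raise the work factor later and re-hash each user on their next successful login, instead of forcing a password reset for everyone.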

Every webmaster must regularly review the website for one-line trojans/backdoors.

Second, once an attacker has gotten in, one visit is never enough, so they plant a backdoor on the site to make coming and going easy later on. We've found that this fact is known only to the bad guys and rarely to the good guys, so we had to tell everyone: in this article we collected three love-hate one-line trojans. Please draw the general lesson from them and raise your awareness and vigilance!
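A dropped one-liner is a new or changed script file under the web root, so the cheapest routine review is a file-integrity baseline. The following is an added example, not code from the article: it hashes every file under a directory, diffs a later snapshot against the baseline, and pulls out the added or modified server-side scripts for a closer look. The web root, its files and the "later" changes are all constructed inside a temporary directory; the placeholder file stands in for a backdoor and contains none.

```python
# Added example, not from the article: a file-integrity baseline for the
# web root, the simplest way to notice a backdoor dropped after the fact.
import hashlib
import os
import tempfile
from typing import Dict, List

# Extensions the web server will execute; a planted backdoor must be one of these.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".asp", ".aspx", ".jsp", ".jspx"}


def snapshot(root: str) -> Dict[str, str]:
    """Map every file under root (path relative to root) to its SHA-256."""
    digests: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            digests[rel] = digest
    return digests


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a fresh snapshot with the stored baseline."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    # New or edited executable scripts are what to open first during a review.
    suspicious = sorted(
        p for p in added + modified
        if os.path.splitext(p)[1].lower() in SCRIPT_EXTENSIONS
    )
    return {"added": added, "removed": removed, "modified": modified, "suspicious": suspicious}


def demo() -> Dict[str, List[str]]:
    """Constructed web root: take a baseline, then simulate a later scan."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "css"))
        os.makedirs(os.path.join(root, "uploads"))
        files = {
            "index.php": "<?php echo 'hello'; ?>\n",
            "css/style.css": "body { color: black; }\n",
            "uploads/readme.txt": "user uploads live here\n",
        }
        for rel, content in files.items():
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(content)
        baseline = snapshot(root)

        # Later: a script appears in the upload directory, index.php has been
        # edited, and the readme is gone. All constructed; the new file is a
        # placeholder, not real backdoor content.
        with open(os.path.join(root, "uploads", "avatar.php"), "w") as fh:
            fh.write("<?php /* placeholder standing in for a dropped file */ ?>\n")
        with open(os.path.join(root, "index.php"), "a") as fh:
            fh.write("<?php /* unexpected edit */ ?>\n")
        os.remove(os.path.join(root, "uploads", "readme.txt"))
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In practice the baseline is taken right after a clean deployment and kept somewhere the web server's own user cannot write to; otherwise whoever dropped the backdoor can also update the baseline. Upload directories should additionally be served with script execution disabled, so that even a file the scan misses cannot run.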

What if a malicious document is uploaded via a web interface? Would that count as APT? Ahha!

Finally, many websites offer an interface for uploading documents, and that is always a headache. When it comes down to it, who opens those documents on the other end? People, of course! So if the "résumé" uploaded today is a malicious document, if the uploaded thesis or homework is a malicious document, if the uploaded "citizen petition" is a malicious document, if the uploaded "loan application" is a malicious document, what then? Isn't that exactly an APT attack? Long story short, XecScan loves eating APT ;-)

Any thoughts or feedback on the article are welcome; write to benson @ xecure-lab.com.

Wednesday, June 13, 2012

Mila releases a CVE-2012-0158 malicious document test pack

Our friend Mila is always collecting malware and malicious document samples, giving security researchers plenty of material to analyze. A true act of charity! Many thanks :D
http://contagiodump.blogspot.tw/
A little advertising for her blog.


Recently Mila contributed a pack of CVE-2012-0158 samples, and we quickly scanned these 90 samples with our professional APT malicious-document analysis engine XecScan (http://scan.xecure-lab.com). Every sample in the pack was accurately detected, 100% :)
However, I noticed that 3 of the files are not CVE-2012-0158 but CVE-2010-3333.

So it should be 87 files that are CVE-2012-0158,
and these three below are CVE-2010-3333:

125b8babb6ee4442efc75a5688c6bb5d0c71f8a685bcdff6b4043f3a829e65eb_Oded - Working.rtf

abbd1fa4dde11b94360338de8b5a2af7b09c6149ce1633797da825d5843cea7f_Criteria.doc

ec8b9c68872257cec2552ac727348c09314658d9497085f8a19f58004476c9b8_info.doc

Saturday, June 9, 2012

Xecure Lab got security warnings for suspected state-sponsored attacks

We all know the "This site may harm your computer" warning, and for years every site owner has tried hard not to get that label. A few days ago Google announced a Gmail warning message for targets of state-sponsored attacks. Cool! How did Google do it? They can't go into the details, as those explanations would be helpful to the bad guys.
Nevertheless, at Xecure Lab we also regularly scan our personal Gmail accounts for APT emails (our XecMail has a plugin for it), and there have been no signs of APT attacks in our records recently. Surprisingly, we had the chance to witness this Google state-sponsored attackers warning message:

[screenshot: the warning message, in English]

[screenshot: the warning message, in Chinese]

We speculate that Google did the analysis not from the "inside", by scanning the emails (e.g. looking for APT document exploits), but from the "outside", probably by monitoring account login attempts involving known malicious sources or traffic protocols.

Anyway, we followed the "Protect yourself now" instructions; a few suggestions were given:
1. Watch out before you click a link.
2. Use a strong password.
3. Update software to the latest version.
4. Enable 2-step verification.

Great, only the last one was something new at that moment, and we would like to give it a try.

With 2-step verification, Google sends an SMS code to your phone when the login succeeds but comes from an unfamiliar device.

Oops, that means one has to repeat the above 2-step verification several times a month, if not every day. We also tried the "Call your phone" alternative instead of the text message; the call came from the phone number +1 (650) 353XXXX.

Lastly, when we changed the password on the Google account, we had to go through the whole 2-step verification again. Right, a trade-off between security and convenience. ;-)
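The flow the post describes, as an added example and not Google's code: a correct password from a device the account already trusts logs straight in; from an unknown device it triggers a one-time code that expires, is single-use, and is limited in guesses; a successful code marks the device trusted; a password change wipes the trusted list, which is why every device has to verify again afterwards. The code lifetime, the attempt limit, the class and method names, and the callback standing in for the SMS or voice call are all assumptions of this example. The password hash here is a plain SHA-256 to keep the example short; real storage needs a salted, slow hash.

```python
# Added example, not Google's implementation: the shape of a second-step
# login with one-time codes and a per-account list of trusted devices.
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Set

CODE_TTL_SECONDS = 300   # assumption: a code is valid for five minutes
MAX_CODE_ATTEMPTS = 5    # assumption: after five wrong guesses the code is discarded


def _h(s: str) -> str:
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


class TwoStepLogin:
    def __init__(self, send_code: Callable[[str, str], None], now: Callable[[], float] = time.time):
        self.send_code = send_code               # stands in for SMS / "Call your phone"
        self.now = now                           # injectable clock, for testing expiry
        self.users: Dict[str, str] = {}          # user -> password hash (toy hash, see lead-in)
        self.trusted: Dict[str, Set[str]] = {}   # user -> device ids that completed a code
        self.pending: Dict[str, dict] = {}       # user -> outstanding code state

    def register(self, user: str, password: str) -> None:
        self.users[user] = _h(password)
        self.trusted[user] = set()

    def login(self, user: str, password: str, device_id: str) -> str:
        """Returns 'denied', 'ok' (trusted device) or 'code_required'."""
        expected = self.users.get(user)
        if expected is None or not hmac.compare_digest(expected, _h(password)):
            return "denied"
        if device_id in self.trusted[user]:
            return "ok"
        code = "%06d" % secrets.randbelow(1_000_000)
        self.pending[user] = {
            "code_hash": _h(code),               # never keep the code itself server-side
            "device": device_id,
            "expires": self.now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self.send_code(user, code)
        return "code_required"

    def submit_code(self, user: str, code: str, device_id: str) -> str:
        """Returns 'ok', 'expired', 'wrong' or 'no_pending'."""
        p = self.pending.get(user)
        if p is None or p["device"] != device_id:
            return "no_pending"                  # code is bound to the device that asked
        if self.now() > p["expires"]:
            del self.pending[user]
            return "expired"
        p["attempts"] += 1
        if not hmac.compare_digest(p["code_hash"], _h(code)):
            if p["attempts"] >= MAX_CODE_ATTEMPTS:
                del self.pending[user]           # stop online guessing of a 6-digit code
            return "wrong"
        del self.pending[user]                   # single use
        self.trusted[user].add(device_id)
        return "ok"

    def change_password(self, user: str, new_password: str) -> None:
        """After a password change every device must verify again."""
        self.users[user] = _h(new_password)
        self.trusted[user].clear()
        self.pending.pop(user, None)


if __name__ == "__main__":
    sent = []
    svc = TwoStepLogin(send_code=lambda u, c: sent.append(c))
    svc.register("alice", "correct horse")
    print(svc.login("alice", "correct horse", "laptop"))   # code_required
    print(svc.submit_code("alice", sent[-1], "laptop"))   # ok
    print(svc.login("alice", "correct horse", "laptop"))   # ok, device now trusted
```

The monthly re-prompting the post complains about is the cost of the trusted-device list expiring; the password-change case is the same mechanism with the list emptied deliberately.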

Tuesday, June 5, 2012

The newest use for digital signatures... stamping for hackers!

This is just too good. According to foreign reports, the Flame incident actually used digital signatures, and the seal that got stolen this time turned out to be the great Microsoft's signature...

No wonder Windows Update urgently revoked several signatures two days ago. *shudder*

http://www.f-secure.com/weblog/archives/00002377.html