Skip to main content

Posts

Showing posts from July, 2015

Leaked Zerofox documents outline Baltimore network infrastructure vulnerabilities

Several days ago a document from the corporation Zerofox was leaked on the internet. Zerofox is a domestic spying organization there is no other word for them. They are paid obscene amounts of money to monitor people's Twitter and Facebook accounts, and provide the results of their stalking to police departments and other people who are in theory bound to respect the autonomy of free political speech. In the document that was leaked, Zerofox claimed to have "mitigated" 19 "threats" and "monitored" hundreds of others. The document is available here . What constitutes a threat? Political speech that is critical of the police. At the top of the list of "physical threats" are #blacklivesmatter activists Deeray McKesson and Johnetta Elzie , neither of whom have ever been convicted of a violent crime AFAICT. The report recommends that police engage in "continuous monitoring" of the pair and justify this absurd response because they ha...

Cryptome publishes my Wikileaks findings

Those unfamiliar with my Wikileaks findings should read my (so far) four post series on my discover of malware within files available for download on the Wikileaks website that can, among other things, identify and track those reading infected files: 1st post  |  2nd post  |  3rd post  |  4th post   Note that my posts are lengthy and contain some technical information. If you aren't really into reading technical things you would probably prefer the summaries of my findings available in The Register or  Neue Zürcher Zeitung (for German speakers).  Because Wikileaks has refused to inform its users that the infected files are, in fact malicious, I went public with my findings. Cryptome has just published a letter with a brief explanation of the issues with the Wikileaks malware .  Cryptome is a long time advocate of government transparency, and had already been publishing leaked documents on their website for close to a dec...

PHP logging timestamp oddities

I noticed something odd yesterday while reviewing log data on one of the RHEL 7 web servers I look after. Peering through the PHP error log, I noticed that all of the timestamps were formatted using the Coordinated Universal Time (UTC ... because acronyms that make sense are for losers). [29-Jul-2015 14:26:04 UTC] PHP [redacted] on line 511 [29-Jul-2015 14:26:04 UTC] PHP [redacted] on line 530 [29-Jul-2015 14:26:04 UTC] PHP [redacted] on line 574 [29-Jul-2015 14:26:04 UTC] PHP [redacted] on line 607 [29-Jul-2015 14:26:04 UTC] PHP [redacted] on line 629 There is nothing wrong with UTC. UTC avoids the calamities inherent in the highly politicized, frequently changed, deeply flawed and inevitably pointless Daylight Savings rules. And unlike epoch-based timestamps, UTC is human readable. It's good stuff. Your hwclock should use it. With that said, with this particular server a decision was made for logging to consistently be Eastern Time. So I jumped through a number of hoops to ...

Hotmail is bouncing bugtraq mailing list emails from Yahoo

What really irks me about this is that I deliberately use gigantic, stupid MTAs like gmail and live mail to deliberately avoid this sort of garbage (deliberately). Those familiar with administrating large volume email can appreciate that you can perfectly configure your mail server and end up bounding all over the place because almost everyone with a mail server is not an actual email administrator and has no clue what they are doing. Email, like high school, is ultimately all about popularity . Even the least competent of email server owners will eventually get tech support to make sure google and microsoft can deliver to and receive from their Zimbra abomination. At least that's what I figured until I started getting bounces like the one below. It seems Microsoft has decided that Security Focus mailing lists are too dangerous. To step up the oddity of this policy, bounces only occur when the originating MTA is with Yahoo. I can receive email directly from securityfocus.com. I c...

Oh, Kaspersky

By accident I clicked on Eugene Kaspersky's Twitter account and I was greeted with this: What? Everything about this image is FABULOUS . First and foremost, it confirms my longstanding suspicion that any schmuck can make a few bucks in infosec, but to make bazillions you have to be an absolute drug-addled lunatic . But let's get back to the picture. So many questions. Are they standing in front of a green-screen in which someone embossed click-art from Windows 95 or did they pose in front of a cheaply painted wall, like when prison convicts take "click-clicks" to send to their pen pals ? Was I the only one who thought that maybe - just maybe - this was the album cover for an Autobahn reunion tour that I had somehow missed? These men are nihilists. Someone very much needs leak the inter-departmental memo that Kaspersky sent to demand that his least photogenic employees all wear form-fitting pastels to work. It would have to be one hell of a memo to ge...

Florida Division of Elections moved all of their campaign finance records and forgot to tell anyone

It's almost like .... they don't want people to look at the financial records for election candidates. For quite some time now, if you were a reporter or opposition researcher or political consultant and you wanted to dig up some dirt on a political candidate in Florida you would spend at least some time on the Florida Department of State's Division of Elections website. On that website was an application that I have always referred to as "Dodo", because its URL was doedoe.dos.state.fl.us and thanks to the miracle of modern browsers, typing "Dodo" into the address bar would usually get me there sooner or later. Dodo was the place to go to lookup campaign contribution records for both candidates and political committees (of which the most commonly known is a PAC) registered in the State of Florida. So you can imagine my surprise when, just for kicks, I decided to pay Dodo a visit and found this: Maybe I made a mistake. I looked up one of the boo...

Errors with Nikto installation or operation within OpenVAS

When installing the vulnerability scanner application Nikto/Nikto2 using yum with RedHat Enterprise Linux 7 or CentOS 7 or even Scientific Linux 7, the odds are good that you will encounter some irritating problems. Namely, the installation will fail while requiring a dependency that appears to not exist for the version of linux you are using. Fun! So you probably think you are safe if you install OpenVAS , a prepackaged suite of security utilities that includes Nikto as a plugin. But you would be wrong! Installing OpenVAS from an RPM will succeed, and everything will look fine, until you try to use Nikto within OpenVAS, which will result in a fatal error. Nikto is included in the Extra Packages for Enterprise Linux/EPEL yum repository all recent versions of RedHat linux, which is part of the Fedora Project. While it contains third party applications, it is not a third party repository like RPMFusion or Atomicorp . I have only very rarely had problems with the EPEL yum repo, and t...

Cryptome torrents draw concerns

Those following Cryptome on Twitter saw some messages that were a little nerve-wracking yesterday. The flood of torrents attributed to Cryptome are not ours. Could be ruses, smears to spread malware. Maybe by HT types. — Cryptome (@Cryptomeorg) July 22, 2015 Some of many [CRYPTOME] torrents gushing wildly recently, could contain [Hacking Team] malware to smear Cryptome https://t.co/3bZ22OQBou — Cryptome (@Cryptomeorg) July 22, 2015 A similar warning was posted to the front page of Cryptome's website: The link in Cryptome's message led me to a Kickass Torrents user account that had been opened ~3 weeks previously under the name Cryptome. The account uses the Cryptome website logo. Similar accounts were created on Monova and Lime Torrents. Putting together an archive for a website you aren't affiliated with, whose content is already free and widely available and has been for many years, isn't necessarily unheard of (?). But doing so while ostensibly...

Malware discovered in the Stratfor email file dump provided by Wikileaks is not limited to torrents - curated content on the Wikileaks website also infected

Several months ago I identified malicious software contained within a torrent available for download from Wikileaks . The torrent was the most recent and most complete copy of what Wikileaks titled the "Global Intelligence Files" - a large trove of emails and attachments from defense contractor Stratfor. The story as it is widely understood is that former Lulzsec member and hacktivist Jeremy Hammond was involved in the acquisition of these files from Stratfor and provided them to Wikileaks. Among the many files included in the leak I have identified 18 that have malicious software; most of those are embedded within PDF and DOC files. Some of the attacks I discovered are old, others are less old. Only two of the 18 files are blocked from downloading using Google Chrome's malware protection service, for example. In a second post, I decompile one of these two (older) files using PE Explorer and Hex-Rays IDA to demonstrate how the file corrupts the Microsoft Connection Manage...

Hector Monsegur (formerly sabu of Lulzsec) has responded to my analysis of the Wikileaks Global Intelligence Files

Some time ago I wrote two blog posts about my discovery about a series of malware-infected files within a torrent being circulated by global whistleblower organization Wikileaks. The torrent file was one of the latest versions of what Wikileaks has named the "Global Intelligence Files" - a large cache of documents obtained from the email spool of a government contractor known as Stratfor. Since my discovery I have made several attempts to contact Wikileaks: @wikileaks sorry to contact here but no other means Ive identified sec issues with most recent torrent here: https://t.co/oeBLtLgDeb — Josh Wieder (@JoshWieder) May 3, 2015 @wikileaks I have some very basic info here http://t.co/cvjY4xWuIr and here: http://t.co/74Xbmxjmy7 can provide more as needed — Josh Wieder (@JoshWieder) May 3, 2015 In addition to Twitter I have attempted to email just about every address I could find on their site (none of them work), as well as attempting to use the chat functi...

The Florida Local Government Investment Trust website was hacked by a spammer affiliated with ExoClick & Alibaba Group & they haven't told anyone

The Florida Local Government Investment Trust manages money for counties and clerks throughout the state of Florida. They handle bonds that are AAA rated by S&P; pooling assets for municipalities throughout the state to increase their buying power. The Trust was created in 1991. The Florida Local Government Investment Trust maintains a website based on Wordpress, floridatrustonline.com (I highly recommend that readers do not visit the website from an unsecured browser/computer - preferably using a platform like TAILS ). The website contains a description of the Trust, the legislation under which it carries its mandate (Florida Statute 218.415 (16) (a) and 163.01), a list of employees and trustees as well as a series of financial reports covering the last year. The floridatrustonline.com domain is registered to  Earl Donaldson , an employee of the Florida Association of Court Clerks. Donaldson's LinkedIn page lists him as a Network Engineer. The website is hosted on ...