Reverse Engineering APKs

https://maxkersten.nl/2018/11/21/androidprojectcreator-the-how-and-why/


Malware can easily be hidden within Android apps, so it is important to have a tool that decompiles an APK into an understandable format. Most of the tools that do this accurately cost a pretty penny, so there are no cheap options when it comes to dissecting APKs. AndroidProjectCreator is a response to this vacuum and aims to provide an open-source version of this kind of software. Check the link to try decompiling APKs and start malware hunting.

IPv6 the Global Connection

https://l.avala.mp/?p=285

The article provides a brief overview of IPv6 and its differences from IPv4. The main difference is one of security. IPv4 comes equipped with NAT, the technology that allows for private networks; IPv6 does have NAT, but it is not available in the default deployment. This means that any device using IPv6 is a global device that can be pinged from anywhere, and your devices love to use IPv6. The main defense, though, is that IPv6 still has firewalls, and finding a global address is like finding a needle in the universe. The number of addresses in IPv4 is 4,294,967,296, compared to IPv6, which has a limit of 340,282,366,920,938,463,463,374,607,431,768,211,456. Unfortunately, the security in vastness has been wrinkled a bit. The writers of this piece created a tool called IPv666 Scanner, which generates addresses using a statistical model and then pings them to see if they are in use. The creators ran it for a week at 20Mbps and identified 84,000 live hosts, 61,000 of which were not listed in any known data set used for training. It will be interesting to see what can be done to limit the effects of this new tool.

More Info on the Bugs of the Facebook Attack

https://blog.avatao.com/The-three-fatal-bugs-behind-the-Facebook-breach/


The Facebook attack disclosed in September is still making waves within the cyber security community. A breach of one of the largest social media platforms has quite a bit to glean from in terms of security. The main goal of the attack was to obtain users' access tokens. The bugs that allowed this to happen are as follows: the view-as feature allowed users to wish someone a happy birthday and incorrectly post a video; the video uploader created an access token with permissions for the mobile app; and when using the view-as feature, the video uploader created an access token for the person you were viewing as, instead of for yourself. These bugs were exploited in an automated fashion to obtain the access tokens of 30 million people. The website itself also has a challenge which simulates Facebook's bugs, in case you ever want to brush up and learn from the mistakes of others.
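The third bug above is a token-binding mistake: a token was minted for the account being rendered rather than for the account that authenticated. The following Python model is an added example written for this digest, not Facebook's code or the avatao challenge; the `TokenIssuer`, `authorize` and `audit_mismatches` names, the "alice"/"bob" accounts and the scope names are all constructed for illustration. It puts the bug pattern beside the bound version and adds the audit check a defender would want: any token whose subject differs from the requester is flagged.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessToken:
    subject: str          # account the token acts as
    scopes: frozenset     # operations it permits
    value: str            # opaque bearer secret


class TokenIssuer:
    """Two versions of an uploader's token minting (constructed model, not Facebook's code)."""

    def __init__(self):
        self.audit_log = []   # (requesting account, token subject) per issued token

    def issue_vulnerable(self, session_user, view_as_user=None):
        # Bug pattern: the uploader mints a full-power token for whoever the page is
        # rendered as, so a view-as preview hands the viewer a token for that account.
        subject = view_as_user or session_user
        return self._mint(subject, {"read", "post"}, session_user)

    def issue_hardened(self, session_user, view_as_user=None):
        # Fix: the subject is always the authenticated principal. View-as is a
        # read-only rendering context, so it also drops write scopes.
        scopes = {"read"} if view_as_user else {"read", "post"}
        return self._mint(session_user, scopes, session_user)

    def _mint(self, subject, scopes, issued_to):
        token = AccessToken(subject, frozenset(scopes), secrets.token_hex(16))
        self.audit_log.append((issued_to, subject))
        return token


def authorize(token, account, action):
    """Resource-side check: the token must be for this account and carry the scope."""
    return token.subject == account and action in token.scopes


def audit_mismatches(issuer):
    """Detection hook: tokens whose subject is not the requester are suspicious."""
    return [(who, subj) for who, subj in issuer.audit_log if who != subj]


def run_scenario():
    """alice views her profile as bob; compare what each issuer hands her."""
    issuer = TokenIssuer()
    bad = issuer.issue_vulnerable("alice", view_as_user="bob")
    good = issuer.issue_hardened("alice", view_as_user="bob")
    return {
        "vulnerable_token_posts_as_bob": authorize(bad, "bob", "post"),
        "hardened_token_posts_as_bob": authorize(good, "bob", "post"),
        "hardened_token_posts_as_alice": authorize(good, "alice", "post"),
        "hardened_token_reads_as_alice": authorize(good, "alice", "read"),
        "audit_mismatches": audit_mismatches(issuer),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The audit list is the part worth copying: a token service that logs requester and subject side by side makes the mismatch visible long before 30 million tokens are harvested.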

Learning Every Byte in TLS

https://tls13.ulfheim.net/

TLS stands for Transport Layer Security and is a cryptographic protocol. Learning about the updated TLS 1.3 can be a bit daunting, but not impossible with the internet as a resource. The link provided at the top is an excellent breakdown of what every piece within TLS does and goes into great detail to ensure that it is all explained in a relatively sane manner. Understanding cryptographic protocols is important for a cyber security expert, so it is worth a peek if you plan on going down this path.
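To get a feel for "every byte", here is an added example (written for this digest, not code from the linked page) that builds a minimal TLS 1.3 ClientHello and then walks it back field by field: record header, handshake header, legacy version, random, session ID, cipher suites, compression, and the supported_versions extension that actually signals TLS 1.3. The constants are from RFC 8446; the sample ClientHello, the `build_client_hello`/`parse_client_hello` names and the all-zero random are constructed for the demonstration.

```python
import struct

# Constants from RFC 8446 (TLS 1.3); record and handshake framing are shared with TLS 1.2.
CONTENT_TYPE_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SUPPORTED_VERSIONS = 0x002B
TLS12, TLS13 = 0x0303, 0x0304
CIPHER_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
}


def build_client_hello(cipher_suites, versions, session_id=b"", random_bytes=None):
    """Constructed sample input: a TLS record carrying a minimal ClientHello.
    Only the cipher suites and the supported_versions extension are populated."""
    random_bytes = bytes(32) if random_bytes is None else random_bytes
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    vers = b"".join(struct.pack("!H", v) for v in versions)
    ext_data = struct.pack("!B", len(vers)) + vers
    extension = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext_data)) + ext_data
    body = (
        struct.pack("!H", TLS12)                    # legacy_version: 1.3 still says 1.2 here
        + random_bytes
        + struct.pack("!B", len(session_id)) + session_id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                               # legacy_compression_methods: null only
        + struct.pack("!H", len(extension)) + extension
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", CONTENT_TYPE_HANDSHAKE, 0x0301, len(handshake)) + handshake


def _take(buf, pos, n):
    """Return buf[pos:pos+n] and the new position, refusing to read past the end."""
    if pos + n > len(buf):
        raise ValueError("field runs past end of message")
    return buf[pos:pos + n], pos + n


def _u8(buf, pos):
    raw, pos = _take(buf, pos, 1)
    return raw[0], pos


def _u16(buf, pos):
    raw, pos = _take(buf, pos, 2)
    return struct.unpack("!H", raw)[0], pos


def parse_client_hello(record):
    """Walk record layer, handshake header and ClientHello body, checking every length."""
    if len(record) < 5:
        raise ValueError("short record header")
    content_type, _legacy_record_version, record_len = struct.unpack("!BHH", record[:5])
    if content_type != CONTENT_TYPE_HANDSHAKE:
        raise ValueError("not a handshake record")
    if len(record) != 5 + record_len:
        raise ValueError("record length does not match payload")
    hs = record[5:]
    if len(hs) < 4 or hs[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    if len(hs) != 4 + int.from_bytes(hs[1:4], "big"):
        raise ValueError("handshake length does not match payload")
    body = hs[4:]
    legacy_version, pos = _u16(body, 0)
    client_random, pos = _take(body, pos, 32)
    sid_len, pos = _u8(body, pos)
    session_id, pos = _take(body, pos, sid_len)
    cs_len, pos = _u16(body, pos)
    if cs_len % 2:
        raise ValueError("odd cipher_suites length")
    cs_raw, pos = _take(body, pos, cs_len)
    suites = [struct.unpack("!H", cs_raw[i:i + 2])[0] for i in range(0, cs_len, 2)]
    comp_len, pos = _u8(body, pos)
    _, pos = _take(body, pos, comp_len)
    ext_len, pos = _u16(body, pos)
    if pos + ext_len != len(body):
        raise ValueError("extensions length does not match body")
    extensions = {}
    while pos < len(body):
        ext_type, pos = _u16(body, pos)
        ext_data_len, pos = _u16(body, pos)
        extensions[ext_type], pos = _take(body, pos, ext_data_len)
    # TLS 1.3 is negotiated through supported_versions, never through legacy_version.
    offered = []
    sv = extensions.get(EXT_SUPPORTED_VERSIONS)
    if sv is not None:
        n, _ = _u8(sv, 0)
        if n % 2 or 1 + n != len(sv):
            raise ValueError("malformed supported_versions")
        offered = [struct.unpack("!H", sv[1 + i:3 + i])[0] for i in range(0, n, 2)]
    return {
        "legacy_version": legacy_version,
        "random": client_random,
        "session_id": session_id,
        "cipher_suites": [CIPHER_NAMES.get(s, hex(s)) for s in suites],
        "offered_versions": offered,
        "offers_tls13": TLS13 in offered,
    }


if __name__ == "__main__":
    sample = build_client_hello([0x1301, 0x1303], [TLS13, TLS12])
    for key, value in parse_client_hello(sample).items():
        print(f"{key}: {value}")
```

Two details the walkthrough on the linked page makes and the parser enforces: the version bytes at the top of the message are frozen at 1.2 for compatibility, so a sniffer that reads only those will misclassify TLS 1.3, and every nested length field must agree with the bytes actually present, which is where a lot of real TLS parser bugs have lived.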

Some SSDs Don’t Encrypt Properly

https://medium.com/asecuritysite-when-bob-met-alice/doh-what-my-encrypted-drive-can-be-unlocked-by-anyone-a495f6653581

Drive encryption is a common practice in IT to protect company information, but if that information is on an SSD then it may not be as safe as it seems. A recently released paper discovered that some SSDs do not encrypt properly, so their encryption can be bypassed easily. The manufacturers of the affected SSDs include Samsung and Crucial, both of which have been informed of the situation. It was also discovered that the master password for the Samsung MX300 was an empty string, 32 NULL characters to be precise. It is recommended to use software encryption instead of hardware encryption if your SSD is listed as one of the drives affected by the improper encryption.

Backdoor Installation in Cryptocurrency App

https://blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/

An app by the name of CoinTicker was discovered to be creating backdoors on users' Mac devices. The app installs two open-source backdoors, EvilOSX and Eggshell, when it is installed. When an app installs something it usually notifies the user by requesting permission to access the root directory; this is subverted here by never attempting to access the root directory at all. It can be assumed that the backdoor would be used to steal any information relating to the user's cryptocurrency wallet. The app was never legitimate to begin with, as it was distributed through a website with a similar but misspelled name, and that website was deployed back in July. This is a prime example of why you should always double check the legitimacy of whatever you are downloading, and a reminder that an app does not need root access to do major damage.

Update To Apache Leaves Popular Widget Open to Attack

https://blogs.akamai.com/sitr/2018/10/having-the-security-rug-pulled-out-from-under-you.html

A vulnerability was discovered in a popular jQuery File Uploader widget. The vulnerability allowed an attacker to upload a web shell and execute commands on the server. The vulnerability arose when Apache removed support for .htaccess; this removal was for performance tuning and to prevent users from messing around with the security settings configured on the server. Apache's change left this widget, and no doubt other creations, open to attack. The author of the File Uploader widget updated their creation, but with nearly 8,000 forks of the same project it is hard to estimate how many other authors have updated their projects to protect against the vulnerability. The main lesson to take from this is to be diligent in software development, as any update to some essential framework, server, or other dependency can leave you vulnerable to attack or worse.

Hacking and Snacking

https://hackernoon.com/how-i-hacked-modern-vending-machines-43f4ae8decec


When vending machines started rolling out ways to pay electronically, it was just a matter of time before hackers found ways to pay for their midday snack by more unscrupulous means. A certain brand of vending machine had a mobile app which allowed you to pay through your phone, and this is the start of the hack. In general, if one were to download the APK for the app onto their machine, decompile it, take the Java sources, enable debugging, rebuild it, create a new key, sign it, and zip-align it, they would be able to find the database which houses the goods. The database is password protected, obviously, but there is one flaw: the encryption key for the password can be traced back to the phone's IMEI, which gives you access to the database. At this point you can edit the wallet balance to whatever you desire and it would work with the vending machines. It is mind-boggling how simple this hack is, along with the fact that there is no security or authorization check that compares the local balance with an online balance. This entire hack is a good lesson in what not to do when developing a mobile app with purchasing capabilities.
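The "what not to do" above boils down to trusting a balance stored on the phone. As an added example for this digest (not code from the article or from the vending machine vendor), the Python model below shows the opposite design: the server's ledger is the only balance that counts, whatever the app claims is ignored, and the machine accepts only a signed, single-use authorization for the exact price. The `WalletServer`/`VendingMachine` names, the HMAC key shared between server and machines, the "alice" account and the amounts are all constructed assumptions.

```python
import hashlib
import hmac
import secrets


def _sign(key, account_id, price_cents, nonce):
    """Tag binding account, price and nonce; key lives on the server and machines only."""
    msg = f"{account_id}:{price_cents}:{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class WalletServer:
    """Server-side ledger: the only place a balance is stored or changed (constructed model)."""

    def __init__(self, vend_key):
        self._balances = {}        # account_id -> balance in cents
        self._vend_key = vend_key  # assumption: shared with machines, never with the phone app

    def top_up(self, account_id, cents):
        self._balances[account_id] = self._balances.get(account_id, 0) + cents

    def balance(self, account_id):
        return self._balances.get(account_id, 0)

    def authorize_vend(self, account_id, price_cents, claimed_balance=None):
        """Debit the ledger and return a signed one-time authorization, or None.
        claimed_balance is whatever the app says it has; it plays no part in the decision."""
        current = self._balances.get(account_id, 0)
        if price_cents <= 0 or current < price_cents:
            return None
        self._balances[account_id] = current - price_cents
        nonce = secrets.token_hex(8)
        return {"account": account_id, "price": price_cents, "nonce": nonce,
                "tag": _sign(self._vend_key, account_id, price_cents, nonce)}


class VendingMachine:
    """Accepts only authorizations it can verify, for the right price, and only once each."""

    def __init__(self, vend_key):
        self._vend_key = vend_key
        self._seen_nonces = set()

    def vend(self, auth, price_cents):
        if auth is None:
            return False
        expected = _sign(self._vend_key, auth["account"], auth["price"], auth["nonce"])
        if not hmac.compare_digest(expected, auth["tag"]):
            return False                       # forged or edited authorization
        if auth["price"] != price_cents or auth["nonce"] in self._seen_nonces:
            return False                       # wrong price for this item, or a replay
        self._seen_nonces.add(auth["nonce"])
        return True


def run_scenario():
    """Replay the moves from the article's hack against the hardened design."""
    key = secrets.token_bytes(32)
    server, machine = WalletServer(key), VendingMachine(key)
    server.top_up("alice", 150)
    results = {}
    # 1. The app presents an edited local balance; the server consults its own ledger.
    results["inflated_claim_denied"] = server.authorize_vend("alice", 200, claimed_balance=10_000) is None
    # 2. A purchase within the real balance works exactly once.
    auth = server.authorize_vend("alice", 100)
    results["valid_vend"] = machine.vend(auth, 100)
    results["replay_rejected"] = not machine.vend(auth, 100)
    # 3. Changing the authorized price on the way to the machine invalidates the tag.
    results["tamper_rejected"] = not machine.vend(dict(auth, price=1), 1)
    results["remaining_balance"] = server.balance("alice")
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Note what is absent as much as what is present: nothing about the user's balance or the signing key is derived from the handset, so there is no IMEI-derived secret for a decompiled APK to recover.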

Botnets and You

https://github.com/malwaredllc/byob


Botnets are one of the many cyber security threats that infest the internet landscape, and one way to thwart them is to cultivate a better understanding of them by making your own. The link above provides the basic building blocks for creating your own botnet and unleashing it upon your own specifically designed testing ground. Build-your-own-botnet (BYOB) provides the Remote Administration Tool (RAT) and Command & Control server (C2), leaving the rest as a veritable playground for implementing your own unique code and features. Botnets are typically used to send spam mail, initiate DDoS attacks, spread malware, manipulate polls, etc., so knowing how to thwart botnets provides the knowledge to protect oneself from these attacks.

50 Million Facebook Accounts Affected by Security Breach

https://newsroom.fb.com/news/2018/09/security-update/

Attackers used an exploit found within the "view as" function that Facebook offers. The exploit allowed the attackers to steal access tokens. Facebook has responded by fixing the exploit, contacting law enforcement, logging out the affected users and any users who were subject to a "view as" lookup within the past year, and turning off the "view as" feature. Facebook is still in the early stages of the investigation, and hopefully more details about the attack will follow.