A look at a phishing website

Yesterday we came across a phishing website under .ch where we were able to download the phishing kit. A phishing kit is an archive file which contains all the relevant files for hosting a phishing website. In this case, the archive contained some static HTML, JS and image files for hosting the phishing form, but also a PHP file for sending the data to the perpetrator, and – most interestingly – an .htaccess file. The .htaccess file is a configuration file used by some popular web servers, which allows the user of a website to override a subset of the server’s global configuration for the directory that the file is located in and all its sub-directories.

A phishing website is frequently only accessible from the targeted country. In our case, this was controlled by the .htaccess file, which contained a large list of IP address ranges from which access to the site is allowed. As incident handlers, we often get reports of malicious websites that we cannot verify with IP addresses from Swiss ISPs. An unwary user might think that the phishing website has already been taken down, but that is not the case. The user is just not allowed to access the phishing website from their IP address.
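When a reported site appears to be down, an incident handler who has the kit's .htaccess file can check whether the vantage point is simply outside the allowed ranges. The following is an added example, not code from the kit or from the original post: the post does not show the file's contents, so the directive syntax (Apache `Allow from` / `Require ip`) is an assumption, the sample ranges are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample, not the kit's file: RFC 5737 documentation ranges, with
# Apache 2.2 ("Allow from") and 2.4 ("Require ip") syntax mixed for illustration.
SAMPLE_HTACCESS = """\
Order deny,allow
Deny from all
Allow from 192.0.2.0/24 198.51.100.0/255.255.255.128
Allow from 203.0.113
Require ip 203.0.113.64/26
"""

DIRECTIVE = re.compile(r"^\s*(?:allow\s+from|require\s+ip)\s+(.+)$", re.IGNORECASE)
PARTIAL_V4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){0,2}\.?")


def to_network(token):
    """Turn one address token into an ip_network; None for hostnames, 'all', env=..."""
    if PARTIAL_V4.fullmatch(token):  # Apache partial address, e.g. "203.0.113"
        octets = token.rstrip(".").split(".")
        token = ".".join(octets + ["0"] * (4 - len(octets))) + "/%d" % (8 * len(octets))
    try:
        return ipaddress.ip_network(token, strict=False)
    except ValueError:
        return None


def allowed_networks(htaccess_text):
    """Collect every network named by an allow directive in the file."""
    nets = []
    for line in htaccess_text.splitlines():
        match = DIRECTIVE.match(line)
        if match:
            parsed = (to_network(tok) for tok in match.group(1).split())
            nets.extend(n for n in parsed if n is not None)
    return nets


def matching_ranges(ip, htaccess_text):
    """Return the allow-listed ranges containing ip; an empty list means blocked."""
    addr = ipaddress.ip_address(ip)
    return [str(n) for n in allowed_networks(htaccess_text)
            if n.version == addr.version and addr in n]


if __name__ == "__main__":
    for probe in ("192.0.2.77", "198.51.100.200", "203.0.113.70"):
        print(probe, matching_ranges(probe, SAMPLE_HTACCESS) or "blocked (site looks down)")
```

An empty result for the analyst's own address means the report should be re-verified from a network inside one of the listed ranges before the site is treated as taken down.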


IT-Security-Links #65

The October 2014 issue of our SWITCH Security Report is available!

A new issue of our monthly SWITCH Security Report has just been released.

The topics covered in this report are:

  • Same again? Fingerprint sensor on new iPhone 6 hacked using same method as for previous model
  • Up in the air: drones, balloons and unresolved security issues
  • Google’s Transparency Report shows Swiss authorities becoming more data-hungry
  • Hacked through your fridge: how secure is the Internet of Things?
  • The Clipboard: Interesting presentations, articles and videos

The Security Report is available in both English and German.


IT-Security-Links #64

  • Shellshock I: Shellshock is a term dating from World War I and it refers to the effect of the trauma of battle on troops. But since last week it’s also the name of a serious GNU Bourne Again SHell (Bash) vulnerability, or to be more exact, a series of vulnerabilities (currently CVE-2014-6271, -7169, -7186, -7187, -6277, -6278). Comprehensive technical overviews are available from SANS (PDF) and TrendMicro (PDF).
  • Shellshock II: Web servers are indeed currently at the highest risk of being exploited, but the command shell exists all over the Internet. For example, there’s also an attack vector in OpenVPN. And Shellshock could also be used to hack VoIP systems.
  • DMCA-Takedowns: Warner Bros. Entertainment must now release key information about its automated scheme to send copyright infringement notices to websites.
  • WordPress-Security: Security researcher Ryan Dewhurst released the WPScan Vulnerability Database, a one-stop shop for the latest WordPress, plug-in and theme vulnerabilities.
  • Google and Dropbox launched Simply Secure to improve online security. The newly created organization aims to make security technologies easier to use.
  • How to deal with old Java-based enterprise applications? Deutsche Bank London helped develop an “application self-defense tool” that sits below the application to detect and prevent attacks and apply virtual patches.