0

Peeking at Pkybot

For the past few months ASERT has been keeping an eye on a relatively new banking malware (“banker”) known as “Pkybot”. It is also being classified as a variant of “Bublik”, but the former is much more descriptive of the malware.

This post will take a peek at some of the bits and pieces of Pkybot and the campaign using it. The visibility provided can help organizations better understand, detect, and protect against this current threat.

Sample

One of the recent samples analyzed by ASERT has the following hashes:

MD5: 9028d9b64a226b750129b41fbc43ed5e

SHA256: 38eb7625caf209ca2eff3fa46b8528827b7289f1

At the time of this writing it has a VirusTotal detection ratio of 16/57 with just about all the detections being generic in nature. One positive for reverse engineers though is that this sample comes unpacked.

Pkybot

While there’s been some research into the malware already [1] [2], a review and fleshing out never hurts.

Encrypted Bits

Pkybot contains a number of interesting items that are encrypted with the XTEA encryption algorithm. The key used is generated at runtime from a hardcoded seed value (DWORD):

It can also be generated using this Python code snippet. Along with the generated XTEA key, this IDA Continue reading

0

India withdraws draft encryption policy following controversy

The Indian government has withdrawn a controversial draft encryption policy, with a minister stating that the document was not the final view of the government.Under the policy, consumers would have been required to store the plain texts of encrypted information for 90 days from the date of a transaction and provide the text to law enforcement agencies when required under the laws of the country. The government would have also specified the algorithms and the length of the encryption keys used by different categories of people.The policy was largely seen as meeting the need for access to information by law enforcement agencies, and included similar restrictions on business users as well. It also called for Internet services providers to enter into unspecified agreements with the government.To read this article in full or to leave a comment, please click here

0

Renewing ipSpace.net Subscription before It Expires

One of my subscribers asked me: “My subscription is valid till early December. How could I renew it now (due to budgetary reasons)?”

While I already had the process to do just that, there was no link that one could use (you had to know the correct URL). I’ve fixed that – you’ll find the renewal link on the first page of my.ipSpace.net

0

Twistlock

Twistlock is the first ever security suite that focuses on vulnerability management and policy enforcement of containers (i.e. Docker, runc, rkt) and container host environments. Twistlock provides tools and analytics that make it easier for developers, infrastructure teams, and security professionals to deploy and run containers securely. Here with more is CTO, John Morello.

0

US Congress members urged to communicate using encrypted apps

Congress members and staff are being urged by a civil rights group to use encrypted smartphone apps such as WhatsApp and Signal rather than traditional cellular networks.Unlike cellular networks which use weak and outdated encryption, some of the newer apps use strong and modern encryption to protect their customers' communications, the American Civil Liberties Union has written in a letter Tuesday to officials in the U.S. Senate and House of Representatives.The move is not going to cost a lot. Many members of Congress already have smartphones and the apps like Signal and WhatsApp are free and can be easily downloaded from app stores. Besides, Apple’s FaceTime and iMessage apps are already built into Apple’s iOS mobile operating system and thus are available to every member or staffer with an iPhone, according to ACLU's letter to Frank J. Larkin, Senate Sergeant at Arms and Paul D. Irving, House Sergeant at Arms.To read this article in full or to leave a comment, please click here

0

US legislation requiring tech industry to report terrorist activity dropped

The U.S. Senate Intelligence Committee has dropped a provision that would have required Internet companies to report on vaguely-defined terrorist activity on their platforms, a move that was strongly opposed by the industry and civil rights groups.The controversial section 603 was included in the Intelligence Authorization Act for Fiscal Year 2016 but Senator Ron Wyden, a Democrat from Oregon, had put a hold on the bill, stating that he wanted to work with colleagues to revise or remove the provision so that the rest of the bill could move forward.On Monday, Wyden said that the "vague & dangerous" provision had been removed from the bill and he would now be lifting the hold on it.To read this article in full or to leave a comment, please click here

0

US drops effort to make tech industry report terrorist activity

The U.S. Senate Intelligence Committee has dropped a provision that would have required Internet companies to report on vaguely-defined terrorist activity on their platforms, a move that was strongly opposed by the industry and civil rights groups. The controversial section 603 was included in the Intelligence Authorization Act for Fiscal Year 2016 but Senator Ron Wyden, a Democrat from Oregon, had put a hold on the bill, stating that he wanted to work with colleagues to revise or remove the provision so that the rest of the bill could move forward. On Monday, Wyden said that the "vague & dangerous" provision had been removed from the bill and he would now be lifting the hold on it.To read this article in full or to leave a comment, please click here

0

Open Virtual Network (OVN)

Open Virtual Network (OVN) is an open source network virtualization solution built as part of the Open vSwitch (OVS) project. OVN provides layer 2/3 virtual networking and firewall services for connecting virtual machines and Linux containers.

OVN is built on the same architectural principles as VMware's commercial NSX and offers the same core network virtualization capability — providing a free alternative that is likely to see rapid adoption in open source orchestration systems, Mirantis: Why the Open Virtual Network (OVN) matters to OpenStack.

This article uses OVN as an example, describing a testbed which demonstrates how the standard sFlow instrumentation build into the physical and virtual switches provides the end-to-end visibility required to manage large scale network virtualization and deliver reliable services.

Open Virtual Network

The Northbound DB provides a way to describe the logical networks that are required. The database abstracts away implementation details which are handled by the ovn-northd and ovn-controllers and presents an easily consumable network virtualization service to orchestration tools like OpenStack.


The purple tables on the left describe a simple logical switch LS1 that has two logical ports LP1 and LP2 with MAC addresses AA and BB respectively. The green tables on the right show Continue reading

0

More Sites Turn Up With Cisco Router Malware

SYNful Knock has been found at 199 IP addresses so far.

0

Using POX components to create a software defined networking application

When network engineers are learning the concepts of software defined networking and SDN controllers, they may want to experiment with SDN network scenarios before learning to write programs to be used by the SDN controllers.

POX is a simple-to-use SDN controller that is bundled with the Mininet SDN network emulator and is used in education and research as a learning and prototyping tool. POX components are Python programs that implement networking functions and can be invoked when POX is started. POX comes with a few stock components ready to use.

In this tutorial, we will use stock POX components to implement basic switching functionality with loop prevention in a software defined network, without writing any code. Then, we will explore how the SDN controller programs the OpenFlow-enabled switched in a network created using the Mininet network emulator.

Prerequisite knowledge required

This tutorial assumes you already have the the prerequisite knowledge defined in the list below. If you need to understand more about any of the topics listed below, the list provides links to resources that offer enough information to prepare you to work through this tutorial.

• You have a basic understanding of Ethernet networks, IP networking, and software Continue reading

0

Spousetivities at VMworld EMEA

Spousetivities returns to VMworld EMEA this year with a new set of activities. If you haven’t registered yet, here’s a quick look at the pretty impressive set of tours and activities that are planned.

• Montserrat and Wine Country: The famous Monastery of Montserrat, one of the black Madonnas of Europe, Santa Cova, a fantastic lunch of local Catalan country cuisine, and wine tasting. What more could one want?
• Costa Brava and Medieval Girona: It’s not every day you get the opportunity to tour a medieval walled city founded by the Romans in the 1st century.
• Wines of Catalunya: Personal tours with local, resident wine makers arranged exclusively for Spousetivities participants.
• Medieval mountain village and panoramic trails: Cobblestone streets and stone houses in a medieval mountain village, then a four-course lunch in a traditional Catalan country restaurant followed by a light hike to some great look-outs, streams, rivers, and waterfalls.

For more detailed descriptions of the activities, I encourage you to visit the Spousetivities site. When you’re ready to get signed up, head on over to the registration page. These are some pretty great activities!

0

Zerodium’s million dollar iOS9 bounty

Zerodium is offering a $1 million bounty for a browser-based jailbreak. I have a few comments about this. The two keywords to pick up on are "browser-based" and "untethered". The word "jailbreak" is a red-herring.

It's not about jailbreaks. Sure, the jailbreak market is huge. It's really popular in China, and there are reports of $1 million being spent on jailbreaks. But still, actually getting a return on such an investment is hard. Once you have such a jailbreak, others will start reverse engineering it, so it's an extremely high risk. You may get your money back, but there's a good chance you'll be reverse-engineered before you can.

The bigger money is in the intelligence market or 0days. A "browser-based" jailbreak is the same as a "browser-based" 0day. Intelligence organizations around the world, from China, to Europe, and most especially the NSA, have honed their tactics, techniques, and procedures around iPhone 0days. Terrorist leaders are like everyone else, blinging themselves out with status displays like iPhones. Also, iPhone is a lot more secure than Android, so it's actually a good decision (intelligence organizations have hacked Android even more).

Every time Apple comes out with a new version (like iOS9), they Continue reading

0

How Rapid Spanning Tree Protocol (RSTP) Handles Topology Changes

For this exploration I'm using Arista's Virtual Extensible Operating System (vEOS) version 4.15.0F running in GNS3(Which is pretty awesome).  The virtual switches have been configured in rapid-pvst mode.

Here is the topology:
EtherSwitches have been added only to capture traffic off monitoring sessions set up on Switch1 and Switch2 to look at in Wireshark.  The Ubuntu server can be ignored for the purposes of this blog entry.

Only VLAN 1 is present on all switches and Switch1 is configured to be the primary root, while Switch2 is configured to be the secondary. Here's the current state of the network:

First it's important to note that only a single thing will trigger a topology change event - the transition of a non-Edge port from a non-Forwarding to a Forwarding state. Why?  Because this newly Forwarding port could possibly provide a better path to a given destination MAC address than there was before, and the CAM table will need to be updated to reflect that and prevent the same MAC being displayed on more than one port.  It sounds strange that a loss of a Forwarding port doesn't trigger a topology change event, but think about it - in a Continue reading

0

Volkswagen has a technology problem: It fixes things by hiding them

Volkswagen is in a lot of trouble for installing software on some of its diesel cars that figures out when they are undergoing emissions tests so it can adjust the cars to put out nitrogen oxide at acceptable levels.That’s likely to win the company billions of dollars in fines, but it’s not the first time the company has hidden problems rather than fix them.Just last month, security researchers delivered a paper that showed three ways to get around the Volkswagen lockout system that prevents its cars from being started unless the correct key with the correct chip embedded is used to crank it over.The paper was noteworthy for the ingenuity of the three attacks it outlines but also for the length of time it sat on the shelf before being delivered to the public. It was ready to go back in 2013 but Volkswagen got a court order to block it then, and that was nearly a year after the researchers had told the manufacturers of the hardware about it under the principle of responsible disclosure.To read this article in full or to leave a comment, please click here

0

DockerCon EU 2015: Site is Live with First Confirmed Speakers

¡Hola Mundo! We are excited to share with you the DockerCon Europe 2015 website with helpful information for the upcoming event in Barcelona, including the first batch of speakers. The Call for Proposals (CFP) closed at the beginning of this … Continued

0

Adding a Full API to PicOS

Pica8′s PicOS is a Linux network OS based on Debian. This makes it easy for our customers to integrate their own tools or applications within PicOS. We are compatible with all the leading DevOps tools, such as Puppet, Chef, and Salt; and of course, we support OpenFlow.

But what if you would like to have an application on the switch itself to manipulate its data path? This is beyond the standard DevOps model and is not aligned with the traditional OpenFlow model, which uses a centralized controller.

Typically the requirement for such an application would be:
- A switch using traditional L2/L3, as well as an API to override those L2/L3 forwarding decisions.
- The API could be called on the switch itself while the application is running on the switch (that requirement would forbid a centralized OpenFlow controller).

For this use case, most network equipment vendors have an SDK (Software Development Kit) to program native applications running directly on the switch. A good example would be the Arista EOSSdk.

One big issue with those SDKs is that they are “sticky.” Once you develop your application, it only runs on the SDK provided by your vendor, so you Continue reading

0

The Open Networking Cheat Sheet

A variety of open projects target the network. This cheat sheet keeps track of who's doing what at OpenDaylight, OpenFlow, OVS, OpenStack, ONOS, and Open Compute.

The post The Open Networking Cheat Sheet appeared first on Packet Pushers.

0

Michigan sues HP over $49 million project that’s still not done after 10 years

Hewlett-Packard has faced no end of financial and legal woes in recent months, and on Friday it was hit with one more: A new lawsuit filed by the state of Michigan over a $49 million project the state says is still not completed after 10 years.The contract dates back to 2005 and called for HP to replace a legacy mainframe-based system built in the 1960s that is used by more than 130 Secretary of State offices.MORE ON NETWORK WORLD: 26 crazy and scary things the TSA has found on travelers HP was given a 2010 deadline to deliver a replacement, but it failed to do so, the state says, leaving the Michigan Department of Technology, Management and Budget and SOS staff dependent on the old technology for functions such as vehicle registration.To read this article in full or to leave a comment, please click here

0

3 times Facebook has genuinely scared me

There's no doubt Facebook is a wonder of engineering, a site that brings on vast amounts of data for a user despite it being scattered throughout data centers and external sources. No question, Mark Zuckerberg and crew have engineered a marvel.But there are times when it really spooks me. It comes with friend recommendations. Somehow, this site has the capacity to recommend people that I know in real life but have absolutely no online connections to whatsoever. It's happened so often it can't be a coincidence, either. Three recent examples come to mind: Example 1: While closing the suggestion box for recommended friends, up popped the name of my acupuncturist, whom I haven't seen in six months. She is not in my Outlook contact list, only on my cellphone. Now, I frequently share stories about holistic news and have my naturopathic doctor among my friend's list, but why of the dozens of acupuncturists in northern Orange County did she come up?To read this article in full or to leave a comment, please click here

0

Critical Flash Player updates patch 23 flaws

Adobe Systems released new updates for Flash Player to patch critical vulnerabilities that could allow attackers to install malware on computers.The updates fix a total of 23 flaws, of which 18 can potentially be exploited to execute malicious code on the underlying systems. Adobe is not aware of any exploits being publicly available for the fixed vulnerabilities.The other flaws could lead to information disclosure, bypassing of the same-origin policy mechanism in browsers and memory leaks. Two of the patches are adding or improving protections against vector length corruptions and malicious content from vulnerable JSONP callback APIs used by JavaScript programs running in browsers.To read this article in full or to leave a comment, please click here