Cyber-villain hunting season is open, with eGambit

This year, cyber-villain hunting season opens a little earlier, and you will be able to choose to take part, especially if you are tired of the malware and attackers that manage to bypass most of your security products: antivirus, proxy, firewall, system and application security, etc.

All it takes is equipping yourself with a real defensive cyber-arsenal to regain the advantage on this giant chessboard that interconnects companies and individuals. We give a quick overview in this article.

Our company, TEHTRI-Security, specializes in penetration tests that simulate cyber-espionage attacks. Since our founding in 2010, multinationals and government agencies have asked us to find every path that internal or external "pirates" could use to bypass their defense systems, stealthily or not.

In 2012, as our success rate on such simulated cyber-espionage operations was 100%, we decided to build a defensive cyber-arsenal, a kind of antidote to cyber-threats.

This project is called eGambit. Its goal is to fight effectively against people and tools that would have the ability to actually penetrate our partners' infrastructures.


Gmail App Security Issues on iPhone/iPad/iPod

Here is a quick note that takes a look at the behavior of the GMAIL application on iOS (iPhone/iPod/iPad). We focus on an updated iOS 5.0.1 with the latest GMAIL App (1.1.0) taken from the Apple Store at the time of this writing. Google will probably patch these security issues faster than it takes you to read these humble thoughts.

Some believe it might be more secure to read emails through supposedly lightweight applications on i-devices, as the emails probably stay mostly on the remote web resources, etc.

Through the eyes of an attacker, let's see how a stolen/lost/pwned iPhone/iPad could, for example, reveal the content of your emails, contacts, etc.

Moreover, important authentication schemes do not follow Apple's security guidelines for developers. This could help an attacker retrieve interesting cookies in clear text, after which it is possible to hijack a Gmail session and steal sensitive information, as you'll see further on.

A fresh new vulnerability? Let's read...


GooglePlus Reader: Privacy Checker

Here is a quick post related to privacy issues with some Google Plus readers.
The main problem is that some Google Plus readers might reveal your IP address (and other technical details) to the remote owners of G+ profiles while you browse/read them.

This privacy issue comes from the technical way pictures of remote profiles are loaded by the readers in order to be displayed (look at the structure of the web pages if you need more details).

This could be used to either track people using Google Plus, or to create more advanced threats.

Here is an example with the iPhone App called "Google+".

This application is "vulnerable" to those privacy issues because it tries to load pictures directly from the remote web sites, whereas a standard web browser would use Google services only.

Disabling iPhone Tracking ? Do it Yourself (DiT?DiY)

An iPhone iOS4 built-in tracking feature was recently discussed publicly after sharp people, Alasdair Allan and Pete Warden, created an open-source application called iPhone Tracker.

A file called "consolidated.db", which exists on iPhones and 3G iPads, contains enough information to map users' movements, thanks to tracking data that includes interesting details like MAC addresses of access points, GSM details, etc.

Since it became more public (beyond the fact that it was already known), tons of people think it could be a malicious feature from Apple. Here in this blog, we won't focus on political or strategic answers.

We just want to play our role: looking at technical security issues in this world of ever-growing dependencies between humans and technologies. By the way, we don't want to repeat the excellent analyses that already exist in many places on the web.


Quick BlackBerry Security Check

Here is just a quick note related to the security of BlackBerry devices. It was originally written for some non-technical contacts who told us they were lost regarding the recent exploits against BB devices seen in newspapers, etc.

So, if you happen to be a lucky BlackBerry owner, or an administrator of a large BB network, here is an easy and quick way to check the security of your smartphone(s).
You or your end users just have to browse this web page from your device:

For now, this web page will freely run basic checks for you and report whether you appear to be potentially vulnerable to this list of exploits:

About iPhone iOS 4.3 Personal Hotspot

Apple CEO Steve Jobs announced new features and products. One of those masterpieces is a new option called “Personal Hotspot”. This new functionality transforms your iPhone into a Wireless Access Point, so that you can share your 3G connection. It will be released in a few days with the next iPhone update (iOS 4.3). So let's share a few words about this new (awesome) Apple add-on, with geeky and security eyes. The question asked: is it secure to turn your iPhone into a Wireless Access Point?

As you can see, once you have downloaded the future iOS 4.3 on your iPhone 4, the improved “Settings” panel will offer a “Personal Hotspot” sub-menu. If you then enable Wifi, this option will allow you to connect multiple devices to a single iPhone, which becomes a Wireless Access Point. That way, you should be able to share your cellular data connection with up to five devices at once (up to three devices over Bluetooth, one device over USB, and three devices over Wifi, bearing in mind that hotspot tethering plans might have to be subscribed to with your carrier).

On Apple's web site, it is written that every connection is password protected and secure, so we wanted to take a quick look at those new options.

BlackHat DC 2011: Inglourious Hackerds

We are currently at the awesome BlackHat DC event, with hundreds of attendees coming from many different countries worldwide. We were invited here for the BlackHat Briefings, in order to give a talk called "Inglourious Hackerds, Targeting Web Clients".

It was a pretty nice opportunity for us to explain some of our tricks related to client-side attacks in a web environment. For example, we talked about the vulnerabilities we found in 2010 that could allow you either to hack a remote web browser or to counter-attack, etc.
Indeed, we explained how we obtained some 0days against multiple different devices, by fuzzing or pentesting those tools in a black-box manner, exactly as we do in penetration tests on highly sensitive places for our customers.

Black Hat Briefings, Abu Dhabi, UAE 2010

This week, we were invited as speakers at the brand-new IT security event in the Middle East: Black Hat Abu Dhabi 2010. The event had three tracks of Briefings with more than twenty renowned speakers, plus some trainings over four days, with tons of attendees, many of them coming from the GCC area.

Thanks to the support of local organizations involved in IT and security (TRA, the Telecommunications Regulation Authority; UAE CERT (aeCERT); and Khalifa University), this event was wonderful, and moreover it took place in a marvelous venue (Emirates Palace).

On our side, we had a slot for a one-hour talk called "Extrusion and Web Hacking". Our goal was to share concepts related to data exfiltration and to bouncing off a remote compromised web server. Indeed, we all focus on how people try to gain illegal access. But it's quite interesting to think about how the bad guys try to get out of the remotely controlled devices or computers once they're in, as we are going to see in this article.

CVE-2010-1752: Back to the Mac

Exploiting CFNetwork (Apple)

In February 2010, TEHTRI-Security found a stack overflow related to CFNetwork on Apple products, through the code used to handle URLs. As we have been doing ethical hacking and penetration tests on highly sensitive networks for more than 15 years, we naturally contacted the Apple security folks in order to help improve their products.

Basically, we found that visiting a maliciously crafted website could lead to an unexpected application termination or arbitrary code execution. Let's have a look at some details related to our work and to Apple's patches.

In this article we will only focus on threats and exploits that worked against iPhone, iPod touch, Mac OS X and Mac OS X Server.

Please note that Apple customers were never threatened by these security issues, as TEHTRI-Security shared technical information only directly with the Cupertino security team, and as tested, robust upgrades are now available to the public.

Web In The Middle, Attacking Clients: FireSheep

Hack In The Box Amsterdam 2010 - TEHTRI-Security

There is so much news related to this new offensive Firefox extension, called FireSheep, that I wanted to share a few small thoughts here.

This tool lets an attacker use data collected from frames sniffed off the network, by displaying potential local victims directly in her Firefox.

It is then possible to abuse those clear-text sessions captured on the local network. For example, one can directly impersonate a Facebook or Twitter session, etc., that took place without encryption on the network.

Hack In The Box SecConf, Kuala Lumpur, Malaysia 2010

Last week, we were invited to the famous HITBSecConf event organized by L33tdawg and his extended team (people from NL + MY). This amazing event brought hundreds of people from all over the world to the center of Kuala Lumpur. You could easily meet evil/good hackers, phone phreakers, IT managers, lockpickers, senior IT security people, etc.

Many activities were offered to attendees, like special technical workshops, hacking challenges, lockpicking activities, and of course international talks and advanced trainings.

The first couple of days, we organized a new offensive training in a room full of 16 students coming from very interesting places like cutting-edge


New training "Hunting Web Attackers" full of 0days

TEHTRI-Security will release many 0days and offensive technologies during a new training called: "Hunting Web Attackers".

For the very first time, it will be offered during HackInTheBox SecConf Malaysia 2010 in October, in Kuala Lumpur.

Some 0days will be disclosed under an NDA (for students only) and will help fight back against web attackers, as we already explained in the past in China and in Singapore (SyScan).

As a teaser, this blog message contains one of our remote 0day exploits. We also found 0days against Zeus, Eleonore, CrimePack, etc.


Web In The Middle, Attacking Clients

TEHTRI-Security was invited to give a talk called "Web In The Middle, Attacking Clients", at the first Hack In The Box Europe, Amsterdam ( ).

During our talk, we released multiple advisories and explained many issues related to some vulnerabilities. You can find more public information in the slides available online. Here are some related details that we wanted to share with you:

o CVE-2010-1752: TEHTRI-Security inside the iPhone iOS4

TEHTRI-Security found a stack overflow in the CFNetwork API, through the code used to handle URLs.


The Empire Strikes Back

As announced by email (FD, BT...), we released 13 0days and new offensive concepts against most of the tools currently used by web attackers, like web shells, exploit packs, etc., during our new talk. It took place in mid-June in Singapore, during the SyScan International Conference:

We proposed new methods to strike back at intruders, with new exploits giving you remote shells, remote SQL injection, permanent XSS and dangerous XSRF against the remote tools used by attackers.

It's time to have strike-back capabilities for real, and to have alternative and innovative solutions against those security issues.


French Touch

From what we have seen in our logs these past months, we got many security issues coming from French IP addresses. It seems there are many funny, curious people or so-called friends out there. The most incredible logs we got come from some public (government) services, like the postal mail service and the national energy department. Either they are compromised and someone is bouncing off their networks, or they are really curious.


TEHTRI-Security: This is not a game

Hi all, welcome to our new blog. We already had a Facebook account, a Twitter account and a web site, but we found that a blog would help us provide a different kind of content, like short technical texts to share, etc. It will allow us to post ideas, logs, tech stuff, etc., without thinking too much, compared to classical official articles. Have fun here on our blog, and welcome.
