Observations regarding the EC-Council DNS Hijack (Certified Ethical ‘Hijacking’)

Over the weekend, EC-Council’s website experienced what appears to be a DNS hijacking. Steve Ragan has an excellent overview of the events on his CSO Online blog, which can be found here.

It becomes clear after reading the blog post that the IP address the hijacked DNS record pointed to has a very interesting history:

  • The same IP address was used by a user who appeared briefly in the #Linode IRC channel earlier this year (January 2014). The user in question alludes to a SQL dump of a Linode database that included older forum credentials, which coincides with this story.
  • The same IP address also made the news in early February 2014 when it was used to compromise the “Realm of the Mad God” domain. It has been confirmed that malware was being served to visitors during that time; the details of the VirusTotal report are here.
  • This IP address is registered to Ecatel Network (NL). Unfortunately, Ecatel has had a notorious reputation among hosting providers over the years (it took the #1 ‘Bad Host’ position in 2010), and its IP ranges are known to appear on many reputation-based blacklists.

Considering the above, I decided to use urlQuery.net before visiting the EC-Council site to reduce any chance of potential malware being served.  (“urlQuery.net is a service for detecting and analyzing web-based malware. It provides detailed information about the activities a browser does while visiting a site and presents the information for further analysis.”)

urlQuery scan for http://www.eccouncil.org appeared to be clean

urlQuery scan for http://www.eccouncil.org/certification displayed some IDS alerts

It was interesting that the Suricata IDS results from urlQuery.net differed between the two scans, since both hostnames resolved to the same hijacked IP. Regardless, other IP addresses owned by Ecatel (NL) appear to trigger similar IDS and RBN alerts.

I came across some analysis of the ‘ZeroAccess’ rootkit from 2010 which claimed that it originated from Ecatel’s network and attributed ties to certain organizations.

I was curious about the malware that was previously served from the “RoTMG” domain and figured it could potentially have compromised someone at EC-Council. There were reports in some gaming-related forums that the malware included a keylogger:

With a keylogger being a possibility, it is not unlikely that the EC-Council mail account credentials were captured this way if the account holder visited the “RoTMG” site. Access to the contents of that mailbox most likely aided the request to redirect the domain to the Ecatel IP.

The fact that this particular EC-Council email account potentially contained unencrypted sensitive data is a story unto itself. It is also quite surprising considering that just last year (May 2013) EC-Council had an incident in which directory listings on their web server could be viewed without authorization. You can read more about the “Godzilla” incident here.

It seems it may be time to implement some sort of reputation check when domains are pointed or transferred to blacklisted IPs/ranges. This should hold especially true for hosting providers or IP ranges with such a well-known and longstanding “bad” reputation. Such a check could have helped keep control of the domain, but would not necessarily have mitigated any of the possible PII issues that may have been discovered.
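To make the suggested reputation check concrete, here is an added example (not code from the original post or from any registrar) that treats a DNS record change as an event to be screened: a new A record that leaves the known baseline is flagged, and flagged harder if the address sits inside a range with a bad reputation or is listed in a DNSBL. The reversed-octet query form is the standard DNSBL convention (lists such as Spamhaus ZEN answer a DNS A query for `<reversed-ip>.<zone>`); the baseline, the bad range and the DNSBL answers below are all constructed so the code runs offline, and the domain and addresses are RFC 5737 documentation values rather than anything from the incident.

```python
"""Reputation check for a DNS record change: flag an A-record update that moves a
domain off its baseline, into a blacklisted range, or onto a DNSBL-listed address.

Added example, not part of the original post. BASELINE, BAD_RANGES and the
fake_dnsbl answers are constructed; live_dnsbl_lookup shows the real query.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Set

# Constructed baseline: the addresses each monitored domain is expected to resolve to.
BASELINE: Dict[str, Set[str]] = {"www.example.org": {"198.51.100.10"}}

# Constructed stand-in for a hosting range with a longstanding bad reputation.
BAD_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet name a DNSBL is queried with (1.2.3.4 -> 4.3.2.1.zone)."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def in_bad_range(ip: str, ranges: Iterable[ipaddress.IPv4Network]) -> bool:
    """True if ip falls inside any of the blacklisted CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def live_dnsbl_lookup(name: str) -> bool:
    """Real DNSBL check: a listed address resolves (to 127.0.0.x), an unlisted one does not.
    Not called by the offline demonstration below."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def check_update(domain: str, new_ips: Iterable[str], baseline: Dict[str, Set[str]],
                 bad_ranges: Iterable[ipaddress.IPv4Network],
                 is_listed: Callable[[str], bool],
                 zone: str = "zen.spamhaus.org") -> List[str]:
    """Return one alert string per new address that needs review.

    `is_listed` receives the DNSBL query name and reports whether the zone lists it;
    it is injected so the check can be exercised without network access.
    """
    alerts = []
    expected = baseline.get(domain, set())
    for ip in new_ips:
        if ip in expected:
            continue  # unchanged record, nothing to screen
        reasons = []
        if in_bad_range(ip, bad_ranges):
            reasons.append("inside blacklisted range")
        if is_listed(dnsbl_query_name(ip, zone)):
            reasons.append("listed in " + zone)
        if reasons:
            alerts.append(f"{domain} -> {ip}: " + "; ".join(reasons))
        else:
            alerts.append(f"{domain} -> {ip}: changed from baseline (review)")
    return alerts


def fake_dnsbl(name: str) -> bool:
    """Constructed DNSBL answers: only 203.0.113.66 is treated as listed."""
    return name.startswith("66.113.0.203.")


if __name__ == "__main__":
    # Constructed event: the record is being pointed at an address in the bad range.
    for line in check_update("www.example.org", ["203.0.113.66"], BASELINE, BAD_RANGES, fake_dnsbl):
        print(line)
```

In practice the check would run inside the registrar or DNS provider's change workflow (or on a monitor that polls the zone), with `live_dnsbl_lookup` in place of `fake_dnsbl`; an address that is merely off-baseline is worth a review, while one that is also in a bad range or DNSBL-listed is worth holding the change until a human confirms it.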

–Special thanks to @ArmyTra1n3d for helping with all of this and a shout-out to @SynAckPwn for the great references.

Opening and previewing documents within the browser

This is a follow-up to the previous post, “Dropbox…opening my docs?”

As it turns out, Dropbox opens certain file types in order to convert them to a format that can be displayed in a web browser. This makes sense and is common practice among cloud storage services: it provides the convenience of browser access without requiring any additional software to open these documents.

So at first, I was under the impression that only Dropbox had opened the HoneyDocs files. Now I realize that any cloud storage service that provides thumbnail previews or allows certain document types to be viewed in a browser may also need to open these files and copy/index some of their content. The other services may have been blocking the external resources referenced by the embedded links, or ignoring them altogether. This turned out to be a theoretical security issue that Andrew Bortz (Security Team Lead at Dropbox) decided to address, as mentioned in this Hacker News thread.

Some additional privacy concerns are addressed here, “Three Reasons Why Dropbox Previews Are Security & Privacy Nightmares.” One suggestion that came up was to give users the ability to disable this ‘preview’ functionality. That seems like a reasonable request, especially for users who exclusively use the desktop client and have little use for the browser-specific features of their accounts.

Because of all the official responses and statements, I certainly have a better understanding of the “effects of rendering low-quality previews.”  I still plan on using Dropbox because it does certainly provide benefits, but I will also be more aware of what goes on in the background regarding server-side processes.  With that said, I would recommend looking into Boxcryptor or TrueCrypt if privacy takes precedence over convenience in your situation.

Dropbox…opening my docs?

I had the opportunity recently to beta-test HoneyDocs, a web app that generates documents that can ‘buzz home.’ Each generated document embeds a unique URL; when the document is opened, the viewer issues a GET request to that URL, which HoneyDocs logs along with the requester’s IP and user agent.

Several use cases came to mind, but I was most interested in seeing if my cloud storage services were manipulating my files in a way that I may not have been aware of.

My experience:

Uploaded Documents to Dropbox Personal Account with Private Folders (not shared)

  • Uploaded “passwords” documents generated by HoneyDocs.
  • These were uploaded with both the client application as well as the web interface.

What’s this? A ‘buzz’ from the recently uploaded documents?

  • The first successful ‘buzz’ took approximately 10 minutes.
  • I attempted to re-create this by deleting the files in question and re-uploading the same HoneyDocs files, but was unable to get further ‘buzz backs’ with the same files.
  • The IP appears to be an Amazon EC2 instance in Seattle.

So now I’m curious…are the files being accessed for de-duplication purposes or possibly malware scanning?  If so, then why are the other file types not being opened?  It appears that only .doc files are being opened…

I then uploaded more HoneyDocs files to my Dropbox folder, this time from a different computer and ISP to rule out any of those variables.

All .doc HoneyDocs appear to have been accessed…from different Amazon EC2 instance IPs.

Further digging into the HoneyDocs data reveals a suspicious user agent, LibreOffice. Now I’m curious whether this is still an automated process or one that involves human interaction. [Update: As better explained here, this is certainly automated and not as suspicious.]

All in all, I made 3 attempts to upload embedded documents and all appeared to be opened from different Amazon instances. This could have something to do with how Dropbox’s storage architecture is configured while utilizing Amazon S3 buckets.

Regardless, the .doc files seemed to have been opened for some reason.  I’d like to know why…

If you are curious, I encourage you to test it out on your own!  You can sign-up for a free HoneyDocs account here.

[Update:  Please check out the follow-up to this post here]

No end to end encryption for Skype…now what??

Some big news that came out this past week was the fact that Microsoft is monitoring Skype conversations to some extent.  This was verified by Jurgen Schmidt in a recent article from “The H Security.”

I’m assuming this may have been done by Microsoft to better position themselves in case of any government requests for data.  I understand the reasoning, but was disappointed to hear about it nonetheless.

Well, the good news is that we do not have to use Skype.  I feel this was a good wake up call to be more aware of encrypted communications.  We didn’t think too much of this before the recent Skype news, but rather trusted that the encryption was still in place.

A fellow WNC InfoSec member recently brought to my attention ‘Off The Record’ (OTR) and its use with Pidgin and Google Talk. OTR provides encryption, authentication, deniability and perfect forward secrecy, so past conversations stay protected even if your long-term key is later compromised. This all seemed great and I thought I had found a viable alternative to Skype.

Unfortunately, Google recently announced they will be moving away from XMPP and transitioning to their Google Hangouts platform for instant messaging. This will undoubtedly break the OTR capabilities in Pidgin/Adium, in my opinion.

Now what??

Well, the same WNC InfoSec member who educated me on OTR also passed along some info on Jitsi. Jitsi is an open source VoIP client that uses the ZRTP protocol to negotiate the keys that encrypt each call. You can check out more features here.

Looking forward to testing out Jitsi further and seeing if it can be a reliable/secure form of communication.  I am also very interested in hearing your experiences with secure alternatives to Skype, so please leave a comment below!

Stumbling across SecurityTube.net

I came across a “tcpdump > wireshark” video from Hack3rCon 2010.  Kenneth Scott, a.k.a. pwrcycle, goes through an excellent primer for tcpdump and shows off his ridiculous “screen” ninja skills.  Check it out if you haven’t seen it already.

After watching this video and having my mind blown, I asked why have I not been to securitytube.net before?!?!  I was amazed that a resource like this even existed and I wanted more of it!

This led me to start digging into their “Megaprimers” section. Topics include: Metasploit Framework, Exploit Research, Windows/Linux Assembly, Buffer Overflows, etc.

I have just started the Linux Assembly Megaprimer and am loving it so far.  The videos are easy to digest and follow, while beginner to intermediate concepts are taught along the way.  *Please note that this is one of the three recommended primers to view before moving on to Exploit Research.

I am coming to find that I really enjoy learning about exploit development, so I signed up for an Intro to Exploit Development workshop next week. I feel more confident having been able to get a head start on some of the concepts that will be covered, thanks to SecurityTube!

So if you haven’t visited, what are you waiting for?!  Go check them out now and start increasing that skill-set.  :)