[SECURITY] [DSA 3647-1] icedove security update
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Defense in depth -- the Microsoft way (part 42): Sysinternals utilities load and execute rogue DLLs from %TEMP%
Moxa SoftCMS CVE-2016-5792 SQL Injection Vulnerability
Microsoft Internet Explorer and Edge CVE-2016-3289 Remote Memory Corruption Vulnerability
Microsoft Windows Kernel 'Win32k.sys' CVE-2016-3308 Local Privilege Escalation Vulnerability
Microsoft Internet Explorer and Edge CVE-2016-3326 Information Disclosure Vulnerability
[SECURITY] [DSA 3646-1] postgresql-9.4 security update
Directory Traversal Vulnerability in ColoradoFTP v1.3 Prime Edition (Build 8)

Most of the time we care about and focus on external threats, looking for actors that may attack us via phishing emails, vulnerable web services, misconfigured network devices, etc.
However, sometimes the threat may come from the inside. In fact, it is not so uncommon to have disloyal/disgruntled employees exfiltrating information from the company (e.g. intellectual property to competitors, confidential information to the press, etc.). In such situations, a full forensic analysis of the employee's devices (workstation, mobile, etc.) is required to understand what happened and get a comprehensive timeline of the events.

/private/var/mobile/Containers/Shared/AppGroup//, where applications can store data that is meant to be shared with other apps or extensions.

Another piece of background information we need to remember is the fade-out effect on iOS. Every time a user presses the Home button or receives a call while using an application, iOS will take a snapshot

WhatsApp
iLab1:/private/var/mobile/Containers/Shared/AppGroup root# tree 332A098D-368C-4378-A503-91BF33284D4B
|-- Axolotl.sqlite
|-- ChatSearch.sqlite
|-- ChatStorage.sqlite
|-- Contacts.sqlite
ChatStorage.sqlite is where the actual content of the messages exchanged is saved. Among the tables of interest, one of the most important is ZWAMESSAGE, which contains, among other things, the messages exchanged, their timestamps and the name of the user involved in the chat. Other tables worth analyzing are ZWACHATSESSION, ZWAGROUPMEMBER, ZWAGROUPINFO and ZWAMEDIAITEM, the latter storing references to the multimedia files exchanged, the users involved, timestamps and the path where each file has been stored.
As also recently mentioned by J. Zdziarski on his blog [1], an interesting feature of WhatsApp is that deleted chats are not actually deleted from the database. This is because when a SQLite record is deleted, for performance reasons it is not immediately wiped/purged from the database file, but only marked as free space, to be overwritten later when that storage space is needed. Therefore, by simply using a tool like SQLite-parser [2][3], you can quickly carve deleted records out of your WhatsApp chat database.
However, as a matter of fact, you will find this behaviour in most applications using SQLite databases, since most of them do not handle this aspect properly.
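To make the point concrete, here is an added example (it is not part of the ISC diary, and not WhatsApp's or SQLite-parser's code): it builds a small ChatStorage-style table with constructed rows, deletes one message, and then compares what a plain SELECT returns with what a raw-byte carve of the database file finds, once with SQLite's default behaviour and once with PRAGMA secure_delete=ON, the setting an application can use so that freed cells are overwritten with zeros instead of being left on disk. The table and column names echo ZWAMESSAGE only for readability; the rows and file name are invented.

```python
import os
import re
import sqlite3
import tempfile

# Constructed sample rows (not taken from any real device). The table mirrors
# WhatsApp's ZWAMESSAGE name only so the demo reads like the real artefact.
SAMPLE_MESSAGES = [
    (1, "alice", "lunch at noon?"),
    (2, "bob", "CONFIDENTIAL roadmap attached"),
    (3, "alice", "see you there"),
]
SECRET = "CONFIDENTIAL roadmap attached"   # the row we delete and then look for


def build_chat_db(path, secure_delete=False):
    """Create a tiny chat database, then delete one message.

    secure_delete=False reproduces the default SQLite behaviour described in
    the diary: the freed cell is only marked as a freeblock and its bytes stay
    on disk. secure_delete=True makes SQLite overwrite freed cells with zeros.
    """
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    con.execute(
        "CREATE TABLE ZWAMESSAGE (Z_PK INTEGER PRIMARY KEY, ZFROMJID TEXT, ZTEXT TEXT)"
    )
    con.executemany("INSERT INTO ZWAMESSAGE VALUES (?, ?, ?)", SAMPLE_MESSAGES)
    con.commit()
    con.execute("DELETE FROM ZWAMESSAGE WHERE Z_PK = 2")
    con.commit()
    con.close()


def live_texts(path):
    """What the application (and a plain SELECT) still sees after the delete."""
    con = sqlite3.connect(path)
    rows = [r[0] for r in con.execute("SELECT ZTEXT FROM ZWAMESSAGE ORDER BY Z_PK")]
    con.close()
    return rows


def carve_printable_runs(path, min_len=8):
    """Crude carve: printable ASCII runs anywhere in the raw file, live or not.

    This is the 'strings' approach. A real tool such as SQLite-parser walks the
    page freeblocks and freelist pages instead, but the principle is the same:
    the bytes of a deleted cell are still in the file until something reuses them.
    """
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    with open(path, "rb") as fh:
        raw = fh.read()
    return [m.group().decode("ascii") for m in pattern.finditer(raw)]


def run_demo(secure_delete=False):
    """Build, delete, then compare the logical view with the raw-file view."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ChatStorage.sqlite")   # invented file name
        build_chat_db(path, secure_delete)
        return {
            "live": live_texts(path),
            "deleted_text_on_disk": any(SECRET in run for run in carve_printable_runs(path)),
        }


if __name__ == "__main__":
    for flag in (False, True):
        result = run_demo(secure_delete=flag)
        print("secure_delete=%-5s live=%s deleted text still on disk: %s"
              % (flag, result["live"], result["deleted_text_on_disk"]))
```

With the default setting the deleted message is gone from the SELECT but still present in the file bytes; with secure_delete on it is not. The same reasoning applies to any app that ships SQLite with defaults, which is why a carve of the database file (and of its journal or WAL file, when present) belongs in every such examination, and why VACUUM, which rebuilds the file without its free space, is what an application has to run if it wants deletions to actually stick.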

Last but not least, the Snapshot feature

conversations_v29, which contains the list of active conversations as shown in the Chats

encrypted_cids_v29, which contains the conversation ids of the secret chats.

Besides the (expected) behaviour already seen in WhatsApp, i.e. deleted records are not immediately purged from the database and can therefore be recovered, Telegram messages from secret chats are stored in the clear in the /Document/Attachments/ folder.

  • Screen snapshots can be retrieved as well. Signal has an option Enable Screen Security

Conclusions
    This was a brief overview of what you can find when investigating messaging applications in an iOS environment. Nothing rocket science for sure, but still important things to remember during the analysis that are often overlooked.


    [1] WhatsApp Forensic Artifacts: Chats Aren't Being Deleted, http://www.zdziarski.com/blog/?p=6143
    [2] Python Parser to Recover Deleted SQLite Database Data, http://az4n6.blogspot.ch/2013/11/python-parser-to-recover-deleted-sqlite.html
    [3] SQLite-parser, https://github.com/mdegrazia/SQLite-Deleted-Records-Parser



    Security researchers are eager to poke holes in the chip-embedded credit and debit cards that have arrived in Americans' mailboxes over the last year and a half. Although the cards have been in use for a decade around the world, more brains trying to break things are bound to come up with new and inventive hacks. And at last week's Black Hat security conference in Las Vegas, two presentations demonstrated potential threats to the security of chip cards. The first involved fooling point-of-sale (POS) systems into thinking that a chip card is a magnetic stripe card with no chip, and the second involved stealing the temporary, dynamic number generated by a chip card and using it in a very brief window of time to request money from a hacked ATM.

    Double trouble

    Chip card technology—often called EMV for EuroPay, MasterCard, and Visa for the three companies that developed the chip card standard—is supposed to offer significant security benefits over the old magnetic stripe card system. Magnetic stripe cards have a static card number written into their magnetic stripe, and if a POS system is infected with malware, as was the case in the infamous Target and Home Depot hacks, then a malicious actor can take those card numbers and make counterfeit purchases with them. An EMV card, by contrast, uses a chip to transmit a dynamic number that changes with each purchase. That makes it a lot harder to steal a card number and reuse it elsewhere.

    But that doesn’t mean it’s impossible. Late last year, security researcher Samy Kamkar demonstrated that he could calculate a replacement American Express card number based on the previous card number, replicate the credit card’s magnetic stripe information on a programmable chip, and use it to make purchases around town, much like the now-defunct Coin card. Kamkar was even able to do this with chip cards—the magnetic stripe on the back of every card has two tracks of data that tell card readers information like cardholder name, the card’s number, its expiration date, etc. Track 2 data will tell a card reader if the card has a chip and needs to be dipped—otherwise it can be swiped. Kamkar’s solution was to alter the Track 2 data and spoof the card reader to tell it that the card only has a magnetic stripe, no chip, thus bypassing the entry of a dynamic number.




    Over at Wired, Andy Greenberg reports that security researchers have discovered how to use software defined radio (SDR) to remotely unlock hundreds of millions of cars. The findings are to be presented at a security conference later this week and detail two different vulnerabilities.

    The first affects almost every car Volkswagen has sold since 1995, with only the latest Golf-based models in the clear. Led by Flavio Garcia at the University of Birmingham in the UK, the group of hackers reverse-engineered an undisclosed Volkswagen component to extract a cryptographic key value that is common to many of the company's vehicles.

    Alone, the value won't do anything, but when combined with the unique value encoded on an individual vehicle's remote key fob—obtained with a little electronic eavesdropping, say—you have a functional clone that will lock or unlock that car.


    Microsoft Windows Kernel 'Win32k.sys' CVE-2016-3309 Local Privilege Escalation Vulnerability
    Multiple IBM Products CVE-2016-0341 Local Information Disclosure Vulnerability

    Microsoft has inadvertently demonstrated the intrinsic security problem of including a universal backdoor in its software after it accidentally leaked its so-called "golden key"—which allows users to unlock any device that's supposedly protected by Secure Boot, such as phones and tablets.

    The key basically allows anyone to bypass the provisions Microsoft has put in place ostensibly to prevent malicious versions of Windows from being installed, on any device running Windows 8.1 and upwards with Secure Boot enabled.

    And while this means that enterprising users will be able to install any operating system—Linux, for instance—on their Windows tablet, it also allows bad actors with physical access to a machine to install bootkits and rootkits at deep levels. Worse, according to the security researchers who found the keys, this is a decision Microsoft may be unable to reverse.


    GNU glibc CVE-2014-9761 Stack Buffer Overflow Vulnerability
    QuickerBB 0.7.0 - Register Cross Site Scripting Vulnerability
    Microsoft Education - Stored Cross Site Web Vulnerability
    [CORE-2016-0006] - SAP CAR Multiple Vulnerabilities