hacking

比利時合法化「道德滲透 (ethical hacking)」法案

在 Hacker News 上看到的「Belgium legalises ethical hacking (law.kuleuven.be)」，原文在「Belgium legalises ethical hacking: a threat or an opportunity for cybersecurity?」，比利時政府官方的荷蘭語與法語的 PDF 檔案在這邊可以取得，但裡面包括了其他法案的資訊，這邊是讀英文版的文章...

標題提到的 ethical hacking 不確定有沒有比較好的中文詞彙，先暫定用這個。

先講結論，看完以後可以感覺到是個很糟的法案，應該會本來灰色地帶的 ethical hacking 全部打進黑色或直接全部放 0-day？

要符合比利時法律裡面的 ethical hacking 有四個條件：

The first condition set by the law is that ethical hackers cannot have the intent to cause harm or to obtain illegitimate benefits with their activities. The law therefore excludes that ethical hackers request payment in order to reveal any potential vulnerabilities that they discovered, unless this has been agreed upon in advance, for example as part of a bug bounty programme or a CVDP. Extorsion is not an activity endorsed by the law.

第一條的限制包括了不得取得利益，除非單位已經有提供 bug bounty program 之類的獎勵。

The second condition mandates that ethical hackers report any uncovered cybersecurity vulnerability as soon as possible to the Centre for Cyber Security Belgium (CCB), which is the national computer security incident response team of Belgium. Ethical hackers also need to report their findings to the organisation they were investigating, the latest at the time they are notifying the CCB over a vulnerability.

第二條是強制要回報給政府單位 (CCB)，加上第一條的限制，所以是要免費提供給政府。

The third condition requires ethical hackers to not go further in their hacking than necessary and proportionate in order to uncover a cybersecurity vulnerability. Ethical hackers have to limit themselves to those activities that are strictly necessary for the objective of notifying a cybersecurity vulnerability. This condition is for example breached if a vulnerability is discoverable with less intrusive means than those chosen by the ethical hacker. Ethical hackers are also required to ensure that their activities do not affect the availability of the services of the organisation under investigation.

第三條限制滲透行為只限於證明弱點或是漏洞。

The final condition is an obligation for ethical hackers to not disclose information about the uncovered vulnerability to a broader public without the consent of the CCB. Ethical hackers can therefore not report on uncovered cybersecurity vulnerabilities in the media, for example by noting it in a blog post, unless they have the authorisation of the CCB.

第四點是政府沒有同意以前不得列漏給其他人。

在飯店裡攻擊企業的高階主管

算是為什麼企業要提供 Full Routing VPN 的一個攻擊管道的說明...

這篇介紹了在飯店裡透過 WiFi 攻擊企業的高階主管，想辦法塞木馬取得資訊，或是滲透進企業內部的網路：「Hackers are using hotel Wi-Fi to spy on guests, steal data」。

Those behind the campaign have continually evolved their tactics and malware payloads, blending phishing and social engineering with a complex Trojan, in order to conduct espionage on corporate research and development personnel, CEOs, and other high-ranking corporate officials.

有點介於 APT 與一般性的攻擊中間...

BGPmon 推出 BGP Stream 警告異常的 BGP 流量劫持

也是兩個禮拜前的新聞，在「OpenDNS BGP Stream Twitter Feed」這邊提到了 BGPmon 將會推出 BGP Stream 服務，將偵測到的 BGP 異常變化發到 Twitter 上。

其中 BGPmon 在幾個月前被 OpenDNS 併購 (2015 年 3 月)，而 Cisco 則在上上個月底併購了 OpenDNS (2015 年 6 月)。而在過幾天的 DefCon 23 上將會透露更多細節。

前陣子 Hacking Team 洩漏的資料中就用到了 BGP hijack 來取回控制權：

That nugget that emerged from the 400 Gb of stolen Hacking Team data posted online where Italian law enforcement used Hacking Team’s Remote Control System monitoring software to regain control over a number IP addresses it was watching that were already infected with Hacking Team software by hijacking BGP routes in order to redirect traffic and regain control over a target’s machines.

除了示警外，另外一方面 BGP 上的簽名技術也愈來愈重要了，只是不知道最終會怎麼做...

Hacking Team 的 BGP Routing Hijack

Hacking Team 的事情告訴我們，只能是能做的，都有人會包成 Total Solution 賣。

洩漏出來的資料說明了 Hacking Team 在 2013 年幹的 BGP Routing Hijack：「How Hacking Team Helped Italian Special Operations Group with BGP Routing Hijack」。

The Wikileaks document described how the Italian ROS reached out to Hacking Team to work together on recovering the VPS server that ran on 46.166.163.175. In ROS terminology, the server was called “Anonymizer”. The emails also revealed that this server relays updates to another back end server called “Collector” from which ROS presumably recovers the targets’ data.

然後：

When we look at historical BGP data we can confirm that AS31034 (Aruba S.p.A) indeed started to announce the prefix 46.166.163.0/24 starting on Friday, 16 Aug at 2013 07:32 UTC. The Wikileaks emails outline how ROS complained to Hacking Team that the IP was reachable only via Fastweb but not yet through Telecom Italia, concluding not all RCS clients were able to connect back to the server immediately, since the prefix was not seen globally. BGP data further confirms this per the visualization below.

這些主要的 ISP 分別是：

AS12874 Fastweb
AS6939 Hurricane Electric, Inc.
AS49605 Reteivo.IT
AS4589 Easynet
AS5396 MC-link Spa

時間線：

這也證明了「鎖 IP」的方法其實還是很危險的。

Hacking Team 購買 Flash Exploit 的信件

前情提要：「Hacking Team 被黑而洩漏出來的資料」。

在「How a Russian hacker made $45,000 selling a 0-day Flash exploit to Hacking Team」這邊提到了 Hacking Team 被黑而洩漏出來的信件，透漏了俄羅斯的人賣 Flash Exploit 給 Hacking Team 的過程。

從內容就可以看出不同的賣法，包括「首次」與「獨家」都是可以談的條件：

1) The price is US$45,000.00 for the non-exclusive sale of any special discount for the "first" deal together will be greatly appreciated :)

然後有些東西是另外加密通信的：

The two men then exchanged PGP keys, which they used to exchange a number of encrypted messages, presumably one including how Toporov would like to be paid.

然後還有 invoice：

而買了幾個建立關係後，後面還會有 discount：

Now your discount on the next buy is -5k and -10k is for a third bug.

最近應該會有不少人跳下去解讀洩漏出來的資料...

Hacking Team 被黑而洩漏出來的資料

這幾天資安領域最熱鬧的消息莫過於 Hacking Team 被黑之後洩漏出來的 400GB+ 的資料：「Hacking Team hacked, attackers claim 400GB in dumped data」、「Hacking Team hacked, attackers claim 400GB in dumped data」。

洩漏的資料可以在 GitHub 上的「hackedteam」取得，或是透過 BitTorrent 取得 (i.e. 51603bff88e0a1b3bad3962614978929c9d26955)。

烏雲上的「人手一份核武器 - Hacking Team 泄露（开源）资料导览手册」這篇寫得很完整了，現在的系統已經整合到這樣，於是要對這個人做任何事情都很容易：

也因為這次的 leak 而使得不少軟體在修正 0day exploit...

This is the correct way to patch Flash pic.twitter.com/ZKgbu1Qkf0

— Jonathan Zdziarski (@JZdziarski) July 8, 2015

好精緻的核武...