A blog about generally interesting infosec stuff..

Monday, 9 December 2013

Facebook Badness

As an infosec company we don't tend to blog about Facebook scams such as "Free £100 Tesco voucher" or "Apple is giving away 1000 iPads because the boxes are scuffed" - surely a new box is cheaper + we'd be here all day tracing them!

However, this one piqued our interest as it is something that could affect a company just as easily as an individual. It is essentially a classic phishing exercise with a bit of social engineering thrown in for good measure; it's quite well executed though, so on with the details..

I had a private Facebook message from a family member come through which cc'd a number of other family members/friends. This is what the message looked like (blurred to protect the innocent!):


Alarm bells started ringing: a PM with a generic message along with a URL shortened using "t.co", which is a classic obfuscation technique. The "Facebooky" looking thumbs up adds a certain amount of credibility, as it was posted by another family member - surely they can be trusted, right?

Friday, 14 September 2012

44Con - Cracking Lotus Domino Passwords

Following my presentation on penetration testing in a Notes/Domino environment (slides will be uploaded soon!) I had a couple of queries about the software used in the Notes ID file password cracking demo & where to download the local access protection tool.

The software was Passware's latest and greatest "Passware Password Recovery Kit Forensic V12", whose marketing manager, Nataly, had been kind enough to let us use a beta version for 44Con.

The difference between this software and any of the others that we've tried is that this allows multiple ID files to be loaded in and cracked in a batch along with other file types!

Thursday, 30 August 2012

SmartScreen Filter Revisited

Following up on last year's blog post about Microsoft downloading potentially private/sensitive files due to the SmartScreen filter, we thought we'd take a look at IE10 on Windows 8. The files used in testing were old versions of cmd.exe, so they should be "known good" on any whitelists.

Yet again we found that files that you download are hoovered up by Microsoft servers a short time after!

Thursday, 26 April 2012

Bsides London Challenge 6 Solution

As it's the day after Bsides London which was excellent with some talented presenters I thought I'd post my solution to challenge 6 - Finding Nero.

Linky --> Bsides_Walkthrough.pdf

Enjoy!
Fully

Thursday, 9 February 2012

Foxconn Lotus Domino Breakdown

Following Swagg Security's release of some Foxconn info (http://pastebin.com/DbHu7xCQ) I thought I'd take a quick look at the Lotus Notes stuff they posted whilst munching my sarnies. Please note that this is a quick (20 minute) crack/breakdown and not a week of real research!

The leaked "MailUsers.txt" file in the torrent contained two types of Domino hash formats: weak/unsalted (user1) and salted (user2):
user1:D3D44EED37928E47777F1B6C937F4068
user2:(GcE5LxKhZO5riNHlvasU)
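As an added example (not from the original post), here is a small audit script that sorts a user:hash dump like the one above into the two formats so the accounts still on the weak unsalted format can be found and migrated. The regexes are an assumption inferred from the two sample values on this page (32 hex characters for unsalted, 20 characters in parentheses for salted), and the sample dump below is constructed for the example.

```python
import re
from collections import defaultdict

# Hash shapes inferred from the two sample entries above (assumption: the
# rest of the dump follows the same two layouts).
#   unsalted: 32 hex characters, e.g. D3D44EED37928E47777F1B6C937F4068
#   salted:   20 characters inside parentheses, e.g. (GcE5LxKhZO5riNHlvasU)
UNSALTED_RE = re.compile(r"^[0-9A-Fa-f]{32}$")
SALTED_RE = re.compile(r"^\([A-Za-z0-9+/]{20}\)$")


def classify_hash(value):
    """Return 'unsalted', 'salted' or 'unknown' for one hash field."""
    if UNSALTED_RE.match(value):
        return "unsalted"
    if SALTED_RE.match(value):
        return "salted"
    return "unknown"


def audit_dump(text):
    """Parse user:hash lines and report the accounts on the weak format.

    With no salt, two users with the same password get the same hash, so
    identical unsalted values are grouped as well: that leak of "who shares a
    password with whom" is one reason the unsalted format is worth migrating.
    """
    counts = {"unsalted": 0, "salted": 0, "unknown": 0}
    weak_users = []
    by_hash = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, value = line.partition(":")
        value = value.strip()
        kind = classify_hash(value) if sep else "unknown"
        counts[kind] += 1
        if kind == "unsalted":
            weak_users.append(user)
            by_hash[value.upper()].append(user)
    shared = [users for users in by_hash.values() if len(users) > 1]
    return {"counts": counts, "weak_users": weak_users, "shared_groups": shared}


# Constructed sample in the user:hash layout of MailUsers.txt: the two
# values from the post plus two entries made up for this example.
SAMPLE_DUMP = """\
user1:D3D44EED37928E47777F1B6C937F4068
user2:(GcE5LxKhZO5riNHlvasU)
user3:D3D44EED37928E47777F1B6C937F4068
user4:not-a-domino-hash
"""

if __name__ == "__main__":
    print(audit_dump(SAMPLE_DUMP))
```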

Friday, 9 December 2011

SmartScreen Filter Going Too Far?

I was chatting to a friend earlier who had noticed requests for files on his server coming from unknown IP addresses. Nothing weird about that; it happens all the time...

BUT the files being requested had UNIQUE filenames known only to person-X and person-Y!

Looking into this, the issue is caused by IE9's SmartScreen protection. Files you download with IE are subsequently downloaded by a 3rd party, presumably for analysis. This could cause a serious breach of privacy and is DEFAULT behaviour.