Wednesday, December 14, 2016

Uber Tracking your location after completing your Ride.



Uber has said that it will track your location for 5 minutes after you complete your ride.
It claims this will improve the consumer experience, since location is key to its business.

Until now we did not know how long it had been tracking users after their rides ended. I did happen to read the Wired article about Uber's "God View" and how it was a source of entertainment at parties :|
Yes, the Uber app can also track your location while running in the background.



To disable the tracking, you will need to disable the location permission on your phone,
either for all your apps or specifically for Uber (Android Marshmallow and above).


Friday, December 9, 2016

Rise of the Mirai Botnet






Mirai is the botnet you might have heard of as the one that knocked Dyn out of action.
That's right, it is the recruiter of an army of zombies, i.e. unsecured internet-connected devices.

Internet-connected devices such as your computer, router, webcam etc. are all vulnerable to this malware.

The malware follows a simple strategy for compromising internet-connected devices:

Take over the device

It uses the default username and password of the device to gain access and adds the device to its army.
It also uses a brute-force dictionary attack to guess passwords.

Clear the hurdles

Mirai also kills any existing malware on the device so that it maximizes its own potential. It also blocks
remote login so that it cannot be stopped in the middle of an attack.

Execute

Once Mirai is in control of the device, it waits for commands from the central server and executes them.


The do-not list:
It also has a list of targets it refrains from scanning (for an unknown purpose, or to avoid attracting attention).

Once the botnet has enough devices in its army, it begins attacking the target via DDoS.



How to prevent Mirai?

Change the default / weak passwords on your devices.

Disable remote login / WAN access (if not used).
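The takeover stage above (default credentials and dictionary brute force against a device's telnet login) leaves a recognisable trail in the device's log. The following is an added example, not code from the post or from the Mirai source: it parses constructed syslog-style telnetd lines (the log format, hostnames and addresses are assumptions) and flags any source that fails many logins in a short window, plus whether that source later logged in successfully.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the post). Format and addresses are assumed;
# syslog lines carry no year, so 2016 is supplied when parsing.
SAMPLE_LOG = """\
Dec  9 10:00:01 cam01 telnetd: login failed for user 'root' from 203.0.113.5
Dec  9 10:00:02 cam01 telnetd: login failed for user 'admin' from 203.0.113.5
Dec  9 10:00:02 cam01 telnetd: login failed for user 'support' from 203.0.113.5
Dec  9 10:00:03 cam01 telnetd: login failed for user 'root' from 203.0.113.5
Dec  9 10:00:04 cam01 telnetd: login failed for user 'root' from 203.0.113.5
Dec  9 10:00:05 cam01 telnetd: login succeeded for user 'root' from 203.0.113.5
Dec  9 10:05:00 cam01 telnetd: login failed for user 'root' from 198.51.100.7
Dec  9 11:30:00 cam01 telnetd: login succeeded for user 'admin' from 192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ telnetd: login "
    r"(?P<result>failed|succeeded) for user '(?P<user>[^']*)' from (?P<src>[\d.]+)$"
)


def parse(log_text, year=2016):
    """Turn matching log lines into (timestamp, src, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def find_bruteforce(events, threshold=4, window_seconds=60):
    """Flag sources with >= threshold failed logins inside a sliding window.

    Returns {src: {"failures": peak count in window,
                   "login_after_bruteforce": True if a success followed}}.
    """
    recent = defaultdict(list)   # src -> timestamps of failures still in window
    alerts = {}
    for ts, src, _user, result in sorted(events):
        if result == "failed":
            recent[src].append(ts)
            recent[src] = [t for t in recent[src]
                           if (ts - t).total_seconds() <= window_seconds]
            if len(recent[src]) >= threshold:
                entry = alerts.setdefault(
                    src, {"failures": 0, "login_after_bruteforce": False})
                entry["failures"] = max(entry["failures"], len(recent[src]))
        elif result == "succeeded" and src in alerts:
            # A successful login right after a burst of failures is the
            # signal that the device may now be part of the botnet.
            alerts[src]["login_after_bruteforce"] = True
    return alerts


if __name__ == "__main__":
    for src, info in find_bruteforce(parse(SAMPLE_LOG)).items():
        print(src, info)
```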


Attack on Dyn.
Dyn is a DNS management service that handles the lookup of domain names to IP addresses.
Since this DNS infrastructure was attacked by the Mirai botnet, DNS lookups failed and sites like Amazon, Twitter and many others were unreachable for consumers.

The attack was mitigated using scrubbing services (traffic is rerouted to other servers or data centres that separate fake traffic from real traffic).
Rebooting the infected devices also stops the attack.

The source code has been released on one of the hacker forums and is mirrored here:
https://github.com/jgamblin/Mirai-Source-Code


Thursday, December 1, 2016

Watchout for Gooligan- Check if you are affected now!



Gooligan is a malware that affects Android phones, particularly versions 4 and 5. It was first reported in mid-2016. It steals the authentication tokens of your Google accounts (Drive, Mail etc.) and installs adware, which in turn generates revenue for the installed apps.

More details: https://plus.google.com/+AdrianLudwig/posts/GXzJ8vaAFsi

List of apps installed by Gooligan: http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/

Check here whether your account has been compromised:
https://gooligan.checkpoint.com/

If you find your account is compromised, it would be safest to do a clean install of the OS on your phone; a factory reset alone won't get you that far. Also change the passwords of your Google accounts immediately. Gooligan does not access user data, nor does it modify OS / system files.

Use the Google Play Store to download apps and be careful when installing apps from third-party websites.

Sunday, November 27, 2016

Paytm POS app rolled back on Security Concerns


Paytm, which has been in the news ever since the demonetisation drive in India, had rolled out a POS app. The app has been rolled back, citing security concerns raised by the concerned parties.

The current app allows payment via QR code: the customer scans the merchant's QR code with the app to make the payment, transferring money instantly to the destination account / wallet. This is a secure way to pay because QR-code payments use tokens for the transaction.

What was the problem with the new POS app?



The new feature would require the customer to key in their card number and PIN into the Paytm app on the merchant's device.

As we know, key loggers and other screen-grabbing software can be installed by the merchant on their own device. The unaware customer keys their card details into the merchant's Paytm app without realising that a key logger is recording them, and so the customer's card data is compromised.

Paytm has said repeatedly that it is PCI DSS (Payment Card Industry Data Security Standard) compliant and conducts several security audits. One of the main requirements for complying with PCI DSS is that the merchant should not hold customers' card data in its systems. While it may be true that Paytm does not hold customer card data, this new feature would let the customer pay by entering card details just like on any e-commerce site's payment page. You face the same risks as when entering card details online, plus the added risk that the payment is made not on your device but on the merchant's.


Many would agree that the same type of attack can be performed on a POS terminal by installing malware / malicious code. It is true that such an attack is possible, but it requires deep knowledge of how the PED / POS device works and of how to post / transmit the captured data. There are encrypted PED / POS devices, but even they can be infused with malicious code. The hack (if you would like to call it that) is not universal across devices, though: there are many POS vendors on the market, each with a different set of instructions / operations, so hacking such a device needs extensive knowledge of the device and of the system it is placed in.

In the case of the POS in the Paytm app, however, it is vulnerable to key loggers, and performing a keylogging attack does not need an expert. It is fairly easy to install an app from the app store and have the keystrokes entered on the device mailed out at a set interval.

Paytm has said that it will roll out the app again after getting additional certifications.


Wednesday, November 23, 2016

BlackNurse - A new variant of DDOS



This new attack was discovered by TDC engineers: http://www.blacknurse.dk/

The attack is along the lines of an ICMP flood. A classic ICMP flood involves flooding the target with a large amount of traffic, whereas BlackNurse requires very little ping traffic, leveraging ICMP Type 3 Code 3 (Destination Port Unreachable).

An attack from a single laptop can reach up to 180 megabits per second and effectively bring down the firewall. The attack is effective against Cisco and Palo Alto devices, and a few more. It is only possible if you allow ICMP Type 3 Code 3 on your outside interfaces.

http://soc.tdc.dk/blacknurse/blacknurse.pdf

Test your system with this proof-of-concept code to check whether you are vulnerable:
https://github.com/jedisct1/blacknurse

If vulnerable, check your vendor's website for mitigations.

Worst case: your router crashes during the flood and comes back up once the flooding stops.
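Because the attack is distinguished by its ICMP type and code rather than by volume, a defender can spot it by counting Type 3 Code 3 packets per source per second on the outside interface. The following is an added example, not code from the post or from the TDC / PoC authors: it decodes raw IPv4 + ICMP headers from a constructed capture and reports sources whose Type 3 Code 3 rate exceeds a threshold (the 1000 packets-per-second threshold and the addresses are assumptions, not figures from the post).

```python
import struct
from collections import Counter


def build_icmp_packet(src, dst, icmp_type, icmp_code):
    """Minimal IPv4 header + ICMP header used as constructed test input.
    Checksums are left zero because the detector never validates them."""
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 28, 0, 0, 64, 1, 0,                 # v4/IHL=5, len 28, TTL 64, proto 1
        bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    icmp_header = struct.pack("!BBHHH", icmp_type, icmp_code, 0, 0, 0)
    return ip_header + icmp_header


def parse_icmp(packet):
    """Return (src_ip, icmp_type, icmp_code) or None if not an IPv4 ICMP packet."""
    if len(packet) < 20:
        return None
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4            # header length in bytes (options included)
    if packet[9] != 1 or len(packet) < ihl + 2:
        return None                       # protocol 1 is ICMP
    src = ".".join(str(b) for b in packet[12:16])
    return src, packet[ihl], packet[ihl + 1]


def detect_blacknurse(timed_packets, pps_threshold=1000):
    """timed_packets: iterable of (timestamp_seconds, raw_bytes).
    Returns {src: peak_pps} for sources whose ICMP Type 3 Code 3 rate reaches
    pps_threshold in any one-second bucket. Ordinary echo traffic and the
    occasional legitimate port-unreachable reply are ignored."""
    buckets = Counter()
    for ts, pkt in timed_packets:
        parsed = parse_icmp(pkt)
        if parsed and parsed[1] == 3 and parsed[2] == 3:
            buckets[(parsed[0], int(ts))] += 1
    peak = {}
    for (src, _second), n in buckets.items():
        if n >= pps_threshold:
            peak[src] = max(peak.get(src, 0), n)
    return peak


def sample_capture():
    """Constructed capture: one host sends 1500 Type 3 Code 3 packets within a
    second, another sends a handful of genuine ones, a third sends an echo."""
    pkts = [(i / 1500.0, build_icmp_packet("203.0.113.9", "192.0.2.1", 3, 3))
            for i in range(1500)]
    pkts += [(0.5 + i, build_icmp_packet("198.51.100.2", "192.0.2.1", 3, 3))
             for i in range(5)]
    pkts.append((0.2, build_icmp_packet("192.0.2.50", "192.0.2.1", 8, 0)))
    return pkts


if __name__ == "__main__":
    print(detect_blacknurse(sample_capture()))
```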

Saturday, November 12, 2016

Load testing on a single server - JMeter



Application: w3wp.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.AccessViolationException
   at System.Threading.Thread.InternalCrossContextCallback(System.Runtime.Remoting.Contexts.Context, IntPtr, Int32, System.Threading.InternalCrossContextDelegate, System.Object[])
   at System.Runtime.Remoting.Channels.CrossContextChannel.SyncProcessMessage(System.Runtime.Remoting.Messaging.IMessage)
   at System.Runtime.Remoting.Proxies.RemotingProxy.CallProcessMessage(System.Runtime.Remoting.Messaging.IMessageSink, System.Runtime.Remoting.Messaging.IMessage, System.Runtime.Remoting.Contexts.ArrayWithSize, System.Threading.Thread, System.Runtime.Remoting.Contexts.Context, Boolean)
   at System.Runtime.Remoting.Proxies.RemotingProxy.InternalInvoke(System.Runtime.Remoting.Messaging.IMethodCallMessage, Boolean, Int32)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(System.Runtime.Remoting.Proxies.MessageData ByRef, Int32)
   at .....followed by application exception 

When I was running my load tests using JMeter against a single server (usually I run against a load balancer, but for some reason wanted to know the), I happened to get this weird error repeatedly, with a 100% error rate in JMeter. The application I was testing was a WCF service hosted on IIS.

My first instinct was to check whether the error had occurred because of my recent changes. I checked the Event Viewer, which showed that this error was occurring very rarely.

It took a lot of googling that ended up with nothing, so I decided to check the IIS 7 configuration.

I found the root cause of the failure: a few configurations that had to be changed in IIS.


Configuration:

IIS queue length: the default value is 1000, so after 1000 active connections any new connections will be served a 503 error.

IIS rapid fail protection: by default this is set to true, so after 5 application errors the app pool goes down.

To sum up: since I ran the load test for 'n' users, the default IIS queue was overloaded, with many requests exceeding the default queue size of 1000, which returns application errors; the other setting, "Rapid Fail Protection", then pulls down the app pool.

This error occurred only because I load tested a single server with a connection limit of 1000 in IIS.

I increased the queue size to the maximum value of 9000, disabled Rapid Fail Protection and ran the same load test. It fixed the problem and worked well: I saw an error rate of less than 0.3% for a very large sample, and the above error never occurred again. It turns out it only occurred because I ran the load test against a single server. But it did point out to me that all the servers had the default queue size of 1000, and under actual load all of them would have gone down.

So to conclude, I believe the above error was a memory error. If you faced the same error, please post below what you did to fix it.
Here are the configurations for IIS 7.0 as suggested by Microsoft. Be careful to apply only what your application needs; not every setting is good for you.

Monday, November 7, 2016

SoapUI hosting on Tomcat error

06-Nov-2016 14:18:34.624 SEVERE [http-nio-9092-exec-2] org.apache.catalina.core.ApplicationContext.log StandardWrapper.Throwable
 java.lang.NoClassDefFoundError: Could not initialize class com.eviware.soapui.impl.wsdl.support.http.HttpClientSupport
at com.eviware.soapui.DefaultSoapUICore.initSettings(DefaultSoapUICore.java:361)
at com.eviware.soapui.DefaultSoapUICore.init(DefaultSoapUICore.java:129)
at com.eviware.soapui.DefaultSoapUICore.<init>(DefaultSoapUICore.java:114)
at com.eviware.soapui.mockaswar.MockAsWarServlet$MockServletSoapUICore.<init>(MockAsWarServlet.java:317)
at com.eviware.soapui.mockaswar.MockAsWarServlet.init(MockAsWarServlet.java:71)
at javax.servlet.GenericServlet.init(GenericServlet.java:158)
at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1183)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1099)
at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:779)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:133)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:108)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:349)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:784)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:802)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1410)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Unknown Source)

This is the error I got on SoapUI 5.2.1 when trying to deploy a WAR file containing a mock service on Apache Tomcat 8.5.

This issue is caused by the hosting service being unable to find some JAR files required to host the service. It can be fixed by ensuring SoapUI has internet access. Once I ran it on a system with internet access, it worked fine.

If your system has no internet access, you can use SoapUI itself to host the mock service, with logging disabled; it is good enough to run a load test against. The response time I saw was 0.1 ms.

Friday, November 4, 2016

Managing VirtualBox Better


Getting the best out of the painful VM – VirtualBox

After struggling for a long time with a slow VM and frequent crashes, I found a few tips from various websites that help the VM run better.
This post contains the following:

  • Tweaks for a better VM
  • Installing Ubuntu or any other Linux / OS on VirtualBox.
  • Misc



Below are a few tweaks that can be done to prevent the VM from crashing and to make it perform better.

(It is better to have a fresh vmdk file before applying the following settings.)

Go to
Machine -> Settings -> System.

Set Base Memory to the maximum of the green range.

Switch to the Processor tab.

Set the CPUs to 2 or the green level.
Set the Execution Cap below it to 100%.

Switch to the Acceleration tab.
Check both options under Hardware Virtualization.

Go to Display.
Set Video Memory to 128 MB in the Video tab.


Other things to do:

  • Take a snapshot of the fresh install (initial install) – you can restore to any previous snapshot and avoid losing your entire VM.
  • Run Disk Defragmenter every week on your VM.
  • Save the machine state; do not shut down every time.
  • Always choose a fixed disk size to prevent space and performance issues.



In case of network issues:

Go to Machine -> Settings -> Network
Change Adapter 1 to Attached to: Bridged (works sometimes; this is due to network issues.)

Installing a Linux VM on your own.

Download the Ubuntu or any other Linux distro ISO file.

http://linuxlookup.com/linux_iso


  • Start VMware.

  • From the File menu select "Create a New Virtual Machine".

  • Choose to install the operating system later. Click "Next".

  • Select Linux as the "Guest Operating System" and then choose Ubuntu as the "Version". Click "Next".

  • Provide a "Virtual machine name" and "Location" where the machine will be stored on the Windows host. The defaults are fine here. Click "Next".

  • For "Maximum disk size (GB)" it is good to start with 40G if possible. This means that it will take up 40G on the Windows host, so make sure the host has at least this much free before proceeding. It is also good practice to tell VMware to split the virtual disk into 2G files; this makes the image easier to copy and transport if necessary. Click "Next".

  • Click "Finish" to complete the creation of the virtual machine.

  • Settings -> Storage -> select the disk icon.

  • On the right, under Attributes, browse to the ISO you downloaded. Click OK.

  • Now boot up the Ubuntu VM and install normally, as you would any OS.

  • After installation, you will be prompted to reboot.

  • Go to Machine -> Settings -> Storage -> select the disk icon.

  • On the right, under Attributes, select the disk image and remove the ISO.

  • Now boot up your VM again. You can use Ubuntu.


MISC:
Cloning:
When you want to clone the VMDK file. (Time consuming; do not do it unless extremely necessary.)
Grouping boxes:
Group -> Group (for better classification)


Tuesday, October 25, 2016

Secure your site using Cloudflare for free

Want to secure your site immediately given the rise in DDoS attacks?
Use Cloudflare.

What is Cloudflare?

It is a CDN (Content Delivery Network) with added security measures.

In short, it caches your website content across all its servers around the world so that it can serve your website's consumers more quickly.


It also protects your site from DDoS attacks, spam bots and SQL injection. There are many players in the CDN market, led by Akamai.

Using Cloudflare is known to improve both the performance and the security of your website.
The process is fairly simple. Try it out.


Monday, October 17, 2016

Ransomware Risk Mitigation


RANSOMWARE:
Malware that locks / encrypts your system / files and requires you to pay a ransom to decrypt / unlock them.


RANSOMWARE is a serious issue addressed by all the AV companies and by security agencies like the FBI.
The average ransom demand is now $679.

RANSOMWARE targets end users, and attacks on enterprise users are on the rise, usually via spear-phishing emails.


Stages of RANSOMWARE:

Infection: the script / program / exe file that contains the code to encrypt all your system files gets onto the system.

Search & encrypt: most of the time the target file types are configured. The script searches for system files, .docx, .xlsx and other specified files and starts encrypting them.

Notification: the user of the affected system is notified that the system is locked and a ransom needs to be paid,
along with a countdown timer indicating the time left to pay, after which you will never be able to recover the data.


RANSOMWARE is not a virus.

RANSOMWARE informs the user after the attack and requires you to pay up to free your data, which is held to ransom.

Why isn't your antivirus / security suite enough?
AVs work by signature recognition of a file / program to decide whether it is a good egg or a bad one.

There are quite a few famous RANSOMWARE families such as TesCrypt, Locky, Waltrix etc. But the main problem is that there are many custom RANSOMWARE variants, which renders signature recognition useless.


Ransomware has gained a lot of steam in the past year. It has even evolved into "Ransomware as a Service", sold on the market like any other software service. One might also witness intense competition between rival groups, with each group leaking the decryption keys of its rivals.


Preventing a RANSOMWARE Attack:

Employee training: most employees working in enterprises / the health industry are not aware of RANSOMWARE. They need to be made aware and trained in how to prevent and report such an occurrence.

Phishing: beware of phishing emails. RANSOMWARE can also be hidden in macros and sent via email as something like "2016 Store Rollout Plan.xlsx" (something that looks genuine). Macros have virtually unlimited ability to execute a program or script. Disable macros when not required.

Click bait: many links are laced with RANSOMWARE infections, causing the script / payload to download via JavaScript and other means and infect the system.

Internet: if you notice that files are being encrypted, disconnect from the internet immediately and power off the system. This will help prevent the infection spreading. Also disconnect any network drives connected to the system, as RANSOMWARE tends to go after them too.

Backup: have a scheduled backup taken often. In case of a RANSOMWARE infection the system can be restored from the backup / Windows restore. Beware that some RANSOMWARE even encrypts the shadow copies / backup files.

Public Wi-Fi: beware of public Wi-Fi; it is best to avoid using it for official work. Using a man-in-the-middle attack via a Pineapple router, an attacker can easily push the infection to your system.

Update: keep your system patched and keep the software and applications you use regularly up to date, to safeguard against the latest vulnerabilities.

Show hidden file extensions: this can prevent the user from running an exe file disguised as a video or picture file.

Misc: you will need a behaviour-driven detection system that looks for malicious activity by a program or a user. Since a RANSOMWARE attack can be unique every time, such a detection system will truly serve the purpose. Ex: https://www.barkly.com/
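The "search & encrypt" stage and the behaviour-driven detection mentioned above can be illustrated with a simple heuristic: a process that, within a short window, overwrites many document paths with content whose byte entropy is close to that of ciphertext is behaving like a file encryptor, whatever its signature. The following is an added example, not code from the post or from any vendor product: it runs that heuristic over constructed file-write events (process names, paths, window and thresholds are assumptions).

```python
import math
import random
from collections import defaultdict, deque
from pathlib import PureWindowsPath

# Extensions a document-focused encryptor typically goes after (assumed list).
DOC_EXTS = {".docx", ".xlsx", ".pdf", ".jpg", ".txt"}


def shannon_entropy(data):
    """Bits per byte: close to 8 for ciphertext, usually 4-6 for documents."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def touches_document(path):
    """True if any suffix is a document extension, so 'report.docx.locked'
    (a renamed, encrypted document) still counts."""
    return bool(DOC_EXTS & set(PureWindowsPath(path).suffixes))


def flag_encryptors(events, window=30, min_files=5, entropy_threshold=7.0):
    """events: (timestamp_seconds, process, path, written_bytes), time-ordered.
    A process is flagged once it writes high-entropy content over at least
    min_files distinct document paths inside any `window` seconds.
    Returns {process: peak number of such writes seen in one window}."""
    recent = defaultdict(deque)   # process -> (ts, path) of suspicious writes
    flagged = {}
    for ts, proc, path, data in events:
        if not touches_document(path) or shannon_entropy(data) < entropy_threshold:
            continue
        q = recent[proc]
        q.append((ts, path))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len({p for _, p in q}) >= min_files:
            flagged[proc] = max(flagged.get(proc, 0), len(q))
    return flagged


def sample_events():
    """Constructed events: a word processor saving text, an unknown process
    replacing six documents with random bytes, and a backup tool writing a zip
    (high entropy, but not a document path, so it is not flagged)."""
    rng = random.Random(1)
    ciphertext = bytes(rng.getrandbits(8) for _ in range(4096))
    text = b"Quarterly revenue and headcount figures for the retail division. " * 60
    events = [(0, "winword.exe", r"C:\Users\a\Documents\notes.docx", text)]
    for i in range(6):
        events.append((10 + i, "updater.exe",
                       rf"C:\Users\a\Documents\report{i}.docx.locked", ciphertext))
    events.append((20, "backup.exe", r"C:\Backups\archive.zip", ciphertext))
    return events


if __name__ == "__main__":
    print(flag_encryptors(sample_events()))
```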


In case you are attacked:
  • Inform the authorities.
  • Isolate the system from the network.
  • There are many free tools out there that might help you unlock your files. You may try them. Ex: Trend Micro Crypto-Ransomware File Decryptor Tool
  • Paying the ransom should be your last option. Many organisations have ended up paying, and in many cases the decryption key is not provided even after payment.

References: Osterman Research