Friday, May 22, 2015

Online banking vulnerabilities in 2014: Authentication, Authorization and Android

Today the security for online banking (OLB) is insufficient. High severity vulnerabilities in the source code and multiple flaws in authentication and authorization mechanisms of systems allow remote attackers to execute unauthorized transactions or take complete control of an affected system. This has the potential to cause both financial and reputation damage.

In this article we present some results of the research on OLB vulnerabilities discovered by Positive Technologies experts in 2013 and 2014 in the course of security assessments for a number of the largest Russian banks.

Tuesday, May 19, 2015

Schneider Electric Thanks the Winner of the Positive Hack Days Hacker Contest

Early April, Schneider Electric has released several updates and patches fixing vulnerabilities in the software used for creating SCADA and HMI systems at nuclear power plants, chemical plants and other critical units.

The vulnerabilities which even a novice attacker could exploit were found in InduSoft Web Studio, InTouch Machine Edition 2014 as well as previous versions of these products. Among bugs fixed — arbitrary code execution and non-encrypted storage/transfer of sensitive data. The vendor recommends downloading the new patches as soon as possible.

Ilya Karpov and Kirill Nesterov, Positive Technologies researchers, detected the vulnerabilities during an ICS security analysis. Meanwhile, many bugs in those products were independently revealed by the participants of the Critical Infrastructure Attack contest held in May 2014  at the international infosec conference Positive Hack Days IV.

Monday, February 16, 2015

The research: Mobile Internet traffic hijacking via GTP and GRX

Most users assume that mobile network access is much safer because a big mobile-telecoms provider will protect subscribers. Unfortunately, as practice shows, mobile Internet is a great opportunity for the attacker.

Positive Technologies experts have detected vulnerabilities in the infrastructure of mobile networks, allowing an attacker to intercept unencrypted GPRS traffic, spoof the data, block the Internet access, and determine the subscriber's location. Not only cell phones are exposed to threats, but also special devices connected to 2G/3G/4G networks via modems: ATM machines and payment terminals, remote transport and industrial equipment control systems, telemetry and monitoring tools, etc.

Friday, February 6, 2015

How to Protect Yourself From an IE Zero-day Vulnerability That is Threatening Your Website

A new, previously unknown cross-site scripting vulnerability in Microsoft Internet Explorer, which lets remote users bypass the same-origin policy and inject arbitrary JavaScript into HTML pages, was revealed yesterday by

Researchers from published sample exploit code to demonstrate how to hack — Great Britain’s  leading online daily newspaper.  A specially formed link takes users to, followed by the message “Hacked by Deusen”.

Message on website

Thursday, January 29, 2015

GHOST(dot)WEB: The First Blood

The Positive Technologies researchers report there is a working exploit for GHOST vulerability against the popular phpBB forum. The exploit in gethostbyname function allows an attacker to gain full control over an operating system of the vulnerable server.  PhpBB is a well-known forum tool for websites. A quick Google search shows that this system is currently installed in more than 800,000 websites.

Of course, not all of them are vulnerable to GHOST, as it requires that several factors be taken into account. However, rich mechanisms to maintain host identification allow an attacker to create a specially crafted exploit via http and achieve almost 100% success in conducting this attack.

Monday, January 19, 2015

Hacking ATM with Raspberry Pi

First days of new year came with the warning about a new class of ATM fraud named "black box attack". The crooks gain physical access to the top of the cash machine, connect their own computer to the the cash dispenser and force it to spit out cash, Krebs OnSecurity reports. In fact, this technics isn't so new. The Positive Technologies experts Olga Kochetova and Alexey Osipov showed similar attacks on ATM at Black Hat Europe 2014 in Amsterdam.

Thursday, January 15, 2015

iOS Blocking — Do Not Give In to Cyber Blackmail!

Another scandal beside the one with celebrity nude photo leaks seems to break out soon. Recently, many owners of Apple phones and tablets have faced iCloud account blocking. Accounts are blocked by Apple itself in response to continuous bruteforce attempts. Positive Technologies experts warn you of iCloud blocking attacks conducted for the sake of blackmail and ask to ignore suspicious emails.

Nowadays cybercriminals are very attentive to information security researches — celebrity photos appeared on the Internet right after Andrey Belenko published his report "iCloud Keychain and iOS 7 Data Protection". Following notorious photo publications, Apple restricted the number of login attempts. Once all of them fail, an account gets blocked.