bookmark_borderCC7F Round 1., during Hacktivity 2021

In a joint project we step to the next level with two rounds of CCTF. Harder challenges and highers prices wait for the players.

You can read more about us in the media:

https://finance.yahoo.com/news/cctf-organizers-awalcon-cryptall-partner-131600682.html

https://markets.businessinsider.com/news/stocks/cctf-organizers-awalcon-and-cryptall-partner-with-ecox-to-host-the-largest-blockchain-hacking-event-so-far-1030838702

bookmark_border4 Microsoft Exchange Server vulnerabilites

March is not a good month for Microsoft in 2021. At the beginning of March, Microsoft has given out warnings about critical unpatched Exchange Server vulnerabilities.

These vulnerabilities can infect tens of thousands of businesses, government entities in the U.S., in Asia, and in Europe. In addition, the number of targeted attacks have increased.

Outside of U.S, the malware also infected services in Norway, the Czech Republic, and the Netherlands. Attackers scan offensively Microsoft’s email servers, which represent high-value. This time the numbers of attacks were higher compared to last December’s SolarWinds hacking spree. The vulnerability allows breaking into Microsoft Exchange Servers and allows the installation of unauthorized web-based backdoors to facilitate long-term access.

Awalcon recommends updating or disconnecting the affected Exchange Servers immediately.

The vulnerability CVE-2021-26855 allows the bypass of authentication of an on-premises Microsoft Exchange Server that’s able to receive untrusted connections from an external source on port 443. The next vulnerabilities are CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065: these allow malicious parties to gain remote access to the vulnerable systems. It is an interesting fact that both CVE-2021-26855 and CVE-2021-27065 were reported in October 2020.

On March 12, 2021 Microsoft released an emergency patch for all the four security issues. As always, the bad news for the affected businesses: installing the patches is not enough if you have already been backdoored.

bookmark_borderGoogle Chrome zero-day vulnerability

Google has introduced an update to the Chrome browser and released a second patch within a month that fixes five vulnerabilities, including a zero-day vulnerability. One of the most important bugs can be traced as CVE-2021-21193 and affects the Windows, Linux, OS X versions of the browser.

This vulnerability was detected by an anonymous user, and through this bug an attacker can execute arbitrary code on the target system. The measuring of this error is  8.8 out of 10 on the CVSS scale. To avoid this security issue, update your Google Chrome browser at Settings -> Help -> About.

Why the browsers?
Browsers tend to evolve faster in many organizations than other applications, and browsers are a great way to reap the benefits, and attackers continue to target them because they continue to be excellent entry points for endpoint threats within the organization. In addition, the extensions are usually updated less frequently and require hardening to prevent further attacks.

What is a zero-day vulnerability?
Timing is most important here. The moment the flaw becomes known, hackers around the world can try to exploit it. Overall, programmers have zero days to find a solution to the issue, henceforth the term “zero-day vulnerability”.

This can take almost any form, such as missing data encryption, buffer overflows, missing permissions, SQL injection, broken algorithms, URL redirects, errors, or password security issues.

How protect yourself?
Here are some tips to help protect your business from these types of attacks:

Be informed: pay attention to software vendor spending, it may be time to take advantage of security measures or respond to threats before taking advantage of them

Take additional security measures: consider seeking the assistance of an experienced professional, as the safety measures mentioned above are not sufficient to fully protect you.

Keep your system up to date: make sure your software platforms are up to date. The best solution is to allow automatic updates so that the software is updated regularly without any manual intervention.

bookmark_borderA global start from Estonia

Awalcon becomes global in 2021. If you haven’t followed us during the first year, here are some active projects we are working on:

Awalcon Information Security and Blockchain Services

HODLBag DAO (will be presented first around mid-January)

CryptoCurrency (is) The Flag – CTF game, in a collaboration with our partners

CryptoZSH – Tools and configuration for ZSH users

2020 was not an easy year, but with clear goals and enthusiast people around, growth occurs even in the hardest times.

We are looking forward to go global in 2021!

bookmark_borderGuide for CCTF4 Hacktivity

We have organized (Awalcon, H.A.C.K. and QAN) CCTF for the fourth time and decided to provide a beginner guide. This helps you to get started with hacking a Ethereum smart contract. While going through the guide you will understand more about the logic of cryptocurrencies, blockchain and smart contract. For the crypto only part, please refer to the links at the end of the post.

Guide intro

Cryptocurrencies such as Bitcoin and Ethereum allow you to handle digital assets on decentralized networks. In most cases the assests are simply coins, but here is where Ethereum can provide you more: smart contracts. Imagine coding a program that you broadcast once to a decentralized network, it gets stored on the blockchain and can be called anytime in the future. Or imagine a business that does not have physical contracts, just virtual ones. All these are secure as long as somebody successfully cheats the consensus or exploits vulnerabilities in contrats. It may sound complicated for the first, but it is not. Let’s see a practical example.

Creating a wallet

Most of the Ethereum hacks (breaking smart contracts, accessing accounts without or with weak authentication, phishing) do not require more than a web browser and a bit of coding skills. For the start, only a FireFox or a Chromium/Chrome web broswer will be enough to connect to the test network and to use an addon which allows interacting with (maybe) your first live smart contract.

Open your FireFox or Chromium browser and install the MetaMask extension: https://metamask.io/. Currenly, MetaMask is the most commonly used software by end users to interact with Ethereum systems. After getting the extension, it either automatically opens up or you can open it from the top right bar in your browser. The first step of using MetaMask is to generate a wallet. At this point you are asked to provide a password. Preferably, use a passphrase that is like a sentence, but does not include words from dictionaries (example: “HaxxA11co|ns”). Choose wisely. Move on and read the phishing warning carefully. Finally you need to make sure the secret backup phrase that allows restoring the wallet is secured somewhere, of course in a place only you can access and see.

All is set, now you have an Ethereum wallet, an account.

Changing networks and faucets

MetaMask allows you to change between Ethereum networks. Please change to Ropsten and note that the game will be played there too.

Faucets provide free Ethereum for you on the test networks. Now it is time to get some from: https://faucet.ropsten.be/ (if it does not work, you can find other Ropsten faucets).

Coding and compiling a smart contract

Let’s compile an example smart contract and interact with it. Open https://remix.ethereum.org/ where you get an example contract written in Solidity language. Remix website has an inbuilt compiler and if you click on “Start to compile” it will compile the code. Now you can swith to the “Run” tab. If you have MetaMask running, then you should see “Injected web3” in the environment.

MetaMask injects the so called web3.js into each website you visit, that way the website can communicate with MetaMask (also think about that: is it a good idea to inject to all sites?).

Deploying a smart contract

Make sure your MetaMask account is unlocked, switched to “Ropsten” and you got a coin from the faucet. Then click on “Deploy”.

MetaMask pops you up a transaction which is actually the deployment of the compiled smart contract to the Ropsten Ethereum test network. Now you may wonder what “gas fee” is? Gas limits the computational efforts of the smart contract, meaning you cannot deploy a computational heavy infinite loop for free. You can only use a smart contract if enough gas is provided. If you are ready, click on “Confirm”.

Wait until the transaction changes from “Pending” state to “Confirmed”. This is indicated in MetaMask. The network needs time to make sure your conract is broadcasted and mined successfully. If you click on the transaction, you have a button “View transaction on Etherscan”: click on it and have a look at what happened.

Interacting with the contract functions

By going back to https://remix.ethereum.org/ you can start playing with the “Deployed Contracts”, under the “Run” tab. You can call the deployed smart contract’s functions one by one. Each call you initiate takes a transaction. The executed code runs on all of the Ropsten Ethereum nodes.

Congratulations, you have compiled your first smart contract and interacted with it.

Congratulations

You have seen the very basics now and it is time to think about what can go wrong… Weak passwords, MetaMask seeds all over the place, programmers making mistakes in smart contracts that you can call, logic, broken crypto problems and so on.

References, to learn more

Bitcoin white paper

Cryptography tutorial

Ethereum white paper

Ethereum beige paper (a readable version of the yellow paper)

History of Ethereum Security Vulnerabilities, Hacks and Their Fixes (2017 Sept.)

bookmark_borderState of the Art Phishing @Hacktivity

October is the month for IT security conferences and we are participating on them, as always. The presentation “State of the Art Phishing” has been accepted and will be presented online between October 8-10. More information will be shared on Hacktivity’s website: https://hacktivity.com/

Mostly a technical talk, but there will be many attacks discussed which can give good examples on what to defend against for non-techies too.

If you would like to keep up with the infosec news, six is posting regularly on his Mastodon and Twitter accounts:

https://noc.social/web/accounts/15777

six’s twitter for #infosec news

bookmark_borderIntroduction to IT Security services

If you are looking for a IT Security solutions which are realistic and usable, you are on the right place. With our expertise in the field, we provide services that improve both IT security and business processes – because real security starts with business considerations.

  • IT Security audits (processes and policies)
  • Penetration testing
  • Phishing Campaigns
  • IT Security Awareness training
  • Hardening
  • Consultation
  • Privacy recommendations