Happy Holidays for Hackers

Quoting SecurityWeek:

The holiday season is well underway and so is the shopping frenzy. In an effort to avoid the crowds and save time, many consumers are turning to online shopping. In fact, Adobe's new 2015 Holiday Shopping Report finds that online shoppers will spend $83 billion dollars this year (up 11 percent from last year), an average of $305 each. That means more than 270 million shoppers will be making purchases online.


ISIS: The Islamic State releases its own smartphone app

The Islamic State has released its own app for Android smartphones, which it uses to spread propaganda, including videos of beheadings and messages about terrorist attacks in various parts of the world.

The existence of the app was uncovered by the Ghost Security Group, a vigilante collective that aims to disrupt Isil’s online operations.

Rather than using the Google Play Store, which would allow Google to take it down, Isis is distributing installation links through encrypted Telegram app messages.

Although thousands of Twitter accounts have been taken down, and Telegram has banned dozens of Isil channels, the use of its own app would allow Isil to avoid such attempts to police and block its communications.

The Republic of Kazakhstan requires all Internet users to install new communications certificate

Will we allow this to happen in the US?

Kazakhtelecom JSC gives notice of the introduction of the national security certificate from 1 January 2016

From 1 January 2016, pursuant to the Law of the Republic of Kazakhstan «On communication», the Committee on Communication, Informatization and Information of the Ministry for Investments and Development of the Republic of Kazakhstan introduces the national security certificate for Internet users.

According to the Law, telecom operators are obliged to pass traffic using protocols that support coding with the security certificate, except for traffic coded by means of cryptographic information protection on the territory of the Republic of Kazakhstan.

The national security certificate will ensure the protection of Kazakhstan users when they use coded access protocols to foreign Internet resources.

According to Nurlan Meirmanov, Managing Director for Innovations at Kazakhtelecom JSC, Internet users shall install the national security certificate, which will be available through Kazakhtelecom JSC Internet resources. «The user shall go to the site telecom.kz and install this certificate following the step-by-step installation instructions», N. Meirmanov stressed.

Kazakhtelecom JSC draws special attention to the fact that installation of the security certificate can be performed on each device of a subscriber from which Internet access will be performed (mobile telephones and tablets based on iOS/Android, PCs and notebooks based on Windows/MacOS).

Detailed instructions for installation of the security certificate will be posted on the site telecom.kz in December 2015.

PR department
Kazakhtelecom JSC

  • Kazakhstan Announces Plan to Spy on Encrypted Internet Traffic

http://motherboard.vice.com/read/kazakhstan-announces-plan-to-spy-on-encrypted-internet-traffic
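A root certificate installed "on each device" is trusted for every HTTPS site, so the practical defender's check is whether a root has appeared in the trust store that was not there when the device was known to be clean. The script below is an added example, not part of the original notice or the Motherboard article: it snapshots the roots Python's ssl module trusts and reports any root missing from a saved baseline. The certificate dicts in it are constructed sample data in the format ssl.SSLContext.get_ca_certs() returns; the organization and common names are invented placeholders, not the real Kazakh certificate.

```python
"""Audit the root-CA trust store that Python's ssl module loads against a saved baseline.

Added example, not part of the original post. KNOWN_ROOT and NEW_ROOT are constructed
sample entries in get_ca_certs() dict form; their names are placeholders.
"""
import json
import ssl


def name_to_str(name) -> str:
    """Flatten ssl's tuple-of-tuples name form, e.g.
    ((('countryName', 'US'),), (('commonName', 'X'),)) -> 'countryName=US, commonName=X'."""
    return ", ".join(f"{attr}={value}" for rdn in name for attr, value in rdn)


def cert_identity(cert: dict) -> str:
    """Stable identity for a root: its subject plus serial number (both in the dict form)."""
    return f"{name_to_str(cert['subject'])} | serial={cert.get('serialNumber', '?')}"


def snapshot(certs) -> list:
    """Baseline to save (e.g. as JSON) while the device is known to be clean."""
    return sorted({cert_identity(c) for c in certs})


def unexpected_roots(certs, baseline) -> list:
    """Roots present now that were absent from the baseline, i.e. what appears after
    following 'step by step installation instructions' for a new national certificate."""
    return sorted({cert_identity(c) for c in certs} - set(baseline))


def live_roots() -> list:
    """Roots Python's ssl module trusts on this machine (the platform store on Windows,
    OpenSSL's default paths elsewhere; the macOS/iOS keychains are a separate store)."""
    return ssl.create_default_context().get_ca_certs()


# Constructed sample data: one pre-existing public root and one newly installed root.
KNOWN_ROOT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Root CA"),),
                (("commonName", "Example Root CA"),)),
    "serialNumber": "01",
}
NEW_ROOT = {
    "subject": ((("countryName", "ZZ"),),
                (("organizationName", "Hypothetical National Operator"),),
                (("commonName", "Hypothetical National Security Certificate"),)),
    "serialNumber": "1000",
}

if __name__ == "__main__":
    baseline = snapshot([KNOWN_ROOT])            # taken earlier, on a clean device
    print("unexpected:", unexpected_roots([KNOWN_ROOT, NEW_ROOT], baseline))
    # Against the real machine: save snapshot(live_roots()) once, then re-run
    # unexpected_roots(live_roots(), saved_baseline) periodically.
    print(json.dumps(snapshot(live_roots())[:3], indent=2))
```

The identity key is subject plus serial number rather than a fingerprint because the dict form of get_ca_certs() carries no hash; if you need fingerprints, call get_ca_certs(binary_form=True) and hash the DER bytes instead. Note that on iOS and macOS the certificate the notice asks users to install lands in the system keychain, which this script does not read; the same baseline-and-diff approach applies there with the platform's own tools.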

AOL Desktop MiTM Remote File Write and Code Execution

If you know someone that still uses AOL, share the link!

Long story short, it may be long past the time to give it up…


AOL Desktop is “the all-in-one experience with mail, instant messaging, browsing, search, content, and dial-up connectivity”. It is the direct successor of the old Windows AOL clients from the 1990s.

Issues in AOL Desktop, version 9.8.1 and below, that have existed since 1993, can be exploited by an entity in a man-in-the-middle position to write files to disk and cause remote command execution.

FDO91 – “Form Definition Order” http://mazur-archives.s3.amazonaws.com/aol-files/fdo91/tutorial_faq.html

AOL: FDO stands for Form Definition Operator. AOL communicates using this programming language. For example, after clicking any icon or button in AOL, FDO code is sent by the AOL system and interpreted by your AOL to create a window. So, the FDO language is the language used to describe forms on the AOL client. This site has a focus on learning how to program in FDO and provides a surfeit of examples and tutorials for those who want to learn.

They use a compiled homegrown scripting language. No authentication is done on any packets sent, and the client will execute any FDO it is sent by the server.

Some FDO opcodes are interesting from an attacker’s perspective. The fm_* series of opcodes (the File Management protocol, 0x08xx), have existed since the very first version of AOL for Windows from 1993. This series of opcodes enables reading from and writing to disk.

The async_exec_app opcode (0x0d19) takes a string operand, and executes the command in that string. This opcode has existed since version 2.0 of AOL for Windows, from 1994.
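The root cause described above is that the client obeys every opcode it receives without any proof that the server sent it, so an on-path attacker can substitute a file-write or async_exec_app frame for whatever was in flight. The following toy model is an added example, not the researchers' code and not AOL's wire format: the u16 opcode / u16 length framing, the session key and the SHOW_FORM opcode are constructed for illustration, while 0x08xx (fm_*) and 0x0d19 (async_exec_app) are the opcode numbers quoted on the page. Nothing here runs a command; "EXEC" is returned as a string. It contrasts the unauthenticated dispatch with a client that verifies an HMAC before parsing and denies file and exec opcodes by default.

```python
"""Toy model of an unauthenticated opcode stream versus an authenticated one.

Added example: framing, key and SHOW_FORM are constructed; 0x08xx and 0x0d19 are the
opcode numbers quoted in the advisory. dispatch() only describes the action it would take.
"""
import hashlib
import hmac
import struct

ASYNC_EXEC_APP = 0x0D19      # quoted on the page: executes its string operand
FM_FAMILY = 0x0800           # fm_* file-management opcodes share the 0x08 high byte
SHOW_FORM = 0x0001           # hypothetical harmless UI opcode
TAG_LEN = 32                 # HMAC-SHA256 output length


def encode(opcode: int, operand: bytes) -> bytes:
    """Constructed framing: big-endian u16 opcode, u16 operand length, operand bytes."""
    return struct.pack(">HH", opcode, len(operand)) + operand


def decode(msg: bytes):
    if len(msg) < 4:
        raise ValueError("frame too short")
    opcode, length = struct.unpack(">HH", msg[:4])
    operand = msg[4:4 + length]
    if len(operand) != length:
        raise ValueError("truncated operand")
    return opcode, operand


def dispatch(msg: bytes) -> str:
    """What the client does with a frame; returns a description instead of acting."""
    opcode, operand = decode(msg)
    if opcode == ASYNC_EXEC_APP:
        return f"EXEC {operand.decode()}"          # a real client would spawn this
    if (opcode & 0xFF00) == FM_FAMILY:
        return f"FILE-OP {operand.decode()}"       # a real client would touch disk
    return f"UI opcode {opcode:#06x}"


def legacy_client(msg: bytes) -> str:
    """The behaviour the advisory describes: no authentication, every opcode is obeyed,
    so whoever sits between client and server decides what runs."""
    return dispatch(msg)


def sign(key: bytes, msg: bytes) -> bytes:
    """Server side: append an HMAC-SHA256 tag computed under the session key."""
    return msg + hmac.new(key, msg, hashlib.sha256).digest()


def hardened_client(key: bytes, signed: bytes, allow_privileged: bool = False) -> str:
    """Verify the tag before parsing anything, and deny file/exec opcodes by default."""
    if len(signed) < TAG_LEN + 4:
        return "REJECT: too short"
    msg, tag = signed[:-TAG_LEN], signed[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, msg, hashlib.sha256).digest()):
        return "REJECT: bad MAC"                    # altered or forged in transit
    opcode, _ = decode(msg)
    privileged = opcode == ASYNC_EXEC_APP or (opcode & 0xFF00) == FM_FAMILY
    if privileged and not allow_privileged:
        return f"REJECT: privileged opcode {opcode:#06x}"
    return dispatch(msg)


def mitm_swap(signed: bytes, forged_frame: bytes) -> bytes:
    """Models the on-path substitution: the frame is replaced, but the tag cannot be
    recomputed without the key, so the old tag is simply carried over."""
    return forged_frame + signed[-TAG_LEN:]


if __name__ == "__main__":
    key = b"constructed-session-key"
    benign = encode(SHOW_FORM, b"welcome form")
    forged = encode(ASYNC_EXEC_APP, b"<attacker-chosen command>")
    print("legacy   :", legacy_client(forged))                                      # EXEC ...
    print("hardened :", hardened_client(key, mitm_swap(sign(key, benign), forged)))  # REJECT: bad MAC
    print("hardened :", hardened_client(key, sign(key, benign)))                    # UI opcode 0x0001
```

The two defences are independent: the MAC stops a third party from injecting or altering frames, and the privileged-opcode policy limits what even the genuine server can make the client do. Neither changes the advice in the advisory, which is that the shipped client has no such checks and should be removed.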

Affected Versions

9.8.1 and below. It is not known whether the betas of 9.8.2 are affected.


Uninstallation of this software will prevent exploitation of these issues. The researchers cannot sanction any mitigations except to remove this software definitively from any affected devices.

Microsoft’s new moves to force Windows 10 onto unwanting users

Microsoft is using Win7 and 8.1 updates to enable and re-enable unwanted upgrades


Saying “Dramatically Increased Connectivity” over and over is too laborious, thus: “DIC”

I am not saying that Windows 10 is necessarily a bad thing. But if you don’t want it, it should not be forced on you.

In the wake of Windows 10 DIC, we’ve seen the creation of many freeware apps to assist users in managing Windows 10 DIC, because they feel rather strongly about not wanting any DIC, regardless of what that DIC’s purpose and intentions may be.

Another large group of people has decided that rather than getting Windows 10 and then working to neuter the DIC, they would prefer to simply remain on Windows 7 or 8.1. This has spawned another class of freeware to prevent Microsoft from shoving Windows 10 down everyone’s throat. One such tool is the GWX Control Panel by Josh Mayfield.

(GWX == Get Windows 10)

  • Formerly “GWX Stopper” renamed to the GWX Control Panel
  • Updated on November 24th to run continuously in the background and periodically check the Windows GWX settings.
  • http://ultimateoutsider.com/downloads/ (installer or stand-alone)

Since Windows 10’s release, and thanks to his GWX Control Panel and users, Josh has been monitoring Microsoft’s GWX behavior.

http://blog.ultimateoutsider.com/2015/08/using-gwx-stopper-to-permanently-remove.html

Josh: “December 1, 2015: I’ve gotten some very interesting reports from people using the new Monitor Mode feature. Different PCs are seeing different Windows 10 settings get re-enabled for mysterious reasons. They’re not false alarms; these settings are really getting re-set by Windows (it’s not happening to everybody, just certain users/computers), and I’m doing research and testing to see what I can do to stop it once and for all. To those of you observing this strange behavior: Hang in there; the next version of the GWX Control Panel will have some features intended to help you regain control and better understand what’s happening on your PC.”

The Windows Update engine has been updated and the December 1st release says:

  • “This update enables support for additional upgrade scenarios from Windows 7 to Windows 10, and provides a smoother experience when you have to retry an operating system upgrade because of certain failure conditions. This update also improves the ability of Microsoft to monitor the quality of the upgrade experience.”


  • ComputerWorld writes: “In late October, Terry Myerson, the Microsoft executive who runs the Windows and devices teams — dubbed the “More Personal Computing” group — outlined how Microsoft would try to convince users of Windows 7 and 8.1 to upgrade to Windows 10. Rather than wait for customers running the older editions to request a copy of the new OS — the original idea from the summer — Microsoft will instead begin to automatically send the upgrade to PCs via Windows Update, the default security maintenance service.”


  • Gregg Keizer, writing for ComputerWorld, continues: “The new push will be a two-step process, with the first kicking in this year, the second in early 2016. First, Microsoft will add the Windows 10 upgrade to the Windows Update list on Windows 7 and 8.1 systems as an “optional” item. That list can be examined by users, letting them choose — or not — each optional update.”


Sometime next year (2016), Microsoft will shift the Windows 10 upgrade from the optional ‘nag’ to the “Recommended” or “Important” update list. That means that rather than seeing the “Upgrade to Windows 10” popup nag, you will see it in your “Recommended” or “Important” update list along with all of your other Windows updates.

Updates on that list are automatically downloaded and installed on most PCs. If you have the “Auto Update” feature turned on, then you will very likely be automatically “Upgraded” to Windows 10.

The GWX Control Panel app can be downloaded from Mayfield’s website.

The app is free, but Mayfield does accept donations through PayPal. Gregg Keizer, who interviewed Josh, quoted him as saying: “I get a donation from about one in every thousand downloads.”

December 2015 Microsoft Patch Tuesday

Install your Windows updates folks!

Microsoft’s second Tuesday of the month

  • 12 patch bundles, 8 of them critical, 4 important
  • Remote Code Execution vulnerabilities for: Office, Uniscribe, Silverlight, “Graphics Component”, DNS, JScript & VBScript.
  • Critical update packages for their Edge and IE browsers.

Adobe updates Flash to v20.0.0.235

  • https://helpx.adobe.com/security/products/flash-player/apsb15-32.html
  • Adobe has released security updates for Adobe Flash Player. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.
  • How many??? 78!!!
  • Now at v20.0.0.235
  • And still trying to push McAfee “Security Scan Plus” on us

Post from SANS Internet Storm Center:

Special Note: MS15-127 looks particularly “nasty”. A remote code execution vulnerability in Microsoft’s DNS server. Microsoft rates the exploitability as “2”, but doesn’t provide much detail as to the nature of the vulnerability other than the fact that it can be triggered by remote DNS requests, which is bad news in particular if you are using a Microsoft DNS server exposed to the public internet. In this case, I would certainly expedite this patch. This is the vulnerability to look out for this time around.

Overview of the December 2015 Microsoft patches and their status, color coded for you, here.