Posts: 2713 | Days Won: 192
Everything posted by QuoVadis
A few weeks ago, I was asked to observe an installation of several wireless access points & VoIP phones, with a view to making recommendations on how best to improve security while maintaining ease of deployment. It didn't take long for several trends to appear; chief amongst which was the use of

Of course, as soon as the device burst into life, it's on to the next one. At which point, "now" becomes a distant memory, along with any thoughts of hardening the device for use in a commercial setting. This was not a fly-by-night company either, nor do they install cheap & cheerful hardware; we're fitting enterprise-grade Cisco, Snom & Ubiquiti UniFi equipment. With a tight schedule & reputable brand names, I completely understand why many installers trust the default configurations so vehemently.

A default config is rarely a secure config. A default configuration is only intended to restore a device to a "default" state, such that a competent installer can configure it to meet the client's needs.

Note: This is neither aimed at nor unique to Snom devices. I'm aware of similar exploits against current Cisco devices too.

In the following example, I've reset a Snom 320 VoIP phone (running 8.7.5.13 firmware) back to factory "default" settings. Even before we begin, there's a serious problem... there's no authentication whatsoever! To their credit, some manufacturers provide a default set of credentials... even if they're usually "admin/admin", thus equally insecure. Snom however, opted to place a tiny "HTTP password not set" warning at the top of the configuration screen. That'd be fine if it forced you to set a password during the setup process, but it doesn't. To make matters worse, it's only too happy to accept a single character/number password too.

A reasonable argument, you might think. So, let's put it to the test.

Hijacking the Snom 320

Step 1: Visit a site which contains the exploit payload.

That's it.

Simply by opening a malicious site (or a genuine site containing the malicious payload), the attacker has complete control over our VoIP phone. To demonstrate this vulnerability, I enlisted the help of two colleagues... Per Thorsheim & Scott Helme. Per will play the part of our attacker, embedding the exploit on a site which he controls. Meanwhile, I'm reading Per's site while having a private conversation with Scott, via Skype. Unbeknownst to me, Per has forced my VoIP phone to call his premium rate number and disabled the speaker, so unless I'm looking at the phone, I wouldn't know it's dialling.

Note: We've left the activity LED on during this demo, as it's difficult to read the screen. When the light illuminates, the phone is dialling out.

What can the attacker do? Virtually anything. Make calls, receive calls, transfer calls (even before it rings), play recordings, upload new firmware and crucially... use the device for covert surveillance.

Our self-defeating approach... If we look beyond the IP telephony sector to the industry as a whole, many companies ship devices which have no "default" security... or permit the use of weak credentials which provide nothing more than a false sense of security. It has to stop.

Vendors - If you must supply devices with "default" credentials, disable all other functionality until a suitably-secure password is set to replace it.

The term "covert surveillance" is usually only associated with nation states, certain 3-letter agencies and those closed-minded individuals pushing the Investigatory Powers Bill (IPBill / Snoopers Charter). In this demonstration, the attacker has not only compromised your phone & privacy with just a browser, but you've paid him for the privilege!

If you install, use or just find yourself sat next to one of these devices, just remember... it's basically a PC, with all the security vulnerabilities associated with them. Don't assume it's safe because it's running as the manufacturer intended; seek professional advice.

1) Use strong passwords, derived from a password manager.
2) VLAN / network segregate your phones, if possible.
3) Restrict access to APIs, even if they're only visible internally.
4) Check & upgrade your firmware regularly, ensuring it doesn't revert to "defaults" afterwards.

Just today, Professor Alan Woodward of Surrey University published an article entitled "Are you the only one using your VOIP phone?" which discusses the various attack vectors & implications associated with VoIP devices. If you haven't yet subscribed to Alan's RSS feed, I'd strongly suggest doing so.

Thanks to Per Thorsheim & Scott Helme for their help with this demonstration. That's it folks... for now.

SOURCE - https://paul.reviews/pwnphone-default-passwords-allow-covert-surveillance/
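An audit helper, added here as an example and not code from the original post or from the article it reposts: it classifies a phone's web config page the way the post describes the Snom 320 factory state (a page served with no credential challenge and the "HTTP password not set" warning) and checks a configured password against recommendation 1. The HTTP response is constructed, and the marker string and password policy are assumptions based only on the post's description.

```python
# Added example (not from the original post): audit a VoIP phone's web config UI
# for the default state the post describes. The response below is constructed;
# the marker string and the password policy thresholds are assumptions.
import re
from dataclasses import dataclass

SNOM_NO_PASSWORD_MARKER = "HTTP password not set"  # warning text quoted in the post


@dataclass
class HttpResponse:
    status: int
    headers: dict
    body: str


def admin_ui_unauthenticated(resp: HttpResponse) -> bool:
    """True when the config page was served without any credential challenge."""
    challenged = any(k.lower() == "www-authenticate" for k in resp.headers)
    if resp.status in (401, 403) or challenged:
        return False  # the device demanded or refused credentials: auth is enforced
    # A 200 carrying the page's own "no password" warning is the state the post shows.
    return resp.status == 200 and SNOM_NO_PASSWORD_MARKER.lower() in resp.body.lower()


def password_meets_policy(pw: str, min_len: int = 12) -> bool:
    """Recommendation 1: reject the one-character passwords the phone happily accepts."""
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return len(pw) >= min_len and classes >= 3


def audit_phone(resp: HttpResponse, configured_password: str) -> list:
    """Return findings for one device; an empty list means nothing was flagged."""
    findings = []
    if admin_ui_unauthenticated(resp):
        findings.append("config UI reachable without authentication (factory default state)")
    if not password_meets_policy(configured_password):
        findings.append("HTTP password too weak; set one generated by a password manager")
    return findings


# Constructed sample: what a freshly reset phone's config page might return.
SAMPLE_DEFAULT_RESPONSE = HttpResponse(
    status=200,
    headers={"Content-Type": "text/html"},
    body="<html><body><b>HTTP password not set</b> ... Setup ...</body></html>",
)

if __name__ == "__main__":
    for finding in audit_phone(SAMPLE_DEFAULT_RESPONSE, "1"):
        print("FINDING:", finding)
```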
You could also go and Neo1337nude
Because it's Sunday and I'm not as drunk as I should be...:
- a real forensic investigator does not jump to conclusions from a photo. In this case, less than a photo: a sketch
- the personal life is investigated: who the person was last seen with and in what state (starting with relatives, neighbours, the place where the cola and cigarettes were bought, etc.)
- a real forensic investigator analyses, together with the lab, the trajectory and the distance from which the gun was fired. Whether she was shot from close up or from afar, angles (very important), etc.
- DNA samples, fingerprints, etc. are taken
- possibly an ultraviolet light is used as well, to reveal certain things that are not visible to the naked eye
- possible motives in the personal life are investigated, for one hypothesis or another
- of course, a properly done autopsy also produces many useful details
- the handwriting is analysed, whether the calligraphy is consistent with other things written
- the origin of the weapon and of the ammunition
- possible fingerprints on the weapon and on the bullet
+ many other procedures
But, if you still want to OBSERVE certain things in the sketch:
- usually, the same hand (right or left) is used to do certain things. For example, if someone is right-handed, then instinctively they would smoke with the right hand, shoot the pistol with the right hand, etc. The fact that they are in different hands is unusual
- the position of the chair relative to the letter and the blood stain are in contradiction. She could have turned 90 degrees before shooting herself (if it's suicide), but highly unlikely
- the bottle in the bin could indicate certain things. The flowers likewise.
- the position of the legs is a strange one for a suicide. Both if she had fallen off the chair, and from standing
@Usr6 - I want a salary of at least 3k EUR / month
-
I don't think you have the credibility here on RST for anyone to hand you anything serious. Better look at upwork.com, freelancer.com and other similar sites. There are plenty of offers there.
-
Yeah man, I didn't say it's not their fault. Did you read what I wrote? I was simply talking about honouring the warranty. I'm sure their lawyers drafted all the "fine print" well, so that they have as many loopholes as possible. And they can blame the customers, saying they changed the date deliberately for something like that in order to get a new phone, etc. They can invoke all sorts of reasons not to honour the warranty. I recently concluded a fairly small contract for some products, and when I went through what their lawyer gave me as a pre-contract with a fine-tooth comb, I was tearing my hair out. Almost everywhere the language is worded so that they have loopholes for anything.
-
I love the comments on that video: John Dunn 17 hours ago Sorry to ask this but can you give a step by step on how you recovered from it being stuck on the apple logo? I did it to mine and can't recover John Danis 22 hours ago I got mine bricked from a post telling me to do this, HOW THE FUCK DO I FIX IT. Damn that temptation... + the world is full of idiots
-
Computer code written by women has a higher approval rating than that written by men - but only if their gender is not identifiable, new research suggests. The US researchers analysed nearly 1.4 million users of the open source program-sharing service Github. They found that pull requests - or suggested code changes - made on the service by women were more likely to be accepted than those by men. The paper is awaiting peer review. This means the results have yet to be critically appraised by other experts.

The researchers, from the computer science departments at Cal Poly and North Carolina State University, looked at around four million people who logged on to Github on a single day - 1 April 2015. Github is an enormous developer community which does not request gender information from its 12 million users. However the team was able to identify whether roughly 1.4m were male or female - either because it was clear from the users' profiles or because their email addresses could be matched with the Google+ social network. The researchers accepted that this was a privacy risk but said they did not intend to publish the raw data.

The team found that 78.6% of pull requests made by women were accepted compared with 74.6% of those by men. The researchers considered various factors, such as whether women were more likely to be responding to known issues, whether their contributions were shorter in length and so easier to appraise, and which programming language they were using, but they could not find a correlation. However among users who were not well known within the community, those whose profiles made clear that they were women had a much lower acceptance rate than those whose gender was not obvious.

'Bias nonetheless'

"For outsiders, we see evidence for gender bias: women's acceptance rates are 71.8% when they use gender neutral profiles, but drop to 62.5% when their gender is identifiable. There is a similar drop for men, but the effect is not as strong," the paper noted. "Women have a higher acceptance rate of pull requests overall, but when they're outsiders and their gender is identifiable, they have a lower acceptance rate than men. "Our results suggest that although women on Github may be more competent overall, bias against them exists nonetheless," the researchers concluded.

Despite various high profile initiatives, tech firms continue to face challenges in terms of the diversity of their staff, in terms of both gender and ethnicity, particularly in more technical careers. Just 16% of Facebook's tech staff and 18% of Google's are women according to figures released in 2015. However the researchers' findings are still encouraging, computer scientist Dr Sue Black OBE told the BBC. "I think we are going to see a resurgence of interest from women in not only coding but all sorts of tech-related careers over the next few years," she said. "Knowing that women are great at coding gives strength to the case that it's better for everyone to have more women working in tech. "It was a woman - Ada Lovelace - who came up with the idea of software in the first place, we owe it to her to make sure that we encourage and support women into the software industry," Dr Black added.

SOURCE
[FOR SALE] Annual subscription Adobe CC full suite (legal) - 250 EUR discount
QuoVadis replied to QuoVadis's topic in RST Market
2 more available: Adobe Creative Cloud complete package. Price: 394 EUR / year (bitcoin only, as I don't offer refunds to those who change their mind). Invoice and receipt provided. The package contains: Acrobat Pro DC After Effects Animate Audition Behance Bridge Capture Comp CC Creative Portfolio Creative SDK Dreamweaver ExtendScript Toolkit Extension Manager Flash Builder Fuse (Preview) Gaming SDK Illustrator Illustrator Draw In Copy InDesign Lightroom Lightroom for mobile Media Encoder Muse PhoneGap Build Photoshop Photoshop Fix Photoshop Mix Photoshop Sketch Prelude Prelude Live Logger Premiere Clip Premiere Pro Preview CC Scout Slate SpeedGrade Story Plus Voice
Reputation activity appears on the profile, https://rstforums.com/forum/profile/19350-garryone/ , only it's not filtered but mixed in with comments, etc.
Washington (CNN) - Hackers, making good on a threat, published contact information for 20,000 FBI employees Monday afternoon, just one day after posting similar data on almost 10,000 Department of Homeland Security employees. The hackers, tweeting from the account @DotGovs, claim they obtained the details by hacking into a Department of Justice database. The hackers boasted on Twitter, "FBI and DHS info is dropped and that's all we came to do, so now its time to go, bye folks! #FreePalestine." The information contained names, titles, phone numbers and email addresses.

After the hackers published the data on the DHS employees on Sunday, they tweeted, "Well folks, it looks like @TheJusticeDept has finally realized their computer has been breached after 1 week." The Justice Department is investigating the hack. Department spokesman Peter Carr told CNN it does not appear there was a breach of private personnel information, such as Social Security numbers.

"The department is looking into the unauthorized access of a system operated by one of its components containing employee contact information," said Carr. "This unauthorized access is still under investigation; however, there is no indication at this time that there is any breach of sensitive personally identifiable information. The department takes this very seriously and is continuing to deploy protection and defensive measures to safeguard information. Any activity that is determined to be criminal in nature will be referred to law enforcement for investigation."

The hackers taunted federal officials, tweeting, "When will the US government realize we won't stop until they cut relations with Israel."

SOURCE - CNN
Ransom32 I think deserves more attention http://blog.emsisoft.com/2016/01/01/meet-ransom32-the-first-javascript-ransomware/ (I'm too lazy to repost the thread that was deleted with the vb -> ipb switch). I don't think we're far from web-based cryptolockers...
Spare us this crap, man. What's next? Reading the opinion of Leo de la Strehaia on cybersecurity?
Attention those of you who work on Upwork: an individual has started inviting several hundred people to an "interview" for a job "selling" (fictitious) items on eBay. Don't get involved, or you'll get bitten. The guy asks you to use your own PayPal and eBay accounts, and then the customers who don't receive those products but have paid will file chargebacks. He has already received the money, while you have to pay it out and get burned. Below is the text of the scam:

How do you tell it's a scam?
- he shows up under a different name than on upwork
- he wants you to use your own ebay accounts
- he wants you to have at least 15 positive ratings, so that the people you "sell" to trust you on expensive products
- he asks you to have no limits on paypal
- he says you earn £200 for each item
- if it sounds too good to be true... it most likely isn't true
- he gets the money and disappears before the mess gets untangled
- the ebay buyer receives a _!_, files a chargeback and gets the money back
- you're left with a tidy debt of at least £2000
- the guy makes off with a few hundred thousand and then lives it up in the Caribbean or elsewhere
(video) Advanced Penetration Testing for Highly-Secured Environments
QuoVadis replied to QuoVadis's topic in Tutoriale video
It probably expired. But I won't re-upload it, as the forum rules have changed and I'm no longer allowed to post such things. Sorry.

Check your inbox.
shell uploading Shell Uploading Best methods Tutorials-By Spirit
QuoVadis replied to spirited_wolf's topic in Tutoriale video
Can you please post like a normal human being? Maybe in India people like all the flashy colours, sizes and fonts but here it's not India.

Tags: how to upload shell, how to bypass shell uploading (and 3 more)
@sof What did you eat that was off? I thought you were a bit smarter than some of the people around here, and that I read people well, but I was wrong. If you have so many complaints about RST, who's forcing you to stay here? Aren't there enough alternatives?
@EssenceOfLife , @Cripterul - after @M2G warns you to calm down, you don't bat an eye... since this is a suggestions thread anyway, maybe a Mass Purge is needed... 30-40 bans or so as a "housewarming", then it's just peace n tranquility on the forum.
@Nytro - I saved https://rstforums.com/forum to my bookmarks. Several times, when I click it, I get a page with: Sorry, there is a problem Something went wrong. Please try again. Error code: EX0 and then, if I click the same bookmark once more, it works normally. I'm using the latest version of Firefox, and the same thing happens on Win7 and on Mac (El Cap). I cleared the cache and cookies, but no luck.