Usr6 (Active Members)

Everything posted by Usr6

  1. Avira will offer their top product absolutely free to everyone who signs up for the Facebook promotion. There will be no prize draw: everyone who takes part wins! What are the rules? Avira Internet Security 2012 will be offered free to anyone who joins the big race on the Avira Facebook page. The duration of the licence will depend on the number of fans the Avira page gathers during the campaign. For every 10,000 new fans, one month is added to the licence. If there are 120,000 new fans at the end, each of them will get a free licence for a whole year. That does not seem to me an excessive requirement for getting, free of charge, a program worth 40 Euro. Moreover, you will get the 2012 version, which will be released in about a month. For details about the 2012 version and free testing of the Beta version, visit this page. To sign up, go to the following page, grant the Sweepstakes application access to Facebook and fill in the requested details: http://www.facebook.com/avira?sk=app_28134323652 Source: Sweepstakes Starts September 14, 2011 @ 09:00 am (PDT) | Sweepstakes Ends October 17, 2011 @ 09:00 am (PDT)
  2. "The storefront for this massive botnet is awmproxy.net, which advertises “the fastest anonymous proxies.”"

I’ll take a closer look at a Russian individual who appears to have close ties to the TDSS operation. Tuesday’s story got picked up by news-for-nerds site Slashdot, and one of the comments on the piece observed that the storefront for TDSS — awmproxy.net — has a Google Analytics code embedded in the homepage. That code, UA-3816538, is embedded in six other Web sites, including awmproxy.com (a clone of awmproxy.net), according to a lookup at ReverseInternet.com.

Using domaintools.com, I was able to find the historical Web site registration records for awmproxy.com (the historical data for awmproxy.net is hidden). Those records show that the domain was registered on Feb. 27, 2008 to an individual in Russia who used the email address fizot@mail.ru. Another Web site with that same Google Analytics code, pornxplayer.com (hostile site), also includes that email address in its historical records. Awmproxy began offering proxies on March 16, 2008.

WHOIS records also indicate fizot@mail.ru was used to register fizot.com, a site which is no longer active. The name given by the person who registered fizot.com was Galdziev Chingiz in St. Petersburg, Russia. That same name is on the registration records for fizot.org, but fizot.org lists a different contact email address: xtexgroup@gmail.com. Googling for the fizot@mail.ru address turns up a LiveJournal blog by a user named Fizot who provides a contact email address of xtexcounter@bk.ru. Fizot isn’t the most prolific blogger, but he has 27 journal entries on his page, and discusses everything from life in St. Petersburg to earning millions of dollars.

In one entry, Fizot discusses having bought a sports car with a license plate number that includes the Number of the Beast: “666.” It turns out that there is a Youtube.com channel belonging to a user named Fizot who designates the domain name fizot.com as his personal Web site. Fizot has uploaded just four videos since the account was created in July 2007. Among the videos is a short movie uploaded on Oct. 5, 2007, showing a Porsche car with the license plate H666XK [N666HK in the Cyrillic alphabet] zooming away from the camera in a shopping mall parking lot, before turning around and heading back to the filmmaker. A license plate cover beneath the tags indicates the car’s owner is or was a member of the Moscow Porsche Club.

Fizot may only be tangentially connected to those responsible for building and maintaining the TDSS botnet, but it is likely that he and some of his pals in the SPB and RU Auto clubs know the responsible parties.

Update, 2:36 p.m. ET: Getting some additional info from helpful readers. That same Google Analytics code is present on the site domenadom.ru, which appears to be a domain name registrar. Also, that same xtexcounter@bk.ru address provided by Fizot at his LiveJournal blog was the email used to register xvpn.ru, a VPN service that advertises “full anonymity on the Net.”

Update, 4:54 p.m. ET: It appears that Fizot has deleted nearly all of the posts on his LiveJournal account. I sort of expected he might do that. Here are cached versions of his home page and contact page at LiveJournal. He has also removed all of his Youtube videos, but I made copies of them before I put this story up. Here’s a link to the video that is screenshotted above. In the meantime, Fizot has only one blog entry now at his LiveJournal page, in which he claims to have sold the AWMproxy service long ago. But to whom? Fizot writes:

“I have no relation to the draft awmproxy and sold it long ago. Stop writing to me and bother, please contact the author. I am not related to awmproxy project, since I have sold it out long ago. Please, stop writing to me and bothering me. You need to contact the resource owner.”

Sources: Rent-a-Bot Networks Tied to TDSS Botnet; Who’s Behind the TDSS Botnet?; TDSS: http://rstcenter.com/forum/37240-security-experts-warn-new-almost-indestructible-tdl-4-botnet-threat.rst http://rstcenter.com/forum/37120-250-000-usd-cheltuieli-de-infractor-cibernetic-pe-trei-luni.rst
  3. What is the difference between Metascan and VirusTotal? Metascan Online: "Metascan Online currently includes engines from Symantec, McAfee, ESET, Norman, AVG and many others. Anti-malware engine vendors who are interested in having their engine added to Metascan and Metascan Online should contact sales@opswat.com for more information. Benefits of partnering with OPSWAT include access to malware samples uploaded to Metascan Online and revenues from Metascan product sales." (copied from here). VirusTotal: "In exchange for providing an antivirus engine you will receive all files submitted to VirusTotal that are not detected by your product and are detected by at least one other antivirus, along with their corresponding VirusTotal reports." Happy scanning.
  4. Introduction

This article is focused on providing clear, simple, actionable guidance for preventing SQL Injection flaws in your applications. SQL Injection attacks are unfortunately very common, and this is due to two factors: the significant prevalence of SQL Injection vulnerabilities, and the attractiveness of the target (i.e., the database typically contains all the interesting/critical data for your application). It’s somewhat shameful that there are so many successful SQL Injection attacks occurring, because it is EXTREMELY simple to avoid SQL Injection vulnerabilities in your code.

SQL Injection flaws are introduced when software developers create dynamic database queries that include user supplied input. Avoiding SQL injection flaws is simple. Developers need to either: a) stop writing dynamic queries; and/or b) prevent user supplied input which contains malicious SQL from affecting the logic of the executed query. This article provides a set of simple techniques for preventing SQL Injection vulnerabilities by avoiding these two problems. These techniques can be used with practically any kind of programming language with any type of database. There are other types of databases, like XML databases, which can have similar problems (e.g., XPath and XQuery injection) and these techniques can be used to protect them as well.

Primary Defenses:
    Option #1: Use of Prepared Statements (Parameterized Queries)
    Option #2: Use of Stored Procedures
    Option #3: Escaping all User Supplied Input
Additional Defenses:
    Also Enforce: Least Privilege
    Also Perform: White List Input Validation

Unsafe Example

SQL injection flaws typically look like this: The following (Java) example is UNSAFE, and would allow an attacker to inject code into the query that would be executed by the database. The unvalidated “customerName” parameter that is simply appended to the query allows an attacker to inject any SQL code they want. Unfortunately, this method for accessing databases is all too common.

    String query = "SELECT account_balance FROM user_data WHERE user_name = "
                   + request.getParameter("customerName");
    try {
        Statement statement = connection.createStatement( … );
        ResultSet results = statement.executeQuery( query );
    } catch (SQLException se) {
        // … error handling
    }

Primary Defenses

Defense Option 1: Prepared Statements (Parameterized Queries)

The use of prepared statements (aka parameterized queries) is how all developers should first be taught how to write database queries. They are simple to write, and easier to understand than dynamic queries. Parameterized queries force the developer to first define all the SQL code, and then pass in each parameter to the query later. This coding style allows the database to distinguish between code and data, regardless of what user input is supplied. Prepared statements ensure that an attacker is not able to change the intent of a query, even if SQL commands are inserted by an attacker. In the safe example below, if an attacker were to enter the userID of tom' or '1'='1, the parameterized query would not be vulnerable and would instead look for a username which literally matched the entire string tom' or '1'='1.

Language specific recommendations:
    Java EE – use PreparedStatement() with bind variables
    .NET – use parameterized queries like SqlCommand() or OleDbCommand() with bind variables
    PHP – use PDO with strongly typed parameterized queries (using bindParam())
    Hibernate – use createQuery() with bind variables (called named parameters in Hibernate)
    SQLite – use sqlite3_prepare() to create a statement object

In rare circumstances, prepared statements can harm performance. When confronted with this situation, it is best to escape all user supplied input using an escaping routine specific to your database vendor as is described below, rather than using a prepared statement. Another option which might solve your performance issue is to use a stored procedure instead.

Safe Java Prepared Statement Example

The following code example uses a PreparedStatement, Java's implementation of a parameterized query, to execute the same database query.

    String custname = request.getParameter("customerName"); // This should REALLY be validated too
    // perform input validation to detect attacks
    String query = "SELECT account_balance FROM user_data WHERE user_name = ? ";
    PreparedStatement pstmt = connection.prepareStatement( query );
    pstmt.setString( 1, custname );
    ResultSet results = pstmt.executeQuery( );

Safe C# .NET Prepared Statement Example

With .NET, it's even more straightforward. The creation and execution of the query doesn't change. All you have to do is simply pass the parameters to the query using the Parameters.Add() call as shown here.

    String query = "SELECT account_balance FROM user_data WHERE user_name = ?";
    try {
        OleDbCommand command = new OleDbCommand(query, connection);
        command.Parameters.Add(new OleDbParameter("customerName", CustomerName.Text));
        OleDbDataReader reader = command.ExecuteReader();
        // …
    } catch (OleDbException se) {
        // error handling
    }

We have shown examples in Java and .NET but practically all other languages, including Cold Fusion, and Classic ASP, support parameterized query interfaces. Even SQL abstraction layers, like the Hibernate Query Language (HQL) have the same type of injection problems (which we call HQL Injection). HQL supports parameterized queries as well, so we can avoid this problem:

Hibernate Query Language (HQL) Prepared Statement (Named Parameters) Examples

First is an unsafe HQL Statement:

    Query unsafeHQLQuery = session.createQuery("from Inventory where productID='" + userSuppliedParameter + "'");

Here is a safe version of the same query using named parameters:

    Query safeHQLQuery = session.createQuery("from Inventory where productID=:productid");
    safeHQLQuery.setParameter("productid", userSuppliedParameter);

Developers tend to like the Prepared Statement approach because all the SQL code stays within the application. This makes your application relatively database independent. However, other options allow you to store all the SQL code in the database itself, which has both security and non-security advantages. That approach, called Stored Procedures, is described next.

Defense Option 2: Stored Procedures

Stored procedures have the same effect as the use of prepared statements when implemented safely*. They require the developer to define the SQL code first, and then pass in the parameters after. The difference between prepared statements and stored procedures is that the SQL code for a stored procedure is defined and stored in the database itself, and then called from the application. Both of these techniques have the same effectiveness in preventing SQL injection so your organization should choose which approach makes the most sense for you.

*Note: 'Implemented safely' means the stored procedure does not include any unsafe dynamic SQL generation. Developers do not usually generate dynamic SQL inside stored procedures. However, it can be done, but should be avoided. If it can't be avoided, the stored procedure must use input validation or proper escaping as described in this article to make sure that all user supplied input to the stored procedure can't be used to inject SQL code into the dynamically generated query. Auditors should always look for uses of sp_execute, execute or exec within SQL Server stored procedures. Similar audit guidelines are necessary for similar functions for other vendors.

There are also several cases where stored procedures can increase risk. For example, on MS SQL server, you have 3 main default roles: db_datareader, db_datawriter and db_owner. Before stored procedures came into use, DBA's would give db_datareader or db_datawriter rights to the webservice's user, depending on the requirements. However, stored procedures require execute rights, a role that is not available by default. Some setups where the user management has been centralized, but is limited to those 3 roles, cause all web apps to run under db_owner rights so stored procedures can work. Naturally, that means that if a server is breached the attacker has full rights to the database, where previously they might only have had read-access. More on this topic here: Granting execute permissions to all stored procedures in a database.

Safe Java Stored Procedure Example

The following code example uses a CallableStatement, Java's implementation of the stored procedure interface, to execute the same database query. The "sp_getAccountBalance" stored procedure would have to be predefined in the database and implement the same functionality as the query defined above.

    String custname = request.getParameter("customerName"); // This should REALLY be validated
    try {
        CallableStatement cs = connection.prepareCall("{call sp_getAccountBalance(?)}");
        cs.setString(1, custname);
        ResultSet results = cs.executeQuery();
        // … result set handling
    } catch (SQLException se) {
        // … logging and error handling
    }

Safe VB .NET Stored Procedure Example

The following code example uses a SqlCommand, .NET’s implementation of the stored procedure interface, to execute the same database query. The "sp_getAccountBalance" stored procedure would have to be predefined in the database and implement the same functionality as the query defined above.

    Try
        Dim command As SqlCommand = new SqlCommand("sp_getAccountBalance", connection)
        command.CommandType = CommandType.StoredProcedure
        command.Parameters.Add(new SqlParameter("@CustomerName", CustomerName.Text))
        Dim reader As SqlDataReader = command.ExecuteReader()
        ' …
    Catch se As SqlException
        ' error handling
    End Try

We have shown examples in Java and .NET but practically all other languages, including Cold Fusion, and Classic ASP, support the ability to invoke stored procedures. For organizations that already make significant or even exclusive use of stored procedures, it is far less likely that they have SQL injection flaws in the first place. However, you still need to be careful with stored procedures because it is possible, although relatively rare, to create a dynamic query inside of a stored procedure that is subject to SQL injection. If dynamic queries in your stored procedures can’t be avoided, then validate or properly escape all user supplied input to the dynamic query, before you construct it.

There are also some additional security and non-security benefits of stored procedures that are worth considering. One security benefit is that if you make exclusive use of stored procedures for your database, you can restrict all database user accounts to only have access to the stored procedures. This means that database accounts do not have permission to submit dynamic queries to the database, giving you far greater confidence that you do not have any SQL injection vulnerabilities in the applications that access that database. Some non-security benefits include performance benefits (in most situations), and having all the SQL code in one location, potentially simplifying maintenance of the code and keeping the SQL code out of the application developers' hands, leaving it for the database developers to develop and maintain.

Defense Option 3: Escaping All User Supplied Input

This third technique is to escape user input before putting it in a query. If you are concerned that rewriting your dynamic queries as prepared statements or stored procedures might break your application or adversely affect performance, then this might be the best approach for you. However, this methodology is frail compared to using parameterized queries. This technique should only be used, with caution, to retrofit legacy code in a cost effective way. Applications built from scratch, or applications requiring low risk tolerance should be built or re-written using parameterized queries.

This technique works like this. Each DBMS supports one or more character escaping schemes specific to certain kinds of queries. If you then escape all user supplied input using the proper escaping scheme for the database you are using, the DBMS will not confuse that input with SQL code written by the developer, thus avoiding any possible SQL injection vulnerabilities.

Full details on ESAPI are available here on OWASP. The javadoc for ESAPI is available here at its Google Code repository. You can also directly browse the source at Google, which is frequently helpful if the javadoc isn't perfectly clear. To find the javadoc specifically for the database encoders, click on the ‘Codec’ class on the left hand side. There are lots of Codecs implemented. The two Database specific codecs are OracleCodec, and MySQLCodec. Just click on their names in the ‘All Known Implementing Classes:’ at the top of the Interface Codec page.

At this time, ESAPI currently has database encoders for:
    Oracle
    MySQL (Both ANSI and native modes are supported)
Database encoders for SQL Server and PostgreSQL are forthcoming. If your database encoder is missing, please let us know.

Database Specific Escaping Details

If you want to build your own escaping routines, here are the escaping details for each of the databases that we have developed ESAPI Encoders for:

Oracle Escaping

This information is based on the Oracle Escape character information found here: SQL FAQ - Oracle FAQ

Escaping Dynamic Queries

To use an ESAPI database codec is pretty simple. An Oracle example looks something like:

    ESAPI.encoder().encodeForSQL( new OracleCodec(), queryparam );

So, if you had an existing Dynamic query being generated in your code that was going to Oracle that looked like this:

    String query = "SELECT user_id FROM user_data WHERE user_name = '" + req.getParameter("userID")
                   + "' and user_password = '" + req.getParameter("pwd") + "'";
    try {
        Statement statement = connection.createStatement( … );
        ResultSet results = statement.executeQuery( query );
    } catch (SQLException se) {
        // … error handling
    }

You would rewrite the first line to look like this:

    Codec ORACLE_CODEC = new OracleCodec();
    String query = "SELECT user_id FROM user_data WHERE user_name = '"
                   + ESAPI.encoder().encodeForSQL( ORACLE_CODEC, req.getParameter("userID"))
                   + "' and user_password = '"
                   + ESAPI.encoder().encodeForSQL( ORACLE_CODEC, req.getParameter("pwd")) + "'";

And it would now be safe from SQL injection, regardless of the input supplied. For maximum code readability, you could also construct your own OracleEncoder.

    Encoder oe = new OracleEncoder();
    String query = "SELECT user_id FROM user_data WHERE user_name = '" + oe.encode( req.getParameter("userID"))
                   + "' and user_password = '" + oe.encode( req.getParameter("pwd")) + "'";

With this type of solution, all your developers would have to do is wrap each user supplied parameter being passed in into an ESAPI.encoder().encodeForOracle( ) call or whatever you named it, and you would be done.

Turn off character replacement

Use SET DEFINE OFF or SET SCAN OFF to ensure that automatic character replacement is turned off. If this character replacement is turned on, the & character will be treated like a SQLPlus variable prefix that could allow an attacker to retrieve private data. See SET System Variable Summary and sql - How to insert a string which contains an "&" - Stack Overflow for more information.

Escaping Wildcard characters in Like Clauses

The LIKE keyword allows for text scanning searches. In Oracle, the underscore '_' character matches only one character, while the ampersand '%' is used to match zero or more occurrences of any characters. These characters must be escaped in LIKE clause criteria. For example:

    SELECT name FROM emp WHERE id LIKE '%/_%' ESCAPE '/';
    SELECT name FROM emp WHERE id LIKE '%\%%' ESCAPE '\';

Oracle 10g escaping

An alternative for Oracle 10g and later is to place { and } around the string to escape the entire string. However, you have to be careful that there isn't a } character already in the string. You must search for these and if there is one, then you must replace it with }}. Otherwise that character will end the escaping early, and may introduce a vulnerability.

MySQL Escaping

MySQL supports two escaping modes: ANSI_QUOTES SQL mode, and a mode with this off, which we call MySQL mode.

ANSI SQL mode: Simply encode all ' (single tick) characters with '' (two single ticks).

MySQL mode, do the following:
    NUL (0x00) --> \0   [This is a zero, not the letter O]
    BS  (0x08) --> \b
    TAB (0x09) --> \t
    LF  (0x0a) --> \n
    CR  (0x0d) --> \r
    SUB (0x1a) --> \z
    "   (0x22) --> \"
    %   (0x25) --> \%
    '   (0x27) --> \'
    \   (0x5c) --> \\
    _   (0x5f) --> \_
    all other non-alphanumeric characters with ASCII values less than 256 --> \c, where 'c' is the original non-alphanumeric character.

This information is based on the MySQL Escape character information found here: MySQL :: MySQL 5.0 Reference Manual :: 8.1.1 Strings

SQL Server Escaping

We have not implemented the SQL Server escaping routine yet, but the following has good pointers to articles describing how to prevent SQL injection attacks on SQL server: Dynamic SQL & SQL injection - Raul Garcia's blog - Site Home - MSDN Blogs

Additional Defenses

Beyond adopting one of the three primary defenses, we also recommend adopting all of these additional defenses in order to provide defense in depth. These additional defenses are:
    Least Privilege
    White List Input Validation

Least Privilege

To minimize the potential damage of a successful SQL injection attack, you should minimize the privileges assigned to every database account in your environment. Do not assign DBA or admin type access rights to your application accounts. We understand that this is easy, and everything just ‘works’ when you do it this way, but it is very dangerous. Start from the ground up to determine what access rights your application accounts require, rather than trying to figure out what access rights you need to take away. Make sure that accounts that only need read access are only granted read access to the tables they need access to. If an account only needs access to portions of a table, consider creating a view that limits access to that portion of the data and assigning the account access to the view instead, rather than the underlying table. Rarely, if ever, grant create or delete access to database accounts.

If you adopt a policy where you use stored procedures everywhere, and don’t allow application accounts to directly execute their own queries, then restrict those accounts to only be able to execute the stored procedures they need. Don’t grant them any rights directly to the tables in the database.

SQL injection is not the only threat to your database data. Attackers can simply change the parameter values from one of the legal values they are presented with, to a value that is unauthorized for them, but the application itself might be authorized to access. As such, minimizing the privileges granted to your application will reduce the likelihood of such unauthorized access attempts, even when an attacker is not trying to use SQL injection as part of their exploit.

While you are at it, you should minimize the privileges of the operating system account that the DBMS runs under. Don't run your DBMS as root or system! Most DBMSs run out of the box with a very powerful system account. For example, MySQL runs as system on Windows by default! Change the DBMS's OS account to something more appropriate, with restricted privileges.

White List Input Validation

It is always recommended to prevent attacks as early as possible in the processing of the user’s (attacker's) request. Input validation can be used to detect unauthorized input before it is passed to the SQL query. Developers frequently perform black list validation in order to try to detect attack characters and patterns like the ' character or the string 1=1, but this is a massively flawed approach as it is typically trivial for an attacker to avoid getting caught by such filters. Plus, such filters frequently prevent authorized input, like O'Brian, when the ' character is being filtered out.

White list validation is appropriate for all input fields provided by the user. White list validation involves defining exactly what IS authorized, and by definition, everything else is not authorized. If it's well structured data, like dates, social security numbers, zip codes, e-mail addresses, etc. then the developer should be able to define a very strong validation pattern, usually based on regular expressions, for validating such input. If the input field comes from a fixed set of options, like a drop down list or radio buttons, then the input needs to match exactly one of the values offered to the user in the first place. The most difficult fields to validate are so called 'free text' fields, like blog entries. However, even those types of fields can be validated to some degree: you can at least exclude all non-printable characters, and define a maximum size for the input field.

Developing regular expressions can be complicated, and is well beyond the scope of this cheat sheet. There are lots of resources on the internet about how to write regular expressions, including: Regular-Expressions.info - Regex Tutorial, Examples and Reference - Regexp Patterns. The following provides a few examples of ‘white list’ style regular expressions:

White List Regex Examples

Validating data from a free form text field for a zip code (5 digits plus optional -4):

    ^\d{5}(-\d{4})?$

Validating data from a fixed list drop-down box for U.S. state selection:

    ^(AA|AE|AP|AL|AK|AS|AZ|AR|CA|CO|CT|DE|DC|FM|FL|GA|GU|HI|ID|IL|IN|IA|KS|KY|LA|ME|MH|MD|MA|MI|MN|MS|MO|MT|NE|NV|NH|NJ|NM|NY|NC|ND|MP|OH|OK|OR|PW|PA|PR|RI|SC|SD|TN|TX|UT|VT|VI|VA|WA|WV|WI|WY)$

Validating a free form text field for allowed chars (numbers, letters, whitespace, .-_):

    ^[a-zA-Z0-9\s\.\-_]+$        (Any number of characters)
    ^[a-zA-Z0-9\s\.\-_]{1,100}$  (This is better, since it limits this field to 1 to 100 characters)

Note: \s matches any whitespace character (i.e., space, tab, carriage return, or linefeed, [ \t\r\n]). Additional examples are available at the OWASP Validation Regex Repository.

Java Regex Usage Example

Example validating the parameter “zip” using a regular expression.

    // In a Java string literal the backslash itself must be escaped, hence \\d
    private static final Pattern zipPattern = Pattern.compile("^\\d{5}(-\\d{4})?$");

    public void doPost( HttpServletRequest request, HttpServletResponse response) {
        try {
            String zipCode = request.getParameter( "zip" );
            if ( !zipPattern.matcher( zipCode ).matches() ) {
                throw new YourValidationException( "Improper zipcode format." );
            }
            // … do what you want here, after it's been validated …
        } catch (YourValidationException e ) {
            response.sendError( HttpServletResponse.SC_BAD_REQUEST, e.getMessage() );
        }
    }

Some white list validators have also been predefined in various open source packages that you can leverage. Two packages that provide this are:
    Apache Commons Validator
    OWASP ESAPI Validators

It is strongly recommended that you use ESAPI to assist with your input validation needs, rather than writing your own validation routines. The OWASP Enterprise Security API (ESAPI) project has predefined validators defined in the org.owasp.esapi.Validator interface and implemented in the DefaultValidator reference implementation. These include:
    getValidDate()
    getValidCreditCard()
    getValidSafeHTML()
    getValidInput()
    getValidNumber()
    getValidFileName()
    getValidRedirectLocation()

With ESAPI, the previous example can be rewritten as follows. Example validating the parameter “zip” with the generic ESAPI input validator:

    public void doPost( HttpServletRequest request, HttpServletResponse response) {
        try {
            // Validator is an interface; the configured implementation is obtained via ESAPI.validator()
            String zipCode = ESAPI.validator().getValidInput("ChangeAddressPage_ZipCodeField",
                                 request.getParameter( "zip" ), "zipCodePattern", 10, false);
            // … do what you want with the validated ‘zipCode’ param here …
        } catch( ValidationException e ) {
            response.sendError( HttpServletResponse.SC_BAD_REQUEST, e.getMessage() );
        }
    }
    // zipCodePattern is the name of a property defined in ESAPI.properties, and its value
    // is the regular expression: "^\d{5}(-\d{4})?$"
    //
    // If zipcodes were a frequently used parameter in your application, we would recommend
    // that you create your own getValidZipCode() method that builds on top of ESAPI, to make
    // it even simpler for your developers to use.

An article that may be useful to someone...
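The cheat sheet's central claim (Defense Option 1) is that a parameterized query treats `tom' or '1'='1` as a literal username while a string-built query treats it as SQL. Added example, not part of the post or of OWASP's own code: the unsafe concatenation beside its parameterized form, run against an in-memory SQLite database (the `user_data` table and its rows are constructed here for the demo).

```python
"""Unsafe string-built query vs. parameterized query, demonstrated on SQLite.

Added example; the table name and column names follow the cheat sheet, the
row contents are constructed for this demo.
"""
import sqlite3

# Constructed sample rows mirroring the cheat sheet's user_data table.
SAMPLE_ROWS = [("tom", 100), ("alice", 250), ("bob", 75)]


def make_db():
    """Create an in-memory database with the demo table and rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_data (user_name TEXT, account_balance INTEGER)")
    conn.executemany("INSERT INTO user_data VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def balances_unsafe(conn, customer_name):
    """UNSAFE: the input becomes part of the SQL text, so the database cannot
    tell data from code. Kept only to show the failure mode."""
    query = ("SELECT user_name, account_balance FROM user_data "
             "WHERE user_name = '" + customer_name + "'")
    return conn.execute(query).fetchall()


def balances_safe(conn, customer_name):
    """SAFE: the SQL text is fixed up front and the value is bound afterwards,
    so it is compared literally as a username whatever it contains."""
    query = "SELECT user_name, account_balance FROM user_data WHERE user_name = ?"
    return conn.execute(query, (customer_name,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    crafted = "tom' or '1'='1"   # the cheat sheet's example input
    print("unsafe:", balances_unsafe(conn, crafted))   # every row comes back
    print("safe:  ", balances_safe(conn, crafted))     # no such user: []
    print("safe:  ", balances_safe(conn, "tom"))       # [('tom', 100)]
```

With the crafted input the concatenated query becomes `... WHERE user_name = 'tom' or '1'='1'`, which is true for every row; the bound version looks for a user literally named `tom' or '1'='1` and finds nothing.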
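For the retrofit path (Defense Option 3) and the white-list section, the post gives the MySQL-mode escape table, the LIKE-wildcard rule and the zip-code regex but no routine that applies them. Added example, not from the post or from ESAPI: an escaper that implements the MySQL-mode table and the ANSI_QUOTES rule, a LIKE-wildcard escaper in the style of the Oracle `ESCAPE '/'` queries, and a white-list validator built on the post's regexes. The `fullmatch` handling of a trailing newline is the one edge case worth noting: `$` alone would accept `"12345\n"`.

```python
"""Escaping and white-list validation helpers following the cheat sheet's tables.

Added example. The escape table and regexes are the post's; the function
names are this example's own. Escaping is the retrofit option; parameterized
queries remain the first choice.
"""
import re

# MySQL-mode escape table from the post (character -> replacement).
_MYSQL_ESCAPES = {
    "\x00": "\\0", "\x08": "\\b", "\t": "\\t", "\n": "\\n", "\r": "\\r",
    "\x1a": "\\z", '"': '\\"', "%": "\\%", "'": "\\'", "\\": "\\\\", "_": "\\_",
}


def escape_mysql_mode(value):
    """Apply the MySQL-mode table; every other non-alphanumeric character
    below 256 becomes backslash + the character, as the post specifies."""
    out = []
    for ch in value:
        if ch in _MYSQL_ESCAPES:
            out.append(_MYSQL_ESCAPES[ch])
        elif ord(ch) < 256 and not (ch.isascii() and ch.isalnum()):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escape_ansi_quotes(value):
    """ANSI_QUOTES mode: only the single tick needs doubling."""
    return value.replace("'", "''")


def escape_like(value, esc="/"):
    """Escape LIKE wildcards for use with `... LIKE ? ESCAPE '/'`.
    The escape character itself is doubled first so it cannot be smuggled in."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


# White-list patterns from the post. re.ASCII keeps \d to 0-9 only.
ZIP_PATTERN = re.compile(r"^\d{5}(-\d{4})?$", re.ASCII)
FREE_TEXT_PATTERN = re.compile(r"^[a-zA-Z0-9\s.\-_]{1,100}$", re.ASCII)


def validate(pattern, value):
    """Return value if the whole string matches the white-list pattern.

    fullmatch is used deliberately: with plain match(), `$` would also accept
    a value that carries a trailing newline ("12345\\n").
    """
    if value is None or pattern.fullmatch(value) is None:
        raise ValueError("input does not match the allowed pattern")
    return value


if __name__ == "__main__":
    print(escape_mysql_mode("O'Brian"))          # O\'Brian
    print(escape_ansi_quotes("O'Brian"))         # O''Brian
    print(escape_like("100%_off"))               # 100/%/_off
    print(validate(ZIP_PATTERN, "12345-6789"))   # 12345-6789
```

A legitimate name such as O'Brian survives both escaping modes intact, which is the point the post makes against black-list filtering of the `'` character; the validator, by contrast, rejects anything the pattern does not describe, trailing newline included.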
  5. I'm more optimistic :) Partition E was a logical partition, which is why I think it disappeared together with D.
1.) You need backup space where you can copy the recovered data (USB sticks, another hard disk).
2.) You can try a partition recovery/repair program (Active@ Partition Recovery Enterprise Toolkit contains a live CD with all the tools, to which you can add whatever tools you want) to see whether you can recover the partition in full.
3.) Recovery tools: GetDataBack, R-Studio Data Recovery, Recuva, Ontrack, EnCase etc.; since each program uses its own algorithms, you can try several such programs.
4.) You need time. Since you haven't overwritten the data with anything, you have a chance of recovery of up to 100%, depending on how much patience, time and skill you have. Good luck.
  6. Many people are under the impression that hard drives need to be wiped with multiple passes to prevent recovery of data. This is simply untrue with modern hard drives. According to the National Institute for Standards and Technology, “Studies have shown that most of today’s media can be effectively cleared by one overwrite.” You may be confused between disk wiping and file wiping and deletion. Wiping a hard drive involves using software or a hardware device to completely write over every bit of a hard drive. This will prevent the recovery of nearly all data on that hard drive. There are methods to “recover” some things which I will explain in a bit. File wiping involves using software to completely write over the contents of a file. The entry for that file in areas such as the file allocation table is usually removed as well. Wiping files is better than pressing the delete key on your keyboard but remnants of these now wiped files can still be found in other places on the hard drive. This is especially true if the file is copied back and forth between volumes, has been cached to the disk from RAM and numerous other operations done by the operating system. Regular file deletion does not really delete the contents of a file. On a Windows XP system this includes choosing a file and pressing the delete key to move it to the recycle bin. As well as the files emptied from the recycle bin and files deleted by holding down shift while pressing delete to bypass the recycle bin. Think of your hard drive as a book. The book has a table of contents with chapters which represent files. The only way to find chapters (data) is through the table of contents. When a file is deleted its entry in the table of contents is removed, leaving the data in that chapter in the book but no actual reference to where it is in the table of contents. In reality, something similar happens on the hard drive. 
Those leftover contents will eventually be written over as the space they take up is needed.

So why are there so many recommendations for multiple passes during disk wiping? Some recommend physically destroying a hard drive or writing to it 3, 7 and even 25 times as the only reliable methods of getting rid of data. This really is not the case. Data is stored magnetically and is represented by 1s and 0s. In older hard drives it is possible to view previous states that these magnetic areas existed in, such as a 1 that used to be a 0. This is done with an electron microscope in the examples that I’m aware of. Even though this is possible, it would still be nearly impossible to get enough correct readings to put together a document, picture or anything else. There is currently no public example of this method actually returning any useful results. Modern hard drives are even more efficient, making it harder to read what state bits were previously in.

Data Destruction Methods

The simplest form of data destruction is simple overwriting of the entire hard drive. As mentioned above, wiping a modern hard disk once is enough to prevent recovery of data. Another simple method of data “destruction” is encryption. Encrypting a hard disk with full disk encryption will effectively render that data unreadable, as if it had been overwritten with random characters. Degaussing is one of the best but most expensive methods. It involves using hardware which renders previous data on a hard disk unreadable by changing the magnetic alignment of areas of the hard disk. Another sure-fire method is physical destruction of the platters inside of the hard drive. This can be done by smashing, grinding and shredding them. You can burn them and dip them in corrosive acid as well. Essentially, anything that can cause total destruction to the platters will destroy the data on them.
If you’re in the habit of hoarding copyrighted material that does not belong to you on optical storage media such as CDs and DVDs, then the quickest way to destroy this data is in the microwave. In today’s world, there is really no need to hoard pirated data on optical media. It is much easier and safer to store it on encrypted hard disks. However, if you ever find yourself in a situation that involves federal agents beating down your door, you may want to throw your stash in the microwave. However, there’s always that awkward situation where you have to explain why you have fifty microwaved DVDs and CDs in your microwave.

Disk Wiping Software

I’m sure you’ve heard of DBAN or Darik’s Boot and Nuke. Most people who work in IT have. This is because it works and it is very effective. You can pop the CD in, go through a few menus and then leave the machine running while DBAN does all the work. It can wipe every hard disk connected to the system in succession. There are options to do more than one pass, which you should avoid unless you don’t mind wasting your time.

Another method I use quite a bit is to just hook a drive up to a Linux system or pop a bootable Live CD in the machine and boot into a Linux environment to use the “dd” command. It can be as simple as this:

    dd if=/dev/zero of=/dev/[DISK HERE]

Remember to read the man page on dd if you plan on using it. There is also dcfldd, which can perform the same actions and more. dcfldd has been geared towards computer forensics and security.

For file level wiping I’m a fan of Jetico’s BCWipe. The software is highly customizable and different wiping options can be set up to run at different times. It can wipe free space or unallocated space on a hard disk, which is where older “deleted” files reside. This will prevent recovery of data using forensics and data recovery software from unallocated space. It will also wipe file slack. Data is split between clusters on the hard disk.
Files are rarely the perfect size to always fill every cluster up, so what is left over after the end of that file in a cluster is file slack. It can contain remnants of previous files. It can also wipe and clean old file entries, the swap file, recently used file lists and many other things, including custom locations. Let's just say that if BCWipe is used correctly, it can really make a computer forensics examination a pain in the ass and probably render any examination of the drive irrelevant, depending on the type of evidence that needs to be collected.

Don’t limit yourself to just this software. There is a lot of file level wiping software out there, some free and some not so much. The reason I have listed BCWipe is that I personally use it and find it very reliable and effective. Another bit of free software that I find useful is CCleaner, which is very similar to BCWipe. You must turn on actual overwriting of files manually within the settings of the program. I use it alongside BCWipe to cover a larger area of temp files, recent file lists and other areas where history and artifacts may be lurking.

A great method of confirming that your hard drive has been fully wiped is to open the physical disk with a hex editor like WinHex and confirm that the wiping pattern matches what you’ve chosen. I personally just use zeros. I’ve outlined the entire process in the steps below. Basically what I’ve done is wiped a thumb drive with a single pass and then reformatted the thumb drive with the FAT32 file system. I then created a text document, documenting the sectors it was located in. I then re-wiped the thumb drive with a single pass and documented the results. This was all done with EnCase Forensic, WinHex and the Hard Disk Wipe Tool.

Step 1

Using the Hard Disk Wipe Tool 2.35.1178 I have wiped my 1GB thumb drive. Essentially what this software is doing is “writing zeros” to the storage media. This is done with one single pass, not multiple passes.
Meaning it goes from start to end, zeroing every sector on the media.

[Screenshot: Thumb Drive Being Wiped]

Step 2

I then verified that the thumb drive was wiped. See the screenshot.

[Screenshot: Sector 0 After Wipe - WinHex]

This first screenshot is a view of the start of the thumb drive with WinHex. You can see that this portion is entirely zeroed out. No filesystem, no files, no data period exists on this thumb drive any longer. The rest of the drive (every sector) is completely zeroed as well.

Step 3

I then formatted the thumb drive with the FAT32 file system using Windows XP.

[Screenshot: Format dialog]

After clicking yes I then filled out the options to do a normal format of the media with FAT32. After formatting the media I then proceeded to view the first sector of the disk with EnCase Forensic software as seen in the next screenshot. Notice that it has been formatted with the FAT32 filesystem.

[Screenshot: Sector 0 After Formatting]

Step 4

I then proceeded to create a text document on the media using Windows Explorer. The text document is named “JUSTATEXTDOCUMENT.txt” and you can see the title and file entry on the disk in this next screenshot. Notice the “name” of the thumb drive is “ANTIFOR” and you can also see the 8.3 file naming standard format of the file as well.

[Screenshot: Sector 4032 After Text File Creation]

Step 5

A few sectors more and you can see the start of the text document, which consists of the phrase “I am just a text document.” copypasta’d quite a few times. You are seeing screenshots of all of this from actual professional computer forensics software, one of the most used computer forensics software packages in the world, which carries a hefty price tag of right around $3,000 USD per license/dongle.

[Screenshot: Sector 4040 After Text File Creation]

Step 6

I then re-ran the Hard Disk Wipe Tool 2.35.1178 and have re-wiped my 1GB thumb drive. This first screenshot shows the first sector of the thumb drive where you previously saw data for the FAT32 file system.
[Screenshot: Sector 0 After Wiping]

Notice that there is now no data at this sector. In this next screenshot you will see sector 4032, which previously had the file entry where you could see the filename for the document.

[Screenshot: Sector 4032 After Wiping]

Notice that there is nothing there anymore. The single pass has completely wiped out file information for the text document. Let’s look at the contents of the text document now in sector 4040. Need I say more about this screenshot?

[Screenshot: Sector 4040 After Wiping]

The fact is, nothing exists on this thumb drive anymore that can be recovered with any data recovery software or computer forensics software.

What about magnetic force microscopy?

There has been some confusion about magnetic force microscopy and what I’ve done (probably because my writing skills are a bit lacking). Magnetic force microscopes move across magnetic-based storage mediums such as a modern hard disk drive. It then creates images based off of the previous values of bits in these sections. I of course have not used one and instead will base my information off of the sources at the end of this article. Previous comments suggested that by using magnetic force microscopy data could be retrieved. To summarize and use plain English, this method determines the state a bit was in before it was changed. So if a bit were a 1 and now it is a zero, this method is supposed to be able to detect that previous state. It is said that in older disk media it is easier to do this and harder with newer media. It will take many months to actually image a small hard drive using this method.

Let's try and understand this process though. First, human readable data is made up of many bits. A single human readable ASCII character is equal to 8 bits or a single byte. If even one of these bits is recovered incorrectly, then the byte is a completely different value and our human readable ASCII representation of those groups of bits is completely different.
For example, take the ASCII word “anti.” The binary equivalent of this word is:

    01100001011011100111010001101001

Let's say that using an MFM the last bit was read incorrectly as a zero when it used to be a 1. What do we have now? The word: anth. This word is completely different. Now apply this to compound files such as databases, archives, or other files like encrypted containers. If one bit is recovered incorrectly it can negate all of the results and provide corrupted data. I think I’m making it sound like magnetic force microscopy is only sometimes incorrect when imaging platters. This method is very unreliable, costly and time consuming. Right now, don’t count on this method really being utilized on modern hard drives.

SANS Computer Forensics on Magnetic Force Microscopy

“The basis of this belief that data can be recovered from a wiped drive is based on a presupposition that when a one (1) is written to disk the actual effect is closer to obtaining a 0.95 when a zero (0) is overwritten with one (1), and a 1.05 when one (1) is overwritten with one (1). This can be demonstrated to be false.”

“In many instances, using a MFM (magnetic force microscope) to determine the prior value written to the hard drive was less successful than a simple coin toss.”

Secure Deletion of Data from Magnetic and Solid-State Memory by Peter Gutmann (the 35 pass wipe originated from Mr. Gutmann)

“Any modern drive will most likely be a hopeless task, what with ultra-high densities and use of perpendicular recording I don’t see how MFM would even get a usable image, and then the use of EPRML will mean that even if you could magically transfer some sort of image into a file, the ability to decode that to recover the original data would be quite challenging.”

Source: P1 P2
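The six-step wipe / format / create / re-wipe check from the post, as an added Python example that is not part of the original article: it runs against a small constructed image file instead of a real thumb drive, and replaces eyeballing WinHex with a sector-by-sector scan for the wipe pattern. The FAT32 boot sector, directory entries and sector numbers 0, 4032 and 4040 are constructed to mirror the post; a real format writes far more than this.

```python
import os
import tempfile

SECTOR = 512
IMAGE_SECTORS = 4096          # 2 MB constructed image standing in for the 1 GB stick
FILE_BODY = b"I am just a text document." * 19   # 494 bytes, fits in one sector


def wipe_image(path: str, pattern: bytes = b"\x00") -> None:
    """Single pass: overwrite every byte of the image with the wipe pattern."""
    with open(path, "wb") as f:
        f.write(pattern * (IMAGE_SECTORS * SECTOR))


def verify_wipe(path: str, pattern: bytes = b"\x00") -> list:
    """The hex editor check done programmatically: read the image sector by
    sector and return the numbers of every sector that is not all-pattern."""
    clean = pattern * SECTOR
    dirty = []
    with open(path, "rb") as f:
        idx = 0
        while True:
            chunk = f.read(SECTOR)
            if not chunk:
                break
            if chunk != clean[:len(chunk)]:
                dirty.append(idx)
            idx += 1
    return dirty


def write_sector(path: str, idx: int, data: bytes) -> None:
    with open(path, "r+b") as f:
        f.seek(idx * SECTOR)
        f.write(data.ljust(SECTOR, b"\x00"))


def read_sector(path: str, idx: int) -> bytes:
    with open(path, "rb") as f:
        f.seek(idx * SECTOR)
        return f.read(SECTOR)


def fake_format_and_create_file(path: str) -> None:
    """Stand-in for steps 3 to 5: a FAT32-looking boot sector at sector 0, a
    directory entry at sector 4032 and the file body at sector 4040 (all
    constructed; a real format writes far more structures than this)."""
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xEB\x58\x90"       # jump + NOP, as FAT boot sectors start
    boot[82:90] = b"FAT32   "         # file system type string field
    boot[510:512] = b"\x55\xAA"       # boot sector signature
    write_sector(path, 0, bytes(boot))
    # two 32-byte 8.3 directory entries: volume label (attr 0x08), then the file (attr 0x20)
    label = b"ANTIFOR    " + b"\x08" + bytes(20)
    entry = b"JUSTAT~1TXT" + b"\x20" + bytes(20)
    write_sector(path, 4032, label + entry)
    write_sector(path, 4040, FILE_BODY)


def run_demo(path: str = "") -> dict:
    """Run the whole wipe / format / create / re-wipe sequence and report what
    the sector scan saw at each stage. With no path a temp image is used."""
    temporary = not path
    if temporary:
        fd, path = tempfile.mkstemp(suffix=".img")
        os.close(fd)
    try:
        with open(path, "wb") as f:                   # constructed "old data" to erase
            f.write(os.urandom(IMAGE_SECTORS * SECTOR))
        wipe_image(path)                                                  # step 1
        results = {"after_wipe": verify_wipe(path)}                       # step 2
        fake_format_and_create_file(path)                                 # steps 3-5
        results["after_format"] = verify_wipe(path)
        results["file_visible"] = FILE_BODY in read_sector(path, 4040)
        wipe_image(path)                                                  # step 6
        results["after_rewipe"] = verify_wipe(path)
        results["file_gone"] = read_sector(path, 4040) == bytes(SECTOR)
    finally:
        if temporary:
            os.remove(path)
    return results


if __name__ == "__main__":
    for stage, seen in run_demo().items():
        print(f"{stage}: {seen}")
```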
  7. Minibis is an automated malware analysis platform; it can work with the following sample types: .exe (Windows standard executable file type), .dll (Windows DLLs), .swf (Flash movies), .pdf (PDFs), .js (JavaScript code), URLs (websites, etc.). Requirements: Linux (host) + VirtualBox + Windows (guest). Download + installation & configuration manual: Minibis - CERT.at. Video presentation: DIY Malware Analysis With Minibis. *Anubis is an (online) service for analyzing malware.
  8. Usr6

    crackme

    @static what about this loop?

     ______________________
    |                      |
    |                     \./
    |   cmp edx, 5
    |   jb short loc_401458   <----
    |                     \./
    |   xor [ecx], eax
    |   add ecx, 4
    |   inc edx
    |______________________|
  9. Wouldn't it work to put a script on a server of yours (www.vreausamaloghezpeyahoo.com/scrip.php) that sends the login data to Yahoo, and on your server do a login with pictures or something similar? e.g. if you click on 5 pictures in the order you chose, it logs you in to Yahoo; in the logs only "www.vreausamaloghezpeyahoo.com/scrip.php" would show up.
  10. A keylogger is a program that monitors all the activity carried out on a computer, including the applications run, the keyboard, passwords, the clipboard, chat messaging, email messages and visits to various web pages. It discreetly sends encrypted activity reports by email, via an FTP server or over the network. Open the downloaded package and install the software. Read the usage instructions carefully; you can find them in the readme.txt file. The readme.txt file is attached to every downloaded piece of software. Download. Download valid today 16/08/2011 ***17 hours and 51 minutes left to download and install the software.*** source http://www.ultimatekeylogger.com/
  11. Usr6

    Grupuri

    It would be nice, e.g.: Coders, Reversers, Pentesters, Trolls ... etc., each with their own lead. Since a user may be good at more than one thing, I propose that the groups each person belongs to appear under their avatar, with access to each group being granted by the group's leader.
  12. Please welcome the latest addition to Mandiant’s free forensic gadget grab bag: Heap Inspector. This tool is the manifestation of a very simple idea a colleague and I came up with several months ago when discussing the prevalence of heap sprays as a staging mechanism for most exploits in the wild today (and why anti-virus/HIPS did not recognize and block heap sprays in progress). The idea was simple: a heap spray stores identical copies of the same block of data hundreds of times on the heap, so why not hash each chunk in an application’s heap space and report repeating patterns? The idea grew into a full-featured tool to visualize and search an application’s heap space in near real-time. I presented Heap Inspector at a turbo talk this year at Blackhat USA 2011.

Heap Inspector is a heap visualization and analysis tool. It has the ability to collect a process’s heaps using both API and raw methods. Features include searching heaps for string or byte patterns (including regex), dumping heap chunks to a file, and viewing chunks in a hex editor pane. Heaps are displayed visually in a bar chart format known as the heap hash map, allowing the user to view allocations spatially. A similar chart called the heap data map overlays regular expression matches for useful patterns on top of the heap bars. This visualization allows an investigator to quickly discover evidence of a heap spray attack and other useful information stored in an application’s heap memory.

What can I do with Heap Inspector?

In general terms, Heap Inspector allows an investigator to visualize and search data stored in application heap memory. This is a simple yet extremely powerful ability, particularly in the context of host-level forensics. I will discuss two specific use cases: detecting heap spray attacks (post-mortem) and searching for personally identifiable information (PII).

Detecting Heap Spray Attacks

A heap spray is an attack technique used to stage shellcode.
It is meant to increase the reliability of successfully exploiting a memory corruption vulnerability with an accompanying exploit. This technique is very effective, because it stores the same attack data (which typically contains a nop sled and shellcode) in a large portion of the process’s heap memory. Commonly used against applications that host JIT engines (Flash, Java, etc.) such as web browsers and document readers, heap spray based exploits are prolific among modern exploits seen in the wild (CVE-2011-0609, CVE-2010-1297, CVE-2010-3973, CVE-2010-3971, just to name a few).

Heap Inspector uses a very simple but powerful concept to make a heap spray stand out in the user interface: the heap hash map. This map consists of heap chunks drawn as colored rectangles according to their calculated CRC32, overlaid onto their respective heap. The hash map consists of the CRC32 hash of every heap chunk within tolerance (i.e., greater than a user-supplied base size and frequency of occurrence). Since heap sprays work by allocating the same block of data (a nop sled plus shellcode) hundreds of times on the heap, all of these blocks will have the same hash and will appear as a single contiguous chunk in the UI hash map, as shown below.

[Figure 1: Visualization of successful heap spray in Adobe Reader (CVE-2010-2883)]

The nop sled can be seen in the tool tip popup, and the shellcode can easily be extracted by clicking on the chunk address hyperlink, which will switch to the hex editor view pane. Also of note in this screenshot is that the heap is abnormally large (515 MB), an obvious indicator of a heap spray.

[Figure 2: Extracting the shellcode in heap memory from an exploit of CVE-2010-2883]

Once extracted, the shellcode can be analyzed statically in a disassembler or dynamically in an emulator to determine its exact functionality.
In summary, the heap hash map makes it trivial to determine the trustworthiness of any suspect document (PDF, MS Word, Excel, etc.) simply by running it in a sandbox or virtual machine.

Searching for Personally Identifiable Information

Similar to the heap hash map, the heap data map is used to visualize heap allocations, but in this case only heap chunks that match a supplied list of regular expressions are drawn on the map. Several default regular expressions are included with Heap Inspector, such as File/UNC Path, GUID, IPv4 address, SQL queries, URL/domains, Social Security numbers, and credit card numbers. You can create, import and export your own regular expressions. As shown below, only regular expressions that are matched in heap memory will be displayed.

[Figure 3: A portion of the heap data map for Microsoft Outlook]

In addition to the graphical heap data map, the search tab provides a simple interface to search for regular expressions in application heap memory. The screenshot below shows an active conversation found in Skype’s heap memory. There are many other useful items stored in Skype’s memory, such as Delphi executable files, SQL statements, and various URLs and configuration data. As a side note, since Heap Inspector reads memory that’s in use by the application, anti-debugging and obfuscation tricks do not work (Skype employs various anti-debugging measures to prevent attaching with a debugger).

[Figure 4: Active Skype conversation discovered by searching for the keyword ‘skillz’]

The search feature is a powerful tool not only for auditing the data stored and used by an application, but also for reverse engineering internal memory structures. By further analyzing the storage structure of the Skype conversation excerpt above, it could be possible to develop a generic byte signature or regular expression. Such a pattern could then be used for generic Skype conversation detection in subsequent searches with Heap Inspector.
How is Heap Inspector different than other tools?

There are many ways to collect data stored in memory, such as attaching with a debugger or dumping physical memory using a host of available tools. The most powerful and interactive of these options is a debugger such as WinDbg, which requires technical expertise and cryptic low-level commands. Physical memory acquisition and analysis is powerful but also requires technical expertise and knowledge of memory structures and operating system internals. It also has the disadvantage of being a “smear” of the contents in memory and instantly stale once acquired. In general, Heap Inspector seeks a middle ground between technical savvy and functionality. It is as close to “real time” as you can get without using a debugger and does not require the technical savvy to navigate memory contents.

Typically in memory analysis, an investigator is dealing with either an entire process dump or an entire physical memory dump, which can be an overwhelming amount of data to cull through. By collecting data only from an application’s heap, an investigator can focus on data that’s being actively allocated and used by the program.

With regards to string searching functionality, most investigators are familiar with tools such as Sysinternals’ strings utility, which will dump all strings in a binary. Similarly, many memory analysis tools allow an investigator to collect all strings in a process address space, which will include strings from the process’s image. In contrast, Heap Inspector only collects strings from the heap, which represents dynamically allocated data used through the life of the program. This distinction is important because it eliminates a large portion of data that might not be useful.

Finally, when applied to heap spray detection, Heap Inspector uses a simple CRC32 frequency-of-occurrence concept to detect and visualize a successful heap spray.
All of the current research and tools related to heap spray detection and prevention that I reviewed use a combination of binary instrumentation, emulation, hooking and/or dynamic code analysis to make an informed decision about the contents of heap data. While this has the added benefit of detecting and preventing heap spray attacks in “real time”, it has the notable drawbacks of adding overhead and generating false positives/negatives.

Final Thoughts

Currently, Heap Inspector only supports live system analysis by injecting into running processes. This method uses API techniques. In future versions of the tool, raw methods to parse heap structures by using the PEB will be employed so that offline memory images can be analyzed. Also, since the heap spray detection is post-mortem, Heap Inspector will only detect the heap spray after the attack was successful. A future release of the tool might include the capability to detect such an attack in progress. However, several tools and research already exist for this purpose and rely on some variations of binary instrumentation and dynamic code analysis. If you are interested in heap spray prevention, I would recommend taking a look at Microsoft’s EMET and Didier Stevens’ HeapLocker tool. For more details, see the whitepaper included with Heap Inspector.

Download Heap Inspector

Source
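The two ideas the post describes, the CRC32 frequency-of-occurrence heap hash map and the regex-driven heap data map, as an added Python example that is not Mandiant's code and does not read a live process: the list of (address, bytes) heap chunks, the sprayed block and the regular expressions are all constructed here.

```python
import re
import zlib
from collections import defaultdict

# Constructed stand-in for a sprayed block: a long run of filler followed by a
# labelled placeholder, repeated unchanged hundreds of times on the heap.
SPRAY_BLOCK = b"\x90" * 0x7F00 + b"<payload placeholder, constructed>".ljust(0x100, b"\x00")

# Constructed subset of the default patterns the post lists (URL, IPv4).
DEFAULT_PATTERNS = {
    "url": re.compile(rb"https?://[\w.-]+(?:/[^\s\x00]*)?"),
    "ipv4": re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def heap_hash_map(chunks, min_size=4096, min_count=50):
    """CRC32 every chunk at or above min_size and keep only the hashes that
    recur at least min_count times: {crc32: [chunk indices]}."""
    by_hash = defaultdict(list)
    for idx, (_addr, data) in enumerate(chunks):
        if len(data) >= min_size:
            by_hash[zlib.crc32(data)].append(idx)
    return {h: idxs for h, idxs in by_hash.items() if len(idxs) >= min_count}


def spray_report(chunks, min_size=4096, min_count=50):
    """One row per suspicious hash group: how many identical copies, how much
    of the heap they cover and where the first copy sits."""
    total = sum(len(d) for _, d in chunks) or 1
    rows = []
    for h, idxs in heap_hash_map(chunks, min_size, min_count).items():
        covered = sum(len(chunks[i][1]) for i in idxs)
        rows.append({
            "crc32": f"{h:08x}",
            "count": len(idxs),
            "bytes": covered,
            "heap_share": round(covered / total, 3),
            "first_addr": chunks[idxs[0]][0],
        })
    return sorted(rows, key=lambda r: r["bytes"], reverse=True)


def heap_data_map(chunks, patterns):
    """Heap data map: which chunk indices match which named regex."""
    hits = defaultdict(list)
    for idx, (_addr, data) in enumerate(chunks):
        for name, rx in patterns.items():
            if rx.search(data):
                hits[name].append(idx)
    return dict(hits)


def build_sample_heap(spray=True, copies=300):
    """Constructed heap: 200 ordinary allocations with unique content, two
    chunks carrying a URL and an IPv4 address, and optionally the spray."""
    chunks, addr = [], 0x00A00000
    sizes = [64, 256, 1024, 8192]
    for n in range(200):
        size = sizes[n % len(sizes)]
        chunks.append((addr, (b"chunk%03d" % n) * (size // 8)))
        addr += size + 16
    chunks.append((addr, b"https://example.com/login?session=abc123\x00"))
    addr += 64
    chunks.append((addr, b"peer=10.0.0.5\x00"))
    addr += 32
    if spray:
        for _ in range(copies):
            chunks.append((addr, SPRAY_BLOCK))
            addr += len(SPRAY_BLOCK) + 16
    return chunks


if __name__ == "__main__":
    heap = build_sample_heap()
    for row in spray_report(heap):
        print(row)
    print(heap_data_map(heap, DEFAULT_PATTERNS))
```

With the defaults the 300 identical blocks collapse into a single hash group covering well over 90% of the constructed heap, which is the "one contiguous chunk" the post describes; the 200 unique allocations never reach the frequency threshold.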
  13. File: iStealer 6.3 Legends.exe CRC-32: 4881bae6 MD4: e2b7c74268b9ee16627d9d031cd029b4 MD5: b72399dc0e1977c9e5c90db26d044a18 SHA-1: 3e6ef0c085fbca240bf8bb5526c7fe04ff014d36 Size: 1.63 MB (1,712,128 bytes) is clean
  14. (1+1+1)! = 6; 10+10+10 = 6, 10 in binary = 2
  15. test *does not require installation. Depending on the "Daily average" result you fall into one of the following categories: Between 0 and 1 hour - Normal result, you use the computer only when absolutely necessary. You're not a computer fan; you'd rather do something else than waste your time in front of it. Between 1 and 2 hours - You use the computer wisely. You need it and turn to it whenever you really need to. Between 2 and 4 hours - The computer is part of your life. You use it whenever you get the chance. Between 4 and 6 hours - You're starting to overdo it with computer use. You can't go a day without it. This is already a warning sign. The computer virus has taken hold of you; you're infected. You need to get into a detox cure as soon as possible, otherwise you may soon move on to the next category, that of the "chronically ill". Over 6 hours - You're obsessed with the computer! There are almost no moments when your computer is off. For you, the whole world revolves around it. You know almost everything that's new on the Internet; nothing escapes you. This test applies to private individuals, not to those who use the computer at the office during working hours, or to those who use the computer for business purposes. source. Is anyone normal?
  16. Miscellaneous

    EC-Council Certified Ethical Hacker v7

    EC-Council releases the most advanced ethical hacking program in the world. This much anticipated version was designed by hackers and security researchers. CEH v7 is a revolutionary training program that combines class metrics, an advanced lab environment, cutting edge hacking techniques and excellent presentation materials. EC-Council has spent several years in developing this version.

    Module 01: Introduction to Ethical Hacking
    Module 02: Footprinting and Reconnaissance
    Module 03: Scanning Networks
    Module 04: Enumeration
    Module 05: System Hacking
    Module 06: Trojans and Backdoors
    Module 07: Viruses and Worms
    Module 08: Sniffers
    Module 09: Social Engineering
    Module 10: Denial of Service
    Module 11: Session Hijacking
    Module 12: Hacking Webservers
    Module 13: Hacking Web Applications
    Module 14: SQL Injection
    Module 15: Hacking Wireless Networks
    Module 16: Evading IDS, Firewalls, and Honeypots
    Module 17: Buffer Overflow
    Module 18: Cryptography
    Module 19: Penetration Testing

    Size: 15.51 GB
    Torrent
    Source
  17. Hex-Rays.IDA.Pro.Advanced.v6.1.Windows.incl.Hex-Rays.x86.Decompiler.v1.5.READ.NFO-RDW Hex-Rays.IDA.Pro.Advanced.SDK.v6.1-RDW Hex-Rays.IDA.Pro.Advanced.FLAIR.v6.1-RDW Hex-Rays.IDA.Pro.Advanced.IDS.Utilities.v6.1-RDW Hex-Rays.IDA.Pro.Advanced.LOADINT.v6.1-RDW Hex-Rays.IDA.Pro.Advanced.TILIB.v6.1-RDW Hex-Rays.IDA.Pro.Advanced.v6.1.TVision.v2009b.Source-RDW Rapidshare.ru :: source Epic Fail from IDA and Eset
  18. Romania's ambassador to Tirana was summoned on Tuesday to the Albanian Ministry of Foreign Affairs to clarify alleged statements attributed by the press in that country to President Traian Basescu regarding character traits of Albanians, including those in Kosovo. In reply, the Romanian MFA informed the Albanian ambassador in Bucharest on Tuesday that it is totally unacceptable that a Romanian ambassador was put in the position of giving explanations following unverified information coming from unclear sources, NewsIn reports. "This type of approach is not in line with the level of the bilateral relationship, nor with Romania's constant support for Albania's European aspirations," an MFA statement says. "The MFA disapproves of attempts to trivialise diplomatic dialogue and of overplaying flimsy information circulated in virtual communication media," the document sent to Ziare.com further states. According to the Italian site julienews.it, President Traian Basescu allegedly told the Romanian press that our country does not recognise Kosovo's independence, labelling Albanians "shitty gypsies" and "trash". Several sites in Kosovo and Albania picked up the story during the day on Tuesday. Only four hours after the story about "Basescu's racism" was first posted on Kosovar sites, the Kosovar sites indeksonline.net and gazetaexpress.com clarified: "A Serbian hacker nearly triggered a diplomatic scandal between Romania and Albania and managed to get the diplomats of the two countries moving on Tuesday". Meanwhile, the post on julienews.it has disappeared, as have those published by Ora News, the site of the Albanian news television. According to the daily Jurnalul National, it was concluded that a Serbian hacker attacked the Italian news site where the initial story was published. Source
  19. One of the first and most important questions that intrusion analysts are asked after a network attack is “did they steal anything?”. And if so, “what did they take?”. Often, this is also one of the most challenging questions to answer when the analyst only has a post-intrusion forensic image to work with. Frequently, the analyst’s primary objective becomes identifying and locating data exfiltration files. For those not familiar with the term, data exfiltration files are created by an attacker to contain stolen data on the victim box. It is basically a storage container that he later intends to transfer back to his own computer. Data exfiltration files may be a simple keylogger text file or HTML files concatenated by web scraping malware. However, they can also contain targeted company intelligence or entire SQL database dumps. Content varies as widely as the attacker’s imagination and end goals. Although data exfil files could be anywhere on the system, in my experience, I often locate them in the following directories:

    C:\Windows\system32
    C:\Temp
    C:\Documents and Settings\profilename\Local Settings\Temp

Once the data exfiltration files are located, they are often obfuscated, which further complicates the issue. The files could be encrypted with advanced algorithms such as Blowfish or AES-256; however, the most common type of encryption I see is much simpler: XOR. Hence, the purpose of this blog entry is to provide analysts with a technique to recover data from these types of files.

First, a very brief explanation of XOR (shortened from the term exclusive or): XOR is a bitwise operator that examines the individual bits of each character and compares them to the XOR key. If the two bits are identical, then the result is “0”; if they are different, the result is “1”. Once this is run through every bit in a data exfiltration file, it results in a very effective scrambling of the data.
Wikipedia provides an excellent resource for the mathematics behind this function, but this is not necessary to complete the techniques I am discussing today. For the analyst’s purpose, we only need to know that the attacker has encrypted the data with an XOR key and we need to identify that key in order to recover the data.

So, I will begin with identifying a multi-character XOR key, which is the most common implementation that I see. The picture below shows a simple login page to Bank of America. This is the sample data exfiltration file that I will be using. It is saved in HTML format, typical of how malware would capture and save it.

The picture below shows the Bank of America HTML login page in hexadecimal format. The interface shown is from a program called Hexplorer, available for free from Hexplorer | Download Hexplorer software for free at SourceForge.net. I highly recommend Hexplorer for this kind of work because there are very few other hex tools available that allow you to input multi-character XOR keys.

The next step I took was to encode the HTML file with a multi-character XOR key. I chose the word hidden (shown in the picture below). The result is shown in the picture below. It appears to be encrypted; some analysts may give up at this point because reversing encryption is extremely challenging. However, I encourage everyone to look deeper into the file, because decryption may be easier than expected.

The key to understanding how to decode this file lies in the hex 0x20 character. Hex 0x20 is equivalent to the space bar in ASCII and is represented only as blank space. When an XOR key is applied, the hex 0x20 characters will always return with a true (0) value. Hence, when multiple hex 0x20 characters exist in a string, they will actually reproduce the XOR key. It is often difficult to find, but careful examination of the entire file may show you the key sitting plainly in the hex.
The picture below again shows the encoded Bank of America file; however, this is a different part of the file, where more blank space existed. Notice the terms highlighted in red. The case-opposite (all caps) XOR key, hidden, is shown clearly. The analyst may now take this file and use Hexplorer to reverse the XOR encryption with the known key. The result will be the complete Bank of America HTML file.

It should be understood that this technique is often more difficult to implement because the key may not be a simple English word. It may be written in a different language and may even be comprised of random characters. This makes it more difficult to see the term in the encrypted file. The key is to locate multiple instances of the same repeating characters. Also, there are variable implementations of XOR that can complicate decryption as well. I have seen malware authors begin the XOR transmutation function at specific byte offsets within the data exfiltration file. In this case, the analyst must identify the offset, determine if it is a repeating function, and finally decrypt only the sections of the file that are actually XOR’d. The technique is also highly dependent on the existence of hex 0x20 in the data exfiltration file. Keylogger and basic text files will likely have very little blank space; however, HTML, Word and database files may have quite a bit. Like most techniques, this can be employed on a case-by-case basis and will hopefully prove helpful in your investigations.

Identifying a single character XOR encryption key can be done using a similar technique. The picture below shows the Bank of America file encrypted with the key b. Frequently, because the space (0x20) is such a ubiquitous character, the most frequently occurring character in a file may be the actual XOR key. Additionally, there are other tools on the market that make single character identification much easier.
Didier Stevens created XORSearch, which does an excellent job of identifying single character XOR, ROT and ROL keys. It can be found at: XORSearch « Didier Stevens.

It should also be noted that this technique is useful in extracting malware from antivirus quarantines. Frequently, intrusion analysts are only called in after a first responder already tried to fix the problem. The “fix” may include installing an antivirus program that captures and encrypts valuable evidence. If the only copy of malware that you need to analyze is located in a quarantine container, then consider what methodologies may have been used to lock them inside. For example, simply unzipping McAfee quarantine files with 7-zip and reversing the files with the XOR key j (hex 0x6A) will yield the original malware.

XOR encryption is used frequently, for both legitimate and illegal purposes; it is important for analysts to know that this encryption can be broken with minimal effort and the result may be very valuable to the investigation.

Source
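The 0x20 trick from the post, worked in Python as an added example that is not the article's own material and does not use Hexplorer: XOR with a space flips bit 5 of an ASCII letter, i.e. its case, so wherever the captured page holds a run of spaces the encoded file shows the key with its case inverted. The HTML form below is a constructed stand-in for the captured login page; it also covers the single-byte case via the most-frequent-byte rule the post mentions.

```python
from collections import Counter

# Constructed stand-in for the captured login page: a form with typical HTML
# indentation, i.e. long runs of 0x20 bytes.
PLAINTEXT = (
    b"<html>\n<head><title>Sign in</title></head>\n<body>\n"
    b"                        <form action=\"/login\" method=\"post\">\n"
    b"                        <input type=\"text\" name=\"user\">\n"
    b"                        <input type=\"password\" name=\"pass\">\n"
    b"                        <input type=\"submit\" value=\"Sign in\">\n"
    b"                        </form>\n</body>\n</html>\n"
)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key_from_spaces(ct: bytes, max_key_len: int = 16, min_repeats: int = 3):
    """Find the longest stretch of ciphertext that repeats with some period k
    (at least min_repeats * k bytes long). In a space-heavy file that stretch
    is a run of 0x20 plaintext, so its repeating unit XORed with 0x20 (for
    letters: case restored) and rotated to the key's phase is the key.
    Returns (key, offset_of_run) or None when no such run exists."""
    best = None                      # (run_length, period, start)
    for k in range(1, max_key_len + 1):
        i = 0
        while i + k < len(ct):
            if ct[i] != ct[i + k]:
                i += 1
                continue
            j = i
            while j + k < len(ct) and ct[j] == ct[j + k]:
                j += 1
            run = (j - i) + k        # bytes i .. j+k-1 all repeat with period k
            if run >= min_repeats * k and (best is None or run > best[0]):
                best = (run, k, i)
            i = j + 1
    if best is None:
        return None
    _run, k, start = best
    unit = ct[start:start + k]       # the key, case-swapped, starting at phase start % k
    key = bytes(unit[(t - start) % k] ^ 0x20 for t in range(k))
    return key, start


def recover_single_byte_key(ct: bytes) -> bytes:
    """Single-byte variant: when the plaintext is dominated by spaces, the most
    frequent ciphertext byte is the key XOR 0x20."""
    (byte, _count), = Counter(ct).most_common(1)
    return bytes([byte ^ 0x20])


if __name__ == "__main__":
    ct = xor_bytes(PLAINTEXT, b"hidden")
    key, off = recover_key_from_spaces(ct)
    print("case-swapped key visible at offset", off, ":", ct[off:off + 12])
    print("recovered key:", key, "plaintext restored:", xor_bytes(ct, key) == PLAINTEXT)
    print("single-byte key:", recover_single_byte_key(xor_bytes(PLAINTEXT, b"b")))
```

Runs of repeated non-space plaintext can also produce a period-k stretch, so treat the recovered key as a candidate and confirm it by checking that the decoded output is readable, as the post does by reversing the file in the hex editor.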
  20. 4,524,488 in the first 3 months, and now we're in July.... how it works in more detail: TDL4 – Top Bot - Securelist
  21. hacar of hacars p.s. please don't be mad at me for making your password public, and go ahead and flood me until the circuits in my mouse burn out
  22. whoever has the time + the necessary knowledge and needs those logs... .NET, packer detected: iexpress v2; smtp.gmail.com:465 (SMTP via SSL, i.e. secure SMTP)
  23. this crypter (and the other one posted below) is so old that even the host of the stealer it was bound with has expired ;) lalaktutu.blackapplehost.com [I know there was a stealer cPanel there because it came my way some time ago]