Everything posted by Nytro
-
Hacker Wants $50K From Hacker Forum or He'll Share Stolen Database With the Feds
By Catalin Cimpanu, October 26, 2017

Extortion can also be funny when it happens to the bad guys, and there's one extortion attempt going on right now that will put a big smile on your face.

The victim is Basetools.ws, an underground hacking forum that allows users to trade stolen credit card information, profile data, and spamming tools. The site boasts to have over 150,000 users and over 20,000 tools listed in its forums.

Earlier this week, on Tuesday, an anonymous user appears to have breached the site, and uploaded samples of its database online, along with a ransom demand. The attacker is asking for $50,000 or he'll share data on the site's administrator with US authorities, such as the FBI, DHS, DOJ, and the DOT (Department of Treasury).

To prove the validity of his claims, the hacker shared an image of the Basetools admin panel and an image containing the site admin's login details and IP address.

In addition, the hacker also dumped tools that Basetools users were selling on the site, such as login credentials for C-Panel accounts; login credentials for shells, backdoors, and spambots hosted on hacked sites; credentials for RDP servers; server SSH credentials; user data leaked from various breaches at legitimate sites; and many more.

As soon as the ransom demand and accompanying data were published online, the Basetools portal went offline and entered maintenance mode.

"Yeah, the fact that site is down right now certainly doesn't look good for them," security researcher Dylan Katz told Bleeping Computer today regarding the possibility of the ransom demand being a fake breach. Nonetheless, "50k is a pretty steep ransom, seeing as the damage has already been done," Katz added.

But financial gain is not the only motivation behind this hack. According to other text included in the ransom demand, the hacker also appears to have carried out the hack out of revenge, claiming the site's operator has been manipulating stats.

"Basetools.pw is manipulating EARNING STATS & RESELLER STATS, Owner of this market has opened a reseller with name RedHat which always stays in First Place," the text reads.

Lots of sensitive data leaked online

Despite the "small potatoes" feel that you get when reading about a breach at a hackers' forum, this security incident is quite notable. All the Basetools seller data that was supposedly being sold on the forums before the hack is now online and easily accessible to anyone.

This means that credentials for thousands of servers are now within easy reach of anyone who knows where to look for them. Other hackers could take over these servers and deploy them in spam, malware hosting, or other malicious campaigns. The owners of these services will need to be notified so they can change credentials and clean up affected systems.

Furthermore, Katz has also identified user data that appears to come from services that have not previously announced they suffered a data breach. These services will also need to be notified so they can investigate any potential breaches, and reset passwords for affected accounts. Katz is currently processing the leaked data and intends to reach out to some of the affected parties.

Source: https://www.bleepingcomputer.com/news/security/hacker-wants-50k-from-hacker-forum-or-hell-share-stolen-database-with-the-feds/
-
Lab for Java Deserialization Vulnerabilities

This content is related to the paper written for the 12th edition of H2HC magazine. See the full paper at: https://www.h2hc.com.br/revista/
Slides and video of the talk will be available soon.

An overview of the fundamentals of native deserialization vulnerabilities in Java (JVM) environments
An overview of deserialization vulnerabilities in the Java Virtual Machine (JVM)

Content

The lab contains code samples that help you understand deserialization vulnerabilities and how gadget chains exploit them. The goal is to provide a better understanding so that you can develop new payloads and/or better design your environments. There is also a vulnerable testing application (VulnerableHTTPServer.java), which helps you test your payloads.

Source: https://github.com/joaomatosf/JavaDeserH2HC
-
Port scanning without an IP address
Posted: October 26, 2017 in midnight thoughts, security

Re-evaluating how some actions are performed can sometimes lead to new insights, which is exactly the reason for this blog post. Be aware that I’ve only tested this on two ‘test’ networks, so I cannot guarantee this will always work. Worst case scenario, you’ll read a (hopefully) out-of-the-box blog entry about an alternative port scan method that maybe only works in weird corner cases. The source for the script can be found on my gist, if you prefer to skip my ramblings and jump directly to the source.

One of the things I usually do is sniff traffic on the network that I am connected to with either my laptop or a drop device. At that point the output of the ifconfig command usually looks similar to this:

    eth0      Link encap:Ethernet  HWaddr 00:0c:29:4b:e7:35
              inet6 addr: fe80::20c:29ff:fe4b:e735/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:386316 errors:0 dropped:0 overruns:0 frame:0
              TX packets:25286 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:390745367 (390.7 MB)  TX bytes:4178071 (4.1 MB)

As you will notice, the interface has no IPv4 address assigned; you can ignore the IPv6 address for now. Normally I determine which IP address or MAC address to clone based on the traffic that I captured and analysed previously. Then I’m all set to start port scanning or performing other types of attacks. This time however I wondered what type of activities I could perform without an IP address. I mean it would be pretty interesting to talk IP to devices, somehow see a response and not be traceable, right? So I decided to see if it would for example be possible to perform a port scan on the network without having an IP address configured on my network interface. Since usually when you want to perform non-standard, weird or nifty tricks with TCP/IP you have to resort to raw sockets, I decided to directly jump to scapy to build a POC.

My working theory was as follows: normally when I am just sniffing traffic I see all kinds of traffic that gets sent to the broadcast address, so what if we perform a port scan and we specify the broadcast address as the source? I decided to test this using two virtual machines (Ubuntu & Windows 10) with the network settings on ‘NAT’ and also tested with the same virtual machines while bridged to a physical network. The following one-liners can be used to transmit the raw packet:

    from scapy.all import Ether, IP, TCP, sendp
    pkt = Ether(dst='00:0c:29:f6:a5:65',src='00:08:19:2c:e0:15') / IP(dst='172.16.218.178',src='172.16.218.255') / TCP(dport=445,flags='S')
    sendp(pkt,iface='eth0')

Running tcpdump will confirm if this works or not, moment of truth:

    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
    23:27:21.903583 IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto TCP (6), length 40)
        172.16.218.255.20 > 172.16.218.178.445: Flags [S], cksum 0x803e (correct), seq 0, win 8192, length 0
    23:27:21.904440 IP (tos 0x0, ttl 128, id 31823, offset 0, flags [DF], proto TCP (6), length 44)
        172.16.218.178.445 > 172.16.218.255.20: Flags [S.], cksum 0x03be (correct), seq 3699222724, ack 1, win 65392, options [mss 1460], length 0
    23:27:24.910050 IP (tos 0x0, ttl 128, id 31824, offset 0, flags [DF], proto TCP (6), length 44)
        172.16.218.178.445 > 172.16.218.255.20: Flags [S.], cksum 0x03be (correct), seq 3699222724, ack 1, win 65392, options [mss 1460], length 0
    23:27:30.911092 IP (tos 0x0, ttl 128, id 31825, offset 0, flags [DF], proto TCP (6), length 44)
        172.16.218.178.445 > 172.16.218.255.20: Flags [S.], cksum 0x03be (correct), seq 3699222724, ack 1, win 65392, options [mss 1460], length 0
    23:27:42.911498 IP (tos 0x0, ttl 128, id 31829, offset 0, flags [DF], proto TCP (6), length 40)
        172.16.218.178.445 > 172.16.218.255.20: Flags [R], cksum 0x1af8 (correct), seq 3699222725, win 0, length 0

wOOOOOOOt!! It seems to work. We can clearly see the packet being sent to the ‘.178’ IP address from the broadcast (.255) source address and then we see the response flowing back to the broadcast address. Now that’s pretty interesting right? Essentially we can now perform port scans without being really traceable on the network. Somehow this still feels ‘weirdish’ because it just works on first try…so still thinking I missed something :/

    sudo ./ipless-scan.py 172.16.218.178 00:0c:29:f6:a5:65 -p 445 3389 5000 -i eth0
    2017-10-26 23:13:33,559 - INFO - Started ipless port scan
    2017-10-26 23:13:33,559 - INFO - Started sniffer and waiting 10s
    2017-10-26 23:13:43,568 - INFO - Starting port scan
    2017-10-26 23:13:43,604 - INFO - Found open port - 445
    2017-10-26 23:13:43,628 - INFO - Found open port - 3389
    2017-10-26 23:13:43,645 - INFO - Found closed port - 5000
    2017-10-26 23:13:43,654 - INFO - Finished port scan, waiting 5s for packets
    2017-10-26 23:13:52,626 - INFO - Stopped sniffer

Source: https://diablohorn.com/2017/10/26/port-scanning-without-an-ip-address/
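From the defender's side, the capture above has a clear signature: a pure SYN sourced from the subnet broadcast address, and a host answering that address with SYN-ACK/RST. The following Python is an added example (not code from the original post or its gist) that parses tcpdump -v style lines and flags both conditions; the sample lines and the 172.16.218.0/24 subnet are constructed assumptions.

```python
"""Spot 'IP-less' port scans in a capture: TCP SYNs whose source address is the
subnet broadcast address, and hosts that answer them.

Added example, not from the original post. It parses tcpdump -v style lines
like the capture above; the sample lines and the 172.16.218.0/24 subnet are
constructed assumptions.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# tcpdump -v prints "<src>.<sport> > <dst>.<dport>: Flags [<flags>]" for each
# TCP packet (on the header line or the continuation line); match it anywhere.
FLOW_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample modelled on the post's capture: a SYN from the broadcast
# address, the target's SYN-ACK and later RST back to it, and one ordinary SYN.
SAMPLE_LOG = """\
23:27:21.903583 IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto TCP (6), length 40) 172.16.218.255.20 > 172.16.218.178.445: Flags [S], cksum 0x803e (correct), seq 0, win 8192, length 0
23:27:21.904440 IP (tos 0x0, ttl 128, id 31823, offset 0, flags [DF], proto TCP (6), length 44) 172.16.218.178.445 > 172.16.218.255.20: Flags [S.], cksum 0x03be (correct), seq 3699222724, ack 1, win 65392, options [mss 1460], length 0
23:27:25.100000 IP (tos 0x0, ttl 64, id 2, offset 0, flags [DF], proto TCP (6), length 60) 172.16.218.10.51234 > 172.16.218.178.445: Flags [S], cksum 0x0000 (correct), seq 100, win 29200, length 0
23:27:42.911498 IP (tos 0x0, ttl 128, id 31829, offset 0, flags [DF], proto TCP (6), length 40) 172.16.218.178.445 > 172.16.218.255.20: Flags [R], cksum 0x1af8 (correct), seq 3699222725, win 0, length 0
"""


def parse_flows(log: str) -> List[Dict[str, str]]:
    """Extract src/sport/dst/dport/flags from every TCP line in the capture."""
    return [m.groupdict() for m in (FLOW_RE.search(l) for l in log.splitlines()) if m]


def is_broadcast(ip: str, net: ipaddress.IPv4Network) -> bool:
    """True for the subnet's directed broadcast or the limited broadcast."""
    addr = ipaddress.IPv4Address(ip)
    return addr in (net.broadcast_address, ipaddress.IPv4Address("255.255.255.255"))


def find_ipless_scan(log: str, cidr: str) -> Tuple[List[str], List[str]]:
    """Return (probes, answers).

    probes:  "dst:port" for each pure SYN sourced from the broadcast address,
             which no real host should ever send.
    answers: "host:port flags=..." for replies a host sent *to* the broadcast
             address, i.e. the scanned host is leaking port state to a non-host.
    """
    net = ipaddress.IPv4Network(cidr, strict=False)
    probes: List[str] = []
    answers: List[str] = []
    for f in parse_flows(log):
        pure_syn = "S" in f["flags"] and "." not in f["flags"]
        if pure_syn and is_broadcast(f["src"], net):
            probes.append(f"{f['dst']}:{f['dport']}")
        elif is_broadcast(f["dst"], net):
            answers.append(f"{f['src']}:{f['sport']} flags={f['flags']}")
    return probes, answers


if __name__ == "__main__":
    found_probes, found_answers = find_ipless_scan(SAMPLE_LOG, "172.16.218.0/24")
    for p in found_probes:
        print("ALERT broadcast-sourced SYN to", p)
    for a in found_answers:
        print("ALERT host replied to broadcast address:", a)
```

The two conditions map directly onto IDS rules (source is broadcast on a SYN; destination is broadcast on a SYN-ACK or RST), and the second one is also what a host firewall or a sane TCP stack would drop instead of answering.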
-
Dovlecel, are you still alive? PS: I haven't found a decent share to test on...
-
Woohoo, simple and neat, worth trying.
-
Things are already moving: https://www.darkreading.com/attacks-breaches/new-tool-debuts-for-hacking-back-at-hackers-in-your-network/d/d-id/1330121
-
Camera-based, single-step two-factor authentication resilient to pictionary, shoulder surfing attacks

A group of researchers from Florida International University and Bloomberg LP have created Pixie, a camera-based two-factor authentication system that could end up being a good alternative to passwords and biometrics-based 2FA options.

About Pixie

“Pixie authentication is based on what the user has (the trinket) and what the user knows (the particular trinket among all the other objects that the user readily has access to, angle and viewpoint used to register the trinket),” the researchers explained. “Pixie assigns the duty of storing the token for the second factor to a physical object outside the mobile device.”

It combines the user’s secret and the second authentication factor, and the authentication is performed in a single step: with snapping a photo of the trinket.

The trinket can be any item worn or carried everyday by the user – a watch, shoes, jewelry, shirt patterns, credit cards, logos, a piece of jewelry, a tattoo, and so on. The user doesn’t have to use the whole item as the trinket, just a portion of it (e.g. a section of their shoes, a shirt pattern).

“In contrast to biometrics, Pixie enables users to change the authenticating physical factor, as they change accessories they wear or carry. This reduces the risks from an adversary who has acquired the authentication secret from having lifelong consequences for the victims, thereby mitigating the need for biometric traceability and revocation,” the researchers noted.

Testing the solution

The researchers performed a user study to see whether users would find this solution usable and helpful. Granted, the number of participants was small (42), but it showed that users had less trouble memorizing their trinket than their passwords, and half of them preferred it to passwords.

As far as authentication speed, accuracy and resilience to attack are concerned, Pixie definitely looks promising. They implemented Pixie for Android on a HTC One smartphone, and found it processes a login attempt in half a second. The solution also achieves a False Accept Rate of 0.02% and a False Reject Rate of 4.25%, when evaluated over 122,500 authentication instances.

“To evaluate the security of Pixie, we introduce several image based attacks, including an image based dictionary (or “pictionary”) attack. Pixie achieves a FAR below 0.09% on such an attack consisting of 14.3 million authentication attempts constructed using public trinket image datasets and images that we collected online,” they shared.

“Similar to face based authentication, Pixie is vulnerable to attacks where the adversary captures a picture of the trinket. However, we show that Pixie is resilient to a shoulder surfing attack flavor where the adversary knows or guesses the victim’s trinket object type. Specifically, on a targeted attack dataset of 7,853 images, the average number of ‘trials until success’ exceeds 5,500 irrespective of whether the adversary knows the trinket type or not.”

They’ve also developed features that enable the solution to reduce the effectiveness of a “master image” attack.

Potential use

Pixie can be used both as a standalone authentication solution and as a secondary one. According to the researchers, it could be ideal for remote service authentication through a mobile device scenario, but could also be used for authentication in camera-equipped cyber-physical systems.

“For instance, cars can use Pixie to authenticate their drivers locally and to remote services. Pixie can also authenticate users to remote, smart house or child monitoring systems, through their wearable devices. Further, door locks, PIN pads and fingerprint readers can be replaced with a camera through which users snap a photo of their trinket to authenticate,” they noted.

“Pixie can be used as an alternative to face based authentication when the users are reluctant to provide their biometric information (e.g. in home game systems where the user needs to authenticate to pick a profile before playing or to unlock certain functionalities). Pixie can also be used as an automatic access control checkpoint (e.g. for accessing privileged parts of a building). The users can print a visual token and use it to pass Pixie access control checkpoints.”

There are, of course, authentication scenarios where Pixie would not be a good option, such as authentication in poor light conditions, or a high risk associated with external observers.

The researchers have published Pixie (open source) code on GitHub, and an Android app on Google Play.

Source: https://www.helpnetsecurity.com/2017/10/24/single-step-two-factor-authentication/
-
Just a suggestion, maybe it would be better if the list of talks, per day, were in tabs: "Day 1" and "Day 2". @Andrei
-
Demo for us: bypass ban restriction.
-
Attack of the Hack Back
The worst idea in cybersecurity is back again.
By Josephine Wolff

If there were a prize for the worst cybersecurity policy idea that just won’t die, it would have to go to “hacking back,” or making it legal for people to attack the computers that are attacking them. This idea has been around for years, which means that for years, people have been warning that this is a very bad idea—it’s not the first time I’ve written about this topic myself. But it’s a strangely persistent piece of policy, regardless of the fact that it’s been condemned by just about everyone, including law enforcement, and openly endorsed by almost no one.

Just last week Reps. Tom Graves, R-Georgia, and Kyrsten Sinema, D-Arizona, introduced a revised version of the Active Cyber Defense Certainty Act (an update of a bill discussion draft that Graves proposed back in March). It’s nice to see some bipartisan teamwork on an issue in these highly partisan times, but a pity to see it wasted on such a foolhardy endeavor.

The ACDC Act (please, go ahead and eye-roll that initialism) attempts to carve out some exceptions to the Computer Fraud and Abuse Act, the U.S. anti-hacking statute, which essentially makes it illegal to access computers that don’t belong to you without permission (or “authorization”). The bill would roll back that restriction to allow companies to access computers that don’t belong to them in the name of self-defense or, as the bill calls it, “active defense.” (Active defense, for those not familiar with cybersecurity euphemisms, is the polite term for offense. It’s meant to convey that you’re just protecting yourself, not attacking anyone, even though, of course, you are attacking someone—that’s what makes it so “active.”)

Most people have interpreted the CFAA to mean that companies (and individuals) are allowed to protect their computers and data only by taking measures confined within the boundaries of their own network. So it’s fine to monitor unusual traffic patterns, or encrypt data, or implement strong authentication systems—those are all things that only require accessing your own servers and data. But going outside the boundaries of the computers and data that you own to target people who have stolen your data, or are trying to steal your data, could be considered illegal hacking under the CFAA. Enter the ACDC Act.

The ACDC Act clarifies “the type of tools and techniques that defenders can use that exceed the boundaries of their own computer network.” In particular, it specifies that people facing criminal charges under the CFAA for illegal hacking can defend themselves by claiming that their activities were just “active cyber defense measures.” According to the bill’s text, the accused would have to show that they were the victims of a “persistent unauthorized intrusion” directed at their computers. In short, if someone has compromised your computers and stolen some of your data or is bombarding your servers with a denial-of-service attack, the ACDC would make it legal for you to access their servers and delete the files that they stole from you, or bombard their servers to interrupt the ongoing attack.

There are also some limitations placed on what can be considered an “active cyber defense measure.” To be active defense, the measure has to either help establish attribution of the attack, disrupt an ongoing attack, or “monitor the behavior” of the attacker in order to help develop better defensive methods. Things that do not qualify as active defense include: creating a threat to public health or safety, recklessly causing physical injury or financial harm, deliberately accessing an intermediary’s computer, or destroying information that does not belong to the victim stored on the attackers’ computers. (This can get a little confusing to write about because the terms “victim” and “attacker” lose all meaning when we’re talking about hacking back. If A hacks B and then B hacks A back, then, according to the language of the ACDC Act, B is the victim and A is the attacker. But once the hacking back—I mean, the active defense—starts, then the reverse is also, of course, true.)

This might all seem reasonable at first glance, but it’s a highway to hell. I am thunderstruck by how terrible it is. At its heart it would just serve as an excuse to let anyone access anyone else’s computer systems with impunity. Want to go after a competitor? Stage an attack directed at yourself coming from their servers, and then hack back! Or plant some of your sensitive files on their computers and then go in and delete them and monitor their behavior while you’re at it (all in the name of building better defenses). Of course, once that company realizes what’s going on, it may decide to take matters into its own hands and indulge in a little active defense directed at you. What could go wrong?

But don’t worry, Congress has anticipated all these problems (maybe because people have been pointing them out, repeatedly, for the better part of a decade). The bill’s authors include this incredibly vague safeguard in its text: “Congress holds that active cyber defense techniques should only be used by qualified defenders with a high degree of confidence in attribution, and that extreme caution should be taken to avoid impacting intermediary computers or resulting in an escalatory cycle of cyber activity.” It’s unclear what constitutes a qualified defender in Congress’ view, much less a “high degree of confidence in attribution.” Attribution is really, really hard. Not to mention that part of the bill’s explicit purpose is legalizing hacking intended to help gather information about attribution. Why would anyone hack back to gather information about attack attribution if hacking back is only legal when victims are absolutely, 100 percent positive they know who the perpetrator is in the first place?

I could go on and talk about how legalizing this type of activity under U.S. law doesn’t mean that people who practice active defense won’t be breaking laws in other countries. (Don’t worry, Congress has thought of that too; the bill warns that defenders should “exercise extreme caution to avoid violating the law of any other nation.” That’ll fix it!) Or how this would make the work of law enforcement harder, not easier—a point the FBI has already made.

But what’s really incredible about the ACDC Act is not how terrible its proposals are, but that Congress is still taking them seriously after years of people pointing out how terrible they are and in the absence of any clear demand. The ACDC Act authors have clearly heard all these concerns, but their only response seems to have been inserting tepid language into the draft advising active defenders to exercise “extreme caution.”

The rationale behind hacking back is supposed to be that the U.S. is full of highly sophisticated technical companies with the ability to do much more advanced and effective cybermaneuvers than the slow, bureaucratic law enforcement agencies. But if those sophisticated tech companies are eager to be doing active defense, they certainly haven’t been vocal about that desire or publicly endorsing proposals like the ACDC. When I last wrote about hacking back legislation, I spoke with Greg Nojeim, the director of the Freedom, Security, and Technology Project at the Center for Democracy and Technology, and asked him who he thought was lobbying for this kind of regulation. Nojeim, who has been working on cybersecurity policy in Washington for years, told me: “I haven’t heard from particular companies that they want to have that activity authorized. I just have not heard the proponents of that position other than some academics, one or two think tanks, and Stewart Baker.” Baker is a lawyer and former homeland security assistant secretary under George W. Bush who is probably the most vocal supporter of hacking back.

No one wants this law. Or, at the very least, almost no one, except Stewart Baker, is willing to admit they want this law, which is pretty damning in itself. And yet, even though the companies that would presumably be hacking back, were it legal, have not publicly expressed any need for such a statute, it turns out to be the rare issue that Congress members from both parties can rally around right now.

In fairness to Graves and Sinema, there are some reasonable things in the ACDC Act text: It still allows for civil suits against active defenders, and it permits “beaconing” tools that help defenders locate their stolen data, after it has been stolen. Though it’s not at all clear that attaching “beacon” code to your sensitive data while it’s stored on your system was illegal in the first place. But at its core, the ACDC Act is a bill that would open the door for much more misbehavior online and even greater obstacles to trying to charge the offenders and hold them responsible.

Hells bells. It’s hard to fathom why, in 2017, Congress is taking up this idea, unless members are so completely out of ideas for cybersecurity that they’re stuck recycling the worst ones over and over again.

This article is part of Future Tense, a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture.

Source: http://www.slate.com/articles/technology/future_tense/2017/10/hacking_back_the_worst_idea_in_cybersecurity_rises_again.html
-
WiFi Krack (key reinstallation attacks) - all WiFi vulnerable
Nytro replied to QuoVadis's topic in Stiri securitate
Given how many things came out at that point, the fact that they would have had access to this "krack" is one of the minor ones.
-
How Retailers Use Personalized Prices to Test What You’re Willing to Pay Rafi Mohammed October 20, 2017 https://hbr.org/2017/10/how-retailers-use-personalized-prices-to-test-what-youre-willing-to-pay
-
I think he had the code printed out and was copying it.
-
I'm glad they're called "Track #1", "Track #2" and "Track #3", because if there were a "Main Track", everyone would cram in there because of "int main()".
-
For those interested: https://def.camp/become-a-volunteer/
-
Backup! What kind of example are you setting for us?
-
@dancezar New link?
-
I notice that the speaker list gets updated from time to time. @Andrei when will the final list be ready?
-
WiFi Krack (key reinstallation attacks) - all WiFi vulnerable
Nytro replied to QuoVadis's topic in Stiri securitate
https://pastebin.com/aZyyS16w
-
WiFi Krack (key reinstallation attacks) - all WiFi vulnerable
Nytro replied to QuoVadis's topic in Stiri securitate
The patches have been available for years...
-
Yet Another Linux Kernel Privilege-Escalation Bug Discovered
Nytro replied to Fi8sVrs's topic in Stiri securitate
Rather a lot of them lately.
-
Going by a few keywords: kpmg, securitycafe...
-
There are other RST members too, they just keep themselves "underground".
-
WiFi Krack (key reinstallation attacks) - all WiFi vulnerable
Nytro replied to QuoVadis's topic in Stiri securitate
Finally something interesting.