Nytro

Administrators
  • Posts: 18794
  • Joined
  • Last visited
  • Days Won: 742

Everything posted by Nytro

  1. Vodafone REVEALS data on interceptions in certain countries, by Marius Oncu - Mediafax

     Vodafone revealed on Friday the existence of direct connections by government agencies to the group's networks, which allow the interception of conversations in some of the countries in which it operates, but for Romania and a few other countries it could not present any information, being prohibited from doing so by law. The connections of national government agencies are widely used in many of the 29 countries that had access to the group's network over the past year, including on the basis of warrants, the group said in a report that breaks the silence on the ever-wider use by authorities of interception on telephone and data networks to spy on their own citizens, writes the British publication The Guardian.

     Agencies have installed direct connections to the networks of Vodafone and other telecom operators, which allow them to listen to and record conversations live and, in certain cases, to locate people. In Romania, Albania, Egypt, Hungary, India, Malta, Qatar, South Africa and Turkey it is forbidden to disclose any information related to the interception of telephone calls and messages, including whether such capabilities exist at all. "It is chilling that governments can access telephone calls with the simple push of a button," said Shami Chakrabarti, director of the organisation Liberty, quoted by the British daily.

     In about six of the countries in which Vodafone operates, the law obliges telecom operators to install direct-access connections or to allow the authorities to do so. The group did not name the countries, as some of them could respond with countermeasures including the arrest of employees. Direct-access systems do not require warrants, and the companies have no information about the identity or the number of targeted customers. Mass surveillance can take place on any network without the authorities having to justify themselves to the companies.

     "These are the nightmare scenarios we were imagining. I would never have believed that telecom operators are complicit to such an extent. It is a brave step by Vodafone and we hope other companies will find more courage in their disclosures, but what we need is to be braver ourselves and to fight against illegal requests and even against the laws," said Gus Hosein, director of the organisation Privacy International, which has sued the British government over mass interception.

     The head of Vodafone's privacy division, Stephen Deadman, admitted the existence of direct connections used by the authorities for interception. "We are calling for an end to direct access as a way for authorities to obtain data about people's communications. Without a warrant, there is no external visibility. If we receive a request, we can try to oppose it. The fact that the authorities have to issue a piece of paper is an important limit on how this power is used," he said.

     The British group called for all connections offering direct access to be shut down, and for the laws allowing them to be repealed. All countries should publish data on the number of warrants issued, according to Vodafone. These are of two types: those for the content of calls and messages, and those for metadata (data describing other data - ed.), which can cover the location of a device's user, the time and date of the communication, and the people they communicated with. The Guardian compiled a table in which it also included, under the metadata category, warrants for information such as names and addresses. The information is for 2013 or for the most recent available year and includes data both from the Vodafone report and from national authorities. A single warrant can, however, target hundreds of people and devices, while a single person can be the target of several warrants.

     According to The Guardian, Malta is one of the most spied-upon countries in Europe. Vodafone processed 3,773 metadata requests for a population of only 420,000 people. In Italy, where mafia activity requires a higher level of surveillance, the British group received 606,000 metadata requests, more than in any other country. In Spain, where the authorities have had to fight attacks by Islamist and Basque terrorists, Vodafone received over 24,000 content warrants. Agencies in the Czech Republic submitted almost 8,000 content requests. After Italy, the Czech Republic is the country with the highest metadata access, targeted by 196,000 warrants in the most recent year for which figures were published. Tanzania, one of the few African countries in which Vodafone operates, issued 99,000 metadata warrants. The table compiled by the British daily notes for Romania: "It is illegal to disclose any aspect of how interceptions are carried out".

     Source: Vodafone REVEALS data on interceptions in certain countries. In Romania disclosure is forbidden - Mediafax
  2. Fun stuff

  3. Digital Romania - sign a declaration to use free WiFi and pre-paid SIM cards !?!

     A five-article bill adopted by the Romanian Government on 30 April 2014, which requires mandatory registration of free WiFi users and of pre-paid SIM cards, passed through the Senate at supersonic speed, and in the Chamber of Deputies it has two-day deadlines for submitting amendments and the report. This shows us the true face of the digital Romania our rulers want: a virtual space in which you have to sign a declaration for any use of communication technology and in which (through the new draft law on cybersecurity) data is to be accessible directly and without a warrant to all the secret and not-so-secret services. In the traditional style of public non-debate (the draft was NOT sent to civil society and industry before the government adopted it, and none of the Senate committees was interested in other opinions) we risk the adoption of gap-ridden articles that have no serious practical effect other than limiting citizens' rights. But let us analyse in more detail.

     Full article: Romania digitala - sa dai cu subsemnatul la WiFi free si cartele pre-pay !?!
  4. OpenSSL Security Advisory [05 Jun 2014]
     ========================================

     SSL/TLS MITM vulnerability (CVE-2014-0224)
     ===========================================

     An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.

     The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.

     OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
     OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.
     OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.

     Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and researching this issue. This issue was reported to OpenSSL on 1st May 2014 via JPCERT/CC. The fix was developed by Stephen Henson of the OpenSSL core team partly based on an original patch from KIKUCHI Masashi.

     DTLS recursion flaw (CVE-2014-0221)
     ====================================

     By sending an invalid DTLS handshake to an OpenSSL DTLS client the code can be made to recurse, eventually crashing in a DoS attack. Only applications using OpenSSL as a DTLS client are affected.

     OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8za.
     OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0m.
     OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1h.

     Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue. This issue was reported to OpenSSL on 9th May 2014. The fix was developed by Stephen Henson of the OpenSSL core team.

     DTLS invalid fragment vulnerability (CVE-2014-0195)
     ====================================================

     A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server. Only applications using OpenSSL as a DTLS client or server are affected.

     OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8za.
     OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0m.
     OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1h.

     Thanks to Jüri Aedla for reporting this issue. This issue was reported to OpenSSL on 23rd April 2014 via HP ZDI. The fix was developed by Stephen Henson of the OpenSSL core team.

     SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
     =================================================================

     A flaw in the do_ssl3_write function can allow remote attackers to cause a denial of service via a NULL pointer dereference. This flaw only affects OpenSSL 1.0.0 and 1.0.1 where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common.

     OpenSSL 1.0.0 users should upgrade to 1.0.0m.
     OpenSSL 1.0.1 users should upgrade to 1.0.1h.

     This issue was reported in public. The fix was developed by Matt Caswell of the OpenSSL development team.

     SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
     ===============================================================================

     A race condition in the ssl3_read_bytes function can allow remote attackers to inject data across sessions or cause a denial of service. This flaw only affects multithreaded applications using OpenSSL 1.0.0 and 1.0.1, where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common.

     OpenSSL 1.0.0 users should upgrade to 1.0.0m.
     OpenSSL 1.0.1 users should upgrade to 1.0.1h.

     This issue was reported in public.

     Anonymous ECDH denial of service (CVE-2014-3470)
     ================================================

     OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a denial of service attack.

     OpenSSL 0.9.8 users should upgrade to 0.9.8za.
     OpenSSL 1.0.0 users should upgrade to 1.0.0m.
     OpenSSL 1.0.1 users should upgrade to 1.0.1h.

     Thanks to Felix Gröbert and Ivan Fratrić at Google for discovering this issue. This issue was reported to OpenSSL on 28th May 2014. The fix was developed by Stephen Henson of the OpenSSL core team.

     Other issues
     ============

     OpenSSL 1.0.0m and OpenSSL 0.9.8za also contain a fix for CVE-2014-0076: Fix for the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack". Reported by Yuval Yarom and Naomi Benger. This issue was previously fixed in OpenSSL 1.0.1g.

     References
     ==========

     URL for this Security Advisory: http://www.openssl.org/news/secadv_20140605.txt

     Note: the online version of the advisory may be updated with additional details over time.

     Source: https://www.openssl.org/news/secadv_20140605.txt
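The advisory names a first fixed release per branch (0.9.8za, 1.0.0m, 1.0.1h), so the operational question on each host is whether the installed build predates the one for its branch. The POSIX shell functions below are an added example, not part of the advisory or of OpenSSL; they parse the output of `openssl version` and answer that question. They assume the pre-1.1 OpenSSL version layout, `<a>.<b>.<c><letters>`, in which the letter suffix runs a..y, z, za, zb and a release with a longer suffix is always newer; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the advisory or of OpenSSL: decide from the
# output of `openssl version` whether a build predates the first fixed
# release named in secadv_20140605 for its branch.
# Assumed version layout (pre-1.1 OpenSSL): <a>.<b>.<c><letters>, where the
# letter suffix runs a..y, z, za, zb ... so a longer suffix is always newer
# and equal-length suffixes compare alphabetically.

# fixed_release BRANCH -> first release of that branch carrying the fixes
fixed_release() {
  case "$1" in
    0.9.8) echo 0.9.8za ;;
    1.0.0) echo 1.0.0m ;;
    1.0.1) echo 1.0.1h ;;
    *) return 1 ;;
  esac
}

# branch_of 1.0.1g -> 1.0.1 ; suffix_of 1.0.1g -> g
branch_of() { printf '%s' "$1" | sed 's/^\([0-9]*\.[0-9]*\.[0-9]*\).*$/\1/'; }
suffix_of() { printf '%s' "$1" | sed 's/^[0-9]*\.[0-9]*\.[0-9]*//'; }

# suffix_lt A B -> true when suffix A is older than suffix B
suffix_lt() {
  if [ ${#1} -ne ${#2} ]; then
    [ ${#1} -lt ${#2} ]
  else
    LC_ALL=C awk -v a="$1" -v b="$2" 'BEGIN { exit !(a < b) }'
  fi
}

# openssl_advice "OpenSSL 1.0.1g 7 Apr 2014"  (or just "1.0.1g")
# prints one of: "upgrade to <release>", "ok", or a note for other branches
openssl_advice() {
  case "$1" in
    *" "*) ver=$(printf '%s' "$1" | awk '{ print $2 }') ;;
    *)     ver=$1 ;;
  esac
  if [ "$ver" = "1.0.2-beta1" ]; then
    echo "1.0.2-beta1 is listed as vulnerable (CVE-2014-0224); no fixed 1.0.2 release is named in this advisory"
    return 0
  fi
  branch=$(branch_of "$ver")
  fixed=$(fixed_release "$branch") || { echo "branch $branch not covered by this advisory"; return 0; }
  if suffix_lt "$(suffix_of "$ver")" "$(suffix_of "$fixed")"; then
    echo "upgrade to $fixed"
  else
    echo "ok"
  fi
}

# Check the local build, if one is installed.
if command -v openssl >/dev/null 2>&1; then
  openssl_advice "$(openssl version)"
fi
```

1.0.2-beta1 is reported separately because the advisory lists it as affected by CVE-2014-0224 without naming a fixed 1.0.2 release, and any branch the advisory does not mention is reported as not covered rather than as safe.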
  5. Date: Wed, 04 Jun 2014 10:50:57 +0200
     From: Giuseppe Iuculano <iuculano@...ian.org>
     To: oss-security@...ts.openwall.com
     Subject: CVE-2014-0476 chkrootkit vulnerability

     Hi,

     Thomas Stangner reported the following chkrootkit vulnerability. We assigned CVE-2014-0476.

     Cheers,
     Giuseppe

     -------- Original Message --------
     Subject: Serious chkrootkit vulnerability
     Date: Sun, 25 May 2014 00:53:00 +0200
     From: Thomas Stangner <thomas.stangner@...zner.de>
     Organization: Hetzner Online AG
     To: team@...urity.debian.org

     Hi,

     we just found a serious vulnerability in the chkrootkit package, which may allow local attackers to gain root access to a box in certain configurations (/tmp not mounted noexec).

     The vulnerability is located in the function slapper() in the shellscript chkrootkit:

        #
        # SLAPPER.{A,B,C,D} and the multi-platform variant
        #
        slapper (){
           SLAPPER_FILES="${ROOTDIR}tmp/.bugtraq ${ROOTDIR}tmp/.bugtraq.c"
           SLAPPER_FILES="$SLAPPER_FILES ${ROOTDIR}tmp/.unlock ${ROOTDIR}tmp/httpd \
           ${ROOTDIR}tmp/update ${ROOTDIR}tmp/.cinik ${ROOTDIR}tmp/.b"a
           SLAPPER_PORT="0.0:2002 |0.0:4156 |0.0:1978 |0.0:1812 |0.0:2015 "
           OPT=-an
           STATUS=0
           file_port=

           if ${netstat} "${OPT}"|${egrep} "^tcp"|${egrep} "${SLAPPER_PORT}"> /dev/null 2>&1
              then
              STATUS=1
              [ "$SYSTEM" = "Linux" ] && file_port=`netstat -p ${OPT} | \
                 $egrep ^tcp|$egrep "${SLAPPER_PORT}" | ${awk} '{ print $7 }' | tr -d :`
           fi
           for i in ${SLAPPER_FILES}; do
              if [ -f ${i} ]; then
                 file_port=$file_port $i
                 STATUS=1
              fi
           done
           if [ ${STATUS} -eq 1 ] ;then
              echo "Warning: Possible Slapper Worm installed ($file_port)"
           else
              if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
              return ${NOT_INFECTED}
           fi
        }

     The line 'file_port=$file_port $i' will execute all files specified in $SLAPPER_FILES as the user chkrootkit is running as (usually root), if $file_port is empty, because of missing quotation marks around the variable assignment.

     Steps to reproduce:
     - Put an executable file named 'update' with non-root owner in /tmp (not mounted noexec, obviously)
     - Run chkrootkit (as uid 0)

     Result: The file /tmp/update will be executed as root, thus effectively rooting your box, if malicious content is placed inside the file. If an attacker knows you are periodically running chkrootkit (like in cron.daily) and has write access to /tmp (not mounted noexec), he may easily take advantage of this.

     Suggested fix: Put quotation marks around the assignment.

        file_port="$file_port $i"

     I will also try to contact upstream, although the latest version of chkrootkit dates back to 2009 - will have to see if I reach a dev there.

     Keep up the good work,

     Cheers,
     Thomas

     Source: oss-security - CVE-2014-0476 chkrootkit vulnerability
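The whole report hinges on one shell parsing rule: a line of the form `name=value word` is the command `word` run with `name=value` placed in its environment, not an assignment to `name`. The POSIX shell script below is an added demonstration of that rule on a scratch directory; it is not part of Thomas Stangner's report or of chkrootkit, and the function names (`make_scratch`, `unquoted_loop`, `quoted_loop`, `run_case`) are my own. The `update` file it creates only drops a marker, standing in for the attacker-controlled file described above.

```shell
#!/bin/sh
# Added demonstration (not part of the report or of chkrootkit): it runs the
# two forms of the assignment against a scratch directory so the difference
# can be observed without touching /tmp. The "update" file created here only
# leaves a marker; it stands in for the attacker-controlled file in the report.

# make_scratch -> prints a fresh directory holding an executable "update"
make_scratch() {
  # Kept under the current directory: a noexec /tmp would hide the effect.
  d=$(mktemp -d ./chkrootkit_demo.XXXXXX)
  printf '#!/bin/sh\ntouch "%s/MARKER"\n' "$d" > "$d/update"
  chmod 755 "$d/update"
  printf '%s' "$d"
}

# The loop as shipped: with file_port empty, `file_port=$file_port $i`
# is parsed as the command $i preceded by the temporary assignment file_port=,
# so the file is executed and file_port itself is left unchanged.
unquoted_loop() {
  file_port=
  for i in "$1/update"; do
    if [ -f "$i" ]; then
      file_port=$file_port $i
    fi
  done
  printf '%s' "$file_port"
}

# The fix from the report: the quoted right-hand side is a single word, so the
# line is a plain assignment and nothing is executed.
quoted_loop() {
  file_port=
  for i in "$1/update"; do
    if [ -f "$i" ]; then
      file_port="$file_port $i"
    fi
  done
  printf '%s' "$file_port"
}

# run_case unquoted|quoted -> line 1: "executed" or "not-executed"
#                             line 2: the final value of file_port
run_case() {
  d=$(make_scratch)
  case "$1" in
    unquoted) value=$(unquoted_loop "$d") ;;
    quoted)   value=$(quoted_loop "$d") ;;
  esac
  if [ -e "$d/MARKER" ]; then outcome=executed; else outcome=not-executed; fi
  rm -rf "$d"
  printf '%s\nfile_port=[%s]\n' "$outcome" "$value"
}

run_case unquoted
run_case quoted
```

Running it prints `executed` with an empty `file_port` for the shipped form (the assignment applied only to the environment of the command it accidentally launched, which is also why the later "Possible Slapper Worm" warning would not even list the file) and `not-executed` with the collected path for the quoted form.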
  6. Real life: WordPress < 3.6.1 PHP Object Injection - VaGoSec
  7. Mai adaug eu o conditie. Sa fiti VIP.
  8. The Art of Assembly Language Programming

     The PDF version of "The Art of Assembly Language Programming" is a complete, high-quality version of the text. It is much easier to read and provides an excellent vehicle for printing your own copy of the text. However, to view and print PDF files, you will need a copy of Adobe's Acrobat reader program. You may obtain a free copy of this program for a wide variety of operating systems directly from Adobe.

     If you have installed Adobe Acrobat Reader, clicking on the following links should automatically bring up the PDF version of the specified chapter.

     Short Table of Contents, Long Table of Contents, Forward, Chapter 1 through Chapter 25, Appendix B, Appendix C, Appendix D, Index. Note: Appendix A is non-existent.

     Source: Art of Assembly Language, PDF Files
  9. Nothing looks critical to me: https://opencryptoaudit.org/reports/iSec_Final_Open_Crypto_Audit_Project_TrueCrypt_Security_Assessment.pdf
  10. Coding Principles Every Engineer Should Know

      Throughout my engineering career, I've had the opportunity to work alongside and learn from many incredibly talented people, solve some serious technical challenges, and scale several successful companies. Recently, I was talking with the engineering team at Box about what I've learned along this journey, and what came out of that conversation were my personal engineering principles. These aren't rules or engineering guidelines. They're simply the principles that I pay attention to when I write and operate code.

      Be paranoid.
      This one comes naturally to me. Since I'm mostly self-taught as a programmer, I never trust computers. I never trust that the system I just launched is really up. That the bug I fixed is really fixed. That code really does work the way I think it does without a test. I don't trust anything. I don't even trust myself! I never trust that I understand anything as well as I think I do until I check more than once. Paranoia is my friend, and it should be your friend, too. Always try to find a way to test assumptions along some other path, or get a second set of eyes to see what you've missed. Most of the time it's not needed. Sometimes it's really important.

      Don't lie to the computer.
      Another way to say this is "avoid leaky abstractions." Don't use systems in ways they're not meant to be used. Don't count on side effects. Don't do things that won't be obvious to the next person because the system wasn't designed for them or they're undocumented. If usage is three orders of magnitude more than current usage, then you should probably rethink the design. If the contract implies, but doesn't guarantee, your use, you should change the component and the contract to be aligned. Computers are nasty things. They always bite when lied to, eventually.

      Keep it simple.
      We like building things and solving problems. That's why we do what we do. But a lot of the time, just because we can see a problem that could be solved, doesn't mean it's useful to solve it right now. I always think of myself as a fairly dumb programmer—I like clean, simple designs that are easy to understand. And this is a high challenge—anyone can solve a problem in a complex way, but only good programmers can solve problems in simple, understandable ways. It's much harder to really think through the problem and solve only what needs to be solved in a simple, robust manner. Making yourself understood is the most important thing. Most time in code is spent maintaining, not creating.

      First rule of optimizing: don't.
      This is from a good book by John Bentley called Programming Pearls. (It's explicitly meant to help you learn to think like an experienced programmer. It may be an old book but most of the lessons are incredibly relevant today.) Optimization can take many forms: speed, future-proofing, potential scale, possible uses, etc. The problem is, most optimization is ultimately never used, and, more or less by definition, optimization makes designs more complicated. So, first rule of thumb is don't optimize until it's really clear that you understand the problem completely. (His second rule: "don't optimize, yet." Meaning, even if you do understand it, don't optimize until you really need to.)

      Don't just fix the bug; fix all possibility of it ever happening again.
      Don't be sorry if you made a mistake—be angry and make it something you never have to think about again. I hate bugs. I hate systems that let me create bugs. I hate it when my own software lets my fragile human brain down and I create a bug that could have been avoided. And I really, really hate fixing the same bug twice. So I try as much as I can, every single time I fix a bug, to think about the following: where else might this bug be happening now? Where might it happen in the future? What are the adjacent patterns that create similar bugs? And how can I kill all the bastards at once, right now?

      Question assumptions constantly.
      Because I have spent most of my time in my own startups, I've gotten in the habit of asking myself constantly "Why am I doing this? What problem does it solve? Is there a better way? Is there something else I could do instead that's more important?" You should have that attitude all the time. Constantly be questioning the assumptions given to you. What's the real problem you're solving? Did someone ask you to solve an effect rather than the root cause? Is the solution complete? Over-complete? Is the impact worthwhile? Think long term.

      Slow down, it goes faster.
      This might be one of the most important ones. It's easy to hack things out. As engineers, we like efficiency; we like to build as many things as we can. But if we don't build for the long term, eventually it gets harder and harder to build anything. Sometimes we don't understand the problem at first and we write code that we later have to back out. Sometimes we do things that are easy for our local problem, but make things worse or harder for someone else or for a larger problem. Sometimes we rush and don't finish the design, and this causes much more time later on for someone to fix. Sometimes we don't bother to write it the right way, we just make a copy or hack something in because we're under time pressure or don't want to really think it through. I've seen all these things too many times. Others have said this better than I have. But I'll repeat—the goal is building the largest number of great features, reaching the largest number of users over time. The area under the curve for a given day doesn't add much, no matter how much gets done on that day, relative to all the days added together. Think long term.

      Care about your code.
      I guess this one doesn't need much explanation, but it's still something I see people missing from time to time. Take pride in your work! Care about the code you produce! I usually think of my poor future self, having to deal with my crappy code, when I'm tempted to be lazy and cut a corner. You don't have to take this to an extreme—I used to joke at Google that other engineers treated their code like a pet, where my relationship with mine was more like a rancher's—pragmatic, not sentimental. But even still, I always hate it if my code isn't well designed, doesn't work well, isn't readable, all that stuff.

      Cheap, fast, right—pick two.
      This is the iron triangle of software. This is the way the world of software engineering works. But it's not an excuse for complacency. In fact, this is your opponent every single day. The difference between good and great programmers is often measured in how well they navigate the iron triangle. And really great ones find ways to bend it and get some of all three, more often than not. Try to be that kind of programmer—can you find a more elegant design that's faster to build and is still right? Can you relax some constraint in the spec to get to the goal more quickly? You might not always be able to do that; in fact, you won't beat the triangle. But if nothing else, make sure you understand what compromise you are choosing, and why, and that it's the right one for the current situation.

      Conclusion: Be curious. Learn as much as you can, all the time.
      Okay, this one is more career advice than anything else. But if you're not curious and don't really care that much about learning new things as an engineer and don't care about new tech or new languages or new ideas, then why are you here? By no means are my principles perfect or an absolute representation of thinking/acting like a successful engineer, but I'm willing to bet there's a fair amount of overlap with what others might be thinking. I'd love to hear your thoughts.

      Written by Sam Schillace

      Source: https://medium.com/on-coding/coding-principles-every-engineer-should-know-b946b48cc946
  11. București Bookfest
  12. You scumbags, who showed up? Fuck you _|_
  13. For some time now: https://www.demonoid.ph/
  14. Devices freeze and astronauts have strange sensations: what is the "space Bermuda Triangle" that produces these odd phenomena?

      Some spacecraft, such as the Hubble space telescope, have been designed so that the delicate instruments on board shut down while passing through the zone, to avoid damaging them. Some failures that occurred on the satellites of the Globalstar network are also attributed to the satellites passing through this region. The strong radiation in this region is also believed to be the cause of the phosphenes (a kind of sparks or "shooting stars" that appear in the field of vision) reported by astronauts.

      Link: Aparatele se blochează, iar astronauții au senzații stranii: ce este „Triunghiul Bermudelor spațial”, care produce aceste fenomene ciudate?
  15. Yes, there's not much you can do about it. And the Desktop version is "safe" too. Here are a few details: https://rstforums.com/forum/85016-windows-7-security-features.rst
      A few thoughts:
      - on Desktop there are hardly any restrictions on what a program can do (although it wouldn't be a bad idea to implement something like that)
      - on Desktop you have much more flexibility in developing applications, from exe to bat files and X programming languages
      - if we consider the "Desktop" version not "safe", then Linux isn't "safe" either, because, just as on Windows, a malicious application is very easy to make, from executables to "rm -rf"s
      Windows Phone came along later, but it had time to learn and not make the same mistakes as Android and iOS.
  16. how to hack a windows phone

      In today's how to we will be discussing how to hack a Windows Phone 8. Every hacker should know about the internals of a device and operating system before he could attempt to compromise it. So let's try to understand the underlying hardware and OS security before we try to break it. To begin, we will try to compromise the hardware so that we can gain access to the hardware and then exploit the OS and ultimately take control of it or at least steal data from it.

      Windows Phone employs UEFI firmware at the very low level. In addition to that, every hardware which runs Windows Phone 8 OS has to be certified by Microsoft. Now when we say certified, it also means that all the hardware has to be signed and the chips will be burned with the keys from Microsoft. The "Trusted Boot Chain" component will make sure that all the signatures are in place and that they are valid before and during the process. Every program written in the silicon chip has to be signed, including the BIOS, drivers etc. On top of these, a Windows Phone 8 device will also come with a TPM chip, which means your encrypted data is as good as on your Windows 7 & 8 PC.

      Let's see what options we have to break the security of the device.

      Hardware
      Now that we know all the components / programs are verified for their signature by the "Trusted Boot Chain", why don't we try to spoof the boot chain program itself with our own? If we are able to do that then we could easily make the device load our own components instead of the Windows Phone OS, exploiting it completely naked. Though at first look it appears to be a very good idea, unfortunately all the hardware chips, whether or not they can be overwritten, come with something called an efuse. The moment you try to write something into these chips without a valid signature, which will be there only with Microsoft and the device manufacturer, the efuse will trip. Once the efuse trips, the boot loader will not be able to boot up your device. Congratulations! Now you have a phone which is officially no better than a brick. For a moment even if we assume that you somehow fooled the efuse, the device still won't boot up just because you don't have a valid key.

      Operating System
      Windows NT kernel it is. The Redmond guys have made sure that it's sturdy enough. The Windows NT kernel along with "Code Signing" makes a killer shield that you will not be able to penetrate. If you think you can get control of the kernel using some code, wait till you read the "Malicious Code" section. For now let's think about the Windows Phone updates. Windows Phone does do regular updates just like your PC, so what if we can trick the Windows phone into installing my program? Unfortunately the Windows phone is programmed to get the updates only from the Microsoft update servers and no other place. Still it's no big deal because I can always trick my network into believing some malicious hardware / software is the update server. Sadly, the update will again need the code signing process to pass. You can never break through it unless you are hacking into the Microsoft update server; definitely not a great plan.

      Storage
      How about the internal storage itself? Why don't we break the phone, take out the internal storage and maybe at least try to steal the data? But wait, the storage again uses 128-bit BitLocker encryption. The drive remains encrypted until the boot loader performs its job completely. The TPM chip which comes with the hardware is the one which manages the key for the encryption, which means that once the disk is outside the hardware, you will need the 128-bit recovery key to break into the data. The storage behaves the same way as your BitLocker-protected hard drive behaves. Brute forcing is a very well known procedure to break encryption, however it's impossible when it comes to 128-bit encryption. So to understand the quantum of complexity, let's assume that you have 10 million computers where every computer can process 100 billion keys per second (higher than 100 GHz), and if you put them all together to crack the key, it will take 10^13 years to find the key, which is longer than the age of the universe itself. If you are thinking of trying the PIN instead, you can always configure your phone to automatically wipe after a number of incorrect tries. Some people try to snoop the data from the disk after it is wiped because it is easier that way since it won't have any encryption constraints. Luckily for the user, Windows Phone never decrypts the data but wipes the encrypted data along with the key. You can be pretty sure that not even the NSA can retrieve them.

      Malicious Code
      We have now almost come to the last and the most favorite resort of a hacker. Most hackers disassemble the system instructions and try to inject or alter the commands in the memory location. However the app model on which Windows Phone functions is always a sandbox, which means the app will have its own area where it can execute, store data and perform actions. Windows Phone, with the advantage of Code Signing, will sign the apps based on the feature set they are allowed to access. E.g. if a program does not have a valid signature to access the Camera, it won't be able to. This is true for any feature or hardware access in the device. So even for a moment if we assume that you are able to try writing something into the system memory location of the phone, the "Code Signing" will invalidate the program and unload it immediately.

      Starting from the phone to your protected mail message, everything is safe in Windows Phone 8. More information on the security of Windows Phone can be found at http://www.windowsphone.com/en-US/business/security-us

      This how to is written based on Windows Phone 8. Actual functionality might differ from device to device. Some features may not be available with pre-Windows Phone 8.

      Source: how to hack a windows phone | how to windows phone
  17. It's just a collection of anti-debug methods. If it's used in a project, the person doing reverse engineering has to get around all of the methods in order to be able to reverse engineer in peace.
  18. This is a blog by Szymon Sidor. Its original purpose was to present nontrivial Computer Science and Mathematical problems in an accessible way, but it evolved and now diverse topics are covered.

Thursday, May 22, 2014

Exploring limits of covert data collection on Android: apps can take photos with your phone without you knowing.

SHORT VERSION: Android apps can take photos with your phone in the background without displaying any notification, and you won't see the app on the list of installed applications. The app can send the photos over the internet to its private server. You can also find a video with a demo in this post.

Introduction

I discovered this almost by accident while doing a team project for a Computer and Network Security course at my university. The project, suggested by a colleague of mine (Predrag Gruevski), was mostly about using cameras on PCs without turning on the indicator light. There were already promising findings in this field (the iSeeYou paper discussed doing so on old Mac models). Since the project was relatively general, each member of our team took a different approach. I initially started with low-level USB hacking, but despite genuine efforts I found nothing really interesting. Further experiments seemed really boring to me, because they in general involved trying various different cameras and hours of staring at the LED light hoping the camera light won't blink. I switched my focus to Android. Initial research was promising. There are many apps on the Play Store (if you are an iPhone user, think App Store) that aim at taking pictures without any visual indication (ACLU-NJ Police Tape, Mobile Hidden Camera and more), but from what I found all of them require the app activity to be visible and the phone screen to be on. Some of them manage to record video without a visible preview.

Technical Details

What I wanted is to take pictures without the user knowing, but at any time, not only when the app is on. I started googling and the first thing that I found is that using Camera technically requires a preview to be displayed on screen in order to take video, but background services do not have an associated visible activity. But let's not get discouraged and keep trying. I wrote a small camera app for my Nexus 5. My first approach was to create a View object that is not attached to any activity and feed the preview to that object. That fails (I literally get a "take picture failed" exception). Then I remembered something that later turned out to be very relevant. Facebook messages draws to the UI, even when the app is not technically running. This turned out to be indeed the right track. I attached the preview to the screen from the background service and indeed I was able to take a photo! This is not yet ideal - the preview is visible on the screen and the user can clearly see that something is going on. But then I tried to remove it. Here's a list of approaches:

- Make preview invisible - failed: Android just ignores this setting for preview
- Make preview transparent - failed: Android just ignores this setting for preview
- Cover preview by another view - partially failed: the view on top is still obstructing the screen
- Make preview 1x1 pixel - successful

The result was amazing and scary at the same time - the pixel is virtually impossible to spot on the Nexus 5 screen (even when you know where to look)! Also it turned out that even if you turn the screen completely off, you can still take photos, as long as the pixel is still there.

Demo

If you cannot see this video here's a direct link:

How can you protect yourself from malicious apps?

If you are as disturbed by this find as I am, you will start asking what we can do to avoid such situations. The bad news is that it's kind of a cat and mouse game - no matter how hard you try, attackers can find more ways to obfuscate malicious activity. The good news is there are some ways that seem (at least given my current knowledge) hard to circumvent:

- Pay attention to permissions (for example, does Simple Notepad* really need access to your camera?)
- Keep your Google Account secure - if somebody can access your Google account they can install apps on your phone remotely without you approving it! Set up two step verification. Change your password from time to time. Set up a secure password.
- Uninstall unused apps.
- High battery consumption (settings -> battery) and high bandwidth (settings -> data usage) are potential culprits.
- Look at the background services that are running (settings -> apps -> running) - does Simple Notepad* really require a background service?
- Swiping an app out of the application list does not switch off background services (if you want to completely switch it off, go to App Info (long press the app icon inside the menu and drag it to the app info section) and click force stop - this ensures no background services are running).

*Simple Notepad is a made up example - I am not referring to any app in particular.

(hopefully constructive) criticism of Android design decisions

Let me start with the fact that I really like the Android SDK (maybe except for the fact that it's Java - but I understand the logic behind that decision). It's nice because it gives a developer a lot of power. There are just some things that are possible on Android that simply would not be possible on other platforms. However, given the fact that privacy is recently more and more of a growing concern, it would be nice to adjust accordingly. In my opinion privacy can be achieved by transparency without sacrificing comfort. I could imagine use cases where I want an app to take photos from a background service. But I think it's inexcusable that the user is not notified about this fact. Android has a very nice notification bar. Users are very used to it. Why not make use of it here? Same goes for sound recording, location recording, etc.

Another thing I think the Android team should look into is modern security research. There are lots of ways of using data without direct access. A very simple example would be that an app could send emails to users without learning their email address - with Google acting as an intermediary. All of those suggestions can be summarized in one sentence - please put more effort into ensuring users' privacy.

Szymon Sidor at 1:48 AM
  19. Pwners
  20. Bypassing SSL Pinning on Android via Reverse Engineering
Denis Andzakovic – Security-Assessment.com
15 May 2014

Table of Contents
- Introduction
- Tools Used
- The Victim
- The Approach
- Reversing
  - Retrieving and Disassembling the APK
  - Patching
    - Patch at class instantiation
    - Patch the Class
    - Hijacking the Keystore
  - Repacking and Running
- Tricks
  - Information in Stack Traces
  - Decompiling into Java Code
- References

Download: http://www.exploit-db.com/wp-content/themes/exploit/docs/33430.pdf
  21. Linux x86 Reverse Engineering: Shellcode Disassembling and XOR decryption
Harsh N. Daftary
Sr. Security Researcher at CSPF, Security Consultant at Trunkoz Technologies
info@securityLabs.in

Abstract: Most Windows as well as Linux based programs contain bugs or security holes and/or errors. These bugs or errors in a program can be exploited in order to crash the program or make the system do unwanted stuff. A code which crashes the given program is called an exploit. Exploits usually attack a program on Memory Corruption, Segmentation Dump, format string, Buffer overflow or something else. Now the exploit's work is just to attack the bug, but there is another piece of code attached to the exploit, called Shellcode, whose debugging and analysis we will understand in this paper.

Download: http://www.exploit-db.com/wp-content/themes/exploit/docs/33429.pdf
  22. SpiderFoot 2.1.4 released
From: Steve Micallef <steve () binarypool com>
Date: Mon, 28 Apr 2014 10:34:40 +0200

Hi all,

SpiderFoot 2.1.4 is now available, and will be the last enhancement release on the 2.1 branch as I focus on 2.2. SpiderFoot is an open source footprinting and intelligence gathering tool, written in Python, and runs on Linux, *BSD and Windows. Since 2.1.0 was announced here in January, the following enhancements have been implemented:

- Integration with:
  - SHODAN
  - VirusTotal
  - AlienVault IP Reputation DB
  - projecthoneypot.org
  - nothink.org
  - autoshun.org
  - isc.sans.edu
  - openbl.org
  - SORBS
  - and a bunch more...
- PasteBin searching
- Zone-H.org defacement look-up
- TOR exit node check
- Whole bunch of DNS-based functionality
- Extracts meta data from PDF, DOCX, PPTX and XLSX files
- Identifies human names in content
- Finds associated Facebook, Google+ and LinkedIn profiles
- SOCKS proxy support
- Real-time scan status UI
- Bug fixes and smaller miscellaneous enhancements

Website: SpiderFoot - The Open Source Footprinting tool
GitHub: https://github.com/smicallef/spiderfoot
Twitter: https://twitter.com/binarypool

Feel free to mail me any questions, enhancement requests or general feedback.

Thanks,
Steve

Source: Penetration Testing: SpiderFoot 2.1.4 released
  23. From: rage <ragesploit () 0xrage com>
Date: Wed, 21 May 2014 23:13:20 -0400

I've written and released a packer/crypter called rcrypt that might be fun for some of you to play around with. The latest public version is 1.4, although there is a functional 1.5 non-public version currently in progress.

The general summary is as follows: rcrypt is a Windows PE binary crypter (a type of packer) that makes use of timelock techniques to cause a delay in execution. This delay can cause analysis to fail on time constrained systems such as on disk scanners. rcrypt can pack exes and dll files. It bypasses KAV and many others. I'm always interested in feedback and suggestions/criticisms. There are many other features and functions as well!

Released on my site: rcrypt v1.4 released | 0xrage
Writeup also available: rcrypt packer writeup | 0xrage

enjoy!
- rage

Source: Full Disclosure: rcrypt packer/crypter writeup and POC tool
  24. From: Tavis Ormandy <taviso () cmpxchg8b com>
Date: Wed, 21 May 2014 11:57:31 -0700

Apparently I'm being lured into pointless discussions today, so here's another.

As I'm sure everyone is aware, Microsoft introduced basic NULL page mitigations for Windows 8 (both x86 and x64), and even backported the mitigation to Vista+ (on x64 only). There are some weaknesses, but this is a topic for another time.

Interestingly, on Windows 8 x86, there is an intentional exception: if an Administrator has installed the 16bit subsystem the mitigation is worthless, because you can run your exploit in the context of NTVDM (simply use the technique I documented in CVE-2010-0232 Windows NT - User Mode to Ring 0 Escalation Vulnerability). An Administrator can do this either on-demand by running a 16bit program, e.g.

C:\> debug

Or using fondue to install it manually:

C:\> fondue /enable-feature:ntvdm /hide-ux:all

Let's look at an example of a NULL dereference. It's obvious from the code that win32k!GreSetPaletteEntries doesn't validate the MDCOBJA call succeeds in the HDC list traversal, resulting in a very clean NULL dereference.

.text:001EAF49 lea esi, [ebp+var_2C] ; out pointer
.text:001EAF4C call ??0MDCOBJA@@QAE@PAUHDC__@@@Z ; MDCOBJA::MDCOBJA(HDC__ *)
.text:001EAF51 push 1
.text:001EAF53 mov edx, edi
.text:001EAF55 call _GreGetObjectOwner@8 ; GreGetObjectOwner(x,x)
.text:001EAF5A mov esi, eax
.text:001EAF5C call ds:__imp__PsGetCurrentProcessId@0 ; PsGetCurrentProcessId()
.text:001EAF62 and eax, 0FFFFFFFCh
.text:001EAF65 cmp esi, eax
.text:001EAF67 jnz short loc_1EAFBA
.text:001EAF69 and [ebp+ms_exc.registration.TryLevel], 0
.text:001EAF6D mov eax, [ebp+var_2C] ; load pointer
.text:001EAF70 mov ecx, [eax+38h] ; NULL dereference
.text:001EAF73 mov eax, [ecx+4]

Callers like GreIsRendering, GreSetDCOrg, GreGetBounds, etc, etc check correctly for comparison. This better code is from win32k!GreSetDCOrg:

.text:00213DA2 lea esi, [ebp+var_C] ; out pointer
.text:00213DA5 xor ebx, ebx
.text:00213DA7 call ??0MDCOBJA@@QAE@PAUHDC__@@@Z ; MDCOBJA::MDCOBJA(HDC__ *)
.text:00213DAC mov edi, [ebp+var_C] ; load result
.text:00213DAF test edi, edi ; check for NULL
.text:00213DB1 jz short loc_213E15 ; error

This bug can be triggered with typical resource exhaustion patterns (see my exploit for CVE-2013-3660 for reference: Windows NT - Windows 8 EPATHOBJ Local Ring 0 Exploit). However, I have also stumbled onto a Windows 8 specific technique that does not require resource exhaustion, using the (undocumented) Xferable object flag. See the attached code (the testcase is Windows 8+ on x86 specific, although the bug affects other versions and platforms).

This seems exploitable on 32bit systems prior to Windows 8, but on Windows 8 it's only exploitable (ignoring mitigation failures) with NTVDM configured. It's my understanding that Microsoft no longer consider this a supported configuration, and are only interested in fixing NULL page mitigation bypasses. I'm not convinced this is a reasonable stance, what do other people think?

Tavis.

P.S. I think linux introduced its mmap_min_addr mitigation to stable around 2007? Seven years lag, I guess that's the power of the SDL ;-)

--
taviso () cmpxchg8b com | pgp encrypted mail preferred

Attachment: SetPalette.c

Source: Full Disclosure: NULL page mitigations on Windows 8 x86
  25. Manual Unpacking of UPX using OllyDbg

Introduction

In this tutorial, you will learn how to unpack any UPX packed Executable file using OllyDbg. UPX is a free, portable, executable packer for several different executable formats. It achieves an excellent compression ratio and offers very fast decompression.

Here we will do live debugging using OllyDbg to fully unpack and produce the original Executable FILE from the packed file.

Packing EXE using UPX

To start with, we need to pack a sample EXE file with UPX. First you need to download the latest UPX packer from the UPX website and then use the following command to pack your sample EXE file.

upx -9 c:\sample.exe

If you already have a UPX packed binary file then proceed further. In such case make sure to use PEiD or 'RDG Packer Detector' to confirm if it is packed with UPX as shown in the screenshot below.

UPX Unpacking Process

Before we begin with the unpacking exercise, let's try to understand the working of UPX. When you pack any Executable with UPX, all existing sections (text, data, rsrc etc) are compressed. Each of these sections is named UPX0, UPX1 etc. Then it adds a new code section at the end of the file which will actually decompress all the packed sections at execution time. Here is what happens during the execution of a UPX packed EXE file:

- Execution starts from the new OEP (from the newly added code section at the end of the file)
- First it saves the current Register Status using the PUSHAD instruction
- All the Packed Sections are Unpacked in memory
- Resolve the import table of the original executable file
- Restore the original Register Status using the POPAD instruction
- Finally Jumps to the Original Entry point to begin the actual execution

Manual Unpacking of UPX

Here are the standard steps involved in any Unpacking operation:

- Debug the EXE to find the real OEP (Original Entry Point)
- At OEP, Dump the fully Unpacked Program to Disk
- Fix the Import Table

Based on the type and complexity of the Packer, the unpacking operation may vary in terms of time and difficulty. UPX is the basic Packer and serves as a great example for anyone who wants to learn Unpacking. Here we will use OllyDbg to debug & unpack the UPX packed EXE file. Although you can use any debugger, OllyDbg is one of the best ring 3 debuggers for Reverse Engineering with its useful plugins. Here is the screenshot of OllyDbg in action.

Let's start the unpacking operation:

- Load the UPX packed EXE file into OllyDbg
- Start tracing the EXE, until you encounter a PUSHAD instruction. Usually this is the first instruction or it will be present after the first few instructions based on the UPX version.
- When you reach the PUSHAD instruction, put a Hardware Breakpoint (type 'hr esp-4' at the command bar) so as to stop at the POPAD instruction. This will help us to stop the execution when the POPAD instruction is executed later on. The other way is to manually search for the POPAD (Opcode 61) instruction and then set a Breakpoint on it.
- Once you set up the breakpoint, continue the execution (press F9). Shortly, it will break on the instruction which is immediately after POPAD or on the POPAD instruction based on the method you have chosen.
- Now start step by step tracing with F7 and soon you will encounter a JMP instruction which will take us to the actual OEP in the original program.
- When you reach OEP, dump the whole program using the OllyDmp plugin (use default settings). It will automatically fix all the Import table as well.

That is it, you have just unpacked UPX !!!

Fixing Import Table

In the current example, the OllyDmp plugin will take care of fixing the Import table. However for most of the packers, we need to use an advanced tool called ImpRec (Import Reconstructor). ImpREC is a highly advanced tool used for fixing the import table. It provides multiple methods to trace the API functions as well as allows writing custom plugins.

For interested users, here are simple instructions on how to fix the Import Table using ImpRec.

- When you are at the OEP of the program, just dump the memory image of the binary file using Ollydmp WITHOUT asking it to fix the Import table.
- Now launch the ImpREC tool and select the process that you are currently debugging.
- Then in ImpREC, enter the actual OEP (enter only the RVA, not a complete address).
- Next click on the 'IAT Autosearch' button to automatically search for the Import table.
- Now click on 'Get Imports' to retrieve all the imported functions. You will see all the import functions listed under their respective DLL names.
- If you find any import function which is invalid (marked as VALID: NO) then remove it by right clicking on it and then, from the popup menu, click on 'Delete Thunks'.
- Once all the import functions are identified, click on the "Fix Dump" button in ImpREC and then select the previously dumped file from OllyDbg.
- Now run the final fixed executable to see if everything is alright.

For advanced packers, you may have to use different methods in ImpRec and sometimes need to write your own custom plugin to resolve the import table functions. For more interesting details refer to our PESpin ImpRec plugin.

Video Demonstration

This video demonstration uses a slightly different way to put a hardware breakpoint than described in the article. Also it uses ImpREC to fix the import table, which is useful while unpacking advanced packers. Here are the steps shown in the video:

- Load your EXE in Ollydbg
- Step Over (Shortcut-F8) the PUSHAD instruction
- Next Go to ESP (right click and follow in DUMP Window)
- Put a Hardware Read Breakpoint (Access) on the first dword at ESP. (This is similar to 'hr esp-4' at the PUSHAD instruction as described earlier)
- Now Run the EXE until we hit the breakpoint (shortcut-F9)
- It will break right after the POPAD instruction. You will see a JMP instruction a few lines below the current instruction. Put a breakpoint on the JMP
- Run the exe again until it stops at the JMP instruction (shortcut-F9)
- Step Over JMP (Shortcut-F8)
- Now we are at OEP. Here just Dump the Process using OllyDump without fixing the Import table.
- Here we will use ImpREC to fix the import table as mentioned in the 'Fixing Import Table' section.
- Finally after fixing the import table, run the new unpacked EXE to make sure it is perfect!

References

- UPX: Ultimate Packer for Executables.
- OllyDbg: Popular Ring 3 Debugger.
- ImpREC: Import Table Reconstruction Tool
- PESpin Plugin for ImpREC
- RDG Packer Detector
- PEid Packer Detector

Source: Manual Unpacking of UPX Packed Binary File - www.SecurityXploded.com
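Added example (not from the SecurityXploded article or its tools): a small PE32 header parser that checks the layout traits the tutorial describes (UPX0/UPX1 section names, a first section that is empty on disk and reserved for the unpacked code, an entry point outside the first section, a stub that opens with PUSHAD) to confirm a file is UPX-packed before you start debugging, the triage step the article assigns to PEiD or RDG Packer Detector. The two PE images are constructed inside the block; their section sizes, stub bytes and the three-of-four threshold are made-up values chosen for the demonstration.

```python
import struct

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
PUSHAD = 0x60                 # opcode of the stub's first instruction (the one the tutorial breakpoints on)

def parse_pe(image):
    """Return (AddressOfEntryPoint, list of section dicts) read from a PE32 image's headers."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", image, e_lfanew + 6)[0]            # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]        # COFF SizeOfOptionalHeader
    entry_rva = struct.unpack_from("<I", image, e_lfanew + 24 + 16)[0]  # OptionalHeader.AddressOfEntryPoint
    base = e_lfanew + 24 + opt_size                                     # first IMAGE_SECTION_HEADER
    secs = []
    for i in range(nsect):
        f = struct.unpack_from(SECTION_HDR, image, base + 40 * i)
        secs.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                     "vsize": f[1], "va": f[2], "rawsize": f[3], "rawptr": f[4]})
    return entry_rva, secs

def upx_indicators(image):
    """Layout traits of a UPX-packed file, as the article describes them (PEiD-style triage)."""
    entry_rva, secs = parse_pe(image)
    # index of the section whose virtual range holds the entry point, or None
    idx = next((i for i, s in enumerate(secs)
                if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"])), None)
    first_byte = None
    if idx is not None and secs[idx]["rawsize"]:                        # map the entry RVA to a file offset
        first_byte = image[secs[idx]["rawptr"] + entry_rva - secs[idx]["va"]]
    return {
        "upx_section_names": any(s["name"].startswith("UPX") for s in secs),
        "first_section_has_no_raw_data": secs[0]["rawsize"] == 0 and secs[0]["vsize"] > 0,  # UPX0 is empty on disk
        "entry_outside_first_section": idx not in (None, 0),           # stub lives in the appended section
        "entry_starts_with_pushad": first_byte == PUSHAD,              # stub saves registers before unpacking
    }

def is_probably_upx(image):
    return sum(upx_indicators(image).values()) >= 3

def build_sample_pe(sections, entry_rva, stub):
    """Constructed minimal PE32 image for exercising the parser (not a real binary); sections = (Name, VirtualSize, SizeOfRawData)."""
    hdr = bytearray(0x400)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                             # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x84, 0x14C, len(sections), 0, 0, 0, 224, 0x102)  # COFF header
    struct.pack_into("<H", hdr, 0x98, 0x10B)                            # PE32 magic
    struct.pack_into("<I", hdr, 0x98 + 16, entry_rva)                   # AddressOfEntryPoint
    body, va, raw = bytearray(), 0x1000, 0x400                          # raw data is laid out from offset 0x400
    for i, (name, vsize, rsize) in enumerate(sections):
        struct.pack_into(SECTION_HDR, hdr, 0x98 + 224 + 40 * i, name.encode(), vsize, va, rsize,
                         raw if rsize else 0, 0, 0, 0, 0, 0x60000020)
        data = bytearray(rsize)
        if va <= entry_rva < va + rsize:                                # place the stub at the entry point
            data[entry_rva - va:entry_rva - va + len(stub)] = stub
        body += data
        va, raw = va + ((vsize + 0xFFF) & ~0xFFF), raw + rsize
    return bytes(hdr) + bytes(body)

# Constructed samples: a UPX-style layout (UPX0 empty on disk, stub in UPX1) and a plain compiler layout.
PACKED = build_sample_pe([("UPX0", 0x8000, 0), ("UPX1", 0x2000, 0x1200), (".rsrc", 0x1000, 0x200)],
                         entry_rva=0xA000, stub=bytes([PUSHAD, 0xBE, 0x00, 0x10, 0x40, 0x00]))
PLAIN = build_sample_pe([(".text", 0x3000, 0x3000), (".data", 0x1000, 0x200), (".rsrc", 0x800, 0x200)],
                        entry_rva=0x1100, stub=b"\x55\x8b\xec")
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `is_probably_upx`; a stub that does not begin with PUSHAD is exactly the case where the tutorial tells you to trace until you find it rather than expecting it as the first instruction.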