Everything posted by Nytro

  1. Java vulnerabilities keep breeding
     Dec 10, 2013, Denis Makrushin

     As many as 4.2 million attacks using Java exploits were repelled by our Automatic Exploit Prevention system between September 2012 and August 2013. This number indicates two points. The first point, of course, is the efficiency of our technology. The second point, unfortunately, is the fact that the quantity of attacks on Java has not been reduced, but vice versa – it has increased. Various Kaspersky Lab products have blocked about 14.1 million attacks exploiting Java vulnerabilities, which is one-third more than from 2011-2012.

     Unfortunately, Java has been and remains a headache for all those involved in information security. There are several reasons for that. Firstly, despite all of its flaws, Java is extremely popular with developers (according to some reports, there are about 9 million people worldwide who use it) since this language allows them to create cross-platform applications, as they all run in the Java Virtual Machine. For this reason, Java has spread enormously on all user platforms. Now, it is being employed by more than three billion devices worldwide. There is also another reason for its popularity: the development of Java started a long time ago, when there was no point warning users about the prevalence of malware or especially exploits; there was no reason to waste time on its security. It’s no wonder then that last year 50% of attacks using exploits were targeted at Java.

     See the general dynamics of the number of attacks using exploits on the chart below: since a slight decline in mid 2012, it has been growing, while the other two “favorite” formats for intruders – PDF and Flash – have been, on the contrary, losing “popularity”. One reason for the growing number of attacks is the fact that between September 2012 and August 2013 there were 160 new vulnerabilities discovered, i.e. twice as many as during the previous 12 months.

     A recent Kaspersky Lab study on the evolution of Java exploits shows particular growth (+21%) of the number of attacks from March until August 2013. 80% of the attacks occurred in 10 countries. This list is topped by the U.S., Russia, Germany and Italy. More than half of the attacks used exploits related to six well-known groups. In other words, we cannot say that attackers sought to diversify their tools.

     What do all these frightening numbers mean for business? First of all, you must understand that attackers deliberately search for Java vulnerabilities, so that the use of applications written in this language is unsafe by itself. It does not mean that all of them should be removed immediately, but you must control them. Secondly, the statistics show that Java is not just the most frequently attacked software, but also one of the most reluctantly updated. On average, even a month and a half after the release of another corrected version, most users do not rush to upgrade Java on their devices. And if system administrators can update Java centrally within a corporate infrastructure, user devices may be somewhat tricky.

     Unfortunately, exploits are a threat even in cases when users are well-versed in IT, aware of the dangers of malware and prompt to update software as soon as new versions are released. The point is that zero day exploits for new vulnerabilities appear before a developer (in this case, Oracle) learns of the existence of these flaws. Hackers and developers are in a race, but the developers constantly “catch up”. And users are at risk all the time between the detection moment and the update release. Eventually, exposing oneself to an attack is quite easy just by visiting any legitimate site with malicious code embedded by hackers. The surest way to protect against exploits is to use automated tools that block their activity in a preventive mode. Our Automatic Exploit Prevention technology is such a tool.

     Despite the diversity of existing exploits they all have several similarities. Besides the fact that they are always written for specific software, exploits also have typical behavior patterns, and operate attacks similarly. This is why for the most vulnerable software products and platforms (including Java) AEP enables the “presumption of guilt” mode, so if it tries to download and run an executable file, it becomes a reason for additional checks, including tracking the source of the launch command and verifying the origin of the file being downloaded. If the file’s characteristics are suspicious, then its execution is automatically blocked.

     Here is a good example. In early January an exploit of Java’s zero day vulnerability CVE-2013-0422 was detected. The exploit proved to be extremely efficient with 83% successful attacks. It even got to the point where cyber security experts from the US National Security Agency recommended that users should disable the Java plugin in web browsers to protect themselves against malicious attacks that used this previously unknown vulnerability. At the same time, the statistics of Kaspersky Security Network showed that the users of Kaspersky Lab’s products with AEP technology successfully blocked the exploit on the grounds of behavioral analysis even before the incident was made public.

     Source: Java vulnerabilities keep breeding | Blog on Kaspersky Lab business
  2. How public tools are used by malware developers, the antivm tale
     Alberto Ortega, October 4, 2013

     Malware authors are aware of new technologies and research made by the security community. This is palpable when they implement new vulnerability exploitation on their tools or even reuse source code that belongs to public projects. We have discussed antivm and antisandbox analysis tricks seen in malware samples several times. Not long ago we came across a malware sample that had an interesting way to detect if it was being executed in a virtual environment / sandbox.

     You have probably heard about pafish or ScoopyNG, tools that pretend to be a proof of concept regarding this topic. Sadly, it is a matter of time that malware developers use that code to implement these techniques in new developments.

     Our malware sample had a weird behavior when it was executed in a sandbox or virtual environment. Somehow, it was detecting that the environment was hostile for itself, let's see how. It has four different executables embedded on it. One is a copy of pafish, another one a copy of ScoopyNG, and two malicious payloads. At running time it drops and executes the first two and it tries to detect if it is running under a virtual machine or sandbox. If none of them detect anything, it drops the malicious payload and continues the execution. We can see it in the malwr.com analysis.

     As you can see, the sandbox has been detected by pafish and the malware has started to create junk files in an infinite loop. Once we have located the routine, patching that jnz loc_4019B0 to disable the detection is an easy task. After patching, the behavior in malwr.com is completely different. It has dropped more files and tried to resolve four different domains; after that, the box is rebooted. To be sure about what happened next, we can try to run it in our own malware analysis machine. After the box is rebooted, this is what we find. So we have a fake AV in the house!

     The malicious payloads are a dropper that installs a Braviax variant. In this case, those public tools have helped us to disable the detections. It is very positive to release them to the public to train researchers on these topics. Sadly, sometimes you can find this double-edged sword being used in the wild.

     Source: http://www.alienvault.com/open-threat-exchange/blog/how-public-tools-are-used-by-malware-developers-the-antivm-tale
  3. BGPmon
     BGPmon – BGP Hijack Monitoring
     Saif El-Sherei

     optional arguments:
       -h, --help               show this help message and exit
       -b, --baseline           Baseline records
       -c, --check              Check for any discrepancies in database
       -e EMAIL, --email EMAIL  Add Email to database
       -ip IP, --ip IP          Add IP to database

     I. Introduction:
     BGPmon monitors your BGP route for hijacking and sends email alerts whenever discrepancies are found between the baseline and the latest update records. It utilizes the "Team Cymru" IP to ASN tool using bulk queries. BGP hijack monitor grabs the originating AS for a list of IPs saved in the database, and if the "-b" switch is supplied will insert the result in the baseline table. If no switches are supplied the results will be saved in the latest update tables. The tool utilizes the 'Team Cymru' IP to ASN tool. I would like to extend my special appreciation and thanks to this group for providing such a service.

     II. Installation:
     - create database 'bgpmon' with user 'bgpmon' and password
     - make sure to update both bgp-db.py and bgpmon.py with the db name, db host, db user, db password:
         update db details in 'bgpmon.py' line 26
         update db details in 'bgp-db.py' line 5
     - run the bgp-db.py script to create the required tables
     - add IP with '-ip' switch to be monitored
     - add email with '-e' switch to be alerted

     III. Usage:
     Since this tool is made to be running in the CLI, please note that all std_out is saved in the log file '/var/log/bgp_mon.log'. If you want to cancel this behaviour just comment out line 21 in the 'bgpmon.py' script; you will then see the output on your terminal.

     ./bgpmon.py -e        Add Email to the emails table to be alerted.
     ./bgpmon.py -ip [IP]  Add IP to the ips table to be monitored.
     ./bgpmon.py -b        Grabs the origin AS for the IPs in the database and saves the results in the base_line tables.
     ./bgpmon.py           Grabs the origin AS for the IPs in the database, saves the results in the latest_update table, and checks for differences between latest_update and base_line.
     ./bgpmon.py -c        Manually checks the records with MAX timestamp in the 'latest_update' table against the records in the 'base_line' table for each IP for differences; if any difference is found, sends email to the saved emails.

     Source: https://github.com/ssherei/BGPmon
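To make the `-c` check concrete, here is an added example of the comparison BGPmon describes (my own code, not from the ssherei/BGPmon repository): it parses Team Cymru bulk-whois style `AS | IP | AS Name` lines (the layout as I recall it; verify against the live service), keeps the baseline and latest-update records in memory instead of MySQL tables, and reports every monitored IP whose origin AS in the most recent run differs from the baseline or is missing from it. All record data below is constructed.

```python
"""Origin-AS drift check in the spirit of `bgpmon.py -c`.
Added example; assumes the 'AS | IP | AS Name' bulk-whois layout and uses
constructed data (documentation prefixes, private ASNs)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class OriginRecord:
    ip: str
    origin_asn: int
    as_name: str
    observed_at: datetime


def parse_cymru_bulk(text: str, observed_at: datetime) -> List[OriginRecord]:
    """Turn pipe-delimited 'AS | IP | AS Name' lines into records.
    Lines whose first field is not a number (the banner line, or an entry
    with no known origin) are skipped."""
    records = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) < 3 or not parts[0].isdigit():
            continue
        records.append(OriginRecord(parts[1], int(parts[0]), parts[2], observed_at))
    return records


def find_discrepancies(
    baseline: List[OriginRecord], latest: List[OriginRecord]
) -> List[Tuple[str, int, Optional[int]]]:
    """Compare the newest baseline entry per IP with the records from the
    most recent update run (MAX timestamp). Returns (ip, baseline_asn,
    latest_asn); latest_asn is None when the last run had no origin for it."""
    base: Dict[str, OriginRecord] = {}
    for r in baseline:  # newest baseline entry per IP wins
        if r.ip not in base or r.observed_at > base[r.ip].observed_at:
            base[r.ip] = r
    if not latest:
        return [(ip, b.origin_asn, None) for ip, b in sorted(base.items())]
    run = max(r.observed_at for r in latest)
    recent = {r.ip: r for r in latest if r.observed_at == run}
    problems: List[Tuple[str, int, Optional[int]]] = []
    for ip, b in sorted(base.items()):
        r = recent.get(ip)
        if r is None:
            problems.append((ip, b.origin_asn, None))
        elif r.origin_asn != b.origin_asn:
            problems.append((ip, b.origin_asn, r.origin_asn))
    return problems


def format_alert(problems: List[Tuple[str, int, Optional[int]]]) -> str:
    """Body text for the alert e-mail BGPmon would send to its saved addresses."""
    if not problems:
        return "No origin-AS changes detected."
    lines = ["Origin AS discrepancies detected:"]
    for ip, b, l in problems:
        seen = "no origin in last run" if l is None else f"AS{l}"
        lines.append(f"  {ip}: baseline AS{b}, latest {seen}")
    return "\n".join(lines)


# Constructed bulk-whois output as stored by `bgpmon.py -b` (baseline) ...
BASELINE_TEXT = """\
Bulk mode; whois.cymru.com [constructed banner line]
64500   | 192.0.2.10       | EXAMPLE-NET-1
64501   | 198.51.100.7     | EXAMPLE-NET-2
64502   | 203.0.113.3      | EXAMPLE-NET-3
64503   | 203.0.113.9      | EXAMPLE-NET-4
"""
# ... and by a later plain `bgpmon.py` run, where one prefix now originates
# from a different AS and one has no origin at all.
LATEST_TEXT = """\
64500   | 192.0.2.10       | EXAMPLE-NET-1
64999   | 198.51.100.7     | SOMEONE-ELSE
64502   | 203.0.113.3      | EXAMPLE-NET-3
NA      | 203.0.113.9      | NA
"""
T0 = datetime(2014, 1, 1, 0, 0)
T1 = datetime(2014, 1, 9, 6, 0)
T2 = datetime(2014, 1, 9, 12, 0)
BASELINE = parse_cymru_bulk(BASELINE_TEXT, T0)
# Two update runs; only the T2 run counts for the check.
LATEST = parse_cymru_bulk(BASELINE_TEXT, T1) + parse_cymru_bulk(LATEST_TEXT, T2)

if __name__ == "__main__":
    print(format_alert(find_discrepancies(BASELINE, LATEST)))
```

Only the most recent run is compared, as the README's MAX-timestamp rule says; an IP that simply vanished from the last lookup is reported too, because a missing origin is as worth a look as a changed one.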
  4. NFTables IPTables-Replacement Queued For Linux 3.13
     Posted by Michael Larabel in Linux Kernel on 19 October 2013 03:42 PM EDT

     NFTables is a new firewall subsystem / packet filtering engine for the Linux kernel that is poised to replace iptables. NFTables has been in development for several years by the upstream author of Netfilter. This new nftables system is set to be merged now into the Linux 3.13 kernel.

     NFTables has been in development for years and is meant to replace IPTables by offering a simpler kernel ABI, reduced code duplication, improved error reporting, and more efficient support of filtering rules. Beyond IPTables, it also replaces the ip6tables, arptables, and ebtables frameworks, but nftables does offer a compatibility layer for iptables support. For those into networking and wanting to learn more about NFTables, visit its Netfilter.org project page.

     Earlier this week a pull request was sent in for pulling in nf_tables for the next Linux kernel release through the net-next branch. The pull request was accepted and is now living in the net-next Git repository for Linux 3.13. IPTables won't die off in Linux 3.13 as there's still work ahead for NFTables, but those wanting to try out the new code when it's mainlined can find this how-to guide.

     Source: [Phoronix] NFTables IPTables-Replacement Queued For Linux 3.13
  5. How's My SSL

     How's My SSL? is a cute little website that tells you how secure your TLS client is. TLS clients just like the browser you're reading this with. How's My SSL? was originally made to help a web server developer learn what real world TLS clients were capable of. It's been expanded to give developers and the very technically-savvy a quick and easy way to learn more about the TLS tools they use. It's also meant to impel developers to modernize and improve their TLS stacks.

     Many security problems come from engineers simply not knowing what worries to have. How's My SSL? is a demonstration of what those TLS client worries should be. How's My SSL? chooses topics important to today's security environment and analyzes clients in that context. It will never be a complete audit, but it can hit the high notes. Over time, How's My SSL? will change to live in an ever more difficult security environment. It will be kept up by people who care.

     Link: https://www.howsmyssl.com/
  6. Inject JavaScript to explore native apps
     Inject JavaScript to explore native apps on Windows, Mac, Linux and iOS.

     Scriptable
     Your own scripts get injected into black box processes to execute custom debugging logic. Hook any function, spy on crypto APIs or trace private application code, no source code needed!

     Stalking
     Stealthy code tracing without relying on software or hardware breakpoints. Think DTrace in user-space, based on dynamic recompilation, like DynamoRIO and PIN.

     Portable
     Works on Windows, Mac, Linux, and iOS. Grab a Python package from PyPI or use Frida through its .NET binding, browser plugin or C API.

     Get up and running in seconds.

       ~ $ sudo easy_install frida
       ~ $ frida-trace -i 'recv*' Skype
       recvfrom: Auto-generated handler: …/recvfrom.js
       Started tracing 21 functions.
       1442 ms recvfrom()
       # Live-edit recvfrom.js and watch the magic!
       5374 ms recvfrom(socket=67, buffer=0x252a618, length=65536, flags=0, address=0xb0420bd8, address_len=16)

     Source: Frida
  7. The RTLO method
     January 9, 2014 | By Pieter Arntz

     After my post about extensions, I received some requests to deal with another method of pretending to be a different type of file. If you have not read that article yet, it will prove helpful to do that first in order to better understand this post.

     What is RTLO (aka RLO)?
     The method called RTLO, or RLO, uses the method built into Windows to deal with languages that are written from right to left, the “Right to left override”. Let’s say you want to use a right-to-left written language, like Hebrew or Arabic, on a site combined with a left-to-right written language like English or French. In this case, you would want bidirectional script support. Bidirectional script support is the capability of a computer system to correctly display bi-directional text. In HTML we can use Unicode right-to-left marks and left-to-right marks to override the HTML bidirectional algorithm when it produces undesirable results:
       left-to-right mark: ? or ? (U+200E)
       right-to-left mark: ? or ? (U+200F)

     How is RTLO being abused by malware writers?
     On systems that support Unicode filenames, RTLO can be used to spoof fake extensions. To do this we need a hidden Unicode character in the file name that will reverse the order of the characters that follow it. Look for example at this file, a copy of HijackThis.exe, that I renamed using RTLO: The last seven characters in the file name are displayed backwards because I inserted the RTLO character before those seven characters. As discussed in the previous article, assigning a matching icon to a file is a triviality for a programmer. So here we have an executable file that seems to have the PDF extension. Ironically, you will see straight through this deception if you are still running XP, since it does not support these file names: The square symbol shows us where the Unicode RTLO character is placed.

     One way to catch these fakes on more modern versions of Windows is to set the “Change your view” ruler to “Content”. Set this way, you can see that the files are applications and not a PDF or jpg. This may be a good idea for your “Download” folder(s), so you can check if you have downloaded what you expected to get.

     Is the RTLO method actively being used?
     The technique has been known for quite a while and is starting to re-surface. It is not only being used for filenames, by the way. A malware known as Sirefef (which Malwarebytes Anti-Malware detects as Trojan.Agent.EC) uses the RTLO method to trick users into thinking that the entries it puts into the infected machine’s registry are legitimate ones, belonging to Google update.

     Does this have any effect on the detection of these files?
     No. Detection of malicious files is never done by a filename alone. So your AV and Malwarebytes Anti-Malware will still recognize these files if they were added to their detection, no matter what they are called or how they are written.

     Summary:
     RTLO is used to fake extensions by writing part of the filename or other descriptions back to front. Although the detection by your AV or Malwarebytes Anti-Malware is not altered in any way, this trick can deceive users at first glance.

     Sources:
       http://www.ipa.go.jp/security/english/virus/press/201110/E_PR201110.html
       Sirefef Malware Found Using Unicode Right-to-Left Override Technique | Threatpost
       H34: Using a Unicode right-to-left mark (RLM) or left-to-right mark (LRM) to mix text direction inline | Techniques for WCAG 2.0

     Source: The RTLO method | Malwarebytes Unpacked
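The post's advice is to switch Explorer to the "Content" view so the real file type shows through. The same check can be scripted for a download folder; the following is an added example of mine, not code from the Malwarebytes article. It flags any filename that contains a Unicode bidirectional control character (the right-to-left override, U+202E, that the post describes, plus its relatives), reconstructs roughly what such a name looks like on screen, and reports the extension the operating system will actually use. The sample filenames are constructed, and the set of "executable" extensions is an illustrative choice rather than an exhaustive list.

```python
"""Flag filenames that use Unicode bidirectional controls to disguise their
extension. Added example with constructed sample names."""
import unicodedata
from typing import Dict, List, Tuple

# Bidirectional control characters: the override the post describes (RLO,
# U+202E) and the marks/embeddings/isolates around it. None of them has a
# legitimate place in a filename, so any occurrence is worth a closer look.
BIDI_CONTROLS = frozenset(
    "\u200e\u200f\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069"
)
RLO = "\u202e"

# Illustrative choice of extensions that Windows will execute directly.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}


def find_bidi_controls(name: str) -> List[Tuple[int, str, str]]:
    """Return (position, 'U+XXXX', Unicode name) for every bidi control in name."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch))
        for i, ch in enumerate(name)
        if ch in BIDI_CONTROLS
    ]


def strip_bidi_controls(name: str) -> str:
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def true_extension(name: str) -> str:
    """The extension the OS actually uses: text after the last dot once the
    invisible controls are removed, lower-cased."""
    clean = strip_bidi_controls(name)
    return clean.rsplit(".", 1)[1].lower() if "." in clean else ""


def displayed_name(name: str) -> str:
    """Approximate what a bidi-aware file manager renders: the text after the
    first RLO appears reversed. This is a simplification of the full Unicode
    bidirectional algorithm, good enough to show the trick."""
    if RLO not in name:
        return strip_bidi_controls(name)
    head, tail = name.split(RLO, 1)
    return strip_bidi_controls(head) + strip_bidi_controls(tail)[::-1]


def assess(name: str) -> Dict[str, object]:
    """Summarise one filename: where the controls are, how it looks, and
    whether the apparent and real extensions disagree."""
    controls = find_bidi_controls(name)
    shown = displayed_name(name)
    real = true_extension(name)
    apparent = shown.rsplit(".", 1)[1].lower() if "." in shown else ""
    return {
        "name": name,
        "controls": controls,
        "displayed": shown,
        "apparent_extension": apparent,
        "true_extension": real,
        "suspicious": bool(controls),
        "executable_disguised": bool(controls)
        and real in EXECUTABLE_EXTENSIONS
        and apparent != real,
    }


def scan(names: List[str]) -> List[Dict[str, object]]:
    """Return the assessments of every name that carries a bidi control."""
    return [a for a in (assess(n) for n in names) if a["suspicious"]]


# Constructed sample names: two RLO-disguised executables, a plain PDF, and a
# Hebrew filename that is right-to-left text but uses no override at all.
SAMPLE_NAMES = [
    "quarterly-report\u202efdp.exe",
    "holiday-photo\u202egpj.scr",
    "readme.pdf",
    "\u05e9\u05dc\u05d5\u05dd.txt",
]

if __name__ == "__main__":
    for r in scan(SAMPLE_NAMES):
        print(f"{r['displayed']!r}: looks like .{r['apparent_extension']}, "
              f"really .{r['true_extension']} at {r['controls']}")
```

The scan is by name only; as the post says, detection of the file itself is a separate matter, so treat a hit here as a reason to look at the content, not as proof of malice. Ordinary right-to-left filenames (the Hebrew sample) pass cleanly because they contain no control characters.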
  8. Exploit Delivery Networks
     Posted on January 9, 2014 by darryl

     Exploit packs are normally set up on a hacker-controlled server. Compromised websites or malicious email links lead unsuspecting users to the drive-by landing page on the server. While this keeps the main control panel, renter’s panel, crypter, statistics, etc all in one place, it’s vulnerable to a take-down resulting in a major disruption and a loss of statistical data among other things.

     We might be seeing the beginning of a new trend where distributed, self-contained exploit packs are installed on multiple compromised websites. A back-end server pushes out updates to and retrieves statistics from these websites. Take-downs of these compromised websites hosting the exploit packs don’t cause a major disruption anymore. The hackers just compromise other websites and quickly build it back up. This is basically a content delivery network but for exploits — an “Exploit Delivery Network”, if you will. RedKit is a prime example (you can read about it here). Another exploit pack was recently revealed which operates in a similar manner. Special thanks to a colleague of mine who provided me with intel and permission to write about this. Also thanks to a forum administrator who provided me with the files after his site was compromised.

     Ramayana Exploit Pack
     The “DotkaChef” exploit pack was discovered several months ago. Its real name is ramayana. Recently, the cybercriminals behind ramayana targeted numerous forums running vulnerable versions of IP.Board (read more here). After successfully exploiting the website, a folder is created with the self-contained exploit pack copied to it. The PHP script verifies that the incoming URL contains the correct parameters and values, otherwise you won’t get infected. This prevents researchers from trying to analyze the pack.

     Here’s an example exploit chain related to ramayana:
       website/panel/js/fe0e2feefe/?=MDct5ibpFWbf12c8lzM1ATN4YDM1UDMwk zM89SZmVWZmJTZwUmZvMnavwWZuFGcvUGdpNnYld3LvoDc0RHa8NnZ
       website/panel/js/fe0e2feefe/?f=a&k=3900550685053931
       website/panel/js/fe0e2feefe/?f=s&k=3900550685053919
       website/panel/js/fe0e2feefe/?f=sm_main.mp3&k=3900550685053942

     Here’s the part of the script that sends the exploit over. There are two Java exploits used — atom.jar (CVE-2013-2423) and byte.jar (CVE-2013-1493). The Java applets and their related payloads are the four other files you see in the folder screenshot above. Those files are base64-encoded and are decoded upon delivery. A stats file is also created which contains the key parameter from the URL and a status code. The PHP script defines the values of the status code:

     The backend system that controls the exploit pack nodes runs Python. It does a health check, builds the exploit pack files, pushes out updates, and other things. And of course there is a dashboard with a statistics panel which is fed by a stat-harvesting script. This appears to be an important measure of an exploit pack’s success and therefore part of most control panels.

     Summary
     “RedKit” and ramayana may represent a new class of exploit packs and an evolutionary improvement over their peers. Their exploitation methods remain the same but the delivery system uniquely leverages compromised websites to host disposable components of their exploit pack in order to maximize resiliency, protect their backend systems, and ultimately, to ensure the longevity of their criminal operations. Time will tell if Exploit Delivery Networks become the new norm but it’s something to keep a close eye on nonetheless.

     Source: Exploit Delivery Networks | Kahu Security
  9. China ALSO building encryption-cracking quantum computer
     You didn't think we'd let the West have all the fun, did you?
     By Phil Muncaster, 10th January 2014

     It’s not just the NSA that’s said to be working on a quantum computer – China is also pulling out all the stops to beat its arch rival with a crypto-cracking machine of its own. The National Natural Science Foundation of China funded 90 quantum-based projects in 2013, with the order from Beijing to get the job done irrespective of the cost, according to South China Morning Post.

     "The value of the quantum computer to the military and government is so great, its cost has never been considered," Zhejiang University professor Wang Haohua told the paper. "Many Chinese scientists abroad, such as myself, have been attracted by the rapid technological development in China and are returning home. We hope to help China catch up with the West. It is not impossible that we may even win the race in the future."

     As part of the huge effort by academics and military boffins, China has apparently built a three-storey Steady High Magnetic Field Experimental Facility on Hefei Science Island, Anhui province. Once operational, the facility could generate a magnetic field in excess of 45 Tesla, creating a more stable environment for quantum research by increasing the distance between qubits, according to the report. "Under super-strong magnetic fields, the distance between qubits can be increased, making our jobs easier,” project leader Chen Hongwei told the paper. "If qubits can be tamed this way, the first quantum computer may be born inside a magnet.”

     The latest batch of Edward Snowden docs revealed last week that the NSA has budgeted $79.7m for the development of a quantum computer capable of cracking most kinds of encryption systems. However, its “Owning the Net” initiative apparently faces competition from rival projects in the EU and Switzerland, as well as China.

     Even with the brightest minds on the planet and the unlimited resources of China working on the problem, it could still be decades before a working quantum computer is built, according to some experts. ®

     Source: China ALSO building encryption-cracking quantum computer • The Register
  10. Cuckoo Sandbox 1.0

     It took a while. After almost four years of development, ups and downs, more people joining the project and more people using it, we finally reached version 1.0. We've been procrastinating a lot while trying to get this release done, mainly for the concern of having a mature enough software worthy of the release code, but it's finally completed and ready for download!

     There is a number of improvements, bugfixes and new features available in this release. Most importantly Cuckoo is now provided with a full-fledged Django and MongoDB-powered web interface. Similarly to Malwr, you can use it to submit files and URLs, browse through the analyses as well as search across the full dataset. Other noteworthy additions are support for VMWare ESXi, new modules, more analysis packages and an overall improvement in stability and reliability of the software.

     Changelog
     Following is the CHANGELOG for this version:
     - Introduced Auxiliary modules
     - Added option to set sniffing interface for each virtual machine
     - Added option to set snapshot for each virtual machine
     - Added pagination to API
     - Added option to REST API to return compressed archives of files ("all" and "dropped")
     - Added option to set Result Server IP and port for each virtual machine
     - Added processing module for volatility to analyze memory dumps, disabled by default
     - Added new "reported" status for analysis tasks
     - Added automated rescheduling of locked tasks at startup
     - Added tags to machines
     - Added reduced behavioral events
     - Added new Django/Mongo-powered web interface
     - Added Windows analyzer auxiliary module to disguise the analysis environment
     - Added VBS, CPL and RTF analysis package
     - Added generic analysis package to execute samples via cmd.exe
     - Added MAEC 4.0.1 reporting module
     - Added filter for private networks in Network Analysis processing module
     - Added max_analysis_count to cuckoo.conf to automatically shutdown Cuckoo
     - Added check for available disk space
     - Added support for BSON logging format
     - Added option to specify a custom DLL to the analyzer and the analysis packages
     - Added ICMP protocol dissection
     - Added ESX Virtual Machine Manager
     - Slightly improved CuckooMon's stealthiness and stability
     - Refactored processing to improve performances
     - Refactored signature engine, introducing event-based signatures to improve performances
     - Refactored generation of process tree
     - Transitioned network sniffer to auxiliary module
     - Renamed MachineManagers to Machinery modules
     - Renamed Metadata to MMDef reporting module
     - Fixed virtual machine clock, now is updated to current time or specified by user via --clock option
     - Fixed bug in Human auxiliary module, now moving cursor to absolute positions
     - Fixed issue in Human auxiliary module, using SetCursorPos instead of mouse_event
     - Fixed issues with resolving relative filenames in CuckooMon
     - Removed support for GrayLog2
     - Removed pickle reporting module
     - Removed MAEC 1.1 reporting module

     Known Issues
     At the moment we are only aware of one existing issue when analyzing .NET applications. In most cases you'll have inconsistent results and possibly crashes or sudden termination of the analyzed binary. We are currently investigating the issue and we'll hopefully have a fix in the near future.

     Conclusions
     This release represents an important landmark for the maturity of the project. We've made it this far thanks to the support of the community and the outstanding work of our developers and our contributors, committed into providing a valuable open source software to the public and dedicating every bit of time to it. Enjoy.

     published on 2014-01-09 17:30:00 by nex

     Source: Automated Malware Analysis - Cuckoo Sandbox
  11. VIDEO: Understanding Bitcoin and Securing your Digital Wallet

     Digital currencies such as Bitcoin grew in popularity in 2013 and are set to be one of this year’s big talking points. One essential ingredient of a digital currency is somewhere to store your money – a digital wallet. Just like a real wallet, it’s wise to take steps to secure your digital counterpart to keep your money safe. In this video, AVG’s Michael McKinnon gives a short guide to securing your digital wallet and keeping your digital currency safe.

     Watch the guide

     Source: VIDEO: How to secure your digital wallet
  12. Kali Linux 1.0.6 Released
     Posted on: 01-9-2014, Posted by: muts
     Kernel 3.12, LUKS nuke, Amazon AMI / Google Compute images and more!

     It’s been a while since our last minor release which makes 1.0.6 a more significant update than usual. With a new 3.12 kernel, a LUKS nuke feature, new Kali ARM build scripts, and Kali AMAZON AMI and Google Compute image generation scripts, not to mention numerous tool additions and updates – this release is really heavily laden with goodness. For more information about what’s new in this release, check the Kali changelog.

     Kali ARM Build Scripts Now Available
     This new release brings with it the introduction of the Offensive Security Trusted ARM image scripts – a set of slowly growing scripts that are able to build Kali Linux images for various ARM devices. These scripts will replace the growing number of actual ARM image releases we have in order to reduce the exponentially growing amount of traffic we serve on each release. We will release a short blog post about how to use these scripts in the next few days.

     LUKS Nuke Patch Added to cryptsetup
     A couple of days ago, we demonstrated a cool patch for cryptsetup, which introduces a self destruction feature. The response to this post was overwhelmingly positive, as many people voted to see this feature included in Kali Linux. Therefore, we included this patch into our cryptsetup package yesterday, making the luksAddNuke options available to all Kali users by default. The patch is non-invasive and will not change anything for anyone that does not want to make use of it. No action is necessary if you currently use LUKS and don’t want to utilize the key nuke feature. The updated cryptsetup package is present in Kali 1.0.6 by default. We’d like to take a moment to thank everyone who participated in the poll for voicing their opinion. This kind of feedback is very useful for us, giving us a better feel for the type of features to add in the future. In an upcoming blog post, we will take the opportunity to better explain this new feature and show you how to test it out.

     Updated Instructions for Building VMware Tools with Kernel 3.12
     VMware Tools always lags behind new kernels, which always causes us headaches and this time is no exception. At the time of this release, VMware Tools does not cleanly compile against kernel 3.12 and requires a set of patches. We have posted these Kali Linux VMware Tools patches on GitHub along with instructions on how to use them. We suspect that these build issues will go away in future releases of VMware Tools.

     Kali Linux Amazon AMI/Google Compute Build Scripts Now Available
     Yay! This was on our todo list for quite a while and we’re happy to bring this feature out at last. A set of scripts that enables you to build your own custom Amazon AMI and Google Compute cloud images. If you intend to use the images for any real work, you should first consult the terms of service of the cloud provider.

     Separation of Kali Official Images and Offensive Security Contributed Images
     Due to the ever growing number of ARM images Offensive Security is contributing as well as the high demand for more flavours of VMware images, we’ve separated the Official Kali images from Offensive Security contributed images. This allows us to generate more VMware image flavours (amd64, i486, i686-pae), as well as increased flexibility in future releases. To find updated VMware and custom ARM images, visit the Offensive Security Custom Image Download Page. Please bear with us as we update images on this server in the next few days.

     Improving Kali Linux Package Features
     In the past couple of weeks, jerichodotm has been helping us add watch files to our Kali packages. These watch files allow us to monitor upstream tarball releases for updates in a much more reliable manner. Once this process is complete, we’ll be able to monitor new upstream software updates with much more ease. For example, if you want to check if there’s a new upstream release of nmap, you could do the following:

       root@kali:~# apt-get install devscripts
       root@kali:~# apt-get source nmap
       root@kali:~# cd nmap-6.40/
       root@kali:~/nmap-6.40# uscan --no-download --verbose
       -- Scanning for watchfiles in .
       -- Found watchfile in ./debian
       -- In debian/watch, processing watchfile line:
          http://nmap.org/dist/nmap-((?:\d+\.)+\d+)\.tgz
       -- Found the following matching hrefs:
          nmap-5.00.tgz
          nmap-5.20.tgz
          nmap-5.21.tgz
          nmap-5.50.tgz
          nmap-5.51.1.tgz
          nmap-5.51.2.tgz
          nmap-5.51.3.tgz
          nmap-5.51.4.tgz
          nmap-5.51.5.tgz
          nmap-5.51.6.tgz
          nmap-5.51.tgz
          nmap-6.00.tgz
          nmap-6.01.tgz
          nmap-6.25.tgz
          nmap-6.40.tgz
       Newest version on remote site is 6.40, local version is 6.40
        => Package is up to date
       -- Scan finished
       root@kali:~/nmap-6.40#

     No Re-Downloading Required
     Lastly, if you already have a Kali Linux installation up and running, you don’t need to download a new ISO. You can easily upgrade your installation to the latest and greatest Kali Linux has to offer as follows:

       root@kali:~# apt-get update
       root@kali:~# apt-get dist-upgrade

     ….Engage.

     We’re really happy with this release and are looking forward to completing our next goals with 1.0.7. As usual, you are welcome to visit our Kali Linux forums (which now default to HTTPS), read up on our official documentation, submit bugs and patches, or chat with us in IRC, irc.freenode.net, #kali-linux.

     Shameless Plug
     Offensive Security has recently updated its “Penetration Testing With BackTrack” online course to “Penetration Testing with Kali Linux”. If you’re looking for official, quality training on Kali Linux, this is a great place to start. We’re biased of course, but many other people seem to think so too!

     Source: Kali Linux 1.0.6 Released | Kali Linux
  13. Anyone else who goes off-topic gets banned outright.
  14. Want to Spy? Google Play will help you

Spyware or legitimate monitoring application? You decide. In this blog we'll discuss a 'legitimate' app that can be purchased in Google Play known as SMS Tracker. Now it's legitimate as it advertises exactly what it does, but based on how this same application is packaged and distributed in other markets, it's clear that the vendor is also targeting another, less altruistic audience with this same application. The app also illustrates the powerful access permissions that an application can gain so long as the end user agrees to it, either explicitly or otherwise.

Details about the application:

Name: SMS Tracker.
Installs: 10,000-15,000.
Description: Gizmoquip SMS Tracker - Track text messages and location data from all of your android phones.

As per the description on the application's Google Play page, the application is able to do the following:

- SMS Tracking – Intercepts text messages. Read all inbound and outbound text messages. Details include time and date, phone number, contact name and location of the target phone. Complete text message tracking and logging.
- MMS tracking – Intercepts MMS multimedia messages. Read and view all inbound and outbound MMS messages. See what photos are sent to and from the target phone. Details include photo, time and date, phone number, contact name and location of the target phone.
- Browser Tracking – Monitors all web browser activity on the target phone. Know which websites were visited, which pages were viewed and when.
- GPS Tracking – Logs GPS location information which can later be viewed on a map. Know when and where the phone was located at all times. Breadcrumbs record location information, allowing parents to locate their children at frequent intervals. GPS logging occurs at a user-defined rate (default interval is 5 minutes). Remote GPS logging and viewing give you the ability to see the location of your child's phone from any web browser. The breadcrumb trail offers powerful GPS tracking.
- Call Logging – Monitors all inbound, outbound and missed calls. Identifies the phone number, contact name, call duration, and location of the phone for every call.
- If you want to know where your kids are, just send them a text message. The location of the phone is recorded every time it sends or receives a text message.
- Tracking of system events, including device powered on/off, device attached to / removed from the charger, apps installed/removed/updated.
- Silently monitor all inbound and outbound SMS messages.

How can the app be used?

First you need to download the application and install it on the device on which you want to spy. After installing the application you need to register it. Next, you need to go to Gizmoquip SMS Tracker - Track text messages and location data from all of your android phones., where you will be asked for the login name and password which were registered at the time of installing the application.

This screenshot shows the dashboard after login.

This screenshot shows the page where you can see logging from the device. It covers SMS, device information, call logs, network traffic, location details, etc.

Zscaler's concerns:

In any other context, an application with these capabilities would clearly be labelled as spyware. At the vendor's site (Gizmoquip.com - Download) they are selling a repackaged version of this app which has the same functionality but does not leave an icon on the device, thus making it more stealthy and harder to detect following installation. This version also does not contain the notification icon or privacy policy screen. Why the transparency? What audience is this version targeting? This same application could also serve as a generic template for other spyware projects by being wrapped with other code to provide the core functionality needed to create another malicious app.

This type of app clearly shows the powerful level of access that can be granted to Android apps, so long as users grant permission. An app can access SMS, call logs, network traffic, hardware details, screen details, etc. Always carefully read the permissions requested by an application before installing it on your device.

The vendor is promoting this application as a tool for monitoring the mobile activities of your children. However, this same app would be a very effective tool for spying on someone once installed on their phone. You just need to install the app on the device you want to spy on and you are done. All the information about the device and all call and SMS logs can then be remotely monitored. Moreover, all of the user's private data is stored on the vendor's server. What guarantees are in place that the private data will remain private?

In the increasingly common enterprise world of "Bring Your Own Device" (BYOD), such applications could be leveraged to expose corporate contact lists, email, browsing information and collect private data from corporate apps in the workplace. Enterprises often block access to 'non-official' app stores to prevent the installation of such apps, but this illustrates that such a restriction is no guarantee that spyware can't be installed from an official source.

VirusTotal scan results:

The application available from the vendor site (smstracker.com): https://www.virustotal.com/en/file/21aa6c6652287413f07ddfbcadea84441a500ee12816dfe4beed913e4a0fa636/analysis/

The Google Play store's version: https://www.virustotal.com/en/file/a3b40fa9fea9600b55d4d07fd4f0358ee74e6924c342c5857c2a5311f7a11ed3/analysis/

Interestingly, despite virtually the same functionality, far fewer AV vendors flag the Google Play version as malicious.

- Viral

Source: Zscaler Research: Want to Spy? Google Play will help you
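As an added example that is not part of the Zscaler post and not the app vendor's code, the script below does the permission review the post recommends, but mechanically: it reads an AndroidManifest.xml as decoded by apktool, groups the declared permissions into the capabilities the post lists (SMS/MMS, call log, location, browser history) plus network access for uploading them, and reports whether the app registers a high-priority receiver for incoming SMS, which lets it see a message before the default messaging app (and, before Android 4.4, abort the broadcast so the user never sees it). The manifest below is constructed for the example and is not the real app's manifest; the capability grouping and the "spyware-like" threshold are the example's own assumptions.

```python
"""Triage an Android manifest for the monitoring capabilities described in
the SMS Tracker post. Example code added to this page, not Zscaler's or the
vendor's code; the manifest is constructed and the rules are assumptions."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PRIORITY = "{%s}priority" % ANDROID_NS

# Constructed manifest standing in for an apktool-decoded AndroidManifest.xml.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.monitor">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Tracker">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Capability groups mapped from the behaviour the post lists (assumed grouping).
CAPABILITIES = {
    "read SMS/MMS": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
                     "android.permission.RECEIVE_MMS"},
    "call log": {"android.permission.READ_CALL_LOG", "android.permission.READ_CONTACTS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "browser history": {"com.android.browser.permission.READ_HISTORY_BOOKMARKS"},
    "exfiltration": {"android.permission.INTERNET"},
}


def declared_permissions(manifest_xml):
    """Set of android:name values from every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)}


def sms_receiver_priority(manifest_xml):
    """Highest intent-filter priority of any receiver for SMS_RECEIVED, or None.
    A high value orders the app ahead of the default SMS app for the broadcast."""
    root = ET.fromstring(manifest_xml)
    best = None
    for receiver in root.iter("receiver"):
        for filt in receiver.iter("intent-filter"):
            actions = {a.get(NAME) for a in filt.iter("action")}
            if "android.provider.Telephony.SMS_RECEIVED" in actions:
                prio = int(filt.get(PRIORITY, "0"))
                best = prio if best is None else max(best, prio)
    return best


def triage(manifest_xml):
    """Return the capability groups present, the SMS receiver priority and a verdict.
    Threshold (assumption): four or more groups including network access is spyware-like."""
    perms = declared_permissions(manifest_xml)
    caps = sorted(name for name, needed in CAPABILITIES.items() if perms & needed)
    verdict = "spyware-like" if len(caps) >= 4 and "exfiltration" in caps else "review"
    return {"capabilities": caps,
            "sms_priority": sms_receiver_priority(manifest_xml),
            "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

Run it against the manifest apktool extracts from the APK (or from any app an enterprise MDM policy is about to allow); the point is that a store listing saying "SMS Tracker" and a manifest asking for READ_SMS, READ_CALL_LOG, ACCESS_FINE_LOCATION, browser history and INTERNET describe the same capability set, whichever store the package came from.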
  15. Parent Directory  -
Ebooks by Authors/  02-Jul-2011 20:33  -
Syngress - Aggressive Network Self-Defense.pdf  02-Jul-2011 20:33  83M
Syngress - Best Damn Windows Server 2003 Book P..>  02-Jul-2011 20:34  21M
Syngress - Botnets - The Killer Web App.pdf  02-Jul-2011 20:34  7.0M
Syngress - Buffer Overflow Attacks.pdf  02-Jul-2011 20:34  5.4M
Syngress - Building DMZs for Enterprise Network..>  02-Jul-2011 20:34  12M
Syngress - Building SANs with Brocade Fabric Sw..>  02-Jul-2011 20:35  3.8M
Syngress - Building a VoIP Network with Multime..>  02-Jul-2011 20:34  17M
Syngress - C#.NET Web Developer's Guide.pdf  02-Jul-2011 20:34  6.8M
Syngress - Check Point NG VPN-1 FireWall-1 Adva..>  02-Jul-2011 20:33  12M
Syngress - Cisco Security - Professional's Guid..>  02-Jul-2011 20:33  15M
Syngress - Cisco Security - Specialist's Guide ..>  02-Jul-2011 20:33  11M
Syngress - Combating Spyware in the Enterprise.pdf  02-Jul-2011 20:34  8.0M
Syngress - Creating Security Policies and Imple..>  02-Jul-2011 20:33  2.8M
Syngress - Cyber Adversary Characterization - A..>  02-Jul-2011 20:33  4.1M
Syngress - Cyber Crime Investigations.pdf  02-Jul-2011 20:33  9.2M
Syngress - Cyber Spying - Tracking your Family'..>  02-Jul-2011 20:35  106M
Syngress - Developer's Guide to Web Application..>  02-Jul-2011 20:33  11M
Syngress - Email Virus Protection Handbook.pdf  02-Jul-2011 20:32  5.8M
Syngress - Enemy at the Water Cooler.pdf  02-Jul-2011 20:33  6.3M
Syngress - Essential Computer Security.pdf  02-Jul-2011 20:33  7.8M
Syngress - Google Hacking for Penetration Teste..>  02-Jul-2011 20:34  13M
Syngress - Google Hacking for Penetration Teste..>  02-Jul-2011 20:33  15M
Syngress - Google Talking.pdf  02-Jul-2011 20:34  8.3M
Syngress - Hack Proofing Linux.pdf  02-Jul-2011 20:32  12M
Syngress - Hack Proofing Sun Solaris.pdf  02-Jul-2011 20:34  6.8M
Syngress - Hack Proofing Windows 2000 Server.pdf  02-Jul-2011 20:33  12M
Syngress - Hack Proofing XML.pdf  02-Jul-2011 20:34  7.1M
Syngress - Hack Proofing your Identity in the I..>  02-Jul-2011 20:33  8.9M
Syngress - Hack Proofing your Network - 2nd Edi..>  02-Jul-2011 20:34  8.8M
Syngress - Hack Proofing your Web Applications.pdf  02-Jul-2011 20:33  8.6M
Syngress - Hack Proofing your Wireless Network.pdf  02-Jul-2011 20:32  6.6M
Syngress - Hack Proofing your network.pdf  02-Jul-2011 20:34  2.9M
Syngress - Hack the Stack.pdf  02-Jul-2011 20:33  7.2M
Syngress - How to Cheat at Securing a Wireless ..>  02-Jul-2011 20:32  12M
Syngress - InfoSec Career Hacking - Sell your S..>  02-Jul-2011 20:34  84M
Syngress - Intrusion, Prevention and Active Res..>  02-Jul-2011 20:34  85M
Syngress - LEGO Software Power Tools.pdf  02-Jul-2011 20:34  15M
Syngress - Linksys WRT54G Ultimate Hacking.pdf  02-Jul-2011 20:32  16M
Syngress - Metasploit Toolkit for Penetration T..>  02-Jul-2011 20:34  4.9M
Syngress - Microsoft Vista for IT Security Prof..>  02-Jul-2011 20:34  19M
Syngress - Nessus Network Auditing.pdf  02-Jul-2011 20:33  4.6M
Syngress - Ninja Hacking - Unconventional Penet..>  02-Jul-2011 20:34  9.9M
Syngress - Nmap in the Enterprise - Your Guide ..>  02-Jul-2011 20:34  6.1M
Syngress - OS X for Hackers at Heart.pdf  02-Jul-2011 20:34  15M
Syngress - Penetration Tester's Open Source Too..>  02-Jul-2011 20:33  34M
Syngress - Penetration Tester's Open Source Too..>  02-Jul-2011 20:35  27M
Syngress - Phishing Exposed.pdf  02-Jul-2011 20:34  8.3M
Syngress - Practical VoIP Security.pdf  02-Jul-2011 20:33  9.7M
Syngress - Programmer's Ultimate Security Deskr..>  02-Jul-2011 20:33  4.5M
Syngress - RFID Security.pdf  02-Jul-2011 20:34  5.9M
Syngress - SQL Injection Attacks and Defense.pdf  02-Jul-2011 20:34  6.5M
Syngress - Scene of the Cybercrime - Computer F..>  02-Jul-2011 20:33  5.0M
Syngress - Scripting VMware Power Tools.pdf  02-Jul-2011 20:34  5.0M
Syngress - Secure Your Network for Free.pdf  02-Jul-2011 20:33  7.2M
Syngress - Securing the Cloud - Cloud Computer ..>  02-Jul-2011 20:34  3.3M
Syngress - Security+ Study Guide.pdf  02-Jul-2011 20:32  11M
Syngress - Security Assessment Case Studies for..>  02-Jul-2011 20:34  5.0M
Syngress - Security Log Management - Identifyin..>  02-Jul-2011 20:34  6.6M
Syngress - Security Sage's Guide to Hardening t..>  02-Jul-2011 20:32  11M
Syngress - Snort 2.0 Intrusion Detection.pdf  02-Jul-2011 20:34  7.1M
Syngress - Snort 2.1 Intrusion Detection - 2nd ..>  02-Jul-2011 20:33  12M
Syngress - Snort IDS and IPS Toolkit.pdf  02-Jul-2011 20:34  8.4M
Syngress - Sockets, Shellcode, Porting and Codi..>  02-Jul-2011 20:33  112M
Syngress - Special Ops - Host and Network Secur..>  02-Jul-2011 20:32  17M
Syngress - Stealing the Network - How to Own a ..>  02-Jul-2011 20:34  9.1M
Syngress - Stealing the Network - How to Own th..>  02-Jul-2011 20:33  4.6M
Syngress - Systems Security Certification Pract..>  02-Jul-2011 20:34  6.3M
Syngress - Techno Security’s Guide to Managin..>  02-Jul-2011 20:34  16M
Syngress - The Mezonic Agenda - Hacking the Pre..>  02-Jul-2011 20:34  16M
Syngress - VB.NET Developer's Guide.pdf  02-Jul-2011 20:33  6.4M
Syngress - WarDriving and Wireless Penetration ..>  02-Jul-2011 20:33  21M
Syngress - Wireless Hacking - Projects for Wi-F..>  02-Jul-2011 20:34  18M
Syngress - Wireshark and Ethereal - Network Pro..>  02-Jul-2011 20:32  13M
Syngress - Writing Security Tools and Exploits.pdf  02-Jul-2011 20:35  11M
Syngress - XSS Attacks.pdf  02-Jul-2011 20:34  7.3M
Syngress - Zen and the Art of Information Secur..>  02-Jul-2011 20:34  5.2M
Syngress - Zero Day Exploit - Countdown to Dark..>  02-Jul-2011 20:32  3.7M
The Hackademy - Hors Serie 1.pdf  02-Jul-2011 20:35  12M
The Hackademy - Hors Serie 2.pdf  02-Jul-2011 20:32  36M
The Hackademy - Hors Serie 3.pdf  02-Jul-2011 20:34  14M
The Hackademy Prog - Apprendre à Programmer en..>  02-Jul-2011 20:32  14M
The Hackademy Prog - Apprendre à Programmer en..>  02-Jul-2011 20:34  34M
The Hackademy School - Hack Newbie.pdf  02-Jul-2011 20:35  3.5M
The Hackademy School - Hack Security Pro.pdf  02-Jul-2011 20:33  6.4M
The Hackademy School - Linux.pdf  02-Jul-2011 20:33  19M
The Hackademy School - Mini Guide Anonymat.pdf  02-Jul-2011 20:34  2.3M
The Hackademy School - Newbie - part 1.pdf  02-Jul-2011 20:33  10M
The Hackademy School - Newbie - part 2.pdf  02-Jul-2011 20:34  9.9M
The Hackademy School - Newbie - part 3.pdf  02-Jul-2011 20:33  11M
The Hackademy School - Newbie - part 4.pdf  02-Jul-2011 20:33  9.2M
The Hackademy School - Securite wifi.pdf  02-Jul-2011 20:34  1.3M
ZI Hackademy - Newbie 1.pdf  02-Jul-2011 20:33  25M
ZI Hackademy - Newbie 2.pdf  02-Jul-2011 20:32  41M
ZI Hackademy - Newbie 3.pdf  02-Jul-2011 20:34  31M

Source: http://n-pn.info/repo/HackBBS/HackBBS/Docs_HackAngel/
  16. [h=1]Another X.Org Security Bug Found, Dates Back To 1991[/h]

Posted by Michael Larabel in X.Org on 07 January 2014 06:00 PM EST

Another X.Org Security Advisory had to be publicly issued today to make known a buffer overflow in an X.Org library that's been present in every X11 release since X11R5; the code was completed way back in 1991.

Back in October there was an X11 security advisory going back to 1993, and today's security issue was for code introduced in May of 1991. This security advisory comes just days after the X Server's security was called a disaster, with what will amount to at least hundreds of open security issues found by a researcher.

The security issue was found by running the cppcheck utility as a static analyzer over the code. The issue found is a stack buffer overflow in the parsing of BDF font files in libXfont. It's an issue present for more than two decades and was easily spotted with static analysis of the code. When a buffer overflow does happen in libXfont, it's possible that the bug could lead to an unprivileged user acquiring root access to the system.

This bug has been found in every X Server release going back to X11R5 and was corrected with the new release of libXfont 1.4.6. More details on this latest security advisory can be found via the xorg-announce list.

Source: [Phoronix] Another X.Org Security Bug Found, Dates Back To 1991
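The bug class the post describes, a stack buffer overflow in a font-file parser that a static analyzer spots at once, is easy to check for mechanically. The script below is an added example, not cppcheck's implementation and not libXfont code: it finds scanf-family calls whose %s or %[ conversions carry no field width, which is the unbounded-read-into-a-caller-buffer pattern that cppcheck warns about and the same pattern the libXfont advisory fixed by adding a width. The C fragment it scans is constructed for the example; its first sscanf reads a STARTCHAR name of any length into a 100-byte stack array, its third is the bounded form.

```python
"""Flag scanf-family calls whose %s / %[ conversions have no field width,
the unbounded-read pattern cppcheck reports. Example code added to this
page; not cppcheck's implementation. The C sample is constructed, not
libXfont source."""
import re

SAMPLE_C = r'''
static int read_glyph_header(FILE *fp, char *line)
{
    char charName[100];                                 /* fixed-size stack buffer */
    int encoding;
    if (sscanf(line, "STARTCHAR %s", charName) != 1)    /* no width: overflow */
        return 0;
    if (sscanf(line, "ENCODING %d", &encoding) != 1)
        return 0;
    if (sscanf(line, "STARTCHAR %99s", charName) != 1)  /* bounded by field width */
        return 0;
    return fscanf(fp, "%79s", line) == 1;
}
'''

# A scanf-family call followed by its (optional) stream/source argument and
# the format string literal. Good enough for one call per line, which is how
# such code is usually written.
SCANF_CALL = re.compile(
    r'\b(sscanf|fscanf|scanf)\s*\(\s*(?:[^,]*,\s*)?"((?:[^"\\]|\\.)*)"')

# %[*][width][length](conversion | scanset)
CONVERSION = re.compile(
    r'%(\*?)(\d*)(?:hh|h|ll|l|j|z|t|L)?(\[[^\]]*\]|[a-zA-Z%])')


def unbounded_conversions(fmt):
    """Return the %s / %[ conversions in fmt that carry no field width.
    %*s is skipped: assignment-suppressed input is consumed, never stored."""
    found = []
    for m in CONVERSION.finditer(fmt):
        suppress, width, conv = m.groups()
        if suppress:
            continue
        if (conv == "s" or conv.startswith("[")) and width == "":
            found.append(m.group(0))
    return found


def scan_source(src):
    """Return [(line_no, function, format_string, [bad conversions])] for src."""
    findings = []
    for m in SCANF_CALL.finditer(src):
        func, fmt = m.group(1), m.group(2)
        bad = unbounded_conversions(fmt)
        if bad:
            line_no = src.count("\n", 0, m.start()) + 1
            findings.append((line_no, func, fmt, bad))
    return findings


if __name__ == "__main__":
    for line_no, func, fmt, bad in scan_source(SAMPLE_C):
        print("line %d: %s(\"%s\") has unbounded %s" % (line_no, func, fmt, ", ".join(bad)))
```

Point it at a whole tree with something like scan_source(open(path).read()) per .c file; the width to add is the destination buffer's size minus one, and if the input really can be longer than that, the fix is to reject the line rather than silently truncate it.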
  17. Nytro

    Fun stuff

    Stop posting pictures of black_death, you're misleading people.
  18. 30c3 - Hacking As Artistic Practice

Description: !Mediengruppe Bitnik are contemporary artists. In their talk they will show two examples of their work, illustrating the translation of hacking from the computer field into an artistic practice. Bitnik will show how to hack the opera in ten easy steps and what happens when you send a parcel with a hidden live webcam to Julian Assange at the Ecuadorian Embassy in London.

Using the strategies of hacking, !Mediengruppe Bitnik intervenes in settings with the aim of opening them up to re-evaluation and new perspectives.

«Opera Calling» was an artistic intervention into the cultural system of the Zurich Opera. From March 9th to May 26th 2007, audio bugs hidden in the auditorium transmitted the performances of the Zurich Opera to randomly selected telephone landlines in the city of Zurich. In the proper style of a home-delivery service, anyone who picked up their telephone was able to listen to the ongoing opera performances for as long as s/he wanted through a live connection with the audio bug signal. The Zurich Opera launched a search for the bugs and in a first reaction threatened to take legal action if the transmissions were not stopped and the bugs not removed.

«Delivery for Mr. Assange» is a live mail art piece. In January 2013 !Mediengruppe Bitnik sent Wikileaks founder Julian Assange a parcel containing a camera. Julian Assange has been living in the center of a diplomatic crisis at the Ecuadorian embassy in London since June 2012. Through a hole in the parcel, the camera documented and live-tweeted its journey through the postal system, letting anyone online follow the parcel's status in real time. !Mediengruppe Bitnik regard this work as a SYSTEM_TEST. Would the parcel reach its intended destination? Or would it be removed from the postal system?

For more information please visit: https://events.ccc.de/congress/2013/wiki/Main_Page

Source: 30c3 - Hacking As Artistic Practice
  19. I know, but it's something that has to be seen.
  20. Too bad people prefer some crappy series/porn/movie instead of watching something like this.
  21. Nytro

    Fun stuff

  22. Windows Exploitation (Structured Exception Handler Based Exploitation)

Description: This video demos a Structured Exception Handler (SEH) stack overflow exploit. It gives some basic idea about the SEH structure in the Windows operating system. It explains the technique used to perform exploitation.

Source: Windows Exploitation (Structured Exception Handler Based Exploitation)
  23. Metasploit Meterpreter and NAT

Published January 4, 2014 | By Corelan Team (corelanc0d3r)

Professional pentesters typically use a host that is connected directly to the internet, has a public IP address, and is not hindered by any firewalls or NAT devices to perform their audit. Hacking "naked" is considered to be the easiest way to perform a penetration test that involves getting shells back.

Not everyone has the luxury of putting a box directly connected to the internet and, as the number of free public IP addresses continues to decrease, the need for using an audit box placed in a LAN, behind a router or firewall, will increase.

Putting an audit box behind a device that will translate traffic from private to public and vice versa has some consequences. Not only will you need to be sure that the NAT device won't "break" if you start a rather fast portscan, but since the host is in a private LAN, behind a router or firewall, it won't be reachable directly from the internet. Serving exploits and handling reverse, incoming, shells can be problematic in this scenario.

In this small post, we'll look at how to correctly configure Meterpreter payloads and make them work when your audit box is behind a NAT device. We'll use a browser exploit to demonstrate how to get a working Meterpreter session, even if both the target and the Metasploit "attacker" box are behind NAT.

Article: https://www.corelan.be/index.php/2014/01/04/metasploit-meterpreter-and-nat/
  24. Windows Exploitation (Simple Stack Overflow)

Description: This video demos a simple stack overflow exploit. It gives some basic idea about the application that is being exploited, some idea about the exploit, and demos how a debugger can be used to perform exploitation.

Source: Windows Exploitation (Simple Stack Overflow)
  25. Nytro

    Wrong title

    Fixed.