Nytro

Administrators
Everything posted by Nytro

  1. [h=3]Recon-ng Framework: A Quick Intro[/h]
Recon-ng is an open-source framework coded in Python by Tim Tomes a.k.a. LaNMaSteR53. Its interface is modeled after the look of the Metasploit Framework, but it is not meant for exploitation or for spawning a Meterpreter session or a shell; it is for web-based reconnaissance and information gathering. It comes with modules to support your web reconnaissance adventure and information gathering, just like Metasploit's auxiliary and exploit modules. Modules are categorized into Discovery, Experimental, Recon and Reporting. As of this writing, here are the modules with their subcategories:

Discovery
---------
discovery/exploitable/http/dnn_fcklinkgallery
discovery/exploitable/http/generic_restaurantmenu
discovery/exploitable/http/webwiz_rte
discovery/info_disclosure/dns/cache_snoop
discovery/info_disclosure/http/backup_finder
discovery/info_disclosure/http/google_ids
discovery/info_disclosure/http/interesting_files

Experimental
------------
experimental/rce

Recon
-----
recon/contacts/enum/http/web/dev_diver
recon/contacts/enum/http/web/namechk
recon/contacts/enum/http/web/pwnedlist
recon/contacts/enum/http/web/should_change_password
recon/contacts/gather/http/api/jigsaw/point_usage
recon/contacts/gather/http/api/jigsaw/purchase_contact
recon/contacts/gather/http/api/jigsaw/search_contacts
recon/contacts/gather/http/api/linkedin_auth
recon/contacts/gather/http/api/twitter
recon/contacts/gather/http/api/whois_pocs
recon/contacts/gather/http/web/jigsaw
recon/contacts/gather/http/web/pgp_search
recon/contacts/support/add_contact
recon/contacts/support/mangle
recon/creds/enum/http/api/leakdb
recon/creds/enum/http/api/noisette
recon/creds/gather/http/api/pwnedlist/account_creds
recon/creds/gather/http/api/pwnedlist/api_usage
recon/creds/gather/http/api/pwnedlist/domain_creds
recon/creds/gather/http/api/pwnedlist/domain_ispwned
recon/creds/gather/http/api/pwnedlist/leak_lookup
recon/creds/gather/http/api/pwnedlist/leaks_dump
recon/hosts/enum/dns/resolve
recon/hosts/enum/http/api/builtwith
recon/hosts/enum/http/api/punkspider
recon/hosts/enum/http/api/wascompanyhacked
recon/hosts/enum/http/api/whatweb
recon/hosts/enum/http/api/whois_lookup
recon/hosts/enum/http/web/age_analyzer
recon/hosts/enum/http/web/asafaweb
recon/hosts/enum/http/web/gender_analyzer
recon/hosts/enum/http/web/ipvoid
recon/hosts/enum/http/web/malwaredomain
recon/hosts/enum/http/web/mywot
recon/hosts/enum/http/web/netbios
recon/hosts/enum/http/web/netcraft_history
recon/hosts/enum/http/web/open_resolvers
recon/hosts/enum/http/web/urlvoid
recon/hosts/enum/http/web/web_archive
recon/hosts/enum/http/web/xssed
recon/hosts/gather/dns/brute_force
recon/hosts/gather/http/api/bing_ip
recon/hosts/gather/http/api/google_site
recon/hosts/gather/http/api/shodan_hostname
recon/hosts/gather/http/web/baidu_site
recon/hosts/gather/http/web/bing_site
recon/hosts/gather/http/web/census_2012
recon/hosts/gather/http/web/google_site
recon/hosts/gather/http/web/ip_neighbor
recon/hosts/gather/http/web/mcafee/mcafee_affil
recon/hosts/gather/http/web/mcafee/mcafee_dns
recon/hosts/gather/http/web/mcafee/mcafee_mail
recon/hosts/gather/http/web/netcraft
recon/hosts/gather/http/web/yahoo_site
recon/hosts/geo/http/api/hostip
recon/hosts/geo/http/api/ipinfodb
recon/hosts/geo/http/api/maxmind
recon/hosts/geo/http/api/uniapple
recon/hosts/geo/http/web/wigle
recon/hosts/support/add_host

Reporting
---------
reporting/csv_file
reporting/html_report
reporting/list

I am also one of the contributors to this framework and have contributed mostly to the Discovery modules. In this article I'm going to emphasize the Backup File Finder module, which I authored together with Tim Tomes (the main developer of Recon-ng). This module can be used for checking specific hosts for exposed backup files. The default configuration searches for wp-config.php files, which contain WordPress database configuration information. As a side note, this module is inspired by cmsploit.

Basic Usage:
load discovery/info_disclosure/http/backup_finder (use the module)
show options (shows the options that can be set for the module)
set source target.com (the host you want to crawl)
set uri config_file (the configuration file you want to check, e.g. wp-config.php)

Here is the screenshot of the Backup File Finder's actual crawling.

Now, here is what's inside a typical configuration file:

define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'passwd');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

List of the various configuration files used by popular CMSs, which can be set as the uri option:
wp-config.php >> WordPress
config.php >> phpBB, ExpressionEngine
configuration.php >> Joomla
LocalSettings.php >> MediaWiki
mt-config.cgi >> Movable Type
settings.php >> Drupal

About The Author
This article has been written by Jay Turla, a security researcher at Infosec; along with security research he also performs vulnerability research.

Resources:
https://bitbucket.org/LaNMaSteR53/recon-ng
The Recon-ng Framework: Automated Information Gathering
1% of CMS-Powered Sites Expose Their Database Passwords
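As an added example (not part of the original post and not a Recon-ng module), here is a server-side audit for the same stray copies the Backup File Finder module probes for from outside; the configuration file names are the ones listed in the post, while the backup suffix and prefix patterns are assumptions about common editor and backup leftovers:

```python
"""Audit a web document root for stray backup copies of CMS configuration files.
Added example: not the post's code and not a Recon-ng module. It looks, from the
server side, for the leftovers the Backup File Finder module probes for from outside.
The configuration file list is the one in the post; the suffix/prefix patterns are an
assumption about common editor and backup leftovers."""
import os
import tempfile

# CMS configuration files listed in the post.
CONFIG_FILES = {
    "wp-config.php": "WordPress",
    "config.php": "phpBB, ExpressionEngine",
    "configuration.php": "Joomla",
    "LocalSettings.php": "MediaWiki",
    "mt-config.cgi": "Movable Type",
    "settings.php": "Drupal",
}
# Assumed leftover suffixes: editor backups, manual copies, rotated copies.
SUFFIXES = ("~", ".bak", ".old", ".orig", ".save", ".swp", ".txt", ".copy", ".1")
# Extensions a web server normally hands to an interpreter instead of serving raw.
EXECUTED = (".php", ".cgi")

def backup_variants(name):
    """File names under which a stray copy of `name` is commonly left behind."""
    stem, ext = os.path.splitext(name)
    variants = {name + suffix for suffix in SUFFIXES}
    variants.update({f"{stem}.bak{ext}", f"{stem}.old{ext}",  # wp-config.bak.php
                     f".{name}.swp", f"#{name}#"})            # vim swap, emacs autosave
    return variants

# Reverse index: stray file name -> the configuration file it was copied from.
VARIANT_INDEX = {v: orig for orig in CONFIG_FILES for v in backup_variants(orig)}

def classify(filename):
    """(original config name, severity) for a stray copy, or None for anything else.
    A copy whose extension is not executed is served verbatim, so the database
    credentials inside it are readable by anyone who guesses the file name."""
    original = VARIANT_INDEX.get(filename)
    if original is None:
        return None
    served_raw = os.path.splitext(filename)[1] not in EXECUTED
    return original, ("high" if served_raw else "medium")

def audit_webroot(root):
    """Walk `root` and list every stray configuration copy found under it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for filename in sorted(files):
            hit = classify(filename)
            if hit is not None:
                original, severity = hit
                findings.append({"path": os.path.join(dirpath, filename),
                                 "config": original,
                                 "cms": CONFIG_FILES[original],
                                 "severity": severity})
    return findings

def build_sample_webroot():
    """Constructed document root: two leftovers and two clean files, no real secrets."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.mkdir(os.path.join(root, "blog"))
    for rel in ("index.php", "wp-config.php", "wp-config.php~",
                "blog/configuration.php.bak"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("<?php // constructed sample file\n")
    return root

if __name__ == "__main__":
    for finding in audit_webroot(build_sample_webroot()):
        print(f"{finding['severity']:<6} {finding['cms']:<24} {finding['path']}")
```

Point `audit_webroot` at the document root of a deployed site; the findings marked high are the ones the module described in the post would be able to fetch from outside.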
  2. Black Hat 2013: talks and panels 'hot list'
Summary: Leading security conference Black Hat boasts over 100 talks that include hacking nuclear facilities, rooting SIM cards, OPSEC failures of spies, a keynote from the NSA and more. Here's a 'hot list' of 2013's riveting talks and demos.
By Violet Blue for Zero Day | July 29, 2013 -- 08:38 GMT (01:38 PDT)

In its sixteenth year, Black Hat USA 2013 will introduce nearly a hundred new security tools and 35 0-days in a record 110 unique Briefings (talks) and workshops, with 131 companies showcasing their security solutions on-site. An estimated 7,000 high-level security experts are set to attend Black Hat this year. It takes place this week, July 27 – August 1, 2013, at Caesars Palace in Las Vegas.

A security conference leader, Black Hat blends hackers, corporations, researchers of all kinds, law enforcement and Feds, in hats ranging from snow-white to so black they actually absorb light. These attendees will be wearing their nicest professional, casual-Friday armor to meet on neutral territory - all comprising an event that may be the world's biggest confluence of virtual arms dealers.

Black Hat has cautioned press, "You are about to enter one of the most hostile environments in the world." The list of precautions is long, and includes not to use any ATM machines around the conference, to keep our hotel keys deep in our belongings, not to use the wi-fi unless we are security experts, not to leave any devices out of sight (EVER!), and to change all of our passwords immediately after leaving Las Vegas. Still, the list of cautions will probably not be enough.

There is so much to see and absorb at Black Hat 2013, it will likely be a Vegas gamble worth taking. The packed schedule proves that Black Hat wanted to raise the excitement meter to eleven this year. To mediate overwhelm, we've compiled an insider's 'hot list'.

Outside of the usual press releases, we asked organizers what they think will be hot, as well as compiling our own list. Combining the results, we've got a hell of a starting point for attendees listed here:

Black Hat's Day 1 Keynote (Wednesday, July 31) is Gen. Keith Alexander, Commander, U.S. Cyber Command (USCYBERCOM) and Director, National Security Agency. Here he will "give attendees an insider’s look into the U.S. Cyber Command and the interworking of offensive cyber strategy."

Mactans: Injecting Malware into iOS Devices via Malicious Chargers - Billy Lau. They'll demonstrate how an Apple iOS device can be compromised within one minute of being plugged into a malicious charger, and disclose the details of the vulnerability on-site – something they've held back on so far.

Rooting SIM Cards - Karsten Nohl. Karsten will disclose his vulnerability onsite; the UN's ITU issued a global warning about it.

Compromising Industrial Facilities from 40 Miles Away - Lucas Apa. Compromises around nuclear/energy, gas and oil facilities, among others - including shutting them down remotely - even from 40 miles away.

Energy Fraud and Orchestrated Blackouts: Issues With Wireless Metering Protocols (WM-Bus) - Cyrill Brunschwiler. Energy fraud + widespread orchestrated blackouts are far easier than anyone thinks; Brunschwiler will disclose new flaws in wireless smart meters, resulting in not only a good cheat on your energy bill... but also widespread blackouts as the energy grid is directly impacted. Californians take note.

Lets Get Physical: Breaking Home Security Systems and Bypassing Buildings' Controls - Drew Porter, Stephen Smith. Hardware-based vulnerabilities impacting a very broad audience – specifically impacts smart homes.

Home Invasion v2.0: Attacking Network Controlled Hardware - Jennifer Savage, Daniel Crowley, David Bryan. This team has hacked home-based network-connected devices and reveals how havoc or danger could be unleashed at home - specifically, ones that have been 'impossible' to hack until now - from space heaters to door locks, surveillance systems and much more.

What Security Researchers Need to Know About Anti-Hacking Law - Marcia Hofmann. Reduce risk by finding out ways to reduce potential legal trouble from a number of things researchers wonder about; Hofmann surveys issues relevant to researchers now, including cases on port scanning, violating website terms of use, and designing tools capable of bypassing technical access controls.

OPSEC Failures of Spies - Matthew Cole. "A rare peek inside the CIA's intelligence gathering operations and the stunning lack of expertise they can bring to the job."

Above my Pay Grade: Cyber Response at the National Level - Jason Healey. Examining the decisions and actions at all levels of response escalation when a cyber attack is also a national security event, using an example attack on the finance sector, from banks to the military and presidential level.

Combating the Insider Threat at the FBI: Real World Lessons Learned - Patrick Reidy (CSO of the FBI). "Come hear how the FBI uses a surprising variety of methods to combat insiders. In this session the FBI will provide five key lessons learned about effective detection and deterrence techniques used in the FBI's insider threat program developed over the last decade."

Exploiting Network Surveillance Cameras Like a Hollywood Hacker - Craig Heffner. A live demonstration of leveraging vulnerabilities described in this talk to freeze and modify legitimate video streams from cameras such as those found in homes, businesses, hotels, casinos, banks and prisons, as well as military and industrial facilities.

Aaron Swartz, Weev, the CFAA and The Future - Kurt Opsahl, EFF [panel]. With the dangers of the CFAA and overzealous, uneducated prosecutors now known, the infosec community has been thrust into the role of educating and persuading lawmakers to reform this dangerous law. The EFF's Opsahl leads a panel and on-the-spot outreach to the community to discuss and propose tactics on all levels.

Lawful Access - Matt Blaze, Brewster Kahle, Jennifer Valentino-DeVries, Alan Davidson [panel]. "When you get a National Security Letter, no one can hear you scream." Being served with a search warrant for a criminal investigation can be scary enough, but if you're the target of a national security investigation, you won't be allowed to tell anyone about it. This panel discusses the technical risks of surveillance architectures, the legal and technical defenses against over-broad or invasive searches, and actual experiences fighting against secret surveillance orders.

Mobile hot list highlights: Threats to mobile devices such as injecting malware into Apple’s iOS devices with malicious chargers, intercepting traffic and SMS messages through compromised femtocells, cracking BlackBerry’s new OS 10, rooting SIM cards and building a spyphone that can record conversations and send messages without you ever knowing.

Infrastructure hot list highlights: Preventing attacks on critical infrastructure and national security with talks around insider threats at the FBI, energy fraud and orchestrated blackouts, compromising industrial facilities, threats to major oil and gas pipelines and exploiting network surveillance cameras.

Home attacks hot list: Exposing vulnerabilities within our homes from automation systems such as HVAC and lighting, to other network-controlled devices such as door locks and garage sensors, to hacking some of the most well known home security systems and even the newest smart TVs.

At the Black Hat Arsenal: Researcher demo highlights: bypassing a car’s security for less than 25 dollars, to analyzing smartphone penetration testing and performing web application security audits.

Can't make it, or just want to keep pace with Black Hat? Follow Black Hat Briefings on Twitter @BlackHatEvents, check Black Hat on Facebook, and connect with Black Hat on its LinkedIn Group - social updates can be found at hashtag #BlackHat. Watch for photos on the Black Hat Events Flickr account.

An item I had selected for this list was Implantable Medical Devices: Hacking Humans by Barnaby Jack - it had been recommended to me by all experts and organizers I queried. There are many heavy hearts at the passing of Mr. Jack, and the sadness is palpable. He will be so very deeply missed. Black Hat has held his room time and talk slot open: Black Hat will not be replacing Barnaby’s talk on Thursday, Aug. 1. The hour will be left vacant for friends and family to gather: Black Hat has set aside the time to commemorate his life and work and stated to this year's attendees, "we encourage you to join us as we celebrate the legacy that he leaves behind."

Source: Black Hat 2013: talks and panels 'hot list' | ZDNet
  3. Minion is a platform developed by the Security Automation team at Mozilla to enable integration and adoption of automated security testing; it has been under development for the past year. The platform allows any team to set up the basic requirements to perform automated scanning and testing of websites and services by providing sensible defaults for plugins that enable scanning of many types of web applications and services. With the 0.3 release of Minion, several milestones have been achieved that have allowed us to start using Minion internally across our development community, quality assurance, and security teams.

Architecture

Minion is intended to be a platform that is simple to use, easy to deploy, simple to extend, and flexible enough to be integrated into any development or operations workflow. At a high level there are three major components in Minion: Plugins, Task Engine, and Front End.

Minion Plugins are light-weight wrappers that perform tasks such as configuring, starting, and stopping a plan, and accept a set of callbacks to notify the caller that information is available. In order to be used, Plugins require a plugin runner that handles the invocation of the plugins as well as the results; in addition to supporting Minion’s task engine, the Minion backend repository includes command-line scripts to execute plugins. This provides support for testing during development of new plugins and allows a high degree of flexibility in how plugins are used outside of Minion.

The Task Engine is the core platform; it provides an API for managing and configuring Plans (collections of plugins and configurations), collections of users, sites and services, and the results of executions of Plans against those targets.

The Front End is a web application that provides both administration and usage of Minion; users can perform most of the configuration tasks needed to set up Minion plans, targets and users, as well as review the results of Minion scans. Being a Mozilla project, the front-end uses Persona for authentication, but all access control based decisions are built into Minion itself.

Minion Plugins

At their heart, Minion plugins are automation scripts designed to abstract away the platform, operating system, and features that an individual security tool implements, and provide a single mechanism for configuring the tool, initiating a scan, and collecting the results. It may be helpful to look at the code for an existing plugin to better understand how they work; the AlivePlugin is a clear, simple example. The Alive plugin is an extremely basic plugin that confirms that a host is reachable, but it implements all of the required features, and extends a BlockingPlugin. The plugin exposes some member variables that provide user interface cues (the name, links for additional information), and in this case, some built-in report objects. In the do_run method the actual logic of the scan is performed, and since no detailed setup or stopping functionality is required, the BlockingPlugin starting and stopping functionality is sufficient.

Two base classes for plugins are provided in the Minion backend to get developers started:
BlockingPlugin: this plugin provides the basic functionality to support a plugin that performs a task, and reports its completion state at the end. This is suitable for creating straightforward plugins directly within Python.
ExternalProcessPlugin: this plugin provides the functionality required to kick off an external tool, and provides the basis for several other extensions, especially those that wrap existing security tools.

In addition to several basic “proof of technology” plugins that collect details about targets and provide best practice information, the Minion development team is currently maintaining three other extensions:
OWASP Zed Attack Proxy: this plugin wraps the OWASP ZAP platform and enables detailed application scanning
Skipfish: a simple, but powerful web fuzzer from Google
nmap: a port scanning tool that is generally accepted as the best in its class

Minion Task Engine

The Task Engine provides the core functionality for managing users, groups, sites, scans, and results within the Minion platform. Acting as a central hub, the Task Engine maintains a register of available plugins, provides facilities for creating and modifying plans, and manages user access to Minion, including which sites they can scan.

Plugins

Plugin deployment is one of the only features of Minion that cannot currently be managed from within the Front-End; this is a result of the configuration needed to deploy them, but the Minion Front-End provides the ability to review the available plugins, and get the class details, which is the information required to add a plugin to a Plan.

Plans

A Minion Plan is a JSON document that provides some information about what the plan does, and a sequence of tools to invoke. An example can be found below:

{
    "name": "Fuzz and Scan",
    "description": "Run Skipfish to fuzz the application, and perform a ZAP scan.",
    "workflow": [
        {
            "plugin_name": "minion.plugins.skipfish.SkipfishPlugin",
            "description": "",
            "configuration": {}
        },
        {
            "plugin_name": "minion.plugins.zap_plugin.ZAPPlugin",
            "description": "Run the ZAP Spider and Scanner",
            "configuration": {
                "scan": true
            }
        }
    ]
}

In this example, the name and description are intended to be human-readable descriptions of what the plan will do, while the workflow array contains a set of plugin names, a description that will be included in the plan details, and a set of configuration details that may be plugin specific.

Users and Invites

Minion is intended to be a team-oriented tool; as a result, the platform allows user and group management. User accounts are created through an invitation mechanism, or via the administrative interface. The invitation system allows administrators to pre-create groups, sites and plans within Minion, and then add a user to that group before the user has enrolled. Once the invite is issued, an email will be sent to the user and the user can then access a configured profile.

Groups

Groups are the mechanism by which administrators can control how users have visibility into sites and results within Minion. In order for a user to be able to interact with a site via Minion, that user needs to be added to the group, and the site needs to be associated with that group. This provides extremely fine-grained control over visibility into scan results. Currently group membership allows both viewing of scans and the ability to re-execute a scan, but as the project progresses, constraints can be added to allow users to review results, but not initiate scans.

Minion Front-End

Designed to be easy to use and provide instant feedback, the front-end provides access to the Minion platform. Each of the pieces of the functionality described above is accessible via the front-end, and is explicitly enabled by calling the web services exposed by the Task Engine. One of the advantages of the architecture is that the front-end can be easily re-engineered with no impact to the back-end or plugins.

Technologies

Minion is built with Python, Angular.js, and several packages that assist in ensuring a reliable end-to-end service. These technologies were selected by our development team, but the architecture, and each of the service boundaries, are intended to use JSON calls to permit easy integration with other services. Because of the design principles applied, it is entirely possible to implement plugins that run on any operating system or platform, and they do not need to reside on the same service. With the appropriate network configurations it is possible to deploy the front-end, task engine, and plugins on different networks, which allows users to isolate the amount of attack surface that needs to be deployed in sensitive networks.

Road Map

There are several features that are under active development, and should be implemented over the next several releases.

Authentication & Access Management
Site Ownership Verification: This is a critical feature that enables users to demonstrate ownership of a site before initiating scans.
Granular Access Control: The ability to govern users' ability to scan by group and site ownership as well as role.

Plugin Improvements
Improved Results Reporting: Minion is only as good as its plugins. Now that we have a working and reliable core platform, refinement of plugin results, and improving reporting, is a core objective.
Deferred Execution Plugins: Sample implementations of invoking third-party services so that we can demonstrate integrating with other Security as a Service platforms.
Reporting Plugins: Currently we have assigned risk ratings to findings based on our best practices, but that is not necessarily reflective of the priority of issues to other teams. We intend to implement a pluggable reporting interface, including the ability to add plugins to modify the risk ratings based on the security posture and priorities of the teams using Minion.

Front End
Landing Pages: Currently Minion is designed for technical users who have a need to see deep technical details. In the future, it may be desirable to generate metrics and dashboards, and to facilitate that, landing page support will be implemented to allow customization for user views.

Task Engine Improvements
Cohort: Minion is designed to support dynamic analysis via web application scanning. This is only one part of the story regarding how to perform automated security testing. Cohort is a branch of Minion that will enable analysis of source code repositories and perform static analysis.
Historical Issues: In order to facilitate ongoing tracking of a security program, support and integration for third-party issue trackers (initial targets are Bugzilla and Github), and the ability to compare multiple scans over time, will be implemented.

Why Minion?

The Mozilla Security team supports hundreds of websites and services, and products used by hundreds of millions of users. In addition our team supports hundreds of employees and thousands of community members that contribute to Mozilla products and services. Scaling to that level is not feasible without improving automation capabilities. While it would be much easier to solve this problem for ourselves, Mozilla’s mission is to support the open web, and protect our users. By building Minion as a foundation for a security as a service platform, integrating open source and free tools, then releasing it as open source, we aim to contribute a platform that can be used by any team to dramatically improve their coverage, and integrate security testing automation in all parts of their IT operations and software development processes.

Minion is an open source project, and we welcome contributors, users, and feedback!
Minion Github Repository
Minion Development Mailing List
Minion Wiki

Finally, I would like to extend a huge thanks to Stefan Arentz, Simon Bennetts, Yeuk Hon Wong, Matthew Fuller, and all of the other developers who have moved Minion from a sheet of paper and a set of shell scripts to a production service!

yboily
Source: https://blog.mozilla.org/security/2013/07/30/introducing-minion/
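The plugin lifecycle and the plan format described in the post, as an added example that is not Minion's own code: a toy BlockingPlugin, an Alive plugin with an injectable probe, a plan validator and a sequential runner. The runner, the registry, the shape of the report callback and the plugin path example.plugins.alive.AlivePlugin are assumptions; only the names BlockingPlugin, do_run and the plan keys come from the post.

```python
"""Toy model of a Minion plan being run by plugins (added example, not Minion's code).
Names from the post are kept: BlockingPlugin, do_run, and the plan keys name/description/
workflow/plugin_name/configuration. Runner, registry, callback shape and path are assumed."""
import json
import socket

class BlockingPlugin:
    """Runs one task to completion and reports its final state through a callback."""
    name = "base"
    def __init__(self, configuration, report):
        self.configuration = configuration  # per-step dict taken from the plan
        self.report = report                # callback(dict): "information is available"

    def do_run(self, target):
        raise NotImplementedError("subclasses put their scan logic here")

    def run(self, target):
        self.report({"plugin": self.name, "state": "STARTED", "target": target})
        try:
            self.do_run(target)
            state = "FINISHED"
        except Exception as exc:  # one failing plugin must not abort the whole plan
            self.report({"plugin": self.name, "error": repr(exc)})
            state = "FAILED"
        self.report({"plugin": self.name, "state": state, "target": target})
        return state

class AlivePlugin(BlockingPlugin):
    """Confirms a host answers on a TCP port; the probe is injectable for offline use."""
    name = "alive"
    def __init__(self, configuration, report, probe=None):
        super().__init__(configuration, report)
        self.probe = probe or self.tcp_probe

    @staticmethod
    def tcp_probe(host, port, timeout):
        try:
            with socket.create_connection((host, port), timeout=timeout):
                return True
        except OSError:
            return False

    def do_run(self, target):
        port = int(self.configuration.get("port", 80))
        timeout = float(self.configuration.get("timeout", 3.0))
        alive = self.probe(target, port, timeout)
        self.report({"plugin": self.name,
                     "summary": "host is alive" if alive else "host is unreachable",
                     "severity": "Info" if alive else "Error"})

def load_plan(text):
    """Parse a plan JSON document and validate the structure shown in the post."""
    plan = json.loads(text)
    for key in ("name", "description", "workflow"):
        if key not in plan:
            raise ValueError(f"plan is missing {key!r}")
    if not isinstance(plan["workflow"], list) or not plan["workflow"]:
        raise ValueError("workflow must be a non-empty list of steps")
    for i, step in enumerate(plan["workflow"]):
        missing = [k for k in ("plugin_name", "description", "configuration") if k not in step]
        if missing:
            raise ValueError(f"workflow[{i}] is missing {missing}")
        if "." not in step["plugin_name"]:
            raise ValueError(f"workflow[{i}]: plugin_name must be a dotted class path")
        if not isinstance(step["configuration"], dict):
            raise ValueError(f"workflow[{i}]: configuration must be a JSON object")
    return plan

def plan_error(text):
    """None for a valid plan document, otherwise the validation message."""
    try:
        load_plan(text)
        return None
    except ValueError as exc:  # json.JSONDecodeError is a ValueError as well
        return str(exc)

def run_plan(plan, target, registry):
    """Run the workflow in order; `registry` maps plugin_name -> factory(config, report)."""
    results = []
    for step in plan["workflow"]:
        factory = registry.get(step["plugin_name"])
        if factory is None:
            raise ValueError(f"unknown plugin {step['plugin_name']!r}")
        factory(step["configuration"], results.append).run(target)
    return results

# Constructed plan in the format from the post; the plugin path is an assumption.
EXAMPLE_PLAN = """{
  "name": "Alive check",
  "description": "Confirm the target answers on port 443 before scanning it.",
  "workflow": [{"plugin_name": "example.plugins.alive.AlivePlugin",
                "description": "TCP reachability",
                "configuration": {"port": 443, "timeout": 2}}]
}"""
REGISTRY = {"example.plugins.alive.AlivePlugin": AlivePlugin}

if __name__ == "__main__":  # real TCP probe against localhost:443
    print(run_plan(load_plan(EXAMPLE_PLAN), "localhost", REGISTRY))
```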
  4. [h=1]OCSP Stapling in Firefox[/h]
dkeeler

OCSP Stapling has landed in the latest Nightly builds of Firefox! OCSP stapling is a mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner.

Revocation information is important because at any time after a certificate has been issued, it may no longer be appropriate to trust it. For instance, maybe the CA that issued the certificate realizes it put incorrect information on it. Maybe the website operators lose control of their private key, or it gets stolen. More benignly, maybe the domain was transferred to a new owner.

The Online Certificate Status Protocol (OCSP) is one method for obtaining certificate revocation information. When presented with a certificate, the browser asks the issuing CA if there are any problems with it. If the certificate is fine, the CA can respond with a signed assertion that the certificate is still valid. If it has been revoked, however, the CA can say so by the same mechanism.

OCSP has a few drawbacks. First, it slows down new HTTPS connections. When the browser encounters a new certificate, it has to make an additional request to a server operated by the CA. Second, it leaks to the CA what HTTPS sites the user visits, which is concerning from a privacy perspective. Additionally, if the browser cannot connect to the CA, it must choose between two undesirable options. It can terminate the connection on the assumption that something is wrong, which decreases usability. Or, it can continue the connection, which defeats the purpose of doing this kind of revocation checking. By default, Firefox currently continues the connection. The about:config option security.OCSP.require can be set to true to have Firefox terminate the connection instead.

OCSP stapling solves these problems by having the site itself periodically ask the CA for a signed assertion of status and sending that statement in the handshake at the beginning of new HTTPS connections. The browser takes that signed, stapled response, verifies it, and uses it to determine if the site’s certificate is still trustworthy. If not, it knows that something is wrong and it must terminate the connection. Otherwise, the certificate is fine and the user can connect to the site.

If Firefox requests but does not receive a stapled response, it falls back to normal OCSP fetching. This means that while OCSP stapling protects against mistakes and many basic attacks, it does not prevent attacks involving more complete network control. For instance, if an attacker with a stolen certificate were able to block connections to the CA OCSP responder while running their own server that doesn’t do OCSP stapling, the user would not be alerted that the certificate had been revoked. A new proposal currently referred to as “OCSP-must-staple” is intended to handle this case by giving sites a way of saying “any connection to this site must include a stapled OCSP response”. This is still in development.

OCSP stapling works with all CAs that support OCSP. OCSP stapling has been implemented in popular web servers including nginx and Apache. If you run a website, consider turning on OCSP stapling to protect your users. If you use Firefox Nightly, enjoy the increased security, privacy, and performance benefits!

Source: https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
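Added example, not from the original post: a small shell check of whether a server actually sends a stapled response in the handshake, using the real `openssl s_client -status` flag. The sample outputs inside it are constructed fragments in the shape s_client prints, not captures from a real host.

```shell
#!/bin/sh
# Added example (not from the post): does this TLS server staple an OCSP response?
# Relies on `openssl s_client -status`; the samples below are constructed, not captured.

# classify_stapling_output OUTPUT
# Prints one of: good | revoked | unknown | no-staple | unusable
classify_stapling_output() {
    out=$1
    if printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo no-staple          # server did not staple; a browser must fetch OCSP itself
    elif printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        if printf '%s\n' "$out" | grep -q 'Cert Status: good'; then
            echo good
        elif printf '%s\n' "$out" | grep -q 'Cert Status: revoked'; then
            echo revoked        # a verifying client must terminate the connection
        else
            echo unknown        # responder does not know the certificate
        fi
    else
        echo unusable           # status block missing or not "successful"
    fi
}

# check_stapling HOST [PORT]
# Performs one handshake with SNI and -status, then classifies what came back.
check_stapling() {
    host=$1
    port=${2:-443}
    out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" \
          -servername "$host" -status 2>/dev/null)
    classify_stapling_output "$out"
}

# Constructed samples in the shape s_client prints (abbreviated).
SAMPLE_NO_STAPLE='CONNECTED(00000003)
OCSP response: no response sent
depth=0 CN = example.test'

SAMPLE_GOOD='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jul 29 00:00:00 2013 GMT
    Next Update: Aug  5 00:00:00 2013 GMT
======================================'

SAMPLE_REVOKED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: revoked
    Revocation Time: Jul 28 12:00:00 2013 GMT
    This Update: Jul 29 00:00:00 2013 GMT
======================================'

# Usage: sh ocsp_staple_check.sh host [port]
if [ "$#" -gt 0 ]; then
    check_stapling "$@"
fi
```

A result of no-staple is exactly the case the post describes: Firefox falls back to a direct OCSP fetch, with the latency and privacy cost that stapling was meant to remove. On nginx, stapling is enabled with `ssl_stapling on;` and `ssl_stapling_verify on;` in the server block.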
  5. [h=1]IronWASP - Open Source Advanced Web Security Testing Platform[/h] [h=3]What's new in IronWASP v0.9.6.5[/h] IronWASP v0.9.6.5 is now available for download. Users of older versions should get an update prompt when using IronWASP. This is what you get with the new version. 1) Completely redesigned awesome new Results section 2) Support for editing, scanning and fuzzing SOAP messages 3) New active checks for Server Side Includes, Sever Side Request Forgery and Expression Language Injection 4) New passive check for JSON messages that are vulnerable to JSON hijacking 5) Significantly faster and robust parsers for XML, JSON and Multi-part messages with auto-detection support 6) Enhancements to the Payload Effect Analysis feature 7) Enhancements to the Scan Trace Viewer feature 8) Able to create Request in Manual Testing section from clipboards 9) New Network address parsing APIs 10) Update to FiddlerCore v2.4.4.8 I will give a quick peek at some of these new features below. New Results Section: The Results section now automatically highlights the interesting sections of the Request and Response along with some description of what is being highlighted. There is a new Trigger Analysis Tools section that gives log of capabilities that were no available earlier. In the case of the above example if you wanted to see what is the difference between this response and the response sent by the server when normal data was sent, it can be done in just 3 clicks. Go in to 'Trigger Analysis Tools' check Normal, check Trigger 1 and then click on 'Diff Request/Response of Selected Items' buttons. If you wanted to check out all the logs and payloads associated with this scan then that is just one-click away. Just click on the big button named 'Show the Payload. Requests & Responses.....'. SOAP Message Format Support: SOAP messages are automatically detected and parsed. 
If you trying to scan or fuzz a SOAP message then the injection points are automatically set according to the format. RAW SOAP Message: Parsed SOAP Message available for editing: Enhanced Payload Effect Analysis: Payload Effect Analysis feature now produces eye-friendly and easy to consume summary for the detected Anomalies. Enhanced Scan Trace Viewer: The Scan Trace Viewer has been given many improvements. There is color highlighting for each the log entries based on the scan trace messages. For example, for every scan trace the baseline request/response is the first row and it is now highlighted in green along with a message specifying this. Clicking on any of the rows will show the request/response of that log, in addition a color highlighted diff of the selected log and the baseline log is also displayed. It makes analysis easy and quick. For example in the screenshot below, when the log where the payload to display the /etc/passwd file is sent is clicked, the differences between the response shows that the baseline response did not have the /etc/passwd file contents but the response for this payload does have these values. This section how also holds the Payload Effect Analysis results. Everytime you load a Scan Trace entry in to the viewer Payload Effect Analysis is automatically performed and the results displayed. Clicking on any of the anomalies also displays the request/response associated with it. This level of analysis on the scanner logs is not available in any other tool in the market no matter how many thousands of dollars you are willing to spend. In IronWASP you get all this for free!! There is a lot planned for the next major release, be prepared for a few surprises Bug reports or feedback on this version are most welcome, either on the IronWASP mailing list, my IronWASP email id, my twitter account or the IronWASP Facebook page. 
Posted by IronWASP at 6:05 AM
Source: IronWASP - Open Source Advanced Web Security Testing Platform: What's new in IronWASP v0.9.6.5
  6. News items are more useful than these: I'd rather read a news item than something like this.
  7. Try something new – Beat the BlueHat Challenge!
swiat 31 Jul 2013 9:30 AM

We were inspired by the Matasano Crypto Challenges. So we built a similar series of fun challenges to exercise reverse engineering, vulnerability discovery, and web browser manipulation attack concepts. The Xbox team helped us develop custom Xbox Live avatar items to be awarded to anyone who completes any track of the BlueHat Challenge. Beat all three tracks for access to all three avatar items (“hacker” T-shirt, “MSRC” T-shirt, “hacker” blue hat). The challenges are all about fun and trying new things.

To sign up for any of the three tracks (reverse engineering, vulnerability discovery, design-level web browser manipulation tricks), just email us at bhchall@microsoft.com. In the subject line or in the body of the message, include either [reverse], [vulns], or [web] (or click on any of those three links). To sign up for all three, please send three separate emails. The Challenge is designed to appeal to a wide range of people, so if the first few sets of problems seem easy, stick with it. They’ll get harder!

More information

There’s no restriction on who can participate, no time limit, and no way to fail. There is no monetary reward, and this is not a contest. Your answers should be your own work. We hope that the fun and learning you gain from completing the Challenge is reward enough. We do plan on publicly recognizing people who finish the Challenge.

If you find this sort of thing fun, you’d probably like working at Microsoft in the Trustworthy Computing group. We solve problems like this every day and we have lots of open positions. You can see a list of our available positions at Microsoft Trustworthy Computing, and we encourage you to submit an application! You may also be interested in the Microsoft Security Bounty Programs, which provide cash rewards for eligible individuals who identify security vulnerabilities.
A quick word from our lawyers…

By participating in the Challenge, you understand that we cannot control the incoming information you will disclose to our representatives in the course of submitting your answers in the Challenge, or what our representatives will remember about your submission. You also understand that we will not restrict work assignments of representatives who have had access to your submission. By participating in the Challenge, you agree that use of information in our representatives’ unaided memories in the development or deployment of our products or services does not create liability for us in connection with the Challenge or under copyright or trade secret law. If you do not want to grant us these rights to your answers, please do not participate in the Challenge.

FAQ

What is the BlueHat Challenge?
The BlueHat Challenge is a series of computer security problems of increasing difficulty to help you build and test your skills in three areas: reverse engineering, vulnerability discovery, and web browser manipulation attack concepts.

How does it work?
The problems are given and reviewed over email. As you complete each level, send us your answers and we’ll send you the next set of problems.

Why is Microsoft doing this?
We hope to spur interest in computer security and help people improve their skills through a self-directed learning process. We also want to give something back to the community; we think these problems are going to be a lot of fun for you to solve. We had a lot of fun coming up with them!

How long should I expect to wait for my submitted answers to be evaluated?
The timeline for evaluating the problems will depend on the number of participants in the program, the difficulty of the problem, and the clarity of your answer. Your answers are being evaluated by real people, so please be patient with us!

How long will the program continue?
We plan to continue the program as long as there is sufficient community interest.
Of course, we may change the program’s design over time as we learn what works best, and we may cancel the program at any time without notice. If there is a particular aspect of the program you like, or one track that you think is better developed than others, please let us know so we can do more of that and less of other things.

Is this the new monetary incentive/bounty program I’ve heard about?
No. This program is an educational challenge with no monetary reward. The new programs that offer monetary incentive are the Security Bounty Programs.

Where can I find information on Microsoft jobs?
Check out Microsoft Trustworthy Computing for careers in the Microsoft Trustworthy Computing group. See Microsoft.com - Careers for more general Microsoft career information.

If I complete the Challenge and do well, am I guaranteed an interview or a job?
No. Your completion of the Challenge or your performance will not guarantee that you will get an interview or a job, nor will it preclude you from doing so. If you are interested in careers with Microsoft Trustworthy Computing, we encourage you to visit Microsoft Trustworthy Computing, where you can submit an application for any open positions that interest you.

Acknowledgements

Many people came together to make the BlueHat Challenge possible:

Couldn’t have happened without David Seidman’s logistics magic!
Thanks Fred Raynal and the Quarkslab team for help with the vulnerability and RE challenges
Thanks Manuel Caballero and Mario Heiderich for developing the web design-level challenges
Thanks Bill Barlowe, Andrew Ciccarelli, and Shonn Gilson for the back-end infrastructure help
Thanks Rollie Watson and John Doyle from Xbox and Rajat and Mike from Lakshya Digital
Thanks Dan Beenfeldt, Tim Hermann, and Nanae Toyozato for the “Eli the Zombie” flash game ([reverse] level 2)
Thanks Katie Moussouris, Mike Reavey, Leah Lease, Bruce Dang, and David Ross for inspiration

- Jonathan Ness, MSRC Engineering

Source: Try something new – Beat the BlueHat Challenge! - Security Research & Defense - Site Home - TechNet Blogs
  8. NSA chief to face hacker crowd at Las Vegas conference - NY Daily News
  9. USE "int main"! On Linux that return code is strictly necessary.

Suppose you have a program, "adu_o_bere", and that if it is run as root it will bring you a beer, otherwise a flat water. And you, as the author of the program:
1. return 0 if it was run as root and it can bring you a beer (0 == action completed successfully!)
2. return 1 or some other code if it was not run as root, an error case, it cannot bring the beer

When you run the program on Linux, you also want to know whether it brought the beer successfully or not. This is where that return code matters!

./adu_o_bere && echo "A adus berea"
# Will print that message only if "./adu_o_bere" RETURNED 0 (i.e. SUCCESS). In this case it will return an error code, 1 or something else (you are not root)

sudo ./adu_o_bere && echo "A adus berea"
# Only in this case will it print that message, because in this case, run as root (assuming you are not root by default), the program returned 0

In short, when you run a command, "./exploit", "./sparge_nasa" or anything else, at least sometimes you need to know whether the program did what it was supposed to or an error occurred. For that, you need that error code.
  10. Looking at CPU/GPU Benchmark Optimizations in Galaxy S 4
by Brian Klug & Anand Lal Shimpi on July 30, 2013 9:34 AM EST

Somehow both Anand and I ended up with international versions of Samsung’s Galaxy S 4, equipped with the first generation Exynos 5 Octa (5410) SoC. Anand bought an international model GT-I9500 while I held out for the much cooler SK Telecom Korean model SHV-E300S, including Samsung’s own SS222 LTE modem capable of working on band 17 (AT&T LTE) and Band 2,5 WCDMA in the US. Both of these came from Negri Electronics, a mobile device importer in the US.

For those of you who aren’t familiar with the Exynos 5 Octa in these devices, the SoC integrates four ARM Cortex A15 cores (1.6GHz) and four ARM Cortex A7 cores (1.2GHz) in a big.LITTLE configuration. GPU duties are handled by a PowerVR SGX 544MP3, capable of running at up to 533MHz.

We both had plans to do a deeper dive into the power and performance characteristics of one of the first major smartphone platforms to use ARM’s Cortex A15. As always, the insane pace of mobile got in the way and we both got pulled into other things. More recently, a post over at Beyond3D from @AndreiF gave us reason to dust off our international SGS4s. Through some good old fashioned benchmarking, the poster alleged that Samsung was only exposing its 533MHz GPU clock to certain benchmarks - all other apps/games were limited to 480MHz. For the past few weeks we’ve been asked by many to look into this; what follows are our findings.

Characterizing GPU Behavior

Samsung awesomely exposes the current GPU clock without requiring root access. Simply run the following command over adb and it’ll return the current GPU frequency in MHz:

adb shell cat /sys/module/pvrsrvkm/parameters/sgx_gpu_clk

Let’s hope this doesn’t get plugged, because it’s actually an extremely useful level of transparency that I wish more mobile platform vendors would offer.
Running that command in a loop we can get real time updates on the GPU frequency while applications run different workloads. Running any games, even the most demanding titles, returned a GPU frequency of 480MHz - just like @AndreiF alleged. Samsung never publicly claimed max GPU frequencies for the Exynos 5 Octa (our information came from internal sources), so no harm no foul thus far.

Running Epic Citadel - 480 MHz

Firing up GLBenchmark 2.5.1 however triggers a GPU clock not available elsewhere: 532MHz. The same is true for AnTuTu and Quadrant.

Running AnTuTu – 532 MHz SGX Clock

Interestingly enough, GFXBench 2.7.0 (formerly GLBenchmark 2.7.0) is unaffected. We confirmed with Kishonti, the makers of the benchmark, that the low level tests are identical between the two benchmarks. The results of the triangle throughput test offer additional confirmation for the frequency difference:

GT-I9500 Triangle Throughput Performance

Benchmark                           | GPU Freq | Run 1        | Run 2        | Run 3        | Run 4        | Run 5        | Average
GFXBench 2.7.0 (GLBenchmark 2.7.0)  | 480MHz   | 37.9M Tris/s | 37.9M Tris/s | 37.7M Tris/s | 37.7M Tris/s | 38.3M Tris/s | 37.9M Tris/s
GLBenchmark 2.5.1                   | 532MHz   | 43.1M Tris/s | 43.2M Tris/s | 42.8M Tris/s | 43.4M Tris/s | 43.4M Tris/s | 43.2M Tris/s
% Increase                          | 10.8%    |              |              |              |              |              | 13.9%

We should see roughly an 11% increase in performance in GLBenchmark 2.5.1 over GFXBench 2.7.0, and we end up seeing a bit more than that. The reason for the difference? GLBenchmark 2.5.1 appears to be singled out as a benchmark that is allowed to run the GPU at the higher frequency/voltage setting.

The CPU is also Affected

The original post on B3D focused on GPU performance, but I was curious to see if CPU performance responded similarly to these benchmarks. Using System Monitor I kept an eye on CPU frequency while running the same tests. Firing up GLBenchmark 2.5.1 causes a switch to the ARM Cortex A15 cluster, with a default frequency of 1.2GHz. The CPU clocks never drop below that, even when just sitting idle at the menu screen of the benchmark.

Left: GLBenchmark 2.5.1 (1.2 GHz), Right: GFXBench 2.7 (250 MHz - 500 MHz)

Run GFXBench 2.7 however and the SoC switches over to the Cortex A7s running at 500MHz (250MHz virtual frequency). It would appear that only GLB2.5.1 is allowed to run in this higher performance mode. A quick check across AnTuTu, Linpack, Benchmark Pi, and Quadrant reveals the same behavior. The CPU governor is fixed at a certain point when any of those benchmarks is launched.

Linpack for Android: Exynos 5 Octa all cores 1.6 GHz (left), Snapdragon 600 all cores 1.9 GHz (right)

Interestingly enough, the same behavior (on the CPU side) can be found on Qualcomm versions of the Galaxy S 4 as well. In these select benchmarks, the CPU is set to the maximum CPU frequency available at app launch and stays there for the duration; all cores are plugged in as well, regardless of load, as soon as the application starts. Note that the CPU behavior is different from what we saw on the GPU side however.
These CPU frequencies are available for all apps to use; they are simply forced to maximum (and in the case of Snapdragon, all cores are plugged in) in the case of these benchmarks. The 532MHz max GPU frequency on the other hand is only available to these specific benchmarks.

Digging Deeper

At this point the benchmarks allowed to run at higher GPU frequencies would seem arbitrary. AnTuTu, GLBenchmark 2.5.1 and Quadrant get fixed CPU frequencies and a 532MHz max GPU clock, while GFXBench 2.7 and Epic Citadel don’t. Poking around I came across the application changing the DVFS behavior to allow these frequency changes – TwDVFSApp.apk. Opening the file in a hex editor and looking at the strings inside (or just running strings on the .odex file) pointed at what appeared to be hard coded profiles/exceptions for certain applications. The string "BenchmarkBooster" is a particularly telling one:

You can see specific Android Java naming conventions immediately in the highlighted section. Quadrant standard, advanced, and professional, Linpack (free, not paid), Benchmark Pi, and AnTuTu are all called out specifically. Nothing for GLBenchmark 2.5.1 though, despite its similar behavior.

We can also see the files that get touched by TwDVFSApp while it is running:

//sys/class/devfreq/exynos5-busfreq-int/min_freq
//sys/class/devfreq/exynos5-busfreq-mif/min_freq
+/sys/class/thermal/thermal_zone0/boost_mode
2/sys/devices/platform/pvrsrvkm.0/sgx_dvfs_min_lock

When the TwDVFSApp application grants special DVFS status to an application, the boost_mode file goes from value 0 to 1, making it easy to check if an affected application is running.
For example, launching and closing Benchmark Pi:

shell@android:/sys/class/thermal/thermal_zone0 $ cat boost_mode
1
shell@android:/sys/class/thermal/thermal_zone0 $ cat boost_mode
0

There are strings for Fusion3 (the Snapdragon 600 + MDM9x15 combo) and Adonis (the codename for Exynos 5 Octa):

doBoostAll
doBoostForAdonis
doBoostForAdonis::
doBoostForFusion3
doBoostForFusion3::

What's even more interesting is that TwDVFSApp seems to have an architecture for other benchmark applications not specifically in the whitelist to request BenchmarkBoost mode via an intent, since the application is also a broadcast receiver.

6Lcom/sec/android/app/twdvfs/TwDVFSBroadcastReceiver$1;
6Lcom/sec/android/app/twdvfs/TwDVFSBroadcastReceiver$2;
?Lcom/sec/android/app/twdvfs/TwDVFSBroadcastReceiver$IntentInfo;
4Lcom/sec/android/app/twdvfs/TwDVFSBroadcastReceiver;
boostIntent
5com.sec.android.intent.action.DVFS_FG_PROCESS_CHANGED
*com.sec.android.intent.action.SSRM_REQUEST

So we can not only see the behavior and empirically test which applications are affected, but also have what appears to be the whitelist and how the TwDVFSApp application grants special DVFS to certain applications.

Why this Matters & What’s Next

None of this ultimately impacts us. We don’t use AnTuTu, BenchmarkPi or Quadrant, and moved off of GLBenchmark 2.5.1 as soon as 2.7 was available (we dropped Linpack a while ago). The rest of our suite isn’t impacted by the aggressive CPU governor and GPU frequency optimizations on the Exynos 5 Octa based SGS4s. What this does mean however is that you should be careful about comparing Exynos 5 Octa based Galaxy S 4s using any of the affected benchmarks to other devices and drawing conclusions based on that. This seems to be purely an optimization to produce repeatable (and high) results in CPU tests, and deliver the highest possible GPU performance benchmarks.
We’ve said for years now that the mobile revolution has/will mirror the PC industry, and thus it’s no surprise to see optimizations like this employed. Just because we’ve seen things like this happen in the past however doesn’t mean they should happen now.

It's interesting that this is sort of the reverse of what we saw GPU vendors do in FurMark. For those of you who aren't familiar, FurMark is a stress testing tool that tries to get your platform to draw as much power as possible. In order to avoid creating a situation where thermals were higher than they'd be while playing a normal game (and to avoid damaging graphics cards without thermal protection), we saw GPU vendors limit the clock frequency of their GPUs when they detected these power-virus style apps. In a mobile device I'd expect even greater sensitivity to something like this. I suspect we'll eventually get to that point. I'd also add that just like we've seen this sort of thing many times in the PC space, the same is likely true for mobile. The difficulty is in uncovering when something strange is going on.

What Samsung needs to do going forward is either open up these settings for all users/applications (e.g. offer a configurable setting that fixes the CPU governor in a high performance mode, and unlocks the 532MHz GPU frequency) or remove the optimization altogether. The risk of doing nothing is that we end up in an arms race between all of the SoC and device makers where non-insignificant amounts of time and engineering effort are spent on gaming the benchmarks rather than improving user experience. Optimizing for user experience is all that’s necessary; good benchmarks benefit indirectly - those that don’t will eventually become irrelevant.

Source: AnandTech | Looking at CPU/GPU Benchmark Optimizations in Galaxy S 4
  11. DNS Reflection / Amplification Attack Tool
Authored by Mark Osborne

dns_spquery.c is written in C and sends a DNS recursive name query to a name server of your choice with a spoofed source IP address selected at runtime. This tool was written in order to demonstrate a DNS reflection / amplification attack for testing purposes.

Download: http://packetstormsecurity.com/files/download/122600/dns_spquery.c.gz

Source: DNS Reflection / Amplification Attack Tool ≈ Packet Storm
  12. "We are a team of IT specialists specializing in security, ITSE Army being a group of Hackers" Ultra gay. By the way, weren't there some 200 SQL Injections posted here?
  13. cout is in C++, printf is in C. The current book is about C. My opinion is that we shouldn't go into details about "cout"; let's continue with C, then, once people progress, we can move on to C++ and clear up any issue.
  14. [h=1]DeepSec 2010 Debugging GSM[/h]
  15. [h=1]DeepSec 2010 Android Reverse Engineering and Forensics[/h]
  16. [h=1]DeepSec 2010 Detection of Hardware Keyloggers[/h]
  17. The printf function needs to know how many variables you want to print. You tell it that, as well as the type of the data you want to print, through that "%". Example:

#include <stdio.h>
int main() {
    int n = 5;
    float f = 1.2;
    char sir[] = "test";
    printf("Vom afisa un numar intreg: %d, un numar cu virgula: %f si un sir de caractere: %s", n, f, sir);
    return 0;
}

As you can see, you have 3 variables and 3 occurrences of that "%":
- %d - will be REPLACED with the value of variable n (the first variable after this string, since it is the first "%")
- %f - will be REPLACED with the value of the second variable, f
- %s - being the 3rd occurrence, will be replaced with the 3rd variable, "sir"

Result:
Vom afisa un numar intreg: 5, un numar cu virgula: [B]1.200000[/B] si un sir de caractere: test

We can print only 2 decimals by using "%.2f" instead of "%f":
Vom afisa un numar intreg: 5, un numar cu virgula: [B]1.20[/B] si un sir de caractere: test
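As an added example (not from the post above): a small checker that walks a printf format string the way printf does and counts how many arguments it will consume, so a mismatch between the "%" conversions and the values passed can be caught before the call. The function names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Counts how many arguments a printf-style format string will consume.
 * Walks the string like printf does: "%%" is a literal percent sign and
 * consumes nothing; any other '%' introduces one conversion, whose flags,
 * width, precision and length modifiers ("%.2f", "%-10s", "%ld") are
 * skipped until the conversion letter. A '*' width or precision consumes
 * an extra int argument. Returns -1 for a '%' with no conversion letter. */
int count_conversions(const char *fmt) {
    int count = 0;
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%') {
            continue;                       /* ordinary character */
        }
        p++;
        if (*p == '%') {
            continue;                       /* "%%" prints a '%' */
        }
        /* skip flags, width, precision and length modifiers */
        while (*p != '\0' && strchr("-+ #0123456789.*hlLqjzt", *p) != NULL) {
            if (*p == '*') {
                count++;                    /* "%*d": width comes from an argument */
            }
            p++;
        }
        if (*p == '\0') {
            return -1;                      /* dangling '%' at end of string */
        }
        count++;                            /* the conversion letter itself */
    }
    return count;
}

/* Returns 1 when the caller supplies exactly as many values as the format
 * expects, 0 otherwise (too few reads garbage, too many is silently ignored). */
int format_matches(const char *fmt, int nargs) {
    return count_conversions(fmt) == nargs;
}

int main(void) {
    const char *fmt = "Vom afisa un numar intreg: %d, un numar cu virgula: %.2f si un sir de caractere: %s";
    printf("format expects %d arguments\n", count_conversions(fmt));
    return 0;
}
```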
  18. Pwnie Awards 2013 Nominations!

[h=3]Pwnie for Best Server-Side Bug[/h]
Awarded to the person who discovered or exploited the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without using user interaction.

Ruby on Rails YAML (CVE-2013-0156)
Credit: Ben Murphy
While lots and lots of Ruby libraries like YAML, Ruby on Rails likes it the most. This vulnerability leads to remote SQL injection and arbitrary Ruby code execution on the server, bringing down a variety of Ruby on Rails web sites.

Cryptographic flaws in the Oracle Database authentication protocol (CVE-2012-3137)
Credit: Esteban Fayo
Esteban has found the only thing better than brute forcing database passwords online: brute forcing them offline with super fast GPUs without leaving a trail of failed attempts in the server logs.

SAPRouter Remote Heap Overflow
Credit: Grigory Nosenko
SAProuter is an application which is exposed to the Internet for providing updates to the corporate SAP systems and for connecting to different office locations and subcontractor systems. Almost every third company exposes this service at the default port 3299. This is a very small application which simply routes packets, but it contains multiple exploitable heap overflows, compromising many large enterprises.

Asterisk Stack Overflow (CVE-2012-5976)
Credit: drraid
Last November, drraid demonstrated the exploitation of a server-side bug in Asterisk, which really liked putting HTTP request buffers all over its stack. He used multiple threads to disclose memory and control EIP despite the PIE ASLR protections in the Linux kernel.

Nginx Overflows (CVE-2013-2028 and CVE-2013-2070)
Credit: Greg MacManus
Not to be outdone by Asterisk, nginx wanted to overflow with HTTP headers too. And if one overflow was not enough, a second exploitable variant was found and patched shortly after the first.

[h=3]Pwnie for Best Client-Side Bug[/h]
Awarded to the person who discovered or exploited the most technically sophisticated and interesting client-side bug.

WebKit SVGElement Type Confusion (CVE-2013-0912)
Credit: MWRLabs
Use-after-free bugs in web browsers are so 2012. At CanSecWest, Nils and Jon used their SVG type confusion exploit as their first step into owning Chrome. In addition to using the vulnerability for code execution, they used it to leak out all of chrome.dll to search for ROP gadgets, because Chrome updates every few days, especially right before Pwn2Own.

Adobe Flash Player RegExp Overflow (CVE-2013-0634)
Credit: Unknown
What zero-day gets remote code execution with advanced heap manipulation and highly targeted attacks? This bug!

Microsoft Internet Explorer VML (CVE-2013-2551)
Credit: VUPEN
At CanSecWest last March, VUPEN dropped their exploit for an integer overflow in array resizing of a Vector Markup Language (VML) element property. Do not be fooled by the version of this exploit in Metasploit that uses heap sprays and Java to bypass DEP and ASLR. VUPEN's exploit needed neither before gaining code execution in IE10 on Windows 8.

Adobe Reader Buffer Overflow and Sandbox Escape (CVE-2013-0641)
Credit: Unknown
Just in time for last Valentine's Day, FireEye found a sophisticated PDF attack in the wild that exploited Adobe Reader and escaped its sandbox. This exploit wanted to show its love for clipboard buffer lengths all in a pure-ROP payload.

[h=3]Pwnie for Best Privilege Escalation Bug[/h]
Awarded to the person who discovered or exploited the most technically sophisticated and interesting privilege escalation vulnerability. These vulnerabilities can include local operating system privilege escalations, operating system sandbox escapes, and virtual machine guest breakout vulnerabilities.
Linux kernel perf_swevents_init (CVE-2013-2094)
Credit: sd@fucksheep.org
You know a bug is cool when spender and geohot have re-exploited it on different architectures. This kernel bug has been in the Linux kernel for a long time and affected many, many systems.

win32k.sys EPATHOBJ::pprFlattenRec uninitialized pointer (CVE-2013-3660)
Credit: Tavis Ormandy
No privilege escalation nomination list would be complete without at least one entry from win32k.sys. This year Tavis provides a great example of a subtle bug that works on Windows XP through Windows 8.

iOS incomplete codesign bypass and kernel vulnerabilities (CVE-2013-0977, CVE-2013-0978 and CVE-2013-0981)
Credit: David Wang aka planetbeing and the evad3rs team
According to statistics in February, the evasi0n exploit works for at least 5 million people every time they boot their iPhone. It bypasses code signing by interposing with an incomplete codesign bug in the dynamic loader. It bypasses user space ASLR by using the dynamic linker. It exploits an untrusted pointer in the kernel with some help from a heap info leak, the ARM data abort interrupt handler and some techniques by Tarjei Mandt and Mark Dowd.

Motorola TrustZone array OOB write (CVE-2013-3051)
Credit: Dan Rosenberg
Dan Rosenberg exploited a bug in Motorola's TrustZone kernel on all of Motorola's Qualcomm-based Android devices, allowing their boot-loaders to be irreversibly unlocked.

[h=3]Pwnie for Most Innovative Research[/h]
Awarded to the person who published the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post.

CRIME attack
Juliano Rizzo and Thai Duong
Juliano and Thai broke the Internet for the third time in a row and all they got was one little pony? CRIME should pay them something, if not for the below reasons, then just for the sake of coming up with cool names.

Identifying and Exploiting Windows Kernel Race Conditions via Memory Access Patterns
Mateusz "j00ru" Jurczyk, Gynvael Coldwind
The research consisted of two major parts: employing CPU-level OS instrumentation to locate potential double fetch vulnerabilities in the kernels of different operating systems, and discovering and testing practical means of exploiting such memory-bound race conditions in practical scenarios. Not only is the topic interesting, but Bochspwn was used to find at least 37 vulnerabilities in the Windows kernel / drivers (plus some minor system crashes).

Leaking Addresses with Vulnerabilities that Can't Read Good
Paul @pa_kt and Dion Blazakis
Paul @pa_kt presented a new kind of timing attack to bypass browser ASLR in Firefox without using an information disclosure vulnerability or another direct memory read primitive. Paul's technique is based on the observation that user-controlled elements and address space information (such as pointers), when stored in a shared container without a constant lookup time, can be abused to infer the value of such pointers without directly reading their values. Paul's presentation was bundled with Dion Blazakis' GC woah technique at Summercon, whose graphics are too embarrassing to describe as part of this nomination. Dion showed that Garbage Collectors can sometimes be confused about when to mark pointers for release and can be abused for side-channel attacks against ASLR.

Page Fault Liberation Army
Julian Bangert and Sergey Bratus
Sergey Bratus and Julian Bangert managed to build a Turing-complete virtual machine out of the x86's MMU, demoed by Conway's Game of Life with *ZERO* native instructions. All computation is performed by either a single-fault or double-fault in the MMU.
Practical Timing Side Channel Attacks Against Kernel Space ASLR
Ralf Hund, Carsten Willems, Thorsten Holz
The authors presented an innovative technique for defeating kernel ASLR, using a generic side channel attack against the memory management system to deduce information about the privileged address space layout.

[h=3]Pwnie for Lamest Vendor Response[/h]
Awarded to the vendor who mishandled a security vulnerability most spectacularly.

To be announced

[h=3]Pwnie for Best Song[/h]
What kind of awards ceremony does not have an award for best song?

SSH to Your Heart
Dale Chase (feat. Shannon Morse)
Laser sounds, funny lyrics, and a catchy tune make a great Best Song nomination. The Judges would also like to point out that this nomination's chances of winning are greatly increased by Snubsie showing up to the Pwnie Awards ceremony.

Format String
NYAN
Another highly-technical track from Not Your Average Nerd.

Safe
Michael Shea
Finally, a nomination that's not rap! Maybe next year we'll get one that also isn't a cover. We gotta keep raising that bar.

All the Things
Dual Core
Something tells me that this song's chorus will be quite popular in Vegas this year...

WatchGuard's Security Shop
WatchGuard
This nomination's chances of winning can be increased by having those two guys wear those awesome threads from their video to the Pwnie Awards ceremony. Just sayin'.

[h=3]Pwnie for Most Epic FAIL[/h]
Sometimes giving 110% just makes your FAIL that much more epic. And what use would the Internet be if it wasn't there to document this FAIL for all time? This award is to honor a person or company's spectacularly epic FAIL.

Cryptographic failures in CryptoCat
CryptoCat
Go home, cryptocat, you are drunk. Steve Thomas wrote decryptocat and destroyed just about two years of Cryptocat's crypto. It turns out that writing crypto safely is hard; let's all go write anti-virus products instead.

Sophos
Isn't Anti-Virus supposed to improve your security, not make it worse? Tavis showed that Sophos is clearly doing it wrong by demonstrating a large number of vulnerabilities in Sophos, including a pre-authentication remote root bug!

Android "Master Key" Vulnerability
Android
Despite the excessive hype surrounding the Android application signature flaw, the bug affected 99% of Android devices and allowed attackers to backdoor apps without invalidating their signature. Luckily, there haven't been any signs of malicious Android apps in the wild. Oh wait.

U.S. Govt Destroys $170k worth of Hardware in Hunt for Non-Existent Malware
U.S. Economic Development Administration
Someone said, "all of the mice in this building are infected with bugs" and somehow the Economic Development Administration (EDA) thought they meant computer mice and proceeded to destroy all of them. We, however, find this method to be quite labor-intensive and just recommend burning the entire building down. It's faster, safer, and cheaper.

Nmap: The Internet Considered Harmful - DARPA Inference Checking Kludge Scanning
Hakin9
Quoting from the article published in Hakin9 magazine: "The concept of autonomous methodologies has been studied before in the literature [18]. Next, the well-known framework by David Johnson et al. does not store Smalltalk as well as our method. Further, Wilson and Zhao [19] originally articulated the need for the understanding of linked lists. It remains to be seen how valuable this research is to the software engineering community. Ultimately, the methodology of R. Zhao et al. is a theoretical choice for the exploration of super-pages. Our design avoids this overhead." We couldn't have said it better.

[h=3]Pwnie for Epic 0wnage[/h]
0wnage, measured in owws, can be delivered in mass quantities to a single organization or distributed across the wider Internet population. The Epic 0wnage award goes to the hackers responsible for delivering the most damaging, widely publicized, or hilarious 0wnage.
This award can also be awarded to the researcher responsible for disclosing the vulnerability or exploit that resulted in delivering the most owws across the Internet.

Internet Census 2012
Anonymous
The anonymous researcher built a botnet out of one hundred thousand home routers and used it to repeatedly portscan the entire Internet, including a full service scan. They released a full paper about it and 10TB of data from the port scans.

Cyber Fast Track
Peiter "Mudge" Zatko
Mudge the government! He opened up DARPA funding to hackers, allowing talented people to be paid government money to do groundbreaking research and keep their own IP. It also showed people used to the capabilities of the defense industrial base what real security experts could do, drastically changing what they expected of all researchers they funded afterwards. Over 100 projects were funded, and the results of many of them were subsequently released publicly.

APT1 pwnage by malware.lu
malware.lu
After Mandiant published their report on the APT1 group, malware.lu upstaged them by owning the C&C infrastructure of APT1. They scanned for Poison Ivy C&Cs, developed a custom John the Ripper extension specifically for Poison Ivy's encryption algorithm, exploited a (known) buffer overflow in the C&C to gain access to all the C&Cs they found, revised the Metasploit module for it to improve the remote exploit so that it could accept a non-default connectback password, wrote a great deal of custom shellcode from scratch to properly hide their presence, discovered a brand new homemade RAT on one of the servers, reversed it to bruteforce its password, wrote a scanner to find C&C servers running it, discovered and wrote an exploit for an RCE buffer overflow vulnerability they found in that, and wrote a Metasploit module for it...
Joint nomination to Edward Snowden and the NSA
Edward Snowden's leak of NSA secrets was an epic example of the insider threat to information security, while his revelations convinced many that the entire Internet is thoroughly and epically owned!

[h=3]Pwnie for Lifetime Achievement[/h]

Awarded to those of us who have moved on to bigger and better things.

To be announced

Source: Pwnie Awards 2013
  19. A New Class Of Buffer Overflow Attacks

Description: In this talk, we focus on a class of buffer overflow vulnerabilities that occur due to the "placement new" expression in C++. "Placement new" facilitates placement of an object/array at a specific memory location. When appropriate bounds checking is not in place, object overflows may occur. Such overflows can lead to stack as well as heap/data/bss overflows, which can be exploited by attackers in order to carry out the entire range of attacks associated with buffer overflow. Unfortunately, buffer overflows due to "placement new" have neither been studied in the literature nor been incorporated in any tool designed to detect and/or address buffer overflows. We would describe how the "placement new" expression in C++ can be used to carry out buffer overflow attacks -- on the stack as well as heap/data/bss. We show that overflowing objects and arrays can also be used to carry out virtual table pointer subterfuge, as well as function and variable pointer subterfuge. Moreover, we show how "placement new" can be used to leak sensitive information, and how denial of service attacks can be carried out via memory leakage.

Ashish Kundu is a Research Staff Member at IBM T J Watson Research Center. He works in the area of security and privacy with a current focus on cloud security, and a long-term vision of "end-to-end holistic security woven into the systems". Dr. Kundu was awarded the CERIAS Diamond Award in 2011. In 2010, he graduated from Purdue with a Ph.D. His doctoral thesis addressed the problem of "How to Authenticate Trees and Graphs Without Leaking". Ashish has received Best Student Paper at the IEEE Enterprise Computing conference in 2006, and three Best Research Poster awards at CERIAS symposia during 2006-2008. He has been a (co-)inventor on about twenty patents. He has also been awarded the IBM Bravo award as well as three IBM Plateau awards for his contributions.
This talk is based on the paper co-authored with his advisor Elisa Bertino and presented at ICDCS 2011. (Visit: www.cerias.purude.edu)

For more information please visit: CERIAS - Center for Education and Research in Information Assurance and Security

Source: A New Class Of Buffer Overflow Attacks
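To make the bounds-checking point of the talk concrete, here is an added example written for this page (it is not code from the talk or from the Kundu and Bertino paper): the same placement-new array construction once without a size check and once with one. `Record`, `Arena` and the function names are assumed names chosen for illustration; the sentinel field only exists so the effect of an out-of-bounds construction can be observed.

```cpp
#include <cstddef>
#include <cstdint>
#include <new>

// Small trivially-destructible record, constructed in caller-provided storage.
// (Assumed type for illustration.)
struct Record {
    std::uint32_t id;
    std::uint32_t flags;
};

// Fixed-size arena: room for exactly four Records, followed by a sentinel that
// must stay intact. Placement new requires suitably aligned storage, hence alignas.
struct Arena {
    alignas(Record) unsigned char storage[4 * sizeof(Record)];
    std::uint32_t sentinel = 0xDEADBEEF;
};

// VULNERABLE pattern, the class of bug the talk describes: `count` comes from
// the caller and is never compared against the capacity of `storage`. With
// count > 4 the construction loop writes Records past the end of `storage`,
// first over `sentinel` and then over whatever follows the Arena in memory
// (on the stack: other locals, saved registers, the return address). The
// function is shown only to contrast with the checked form below; it is never
// called here with an oversized count, because that is undefined behaviour.
Record* construct_unchecked(Arena& arena, std::size_t count) {
    Record* first = nullptr;
    for (std::size_t i = 0; i < count; ++i) {
        Record* r = new (arena.storage + i * sizeof(Record))
            Record{static_cast<std::uint32_t>(i), 0};
        if (i == 0) first = r;
    }
    return first;
}

// HARDENED form: guard the size multiplication against wrap-around, compare the
// required byte count against the real capacity, and refuse (nullptr) instead
// of constructing past the end. Returns nullptr for count == 0 as well.
Record* construct_checked(Arena& arena, std::size_t count) {
    if (count == 0) return nullptr;
    if (count > SIZE_MAX / sizeof(Record)) return nullptr;   // count * size would overflow
    const std::size_t needed = count * sizeof(Record);
    if (needed > sizeof(arena.storage)) return nullptr;       // does not fit: reject
    return construct_unchecked(arena, count);                 // now provably in bounds
}

// True while the guard value after the storage has not been overwritten.
bool sentinel_intact(const Arena& arena) {
    return arena.sentinel == 0xDEADBEEF;
}

// Exercises the checked path: an in-bounds request succeeds, an oversized one
// and a size that would overflow the multiplication are both rejected, and the
// sentinel survives throughout. Returns true when all of that holds.
bool hardened_rejects_overflow() {
    Arena arena;
    bool ok = construct_checked(arena, 4) != nullptr && sentinel_intact(arena);
    ok = ok && construct_checked(arena, 5) == nullptr && sentinel_intact(arena);
    ok = ok && construct_checked(arena, SIZE_MAX) == nullptr && sentinel_intact(arena);
    ok = ok && construct_checked(arena, 0) == nullptr;
    return ok;
}

int main() {
    return hardened_rejects_overflow() ? 0 : 1;
}
```

The two checks in `construct_checked` are the whole fix: the overflow guard on `count * sizeof(Record)` matters because a wrapped product can look small enough to pass the capacity comparison, which is exactly how a size that "fits" ends up constructing objects far past the buffer.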
  20. Interesting... It should be possible; roughly the same thing happens with "Power save" when the laptop battery runs low. I'm currently looking through the kernel, /drivers/cpufreq; so far it seems to be something in an MSR register. There seem to be 2 MSR registers:

1. MPERF: 0000_00E7h - maximum frequency clock count
2. APERF: 0000_00E8h - actual frequency clock count

For Linux you should be able to use MSR tools: https://www.kernel.org/pub/linux/utils/cpu/msr-tools/
  21. Why C++ and not Python:

1. Because you will need it at university; I'd like to see you writing Python code at the entrance exam and in exams...
2. Because Python is an interpreted language, whereas C++ is compiled. That is, Python needs an interpreter.
3. C++ is faster (runs directly on the processor).
4. C++ uses less memory (data types; no overhead generated by the interpreter).

Well, practically you only need to think about point "2" and you can draw many conclusions from it. See a few ideas: Is Python faster and lighter than C++? - Stack Overflow

Why Python and not C++:

1. You write less code, so you write code faster.

Well, you asked the question incorrectly, as if you were asking: "What should I get, a Lamborghini or a Ducati?" when the correct questions are "Lamborghini or Ferrari?" and "Ducati or Suzuki?". In other words, they are 2 languages from different categories. What matters is what you intend to do with them.
  22. Learn C/C++; you will need it at university anyway. Or Java.
  23. nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit

about a generic way to exploit Linux targets
written by Kingcope

Introduction

In May 2013 a security advisory was announced on the nginx-announce mailing list [1] and a CVE identifier was assigned to the vulnerability. The vulnerability was discovered by Greg MacManus of iSIGHT Partners Labs. CVE-2013-2028 is described [2] as follows:

„The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a chunked Transfer-Encoding request with a large chunk size, which triggers an integer signedness error and a stack-based buffer overflow.“

Recent versions of the nginx HTTP server use an HTTP 1.1 standard called chunked transfer encoding. Older versions of nginx do not support chunked transfers in HTTP requests; a third-party module or source patch had to be installed to use chunked transfers. This quite new code in nginx contains the mentioned integer signedness error that results in a stack-based buffer overflow.

This text will show how to exploit this bug on Linux platforms in a generic and brute-force way. The exploit [3] relies on the fact that, while all memory addresses are randomized in the process address space on the Linux platform today, only the process image's address is not randomized and is found at a fixed address. This fact can be used to build exploits by only referencing addresses in the process image.

The first step in writing an exploit for the current Linux platform is to find all addresses that are needed to build a ROP chain and execute shellcode. Interestingly, normally all addresses are hardcoded in exploit code. There are ways to minimize the number of hardcoded addresses. By using fewer hardcoded addresses it is possible to target many Linux platforms at once with the same exploit code without the need to add offsets for each target platform.
Nearly all offsets can be retrieved using brute force methods. The disadvantage is that brute forcing addresses can be noisy throughout the process.

Download: www.exploit-db.com/download_pdf/27074
  24. Information Security News: PayPal opens bug bounty program to minors
  25. Details on NSA/FBI Eavesdropping

We're starting to see Internet companies talk about the mechanics of how the US government spies on their users. Here, a Utah ISP owner describes his experiences with NSA eavesdropping:

We had to facilitate them to set up a duplicate port to tap in to monitor that customer's traffic. It was a 2U (two-unit) PC that we ran a mirrored ethernet port to. [What we ended up with was] a little box in our systems room that was capturing all the traffic to this customer. Everything they were sending and receiving.

Declan McCullagh explains how the NSA coerces companies to cooperate with its surveillance efforts. Basically, they want to avoid what happened with the Utah ISP.

Some Internet companies have reluctantly agreed to work with the government to conduct legally authorized surveillance on the theory that negotiations are less objectionable than the alternative -- federal agents showing up unannounced with a court order to install their own surveillance device on a sensitive internal network. Those devices, the companies fear, could disrupt operations, introduce security vulnerabilities, or intercept more than is legally permitted.

"Nobody wants it on-premises," said a representative of a large Internet company who has negotiated surveillance requests with government officials. "Nobody wants a box in their network...[Companies often] find ways to give tools to minimize disclosures, to protect users, to keep the government off the premises, and to come to some reasonable compromise on the capabilities."

Precedents were established a decade or so ago when the government obtained legal orders compelling companies to install custom eavesdropping hardware on their networks.

And Brewster Kahle of the Internet Archive explains how he successfully fought a National Security Letter.

Source: Schneier on Security: Details on NSA/FBI Eavesdropping