Nytro

Da, asta cred si eu, si e cel mai bine asa.

Imi place si CentOS (server).

Brute-Force Attack On Ssh, Mysql, Vnc Using Metasploit-Framework Description: In this video I will show you how to perform a brute - force attack on services like SSH , MySQL, and VNC. Why Metasploit – I think Metasploit will work on target very well you can set brute-force speed ,threats level and many more things you can set. Modules Are used : - SSH Login Check Scanner | Metasploit Exploit Database (DB) This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access. MySQL Login Utility | Metasploit Exploit Database (DB) This module simply queries the MySQL instance for a specific user/pass (default is root with blank). VNC Authentication Scanner | Metasploit Exploit Database (DB) This module will test a VNC server on a range of machines and report successful logins. Currently it supports RFB protocol version 3.3, 3.7, and 3.8 using the VNC challenge response authentication method. Source : - Penetration Testing Software | Metasploit Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Brute-Force Attack On Ssh, Mysql, Vnc Using Metasploit-Framework

Metasploit Wmap Web Vulnerability Scanner Description: In this video i will show you how to use WMAP Plugging in Metasploit-Framework. WMAP is an automation for an auxiliary, I mean this Plugging will fire automatically web supported auxiliary and in the last if on target vulnerability is available so it will store in our database. In this video I’m targeting one website and we found some files and some links maybe sometime we will get some sensitive information depend on the website. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Metasploit Wmap Web Vulnerability Scanner

Digipass Instrumentation For Fun And Profit Description: PDF : - https://hacktivity.com/en/downloads/archives/223/ He currently works as a Security Consultant at KPMG Romania where he is involved in penetration testing projects against web applications, mobile applications and network infrastructures. Adrian Furtuna has a PhD in Computer Science obtained at the Military Technical Academy of Bucharest, Romania. During his PhD program he has extensively studied various attack techniques utilized in Red Teaming engagements and he has designed a few scenarios for cyber defense exercises. He currently works as a Security Consultant at KPMG Romania where he is involved in penetration testing projects against web applications, mobile applications and network infrastructures. Adrian is also a lecturer at several master programs from Bucharest universities, teaching practical aspects of systems security testing and he is the founder of pentest-tools.com, a place where penetration testers can find a collection of ethical hacking tools that can be used online in their engagements. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Digipass Instrumentation For Fun And Profit

Android Programming for Beginners: Part 1 Thursday, 20 December 2012 11:06 Juliet Kemp With Android phones and tablets making their way into more and more pockets and bags, dipping a toe into Android coding is becoming more popular too. And it's a great platform to code for -- the API is largely well-documented and easy to use, and it's just fun to write something that you can run on your own phone. You don't even need a phone at first, because you can write and test code in an emulator on your Linux PC. In the first of this two-part intro to Android coding, get a basic timer app up and running and start learning about the Android API. This tutorial assumes some basic familiarity with Java, XML, and programming concepts, but even if you're shaky on those, feel free to follow along! Dev environment and getting started A note on versions: the most recent version of Android is 4.2 (Jelly Bean), but as you can see from this Wikipedia chart, there aren't many people using it yet. You're better off coding for one or both of 4.0 (Ice Cream Sandwich) or 2.3 (Gingerbread), especially as Android is entirely forwards-compatible (so your 2.3 code will run on 4.2) but not always backwards-compatible. The code here should work on either 4.0 or 2.3. The quickest way to get your dev environment set up is to download the Android Bundle. You'll also need JDK 6 (not just JRE); note that Android is not compatible with gcj. If you already have Eclipse, or wish to use another IDE, you can set it up for Android as described here. Now, create a project called Countdown either using Eclipse, or from the command line. I set the BuildSDK to 4.0.3, and minimum SDK to 2.2, and (in Eclipse) used the BlankActivity template. My First Android Project: Layout For our very first program, we're going to do is to show a timer that counts down from 10 seconds when you click a button. Before writing the code, let's create the interface -- what the user will see when they start the app. Open up res/layout/activity_countdown.xmlto create an XML layout, using either the Eclipse graphical editor, or a text/XML editor, to enter this: <RelativeLayout xmlns:android="http://schemas.android.com/apk/res/android" xmlns:tools="http://schemas.android.com/tools" android:layout_width="match_parent" android:layout_height="match_parent" > <TextView android:id="@+id/time_display_box" android:layout_width="wrap_content" android:layout_height="wrap_content" android:layout_alignParentTop="true" android:layout_centerHorizontal="true" android:layout_marginTop="60dp" android:text="@string/_00_30" android:textAppearance="?android:attr/textAppearanceLarge"/> <Button android:id="@+id/startbutton" android:layout_width="wrap_content" android:layout_height="wrap_content" android:layout_below="@+id/time_display_box" android:layout_centerHorizontal="true" android:layout_marginTop="41dp" android:text="@string/start" /> </RelativeLayout> This illustrates the standard way of referring to Android resources. It's best practice to use string references rather than hard-coding strings. My First Android Project: Code Next, open up the CountdownActivity.java file in your editor, ready to write some code. You should already have an onCreate() method stub generated. onCreate() is always called when the Activity is first created, so you'll often do setup and app logic startup here. (Eclipse may also have created an onCreateOptionsMenu()method stub, which we'll ignore for now.) Enter this code: public class CountdownActivity extends Activity { private static final int MILLIS_PER_SECOND = 1000; private static final int SECONDS_TO_COUNTDOWN = 30; private TextView countdownDisplay; private CountDownTimer timer; @Override public void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(R.layout.activity_countdown); countdownDisplay = (TextView) findViewById(R.id.time_display_box); Button startButton = (Button) findViewById(R.id.startbutton); startButton.setOnClickListener(new View.OnClickListener() { public void onClick(View view) { try { showTimer(SECONDS_TO_COUNTDOWN * MILLIS_PER_SECOND); } catch (NumberFormatException e) { // method ignores invalid (non-integer) input and waits // for something it can use } } }); } } You'll notice the thing that makes this a surprisingly easy first project: the Android API includes a CountDownTimer that you can use. We set up this, and the countdown display, as private member variables. In onCreate() we use the built-in setContentView method to grab our XML layout The R.foo.barsyntax is a standard way to refer to Android XML resources in your code, so you'll see it a lot. findViewById is another method you'll use a lot; here, it grabs the display and the Start button from the XML layout. For the Button to work when clicked, it needs an OnClickListener. This is an interface, so must be subclassed. We could create a whole new MyButton class to do this, but this is overkill for a single button. Instead, we do it inline, creating a new OnClickListener and its onClick() method. Ours simply calls showTimer() on the number of milliseconds we want to use (currently hard-coded). So what does showTimer()do? private void showTimer(int countdownMillis) { if(timer != null) { timer.cancel(); } timer = new CountDownTimer(countdownMillis, MILLIS_PER_SECOND) { @Override public void onTick(long millisUntilFinished) { countdownDisplay.setText("counting down: " + millisUntilFinished / MILLIS_PER_SECOND); } @Override public void onFinish() { countdownDisplay.setText("KABOOM!"); } }.start(); } The CountDownTimer class does most of the work for us, which is nice. Just in case there's already a running timer, we start off by cancelling it if it exists. Then we create a new timer, setting the number of milliseconds to count down (from the showTimer() parameter) and the milliseconds per count interval. This interval is how often the onTick()callback is fired. CountDownTimer is another abstract class, and the __onTick()__ and __onFinish()__ methods must be implemented when it is subclassed. We override onTick() to decrease the countdown display by a second on every tick; and override onFinish() to set a display message once the countdown finishes. Finally, start() sets the timer going. If you select 'Run' in Eclipse, you can choose to run this as an Android app, and an emulator will automatically be generated and run for you. Check out the Android docs if you need more information on setting up an emulator, or on running an app from the command line. Congratulations, you've written your first Android app! In the second part of this series, we'll have a closer look at the structure of an Android app, and make some improvements to the timer to input a countdown time, a Stop button, and menu options. We'll also look at running it on a physical phone rather than the software emulator. For more information in the mean time, you can check out the Android Development Training section of The Linux Foundation's Linux training website. Sursa: Android Programming for Beginners: Part 1 | Linux.com

Brute Force Attack With Burp In many occasions as a penetration testers we will have to face a web application where it will contain a login form which we will have to test it for weak credentials.Burp Suite is probably the best tool to be used when assessing web applications.Burp’s main use is to be a proxy interceptor,however provides a lot of other functions to penetration testers and it can also be used to attack a login form.In this article we will examine how we can use Burp in order to perform a brute force attack on a web application. Let’s say that we have the following login form: Login Form We will try to submit a username and a password and we will use the Burp Suite in order to capture the HTTP request. Capturing the HTTP Request Then we will send the request to the Intruder (Action—>Send to Intruder) and we will clear the positions on the request that we will not need to insert payloads which are the $low$ and session cookie.So we will leave the following positions: Remaining Positions As an attack type we will choose the cluster bomb because this type of attack it can take each word of the username list and it can run it against each word of the password list in order to discover the correct credentials. Now it is time to set the payloads on the three positions.So we will load our wordlists that contains usernames and passwords in the payload options of Burp and for the 3rd position we will just put as an option $Login$.In the next three images you can see this configuration. Payload Set 1 – Usernames Payload Set 2 – Passwords Payload Set 3 – Login Everything now is ready and we can start the attack on the Intruder.The Intruder will start sending HTTP requests to the form based on our payloads and it will try all the possible combinations. Cluster Bomb – Intruder After the inspection of the responses we will notices that Burp has successfully logged in under the credentials smithy/password. Discovery of valid credentials We can now go back to the application and to try to get access to the admin area with this username and password. Access in the admin area Conclusion As we saw in this post Burp is also capable to perform brute force attacks against web applications.Login forms can be found almost in every web application and the intruder tool can help the penetration tester to automate his tests.The discovery of valid administrator credentials can make the difference in black-box penetration tests. Sursa: https://pentestlab.wordpress.com/2012/12/21/brute-force-attack-with-burp/

Eu tot nu inteleg. Ce legaturi sa faca? Singurele legaturi se pot face username - IP (probabil foarte putine oricum). Restul sunt informatii PUBLICE. Daca cineva e speriat ca a facut ceva chiar ii recomand sa isi faca un alt cont si sa aiba grija ca nimeni sa nu isi dea seama de vechea sa identitate. Care ar fi rostul unui inceput de la 0? DE CE? Nimeni nu vine cu o explicatie logica, parca ati fi femei...

Study Of Malware Obfuscation Techniques Description: PRESENTATION ABSTRACT: Malware is widely acknowledged as a growing threat with hundreds of thousands of new samples reported each week. Analysis of these malware samples has to deal with this significant quantity but also with the defensive capabilities built into malware. Malware authors use a range of evasion techniques to harden their creations against accurate analysis. The evasion techniques aim to disrupt attempts of disassembly, debugging or analyse in a virtualized environment. This talk catalogs the common evasion techniques malware authors employ, applying over 50 different static detections, combined with a few dynamic ones for completeness. We validate our catalog by running these detections against a database of 4 million samples (the system is constantly running and the numbers will be updated for the presentation), enabling us to present an analysis on the real state of evasion techniques in use by malware today. The resulting data will help security companies and researchers around the world to focus their attention on making their tools and processes more efficient to rapidly avoid the malware authors' countermeasures. This first of its kind, comprehensive catalog of countermeasures was compiled by the paper's authors by researching each of the known techniques employed by malware, and in the process new detections were proposed and developed. The underlying malware sample database has an open architecture that allows researchers not only to see the results of the analysis, but also to develop and plug-in new analysis capabilities. The system will be made available in beta at Black Hat, with the purpose of serving as a basis for innovative community research. ABOUT RODRIGO RUBIRA BRANCO Rodrigo Rubira Branco (BSDaemon) is the Director of Vulnerability & Malware Research at Qualys. In 2011 he was honored as one of the top contributors to Adobe Vulnerabilities in the past 12 months. Previously, as the Chief Security Research at Check Point he founded the Vulnerability Discovery Team (VDT) and released dozens of vulnerabilities in many important software. Previous to that, he worked as Senior Vulnerability Researcher in COSEINC, as Principal Security Researcher at Scanit and as Staff Software Engineer in the IBM Advanced Linux Response Team (ALRT) also working in the IBM Toolchain (Debugging) Team for PowerPC Architecture. He is a member of the RISE Security Group and is the organizer of Hackers to Hackers Conference (H2HC), the oldest security research conference in Latin America. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Study Of Malware Obfuscation Techniques

Element 1337 In The Periodic Table: Pwnium Description: PRESENTATION ABSTRACT: Starting with the earliest Chromium Security Reward Program, we'll look at the evolution from $500 in 2010 to $60000 in 2012. Along the way, we'll look at the events and motivations that directed the growth of the program, as well as celebrate some of the more interesting and quirky bugs and individuals involved. Most excitingly, we'll end with results and updates from the previous day's exciting Pwnium 2 competition! There will be lots of time for audience questions. ABOUT CHRIS EVANS Chris is known for various work in the security community. Most notably, he is the author of vsftpd and a vulnerability researcher. Details of vsftpd are at http://vsftpd.beasts.org/. He releases vulnerabilities at http://scary.beasts.org/. His work includes vulnerabilities in the Firefox and Safari browsers; the Linux and OpenBSD kernels; Sun's JDK; and lots of open source packages. He blogs about some of his work at Security. At Google, Chris has led or been involved with the security of projects such as Google App Engine, Google Spreadsheets, Picasa Web and Google Finance. He now leads security for Google Chrome. He has presented at various conferences. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Element 1337 In The Periodic Table: Pwnium

Dnswalk Tool On Backtrack 5 R3 Description: Dnswalk is a DNS debugger. It performs zone transfers of specifieddomains, and checks the database in numerous ways for internalconsistency, as well as accuracy. dnswalk is not for the faint of heart. It should NOT be used without a firm knowledge of the DNS RFC's. The warnings and errors must be interpreted within the context they are being used. Something may be flagged as a warning, but in reality it is a really bad error. Conversely dnswalk will flag things as warnings and possibly even errors, but they may actually be perfectly "legal" or normal in your specific situation. dnswalk is not an AI engine. It just provides useful information which you need to interpret. If you use this tool for cracking or otherwise evil purposes, the author hereby considers you a slime-ball. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Dnswalk Tool On Backtrack 5 R3

Man-In-The-Middle Attack Using Ipv6 Description: In this video you will learn how to perform a man in the middle attack on IPv6 system. So he will shows us how to setup your attack tools and how to start spoofing etc.. after all the configuration he will shows us how you can Hack the user , And if users logged somewhere you will get the pain text password. So he will shows us this demo on Facebook. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Man-In-The-Middle Attack Using Ipv6

Self Defending Database Description: PDF : - https://hacktivity.com/en/downloads/archives/215/ His expertise covers security of enterprise business-critical software like ERP, CRM, SRM, SCADA,PLC, banking and processing software. He is the manager of OWASP-EAS (OWASP subproject), a well-known security expert of the enterprise applications of such vendors as SAP and Oracle, who published a significant number of the vulnerabilities found in the applications of these vendors. He is the writer of multiple whitepapers devoted to information security research, and the author of the book “Oracle Security from the Eye of the Auditor: Attack and Defense” and one of the contributors to "Oracle with Metasploit" project. Alexander has spoken at international conferences such as BlackHat, HITB (EU/ASIA), Source, DeepSec, CONFidence, Troopers. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Self Defending Database

Android Security - An Introduction Description: PDF : - https://hacktivity.com/en/downloads/archives/207/ During his studies at the Swiss Federal Institute of Technology Antonio focused on information security topics with a special interest in system, network and software security. While studying, he worked as a part-time Software Engineer for a Swiss cable TV and Internet provider. After graduation he started to work as an IT Risk Officer for a Swiss financial institute where he performed IT risk assessments and technical security audits for business-critical applications and infrastructure components. In this function, he gained experience in technical security testing and IT risk assessment methodologies. In June 2011, Antonio joined AdNovum Informatik AG as a Software Engineer where he works on security-related projects. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Android Security - An Introduction

Post Exploitation – Discovering Network Information In Windows In network infrastructure penetration tests if we manage to exploit one system then it is easy to obtain information for the network that this system is part of.This information is important because in almost every network penetration test the ultimate goal is to become domain administrator and in order to achieve that it is necessary to know the appropriate commands that will help us to gather information about the network that we are already inside.In this article we will see how we can gather information about windows networks that we are conducting the penetration test from the system that we have already exploited. Lets say that we have exploited a windows system and we want to know more about the network that this system belongs to.The first and most common command is of course the ipconfig /all which it will display to us all the information about the network adapters of the host and the Windows IP configuration as the picture below is showing: ipconfig /all Another command is the ipconfig /displaydns which it will display the contents of local DNS cache. Display Local DNS Cache Systems in internal networks most of the times contain shared folders which can be listed with the command net share. System Shares We might also want to discover other internal networks that exist by examining the machine routing table with the command route print. Routing Table The ARP -A command will list all the systems that are currently in the machine’s ARP table helping us to discover other valid hosts. ARP Table We can also use the network diagnostic command of the system to obtain information about operating system,network adapters,network clients and other network configuration with the command netsh diag show all. network diagnostic Another information that is important to learn about the host that we have exploited is to see which other hosts are on the same workgroup.The command that we will need to type is the net view. Discover Hosts on the same workgroup Last but not least the netstat command can be used with the parameters -n -a -o to display all the active connections along with the IP addresses and process ID of each connection. Active Connections Conclusion In this article we saw some common commands and their output that can be used for post exploitation activities in Windows networks.The majority of these commands will help us to identify new hosts and network shares which can lead us to compromise further systems on the network. Sursa: Post Exploitation – Discovering Network Information In Windows

Reverse-Engineering Arrays Dejan Lukan December 19, 2012 Introduction Whenever we would like to reverse-engineer a function, we need to know exactly how the function is being called: its calling convention, number of parameters, parameter types, parameter values, etc. After the Ida analyzes the program, it will create comments for known parameters being passed to known functions. The function names will also be preserved and an automatically generated name will not be assigned to that function. An example of such a function is GetCurrentDirectoryA , a function call we can see in the picture below: We can see that the address of a function GetCurrentDirectoryA is being pushed into register edi. Then we’re moving a hexadecimal value 0×104 into register esi. Let’s ignore the jump instruction for now, since it’s not important at the moment. Then we’re loading some address to the register eax, which is currently unknown, and pushing that address to the stack as an lpBuffer parameter. After that we’re pushing the register esi as parameter nBufferLength to the stack and calling the GetCurrentDirectoryA function. If we go to the MSND website and take a look at the GetCurrentDirectoryA function prototype, we will see the following: We can see that Ida has correctly identified the names of the parameters that we’re pushing on the stack right before calling the GetCurrentDirectory function. If we take a look at the explanation of the function, we’ll figure out that the nBufferLength parameter specifies the length of the buffer for the current directory string, including the null character. The lpBuffer parameter holds a pointer to the buffer that receives the current directory string. If the function succeeds, the return value specifies the number of characters that are written to the buffer, not including the terminating null character. If the function fails, the return value is zero. To get extended error information, call GetLastError [1]. We saw that Ida automatically recognized the parameters that were passed to the GetCurrentDirectoryA function, which can be a great help when reverse-engineering a binary. But we must also mention that Ida doesn’t always know how to identify the parameters being passed to known functions, so from time to time we’ll have to rely on our own knowledge to identify those parameters. In the next part of the tutorial we’ll present a few basic programs and their disassembled versions to show how the higher-level C++ code is compiled into lower-level assembly code. First we must present a few basic programs in C++ we’ll use to compile into their binary form, which we’ll later analyze. We’ll present the C++ code that uses arrays in different situations and then reverse-engineer it in Ida. Global Arrays We know that arrays are contiguous blocks of memory, but we must differentiate between the locations where the arrays are stored. The arrays can be stored in a global scope of the program, on the stack, or on the heap. The first program that stores the array in a global scope of the program, written in C++, is presented below: [TABLE] [TR] [TD=class: gutter]1 2 3 4 5 6 7 8 9 10 11[/TD] [TD=class: code]#include int a[10]; int main(int argc, char **argv) { for(int i=0; i a = i; } return 0; }[/TD] [/TR] [/TABLE] We can see that the program is very simple; first we’re creating an array in the global scope of the program, which we’re iterating in the main function of the program and assigning each element their corresponding index. At the end the array will look like this: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 (the index starts at 0). If we compile and run the program right now, it won’t do anything, since we’re not printing the array on the screen. An example of this can be seen on the picture below where we first compiled the program into the array1 executable and later run it on the system: If we open the array1.exe executable in Ida now, the program will be analyzed and Ida will present the start method, which can be shown below: We can see that the start method initializes the stack and then calls the sub_401000 function to do its work. In order to further declare what the executable actually does, we need to examine that function. It’s good if we can first present the graph of how the functions are called in the current executable; the xrefs graph can be seen in the picture below: In the C++ code, we know that we’re assigning the number 11 to the ninth element of the array, so it would be a good idea to search for immediate value 0xB (the number 11 in hexadecimal representation) using the Search – Search immediate functionality. The following window will be presented to us: In the “Value to search” box we entered the value 0xB and checked the “Find all occurrences,” then pressed the OK button. Ida will look for all 0xB immediate constants throughout the program and will display a view notifying us about them. The view will look like on the picture below: We can see that many of the immediate 0xB constants were found, but we’re looking for such a constant in the .text section of the program, so only the first five options are really relevant. Most probably, the fifth option isn’t the one we’re looking for, since it’s comparing the 0xB constant to the value stored in register eax, and we’re looking for an assignment of the constant 0xB to some value. Thus, we need to scroll over only the four options that are left; we’ll quickly find out that it’s the forth option that we’re looking for and it’s located at the 0x004013C3 virtual address. The whole code of the function that also holds the 0x004013C3 location is presented on the picture below: The function’s name is sub_40138C and it is being called from the function sub_401000 (notice the cross reference). Actually, this is the function that we’re looking for, because the code presented above loops through the array and assigns the appropriate values to each element of the array. The graphical representation of the code above is presented on the picture below: On the loc_4013B7, we can see that we’re comparing the value stored at the [esp+20+var_4] to a constant 9, which is exactly our comparison of a for loop in C++ code. If the number stored at that address doesn’t equal to 9, then the program execution is redirected to loc_4013A4. That subsection increments the specified value by 1 and continues the looping process. When the loop is done, we’re jumping to the last block on the picture above, where we’re storing the 0xB constant in the eax register and overwriting the last entry in the array. Then we’re storing the offset to the cout function on the [esp+20+var_20] and printing the last entry of the array. At the end we’re returning 0 and quitting the program. If we right click on the dword_405020 variable and select “Jump in a new window,” the disassembly of that virtual address will open in a new window as we can see in the picture below: We can see that we’re referencing the dword_405020 variable that is part of the .bss section that holds the variables which can be allocated at compile-time rather than run-time. We know that the .bss section contains the uninitialized global variables that are declared outside any function. After the function is done executing, the memory will look as we can see in the two pictures below; the first picture presents the hexadecimal view and the second picture presents the disassembly view of the memory in question: We can see that both pictures present an array of integers, where the numbers are being increased from 1 to 9 and saved into contiguous memory locations. But why are three out of four bytes marked as zero? It’s because each integer is 4 bytes in size, but we’re only using 1 byte, since the numbers are very small, so the other three bytes must be left at zero. If we take a look at the instruction that writes the number to the specified memory locations, we can see that it’s using the “dword_405020[eax*4]” to index the right element in an array. The usage of eax*4 indicates that each element in an array is 4 bytes long. Local Arrays In the previous example we saw how the array is being accessed and written to when using global arrays where the compiler knows its address at compile-time; but if we try to use a local array, the virtual address to the start of the array is not known in advance, only at run-time. Let’s present the same program we used in the previous example, but move the array inside the main function, so the whole program will look like this: [TABLE] [TR] [TD=class: gutter]1 2 3 4 5 6 7 8 9 10 11 12[/TD] [TD=class: code]#include int main(int argc, char **argv) { int a[10]; for(int i=0; i a = i; } a[9] = 11; std::cout << a[9] << std::endl; return 0; }[/TD] [/TR] [/TABLE] If we compile and run the program again, it will look like the picture below: We can see that we compiled the program with g++ compiler and when we run it, the program output the number 11 as it should. If we now disassemble the program in Ida and find the function that initializes and declares the array, we will find something like the picture below: Notice the difference in assigning the values to the array. In the previous example, the assignment operations were as follows: [TABLE] [TR] [TD=class: gutter]1 2[/TD] [TD=class: code]mov ds:dword_405020[eax*4], edx mov ds:dword_405044, 0Bh[/TD] [/TR] [/TABLE] The current assignment operations are the following: [TABLE] [TR] [TD=class: gutter]1 2[/TD] [TD=class: code]mov [esp+eax*4+40h+var_2C], edx mov [esp+40h+var_8], 0Bh[/TD] [/TR] [/TABLE] Before we used the global variable for which the space has already been assigned at compile-time: the dword_405020 variable. But with the local array there is no default variable that is assigned at compile-time. Instead, the space in memory is assigned dynamically at run-time. At the latter example we can see that the index to the array is calculated with [esp+40h+eax*4+var_2X] index, which is a clear indication that the ESP register is also used to define the exact memory location, so the array must be local and declared on the stack. When the global array was used, the dword_405020 variable was used to define the exact virtual address of the memory location, but here it’s the ESP register. The var_2C is a local variable that holds a negative number that needs to be added to the ESP virtual address to get the address of the array on the stack. When assigning 0xB constant to the ninth element of the array, the var_8 local variable is used, which is used to calculate the exact address of the ninth element on the local array variable on the stack. The var_2C local variable holds the value of -0x2C, while the local variable var_8 holds the value -0×8. The [esp+eax*4+40h+var_2C] is evaluated as [esp+14h], [esp+18h], [esp+1Ch], etc, while the [esp+40h+var_8] is evaluated as [esp+0x38]. This makes perfect sense and exposes all the virtual addresses of all the elements of local array. The first element a[0] is located at [esp+14h], the second argument a[1] is located at [esp+18h], etc, and the last argument a[9] is located at [esp+38h]. Heap Arrays There’s one more place where we can allocate arrays: on the heap. To do that, we must introduce the new keyword into the C++ program. If we rewrite the program so it will use the heap for storing the array, the actual code will look like the one below: [TABLE] [TR] [TD=class: gutter]1 2 3 4 5 6 7 8 9 10 11 12[/TD] [TD=class: code]#include int main(int argc, char **argv) { int *a = new int(10); for(int i=0; i a = i; } a[9] = 11; std::cout << a[9] << std::endl; return 0; }[/TD] [/TR] [/TABLE] Notice that the use of new keyword operation reserves space on the heap at run-time. The picture below presents the compiling and running the program the same way as we already did in the previous two examples. When we load the array3.exe executable into Ida, we can quickly locate the relevant function inside it, since the program is basically the same as before. The graphical overview of the relevant code is presented in the picture below: In the first block above, we’re initializing the stack and then moving the value 0×28 to the stack, which is the first and only parameter to function Znaj, which symbolizes the call to the new keyword. The 0×28 bytes is exactly 40 bytes, which is: 10*4=40 bytes (10 elements of the array). After the initialization, the virtual address is stored in eax register, which is then saved into the [esp+20h+var_8] variable on the stack. The [esp+20h+var_4] value holds the index to the array, which is first initialized at 0 and then increased to 9. The “mov [eax], edx” instruction saves the current index value on the address returned by the new operation, which is a memory region on the heap. Conclusion We’ve seen different uses of arrays in assembly language. The easiest way to figure out we’re dealing with an array is noticing the use of eax*4 index, which increases the array index in each iteration by 4. References: [1]: GetCurrentDirectoryA function, accessible on http://msdn.microsoft.com/en-us/library/windows/desktop/aa364934(v=vs.85).aspx. Sursa: InfoSec Institute Resources – Reverse-Engineering Arrays

Reverse Engineering Structures Dejan Lukan December 18, 2012 Introduction In this part of the tutorial, we’ll take a look at how we can figure out a structure when reverse engineering a binary. First, we must write a C++ program that declares and uses the structure, so that we’ll be able to reverse engineer it. The basic difference between arrays and structures is the fact that we’re using an index to address consecutive elements of the array, whereas with structures we’re using named members to access specific data within the structure. When working with structures, we must keep in mind that the size of the structure is declared as the sum of all its data members aligned on word boundary in memory. What does that mean? It means that the compiler will align each data structure on a 4-byte boundary, so it can read and write member values from memory more efficiently. Global Structures The program written in C++ that uses global structures can be seen below: #include <iostream> struct s { int x; int y; int z; double value; } mys; int main(int argc, char **argv) { mys.x = 1; mys.y = 2; mys.z = 3; mys.value = 9.9; std::cout << mys.value << std::endl; return 0; } Let’s compile and run the program to see what it does. We can do that by downloading the MinGW software package in Windows and issue the two commands that can be seen on the picture below: We compiled the program with the g++ compiler and after running it, the program outputted the number 9.9. In the source code of the program, we’re first defining a structure that has four members: variable x, an integer; variable y, an integer; variable z, an integer; and variable value, a double. The structure can represent points and their values in a three-dimensional space. We’re also defining an instance of the structure named mys when declaring the structure: note that this is just a shortcut to declaring the structure in a normal way like “struct s mys.” If we load the program in Ida, we can quickly find the following disassembly that initialized the numbers 1, 2, 3 to the x, y, z members of a structure and which defined the value of member ‘value’ to be 9.9. The disassembly can be seen on the picture below: In the assembly code, we can see the direct assignment of values 1, 2, 3 and 9.9 to a certain memory location by using the variables dword_405020, dword_405024, dword_405028 for variables x, y and z and dword_405030, dword_405034 for variable ‘value’. In the assembly code, there is no math involved at all, so we really can’t be sure if the structure is involved or not. The way we see it, the program references a few global variables rather the members of the structure. Local Structures First let’s present the C++ program that allocates the structure locally and declares its members. Basically, the program is the same as with the global structures, except that the structure is declared locally; all the rest is the same. The whole C++ program is as follows: #include <iostream> struct s { int x; int y; int z; double value; }; int main(int argc, char **argv) { struct s mys; mys.x = 1; mys.y = 2; mys.z = 3; mys.value = 9.9; std::cout << mys.value << std::endl; return 0; } We can see that we’re first declaring the structure with four members: variable x, y and z that are of type int and variable ‘value’ that is of type double. We can copy the program to Windows executable, compiling it and running it. We can see that on the picture below: Okay, so the program works as expected, because it outputs the number 9.9. But we’re interested in the disassembled version of the program that we can obtain very quickly by opening up the executable in Ida Pro and finding the appropriate section of the executable. The disassembly listing can be seen below: In the disassembly function, we can quickly figure out that we’re using 0×30 bytes for local variables, which is the fact that we’re declaring the structure locally. In the previous example where we declared the structure globally, we only used 0×10 bytes on the stack for local variables. We can also see that this time, we’re now assigning the values 1, 2, 3 and 9.9 to different global variables inside the assembly, yet we’re actually using the stack pointer ESP with the right offsets to access certain members of the structure. The x variable from the C++ code lies at the address [esp+30h+var_18], which means that the local variable var_18 is used to reference the x member of the structure. The same goes for other members, where var_14 is used for member y, var_10 is used for member z and var_8 and var_4 are used for member ‘value’. This gives us the picture that the function is using different local variables to hold the values assigned to them, but in reality we’re defining the members of the previously defined structure ‘s’. When we know how a certain function uses a structure, we can rename the local variables to define the structure more clearly. This also presents another useful feature of Ida: renaming the variables automatically generated by Ida itself. The disassembly of the renamed local variables could look like the picture below: Notice that the local variables that used the offset into the structure are not renamed to define their real members x, y, z and ‘value’? This can be a valuable help if we would like to share our work with others; maybe putting a few comments in there wouldn’t be such a bad idea. Heap Structures Heap structures are basically the same as local or global structures, except that they are defined on heap. I guess we should first present the program written in C++ that does exactly that: it allocates the structure on the heap and then allocates certain values to its members and prints the value stored in memory ‘value’. Such a C++ code can be seen below: #include <iostream> struct s { int x; int y; int z; double value; }; int main(int argc, char **argv) { s *mys = new s; mys->x = 1; mys->y = 2; mys->z = 3; mys->value = 9.9; std::cout << mys->value << std::endl; return 0; } Upon compiling and running the example code above, the program will print the value 9.9 as we can see on the picture below: When we load the program with Ida Pro, we can quickly find the relevant code the above program was compiled into. The assembly version of the above program can be seen on the picture below: Notice that we’re first calling the Znwj function that equals the new function in C++. That function creates a new struct on the heap and stores the pointer to the structure in eax, which we’re writing to the address on stack [esp+20h+var_4]. Afterwards, we’re using this pointer to get access to various structure members by using the appropriate offset into the structure: [eax], [eax+4], [eax+8], [eax+10] and [eax+14]. We’re also passing the 0×18 constant to the new function, which means that the struct’s size is 0×18 (24 bytes). Defining Structures Manually in Ida In the preceding examples we saw how the structures from C++ were translated into assembly code. Let’s summarize how the structure members were accessed in each of the three examples. When we declared the structure globally, the structure was accessed as follows: [TABLE] [TR] [TD=class: gutter]1 2 3[/TD] [TD=class: code]mov ds:dword_405020, 1 mov ds:dword_405024, 2 mov ds:dword_405028, 3[/TD] [/TR] [/TABLE] When we declared the structure locally, the structure was accessed as follows: [TABLE] [TR] [TD=class: gutter]1 2 3[/TD] [TD=class: code]mov [esp+30h+var_18], 1 mov [esp+30h+var_14], 2 mov [esp+30h+var_10], 3[/TD] [/TR] [/TABLE] When we declared the structure on the heap, the structure was accessed as follows: [TABLE] [TR] [TD=class: gutter]1 2 3 4[/TD] [TD=class: code]mov eax, [esp+20h+var_4] mov dword ptr [eax], 1 mov dword ptr [eax+4], 2 mov dword ptr [eax+8], 3[/TD] [/TR] [/TABLE] We can see that in the second and third case, we’re using offsets to access certain members of a structure. We should tell Ida that we’re dealing with a structure since Ida can only detect the use of a known structure by itself, but it certainly can’t detect using the custom structure as we did in the above cases. We can open the Structures window by going to View – Open Subviews – Structures to see if Ida has detected the use of any structure in the program. Currently there are no structures in this executable as we can see below: There are some comments presented in the structures view that informs us of how we can use the structures window. To create a structure, we can press the Insert key, while the Del key deletes a structure. We want to press the Insert key to insert a new structure. Upon doing that, the following dialog box will pop-up: We need to enter the name of the structure, which is only the letter ‘s’ and press OK. A new empty structure will be added to the Structures windows as can be seen on the picture below: To add members to the data structure, we must position our cursor to where we want the structure to be and press the letter ‘d’. We must then press the letter ‘d’ as long as the added member isn’t the required size as it should be. Afterwards, we can right-click the name, which is by default field_0 and change its name to something else. Using that approach, we must add all members of a certain structure, which in our case are the variables x, y, z and ‘value’. We must also ensure the proper alignment of all the fields in the array. At the end, we can even collapse the structure with the minus ‘-’ sign to represent it in one line; the opposite operation of that is to expand the structure by pressing the plus ‘+’ sign. There is an easier way to create a structure in Ida – we can import the structure written in C/C++ programming language itself by importing the header file into Ida. We can do that by first creating the header file, which will contain only the defined structure itself and nothing else. Then we need to go to File – Load File – Parse C Header File and choose the created header file. Ida will parse and import it and then display the following notification window: The window tells us that the structure was successfully imported. After that, we should go to the Structures window and Insert a new structure with the same name as what we imported from the header file. This will actually add the structure among all the structures in the executable. We can see the structure ‘s’ being added to the structure window below: To use the structure in the disassembly listing, we have to double click on the offset that is being used to reference different members of the structure. Let’s take a look at the following program disassembly: In the picture above, it’s already evident that we renamed the offsets that reference different members of the structure into x, y, z as valueH and valueL. After that, we should double-click on the variable x to be thrown at an actual stack frame memory address (this can be a memory allocated in any section) as follows: Then we should select the first variable of the structure, in this case variable x, and select Edit – Struct Var. This will display a list of known structures within the executable. In our case, only the imported structure ‘s’ is known, as we can see on the picture below: The structure will be applied to the current address and will consume as many bytes as the size of the structure. This is why we must always select the first member of the structure, because the structure will be applied to that memory address and its corresponding higher memory addresses. After the structure is applied to the current memory address, the disassembly will look like the picture below: We can see that it was worth it, because now the disassembly view is much clearer and easier to read. Notice that we now have a local variable named mystruct that is used later by the function to reference different members inside it. Conclusion We’ve seen how structures are reverse engineered in Ida debugger and how to recognize them. But what is more important is the fact that we’ve looked at how to import the structures in Ida and apply them to memory locations, which automatically updates the disassembly view to make it more readable and easier to understand. We should also keep in mind that Ida applies known structures from various system libraries to the executable by default when being analyzed. Usually, different structures are used in different API functions that are part of the system. All the recognized structures will also be added to the structures window, which we can use throughout the program analysis. Sursa: InfoSec Institute Resources – Reverse Engineering Structures

SELinux Raises the Bar Against Intruders: An Introduction Adrian Stolarski December 14, 2012 A task of any operating system is to provide software that strongly increases its security. A lot of programs of this type have been created; some are better than others. What does it look like in terms of Linux? Of course, here we have many more choices when it comes to this type of software, but some software is worth recommending. Some people already know what I mean: SELinux. Why choose this solution? Why do I think it is so different from other software of this type? And the last key question: who really should use it? This series will show what SELinux is and what it offers to each user. I hope that you will find the answer to all your questions. Despite the fact that SELinux uses the basic standards, it really is very revolutionary. This system, as the name suggests is Security Enhanced Linux! So I invite you to read this series and learn about this tool. What is SELinux and where did it come from? Do you want a book definition? Okay, no problem. SELinux is a system with MAC, or Mandatory Access Control. It implements a security policy called RBAC, Role-Based Access Control. This policy is implemented by DTAC, which is Dynamically Typed Access Control, which also translates as the domain name of Access Control System. True, it sounds a bit baffling. But in practice, it is really very simple. It is only the theory that seems highly complicated. And now it’s time forsomething much simpler: a little bit about the history of SELinux All work on SELinux is sponsored by the U.S. National Security Agency. The money goes to the team that is working on SELinux, the Secure Computing Corp. It should be noted that this company also owns all of the patents for the software. The idea of SELinux, a product that we all know today, is not really new; it is 20 years old. In 1992, a new idea for security resulted in a project called Distributed Trusted Match. The project developed some innovative solutions, which became part of an operating system called Fluke. Fluke evolved into Flux, which led to the development of Flask architecture. The Flask architecture was then integrated with the Linux kernel, and the whole newly created project was called SELinux. How did this happen? SELinux was the first security project in the history of scientists from NSA. NSA scientists were the first to have noticed that mainstream operating systems do not have a required critical security to enforce access control and separation of inside information on the requirements of consistency. The result is that most security mechanisms are vulnerable to manipulation and handling, which involves a cascade of consequences. The choice of Linux as a system for the NSA security project was not accidental. Linux was chosen because of two main features: • growing popularity • open developement environment NSA’s intention was to present a functionality that could succeed in mainstream operating systems and at the same time would have a chance to contribute to the improvement of the safety of commonly used operating systems. The project thate has been registered as SELinux resulted from several previous NSA projects. The work of NSA scientists (meaning researchers sponsored by NSA) was not intended to solve existing problems of security and SELinux is in no way an attempt to improve security in Linux. Changes in Linux only covered the introduction of new mechanisms. What is hiding in the middle of SELinux? In fact, three elements of this system should attract our attention. The first is the kernel. At first, SELinux tried several kernels, but today the complete infrastructure of SELinux uses the Linux kernel. It is, of course, slightly modified and is called LSM, Linux Security Modules.This infrastructure provides all possible interfaces that allow you to fully control access to all system objects when they are initiated by user actions. These are, for example, opening a file, creating a new folder, or binding ports. How does it work? Well, SELinux simply connects to the interface and forces the use of the system’s own security policy. From the point of view of the administrator who installs SELinux, this system is simply a patch for the kernel. The second element that I have to mention is that key programs are modified. How does it work in practice? In most cases, SELinux allows all programs a little bit of freedom. They do not need to understand that SELinux is not just Linux. But in any operating system there are some safety-critical software systems that must always be extended to support SELinux. These programs are primarily ssh, ls, ps, xdm, or login. And here again there is a role for the Linux. During installation or download, fully modified versions of these programs are required or security patches must be applied to the source programs to ensure the security of the system. The third and last thing that distinguishes SELinux are its rules, or policy. What is their role? They define access rights, the right to pursue activities in the system, and the behavior of SELinux system. Although I mention them third, they are the most important. These rules determine the effective action of the system. A large part of this article will be devoted to writing the rules and the way they are constructed in the system. The truth is that system administrators never, under any circumstances, should be required to write their own rules for the policy, unless there are custom requirements. However, every administrator should have the knowledge that will allow him to modify the rules to suit the system’s needs. In addition to knowing something and be able to use your knowledge, you need to understand all the rules that already exist in the operating system. How to really grasp the damn thing called MAC? As already mentioned, the system is a method of enforcing SELinux MAC. So let’s see exactly what it means to us as administrators. Well, I managed to find the main principle, applicable to all systems using MAC. In my opinion, it should be this: none of the users of the system has the right to decide in any way the security and rights of access to objects in the system. All of those rights and security should always be defined according to the security policy of the system. In the case of SELinux, they should be reflected in all policy records. MAC policy alone is very often confused with ACL. The facts very quickly refute this myth. In fact, ACL does not carry MAC policy. These lists also have yet another disadvantage. In practice, they are very complicated in terms of configuration and maintaining correctness. You can also say that they are different is in terms of action. ACL always specifies individual use cases, while MAC always sets out general principles. In fact, ACL support has been withdrawn from the Linux kernel version 2.4.x already Why did this happen? Because Linux kernel developers decided that ACLs are not really as good a way to control the powers and actions of the user in the operating system. Despite this, those lists are sometimes used. For example, if we have a Samba server, they are often used, because they allow you to set permissions for all the files from the Microsoft Windows client. Another heavy shortcut, or DTAC As I mentioned earlier, DTAC is Dynamically Typed Access Control, but it is often translated as the domain name of Access Control System. But that’s not what this section is about. Let’s focus on the real features of DTAC. Shall we begin? In the case of DTAC, each of the objects in the system, whether it is a directory, port, or any device, has its own unique type. What does this mean in practice? Some top-down rules are always forced on each object type . These rules in no way depend on the decision of the user, but the system administrator creates and controls the policy. This means that in any system that uses a DTAC, you can create any number of rules, a thousand or a million, and the system is always prepared. In addition, the system has whole sets of rules on how to take action on all objects of each type. We will return to this subject later. In fact, in the case of DTAC, control and validation testing of all rules are much easier than in other cases. As a curiosity, I should mention that IBM has developed a tool, whose main task is to automatically check the consistency and accuracy of security policy DTAC. Another heavy stand, the RBAC As I mentioned earlier, RBAC stands for Role Based Access Control. We can recognize that this is an access control system based on user roles in the system. This term is not often used. Where can we find it? Well, any standard Unix or Linux system has built-in Role Based Access Control. And the truth is that if you look closely at the UNIX system, the roles are always split. There are always certain types of system users, each of whom is entitled to exercise a very limited range of activities. This means that each of them performs a role within the UNIX system. There is another element that qualifies a standard UNIX system to become a system with built-in RBAC. There is something in them called SUID. As you all probably know, SUID can change the user’s role and the actions that can be performed by the user. How does this all work with SELinux? Well, it really is a SELinux RBAC system with built-in rules that are implemented by DTAC. SELinux system also extends what is called the philosophy of SUID. Thus, it can also extend the understanding of the role of users in the system. To summarize quickly: a SELinux system is designed to allow for a much more flexible way, which is also more accurate and much better suited to your needs, to identify and help implement user roles within the system. Summary This is really only a quick introduction to SELinux. The article describes the basics of the mechanism used on a daily basis in this system. It still does not do anything special, but the desire to write a summary of what it is captivated me. On our website, with SELinux we often capture 50 fixes critical to the security system in a very short time, less than seven days. Another decisive advantage is its ease of use. As a Linux system administrator, I have never met a tool that uses such simple rules, yet describes so much. Yet very few administrators so far know the SELinux system. My next article in this series will go a few stepsfurther. Sursa: InfoSec Institute Resources – SELinux Raises the Bar Against Intruders: An Introduction

[h=1]$36,000 USD reward for wanted hacker[/h]Posted by Geetansh Jindal Japan's National Police Agency has offered a monetary reward for a wanted hacker, use programming languages like C# to create a virus called "iesys.exe" and Hijack systems of innocent people to post aggressive messages on Internet on behalf of Users. Method called a "Syberian Post Office" to post messages to popular Japanese bulletin board. Hacker use cross-site request forgery exploit, that allow hackers to making online postings via innocent users automatically. The messages included warnings of plans for mass killings at an elementary school posted to a city website. It is the first time that Japan's National Police Agency has offered a monetary reward for a wanted hacker and will pay up to 3 million yen (US$36,000). The case is an embarrassing one for the police, in which earlier this year four individuals were wrongly arrested after their PCs were hacked and used to post such messages on public bulletin boards. "Up until now this type of reward was reserved for cases involving crimes like murder and arson, but the policy has recently been changed to include more types of crimes," an agency spokeswoman said. Sursa: $36,000 USD reward for wanted hacker - Hack Reports

[h=1]Download Nmap 6.25[/h]map 6.25 released with 85 new NSE scripts Download Nmap 6.25 After five months NMAP team release latest version of open source utility for network exploration or security auditing - NMAP 6.25 . It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Updates: integration of over 3,000 IPv4 new OS fingerprint submissions, over 1,500 service/version detection fingerprints, and of the latest IPv6 OS submissions and corrections better IPv6 traceroute support new poll and kqueue I/O engines for improved performance on Windows and BSD-based systems including Mac OS X added support for Unix domain sockets 85 new NSE scripts 12 new protocol libraries Windows 8 improvements targets-sniffer is now capable of sniffing IPv6 addresses a number of bugs affecting the software's security, stability and productiveness fixed. Download Nmap 6.25 Sursa: Download Nmap 6.25 - Hack Reports

[h=1]Windows 8 Security Stresses Exploit Prevention[/h]A look at some of the key security features in the Microsoft's new OS Dec 20, 2012 | 03:32 PM By Kelly Jackson Higgins Dark Reading Windows 8 won't be under the Christmas tree for most enterprises this year: it's too new and Windows 7 remains well-entrenched for now. But with the brand-new Windows 8, Microsoft has continued its strategy of building more security features into the operating system to help deflect attacks. One key theme in Windows 8 security is repelling exploitation: mainly making sure that when – that's when, not if – malware gets in, it can't actually do harm. That's right in sync with a growing sense of fatalism among enterprises and security vendors that has replaced the secure fortress mindset. It's no longer if or when you get hacked, but the assumption that you've already been hacked, with a focus on minimizing the damage. [The goal is to try to detect an attack as early in its life cycle as possible and to quickly put a stop to any damage, such as extricating the attacker from your data server -- or merely stopping him from exfiltrating sensitive information. See Damage Mitigation As The New Defense.] Windows 8 comes with security features that fit that major shift in security philosophy and approach. "We've made significant investments in Windows 8 to make sure that even if a vulnerability is discovered, the likelihood of a successful attack will have been minimized, if not eliminated," says Stella Chernyak, a member of the Windows 8 team at Microsoft, in a blog post today. Microsoft says it focused on three main areas of security in Windows 8: resisting malware, data encryption, and new authentication. Security experts applaud Windows 8's new features but question whether they mean much right now, especially since few organizations are ready to make the jump to Windows 8. "The bigger issue is the adoption of Windows 8. Nobody I've talked to is campaigning to implement it. Windows 7 is stable, and it doesn't have a crazy interface" like the new version of Windows, says Andrew Jaquith, CTO of Perimeter E-Security. Jaquith gives a thumbs up to the new security features in Windows 8. Still, it remains to be seen whether enterprises that eventually go Windows 8 will adopt the bulk of its security controls, he says. Here's a look at the three main security disciplines in Windows 8: 1. Malware repellant Just like there's no way to stop a determined hacker, there's no way to stop all malware, either. But Microsoft has included the so-called Secure Boot feature, which is based on the new Unified Extensible Firmware Interface (UEFI), which replaces the BIOS. "Secure Boot prevents a computer from booting into an operating system unless the boot loader code is digitally signed with a certificate derived from a key stored in the UEFI firmware," explains Paul Henry, security and forensic analyst at Lumension Security. The new Secure Boot feature in Windows 8 is aimed at blocking stealth malware such as bootkits and rootkits that can wrest control of the machine, according to Microsoft. The digital signature provides verification that the boot-loader code the UEFI reads from disk into memory is from a trusted source. "This effectively mitigates the risk of a malicious 'boot-kit' from being run on boot to facilitate persistent malware," Henry says. But given the rash of stolen digital certificates over the past year or so to sign and spread malware, "the jury is still out" on the ultimate effectiveness of Secure Boot, he says. Secure Boot combined with running Microsoft's AppLocker whitelisting feature and banning side-loading attacks is the best combination to prevent malicious code and apps from infiltrating the machine, Perimeter's Jaquith says. "Then you would get something very close to what [some] smartphones have [with] app modules that are trusted and you can trace them back to a known app source. Integrity can be verified through" Secure Boot, he says. Microsoft also has embedded an updated version of its Windows Defender anti-malware application in Windows 8. Microsoft recommends using just one anti-malware application on the Windows 8 machine, whether it's Windows Defender or another product. Lumension's Henry says Windows Defender has actually fared better than many other AV products in testing. AV Comparatives found that 13 of 17 AV products had equal or inferior heuristics than Windows Defender. "Even when adding behavioral protection in to the mix, Windows Defender still beat the performance of 4 of the 17 well-established commercial products tested," Henry says. Even so, "it shouldn't be your only defense." Overall, the new Windows Defender version is "more robust" than previous versions, says Nick Skrepetos, CTO of consumer software for Support.com. 2. Protecting the data itself. Encryption traditionally has had its woes: "One of the biggest challenges is the sheer amount of time it takes to provision encryption to the device. It can take hours, and in the case of some third party solutions, it can even block end user productivity while the encryption process is taking place," Microsoft's Chernyak says. Microsoft has beefed up BitLocker and BitLocker to Go, its data encryption features, in Windows 8. The OS offers Data-Only Encryption, where BitLocker encrypts only the sectors on the disk that include data. This trims encryption time down to minutes in many scenarios, according to Microsoft. There's also a new flavor of self-encrypting drive feature that works with BitLocker to encrypt data on the fly, using hardware-based processing to speed up the process. "Bitlocker has a new Bitlocker To Go capability that allows the encryption key for Bitlocker to be saved in the users' SkyDrive Account," Henry notes. Next Page: New virtual smart card 3. Authenticating and controlling user access. Windows 8 features Virtual Smart Card, a simplified multi-factor authentication feature. It's a software-based technology that can be used in lieu of physical smart cards. It works with existing smart card apps and management products, and doesn't require a physical card reader. "The virtual smart card feature can be used in place of existing smart cards with any application or solution that is smart card compatible – no server- or application-side changes are required," according to Microsoft's technical overview of the feature. The idea is to make smart cards more "mainstream" and inexpensive to deploy. Windows 8 also comes with a new access control function called Dynamic Access Control (DAC). It's a rules-based approach that eliminates the static list approach. Other goodies Among some of the other security features in Windows 8 are sandboxing and upgraded versions of Microsoft's Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) attack mitigation technologies. "The improvements to ASLR & DEP are combined with the new Windows 8 application sandboxing capability that effectively limits the access of a compromised application. This feature means the bad guys will be fighting an uphill battle to deliver effective exploits for Windows 8," Lumension's Henry says. Meanwhile, security researchers are already hammering away at Windows 8 for bugs. So far, most of the attacks targeting Windows 8 have basically been scams aimed at confusing and duping new Windows 8 users. Support.com's Skrepetos says his team has mostly seen rogue apps trying to mimic the Windows 8 user interface and trying to get victims to click on a link to "protect" Windows 8 with security applications, for instance. "Windows 8 is still unproven ground. Windows 7 has been around long enough, so there's been more time to [attempt to] exploit" it, Skrepetos says. Sursa: Windows 8 Security Stresses Exploit Prevention - Dark Reading

Aveti si SSL acum

[h=1]Programul de guvernare al CABINETULUI PONTA II, scris pe un Microsoft Word PIRATAT[/h]de Andrei Luca POPESCU Versiunea electronic? a Programului de guvernare a României pentru perioada 2013-2016, dat publicit??ii joi de Guvernul condus de Victor Ponta, este realizat? într-o versiune piratat? a programului Microsoft Office Word. Documentul a fost postat pe pagina de internet a Guvernului României. La propriet??ile documentului Word, pot fi observate numele autorului ?i compania pe numele c?reia este înregistrat? copia programului de redactare pe calculator – Microsoft Office Word. Autorul este C?t?lin Cîndea, angajat al Guvernului la cabinetul premierului Victor Ponta. La numele companiei apare „Grizli777”. O apari?ie comun? pentru utilizatorii de Microsoft Office piratat, „Grizli777” este numele grupului sau individului care s-a ocupat de „spargerea” programului original, prin furnizarea unei licen?e false care poate fi desc?rcat? de pe site-urile de specialitate. Folosind "crack"-ul produs de Grizli777, programul poate fi utilizat f?r? s? fie cump?rat. Sursa: Programul de guvernare al CABINETULUI PONTA II, scris pe un Microsoft Word PIRATAT - Gandul

[h=1]nullcon Delhi 2012: Microsoft EMET Attack Mitigations - By Neil Sikka[/h] EMET is a program that customers can deploy to defend vulnerable software from exploitation without any code changes, binary changes, or recompiling. In this talk, I will show how proof of concept programs that I write can be exploited, and how EMET can stop exploitation of these programs. In demonstrating my programs, I will first run my programs without EMET enabled and show that they successfully exploit the system, and explain how the exploit works. Then, I will enable EMET, and show that the exploit is blocked and the vulnerable program was crashed rather than exploited.

[h=1]nullcon Delhi 2012: Highly Harmful Audio Waves aka DTMF Fuzzing - By Rahul Sasi[/h] Paper would be on DTMF input processing algorithms [DSP] , that are often embed into PBX, IVR, Telephone routers and other devices that process DTMF input. PBX and IVR servers are often deployed for running Phone Banking App Servers, Call Center Application and other systems that uses phone to interact with them. If an attacker could trigger exception in DTMF processing algorithms, then they could crash the entire application server making a single phone call, causing the entire Phone banking in accessible, or no calls to the costumer service goes through. One such denial of Service could cause a lot of panic and the amount of damage would be pretty huge. We will be demonstrating lot of amusing remote DTMF attacks on Phone Banking, Tele-Voting, and Customer Support applications using DTMF. This talk is recommended for Pentesters, PCI|DSS consultants, Telephone Companies, Banks or anyone who uses a device interacted via Telephone.