Everything posted by Nytro
-
Algorithm problems for dummies
Link: http://petr-mitrichev.blogspot.ro/
Who is the author? Him: In the Olympics of Algorithms, a Russian Keeps Winning Gold - Technology Review
-
http://cugiralba.wordpress.com/2012/08/06/pe-cine-intereseaza-am-luat-aur-la-olimpiada-internationala-de-mate/
-
Yes, that's an idea too...
-
"4. Then the connection is IP to IP" - Lame.
-
Nice work, let's hope your bosses aren't RST members
-
Focus on the "secure" communication part, then contact me.
-
Mircea Badea's blog was hacked by vigilante hackers
Nytro replied to Nytro's topic in Security news
They had to mock this loser...
-
Mircea Badea's blog was hacked by vigilante hackers
What did you guys do?

6 August 2012, 12:54 | Author: Cristian Predoi

Mircea's blog fell today into the hands of hackers, who published an article accusing Laura Codruța Kovesi of protecting Emanoil Savin, the mayor of the town of Bușteni. At the end, the authors of the action apologized to Badea for the inconvenience.

"While the Romanian authorities, having been notified, refuse to get involved in investigating the wrongdoings, arguing that it is a personal matter of the petitioner and ignoring the illicit aspect of the acts of corruption, organized crime, money laundering, blackmail, embezzlement of funds, selective awarding of state contracts to 'pocket' firms and many other very serious crimes.., the Romanian Parliament has become the most luxurious penitentiary, with the richest free inmates. Prosecutor General C. Covesi does nothing but confuse justice with sport, throwing the javelin into the stands instead of at the target, including in the backyard of the justice system, where dozens of 'dalmatians' have been keeping the criminal files of the big corrupt ones for over 10 years," the vigilante hackers wrote on Mircea Badea's blog.

The post also includes five YouTube clips accusing Emanoil Savin, "the King of the Prahova Mafia". At the end, the one who hacked Badea's blog apologizes for the inconvenience. "PS: Don't be upset, Mr. Mircea Badea. I hope you will pay attention to me! I apologize if I caused you any trouble!" reads the end of the post.

After finding out that a post that did not belong to him was on his blog, the TV host raised the alarm on Twitter. "ATTENTION !!!!!! My blog has been hacked. I can no longer log into it. The last article, the one about Kovesi, is not mine. I'm trying to take action," Badea wrote on Twitter.

He also did not accept the apology of those who hacked his blog. "I see that these blog hackers like jail. They forgot when the riot police raided Ciutacu's guy. They want jail, let's give it to them. I'll sort them out quickly. All the illiterates think they're big hackers. Woe to their whore of a mother," Badea also wrote on Twitter.

Source: Mircea Badea's blog was hacked by vigilante hackers
-
Post a demonstrative screenshot, I don't know, something. And the rest of you, refrain from idiotic and useless comments.
-
I was referring to the stupidity of "encrypting" the passwords... Put the password in plain text.
-
Stop it with this password crap.
-
Owasp - Old Webshells, New Tricks With Ryan Kazanciyan, Mandiant

Description:

The Presentation

Web shells, malicious scripts that provide an attacker with the ability to upload files, execute commands, conduct reconnaissance, and perform other command-and-control activities on a compromised web server, are nothing new. They've been in the wild ever since the first web server and application exploits reared their ugly heads over a decade ago. Modern application security and server hardening processes have rendered them all but obsolete tools for desperate script-kiddies, right? Wrong. In this presentation we will discuss how web-based backdoors continue to be leveraged by sophisticated, targeted attackers and the challenges that they pose to forensic analysts conducting large-scale investigations. In particular, we will focus on the usage of web shells as a post-exploitation mechanism for maintaining persistence in an environment (a backup method of remote access) rather than a tool utilized in the initial entry vector. We will focus on the forensic artifacts that usage of such malware leaves behind on the host and on the network, and discuss techniques for rapidly identifying unknown web-based malware across servers.

The Speakers

Ryan Kazanciyan

Ryan Kazanciyan is a Principal Consultant with Mandiant and has ten years of experience specializing in incident response, forensic analysis, penetration testing, and web application security. He has spent the past four years leading investigation and remediation efforts for highly-targeted attacks affecting organizations in the defense, technology, utilities, government, and financial services sectors. Mr. Kazanciyan has experience with analysis of host and network-based indicators of compromise, disk and memory forensics, and malware identification and triage. He also has an extensive background managing and executing large penetration testing and application security assessments. Mr. Kazanciyan has leveraged his consulting experience to lead training sessions for a variety of audiences in law enforcement, the federal government, and corporate security groups. He has taught courses on incident response, forensic analysis, penetration testing, and web application security. He has also presented at industry and security conferences including Black Hat, DoD CyberCrime, ShmooCon, Infragard, and ISACA.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source: Old Webshells, New Tricks with Ryan Kazanciyan, Mandiant on Vimeo

Source: Owasp - Old Webshells, New Tricks With Ryan Kazanciyan, Mandiant
-
Owasp - Pentesting Smart Grid Web Apps With Justin Searle, Utilisec

Description:

The Presentation

Web applications have not only conquered most user interfaces in traditional IT markets, they are also quickly replacing most user interfaces in critical control systems such as SCADA, Smart Meters, Distribution Management, and other Smart Grid master servers. And if the servers weren't enough, now they are starting to appear in the embedded devices deployed in the field. This talk will discuss all the places where web applications and web services are being used in today's modern electrical grid. We will also discuss the challenges that penetration testers new to critical control systems will face and how they can successfully overcome those challenges.

The Speakers

Justin Searle

Justin Searle is a Managing Partner of UtiliSec, specializing in Smart Grid security architecture design and penetration testing. Justin led the Smart Grid Security Architecture group in the creation of NIST Interagency Report 7628 and currently plays key roles in the Advanced Security Acceleration Project for the Smart Grid (ASAP-SG), National Electric Sector Cybersecurity Organization Resources (NESCOR), and Smart Grid Interoperability Panel (SGIP). Justin has taught courses in hacking techniques, forensics, networking, and intrusion detection for multiple universities, corporations, and security conferences, and is currently an instructor for the SANS Institute. In addition to electric power industry conferences, Justin frequently presents at top security conferences such as Black Hat, DEFCON, OWASP, and AusCERT. Justin co-leads prominent open source projects including the Samurai Web Testing Framework, Middler, Yokoso!, and Laudanum. Justin has an MBA in International Technology and is a CISSP and SANS GIAC certified Incident Handler (GCIH), Intrusion Analyst (GCIA), and Web Application Penetration Tester (GWAPT).

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source: Pentesting Smart Grid Web Apps with Justin Searle, Utilisec on Vimeo

Source: Owasp - Pentesting Smart Grid Web Apps With Justin Searle, Utilisec
-
HTML5 WebSockets Identified As Security Risk
WebSockets offer the promise of improved TCP connections, but do they also invite new forms of attack on your applications and infrastructure?
By Sean Michael Kerner | July 31, 2012

In the modern world of web development, there are a set of new and emerging specifications sometimes grouped under the moniker HTML5. One of those specifications is the WebSocket API, which enables two-way communications. WebSockets offer the promise of faster communications than traditional TCP -- but according to a pair of security researchers, there is a hidden risk.

Speaking at the Black Hat conference last week, Qualys engineers Sergey Shekyan and Vaagn Toukharian detailed how WebSockets could be exploited for malicious gain. Support for WebSockets is currently available in the latest Chrome, Firefox, Safari, and IE 10 web browsers. According to the two researchers, WebSockets are already in use by websites and embedded applications around the world today, and often without proper security.

"We think that user capacity may be an issue with WebSockets if it's not implemented in the right way," Toukharian told eSecurity Planet. "WebSockets can be used for lots of things, but they shouldn't be used for all items on a web page." He stressed that WebSockets don't make sense to use in applications that don't need bi-directional communications or a fast response time.

Different browsers also support WebSockets in unique ways. In particular, Shekyan noted that there are some important things that are not implemented in WebKit, which is the underlying engine that powers Chrome and Safari. Shekyan explained that the current WebSockets specification states that there should only be one WebSocket in a connecting state at a time. According to Shekyan, WebKit does not implement that specification.

"So if a server is not accepting connections fast enough, then you shouldn't try and open a new connection before the previous one was accepted," Shekyan said. "That would prevent DoS (Denial of Service) attacks." According to Shekyan, an attacker could theoretically open an unlimited number of WebSocket connections from a single machine with WebKit to a third party server. Firefox also doesn't quite follow the WebSocket specification and it can allow up to 200 connections.

Toukharian added that from a security perspective, WebSockets don't make applications more secure -- but they do provide a new attack vector for hackers. Traditional web attacks like Cross Site Scripting (XSS) and Man in the Middle (MitM) attacks can find a new home in WebSocket traffic. "Basically, if an attacker has access to content that initiates a WebSockets connection, then that connection could be compromised," Shekyan said.

The other key issue is that since WebSocket technology is still relatively new, Shekyan argued that most firewall and IPS network security devices are not aware of them. As such, WebSocket traffic is not inspected or secured by the same mechanisms as other web traffic. "If someone can deliver malicious content over WebSockets, the rest of the protection is useless," Shekyan said. "Vendors should really start looking at handling the WebSockets protocol."

The challenge is one of usage. Toukharian added that if there was more use of WebSockets, then it's likely vendors would take more notice. Shekyan noted that he talked with one of the firewall vendors about the risk of not supporting WebSockets. The surprising response that he got back is that WebSockets are not currently a major attack vector and as such it doesn't matter.

"Malware delivery via WebSockets becomes easier since IDS and Firewall technology can't see what is being delivered," Toukharian said. "It's just a matter of unmasking the data and looking at the traffic, it's not very hard."

"Our hope is that Firewall and IPS vendors pick it up as soon as possible," Toukharian added.

Source: HTML5 WebSockets Identified As Security Risk - eSecurity Planet
-
Update volatility v2.1 – An advanced memory forensics framework

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independently of the system being investigated but offer visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.

What's new in 2.0

Highlights of this release include:
- Restructured and depolluted namespace
- Usage and Development Documentation
- New Configuration Subsystem
- New Caching Subsystem
- New Pluggable address spaces with automated election
- New Address Spaces (i.e. EWF, Firewire)
- Updated Object Model and Profile Subsystems (VolatilityMagic)
- Support for Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7
- Updated Scanning Framework
- Volshell integration
- Over 40 new plugins!

Volatility supports investigations of the following x86 (32-bit) memory images:
* Microsoft Windows XP Service Pack 2 and 3
* Microsoft Windows 2003 Server Service Pack 0, 1 and 2
* Microsoft Vista Service Pack 0, 1 and 2
* Microsoft 2008 Server Service Pack 1 and 2 (there is no SP 0)
* Microsoft Windows 7 Service Pack 0 and 1

Volatility currently provides the following extraction capabilities for memory samples:
- Image date and time
- Running processes
- Open network sockets
- Open network connections
- DLLs loaded for each process
- Open files for each process
- Open registry keys for each process
- OS kernel modules
- Mapping physical offsets to virtual addresses
- Virtual Address Descriptor information
- Addressable memory for each process
- Memory maps for each process
- Extract executable samples
- Scanning examples: processes, threads, sockets, connections, modules

Download Right Here | Read more in here

Our Post Before: Volatility v2.0 An advanced memory forensics framework release
-
Introduction To Reverse Engineering Software

Creator: Matt Briggs
License: Creative Commons: Attribution, Share-Alike (http://creativecommons.org/licenses/by-sa/3.0/)
Lab Requirements: Windows system with IDA Pro (Free 5.0 is acceptable). Microsoft Visual Studio 2008 redistributable package.
Class Textbook: Reversing: Secrets of Reverse Engineering by Eldad Eilam.
Recommended Class Duration: 2 days
Creator Available to Teach In-Person Classes: Yes

Author Comments:

Throughout the history of invention curious minds have sought to understand the inner workings of their gadgets. Whether investigating a broken watch, or improving an engine, these people have broken down their goods into their elemental parts to understand how they work. This is Reverse Engineering (RE), and it is done every day from recreating outdated and incompatible software, understanding malicious code, or exploiting weaknesses in software. In this course we will explore what drives people to reverse engineer software and the methodology and tools used to do it.

Topics include, but are not limited to:
• Uses for RE
• The tricks and pitfalls of analyzing compiled code
• Identifying calling conventions
• How to navigate x86 assembly using IDA Pro
• Identifying Control Flows
• Identifying the Win32 API
• Using a debugger to aid RE
• Dynamic Analysis tools and techniques for RE

During the course students will complete many hands-on exercises. This class will serve as a prerequisite for a later class on malware analysis. Before taking this class you should take Introduction to Intel x86 or have equivalent knowledge.

Class Materials

All Material (TiddlyWiki (html+javascript) & analyzed binaries (PE))

To bypass exe filters, e.g. so this can be sent through email, this is an encrypted zip with a password of "reclass2011". All of the .exe files have been renamed to .ex_. On Mac OS X 10.6 and below, you will have to open the zip file from Terminal in order to get the password prompt.

Full quality downloadable QuickTime, h.264, and Ogg videos at Archive.org:
Day 1 Part 1 (57:36, 706 MB)
Day 1 Part 2 (1:17:18, 1 GB)
Day 1 Part 3 (29:49, 453 MB)
Day 1 Part 4 (38:36, 530 MB)
Day 1 Part 5 (36:06, 500 MB)
Day 2 Part 1 (49:29)
Day 2 Part 2 (54:58)
Day 2 Part 3 (40:09)
Day 2 Part 4 (1:10:10)
Day 2 Part 5 (58:51)
(8:33:02 total, sans lab time)

The videos are useful for students, but also more useful for potential instructors who would like to teach this material. By watching the video, you will better understand the intent of some slides which do not stand on their own. You are recommended to watch the largest size video so that the most possible text is visible without having to follow along in the slides.

Revision History:
07-08-2012 - Day 2 videos uploaded to YouTube, & both days uploaded to Archive.org
07-01-2012 - Day 1 videos uploaded to YouTube
01-27-2012 - Created some 'missing' content, fixed a few flaws, and added a write-up for the last task
06-16-2011 - Initial class content upload

If you have used and modified this material, we would appreciate it if you submit your modified version for publishing here, so that all versions can benefit from your changes.

Source: IntroductionToReverseEngineering
-
Portspoof - service signature obfuscator (more pain for port scanners)

From: Piotr Duszynski <piotr () duszynski eu>
Date: Sun, 05 Aug 2012 09:49:15 +0200

Hi,

Short description of the soft and the concept:

The portspoof program is designed to enhance OS security through emulation of legitimate service signatures on otherwise closed ports. The general goal of the program is to make the port scanning process very slow and output very difficult to interpret, thus making the attack reconnaissance phase a challenging and bothersome task.

More info at: Portspoof - About

Note: This is an idea that I had for a long time in mind and finally I found some time to implement it. It is still an early release and some part of the code isn't perfect, but I'll be working on that :]

Cheers,
Piotrek

The portspoof program is designed to enhance OS security through emulation of legitimate service signatures on otherwise closed ports. It is meant to be a lightweight, fast, portable and secure addition to any firewall system or security infrastructure. The general goal of the program is to make the port scanning software (Nmap/Unicornscan/etc) process slow and output very difficult to interpret, thus making the attack reconnaissance phase a challenging and bothersome task.

Here is an example nmap scan result against a system running portspoof:
- default scan took about 800s (instead of 20s)
- CPU usage was at 0,5%
- memory usage was at 0,5%
- one legitimate service is running on a port in the range 1-65535 - all the rest is fake
- portspoof will bind only to one port

Check portspoof in action (Live demo - will sometimes hang due to dev. process): nmap -sV 54.247.124.68

Portspoof is still an early work in progress and although stable and working it will require a lot of additional work (preferably along with a good beverage).

Source: Full Disclosure: Portspoof - service signature obfuscator (more pain for port scanners)
-
Owasp - Unraveling Some Of The Mysteries Around Dom-Based Xss With Dave Wichers, Aspect Security, Coo

Description:

Slide: https://www.owasp.org/images/f/f4/ASDC12-Unraveling_some_of_the_Mysteries_around_DOMbased_XSS.pdf

The Presentation

DOM-based XSS was first revealed to the world back in 2005 by Amit Klein, when it was an interesting theoretical vulnerability. In 2012, with the push towards Web 2.0 well into the mainstream, DOM-based XSS has become a very commonly uncovered and exploited vulnerability, but it's poorly understood. This talk will focus on the full range of issues around DOM-based XSS. It will start with a discussion of the technical details of the vulnerability, the true nature of the risk it introduces (both likelihood and impact), and some new terminology and updated definitions about what truly is a DOM-based XSS vulnerability as compared to the standard Stored and Reflected XSS that the community is well aware of. It will then discuss the difficulties that security analysts face when trying to find DOM-based XSS flaws, and provide recommended analysis techniques that help move DOM-based XSS discovery from an art towards more of a science. And finally, it will discuss simple techniques for avoiding DOM-based XSS issues in the first place as well as how to mitigate issues that are uncovered during a security review.

This talk will include discussion of numerous open source resources that are available on this topic. OWASP has numerous articles on DOM-based XSS, including a definition article DOM_Based_XSS, an OWASP testing guide article Testing_for_DOM-based_Cross_site_scripting_(OWASP-DV-003), and the DOM_based_XSS_Prevention_Cheat_Sheet, and there are also other open source articles from leading researchers like Stefano Di Paola's Introduction to DOM-Based XSS as well. The speaker has already contributed to all of these OWASP articles and in preparation for this talk, plans to review and contribute additional enhancements to each of these articles in order to make the author's recommendations publicly available to the web security community in a very broad manner far beyond just delivering this talk at AppSec DC.

The talk will also survey how open source proxy tools like OWASP ZAP and WebScarab, along with Firebug and Chrome's developer tools can be used to track down DOM-based XSS issues within an application. Open source DOM-based XSS detection tools, such as DOMinator, will also be showcased in this talk. This talk was delivered at the conference. The presentation is now available online here.

The Speakers

Dave Wichers

Dave Wichers is a cofounder and the Chief Operating Officer (COO) of Aspect Security, a consulting firm focused exclusively on application security that supports a worldwide clientele with critical applications in the government, defense, financial, healthcare, services and retail sectors. Dave and his team at Aspect Security are founding members of the Open Web Application Security Project (OWASP), and have made major industry contributions including: the OWASP Top Ten, Enterprise Security API (ESAPI), and Application Security Verification Standard (ASVS). He is also a long time contributor to OWASP itself, including being a member of the OWASP Board since it was formed in 2003, and established the OWASP conferences program through his role as OWASP Conferences Chair from 2005 through 2009. Dave has over 20 years of experience in the information security field, and has focused exclusively on application security since 1998. At Aspect, in addition to his COO duties, he is Aspect's application security courseware lead, one of their chief instructors, and provides a wide variety of application security consulting services to Aspect's clients. This includes frequent application security verification efforts involving both code review and application penetration testing for both commercial and Government clients. Prior to starting Aspect, he ran the Application Security Services Group at Exodus Communications. Dave has Bachelor's and Master's degrees in Computer Science, is a CISSP, and a CISM.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source: Unraveling some of the Mysteries around DOM-based XSS with Dave Wichers, Aspect Security, COO on Vimeo

Source: Owasp - Unraveling Some Of The Mysteries Around Dom-Based Xss With Dave Wichers, Aspect Security, Coo
-
Owasp - Real World Backdoors On Industrial Devices With Ruben Santamarta Ioactive

Description:

The Presentation

ICS security, or the lack of it, has been hogging the headlines during the last months. The underlying issue behind this fact is that, in a post-Stuxnet era, the industrial control systems are facing a totally new scenario: they are not a safe place anymore but a potential and valuable target. A lot of questions arise, but maybe the most important one is: are they prepared to face this threat? This presentation details the whole process of analyzing industrial devices, including methods such as reverse engineering and open source intelligence. The results of this approach are also elaborated, showing real cases of backdoors found on widely deployed PLCs and SmartMeters.

The Speakers

Ruben Santamarta

Ruben Santamarta is a European security researcher specialized in offensive security. Ruben Santamarta works as a security researcher for IOActive. He has discovered dozens of vulnerabilities in products from leading companies such as Microsoft, Apple or Oracle. Ruben is currently focused on the ICS security field, reporting and releasing flaws in industrial software and hardware.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source: Real World Backdoors on Industrial Devices with Ruben Santamarta IOActive on Vimeo

Source: Owasp - Real World Backdoors On Industrial Devices With Ruben Santamarta Ioactive
-
Penetration Testing The Network Using Core Impact

Description: In this video the author introduces the CORE IMPACT tool, which is a penetration testing framework used for vulnerability assessments. The demonstration in this video covers the basic usage of the CORE IMPACT tool and how it is used for vulnerability assessment on the target network.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source:

Source: Penetration Testing The Network Using Core Impact
-
PDF Analysis + A Request
Sunday, August 05, 2012

I am going to first make my request. Those who know me know I am a bit gaga for photography. One of my pictures was chosen for the exhibition 'London: A Picture of Sustainability'. Please take a second to vote for my photo (if you like it of course!). I was honored to get this far and it would be awesome to be chosen to win! Definitely look at all of them, it's neat to see what everyone's definition of 'sustainability' is. All the photographs will be available for sale! I am invited to the Exhibition Opening! What do I wear?! Do I need to suit up?! I thought IRs were stressful....

I can't ask you guys for something without giving something in return... so I present not one, but TWO videos on PDF analysis! I will be looking at one PDF via peepdf (the new version) in REMnux and then in PDFStreamDumper. More than one way to peel a potato.

The file I am using for this demo is 'CVE-2009-4324_PDF_2009-11-30_note200911.pdf=1ST0DAYFILE' which I grabbed from a malicious document collection from Contagio. What would we do without Contagio?

UPGRADING TO PEEPDF 0.2

If you already have peepdf, it's quite simple to update. Simply type in:

$ sudo peepdf.py -u

Then everything should be lovely jubbley. If not, you can go to where you have peepdf installed (in REMnux it's in /usr/local/bin) and run the command directly from there.

Ok I lied, you need to do a few more things. You need to also install pylibemu and maybe update libemu while you are at it. Jose recommends using git as the sourceforge packages are outdated. Check the readme for other dependencies you may want. I also was having issues even after this: peepdf was not seeing my pylibemu library. I noticed when reinstalling everything I did not have python bound to libemu. I did some browsing and this fixed my issue. Thank you Alex from Canada!

If you do not have peepdf you can go to the main site directly and download for your system, or you can even find the older version on REMnux (a great free VM for analysing malware) and simply upgrade it yourself!

PDF STREAM DUMPER

I really love this tool as well. I know it's 'cooler' to use the command line but you know you have to respect a great GUI tool which is amazingly versatile. Again, using the same PDF from peepdf, I show analysis being done with this Windows tool. You can grab the program at the sandsprite website.

That's all for now folks, please please please vote in the photo competition. And a big thank you to Jose for all your assistance with peepdf! If you ever find yourself in London I owe you a beer.

Source: Sketchymoose's Blog: PDF Analysis + A Request
-
Is WPA2 Security Broken Due to Defcon MS-CHAPv2 Cracking?
Tuesday, July 31, 2012

Quick answer - No. Read on to hear why.

A lot of press has been released this week surrounding the cracking of the MS-CHAPv2 authentication protocol at Defcon. For example, see these articles from Ars Technica and CloudCracker. All of these articles contain ambiguous and vague references to this hack affecting Wi-Fi networks running WPA2 security. Some articles even call for an end to the use of WPA2 authentication protocols such as PEAP that leverage MS-CHAPv2. But they fail to paint a true and accurate picture of the situation and the impact to Wi-Fi networks. I think this is misleading, and that any recommendations to stop using PEAP are flat-out wrong! So let's clarify things.

Is MS-CHAPv2 authentication broken?

Answer - Based on what I've read, let's assume it is TOTALLY broken. You can read about the details in those other articles. But for the topic of this post, applicability to Wi-Fi networks, it really doesn't matter if it is broken or not.

What is the Impact to Wi-Fi Network Security?

Specifically, does this make much of an impact for Wi-Fi networks where 802.1X authentication is employed and where MS-CHAPv2 is used (namely EAP-PEAPv0 and EAP-TTLS)?

Answer - No, it really does NOT. The impact is essentially zero. Let me explain why.

EAP Tunneled Authentication Protocols

MS-CHAPv2 is only used in what we call "tunneled authentication protocols," which includes EAP-PEAPv0 and EAP-TTLS. These EAP protocol specifications acknowledge that many insecure and legacy authentication methods need protection and should not be used on their own. They deal with that by wrapping the insecure protocol inside of another, much more secure, TLS tunnel. Hence, these protocols are called "tunneled authentication protocols."

This tunneling occurs by relying on asymmetric cryptography through the use of X.509 certificates installed on the RADIUS server, which are sent to the client device to begin connection setup. The client verifies the certificate is valid (more on that in a second), and proceeds to establish a TLS tunnel with the server and begin using symmetric key cryptography for data encryption. Once the TLS tunnel is fully formed, the client and server use the less secure protocol such as MS-CHAPv2 to authenticate the client. This exchange is fully encrypted using the symmetric keys established during tunnel setup. The encryption switches from asymmetric key cryptography to symmetric key cryptography to ease processing and performance, which are much faster this way. This is fundamentally the same method used for HTTPS sessions in a web browser.

Here is a reference ladder diagram of PEAP authentication which highlights the different phases of the connection process (outer TLS tunnel setup and inner MS-CHAPv2 authentication).

[Figure: PEAP Ladder Diagram (Click for full size image)]

So, MS-CHAPv2 is not used natively for Wi-Fi authentication. We're safe, right? Only if implemented properly.

Importance of Mutual Authentication

The key link in this chain then is the mutual authentication between the RADIUS server and the wireless client. The client must properly validate the RADIUS server certificate first, prior to sending its credentials to the server. If the client fails to properly validate the server, then it may establish an MS-CHAPv2 session with a fake RADIUS server and send its credentials along, which could then be cracked using the exploit that was shown at Defcon.
This is commonly referred to as a Man-in-the-Middle attack, because the attacker is inserting their RADIUS server in the middle of a conversation between the client and the user database store (typically a directory server). [TABLE=class: tr-caption-container, align: center] [TR] [TD=align: center][/TD] [/TR] [TR] [TD=class: tr-caption, align: center]RADIUS Server Validation and Exposure to Attack (Click for full size image)[/TD] [/TR] [/TABLE] The RADIUS server is validated as long as the certificate that it sends is trusted. For most client platforms, trusted certificates are provided by the manufacturer for public Certificate Authorities and PKI systems (such as Verisign, Thawte, Entrust, etc.) and are held in the certificate store or keychain on the device. In addition, for corporate environments, administrators can deploy certificates to managed devices in a number of different ways to enable trust for private Certificate Authorities and PKI systems, most common among these methods are Group Policy Objects (GPO) for Microsoft clients and Lion Server Profile Manager or the iPhone Configuration Utility (iPCU) for Apple clients (including OS X and iOS devices). Enabling Server Certificate Validation on Clients In Windows the RADIUS server validation is defined within each SSID profile. If you are looking directly on a Windows 7 workstation, you will want to view the SSID properties, select the Security tab, and go into the PEAP settings. Enable server validation, specify valid server names (which are checked against the Common Name - CN within the server certificate presented to the client), restrict which Root CAs the server certificate can be issued from, and prevent the system from prompting users to accept untrusted certificates (which is important, otherwise they could unknowingly accept a bad certificate and connect to an attacker's RADIUS server). 
[Image: Windows RADIUS Server Validation]

In Apple devices, including OS X Lion, Mountain Lion, and iOS, use the Lion Server Profile Manager or iPCU to define a configuration profile which includes credentials and a Wi-Fi policy. I'll show the iPCU in this example. First, add the Root CA certificate into the "Credentials" section. Next, define a Wi-Fi policy which specifies the trusted certificates and certificate names allowed.

[Image: Apple RADIUS Server Validation]

Client Behavior for Server Validation

In both vendor implementations, the behavior of the client device is dictated by what policy has been defined on the system. If no policy for the SSID has been defined or pushed to the client device by an administrator, the default behavior is to prompt the user to validate the certificate. This is likely not ideal, since users typically have a hard time distinguishing what a certificate means and whether or not they should proceed. For example, when an Apple iPhone attempts to join a network when no profile has been deployed for that SSID, the user receives a prompt to accept the connection and proceed:

[Image: iPhone Certificate Prompt]

Therefore, for all corporate 802.1X environments, it is recommended to push profiles for all 802.1X SSIDs that end-users need on their systems. This goes for both production access and BYOD scenarios. The behavior on Windows 7, OS X Lion / Mountain Lion, and iOS devices when a profile has been installed for a specific SSID, is to check the local certificate store or keychain to validate the RADIUS server certificate. It must also match the Root CAs and server names specified in the deployed profile. In the event that an untrusted certificate is presented, all of these systems will NOT prompt the user and the connection is rejected. For example, here is a rejected connection by an Apple iPhone for an SSID that has had a profile deployed by an administrator:

[Image: iPhone Certificate Rejection]

Outstanding Vulnerabilities

You should still be aware of a few indirectly related vulnerabilities that have not yet been resolved relating to Wi-Fi authentication with 802.1X.

First, the default behavior of all systems (especially personal devices) is to prompt users to validate the RADIUS server certificate. This is often confusing and can lead to bad actions being taken by users and attempted authentication through an attacker's RADIUS server. This can be mitigated by having corporate environments deploy configuration profiles for all SSIDs in their network, both production and BYOD. Don't fall into the trap for BYOD of letting users connect on their own and try to decipher the certificate prompt. Establish a sound personal device on-boarding process which deploys a configuration profile to the device upon successful enrollment and policy acceptance. There are numerous ways to do this, ranging from simple solutions such as sending them a profile in an email or providing a web URL where users can download the profile, to more complex solutions such as MDM integration that allow self-registration and zero IT involvement.

Second, certificate binding to the SSID is still a manual process on wireless networks. It must be defined within the configuration profile. This is in contrast to SSL and TLS protocols that are used for secure web access where the end-user system can automatically verify if the FQDN within the URL matches the Common Name presented in the certificate. The manual binding process in Wi-Fi networks is born out of a lack of extensibility within the PKI system to handle network access scenarios such as this. A better solution is needed.

Finally, certificate revocation checking cannot occur by Wi-Fi clients since they do not yet have a network connection with which they can query a CRL distribution point or use OCSP. This means that client devices cannot check the status of the presented server certificate to see if it has been revoked, which could be caused by valid certificates that have subsequently been compromised or certificates that were invalidly issued by a CA. However, there is hope that the forthcoming 802.11u extensions to Wi-Fi can provide the means for this to occur through message exchanges prior to full network connection (thanks to Christopher Byrd for pointing this out to me during a Twitter conversation).

Revolution or Evolution? - Andrew's Take

We've known that MS-CHAPv2 is an insecure protocol for a long time. The recent Defcon exploit has just taken that one step further. Development of modern Wi-Fi security recognized the possible value in using legacy protocols such as these. Therefore, EAP protocols that employed such protocols were designed to tunnel the insecure protocol within a much more robust protocol such as TLS. These "tunneled authentication protocols" such as PEAP ensure protection for these insecure protocols through the use of certificates. The onus for proper security then falls on RADIUS server validation to ensure the other end of the connection is trusted before allowing the client authentication to proceed.

In a properly implemented wireless network, this MS-CHAPv2 exploit is a non-issue. There is no need for Wi-Fi network administrators to abandon PEAP. Period.

Security is a complex field. It may be hard to distinguish the FUD from fact. If you're interested in learning more about Wi-Fi security, then I highly recommend engineers take training provided in the CWSP (Certified Wireless Security Professional) course offered by CWNP, Inc. or the SEC-617 (Wireless Ethical Hacking, Penetration Testing, and Defenses) course offered by the SANS Institute.

Cheers,
Andrew vonNagy

Source: Revolution Wi-Fi: Is WPA2 Security Broken Due to Defcon MS-CHAPv2 Cracking?
-
[h=1]Volume of Malware Targeting Java CVE-2012-1723 Flaw Spikes[/h]by Dennis Fisher

It's been nearly two months since Oracle patched the CVE-2012-1723 Java vulnerability, a serious remote pre-authentication flaw that's present in the Java Runtime Environment. It's taken a little time, but the attacker community has decided that this bug deserves some serious attention, and as a result, attacks trying to exploit it have ramped up significantly in recent weeks.

The first malware samples that were exploiting this vulnerability started appearing about a month ago, but it was just in dribs and drabs. But by the second week of July, the number of attacks on CVE-2012-1723 began to take off dramatically. Microsoft researchers compiled statistics that show the volume of malware targeting the Java flaw really took off around July 10, and, with some peaks and valleys in the interim, is still quite high now.

The vulnerability itself is in a JRE sub-component called Hotspot and attackers who are able to exploit it will have the ability to execute arbitrary code on the target machine.

"The issue is in the optimization performed when a field inside the class is accessed. A static field with a ClassLoader or Object type and bunch of instance-fields with custom data type is a strong indication of exploitation. A bunch of instance-fields are a buffer area where a type-confused object is retrieved," Jeong Wook Oh of the Microsoft Malware Protection Center said in an analysis of the attacks.

An oddity with this vulnerability is that attackers don't have the ability to disguise what they're doing with their exploits in this case. Oh said that because attackers need to build a Java class with some specific attributes, it's relatively easy for analysts to see what's going on.

"Java-based malware could use a Java-reflection feature to obfuscate vulnerable class and methods loading code when the vulnerability is inside specific class and methods -- for example, CVE-2012-0507 was related to AtomicReferenceArray class. The loading of AtomicReferenceArray class itself can be obfuscated and you can't easily tell whether it is loading the specific class at all just by looking into the Java code. This makes the whole malware analysis process more time-consuming," Oh said. "For this vulnerability, attackers can't obfuscate the core exploit part easily. As we explained with Figure 3, the attackers need to create a class with specific features like static field member with ClassLoader type or Object type. And bunch of instance fields follows. It has specific code pieces to run which looks like the code shown in Figure 4. Java doesn't provide ways to obfuscate this class structure itself, so the code pattern stands out. You can easily identify the pattern just by statically investigating the code."

Source: Volume of Malware Targeting Java CVE-2012-1723 Flaw Spikes | threatpost
-
[h=1]Hackers Increasingly Look for Cross-Platform Vulnerabilities[/h]By Antone Gonsalves, 2-Aug-2012

[h=2]A Microsoft security researcher says malware makers seek 'economies of scale'.[/h]

More and more hackers are targeting the same application vulnerabilities on Macs and Windows PCs as a way to reap the financial benefits of writing cross-platform malware.

The trend involves exploiting vulnerabilities that go as far back as 2009 in Office documents. Other cross-platform, third-party technologies favored by hackers include Java, Adobe PDF and Adobe Flash, Microsoft security researcher Methusela Cebrian Ferrer said Tuesday in the company's Malware Protection Center blog.

Targeting the same vulnerabilities in applications commonly found on both platforms allows hackers to reap profits twice from the same malware, a trend Ferrer calls "economies of scale in cross-platform vulnerabilities."

"This method of distribution allows the attacker to maximize their capability on multiple platforms," he said.

Stephen Cobb, security evangelist for ESET, said cybercriminals have treated malware development and methods for infecting systems as a business for years.

"We can expect to see further application of business logic -- such as economies of scale, division of labor and risk/reward calculations -- to developments in this space," he said in an interview via email.

Although targeted vulnerabilities may have already been patched by vendors, hackers bank on user negligence when it comes to installing software updates. As an example, people are notoriously slow in installing Java patches to Windows PCs and Macs. As much as 60 percent of Java installations are never updated, according to security vendor Rapid7.

"All these un-updated applications on the desktop, whatever they may be, are low-hanging fruit," said Jamz Yaneza, research manager for Trend Micro. "These are the easiest things to attack."

Microsoft spotted the latest trend while investigating malware called Backdoor Olyx, which the software vendor first spotted a year ago. Subsequent variants since then demonstrated the cross-platform approach taken by malware writers.

Backdoor Olyx and its variants are typically downloaded by victims clicking on malicious links or visiting malware-distributing Web sites. The Trojans are also distributed through e-mail attachments.

Because the malware attacks known vulnerabilities, the best defense is to keep security software up-to-date and install the latest operating system and third-party security patches. "This best practice should extend to all devices and platforms, especially those in large enterprise networks," Ferrer said.

Additional options include uninstalling Java. While the platform is often necessary in servers, its importance has diminished in desktops and laptops with the use of newer Web technologies.

To make other software safer, users can run applications in the safest configuration possible, according to Wolfgang Kandek, chief technology officer for Qualys. He noted, for example, that users can turn off Javascript in Adobe Reader as one way to bolster security in that software.

Source: Computerworld India News | Hackers Increasingly Look for Cross-Platform Vulnerabilities | Computerworld.in