Everything posted by Nytro
-
Japan’s Finance Ministry Spied On by Trojan for Two Years
By: Liviu Arsene, July 25, 2012

Japan’s Finance Ministry recently discovered a data-leaking Trojan on its computers that has been running for almost two years. During a security sweep of their network infrastructure, a third-party security firm found the Trojan and notified the institution. Of the 2,000 computers checked, 123 were infected with the Trojan that appeared to be present since January 2010.

The Finance Ministry said no taxpayer details were exposed and it’s likely that only documents regarding meetings were exposed. “It is not that the personal information that we have was widely leaked,” one official told reporters. The most recent infection detected took place in November 2011, but that doesn’t mean information was not accessed via previously installed Trojans. No other attacks were reported after November 2011, indicating that interest may have subsided after the two-year spree.

The antivirus solution on the infected machines seems to have been ineffective in detecting the Trojan, indicating a higher level of sophistication in the attack. Japan’s government only stated that infected computers belonged to junior staff, implying that access to vital information was severely restricted. Infected hard disk drives were removed, severing all Trojan activities with attacker-controlled servers.

Although the official report depicts Anonymous as the primary suspect, the modus operandi of the organization has always been DDoS attacks and not hidden Trojans.

Source: Japan’s Finance Ministry Spied On by Trojan for Two Years | HOTforSecurity
-
Apple wants you to be "blind": it removed the Clueful app from the App Store
by Liviu Petrescu | July 25, 2012

Apple has removed the Clueful application, created by BitDefender, from the App Store. The company gave no reason for its decision, after having previously accepted the application without any problems. The situation is controversial because Clueful is the only application capable of examining all the other applications installed on an iPhone, iPad or iPod Touch and informing the user about the personal data accessed by each application, according to Capital.

Catalin Cosoi, Chief Security Researcher at BitDefender, was surprised by Apple's decision, which deprives many users of an important tool for defending their rights. The Clueful application for iOS still works on the devices on which it was installed and provides information on more than 65,000 analyzed applications and their access to the personal data on the phone.

A few months ago Apple acknowledged that there are some security problems in iOS 5 that allow App Store applications to access the contacts in the address book or personal photos without the user's permission, but promised that these will be fixed in the next version of Apple's mobile operating system, iOS 6.

Source: Apple vrea sa fii "orb": a scos din App Store aplicatia Clueful | Hit.ro
-
Cuckoo Sandbox 0.4!
July 25, 2012 By Mayuresh

Our first post regarding the Cuckoo Sandbox can be found here. A few hours ago, an update, Cuckoo Sandbox version 0.4, was released! This release can be considered a historical milestone in the project’s history and the best release produced so far! It is a complete rewrite of every single component from scratch with modularity, scalability and flexibility in mind.

“Cuckoo Sandbox is a malware analysis system. Its goal is to provide you a way to automatically analyze files and collect comprehensive results describing and outlining what such files do while executed inside an isolated environment. It’s mostly used to analyze Windows executables, DLL files, PDF documents, Office documents, PHP scripts, Python scripts, Internet URLs and almost anything else you can imagine. But it can do much more!”

Cuckoo Sandbox 0.4 official change log:

- Modules for performing custom post-analysis processing of the results and generating reports: being able to customize the interpretation of the results and the generation of reports in any format you want, you can easily integrate Cuckoo Sandbox in any existing framework or environment you already have in place.
- Default support for KVM and the ability to create new, or modify existing, Python modules that will instruct Cuckoo Sandbox on how to interact with your virtualization solution of choice.
- A signatures engine that you can use to identify and isolate any pattern or event of interest: contextualize the analysis results, quickly identify known malware or look for events that are particularly interesting for you or your company.
- Improved scripting capabilities, further customizing the sandbox to your analysis needs. You can now customize Cuckoo’s analysis process to the fullest extent by simply writing Python modules that define how the Cuckoo Sandbox should interact with the malware and the analysis environment.
- Last but not least, the Cuckoo Sandbox analysis core was completely re-engineered. This will significantly improve the quality of the analysis, giving much more detailed and explanatory information about the malware you’re analyzing.

Download Cuckoo Sandbox:
Cuckoo Sandbox v0.4 - cuckoo_0.4.tar.gz

Source: Cuckoo Sandbox version 0.4! — PenTestIT
-
XMLCoreServices Vulnerability Analysis
Authored by Minsu Kim

This document is an analysis of the XMLCoreServices vulnerability as noted in CVE-2012-1889.

1. Executive Summary

Recently, malicious web pages exploiting the XMLCoreServices vulnerability are frequently observed, and since Microsoft has released only a temporary fix for this vulnerability, many Internet Explorer users are exposed to this security threat. This document provides a detailed analysis of the XMLCoreServices (CVE-2012-1889) vulnerability. This vulnerability can be exploited by abusing an uninitialized memory section of Microsoft Core Services 3.0, 4.0, 5.0 and 6.0, and ultimately executes malicious code injected by the attacker. This vulnerability can be temporarily removed by Fix It (Microsoft Security Advisory: Vulnerability in Microsoft XML Core Services could allow remote code execution), which disables XML Core Services; however, Microsoft should release an official patch for this vulnerability as soon as possible.

This vulnerability has been analyzed on a machine with Windows XP SP2, Internet Explorer 6, and Microsoft Core Services 3.0. The vulnerability exists in msxml3.dll, which provides Core Services. The structure of the memory where the exploitation of the vulnerability takes place is shown in Figure 1 below.

Download: http://packetstormsecurity.org/files/download/114977/CSRC-12-03-006.pdf

Source: XMLCoreServices Vulnerability Analysis - Packet Storm
-
Reverse engineering. You attach it to a process and execute each instruction step by step. Preferably you should know what a Portable Executable actually is and how such a file is structured before randomly pressing buttons in OllyDbg.
-
I think they started at least 2 years ago. The USA stated that they created Stuxnet.
-
Emails from Iran

Over the weekend, I received a series of emails from Iran. They were sent by a scientist working at the Atomic Energy Organization of Iran (AEOI). The scientist reached out to publish information about Iranian nuclear systems getting struck by yet another cyber attack. He wrote:

"I am writing you to inform you that our nuclear program has once again been compromised and attacked by a new worm with exploits which have shut down our automation network at Natanz and another facility Fordo near Qom. According to the email our cyber experts sent to our teams, they believe a hacker tool Metasploit was used. The hackers had access to our VPN. The automation network and Siemens hardware were attacked and shut down. I only know very little about these cyber issues as I am scientist not a computer expert. There was also some music playing randomly on several of the workstations during the middle of the night with the volume maxed out. I believe it was playing 'Thunderstruck' by AC/DC."

I'm not sure what to think about this. We can't confirm any of the details. However, we can confirm that the researcher was sending and receiving emails from within the AEOI.

Mikko

Source: Emails from Iran - F-Secure Weblog : News from the Lab
-
Flame Cyber War Against Iran

Description: In this video, experts talk about the Flame malware and a lot of political issues around this dangerous malware. If you don’t know about Flame: Flame is malware also known as Flamer, Skywiper, and sKyWIper. This malware was discovered in 2012 and targets the Microsoft Windows operating system. Security experts say this malware was created for cyber war, and is a secret information-gathering virus. Now, Japan is blaming Israel for the same virus that hit their nuclear computers. Flame can record data files, remotely change settings on computers, turn on PC microphones to record conversations, take screen shots and log instant messaging chats. For more information about the Flame malware: Flame (malware) - Wikipedia, the free encyclopedia

On the 28th of May 2012 Iran announced that the most crippling computer virus ever written had been detected on computers in Iranian government offices. Iran's Computer Emergency Response Team, MAHER, announced on its official website that the Flame virus had been intercepted and its infection components posted on their page. A few days later, on June first, the New York Times published an article by David Sanger that blew the lid off a lot of secret information. It revealed just how evolved the US and Israel are in the global cyber war, especially when it comes to the cyber attacks against Iran. The article explained how US president Barack Obama ordered a covert cyber attack on Iran a few months after taking office. The article was the result of 18 months of research and information gathered from interviews with top current and former American, European and Israeli officials. The first wave of digital attacks against Iran happened during the presidency of George W. Bush. They were codenamed "The Olympic Games". According to the participants in the program it was the first sustained use of cyber weapons. Since then the Stuxnet virus has invaded systems at Iran's nuclear power plant, and now Flame. In this edition of the show we will be looking at the cyber war being waged as we speak.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source:

Source: Flame Cyber War Against Iran
-
The most interesting things from here are posted on the Facebook page almost every day: https://www.facebook.com/rstforum Recommend the page to friends interested in hacking and IT security.
-
Is Hacking in Self-Defense Legal? It Depends, Says Army Cyber Lawyer
By Jordan Robertson | July 23, 2012
Photograph by Photomorgana

The allure of hacking back is growing as digital espionage and trade-secret theft have become rampant.

When Robert Clark meets with large corporations and government agencies that have been hacked, many express the same feeling. They want revenge. But the impulse to strike back is fraught with legal danger, said Clark, operational attorney for the U.S. Army Cyber Command, who plans to deliver that message on Thursday in a speech at the Black Hat security conference in Las Vegas.

“I’ve been involved in this field in-depth for 10 years, and the first thing everybody asks is, ‘How do I hack back? I want to smack somebody,’” he said in an interview. “And my response is always the same: Why? Because you’re mad? What do you want to get out of it?”

The allure of hacking back is growing as digital espionage and trade-secret theft have become rampant. Shawn Henry, formerly the FBI’s top cyber crime official, has said that organizations increasingly want to go on the offensive with hackers. Henry is now president of CrowdStrike, a startup that is focused on proactive anti-hacking measures.

Companies are taking a cue from elected leaders. Two pieces of malicious software show that governments are taking a more active role in cyber attacks. The New York Times reported last month that the U.S. and Israel jointly developed Stuxnet, which damaged nearly 1,000 centrifuges in an Iranian nuclear plant. The Washington Post reported that the countries also built Flame, a piece of eavesdropping software, to slow Iran’s nuclear ambitions.

Clark’s position is a conflicted one, as the military and civilian organizations play by different rules. He wouldn’t comment on Stuxnet or Flame, and emphasized that he was speaking in a personal capacity at Black Hat. But he did have advice for organizations considering hacking in self-defense.

Some companies are discussing whether it’s legal to place a tracking bug inside computer files that are at risk of being stolen, Clark said. The law may be on their side in some instances. Clark pointed to a 1992 case where a driver working for the U.S. Postal Service was caught stealing envelopes stuffed with money on his route. The driver, Ervin Charles Jones, pleaded guilty but argued that investigators’ use of a small transmitter to track one of the envelopes, the key to making the arrest, led to an unlawful search of his van. The courts disagreed, and Jones was sentenced to 11 months in prison. It’s not that different from companies trying to chase stolen computer files.

But in the digital realm, it’s easy to go too far, Clark said. Because of the powerful capabilities of spying software, organizations might be tempted to do more than simply track their purloined goods. Placing malicious software on attackers’ machines would violate anti-hacking laws, Clark said. A grayer area, though, is whether probing attackers’ networks violates the law. Breaking into computers to recover stolen intellectual property is illegal, but doing light reconnaissance to map attackers’ networks to learn about their systems might not be, Clark said. The law generally favors those that pursue prevention, such as the use of heavy encryption, over post-theft recovery, like a burglary victim who aggressively goes around looking for his stolen goods, Clark said.

Planting disinformation is another strategy that’s gaining popularity, he said. Placing fake blueprints or software code in a place where hackers could steal them could be a legal, effective diversion. But spreading flawed airplane designs or pharmaceutical formulas that make their way into products and hurt people might not be, he said. “If I’m talking about the new secret formula for a soda, and I’m just making it taste bad, that’s no big deal,” he said. “But what if my disinformation gets to the point that it harms somebody? That’s what could happen if disinformation is pushed to its ultimate end.”

A bizarre case from 1967 shows some limitations on self-defense that could apply to the cyber realm, Clark said. The case involved Iowa landowners, Edward and Bertha Briney, who rigged a shotgun to fire on anyone who entered a bedroom in a vacant farm house that was being repeatedly burglarized. An intruder broke in to scavenge old bottles and fruit jars and had most of his leg blown off. A jury awarded the intruder $30,000 in damages, which would be more than $200,000 in today’s dollars.

Hacking attacks can now cause damage in the physical world, as the Stuxnet worm showed. Hackers have an array of non-PC targets to attack now, from the computers that run water facilities to automobiles to insulin pumps, as shown in this Bloomberg.com slide show. Aggressive counterattacks could be justified in cases where personal safety is in danger, Clark said. But organizations that engage in a counterattack would have to prove that their response was proportional to the threat, he added.

Of course, the odds of a victim of a counterattack coming forward are slim, Clark said. “Who’s going to complain?” he asked with a laugh.

Source: Is Hacking in Self-Defense Legal? It Depends, Says Army Cyber Lawyer - Bloomberg
-
Spooky: How NSA’s Surveillance Algorithms See Into Your Life
24 Jul, 2012 by Radu Tyrsina

On the ViewPoint talk show with Eliot Spitzer, three whistleblowers from the National Security Agency (NSA), Thomas Drake, Kirk Wiebe and William Binney, have expressed their allegations surrounding the NSA’s illegal domestic surveillance measures. The whistleblowers specifically refer to 9/11 as the date after which electronic surveillance reached new heights. This means that enormous amounts of email and cell phone conversations have been stored and surveilled, as Eliot Spitzer puts it. When asked whether they knew about the electronic surveillance used by the NSA, Kirk Wiebe said that they didn’t even believe the U.S. government could go that far.

http://www.youtube.com/watch?feature=player_embedded&v=AQalspt90AU

Google seems a joke when compared to NSA’s data

William Binney confirms Spitzer’s assumptions by agreeing that there is, indeed, a dossier on almost every American, filled with data aggregated by the National Security Agency. Looking at how much data the NSA could possibly have piled up, Eliot says that, compared to that, Google “seems like a joke”. William goes on to say something really spooky:

“The data is resident in programs that can pull it together in timelines and things like that and let them (the Government) see into your life, to see what you’re doing in your life.”

By using satellites and the huge amount of data the NSA currently holds, they can even create some sort of algorithms to work out who’s talking to whom, thus being able to dissect our private lives. Eliot also says that it is being done without any regard to the Fourth Amendment to the United States Constitution. To get a better understanding, here’s what the 4th Amendment presumes:

When police conduct a search, the amendment requires that the warrant establishes probable cause to believe that the search will uncover criminal activity or contraband. They must have legally sufficient reasons to believe a search is necessary.

Also, it is important to know this aspect of the U.S. Constitution:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

The government has an electronic spying program

The algorithms that the NSA has created, according to whistleblower William Binney, are actually a part of the Big Data Research and Development Initiative, whose official purpose is to improve the tools and techniques needed to access, organize, and glean discoveries from huge volumes of digital data. William goes on to say that the algorithms will go through the database looking at everybody. The basic and most obvious question that comes to our mind, as well as the mind of the talk show host: hasn’t anybody thought about the direct violation of the Constitution? Normally, for such critically important things for a nation, there needs to be court approval. According to Kirk Wiebe, it seems that nobody cares about that.

Secret spying room inside AT&T facility

As always, this is nothing new; it’s just that thanks to this talk show, some of us have gotten the chance to find out about these things and to do our duty of informing others. It is only now that I’ve discovered that the EFF (Electronic Frontier Foundation) has a lawsuit against the U.S. government’s massive spying program. Here’s what the EFF had to say about this:

In a motion filed today (July 2), the three former intelligence analysts confirm that the NSA has, or is in the process of obtaining, the capability to seize and store most electronic communications passing through its U.S. intercept centers, such as the “secret room” at the AT&T facility in San Francisco first disclosed by retired AT&T technician Mark Klein in early 2006.

There have been numerous reports about the secret room at AT&T; Wired and Ars Technica wrote about this 6 years ago. Another interesting article also shows that the same EFF has filed a suit against AT&T over NSA spying, accusing them of diverting customer traffic to the NSA for years as a means of aiding the NSA’s covert surveillance program. If you still think this is fiction we’re talking about, you might want to read this Wikipedia article, which refers to this room as Room 641A. The same William Binney, guest of the ViewPoint show, said that there could be up to 20 such “secret rooms” across the entire country. The octopus of secret surveillance is getting even bigger as we find out about the President’s Surveillance Program, which constitutes a series of secret intelligence activities authorized by then President of the United States George W. Bush after the September 11 attacks in 2001 as part of the War on Terrorism.

Is there still hope?

The surveillance program seems to have appeared as a direct effect of the Patriot Act and its surveillance procedures. And here’s where we make the link with the 4th Amendment. I’m no legal expert, but even to me, it makes sense and this explains it all:

Removed was the statutory requirement that the government prove a surveillance target under FISA is a non-U.S. citizen and agent of a foreign power, though it did require that any investigations must not be undertaken on citizens who are carrying out activities protected by the First Amendment. The title also expanded the duration of FISA physical search and surveillance orders and gave authorities the ability to share information gathered before a federal grand jury with other agencies.

To put it bluntly, by using the Patriot Act’s official purpose of fighting terrorism, the freedom of U.S. citizens appears to be greatly impaired; by using the Big Data initiative’s official purpose of enhancing even more the role of technology in our lives, they’re actually creating intrusive algorithms that are spying on our private lives. But there’s still hope as it seems that, recently, the Office of the Director of National Intelligence has admitted that the government’s spying efforts have exceeded the legal limits, at least once. Let’s hope that all this will have an end and our freedoms will be preserved. As Benjamin Franklin said: “They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.”

Source: Spooky: How NSA's Surveillance Algorithms See Into Your Life - Technically Personal!
-
Bypass Antivirus software using backdoor encoding

http://www.youtube.com/watch?feature=player_embedded&v=ilZ1CjCB1jc

Description: In this video you will learn how to bypass antivirus software using backdoor encoding. Usually a backdoor is encoded with only one module, but in this video he shows how to encode a backdoor using three different encoders to bypass antivirus software:

1st: encoding with shikata
2nd: call4_dword_xor
3rd: countdown

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source: https://www.youtube.com/watch?v=ilZ1CjCB1jc

Source: Bypass Anti-Virus
-
Android DNS Poisoning: Randomness gone bad (CVE-2012-2808)

Recently we discovered a very interesting vulnerability in Android’s DNS resolver, a weakness in its pseudo-random number generator (PRNG), which makes DNS poisoning attacks feasible. DNS poisoning attacks endanger the confidentiality and integrity of the target victim’s machine. For instance, DNS poisoning can be used to steal the victim’s cookies, or tamper with weak applications’ update mechanisms in order to execute malicious code. The official advisory with full details can be found here. This blog post summarizes the advisory.

A very short background on DNS poisoning

Each DNS request holds a unique identifier (‘nonce’) which consists of an attribute called ‘TXID’ and the UDP source port. They both combine to a 32-bit value. Ideally these 32 bits are random. In order to conduct a DNS poisoning attack, an attacker must be able to inject a forged response before the legitimate one arrives from the server. The forged response must include the correct nonce (which the attacker must correctly guess), otherwise it is dropped by the resolver. If the nonce is a 32-bit random value, an attack takes years to succeed (on average). Not that feasible! But with every bit of randomness we are able to remove from the nonce, the expected time drops by a factor of two.

How does Android resolve DNS?

The code that is in charge of the DNS resolution can be found under Android’s libc implementation (aka ‘bionic’). Android provides source port and TXID randomization by calling the function res_randomid, which returns a 16-bit integer:

    #include <sys/types.h>   /* u_int */
    #include <sys/time.h>    /* gettimeofday() */
    #include <unistd.h>      /* getpid() */

    u_int
    res_randomid(void) {
        struct timeval now;

        gettimeofday(&now, NULL);
        /* only the low 16 bits survive, so the result is sec ^ usec ^ pid mod 65536 */
        return (0xffff & (now.tv_sec ^ now.tv_usec ^ getpid()));
    }

It can be seen that the returned value is a XOR of the fraction of the current time in microseconds, the current time in seconds and the process ID. This method is used twice in close succession in order to produce the TXID and source port values. The dominant factor which makes this value hard to predict is the microseconds fraction.

Why is it vulnerable?

Remember that the res_randomid function is used twice, once for the TXID, and once for the source port. The Achilles' heel and the crux of the attack is the fact that there are two subsequent calls to the res_randomid function in a very short time. Since res_randomid is a function of the current time, the TXID and source port values become very much correlated to each other: given that the attacker guessed one value correctly, the probability is high that the other value would also be guessed correctly. This means that instead of 32 random bits, you get much less. In fact, our research shows that in some environments, the 32 bits contain less than 21 random ones. The expected time for a successful attack is brought down from years to minutes! The attack is feasible regardless of whether or not the attacker knows the process ID. See our whitepaper for the complete analysis.

Take a look at the following capture: let’s examine some source port, TXID couples and verify if there is any correlation. It can be seen even to the naked eye that the TXID and source port values are not that different. Remember that ideally each of them is chosen out of 65536 values.

Why should you care? What is the impact?

As usual, DNS poisoning attacks may endanger the integrity and confidentiality of the attacked system. For example, in Android, the Browser app can be attacked in order to steal the victim's cookies for a domain of the attacker's choice. In case the attacker manages to lure the victim to browse a web page controlled by him/her, the attacker can use JavaScript in order to start resolving non-existing sub-domains. Upon success, a sub-domain points to the attacker's IP, which enables the latter to steal wildcard cookies of the attacked domain, and even insert ones (see this for more details on the impact of subdomain poisoning). In addition, a malicious app may instantiate the Browser app on the attacker's malicious web page. If the attacker knows the process ID (for example, a malicious app can access that information), the expected time for a successful attack can be reduced, as explained in the whitepaper.

A video demo of the attack

How was the issue fixed?

The random sample is now taken from /dev/urandom, which should have enough entropy when the call is made.

Which versions are vulnerable? Android 4.0.4 and below
Which versions are non-vulnerable? Android 4.1.1

Disclosed by: Roee Hay and Roi Saltzman

Disclosure timeline
07/24/2012 Public disclosure
06/05/2012 Issue confirmed by Android Security Team and patch provided to partners
05/21/2012 Disclosed to Android Security Team by Roee Hay and Roi Saltzman

Posted by Roee Hay on July 24, 2012

Source: IBM Application Security Insider: Android DNS Poisoning: Randomness gone bad (CVE-2012-2808)
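As an added example (not part of the IBM post or of Android's code), the Python model below re-implements res_randomid and measures how much of the nominal 32-bit nonce is actually unpredictable when TXID and source port come from two calls made a few microseconds apart; the gap between the calls is a constructed assumption, and both calls are assumed to fall in the same second.

```python
"""Model of bionic's res_randomid() (CVE-2012-2808) and of the entropy left in
the TXID/source-port nonce. The per-call gap in microseconds is an assumed,
constructed value, not something measured on a device."""
import math
import os
import struct

USEC_PER_SEC = 1_000_000


def res_randomid(tv_sec, tv_usec, pid):
    """Port of the vulnerable bionic function: low 16 bits of sec ^ usec ^ pid."""
    return 0xFFFF & (tv_sec ^ tv_usec ^ pid)


def android_nonce(tv_sec, tv_usec, pid, gap_usec):
    """TXID and source port as Android <= 4.0.4 built them: two res_randomid()
    calls gap_usec microseconds apart (assumed to land in the same second)."""
    txid = res_randomid(tv_sec, tv_usec, pid)
    port = res_randomid(tv_sec, tv_usec + gap_usec, pid)
    return txid, port


def relation_values(gap_usec):
    """Every value txid ^ port can take for a given gap. sec and pid cancel in
    the XOR, leaving usec ^ (usec + gap), so enumerate all usec values for
    which both calls stay inside the same second."""
    return {(usec ^ (usec + gap_usec)) & 0xFFFF
            for usec in range(USEC_PER_SEC - gap_usec)}


def effective_nonce_bits(gap_usec):
    """Upper bound on unpredictable nonce bits: 16 for the TXID plus log2 of the
    number of source ports still possible once the TXID is known."""
    return 16 + math.log2(len(relation_values(gap_usec)))


def attack_speedup(gap_usec):
    """Factor by which the expected guessing effort drops versus an ideal
    32-bit nonce (the post: every lost bit halves the expected time)."""
    return 2 ** (32 - effective_nonce_bits(gap_usec))


def fixed_nonce():
    """Nonce the way the Android 4.1.1 fix produces it: two independent 16-bit
    values from /dev/urandom, so txid ^ port carries no information."""
    txid, port = struct.unpack("<HH", os.urandom(4))
    return txid, port


if __name__ == "__main__":
    # Constructed sample request: 1 us between the two res_randomid() calls.
    txid, port = android_nonce(1343145600, 123456, 4242, 1)
    print(f"vulnerable: txid=0x{txid:04x} port={port} txid^port={txid ^ port}")
    for gap in (1, 2, 5, 20):
        n = len(relation_values(gap))
        print(f"gap {gap:>2} us: {n:>5} possible txid^port values -> "
              f"~{effective_nonce_bits(gap):.1f} nonce bits, "
              f"attack {attack_speedup(gap):.0f}x faster than 32 bits")
    print("fixed (urandom) sample:", fixed_nonce())
```

With a 1 µs gap the XOR of the two values can only take 16 distinct values, so the nonce is worth about 20 bits, matching the "less than 21 random bits" figure in the post.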
-
Dude:

AntiVir | KIT/Bandook | 20111127

It is detected as exactly what it is. It's a RAT; what do you want the antivirus to tell you, that it's a butterfly?
-
PowerSploit: A PowerShell Post-Exploitation Framework!
July 23, 2012 By Mayuresh

At first, there was Syringe from SecureState. It was expanded upon into a slightly more featured PowerShell-based code/DLL injection utility, Powersyringe. The same author, Matt Graeber, improved upon it again to produce PowerSploit. So, PowerSploit is a series of Microsoft PowerShell scripts that can be used in post-exploitation scenarios during authorized penetration tests. It retains much of the same functionality as Powersyringe, but each payload is divided into a separate script according to functionality. Additionally, the PowerSyringe code was completely rewritten from scratch. All scripts now conform to proper PowerShell verb-noun agreement and are entirely memory-resident (thanks to certain internal .NET methods and reflection)! PowerSploit also features improved error handling, allowing error handlers to pick up on every fault!

PowerSploit is comprised of the following scripts:

- Inject-Dll: injects a Dll into the process ID of your choosing.
- Inject-Shellcode: injects shellcode into the process ID of your choosing or within PowerShell locally. It supports windows/meterpreter/reverse_http and windows/meterpreter/reverse_https payloads too!
- Encrypt-Script: encrypts a script (or any text file for that matter) and outputs the results to a minimally obfuscated script, evil.ps1.
- Get-GPPPassword: retrieves the plaintext password for accounts pushed through Group Policy in groups.xml. Used with permission from @obscuresec (obscuresec).
- Invoke-ReverseDnsLookup: scans an IP address range for DNS PTR records. This script is useful for performing DNS reconnaissance prior to conducting an authorized penetration test.
- Get-PEHeader: the newest in-memory and on-disk PE parsing utility.
- Get-PEArchitecture: returns the architecture for which an executable was compiled.
- Get-DllLoadPath: returns the path from which Windows will load a Dll for the given executable.
- Get-ILDisassembly: disassembles a raw MSIL byte array passed in from a MethodInfo object in a manner similar to that of Ildasm.

So you can see that in addition to a lot of general purpose scripts, you have a lot of scripts that allow you to work with portable executables (PEs) and reverse engineering (RE). Since this is an open source project, all of this can surely be improved upon. A writing style guide has also been provided by the author on the GitHub page, under the 3-clause BSD license, where this project is hosted.

Download PowerSploit:
PowerSploit.zip and project home page.

Source: PowerSploit: A PowerShell Post-Exploitation Framework! — PenTestIT
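As an added example (not PowerSploit's code and not from any post above), this Python parser covers what the earlier OllyDbg reply asks you to understand about PE structure and what Get-PEHeader/Get-PEArchitecture report: it walks the DOS header, PE signature, COFF header, optional-header magic and section table, and flags sections mapped both writable and executable. The PE image it reads is constructed in build_sample_pe() and is not a real binary.

```python
"""Minimal PE header walker: DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header
-> optional header magic -> section table. Constants are the documented
IMAGE_FILE_* / IMAGE_SCN_* values; the sample image is constructed here."""
import struct

IMAGE_FILE_MACHINE = {0x14C: "i386", 0x8664: "AMD64", 0x1C0: "ARM", 0x200: "IA64"}
IMAGE_FILE_DLL = 0x2000
PE32, PE32_PLUS = 0x10B, 0x20B                       # optional header Magic values
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000
COFF_FMT = "<HHIIIHH"          # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
                               # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data):
    """Return machine, PE32/PE32+, DLL flag and the section table of a PE image.
    Raises ValueError for anything that is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff_off = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from(COFF_FMT, data, coff_off)
    opt_off = coff_off + struct.calcsize(COFF_FMT)
    (magic,) = struct.unpack_from("<H", data, opt_off)
    arch = {PE32: "PE32 (32-bit)", PE32_PLUS: "PE32+ (64-bit)"}.get(magic)
    if arch is None:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    sections = []
    sec_off = opt_off + opt_size   # section table follows the optional header
    for i in range(nsections):
        fields = struct.unpack_from(SECTION_FMT, data, sec_off + i * struct.calcsize(SECTION_FMT))
        name, vsize, vaddr, rawsize, rawptr, *_, schars = fields
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr, "virtual_size": vsize,
            "raw_offset": rawptr, "raw_size": rawsize,
            # a section that is both writable and executable is worth a second look
            # (self-modifying code, unpacking stubs, injected code)
            "writable_executable": bool(schars & IMAGE_SCN_MEM_WRITE) and bool(schars & IMAGE_SCN_MEM_EXECUTE),
        })
    return {
        "machine": IMAGE_FILE_MACHINE.get(machine, f"0x{machine:x}"),
        "architecture": arch,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "sections": sections,
    }


def build_sample_pe(machine=0x8664, magic=PE32_PLUS, dll=False):
    """Constructed PE image containing only the header fields parsed above;
    the optional header body is zero-filled and there is no code. Not runnable."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xF0 if magic == PE32_PLUS else 0xE0    # standard optional header sizes
    chars = 0x0002 | (IMAGE_FILE_DLL if dll else 0)     # IMAGE_FILE_EXECUTABLE_IMAGE [| DLL]
    # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
    secs = [(b".text", 0x1000, 0x1000, 0x200, 0x400, 0x60000020),   # CODE | EXECUTE | READ
            (b".data", 0x100, 0x2000, 0x200, 0x600, 0xC0000040),    # INIT_DATA | READ | WRITE
            (b".rwx", 0x1000, 0x3000, 0x1000, 0x800, 0xE0000040)]   # READ | WRITE | EXECUTE
    coff = struct.pack(COFF_FMT, machine, len(secs), 0, 0, 0, opt_size, chars)
    opt = struct.pack("<H", magic) + bytes(opt_size - 2)
    table = b"".join(struct.pack(SECTION_FMT, n, vs, va, rs, rp, 0, 0, 0, 0, c)
                     for n, vs, va, rs, rp, c in secs)
    return bytes(dos) + b"PE\0\0" + coff + opt + table


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(info["machine"], info["architecture"], "DLL" if info["is_dll"] else "EXE")
    for s in info["sections"]:
        flag = "  <-- writable AND executable" if s["writable_executable"] else ""
        print(f'  {s["name"]:<8} va=0x{s["virtual_address"]:06x} raw=0x{s["raw_offset"]:06x}{flag}')
```

Pass the bytes of a file on disk to parse_pe() to get the same report for a real executable; the parser deliberately stops at the section table and does not follow data directories.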
-
Mom arrested for hacking school computers, tweaking her kids' grades
by Lisa Vaas on July 23, 2012

A US mother is facing six felony counts for allegedly hacking into her children's school computer, changing their grades, and accessing the school's human resources system to open thousands of personnel files that contained contracts, employee reports and other information.

The mother, Catherine Venusto, 45, from New Tripoli, Pennsylvania, worked as a secretary for the Northwestern Lehigh School District from 2008 through April 2011 and has at least two children in the district, according to the District Attorney's office. Venusto is accused of changing her daughter's grade from an F to an M for "medical," of allegedly boosting her son's grade of 98 percent to 99 percent, and of using the superintendent's information to log onto the district email system and to access Northwestern Lehigh's human resources system.

According to Lehigh Valley Live.com, Venusto allegedly used the superintendent's password 110 times over the course of a year and a half to conduct the mischief. Authorities told news outlets that Venusto also used the information of nine other Northwestern Lehigh employees, most of whom were in the guidance department, to access computer systems.

According to Lehigh Valley Live, officials first suspected a problem in January after the high school principal told superintendent Dr. Mary Anne Wright that teachers didn't understand why she was checking their computer-based gradebooks. Wright told the principal that she hadn't looked at the books. That's when the jig was up. The district immediately shut down the student information system, quickly initiated steps to bolster security, and turned the matter over to state police, Wright told Lehigh Valley Live:

"Within three hours of suspecting unauthorized access, email, student information system and the district shared drive were shut down until we were able to fully identify the issue. New security measures were put in place before the systems were accessed again by staff, students or parents."

Venusto is facing three counts each of unlawful use of a computer and computer trespass, which are third-degree felonies. She was arraigned on Wednesday and released on $30,000 unsecured bail, which she'll only have to pay if she fails to appear in court for her preliminary hearing on July 26. If she's convicted, Venusto could face a maximum of 42 years in prison or a $90,000 fine, District Attorney's office spokeswoman Debbie Garlicki told ABC News Radio. Garlicki said that the maximum penalty on each count is seven years or a $15,000 fine.

The school district may well have acted promptly to clamp down systems and improve security after they discovered the trespassing and tinkering, but the plain fact is that leading up to this incident, employees seemed to play fast and loose with security. Perhaps it's necessary for a superintendent's secretary to know her boss's login information. Even if it is, it's hard to imagine why Wright failed to change her password after Venusto left her job. This is a good reminder that a password that walks out the door inside the brain of an ex-employee (as well as a current employee, insider-threat-wise) could well come back to haunt us.

Source: Mom arrested for hacking school computers, tweaking her kids’ grades | Naked Security
-
It isn't very popular, but I have worked and still work (at my job) with such devices, and this thing can be very useful.
-
Ram Hacking - Cold Boot Attacks On Encryption Keys
Nytro replied to ionut97's topic in Tutoriale video
Anyway, brilliantly thought out...
-
Qubes 1.0 Release Candidate 1!
July 22, 2012 By Mayuresh

Our first post regarding the Qubes OS can be found here. Yesterday, the much anticipated Qubes 1.0 Release Candidate 1 was released! This release is expected to be essentially identical to the final 1.0 release, which will likely follow in the coming weeks, except for some minor, cosmetic fixes.

“Qubes implements the Security by Isolation approach. To do this, Qubes utilizes virtualization technology to isolate various programs from each other, and even to sandbox many system-level components, like the networking or storage subsystem, so that their compromise doesn’t affect the integrity of the rest of the system. Qubes lets the user define many security domains implemented as lightweight Virtual Machines (VMs), or “AppVMs”. E.g. a user can have “personal”, “work”, “shopping”, “bank”, and “random” AppVMs and can use the applications from within those VMs just as if they were executing on the local machine, but at the same time they are well isolated from each other. Qubes supports secure copy-and-paste and file sharing between the AppVMs, of course.”

Changes made to Qubes:
- A much improved Qubes Manager, which now allows you to configure and manage almost every aspect of the Qubes system using a simple and intuitive GUI.
- All the VMs are now based on a Fedora 17 template.
- Cleaned up and improved command line tools for both Dom0 and the VMs.
- Updated Dom0 and VM kernels, now based on the 3.2.7-pvops kernel, which offers better hardware and power management support.
- Convenient menu improvements, including e.g. a handy icon for launching a disposable web browser in a Disposable VM.
- Support for a “yum proxy”, which allows updating packages in a template VM (or other updateable VM) without granting general HTTP access to that VM. This has been a problem before, as the Fedora repos use hundreds of mirrored yum servers, and it wasn’t possible to set up a single rule in the firewall VM to allow access only to the yum servers and nothing else. Now this is possible, and the primary application is to prevent user mistakes, e.g. using the template VM for web browsing.
- Opt-in fullscreen mode for select VMs.
- Plus lots of other improvements and fixes under the hood.

As can be seen in the wiki, over 200 tickets have been closed as part of the work on this release!

Download Qubes: Qubes 1.0 Release Candidate 1 - Qubes-R1-rc1-x86_64-DVD.iso/Qubes-R1-rc1-x86_64-DVD.torrent

Sursa: Qubes 1.0 RC 1! — PenTestIT
-
Java the Hutt meets CVE-2012-1723: the Evil Empire strikes back
by Aleksandr Matrosov, Senior Malware Researcher

In one of my previous posts I described how the CVE-2012-1889 vulnerability (CVE2012-1889: MSXML use-after-free vulnerability) works, but the Java exploitation process is too easy for the bad guys not to revisit it. The attacker does not have to think about problems with ASLR/DEP, SafeSEH and other security mechanisms included in the latest versions of Microsoft Windows. All the tricks for bypassing security mechanisms make the exploitation process more unstable and are not universal across platforms.

[heap-spray results from JS/Exploit.CVE-2012-1889]

Previously, the Java vulnerability most commonly used for mass exploitation in popular exploit kits was CVE-2012-0507 (Blackhole, CVE-2012-0507 and Carberp). This vulnerability uses a logical bug in AtomicReferenceArray by using the Unsafe class to store a reference in an array directly, which may violate type safety if not used properly. CVE-2012-1723 is an interesting vulnerability, based on a bug in the Java HotSpot VM with the bytecode verifier, where an invalid optimization of GETFIELD/PUTFIELD/GETSTATIC/PUTSTATIC instructions leads to insufficient type checking. The vulnerability gives malware a way to evade the JRE (Java Runtime Environment) sandbox, so that it can load additional Java classes in order to perform malicious actions. CVE-2012-1723 is a cross-platform vulnerability and can be used to attack all platforms with an affected JVM (Java Virtual Machine) version. In the cases of both CVE-2012-0507 and CVE-2012-1723 the vulnerabilities were made public by Michael ‘mihi’ Schierl. These vulnerabilities are of a similar nature, using bugs in the logic of JVM components in order to work.

Today, CVE-2012-1723 multiplatform exploitation code was made public by publishing it in the Metasploit Framework repository (java_verifier_field_access.rb). ESET products already detect the CVE-2012-1723 vulnerability as JS/Exploit.CVE-2012-1723. The exploit for CVE-2012-1723 (New Java Exploit to Debut in BlackHole Exploit Kits) is already included in the latest update of the BlackHole exploit kit. It has already ceased to be a zero-day vulnerability, but in practice Java exploits constitute a large percentage of successful attacks even after a patch has been released. BlackHole is now the most common exploit kit, and a license for one year with support costs $1,500 on the cyber crime marketplace.

The exploitation code packs the following object structure into a JAR (Java archive file):

So as to provide execution of a malicious payload, an additional 100 static fields in class C2 were crafted and assigned a NULL value. At the next stage of exploitation another 100 instances of the class C3 non-static confuse method are generated. This operation looks like this in Java bytecode:

At the next step of exploitation the confuse method is called many times and results in the execution of malicious code. This code is executed by the loader class and provides additional class loading in an escalated privilege context, performing operations that enable evasion of the sandbox mechanism. When the Java code is decompiled these operations look like this:

At the final stage of exploitation a new application domain is built which executes outside the sandbox and runs a malicious Java applet without security checks.

The Java platform is particularly interesting to attackers at this moment because vulnerabilities are continually being found, and exploitation looks easier than exploitation of native, platform-specific applications where operating system security mechanisms may get in their way. A working exploit for a known Java vulnerability may take a few days to develop, whereas it may take a few weeks to develop exploitation code for a native application.

Aleksandr Matrosov, Security Intelligence Team Lead

Sursa: Java exploit CVE-2012-1723 and the Blackhole exploit kit | ESET ThreatBlog
-
Linux 3.5 released
From: Linus Torvalds <>
Date: Sat, 21 Jul 2012 15:16:00 -0700
Subject: Linux 3.5 released

Ok, not a lot happened since -rc7. There's a number of MIPS commits (for some reason MIPS has had a horrible track record with the -rc time schedule, I suspect I should just stop pulling late in the game), but most of the rest is pretty small. A couple of dm/md fixes, some gma500 work, make kgdb 'dmesg' command work again, some networking fixes, some xfs and cifs noise, yadda yadda. About 50% of the patch is actually the SPEAr clock name renaming that is just some search-and-replace. The shortlog is appended if you're interested in the details.

And as usual, this obviously means that the merge window for 3.6 is open, although I hope people will spend a little bit of time testing and beating on 3.5 before pushing on with the merge window. And as mentioned earlier, if you are a (probably European) maintainer, and will be gone most of August, I'd rather you just delay the whole thing until 3.7 rather than send me a merge request for 3.6 and then effectively disappear for the next few weeks. And if 3.6 ends up smaller as a result of vacation details like that, it's fine.
Linus Aaditya Kumar (1): mm: fix lost kswapd wakeup in kswapd_stop() Aaro Koskinen (1): MIPS: cmpxchg.h: Add missing include Al Viro (1): ext4: fix duplicated mnt_drop_write call in EXT4_IOC_MOVE_EXT Alan Cox (5): sch_sfb: Fix missing NULL check gma500: Fix lid related crash gma500: move the ASLE enable gma500,cdv: Fix the brightness base ax25: Fix missing break Alexander Duyck (2): ixgbe: DCB and SR-IOV can not co-exist and will cause hangs ixgbevf: Fix panic when loading driver Amir Hanania (1): net: Fix memory leak - vlan_info struct Anders Kaseorg (1): fifo: Do not restart open() if it already found a partner Anirban Chakraborty (1): MAINTAINERS: Changes in qlcnic and qlge maintainers list Anton Vorontsov (4): kdb: Revive dmesg command printk: Remove kdb_syslog_data printk: Implement some unlocked kmsg_dump functions kdb: Switch to nolock variants of kmsg_dump functions Artem Bityutskiy (1): UBIFS: fix a bug in empty space fix-up Benjamin Tissoires (1): HID: hid-multitouch: add support for Zytronic panels Bing Zhao (1): mwifiex: fix Coverity SCAN CID 709078: Resource leak (RESOURCE_LEAK) Bjørn Mork (1): net: qmi_wwan: add ZTE MF60 Boaz Harrosh (5): ore: Fix NFS crash by supporting any unaligned RAID IO ore: Remove support of partial IO request (NFS crash) ore: Unlock r4w pages in exact reverse order of locking pnfs-obj: don't leak objio_state if ore_write/read fails pnfs-obj: Fix __r4w_get_page when offset is beyond i_size Bruce Allan (1): e1000e: fix test for PHY being accessible on 82577/8/9 and I217 Christoph Hellwig (2): xfs: prevent recursion in xfs_buf_iorequest xfs: do not call xfs_bdstrat_cb in xfs_buf_iodone_callbacks Cloud Ren (1): atl1c: fix issue of transmit queue 0 timed out Dan Carpenter (4): sony-laptop: fix sony_nc_sysfs_store() sony-laptop: fix a couple signedness bugs ideapad: uninitialized data in ideapad_acpi_add() rbd: endian bug in rbd_req_cb() Daniel Nicoletti (1): HID: add battery quirk for Apple Wireless ANSI Danny Kukawka (1): MIPS: 
BMIPS: Fix duplicate header inclusion. Dave Chinner (2): xfs: really fix the cursor leak in xfs_alloc_ag_vextent_near xfs: don't defer metadata allocation to the workqueue David Daney (2): netdev/phy: Fixup lockdep warnings in mdio-mux.c MIPS: Properly align the .data..init_task section. Deepak Sikri (2): stmmac: Fix for nfs hang on multiple reboot stmmac: Fix for higher mtu size handling Dmitry Eremin-Solenikov (1): MAINTAINERS: reflect actual changes in IEEE 802.15.4 maintainership Dong Aisheng (2): pinctrl: pinctrl-imx: only print debug message when DEBUG is defined pinctrl: pinctrl-imx6q: add missed mux function for USBOTG_ID Douglas Leung (1): MIPS: Fix decoding of c0_config1 for MIPSxx caches with 32 ways per set. Eliad Peller (1): mac80211: destroy assoc_data correctly if assoc fails Emmanuel Grumbach (1): iwlegacy: don't mess up the SCD when removing a key Eric Dumazet (6): net: dont use __netdev_alloc_skb for bounce buffer netem: add limitation to reordered packets net: cgroup: fix out of bounds accesses gianfar: fix potential sk_wmem_alloc imbalance IPoIB: fix skb truesize underestimatiom net: respect GFP_DMA in __netdev_alloc_skb() Eric Paris (2): SELinux: include definition of new capabilities SELinux: do not check open perms if they are not known to policy Eric W. 
Biederman (2): bonding: Manage /proc/net/bonding/ entries from the netdev events bonding: debugfs and network namespaces are incompatible Ezequiel Garcia (1): cx25821: Remove bad strcpy to read-only char* Federico Fuga (1): rpmsg: fix dependency on initialization order Florian Fainelli (2): MIPS: perf: Fix build error caused by unused counters_per_cpu_to_total() MIPS: BCM63XX: Fix BCM6368 IPSec clock bit Frank Kunz (1): HID: add Sennheiser BTD500USB device support Ganesan Ramalingam (1): MIPS: Netlogic: MSI enable fix for XLS Gao feng (2): cgroup: fix panic in netprio_cgroup net: cgroup: fix access the unallocated memory in netprio cgroup Geert Uytterhoeven (7): mn10300: fix "pull clearing RESTORE_SIGMASK into block_sigmask()" fallout m32r: remove duplicate definition of PTRACE_O_TRACESYSGOOD m32r: fix pull clearing RESTORE_SIGMASK into block_sigmask() fallout m32r: fix 'fix breakage from "m32r: use generic ptrace_resume code"' fallout m32r: consistently use "suffix-$(...)" m32r: add memcpy() for CONFIG_KERNEL_GZIP=y m32r: make memset() global for CONFIG_KERNEL_BZIP2=y Hans Verkuil (1): v4l2-dev: forgot to add VIDIOC_DV_TIMINGS_CAP. Jayachandran C (2): MIPS: Netlogic: Fix PCIX irq on XLR chips MIPS: Netlogic: Fix TLB size of boot CPU. Jeff Layton (3): cifs: on CONFIG_HIGHMEM machines, limit the rsize/wsize to the kmap space cifs: when CONFIG_HIGHMEM is set, serialize the read/write kmaps cifs: always update the inode cache with the results from a FIND_* John Stultz (1): ntp: Fix STA_INS/DEL clearing bug Jozsef Kadlecsik (1): netfilter: ipset: timeout fixing bug broke SET target special timeout value Julia Lawall (3): drivers/isdn/mISDN/stack.c: remove invalid reference to list iterator variable net/rxrpc/ar-peer.c: remove invalid reference to list iterator variable drivers/net/ethernet/broadcom/cnic.c: remove invalid reference to list iterator variable Julian Anastasov (1): ipvs: fix oops in ip_vs_dst_event on rmmod Leonid Yegoshin (3): MIPS: Don't panic on 5KEc. 
MIPS: Fix race condition with FPU thread task flag during context switch. MIPS: Malta may also be equipped with MIPS64 R2 processors. Lin Ming (1): ipvs: fix oops on NAT reply in br_nf context Linus Torvalds (2): Make wait_for_device_probe() also do scsi_complete_async_scans() Linux 3.5 Marco Chiappero (1): sony-laptop: notify userspace of GFX switch position changes Marek Szyprowski (1): mm: cma: fix condition check when setting global cma area Mark Rustad (1): tcm_fc: Fix crash seen with aborts and large reads Mattia Dongili (5): sony-laptop: use an enum for SNC event types sony-laptop: store battery care limits on batteries sony-laptop: add lid backlight support for handle 0x143 sony-laptop: input initialization should be done before SNC sony-laptop: correct find_snc_handle failure checks Michael Chan (2): cnic: Don't use netdev->base_addr bnx2: Fix bug in bnx2_free_tx_skbs(). Michael Kerrisk (1): PM: Rename CAP_EPOLLWAKEUP to CAP_BLOCK_SUSPEND Mikulas Patocka (3): dm raid1: fix crash with mirror recovery and discard dm thin: do not send discards to shared blocks dm raid1: set discard_zeroes_data_unsupported Narendra K (1): ixgbevf: Prevent RX/TX statistics getting reset to zero Neil Horman (1): sctp: Fix list corruption resulting from freeing an association on a list NeilBrown (3): md: fix bug in handling of new_data_offset md: avoid crash when stopping md array races with closing other open fds. md/raid1: close some possible races on write errors during resync Olaf Hering (1): kexec: update URL of kexec homepage Pablo Neira Ayuso (1): netfilter: nf_ct_ecache: fix crash with multiple containers, one shutting down Paul Moore (1): cipso: don't follow a NULL pointer when setsockopt() is called Prathyush K (1): ARM: dma-mapping: modify condition check while freeing pages Rabin Vincent (1): mm: cma: don't replace lowmem pages with highmem Rafael J. 
Wysocki (1): Remove SYSTEM_SUSPEND_DISK system state Ralf Baechle (5): MIPS: Provide a symbol for the legacy performance counter interrupt. MIPS: MT: Fix indentation damage. MIPS: SMTC: Spelling and grammar corrections. MIPS: Fix typo multipy -> multiply MIPS: Oprofile: Fix build as a module. Roland Dreier (2): target: Clean up returning errors in PR handling code target: Fix range calculation in WRITE SAME emulation when num blocks == 0 Rustad, Mark D (1): net: Statically initialize init_net.dev_base_head Sachin Prabhu (1): Initialise mid_q_entry before putting it on the pending queue Sage Weil (1): libceph: fix messenger retry Sasha Levin (2): ieee802154: verify packet size before trying to allocate it NFC: Prevent NULL deref when getting socket name Sebastian Andrzej Siewior (1): MIPS: PCI: Move fixups from __init to __devinit. Simon Wunderlich (1): batman-adv: check incoming packet type for bla Sjur Brændeland (1): caif: Fix access to freed pernet memory Stanislaw Gruszka (2): rt2x00usb: fix indexes ordering on RX queue kick iwlegacy: always monitor for stuck queues Stefan Roese (1): ARM: SPEAr600: Fix timer interrupt definition in spear600.dtsi Steven J. Hill (4): MIPS: Clean-up GIC and vectored interrupts. MIPS: Add support for the M14Kc core. MIPS: Refactor 'clear_page' and 'copy_page' functions. MIPS: Malta: Change start address to avoid conflicts. Takashi Iwai (1): intel_ips: blacklist HP ProBook laptops Thomas Gleixner (1): timekeeping: Add missing update call in timekeeping_resume() Thomas Huehn (1): mac80211: correct size the argument to kzalloc in minstrel_ht Tushar Dave (1): e1000e: Correct link check logic for 82571 serdes Uwe Kleine-König (1): mips: mark const init data with __initconst instead of __initdata Vincent Wen (1): MIPS: Fix Magic SysRq L kernel crash. 
Vipul Kumar Samar (9): clk:spear1340:Fix: Rename clk ids within predefined limit clk:spear1310:Fix: Rename clk ids within predefined limit Clk:spear3xx:Fix: Rename clk ids within predefined limit Clk:spear6xx:Fix: Rename clk ids within predefined limit ARM: SPEAr13xx: Fix Interrupt bindings clk: SPEAr1340: Fix clk enable register for uart1 and i2c1. Clk: SPEAr1340: Update sys clock parent array ARM: dts: SPEAr320: Fix compatible string ARM: dts: SPEAr320: Boot the board in EXTENDED_MODE Yan, Zheng (1): rbd: Fix ceph_snap_context size calculation Yinghai Lu (1): bootmem: make ___alloc_bootmem_node_nopanic() really nopanic Yoichi Yuasa (4): mips: fix bug.h build regression MIPS: BCM47xx: Fix BCMA_DRIVER_PCI_HOSTMODE config dependencies MIPS: Cavium: Fix duplicate ARCH_SPARSEMEM_ENABLE in kconfig. MIPS: Fix bug.h MIPS build regression Yong Zhang (8): MIPS: Octeon: delay enable irq to ->smp_finish() MIPS: BMIPS: delay irq enable to ->smp_finish() MIPS: SMTC: delay irq enable to ->smp_finish() MIPS: Yosemite: delay irq enable to ->smp_finish() MIPS: call ->smp_finish() a little late MIPS: call set_cpu_online() on cpu being brought up with irq disabled MIPS: smp: Warn on too early irq enable MIPS: sync-r4k: remove redundant irq operation Sursa: https://lkml.org/lkml/2012/7/21/114
-
Power Pwn: This DARPA-funded power strip will hack your network
Summary: The Power Pwn may look like a power strip, but it's actually a DARPA-funded hacking tool for launching remotely-activated Wi-Fi, Bluetooth, and Ethernet attacks. If you see one around the office, make sure to ask if it's supposed to be there.
By Emil Protalinski for Zero Day | July 22, 2012

The Power Pwn may look like an ordinary power strip, maybe with an included surge protector, but it's far from it. Network administrators and IT staff in general need to be wary of this one: it can do much more than meets the eye. The Defense Advanced Research Projects Agency (DARPA)'s Cyber Fast Track program helped fund the development of the Power Pwn. Pwnie Express, which developed the $1,295 gizmo, says it's "a fully-integrated enterprise-class penetration testing platform." That's great, but the company also notes its "ingenious form-factor" (again, look at the above picture) and "highly-integrated/modular hardware design," which to me translates to: it's the perfect tool for hacking a corporate network.

So what do you get after you drop more than a grand for the device? Check out the list of features:
- Onboard high-gain 802.11b/g/n wireless.
- Onboard high-gain Bluetooth (up to 1000').
- Onboard dual-Ethernet.
- Fully functional 120/240V AC outlets!
- Includes 16GB internal disk storage.
- Includes external 3G/GSM adapter.
- Includes all release 1.1 features.
- Fully-automated NAC/802.1x/RADIUS bypass.
- Out-of-band SSH access over 3G/GSM cell networks!
- Text-to-Bash: text in bash commands via SMS!
- Simple web-based administration with "Plug UI".
- One-click Evil AP, stealth mode, & passive recon.
- Maintains persistent, covert, encrypted SSH access to your target network [Details].
- Tunnels through application-aware firewalls & IPS.
- Supports HTTP proxies, SSH-VPN, & OpenVPN.
- Sends email/SMS alerts when SSH tunnels are activated.
- Preloaded with Debian 6, Metasploit, SET, Fast-Track, w3af, Kismet, Aircrack, SSLstrip, nmap, Hydra, dsniff, Scapy, Ettercap, Bluetooth/VoIP/IPv6 tools, & more.
- Unpingable and no listening ports in stealth mode.

To summarize that for you, the Power Pwn can launch remotely-activated Wi-Fi, Bluetooth, and Ethernet attacks to identify network weaknesses. You can send commands via a convenient Web interface, accessible through the unit's built-in 3G radio, or directly to the device via text message. In fact, if you're feeling really lazy, you can use Apple's Siri voice-recognition software to send it instructions. It's something "you can just plug in and do a full-scale penetration test from start to finish," Pwnie Express CEO Dave Porcello told Wired. "The enterprise can use stuff like this to do testing more often and more cheaply than they’re doing it right now." He also said 90 percent of the company's clients are commercial or federal organizations. What's the other 10 percent? That's what you should be worried about.

The good news is you still have time to get the word out. The Power Pwn is currently available for pre-order, but its estimated ship date is September 30, 2012.

Sursa: Power Pwn: This DARPA-funded power strip will hack your network | ZDNet
-
Clipcaptcha: An Open Source CAPTCHA Provider Impersonation Tool!
July 21, 2012 By Mayuresh

Our last post in connection with CAPTCHA, or Completely Automated Public Turing test to tell Computers and Humans Apart, was on the offensive side, trying to break it – Stiltwalker. Today’s post was submitted via the Submit Your Tool option by Mr. Gursev Singh Kalra – Clipcaptcha, an open source tool written in Python that provides extensible, signature-based CAPTCHA provider impersonation. Again, this tool will be officially released at the Black Hat USA 2012 Arsenal.

Clipcaptcha can be used to exploit certain vulnerabilities to bypass CAPTCHA provider protection. It is based on Moxie Marlinspike’s sslstrip codebase. According to the author, certain vulnerabilities affect almost every CAPTCHA provider including reCAPTCHA, opencaptcha and captchator. These vulnerabilities can be exploited to completely bypass the protection offered by CAPTCHA providers. Depending on its mode of operation, Clipcaptcha may approve, reject or forward the CAPTCHA verification requests. It maintains an easy to edit XML configuration file that it queries to identify CAPTCHA provider request formats and render corresponding responses.

Clipcaptcha's permitted operational modes:
- Monitor Mode: Signature-based CAPTCHA provider detection is performed and all CAPTCHA validation requests are logged to a local file. The CAPTCHA validation requests and corresponding responses are allowed to complete without any modifications.
- Avalanche Mode: A success response is returned on behalf of the matching CAPTCHA provider for all validation requests. It is recommended not to run clipcaptcha in this mode, as a surge in successful account creations or registrations may be detected.
- Stealth Mode: Stealth is the recommended mode for running clipcaptcha. This mode relies on the fact that all CAPTCHA validation APIs need to send the user-supplied CAPTCHA solution to the CAPTCHA providers for validation. clipcaptcha banks on this behavior to operate stealthily and returns a Success status only for the requests that contain a secret string. In its current implementation, clipcaptcha parses the entire CAPTCHA validation request (initial line, headers and body) and returns success if the secret string is found, or allows the request to complete without any modifications.
- DoS Mode: A failure response is returned for all CAPTCHA validation requests. This leads to a Denial of Service condition on the target web application for all forms that require CAPTCHA validation.
- Random Mode: Random Success and Failure responses are returned on behalf of the matching CAPTCHA provider for all validation requests; this exists only as a teaser mode.

Once the clipcaptcha instance starts running, all CAPTCHA validation requests will be taken care of by clipcaptcha. It also has signature-based CAPTCHA provider detection, which relies on the fact that CAPTCHA providers are basically HTTP-based custom web services that accept CAPTCHA validation requests in a particular format and respond with a finite set of responses that allow the clients to make Boolean choices to allow or disallow the request. This allows clipcaptcha to take advantage of this finite and predictable request and response data set to implement a signature-based request detection and response system.

This open source tool requires Python 2.5 or newer with the Twisted Python module. Setting up Clipcaptcha is a four step process which is effectively described in the documentation that accompanies the tool. Executing it is also pretty simple:

clipcaptcha.py <mode> -l <listeningPort>

That is all and you are ready to bypass CAPTCHA providers!

Download Clipcaptcha: Clipcaptcha v0.1 – clipcaptcha-v0.1.zip

Sursa: Clipcaptcha: A CAPTCHA Provider Impersonation Tool! — PenTestIT
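The post describes the mechanism (match a verification request against a provider signature, then answer it locally according to the mode) without showing it. The following is an added, self-contained model of that decision logic, not clipcaptcha's own code and not its XML configuration format. The provider signature and the sample request are constructed for a hypothetical provider at captcha.example; real providers' verify endpoints, parameter names and response strings differ.

```python
"""
Signature-based interception of CAPTCHA verification requests, modelled on
the five modes described for clipcaptcha (monitor, avalanche, stealth, dos,
random). Added illustration, not the tool's code. Everything about the
provider below is constructed for the example.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class ProviderSignature:
    name: str
    host: str
    path: str
    required_fields: tuple   # form parameters a verify request must carry
    success_body: str        # what the provider answers for a correct solution
    failure_body: str        # what it answers for a wrong one


# Constructed signature for a hypothetical provider (assumption, not a real API)
SIGNATURES = (
    ProviderSignature(
        name="example-captcha",
        host="captcha.example",
        path="/verify",
        required_fields=("privatekey", "challenge", "response"),
        success_body="true",
        failure_body="false\nincorrect-captcha-sol",
    ),
)


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into request line, headers and form body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    form = {}
    for pair in body.decode("latin-1").split("&"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            form[key] = value
    return {"method": method, "path": target.split("?", 1)[0],
            "headers": headers, "form": form}


def match_provider(req: dict):
    """Return the signature whose method/host/path/fields all match, else None."""
    for sig in SIGNATURES:
        if (req["method"] == "POST"
                and req["headers"].get("host") == sig.host
                and req["path"] == sig.path
                and all(f in req["form"] for f in sig.required_fields)):
            return sig
    return None


def decide(mode: str, raw: bytes, secret: str = "", rng=random.Random(0)):
    """Return ('forward', None) to let the request through unchanged, or
    ('reply', body) to answer it locally without contacting the provider."""
    req = parse_request(raw)
    sig = match_provider(req)
    if sig is None or mode == "monitor":
        return ("forward", None)             # monitor: observe/log only
    if mode == "avalanche":
        return ("reply", sig.success_body)   # every solution "passes" (noisy)
    if mode == "dos":
        return ("reply", sig.failure_body)   # every solution fails
    if mode == "random":
        return ("reply", rng.choice((sig.success_body, sig.failure_body)))
    if mode == "stealth":
        # succeed only when the secret string appears anywhere in the request;
        # everyone else's traffic is forwarded untouched, so nothing looks off
        if secret and secret.encode() in raw:
            return ("reply", sig.success_body)
        return ("forward", None)
    raise ValueError(f"unknown mode {mode!r}")


# Constructed verify request, as a web application would send it to the provider
SAMPLE = (b"POST /verify HTTP/1.1\r\n"
          b"Host: captcha.example\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
          b"privatekey=k1&remoteip=10.0.0.5&challenge=abc&response=")
```

The thing to take from the model is what the attack depends on: the application's server-side call to the provider must be observable and forgeable by whoever sits on the path. A verification client that talks to the provider only over TLS with certificate validation, and treats any response other than the exact success string as a failure, leaves none of these modes with anything to match.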
-
The password you use but don't know
Written by Scientia.Ro, Saturday, 21 July 2012, 17:19

Even the most sophisticated method of securing an electronic device can be defeated by forcing the person who knows the password to reveal it. But what if the password were stored in the brain without its holder being able to reveal it, even if they tried? That is the promise of a new technique that combines cryptography with neuroscience. In initial tests, volunteers learned a password and later used it to pass a test, but they could not identify it when asked to.

The idea relies on the principle of implicit learning, a process by which a person can unconsciously learn certain sequences of actions. Hristo Bojinov of Stanford University in California, USA, and his colleagues created a game in which players intercept falling objects by pressing a key. Objects appear in one of 6 available positions, with one key per position. Unknown to the players, the positions in which the objects appeared were not always random. Hidden in the game was a sequence of 30 successive positions that repeated more than 100 times during the 30-45 minutes the game lasted. Players made few errors when they reached this sequence of keys, across multiple rounds, and the skill persisted for 2 weeks, when they were tested again.

The results suggest the game could form the basis of a security system. Players would learn a unique sequence in the initial game session and could later use it by playing the same game. Curiously, earlier studies have shown that people cannot reproduce sequences learned this way. But this phenomenon of implicit learning is one we experience daily: think, for example, of how a person can correctly use new words in a sentence without being aware of the grammatical rules underlying the language.

Someone could try to discover a sequence of actions learned this way by forcing its holder to play a similar game and observing the segments of the game in which the fewest errors are made. But because the sequence consists of 30 keys across six different positions, the odds of finding it are small. The creators of the scheme estimate that testing 100 users non-stop for a year would give a probability of 1 in 60,000 of determining the correct key sequence.

The system needs to become much more user-friendly before it can be used commercially. Like other security systems, it could be broken by classic methods, such as breaking the user's authentication sequence. For these reasons, Bojinov says his scheme is more likely to be used in high-risk activities where the physical presence of the password holder is required, such as accessing a military or nuclear facility.

The system described above has advantages over biometric methods, which rely on recognizing unique traits such as the iris "print". "Authentication (in the biometric case, translator's note) requires no explicit effort from the user," says Ari Juels, director of RSA Laboratories, Cambridge, Massachusetts. "If the time required for training and authentication can be reduced, then some of the benefits of biometrics, which require no effort and carry no risk of losing the password, can be combined with options that biometrics lack, such as the ability to replace a biometric system that has been compromised."

Sursa: Parola pe care o folosești, dar nu o știi
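The article describes the scheme but not how a verifier would actually decide. The following is an added toy model of that decision, not the Stanford team's code: a hidden 30-position sequence over 6 keys is interleaved with random filler of the same length, a player's hits are scored per trial, and the user is accepted only when accuracy on the hidden sequence exceeds accuracy on the filler by a margin. The player model (a lower miss rate on the trained sequence only) and the acceptance margin are assumptions made for the illustration; the real study's game, sequence constraints and statistics are richer than this.

```python
"""
Toy model of implicit-learning authentication as described in the article.
Added illustration, not the researchers' code. Player error rates and the
acceptance margin are assumptions.
"""
import random

KEYS = 6       # positions (and keys) in the game
SEQ_LEN = 30   # length of the hidden sequence


def make_secret(rng: random.Random) -> list:
    """Hidden sequence: 30 positions over 6 keys, no position repeated back to back."""
    seq = [rng.randrange(KEYS)]
    while len(seq) < SEQ_LEN:
        nxt = rng.randrange(KEYS)
        if nxt != seq[-1]:
            seq.append(nxt)
    return seq


def build_session(secret: list, rng: random.Random, rounds: int):
    """Interleave the secret with equally long random filler.
    Returns (positions, is_secret) so the verifier knows which trials count."""
    positions, is_secret = [], []
    for _ in range(rounds):
        positions += secret
        is_secret += [True] * SEQ_LEN
        positions += [rng.randrange(KEYS) for _ in range(SEQ_LEN)]
        is_secret += [False] * SEQ_LEN
    return positions, is_secret


def simulate_player(is_secret: list, trained: bool, rng: random.Random,
                    base_err: float = 0.30, trained_err: float = 0.10) -> list:
    """Per-trial hit (True) or miss (False). A trained player misses less on the
    secret segments only; an untrained player misses uniformly. Assumed rates."""
    hits = []
    for secret_trial in is_secret:
        miss_p = trained_err if (trained and secret_trial) else base_err
        hits.append(rng.random() >= miss_p)
    return hits


def authenticate(hits: list, is_secret: list, min_gap: float = 0.10) -> bool:
    """Accept when accuracy on the hidden sequence beats accuracy on filler by
    at least min_gap. Comparing against filler from the same session cancels out
    the player's overall skill and fatigue; only the learned advantage counts."""
    secret_hits = [h for h, s in zip(hits, is_secret) if s]
    filler_hits = [h for h, s in zip(hits, is_secret) if not s]
    if not secret_hits or not filler_hits:
        return False
    acc_secret = sum(secret_hits) / len(secret_hits)
    acc_filler = sum(filler_hits) / len(filler_hits)
    return acc_secret - acc_filler >= min_gap


def run_trial(trained: bool, seed: int = 1, rounds: int = 20) -> bool:
    """Enrol a secret, play an authentication session, return the verdict."""
    rng = random.Random(seed)
    secret = make_secret(rng)
    _positions, is_secret = build_session(secret, rng, rounds)
    hits = simulate_player(is_secret, trained, rng)
    return authenticate(hits, is_secret)


if __name__ == "__main__":
    print("trained player accepted:", run_trial(trained=True))
    print("impostor accepted:", run_trial(trained=False))
```

The verifier never needs the user to state the sequence, which is the point of the scheme; but note that the secret itself is stored on the verifier in the clear, so the server side has to be protected like any other credential store.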