Nytro
Administrators
Posts: 18750
Days Won: 723
Everything posted by Nytro

  1. Social Engineering - The Human Factor
Name: Dinesh Shetty
Profile: Information Security Consultant
Email ID: dinesh.shetty @ live.com

Social Engineering

Cyber security is an increasingly serious issue for the whole world, with intruders attacking large corporate organizations with the motive of gaining access to restricted content. The CSI Computer Crime and Security Survey report for the year 2010-2011 stated that almost half of the respondents had experienced a security incident, with 45.6% of them reporting that they had been the subject of at least one targeted attack. By merely trying to prevent infiltration on a technical level while ignoring the physical-social level, one hundred percent security can never be achieved. A couple of examples are the scenes from Hackers, which show dumpster diving in the target company's trash in order to obtain financial data from printouts, and the scene from WarGames where Matthew Broderick's character studied his target before attempting to crack the password of the military computer system. 'Social Engineering' is a threat that is overlooked in most organizations but can easily be exploited, as it takes advantage of human psychology rather than the technical barricades that surround the complete system. Below is a classic example of this: A person receives an e-mail in his official mailbox saying that his computer has been infected with a virus. The message provides a link and suggests that he download and install the tool from the link to eliminate the virus from his computer. The person, in a state of confusion, clicks on the link to remove the virus from his computer, unwittingly giving a hacker an easy entrance into his corporate network.

To ensure complete security of an organization from all kinds of internal and external factors, the security consultant must have complete knowledge of the Social Engineering cycle, the techniques that can be used by an attacker and the counter-measures that reduce the likelihood of the attack succeeding. In this paper we are going to take you through the various phases so as to understand what Social Engineering is, the Social Engineering lifecycle and the various techniques used in Social Engineering attacks with detailed examples, and finally conclude with the counter-measures to protect against each of the Social Engineering attack techniques.

Download: http://www.exploit-db.com/download_pdf/18135
  2. Whoa, this could be very useful. Congratulations.
  3. Everything was very well organized. We sat according to our shared interests so that the discussions would flow and hold our attention. Don't be fooled by appearances: the mugs contained Red Bull and the bottles were soft drinks, it would not have been moral to consume alcoholic beverages. We also talked to the bar staff and listened only to classical music and opera. Everything went according to plan. We started by discussing Web security problems, from the client side to the server side. Then we considered the scripting languages for the Web, emphasizing the strong points of each system. Of course we did not forget server administration, and we brought up the advantages and disadvantages of various operating systems, web servers and database management systems. Later we moved on to the Desktop side, to more complicated discussions about race conditions, and arrived at complex ideas for discovering and exploiting local root privilege escalation exploits on the latest kernel version. Of course, we had laptops and the ideas were tested and debated coolly. Everyone had a laptop and it was like a lab in which we learned from one another. At 21:00, as our bedtime was approaching, we decided we had to leave so as not to have problems with our parents. It was a pleasant, purely technical environment in which we made friends. Am I right? @Those who were there
  4. Let's see what comes out of it.
  5. Heap overflow exploit and understanding
Khalil Ezhani
Senator.of.Pirates @ gmail.com
http://www.facebook.com/SenatorofPirates

Not all buffers are allocated on the stack. Often an application doesn't know how big to make certain buffers until it is running. The heap is used by applications to dynamically allocate buffers of varying sizes. These buffers are susceptible to overflows if user-supplied data isn't checked, leading to a compromise through an attacker overwriting other values on the heap. Where the details of stack overflow exploitation rely on the specifics of the hardware architecture, heap overflows are reliant on the way certain operating systems and libraries manage heap memory. Here I restrict the discussion of heap overflows to a specific environment: a Linux system running on an Intel x86 platform, using the default GNU libc heap implementation (based on Doug Lea's dlmalloc). While this situation is specific, the techniques I discuss apply to other systems, including Solaris and Windows. Heap overflows can result in compromises of both sensitive data (overwriting filenames and other variables on the heap) and logical program flow (through heap control structure and function pointer modification). I discuss the threat of compromising logical program flow here, along with a conceptual explanation and diagrams.

Download: http://www.exploit-db.com/download_pdf/18133
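An added example, not code from Khalil Ezhani's paper: a toy heap whose chunks carry a dlmalloc-style inline size header, used to show the two effects the abstract names. An unchecked copy into one heap buffer runs over the header of the next chunk (corrupting the allocator's own control structure) and then into the object stored in that chunk, replacing its function pointer, so the program's next indirect call lands in attacker-chosen code; the same copy bounded by the allocation size does neither. The bump allocator, the `handler` struct, the callbacks and the payload are all constructed for this example. glibc's real heap has far more structure (bins, free-list links, later hardening), but the property being exploited, user data sitting directly in front of the next chunk's metadata, is the same.

```c
/* Added example: a toy heap with dlmalloc-style inline chunk headers, used to
 * show how an unchecked copy into one heap buffer overwrites the next chunk's
 * metadata and a function pointer stored in it. The allocator, the handler
 * object and the payload are constructed for this example; they are not code
 * from the paper. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define HEAP_SIZE 4096
#define BUF_LEN   32

/* Simplified header placed directly in front of each chunk's user data, as
 * dlmalloc does; the low bit of size flags "previous chunk in use". */
struct chunk_hdr {
    size_t prev_size;
    size_t size;
};

/* Backing store for the toy heap, aligned for size_t through the union. */
static union { unsigned char bytes[HEAP_SIZE]; size_t align; } toy_heap_u;
#define toy_heap toy_heap_u.bytes
static size_t toy_top;

static void toy_reset(void) {
    memset(toy_heap, 0, sizeof toy_heap);
    toy_top = 0;
}

/* Bump allocator: each chunk is laid out immediately after the previous one,
 * so the end of one user buffer is the header of the next chunk. */
static void *toy_malloc(size_t n) {
    size_t payload = (n + 15) & ~(size_t)15;
    size_t need = sizeof(struct chunk_hdr) + payload;
    struct chunk_hdr *h;
    if (toy_top + need > HEAP_SIZE) return NULL;
    h = (struct chunk_hdr *)(toy_heap + toy_top);
    h->prev_size = 0;
    h->size = payload | 1;
    toy_top += need;
    return (unsigned char *)h + sizeof(struct chunk_hdr);
}

/* Object allocated right after the attacker-controlled buffer. */
struct handler {
    int (*callback)(void);
    char name[24];
};

static int legit_callback(void)    { return 1; }
static int attacker_callback(void) { return 0x41414141; }

/* Vulnerable: copies input without honouring the BUF_LEN allocation. */
static int run_vulnerable(const unsigned char *input, size_t len) {
    toy_reset();
    char *buf = toy_malloc(BUF_LEN);
    struct handler *h = toy_malloc(sizeof *h);
    h->callback = legit_callback;
    memcpy(buf, input, len);          /* heap overflow when len > BUF_LEN */
    return h->callback();             /* indirect call through heap data */
}

/* Hardened: the copy is bounded by the allocation size. */
static int run_fixed(const unsigned char *input, size_t len) {
    toy_reset();
    char *buf = toy_malloc(BUF_LEN);
    struct handler *h = toy_malloc(sizeof *h);
    h->callback = legit_callback;
    memcpy(buf, input, len < BUF_LEN ? len : BUF_LEN);
    return h->callback();
}

/* Size word of the second chunk's header, read after a run: it shows whether
 * the allocator's own metadata was overwritten (it sits right after buf). */
static size_t second_chunk_size_word(void) {
    const struct chunk_hdr *second =
        (const struct chunk_hdr *)(toy_heap + sizeof(struct chunk_hdr) + BUF_LEN);
    return second->size;
}

/* Constructed payload: filler for the buffer, filler over the next header,
 * then the address of attacker_callback landing on handler.callback. */
static size_t build_payload(unsigned char *out, size_t cap) {
    int (*fp)(void) = attacker_callback;
    size_t total = BUF_LEN + sizeof(struct chunk_hdr) + sizeof fp;
    if (cap < total) return 0;
    memset(out, 'A', BUF_LEN + sizeof(struct chunk_hdr));
    memcpy(out + BUF_LEN + sizeof(struct chunk_hdr), &fp, sizeof fp);
    return total;
}

int main(void) {
    unsigned char payload[128];
    size_t n = build_payload(payload, sizeof payload);
    int r1 = run_vulnerable(payload, n);
    size_t w1 = second_chunk_size_word();
    int r2 = run_fixed(payload, n);
    size_t w2 = second_chunk_size_word();
    printf("vulnerable: callback returned 0x%x, next chunk size word 0x%zx\n", r1, w1);
    printf("fixed:      callback returned 0x%x, next chunk size word 0x%zx\n", r2, w2);
    return 0;
}
```

The vulnerable run reports the callback returning 0x41414141 and the next chunk's size word full of 'A' bytes, i.e. both the control structure and the function pointer were rewritten from the overflowed buffer; the bounded copy leaves the size word at 0x21 (32 with the in-use bit) and the legitimate callback in place. On a real allocator the corrupted size word is what the classic unlink()-style attacks then abuse when the chunk is freed.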
  6. Reverse Engineering 101 (Using IDA To Break Password Protections)

Description: This video is the second in the Reverse Engineering 101 series. I would encourage you to view the first video on finding hidden passwords in binaries using a hex editor. In this video we will use the IDA Pro tool to dissect a binary file and see how to crack a basic password protection. Please download an evaluation copy of IDA here. Also, please download the binary of the program to be disassembled in this reverse engineering exercise from here. We will use the code from the previous video in this example. Let's look at the program:

------------Code Starts ------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define password "FindMeIfYouCan"   /* the secret, stored in plain text in the binary */

int main(int argc, char *argv[])
{
    char pass[100];                 /* user-supplied password */

    printf("Please enter your password\n\n");
    scanf("%s", pass);

    /* the whole protection: one comparison against the embedded string */
    if (strcmp(pass, password) == 0) {
        printf("Congrats!! Correct Pass\n\n");
    } else {
        printf("Wrong Pass\n\n");
    }

    system("PAUSE");
    return 0;
}
-------------------------------- Code Ends ---------------------

The user-entered password is stored in the variable "pass", while the program password is held in "password". The entire protection mechanism in the above program depends on the strcmp() function. If the passwords match, strcmp() returns 0. Then the "if" statement does a comparison to check whether 0 was returned. If true, the user is allowed access; else the user is denied access. Well, how do we reverse engineer this program? What if somehow we could have 0 placed in the output of the strcmp() operation, so that the if statement yields true? In order to understand how we can accomplish this we need to dive into the assembly language equivalent of the code above. You can watch how it's done in the video below. If you are new to assembly and would like me to create an "Assembly Language Primer to begin Reverse Engineering", please raise a request using the "Feedback" button to the left of the page.

Video: http://www.securitytube.net/video/128
  7. Don't say that today's cartoons are violent; they were in the past too:
- Goku fights all day with every kind of creature
- The cute Pokémon fight each other until they die
- The Powerpuff Girls fight all the monsters to save Townsville
True, these were not very violent:
- What's with Andy?
- Life with Louie
- The Kids from Room 402
But there were violent cartoons in the past too.
  8. I also chose a name. The problem is that I didn't really have a choice; anyway, I don't think it's very important. Page: http://www.facebook.com/rstforum
  9. Kernel Hacking & Anti-forensics: Evading Memory Analysis
RODRIGO RUBIRA BRANCO (BSDAEMON)
FILIPE ALCARDE BALESTRA

This article is intended to explain why a forensic analysis on a live system may not be recommended and why imaging that system can trigger an advanced anti-forensic-capable rootkit. Since most operating systems have the same approach in this regard, most examples covered here in Linux can be applied to similar situations in other operating systems too. An overview of the kernel internals and the structure and working of the x86 architecture will also be given, along with the differences from other architectures.

Introduction
A lot of tools [5] have been developed to analyze a live system in order to detect an intrusion (like installed rootkits [7]). This article tries to explain some presentations [8] that showed problems in this existing model, explaining the risks of this act and when it can be accepted.

Download: http://www.kernelhacking.com/rodrigo/docs/AntiForense.pdf
  10. Taking the mystery out of 64-bit Windows

If you're shopping for a new computer, chances are you already have enough to consider without wondering whether you should buy a computer with a 32-bit or 64-bit version of Windows 7. There's no need to fret. For most people, there's little reason to think about this choice when you're making your next computer purchase. That's good, since many people don't understand the difference between a PC running a 32-bit or 64-bit version of Windows, and the version they choose won't make a big difference in most cases.

Some power users prefer a 64-bit version of Windows. There's no mystery there. A computer with a 64-bit version of Windows can use more memory—4 GB (gigabytes) or more—than a PC with a 32-bit version of Windows, which is limited to about 3.5 GB or less. (Even if a PC comes with 4 GB or more of memory installed, a 32-bit version of Windows can only use about 3.5 GB of that memory.) With more memory, you can keep more files and programs open at once without slowing down your computer. But having more than 3.5 GB available usually won't matter unless you really keep a lot of things open at once (more on that later). You can check System in Control Panel to see if your PC is running a 32-bit or 64-bit version of Windows.

Real world differences versus spec sheet differences

Because prices have fallen so much in recent years, many new computers now come with 4 GB of memory—even budget models. A lot of manufacturers have started installing a 64-bit version of Windows on their PCs by default to make sure buyers are able to use all of the memory they paid for. Some are even shipping all of their new computers with a 64-bit version of Windows, and doing so even though it's difficult to tell the difference between a PC using 4 GB and 3.5 GB of memory. In actual everyday use, most people probably wouldn't notice a difference between a computer using 3 GB of memory and one using 6 GB. So who might notice the difference?

Well, if you've ever known anyone who keeps a couple dozen e-mail messages, a dozen programs, and a half dozen other items all open at the same time—while playing videos—then you get the idea. Having more than 4 GB of memory available can make your computer more responsive if you like to keep everything running at once and rarely close anything. Serious PC game players might also be interested in a PC running a 64-bit version of Windows. Games are some of the most hardware-intensive programs you can run on any computer, with their rich graphics, sound, and interaction capabilities. The 64-bit versions of Windows 7 Ultimate, Enterprise, and Professional editions can all use up to 192 GB of memory (far more than even a power user would typically need), making them ideal for specialized computing tasks that require enormous amounts of memory, such as rendering 3D graphics. Most of the performance gain in computers running a 64-bit version of Windows comes from this added memory, combined with a powerful 64-bit processor able to use that extra memory. But for most people who just keep a few programs running at a time, 4 GB or more of memory offers no tangible benefit over a computer with 2 GB of memory and a 32-bit version of Windows.

Note: Server computers—such as computers used to run websites or large corporate networks—can especially benefit from more memory. But they have their own powerful operating system—Windows Server—which also comes in a 64-bit version and can use even more memory than Windows 7.

32-bit versus 64-bit processors

So what do you need to run a 64-bit version of Windows? That's no mystery either. You need a computer with a 64-bit processor (also called an x64 processor, or CPU). It's not obvious from the names of most processors whether they are 64-bit or 32-bit. If you want to know, you can check with the manufacturer or with the store selling the computer. If you're buying a new computer with Windows 7, it will most likely come with a 64-bit processor, although perhaps not a 64-bit version of Windows 7. This is where it gets a little confusing. Computers with a 64-bit processor can run either a 32-bit or 64-bit version of Windows just fine. So it doesn't matter too much which version of Windows you install on most PCs with a 64-bit processor—unless you want to be able to use more than 3.5 GB of memory. To find out if your current PC is capable of running a 64-bit version of Windows, download and install the Windows 7 Upgrade Advisor from the Windows 7 Upgrade Advisor webpage. This program will analyze your computer, create a report telling you if your PC can run Windows 7, and list any known compatibility issues, including whether you can run the 64-bit version of Windows 7. For more information, see 32-bit and 64-bit Windows: frequently asked questions.

Get a 64-bit version of Windows with a new computer

There's no mystery when it comes to upgrading to a 64-bit version of Windows. You can't upgrade from a 32-bit version of Windows to a 64-bit version. To install a 64-bit version of Windows on a computer already running a 32-bit version, you have to do a clean installation, which formats your hard drive and erases all of your files and programs. That's why most people who get a 64-bit version of Windows do so when they buy a new computer. (If you do plan to install a 64-bit version of Windows on a computer running a 32-bit version, be sure to back up all your files and other information first. You'll also have to manually reinstall your programs.)

What about cost? Are 64-bit processors more expensive than 32-bit processors? Not typically these days, although they used to be, and you can certainly find some computers with a 64-bit processor that are more expensive. The most common reason for this is the extra memory. If a computer with a 64-bit processor comes with more memory, it might cost a little more than a computer with a 32-bit processor that has less memory. Windows doesn't add a cost factor, since the 32-bit and 64-bit versions of Windows both cost the same.

How to tell if you're running a 32-bit or 64-bit version of Windows

What if you're not shopping for a new PC and want to know if your computer is running a 64-bit or 32-bit version of Windows? Since both versions look identical, you need to know where to look. The easiest way to tell is to check System in Control Panel. To do so, click the Start button, click Control Panel, type System in the search box, and then click System. Under System, next to System type, you can see if your PC is running a 32-bit or 64-bit operating system.

32-bit versus 64-bit drivers and programs

If you're running a 64-bit version of Windows, your computer needs a 64-bit driver for every piece of hardware installed in your PC or connected to it. For example, if you're trying to install a printer that only has a 32-bit driver available, it won't install in a 64-bit version of Windows. But the good news is there are tens of thousands of devices available today with 64-bit drivers, which Windows can automatically find and install for you. For hardware makers to earn a "Compatible with Windows 7" logo, their hardware must have drivers for both 32-bit and 64-bit versions of Windows. If you see this logo, you don't have to wonder if the hardware is going to work with the 64-bit version of Windows. Unlike drivers, most programs designed for a computer running a 32-bit version of Windows will run fine on a computer running a 64-bit version of Windows. (Notable exceptions are antivirus programs.) However, programs designed specifically for a 64-bit version of Windows will often run faster, especially if they involve intensive tasks such as editing high-definition video or operating a large database.

You can check the availability of 64-bit drivers and programs online at the new Windows 7 Compatibility Center. This can be useful if you're considering buying a new printer, for example, and want to be sure a 64-bit driver is available before you buy it—or if you want to find out if there are 64-bit versions of your favorite programs. The Windows Vista Compatibility Center also lists the availability of 64-bit drivers for thousands of hardware products, and tells you whether there are 64-bit versions available for thousands of programs. There are other considerations when installing hardware and programs in a 64-bit version of Windows. For more information, see Understanding hardware and software for 64-bit versions of Windows.

Mystery solved

Now that we've solved the mystery of 64-bit Windows, you can see that 64-bit computing never really was much of a mystery in the first place. Nor does it have to be a dilemma for most computer users. Whether you already have a PC with a 64-bit processor or are thinking of buying one, the key is choosing the right version of Windows for the way you work or play. In most cases, it won't matter if that's a 32-bit or 64-bit version.

Source: http://windows.microsoft.com/en-US/windows7/taking-the-mystery-out-of-64-bit-windows
  11. PHP Vulnerability Hunter 1.1.4.6
Authored by AutoSec Tools | Site autosectools.com

PHP Vulnerability Hunter is a PHP fuzzing tool that scans for several different vulnerabilities by performing dynamic program analysis. It can detect arbitrary command execution, local file inclusion, arbitrary upload, and several other types of vulnerabilities.

Changes: Added code coverage report. Updated GUI validation. Several instrumentation fixes. Fixed lingering connection issue. Fixed GUI and report viewer crashes related to working directory.

Download: http://packetstormsecurity.org/files/download/107074/phpvh1.1.4.6.zip
  12. World's stealthiest rootkit pushes DNS hijacking trojan
DNS Changer dropped by TDSS
By Dan Goodin
Posted in Malware, 14th November 2011 21:49 GMT

One of the world's most advanced pieces of malware is being used to spread DNS Changer, a trojan at the heart of a massive click fraud scheme that has already hijacked 4 million PCs, security researchers said. Just a few days after federal prosecutors in the US shuttered the international conspiracy, researchers from Dell SecureWorks said they discovered DNS Changer is being spread by TDSS. The rootkit, as previously reported, is among the hardest to detect and remove and is often used as a means to install keyloggers, tools for attacking websites, and other malware.

Once installed, DNS Changer is able to alter the DNS, or domain name system, settings that computers and routers use to find the IP numbers that correspond to domain names such as theregister.co.uk and google.com. By replacing legitimate DNS servers with servers under the control of the attackers, they are able to send victims to fraudulent websites instead of the destinations the victims intended to visit.

Last week, seven people from Estonia and Russia were criminally charged in a scam that for more than five years used DNS Changer to generate more than $14 million in profit. They racked up the windfall by redirecting victims to imposter websites that paid advertising fees to the attackers each time they were clicked on. The scheme preyed on users of computers running Microsoft Windows and Apple OS X operating systems. DNS Changer is also able to change DNS configuration settings in certain routers, particularly when they use default usernames and passwords.

The ability of TDSS to evade antivirus protection and other security software is well documented. The rootkit, which is also known as TDL4 and Alureon, is among the world's most advanced, with the ability to infect 64-bit versions of Windows, infect a computer's master boot record, and communicate over the Kad peer-to-peer network. Its newest payload means that victims now have an easy way to tell if they are infected.

"The real danger of a DNS Changer infection is that it is an indicator that your system is infected with a larger malware cocktail with malware such as Rogue AV, Zeus Banking Trojan, Spam Bot, etc." an emailed report from Dell SecureWorks stated. "Controlling DNS literally gives an attacker complete access to a system."

End users who want to know if their systems are infected should check the DNS server settings of their operating system and routers. Compromised systems will show server IP addresses within the following ranges:
85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.255

To check DNS settings on Windows, open a command prompt and type "ipconfig /all" and then check the DNS Servers field. On a Mac, choose System Preferences and then select Network. Then click on the Advanced button of the active connection. Users may also want to check the DNS servers used by their router.

FBI officials said 4 million PCs were infected by the DNS Changer used in the operation that was shut down last week. The Dell SecureWorks report said researchers aren't sure if that number is accurate. Researchers monitoring the command and control servers used in the attack are seeing about 600,000 unique IP addresses connect per day.

Source: World's stealthiest rootkit pushes DNS hijacking trojan - The Register
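An added example, not from the Register article: a small C program that applies the check described above offline. It pulls the DNS Servers entries out of `ipconfig /all` style text (the label line plus the indented continuation lines that list extra servers), converts each dotted quad to an integer and compares it against the six published ranges, so an administrator can run it over saved `ipconfig` output from many machines instead of eyeballing each one. The `ipconfig` text embedded below is constructed to look like an infected host's output, not captured data; the ranges are the ones quoted in the article.

```c
/* Added example: check DNS server addresses from `ipconfig /all` style text
 * against the DNSChanger ranges quoted in the article. The sample output
 * below is constructed for this example, not captured from a real host. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdint.h>

struct ip_range { const char *first; const char *last; };

/* The six ranges published in the article. */
static const struct ip_range dnschanger_ranges[] = {
    { "85.255.112.0",  "85.255.127.255" },
    { "67.210.0.0",    "67.210.15.255"  },
    { "93.188.160.0",  "93.188.167.255" },
    { "77.67.83.0",    "77.67.83.255"   },
    { "213.109.64.0",  "213.109.79.255" },
    { "64.28.176.0",   "64.28.191.255"  },
};

/* Parse a dotted quad into a host-order 32-bit value; 1 on success. The
 * trailing %c must not match, which rejects junk after the address. */
static int parse_ipv4(const char *s, uint32_t *out) {
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
    return 1;
}

/* 1 if the address lies inside one of the DNSChanger ranges, else 0. */
static int is_dnschanger_ip(const char *ip) {
    uint32_t v, lo, hi;
    size_t i;
    if (!parse_ipv4(ip, &v)) return 0;
    for (i = 0; i < sizeof dnschanger_ranges / sizeof dnschanger_ranges[0]; i++) {
        if (!parse_ipv4(dnschanger_ranges[i].first, &lo) ||
            !parse_ipv4(dnschanger_ranges[i].last, &hi)) continue;
        if (v >= lo && v <= hi) return 1;
    }
    return 0;
}

/* Copy the first valid dotted quad found in `line` into `out` (cap >= 16). */
static int extract_ipv4(const char *line, char *out, size_t cap) {
    const char *p = line;
    while (*p) {
        size_t n = 0;
        uint32_t dummy;
        if (!isdigit((unsigned char)*p)) { p++; continue; }
        while ((isdigit((unsigned char)p[n]) || p[n] == '.') && n + 1 < cap) n++;
        memcpy(out, p, n);
        out[n] = '\0';
        if (parse_ipv4(out, &dummy)) return 1;
        p += n;                      /* digits but not an address: keep scanning */
    }
    out[0] = '\0';
    return 0;
}

/* Walk the text line by line. The "DNS Servers" label line carries the first
 * server; extra servers follow on indented lines with no ':' label, and any
 * other line ends the list. Returns how many listed servers fall inside the
 * ranges and copies the first one into first_hit. */
static int scan_ipconfig(const char *text, char *first_hit, size_t cap) {
    int hits = 0, in_dns = 0;
    const char *p = text;
    if (cap) first_hit[0] = '\0';
    while (*p) {
        char line[256], ip[16];
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        int has_ip;
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + len;
        has_ip = extract_ipv4(line, ip, sizeof ip);
        if (strstr(line, "DNS Servers"))
            in_dns = 1;
        else if (!(in_dns && has_ip && !strchr(line, ':')))
            in_dns = 0;
        if (in_dns && has_ip && is_dnschanger_ip(ip)) {
            if (hits == 0 && strlen(ip) < cap) strcpy(first_hit, ip);
            hits++;
        }
    }
    return hits;
}

/* Constructed sample in the shape of `ipconfig /all` output. */
static const char sample_ipconfig[] =
    "Ethernet adapter Local Area Connection:\n"
    "   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E\n"
    "   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)\n"
    "   Subnet Mask . . . . . . . . . . . : 255.255.255.0\n"
    "   Default Gateway . . . . . . . . . : 192.168.1.1\n"
    "   DNS Servers . . . . . . . . . . . : 85.255.112.36\n"
    "                                       85.255.112.37\n"
    "   NetBIOS over Tcpip. . . . . . . . : Enabled\n";

int main(void) {
    char hit[16];
    int n = scan_ipconfig(sample_ipconfig, hit, sizeof hit);
    if (n) printf("%d DNS server(s) in DNSChanger ranges, first: %s\n", n, hit);
    else   printf("no DNSChanger DNS servers found\n");
    return n ? 1 : 0;
}
```

The range test is done on integers rather than string prefixes because the published blocks are not all octet-aligned (85.255.112.0 through 85.255.127.255 is a /20), so a prefix match on "85.255.1" would both miss and over-match. Only the DNS Servers entries are examined; other addresses in the output (gateway, subnet mask) are ignored even if they happened to fall in a range.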
  13. Introduction to Linux Kernel 2.6
How to write a Rootkit
Maurice Leclaire
TumFUG Linux / Unix get-together
January 19, 2011

Why hack the kernel?
- Understanding the Linux kernel
- Fixing bugs
- Adding special features
- Writing drivers for special hardware
- Writing rootkits

Download: http://info.fs.tum.de/images/2/21/2011-01-19-kernel-hacking.pdf
  14. Jason Warner Interview About Ubuntu 12.04 Desktop
Marius Nestor - Softpedia

During the Ubuntu Development Summit for Ubuntu 12.04 LTS, Jason Warner, Ubuntu Desktop Manager at Canonical, gave an interview to Amber Graner, an Ubuntu contributor involved in the community since February 2009. In the interview, Jason Warner talks about the desktop interface in the upcoming Ubuntu 12.04 LTS (Precise Pangolin) and what users should expect from it. Jason Warner says that users will find a more tweaked and bug-free Unity interface in Ubuntu 12.04 LTS, as well as an overall quality and very stable release. In the 5-minute interview, Jason Warner was also asked about his team, user feedback and contributions, and the next Long Term Support release, Ubuntu 14.04 LTS. You can watch the entire interview, 5 minutes and 13 seconds long, with Jason Warner, Ubuntu Desktop Manager at Canonical, right here on this page, at the top. Enjoy!

Video: http://www.youtube.com/watch?v=o1SgMKZ7T9Q&feature=player_embedded#!
Source: Jason Warner Interview About Ubuntu 12.04 Desktop - Softpedia
  15. 7 Facts On Duqu Malware Attacks
Research into Duqu malware finds a component compiled in 2007, but identified successful attacks that occurred as recently as April 2011.
By Mathew J. Schwartz
InformationWeek
November 16, 2011 11:25 AM

New information continues to emerge about the Duqu malware that was designed to steal information relating to industrial control systems. The latest analysis of the Duqu malware has found that one of the components used in the attack was compiled in 2007. But Duqu was used in a targeted attack as recently as April 2011, pointing to a possible four-year attack campaign by Duqu's authors, whose identities and affiliations remain unknown. What is known, however, is that to date, Duqu has infected organizations in at least eight countries--including Iran--in part by using a still-unpatched Windows zero-day vulnerability. Furthermore, as researchers continue to study Duqu variants, these findings have emerged:

1. Duqu was a boutique exploit. To date, researchers have discovered "12 unique sets of Duqu files," said Alexander Gostev, chief security expert at Kaspersky Lab and author of a recent Duqu report. That's significant, since "for every victim, a separate set of attack files was created," he said via email.

2. Duqu relates to Stars. According to a Duqu timeline assembled by Kaspersky Lab, Duqu appeared at the same time as the Stars virus hit Iran. "At that time Iranian specialists didn't share samples of the discovered virus with any of the antivirus companies, and this, it has to be said, was a serious mistake, which gave rise to all subsequent events in this saga," said Gostev. "Most probably, the Iranians found a keylogger module that had been loaded onto a system and which contained a photo of the NGC 6745 galaxy. This could explain the title 'Stars' given to it."

3. Attackers covered their tracks. Pointing to the difficulty of tracing attacks back to the actual people who launched them, Gostev said that the Duqu exploits, which used malicious .doc files attached to emails, "took place from anonymous mailboxes, probably via compromised computers." In the case of one particular attack, dubbed "variant F" by Kaspersky, attackers used a computer--again, likely compromised--in South Korea to send attack emails on April 17, 2011, followed by another attack four days later. The first attack ended up in a junk mail folder. "The second attack turned out successful: the addressee opened the attached .doc file that contained the vulnerability exploit and Trojan installer," said Gostev.

4. Exploit used Dexter font. How did Duqu attack? For the Duqu-F variant at least, "the vulnerability exploit was contained in the font called 'Dexter Regular,'" said Gostev. But that attack code was only a dropper or installer program, which then downloaded further attack code onto the targeted PC. "After penetration into a system the attackers installed extra modules and infected neighboring computers," he said.

5. Duqu used a ruse. Interestingly, after infecting a PC, Duqu did nothing--at least initially--except reside in memory and stay put even if the .doc file was closed. "This period of inactivity lasted around 10 minutes, after which the exploit waited for the user's activity to stop--no keyboard or mouse activity. Only then did the dropper kick into action," said Gostev.

6. Attackers used disposable control servers. Each Duqu variant had its own, separate control server, which provides further evidence that it was a highly targeted attack. Having a disposable infrastructure, furthermore, helped ensure that the discovery of one Duqu variant or attack wouldn't give away any of the others. Unlike Shady RAT's masterminds, the Duqu attackers also appear to have left the control servers active only for as long as they were required. Indeed, for a control server used to launch the Duqu-F attack, "we think that it is not functioning now and all critical information on it has already been deleted by the attackers," said Gostev. Kaspersky likewise found an identical data-wipe after researching another Duqu variant.

7. Duqu contained communication backups. Duqu can connect not just to command-and-control (C&C) servers, but also function as a server itself. "There are two lists of C&C servers, one can contain domain names, IP addresses, or names of network shares, and the other contains IP addresses in binary format and is used to connect using Windows HTTP (winhttp) services," according to a report published by Kaspersky Lab expert Igor Soumenkov. "Although the configuration blocks we have found so far are similar and are set up to connect to its C&C using HTTP and HTTPS, the payload .dll [file] is able to connect to a network share and even become a server."

In other words, while Duqu may have only attacked a handful of organizations, it was engineered to succeed.

Source: 7 Facts On Duqu Malware Attacks - Security - Attacks/breaches - InformationWeek
  16. Duplicate Lines Remover
Easily delete duplicate lines from files.

Duplicate Lines Remover is a handy freeware application which allows you to easily remove duplicate lines from files and strings. You can specify to ignore empty lines, remove empty lines and enable sorting of items. It is also possible to add the application to the SendTo menu to easily remove duplicate lines from files present on the hard drive. Duplicate Lines Remover is compatible with the following 32-bit and 64-bit Microsoft Windows operating systems: Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7.

Features
- Add to SendTo menu
- Commandline version
- Compatible with BOTH 32-bit and 64-bit OS
- Ignore empty lines
- Remove duplicate lines from files
- Remove duplicate lines from strings
- Remove empty lines
- Sort lines of a file
- Very user-friendly GUI

Details
Version: 1.2.0.0
Operating System: Windows All | 32-bit and 64-bit
Last Update: 17.11.2011
Category: Security
License: Freeware

Download: http://downloads.novirusthanks.org/files/duplicate_lines_remover.exe
Source: Duplicate Lines Remover - Easily remove duplicate lines from files and strings
  17. Vmfs Recovery
Recover Data from Vmfs Disks

Vmfs Recovery offers a safe, easy way to recover information stored on VMFS-formatted disks. Like any other storage media, VMware disks can get damaged by software and hardware faults. Bad blocks and physical corruption of the hard drives storing the virtual disk images can also cause corruption to VMware images.

Recover Information from Healthy and Damaged VMFS Drives
Vmfs Recovery can recover data from healthy and corrupted virtual disk images used by VMware vSphere 5, ESX/ESXi and VMware ESX Server in fully automated mode. As VMware employs VMFS, its very own file system, to store virtual machines, Vmfs Recovery works equally well in quick and full recovery modes.

Recover VMDK Disks from ESX Servers
Recovering VMDK images from ESX servers is a two-step process. First, Vmfs Recovery will repair the ESX/ESXi storage to gain access to the individual virtual PCs stored in these partitions. After that, individual virtual machines, represented by their VMDK disks, can be extracted, and a standard data recovery process can be launched.

Recover VMware Partitions from Damaged Hard Drives and Faulty RAID Arrays
VMFS disks can be recovered from damaged, corrupted and inaccessible physical hard drives and RAID arrays, including corrupted RAIDs and broken arrays with or without the original RAID controller installed.

What Can Be Recovered
- VMDK images from healthy and corrupted VMFS disks created in all versions of ESX Server or VMware
- VMFS drives stored on working or faulty RAID arrays, with or without the original RAID controller present
- VMFS drives stored on corrupted and inaccessible hard drives
- VMDK images stored on disks formatted by VMware ESX Server

Compatibility
- VMFS partitions created in VMware vSphere 5, ESX/ESXi and VMware ESX Server
- VMFS3 and VMFS5 support
- Supports files up to 2TB
- VMFS5 drives with more than 100,000 files
- VMFS partitions up to 64TB
- Unicode file names in VMFS5
- VMFS drives stored on all types of RAID arrays including RAID JBOD, 0, 1, 1E, RAID 4, RAID 5, RAID 5R, 0+1 and 1+0
- VMFS partitions stored on hardware and integrated RAID arrays
- Runs in all versions of Windows 7, 2008 R1/R2, Vista/XP/2000

Features
- Two modes of operation: quick and full recovery
- Fully guided, step-by-step recovery wizard
- Saves recovered files and folders to local or remote locations
- Supports FTP upload and can burn recovered data onto CD & DVD discs
- Can mount virtual disks to the system as drive letters (accessible with Explorer and all other browsers and file utilities)
- Recovers information bypassing Windows access restrictions
- Supports long and international file names and folders with multiple sub-folders
- Recovers VMDK images from corrupted VMFS partitions stored on corrupted RAID arrays with or without the original RAID controller
- Supports all the features of Raid Recovery

Compatibility
Diskinternals Vmfs Recovery supports VMFS partitions created in VMware vSphere 5 and ESX/ESXi drives created in VMware ESX Server. Vmfs Recovery supports Windows 7 and 2008 Server R1/R2, as well as Windows 2000, XP, 2003 Server, and Windows Vista. All types of internal and external hard drives and RAID arrays are supported, with or without the original RAID controller.

Free Download
Diskinternals Vmfs Recovery is available as a free evaluation. Get your copy now.

Download: http://www.diskinternals.com/download/Vmfs_Recovery.exe
Source: Recover Data from VMFS, ESX, ESXi, vSphere Disks
  18. Acunetix Web Vulnerability Scanner 8 BETA Released

The next stage in the evolution of Acunetix Web Vulnerability Scanner has arrived: WVS 8 BETA! Many of you have been biting your nails in anticipation of this Beta, so sit tight and read on for the next most important stage in the evolution of Acunetix WVS. Version 8 of Web Vulnerability Scanner has been optimized to make life easier at every stage of a security scan. WVS is easier to use for web admins and security analysts alike: enhanced automation, the ability to save scan settings as a template to avoid reconfiguration, and multiple-instance support for simultaneous scans of several websites. WVS 8 also ushers in an exciting new co-operation between Acunetix and Imperva, developers of the industry's leading Web Application Firewall.

Download: http://www.acunetix.com/vulnerability-scanner/vulnerabilityscanner8.exe
Source: http://thehackernews.com/2011/11/acunetix-web-vulnerability-scanner-8.html
  19. Using MS11-006 To Create A Honeypot

Description: This video uses the buffer overflow exploit for the Microsoft Windows thumbnail folder view (MS11-006), as found in Metasploit, with a Meterpreter payload to create a reverse connection back through the victim's firewall to the attacker. Notice that the file is never opened.

I recommend you watch it.
http://www.securitytube.net/video/2456
http://vimeo.com/32105952
  20. Unemployed Romanian hacker accused of breaking into NASA
  21. Nonsense. 1) It doesn't free memory, it can't; on the contrary, it tries to allocate a lot of it. 2) I think there's an extra "0". 3) Most likely it will result in an "Out of string space". Or maybe I'm wrong and it's a very complex algorithm that searches for memory leaks and acts as a general garbage collector, discovering the lack of references to allocated data...
  22. Did you do a Quick format?
  23. List of Free Sandboxes for Malware Analysis!

by MAYURESH on NOVEMBER 15, 2011

We had done a similar post - way back in 2009 - titled List of Online Malware Scanners. Cut to the end of 2011, we now bring you a list of free sandboxes for malware analysis. Most of them are free and open source products. However, we have also included a few commercial versions and some that can be installed on your own system.

First, as has always been the tradition at PenTestIT, let us see what malware analysis actually means: malware analysis is the study of malicious programs via code analysis, behaviour analysis or a combination of both techniques. But where does a sandbox fit in? It helps you with automated behaviour analysis: the sample is run in an isolated, instrumented environment and its file system, registry, process and network activity is recorded. We like to expand "sandbox" as follows: System And Network Detection Box (as in a system). So, now that we know a bit about malware analysis with sandboxes, let's see the list of free sandboxes for malware analysis.

GFI ThreatTrack: GFI Sandbox (formerly CWSandbox) is an industry-leading dynamic malware analysis tool. It gives you the power to analyze virtually any Windows application or file, including infected Office documents, PDFs, malicious URLs and Flash ads. Once you submit your sample, you receive by email an executive-level PDF and an XML report containing all the behaviour information gathered during analysis. – http://www.threattrack.com/

CWSandbox: CWSandbox is an approach to automatically analyzing malware based on behaviour analysis: malware samples are executed for a finite time in a simulated environment, where all system calls are closely monitored. From these observations, CWSandbox is able to automatically generate a detailed report which greatly simplifies the task of a malware analyst. – http://www.mwanalysis.org/

ThreatExpert: ThreatExpert is an advanced automated threat analysis system designed to analyze and report the behaviour of computer viruses, worms, trojans, adware, spyware and other security-related risks in a fully automated mode. In only a few minutes ThreatExpert can process a sample and generate a highly detailed threat report, with a level of technical detail that matches or exceeds antivirus industry standards such as those normally found in online virus encyclopedias. – http://www.threatexpert.com/

Xandora: xandora.net is a tool for analyzing the behaviour of Windows PE executables with a special focus on the analysis of malware. Running a sample through xandora.net results in a report file that contains enough information to give a human user a very good impression of the purpose and the actions of the analyzed binary. The report includes detailed data about modifications made to the Windows registry, the file system or other processes, and of course it logs all generated network traffic. The analysis is based on running the binary in an emulated environment and watching it. It is the ideal tool for getting a quick understanding of the purpose of an unknown binary. – http://www.xandora.net/xangui/

Anubis: Anubis is a tool for analyzing the behaviour of Windows PE executables with a special focus on the analysis of malware. Execution of Anubis results in the generation of a report file that contains enough information to give a human user a very good impression of the purpose and the actions of the analyzed binary. The report includes detailed data about modifications made to the Windows registry or the file system, about interactions with the Windows Service Manager or other processes, and of course it logs all generated network traffic. The analysis is based on running the binary in an emulated environment and watching, i.e. analyzing, its execution. The analysis focuses on the security-relevant aspects of a program's actions, which makes the analysis process easier and, because the domain is more fine-grained, allows for more precise results. It is the ideal tool for anyone interested in malware and viruses to get a quick understanding of the purpose of an unknown binary. – http://anubis.iseclab.org/

Comodo CAMAS: CAMAS stands for Comodo Automated Malware Analysis System. – http://camas.comodo.com/

Norman SandBox: http://www.norman.com/security_center/security_tools/

Malbox: Malbox is a service for malware analysis. Submit your Windows executable (*.exe) or compressed (*.zip) file (name the file you want analysed "main.exe") and you will receive an analysis report telling you what it does, or submit a suspicious URL and you will receive a report showing all the activities of the Internet Explorer process when visiting that URL. – http://malbox.xjtu.edu.cn/

DELL SecureWorks Truman: Truman can be used to build a "sandnet", a tool for analyzing malware in an environment that is isolated, yet provides a virtual Internet for the malware to interact with. It runs on native hardware, therefore it is not stymied by malware which can detect VMware and other VMs. The major stumbling block to not using VMs is the difficulty involved in repeatedly re-imaging machines for re-use. Truman automates this process, leaving the researcher with only minimal work to do in order to get an initial analysis of a piece of malware. Truman consists of a Linux boot image (originally based on Chas Tomlin's Windows Image Using Linux) and a collection of scripts. Also provided is pmodump, a Perl-based tool to reconstruct the virtual memory space of a process from a PhysicalMemory dump. With this tool it is possible to circumvent most packers and perform strings analysis on the dumped malware. – http://www.secureworks.com/research/tools/truman/

Cuckoo Sandbox: Cuckoo provides you with a fully automated system able to fetch files, analyze them inside an isolated virtualized Windows system and return the results. We covered the Cuckoo Sandbox here – http://www.pentestit.com/cuckoo-malware-analysis-sandbox/

Buster Sandbox Analyzer: A tool designed to analyze the behaviour of processes and the changes made to the system, and then evaluate whether they look like malware. The changes made to the system can be of several types: file system changes, registry changes and port changes. We covered Buster Sandbox Analyzer here – http://www.pentestit.com/buster-sandbox-analyzer-malware-analyzer/

BitBlaze: The BitBlaze project aims to design and develop a powerful binary analysis platform and to employ the platform in order to analyze and develop novel common off-the-shelf protection and diagnostic mechanisms, and to analyze, understand and develop defenses against malicious code. The BitBlaze project also strives to open new application areas of binary analysis, providing sound and effective solutions to applications beyond software security and malicious code defense, such as protocol reverse engineering and fingerprint generation. – http://bitblaze.cs.berkeley.edu/

Minibis: http://www.cert.at/downloads/software/minibis_en.html

Zero Wine Malware Analysis Tool: Zero Wine is a malware behaviour analysis tool. Just upload your suspicious PE file (Windows executable) through the web interface and let it analyze the behaviour of the process. – http://sourceforge.net/projects/zerowine/

Zero Wine Tryouts: Zero Wine Tryouts is an open source malware analysis tool. Just upload your suspicious file (e.g. Windows executable, PDF file) through the web interface and let it analyze it. The Zero Wine Tryouts project is a fork of the original Zero Wine project. – http://zerowine-tryout.sourceforge.net/

Norman Malware Analyzer G2 (commercial): Malware Analyzer G2 is the next generation of malware analysis from the inventors of SandBox, voted "Most Innovative Idea in the Past 10 Years" by security researchers at the VB2010 Conference. Analyzer G2 Hybrid SandBoxing combines the benefits of the entirely emulated SandBox environment with IntelliVM monitoring and KernelScout to offer intelligence unmatched by any other product. – http://www.norman.com/products/sandbox_malware_analyzers/en

GFI SandBox (commercial): GFI SandBox (formerly CWSandbox) is an industry-leading dynamic malware analysis tool. It gives you the power to analyze virtually any Windows application or file, including infected Office documents, PDFs, malicious URLs, Flash ads and custom applications. Targeted attacks, hacked websites, malicious Office documents, infected email attachments and social engineering are all part of the Internet threat landscape today. Only GFI SandBox gives you a complete view of every aspect and element of a threat, from infection vector to payload execution. And GFI SandBox can quickly and intelligently identify malicious behaviour using Digital Behavior Traits technology. – http://www.gfi.com/malware-analysis-tool/

Joe Sandbox (commercial): Joe Sandbox (formerly JoeBox) is a fully automated analysis system for trojans, viruses and rootkits (malware). It takes malicious executables such as PE, PDF (Acrobat Reader) or DOC (Microsoft Word) files as input and returns highly detailed reports describing the behaviour of the executables being run. The well-structured reports show how the malware installs itself, how it communicates with the internet and how it hides its presence. With the help of advanced behaviour signatures Joe Sandbox summarizes interesting actions, making the understanding of the behaviour extremely easy. Joe Sandbox is suitable for manual as well as large-scale malware analysis. – http://www.joesecurity.org/index.php

That is all we've got as of now. I know this is a largely unstructured list, but I built it from a text file containing only the links to these products. Again, these are arranged according to my wish. Oh yes, if you know of any more, please let us know! That is why we have opened up the comments system now!

Source: http://www.pentestit.com/list-sandboxes-malware-analysis/
  24. Analysis of a malicious PDF from a SEO Sploit Pack

According to a Kaspersky Lab article, SEO Sploit Pack is one of the exploit kits which appeared in the first months of the year, with PDF and Java vulnerabilities being the ones most used by this type of kit. That's the reason why I've chosen to analyse a malicious PDF file downloaded from a SEO Sploit Pack.

The PDF file kissasszod.pdf was downloaded from hxxp://marinada3.com/88/eatavayinquisitive.php and it had a low detection rate. Taking a look at the file with peepdf we can see this information:

At a quick glance we can see that there is Javascript code in object 8 and that the /AcroForm element is probably used to execute something when the document is opened. The next step is to explore these objects and find out what will be executed:

We can see that object 8 is located in the /XFA array of the /AcroForm and that the element to be referenced, as the /Field element tells us, is yomRote[0].grueLox[0].khfdskjfh[0]. Now it's time to take a close look at object 8, the one containing the Javascript code:

The tags we have seen in the downward path from the /Fields element show which element will be located in the form: yomRote[0].grueLox[0].khfdskjfh[0]. The names yomRote and grueLox are subforms of the template contained in object 8. Within the subform grueLox there is a field called khfdskjfh, where the Javascript code is located. So we know for certain that this code will be executed:

This script tries to obfuscate the call to the eval function (line 5), so we can substitute brtd with eval to make it clearer. On line 24 we can see that the value returned by the function oerz will be executed with eval. This function takes as arguments the content of the element khfdskjfh (ignoring the first 50 characters) and the eval function itself. But where is the content of khfdskjfh?

Object 8 defines the structure of the form but the content of that variable is not included; it should be in the downward path from an xfa:datasets element. Taking a look at all the objects of the /XFA array...

Object 10 is the winner: the content of khfdskjfh is located there. It seems to be two arrays, one array of arrays and one array of numbers. Taking a look at the function oerz we can understand the purpose of these arrays. The second array is an argument of oerz and is stored in the variable axzr, while the first array is stored in the variable uyj. After this, some characters from the first array are stored in yjf (those with decimal values between 32-48, 65-97, 48-64, 10-11, 13-14 and 97-126, which together cover roughly the printable ASCII range plus line-break characters). Finally, the result of using the second array (axzr) as an array of indexes into the variable yjf is stored in tash. Some small modifications are needed here because some parts of the original code are not executed by SpiderMonkey. After the changes, we can execute it without problems:

The result is a second stage of Javascript code:

In this new Javascript code the function _X is executed, which stores in the element khfdskjfh (line 59) a base64 value chosen depending on the Acrobat Reader version (line 45). Decoding the content we find a TIFF image:

This is the trigger of the vulnerability CVE-2010-0188. Just before, the shellcode is passed as a parameter to the _L function, which performs the heap spraying. The variable _ET (line 57) contains the escaped shellcode and we can obtain the unescaped bytes with these commands:

We can suppose that the payload will try to download some type of malware from the URL, but we cannot see any API function names in the unescaped bytes. This time the sctest command is not useful, so another option is to build an executable from the shellcode with shellcode2exe by Mario Vilas and take a look at it in a debugger:

Now we can confirm the purpose of the shellcode. It tries to download an executable from the URL (URLDownloadToFileA), store it in the system temporary directory (GetTempPathA) and finally execute it (WinExec). The URL was offline, so we cannot find out what type of malware was downloaded, but looking at the activity of the domain marinada3.com we can suspect that the malware was a ZeuS 2.x.

Submitted by jesparza on Mon, 2011/11/14 - 01:03
Source: Analysis of a malicious PDF from a SEO Sploit Pack | eternal-todo.com
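The write-up above describes the decoding steps only in words (and the screenshots did not survive). The following Python is an added example, not code from the original post, from peepdf or from the exploit kit, that makes the three mechanical steps reproducible: rebuilding the second-stage script from the pool/index arrays the way oerz() does, decoding the base64 value that _X writes into khfdskjfh and checking it for a TIFF header, and turning a %uXXXX heap-spray string such as _ET back into bytes so a URL can be pulled out. The arrays, the shellcode and the base64 value are constructed stand-ins, not data from kissasszod.pdf, and treating both ends of each filter range as inclusive is an assumption (the post does not say).

```python
import base64
import re

# Decimal ranges the analysed oerz() function keeps when it builds the
# character pool yjf from the first XFA array (values from the write-up).
# Whether each bound is inclusive is not stated, so both ends are treated as
# inclusive here (assumption); together the ranges cover printable ASCII
# plus a few control characters such as CR and LF.
KEEP_RANGES = ((32, 48), (65, 97), (48, 64), (10, 11), (13, 14), (97, 126))


def keep_code(code):
    """True if a character code survives the oerz() filter."""
    return any(lo <= code <= hi for lo, hi in KEEP_RANGES)


def build_pool(uyj):
    """Flatten the array of arrays (uyj) into the filtered character pool (yjf).
    Elements may be numeric codes or single-character strings."""
    pool = []
    for chunk in uyj:
        for item in chunk:
            code = item if isinstance(item, int) else ord(item)
            if keep_code(code):
                pool.append(chr(code))
    return "".join(pool)


def decode_stage2(uyj, axzr):
    """tash = the characters of yjf selected by the index array axzr."""
    yjf = build_pool(uyj)
    return "".join(yjf[i] for i in axzr)


_ESC = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})|(.)", re.DOTALL)


def unescape_js(text):
    """Reproduce JavaScript unescape() on a heap-spray string: %uXXXX is a
    16-bit code unit laid out little-endian in memory, %XX a single byte,
    anything else is taken literally."""
    out = bytearray()
    for m in _ESC.finditer(text):
        if m.group(1):
            out += int(m.group(1), 16).to_bytes(2, "little")
        elif m.group(2):
            out.append(int(m.group(2), 16))
        else:
            out += m.group(3).encode("latin-1")
    return bytes(out)


def escape_js(data):
    """Inverse of unescape_js: encode bytes the way the _ET variable stores
    shellcode (%uXXXX pairs, a trailing odd byte as %XX). Used here only to
    build the constructed sample."""
    parts = ["%%u%02X%02X" % (data[i + 1], data[i]) for i in range(0, len(data) - 1, 2)]
    if len(data) % 2:
        parts.append("%%%02X" % data[-1])
    return "".join(parts)


def extract_urls(blob):
    """Pull plain-text URLs out of unescaped shellcode; the API names
    (URLDownloadToFileA etc.) are resolved at runtime and will not appear."""
    return [u.decode("ascii") for u in re.findall(rb"https?://[\x21-\x7e]+", blob)]


def decode_xfa_image(b64_text):
    """Decode the base64 value _X writes into khfdskjfh and report whether it
    starts with a TIFF header (II*\\0 little-endian or MM\\0* big-endian)."""
    blob = base64.b64decode(b64_text)
    return blob, blob[:4] in (b"II*\x00", b"MM\x00*")


# --- constructed sample data (not taken from kissasszod.pdf) ---------------
# Pool chunks with out-of-range junk (200, 1, 255) that the filter drops;
# the surviving characters spell "tr.pale(1)".
UYJ = [[116, 114, 200], [46, 112, 1, 97], [108, 101, 40, 255, 49, 41]]
# Index array that reorders the pool into the second-stage script.
AXZR = [4, 3, 3, 2, 4, 5, 6, 1, 0, 7, 8, 9]
# Stand-in shellcode: NOP sled plus an embedded download URL.
SAMPLE_SHELLCODE = b"\x90\x90\x90\x90http://example.invalid/x.exe\x00"
SAMPLE_ET = escape_js(SAMPLE_SHELLCODE)
# Minimal little-endian TIFF header, base64-encoded like the _X payload.
SAMPLE_B64 = base64.b64encode(b"II*\x00\x08\x00\x00\x00").decode("ascii")

if __name__ == "__main__":
    print("stage 2  :", decode_stage2(UYJ, AXZR))
    print("shellcode:", unescape_js(SAMPLE_ET))
    print("urls     :", extract_urls(unescape_js(SAMPLE_ET)))
    print("tiff?    :", decode_xfa_image(SAMPLE_B64)[1])
```

On a real sample you would paste the two arrays from object 10 into UYJ and AXZR and the _ET string into unescape_js; if the pool/index trick reproduces a script that calls eval again, run the loop once more. Note that the unescaped bytes only yield a URL when the shellcode carries it in clear text, which is why the post falls back to shellcode2exe and a debugger to see the API calls.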
  25. Hackers attack Wi-Fi at airports and other public places with fake network

Nov 16, 2011, 11:20 AM

If you are using Wi-Fi at airports and other public places, your accounts may be at risk. The hackers set up fake Wi-Fi networks with names like "LAX Free WI-FI", enticing people with laptops, smartphones, tablets or other devices to access the internet through their bogus network. Because all traffic then passes through a network the attacker controls, your accounts can be compromised and attackers can get your confidential data.

"So if they go to their bank, it will grab all of their banking information," said cyber security expert Gregory Evans. "If they go to their Facebook, it'll grab all that - their Twitter account. If they're writing love letters, I can grab all of that."

Some tips to prevent Wi-Fi hacking:
- If you're at an airport or other public place, find out who the Wi-Fi provider is and use that provider, even if it costs money.
- If you go online in a public place, someone could be watching or recording you, peeking at personal information, including bank accounts.
- Experts say to change your passwords from time to time and use different passwords for different accounts.

Source: Hackers attack Wi-Fi at airports and other public places with fake network ~ e Hacking News [EHN] | Hackers News

I posted this just for the idea; I know you are going to do the same.