
big_little

Members · 34 posts

Everything posted by big_little

  1. For those who need a quick, if not very complete, analysis, you can try: Mobile-Sandbox Automated Malware Analysis; Joe Sandbox Cloud; http://www.cuckoosandbox.org/
  2. Here is a fairly useful Linux distribution for malware analysis: REMnux: A Linux Distribution for Reverse-Engineering Malware
  3. There are many tools, but OllyDbg 2.0 is essential. Here: Tutorials
  4. Open Malware | Community Malicious code research and analysis; Malware Sample Sources for Researchers; http://malware.lu/; VirusShare.com. I don't think anyone will run short of malware samples. You find them everywhere.
  5. I agree with Usr6. Things would get mixed up that way.
  6. I'm all in! I have a few tutorials for OllyDbg & stuff.
  7. In short: The information regarding the security of the electronic passport is either vague and exaggerated or does not exist on the issuers' public websites. The lack of clear and correct official information does not increase confidence in these documents, and any information (even undocumented) from third-party sources can thus become credible. The primary data (except the fingerprints) stored on the chip can be read electronically, remotely, using legal, publicly available products. The level of technical skill needed to read this data can be considered medium for a person familiar with information technology. The access key that should protect this primary data is relatively easy to guess. The level of technical skill needed to guess the access key to the primary data: medium to high. The primary data can be read remotely, even through a backpack. The chip can be cloned (except the biometric fingerprints). If a forged passport with a cloned chip were used at a "smart gate" (details below), there is the possibility of fraudulently entering another country. (As far as we know, such smart gates are NOT used in Romania.) Source: Despre siguranța pașaportului biometric și a datelor din el | Asociația pentru Tehnologie și Internet
  8. This stupid virus showed up again in January 2013, exploiting a 0-day vulnerability. Bitdefender also offers a disinfection solution: Remediu Bitdefender împotriva virusului ''Poliția Română''
  9. Adobe is recommending ColdFusion users apply a series of mitigations to counter active exploits against vulnerabilities in the application server. An advisory was released late Friday night that the trio of flaws are being targeted by attackers, and that the company would not have a patch available for another week. “We are in the process of finalizing a fix for the issues and expect a hotfix for ColdFusion 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh and UNIX will be available on January 15, 2013,” the advisory said. Two of the vulnerabilities affect ColdFusion 10, 9.0.2, 9.0.1 and 9.0. The first, CVE-2013-0625, could enable an attacker to bypass authentication in place and remotely control a ColdFusion server. CVE-2013-0629 could allow an attacker to access restricted directories on a vulnerable server. The third vulnerability, CVE-2013-0631, affects versions 9.0.2, 9.0.1 and 9.0 and could lead to a data leak. “Note that CVE-2013-0625 and CVE-2013-0629 only affect ColdFusion customers who do not have password protection enabled, or have no password set,” Adobe said in its advisory. All of the vulnerabilities were given Adobe’s most critical rating. Adobe, meanwhile, recommends a series of mitigations. The first, Adobe said, is to build credentials for Remote Development Services that are different from those used for the administrator account. Once those credentials are configured, Adobe recommends disabling RDS. Users should also disable access from the outside to three directories: /CFIDE/administrator; /CFIDE/adminapi; and /CFIDE/componentutils, Adobe said. Any unknown or unnecessary ColdFusion components or templates should be removed from the CFIDE or webroot directories. Access control restrictions for the administrator interface and internal applications via the Administrator Console in version 10 should be implemented, as well as within the Web server’s access control mechanisms for versions 9.0.2 and earlier.
Adobe also recommends users apply the latest hotfix available for ColdFusion. Source
  10. Maybe they customized yours. For the Iranians, cyber attacks are like Chinese water torture; they will wear them down psychologically.
  11. The Iranians got hit again :) Iranian CERT is sounding the alarm over another bit of data-deleting malware it's discovered on PCs in the country. Dubbed Batchwiper, the malware systematically wipes any drive partitions starting with the letters D through I, along with any files stored on the Windows desktop of the user who is logged in when it's executed. Source: Batchwiper malware, new virus targets Iranian computers - Hacker News, Security updates
  12. "My friend", on the Internet you can have seven lives, like cats.
  13. Even though I haven't contributed much to the community, I'm glad you're back. Here I found plenty of interesting things that helped me in my personal IT security audit projects (which could actually become a forum section). Good luck!
  14. XnEOS, I hope you have a short life here!
  15. Hi! Don't we have the chat anymore?
  16. The end justifies the means.
  17. I confidently recommend it for network admins.
  18. Pretty good, especially since it saved me a few rounds of explanations for the kid :)
  19. It's not every day that you get a security story that involves Yahoo, Google and Microsoft, but that's what has happened with the claims from a Microsoft official that there was an Android-based botnet in existence sending spam from compromised devices. Now it seems that the spam emanating from Android phones may be the result of a bug in the Yahoo Mail app that enables attackers to sniff traffic and compromise users' accounts. The original report of the spam messages coming from Android devices came from a blog post by Terry Zink, a Microsoft engineer, who said that he'd found some interesting spam samples that he thought came from Android devices that were compromised. "All of these messages are sent from Android devices. We’ve all heard the rumors, but this is the first time I have seen it – a spammer has control of a botnet that lives on Android devices. These devices login to the user’s Yahoo Mail account and send spam," Zink said in his post. Google immediately challenged this claim, saying that no such botnet existed. "Our analysis suggests that spammers are using infected computers and a fake mobile signature to try to bypass anti-spam mechanisms in the email platform they're using," Google said. Researchers at Lookout Mobile Security looked at the messages and some other information and came to the conclusion that the spam may have been the result of attackers sniffing users' traffic on open networks and looking for Yahoo Mail traffic specifically. "It’s come to our attention that Yahoo! Mail for Android does not encrypt its communications by default – it performs all its functions over HTTP, not HTTPS. This means that any traffic that is sent by the Yahoo! Mail Android app can easily be intercepted over an open network connection such as a public WiFi network. This exposes Yahoo! Mail for Android to session hijacking, a form of attack that gained mainstream attention with Firesheep in Fall of 2010," Lookout researchers said. Source
  20. The Tor team have discovered a fake certificate in the wild. The certificate, issued by a US company called Cyberoam, was used in an attempt to trick a user in Jordan into believing that her/his connection to the Tor website was private and secure, though in fact it was being spied upon by a Cyberoam device. This issue was discovered and analysed by Runa A. Sandvik of the Tor Project and Ben Laurie. A certificate handling flaw in Cyberoam’s deep packet inspection (DPI) devices allows traffic from a single ‘victim’ to be intercepted by any DPI device from the vendor, according to the Tor Project. Cyberoam make a range of DPI devices which are capable of intercepting SSL connections. “While investigating this further, Ben Laurie and I found a security vulnerability affecting all Cyberoam DPI devices. Examination of a certificate chain generated by a Cyberoam DPI device shows that all such devices share the same CA certificate and hence the same private key,” Runa A. Sandvik, security researcher at Tor Project, explained. Because the devices all use the same CA certificate, anyone in the possession of one of these devices can intercept traffic from any user accessing the network through a different Cyberoam device. Since all of the devices also include the same private key, this key can be extracted and imported into other DPI systems as well, enabling that same traffic to be intercepted. Tor Browser Bundle users are not impacted, but other users should check to ensure that the certificate in question is not installed in their web browser. Victims should uninstall the Cyberoam CA certificate from their browsers and decline to complete any connection which gives a certificate warning. Source
  21. The warnings about the Internet problem have been splashed across Facebook and Google. Internet service providers have sent notices, and the FBI set up a special website. Thousands of Canadians could be among the hundreds of thousands of people around the world who might lose Internet access on July 9. That's the day the FBI will shut down all the "clean servers" it set up to combat a massive hacking operation. Last November the FBI arrested and charged six Estonian men behind the malware as part of Operation Ghost Click. These hackers were able to make a fortune off their project, raking in millions for ads placed on their fraudulent websites. On the eve of the arrests, the FBI hired Paul Vixie, chairman of the Internet Systems Consortium (ISC), to install two temporary Internet servers that would prevent infected users from losing access to the Internet once the DNSChanger botnet was shut down. Source
  22. If you've been scanning the headlines or watching the evening news, you may have heard that tens of thousands of Internet users in the U.S. - hundreds of thousands around the world - will be cut off from the Internet on Monday, July 9, after servers set up at the bequest of the U.S. government go dark. That's bad, right? Well, maybe not. What you may not know is that the impending DNSChanger "black out" threatens to obscure what has been a highly successful effort - one of few to date - to stamp out a global online scam and malware infestation. First, some recent history: U.S. authorities in November unveiled indictments against six Estonian nationals who they charged with running a sophisticated, international online fraud that netted an estimated $14 million in bogus Internet advertising revenues, while infecting some four million computers worldwide, 500,000 in the U.S. alone. The scheme used malicious software, installed on victims' machines, to force the users to visit Web sites that were customers of an online advertising firm controlled by the scammers. Continued in the source
  23. Major corporations, government agencies, and small businesses all hand out RSA SecurID fob keychains to employees so that they can log in to their systems for security reasons. If you’re used to seeing a device like this on a daily basis, you probably assume that it’s a vital security measure to keep your employer’s networks and data secure. A team of computer scientists beg to differ, however, because they’ve cracked the encryption it uses wide open. In a paper called “Efficient padding oracle attacks on cryptographic hardware,” researchers Romain Bardou, Lorenzo Simionato, Graham Steel, Joe-Kai Tsay, Riccardo Focardi and Yusuke Kawamoto detail the vulnerabilities that expose the imported keys from various cryptographic devices that rely on the PKCS#11 standard. They managed to develop an approach that requires just 13 minutes to crack the device’s encryption. RSA Security, a division of the data storage company EMC, is one of the largest makers of the security fobs. A spokesman for the company, Kevin Kempskie, said that its own computer scientists were studying the paper to determine “if this research is valid.” Commonly referred to as the ‘million message attack,’ it usually requires an average of 215,000 queries to reveal a 1024-bit key. The refined method suggested in the document improves the algorithm and only requires an average of 9,400 calls to reveal the same key. They accomplished this by using a theorem that allows not only multiplication but also division to be used in manipulating a PKCS#1 v1.5 ciphertext to learn about the plaintext. The paper says that "the attacks are efficient enough to be practical." Among the other vulnerable devices are SafeNet's iKey 2032 and Aladdin eTokenPro, Siemens' CardOS and Gemalto's CyberFlex (92 minutes). Also vulnerable is the Estonian electronic ID Card, which contains two RSA key pairs. Source: RSA SecurIDs Get Cracked In 13 Minutes | The Hacker News
  24. A new Mac OS X backdoor variant has begun making the rounds online, targeting a Turkic ethnic group in central Asia, according to a post on Securelist’s blog earlier today. Researchers intercepted an advanced persistent threat (APT) campaign earlier this week that was targeting Uyghur Mac users, according to the analysis by Kaspersky Lab senior security researcher Costin Raiu. Victims of the attack received an email with a zip file (matiriyal.zip) with a JPG file and an OS X application attached. If opened, the application will launch a new variant of the MaControl backdoor, connect to its command and control (C&C) server and allow the attacker to run commands on the infected computer and access its files. Researchers appear to have traced the C&C server to an IP address in China. Similar to Kaspersky Lab's discovery, AlienVault Labs claims to have found another backdoor, this one affecting Windows users. Transmitted through email, the attack also includes a zip file - along with a WinRAR file. The file extracts a binary that goes on to copy itself, but not before dropping a DLL file on the system. After it's injected, the DLL file appears to help initiate Gh0st RAT, a well-known remote access tool. Gh0st RAT was served up by Amnesty International’s website just last month and has been used in other targeted attack campaigns in recent years. Other variants of Gh0st RAT were recently installed on computers following a spear phishing campaign involving nongovernmental organizations that support the Central Tibetan Administration. Much like the Flashback Trojan earlier this year, another type of Mac malware, SabPub, took aim at Mac users in April after it exploited the same Java security hole. Source: Mac OS X, Windows Backdoors Used in New APT Attacks | threatpost