Wubi

Eu folosesc ESET Mobile Security pe HTC Sensation XL. Si nu am avut neam probleme cu antivirus-ul sau protectia.

RiskRanker : A New malware detection technique For many years, mobile security experts have been fighting an uphill battle against malware, which has been steadily and dramatically increasing in both volume and sophistication. Well, NQ Mobile's Mobile Security Research Center, in collaboration with North Carolina State University disclosed a new way to detect mobile threats without relying on known malware samples and their signatures. "In the current scenario malicious software is present in the market place, ready to create havoc as soon as it is downloaded onto a device. Malware is discovered only after it has done irreversible damage. Existing mobile anti-virus software are inadequate in their reactive nature by relying on known malware samples for signature extraction. RiskRanker crushes the mean motives of the culprit by detecting any malicious content while it is still in the app market." RiskRanker is a unique analysis system that can automatically detect whether a particular app exhibits dangerous behavior. It differs from other malware tools by identifying apps with risky behavior while they are in the app market and before they make their way to a user's phone. "RiskRanker employs a unique two-step method of discovering malware," said by NQ Mobile's Vice President of Research, Dr. Simon Shihong Zou. In a trial run earlier this year RiskRanker scanned over one hundred thousand apps from a variety of marketplaces that provide Android applications and identified 718 malware threats, including 322 zero-day threats. "The development of RiskRanker is another demonstration of NQ Mobile's leadership in mobile security and privacy," said NQ Mobile Chief Product Officer, Gavin Kim. Sursa: http://thehackernews.com/2012/06/riskranker-new-malware-detection.html

Cel mai probabil pentru ca sunt mii de tutoriale despre SQL Injection de zeci de ori mai complexe. Ce ai facut tu nu e tocmai un tutorial. Nici chiar o introducere in Blind SQL Injection.

Poate or sa se termine in sfarsit cu molozuri de topicuri gen "Role cu 5 roti"/"Ce as putea face cu IP unei victime" pline de agarici dornici de caterinca si trollaiala.

Apasa ESC pentru a intra in Boot Menu, si selecteaza acolo CD-DVD PLM. Posibil sa fie de la tastatura, daca e cu USB. Daca in Boot Menu nu poti folosi tastele, e de la tastatura.

The ongoing 2012 UEFA European Championship is the latest sporting event used by cybercriminals to lure users into their malicious schemes. So far, we have uncovered a malicious site with a domain name that copies the official UEFA Euro 2012 site and web pages leading to survey scam pages and ad tracking sites. Malicious Domain Hosts Multiple Threats While conducting proactive research, we spotted the site {BLOCKED}uro2012.com, which tried to mimic the official site UEFA EURO – UEFA.com. Upon our investigation, this site actually hosts several malware, once of which is the FAKEAV variant TROJ_FAKEAV.HUU. Once executed in the system, this malware displays a supposed scan result of the infected system. This may prompt users to purchase the bogus antivirus program and activate the said product. The FAKEAV “activation page” is actually a phishing page designed to trick users into giving out sensitive information. TROJ_FAKEAV.HUU was also found to disable web browsers (Internet Explorer, Mozilla Firefox, and Google Chrome). This domain also hosts the file TROJ_DLOADR.BGV, which connects to three different URLs to download the ZBOT variant TSPY_ZBOT.JMO. ZBOT variants are notorious information stealers that target users online banking login credentials. To know more about the ZBOT/ZeuS variants, you may refer to Trend Micro research paper Zeus: A Persistent Criminal Enterprise. When users searched the keywords “Watch Portugal vs Czech Republic Live”, the malicious site appears as one of the top search results. When clicked, users are redirected to a “video offer” page instead of a live video streaming of the game. If users choose the offer, it will unknowingly access affiliate sites that track user’s location and IP address. In doing so, scammers can earn money by using these details as page visits to their advertisements. Another similar attack took advantage of the recent Italy vs. England fight. The site {BLOCKED} glandvsitalylivestreameuro2012online.com redirects users to http://www.{BLOCKED}og.com/2012/06/england-vs-italy-live-stream/, which supposedly offers a live video streaming of the event. In reality, the page will only lead users to a survey scam page, which eventually leads to affiliate and ad tracking sites. UEFA 2012 Web Extension, Facebook Clicjacking We also encountered a bogus Google Chrome extension hosted on Chrome Web Store. Based on our analysis, once users add the said extension to the browser and is launched, it redirects to the malicious site http://www.{BLOCKED}linetv.biz/livesports.php that also leads to affiliate/ad tracking sites. Unfortunately, Facebook users were not spared from this threat as we’ve noticed several wall posts that purportedly lead to a video streaming page for the event. However, like the rogue web extension, the page too leads to affiliate sites that enable scammers to earn money from users’ visits. Euro 2012 Spam Leads to Fake Pharmacy Site Rik Ferguson also spotted spammed messages that use Euro 2012 team scores, as seen below: Users who received email similar to the one above are warned not to click on the link as it leads to fake Canadian pharmacy sites peddling fake drugs. Trend Micro Protects Users From These Threats Trend Micro users are already protected from these threats via Smart Protection Network™, which blocks these malicious URLs and detects the related malware, as well as blocking the spammed messages. Using sporting events such as the UEFA Euro 2012 as bait to malicious sites is a popular social engineering technique, thus users should visit and bookmark reliable websites for their latest UEFA fix. To know more about web threats that target sports fans, you may read our FAQ entry Sports as Bait: Cybercriminals Play to Win. Update as of 12:26 AM June 28 2012, PST Time TROJ_DLOADR.BGV has been renamed to TSPY_ZBOT.BGV, which connects to specific URLs to download files. Sursa: http://blog.trendmicro.com/cybercriminals-kick-off-uefa-euro-2012/

Daca tot vrei sa arate a Vista cu acea configuratie indeplinesti cerintele minime: Procesor de 800 megahertzi (MHz) ?i 512 MO de memorie de sistem Unitate de hard disk de 20 GO cu cel pu?in 15 GO de spa?iu disponibil Suport pentru grafic? Super VGA Unitate CD-ROM Nu prea ii vad rostul. In general teme si chestii de genul ingreuneaza sistemul. Dovada, procesorul tau e la 97% cu Mozilla si un Installer...

Zemra first appeared on underground forums in May 2012. This crimeware pack is similar to other crime packs, such as Zeus and SpyEye, in that is has a command-and-control panel hosted on a remote server. Zemra uses a simple panel with an overview of all statistics is needed.With the help of two graphs can be seen operating machinery and the region location.In addition, statistics on online and for more information. You have a chance to see everything online Socks5 and export them to the list.Traffic is encrypted and protected using the algorithm AES, each client communicates with a unique generated key. A brief functional: Intuitive control panel DDos (HTTP / SYN Flood / UDP) Loader (Load and run). Cheat visits (visits to the page views). USB Spread (spread through flash drives) Socks5 (picks up socks proxy on the infected machine) Update (Updates the bot) The process can not be completed because the He is critical. 256 Bit AES encryption of traffic from the bot to the server Anti-Debugger There is a choice of a particular country bots perform the job Zemra Botnet Download 4 Zemra+Botnet+Leaked, Zemra first appeared on underground forums in May 2012. This crimeware pack is similar to other crime packs, such as Zeus and SpyEye, in that is has a command-and-control panel hosted on a remote server. Zemra uses a simple panel with an overview of all statistics is needed.With the help of two graphs can be seen operating machinery and the region location.In addition, statistics on online and for more information. You have a chance to see everything online Socks5 and export them to the list.Traffic is encrypted and protected using the algorithm AES, each client communicates with a unique generated key. A brief functional: • Intuitive control panel • DDos (HTTP / SYN Flood / UDP) • Loader (Load and run). • Cheat visits (visits to the page views). • USB Spread (spread through flash drives) • Socks5 (picks up socks proxy on the infected machine) • Update (Updates the bot) • [color = red] The process can not be completed because the He is critical. • 256 Bit AES encryption of traffic from the bot to the server • Anti-Debugger • There is a choice of a particular country bots perform the job Two types of DDoS attacks that have been implemented into this bot: HTTP flood and SYN flood. VirusTotal Scan(https://www.virustotal.com/file/d22050d7decc39569e68e70d61b9c5f9defbd1602b86b68933135be8c25b762f/analysis/1340840541/): Download Sursa

Zemra Botnet Leaked, Cyber Criminals performing DDoS Attacks he Zemra DDoS Bot is currently sold in various forums for about 100 € and detected by Symantec as Backdoor.Zemra. Zemra first appeared on underground forums in May 2012. This crimeware pack is similar to other crime packs, such as Zeus and SpyEye, in that is has a command-and-control panel hosted on a remote server. Zemra uses a simple panel with an overview of all statistics is needed.With the help of two graphs can be seen operating machinery and the region location.In addition, statistics on online and for more information. You have a chance to see everything online Socks5 and export them to the list.Traffic is encrypted and protected using the algorithm AES, each client communicates with a unique generated key. Note : In "Tools Yard" we have Posted Zemra Source Code, Only for Educational Purpose. A brief functional: Intuitive control panel DDos (HTTP / SYN Flood / UDP) Loader (Load and run). Cheat visits (visits to the page views). USB Spread (spread through flash drives) Socks5 (picks up socks proxy on the infected machine) Update (Updates the bot) The process can not be completed because the He is critical. 256 Bit AES encryption of traffic from the bot to the server Anti-Debugger There is a choice of a particular country bots perform the job After inspecting the source code, symantec identifies that two types of DDoS attacks that have been implemented into this bot: HTTP flood and SYN flood. "To reduce the possibility of being infected by this Trojan, Symantec advises users to ensure that they are using the latest Symantec protection technologies with the latest antivirus definitions installed." Symantec suggest in a blog post. Sursa

McAfee and Guardian Analytics released a joint report today saying that more than 60 firms have suffered from what it has called an “insider level of understanding.” The automated malicious software program was discovered and it was designed to use servers to process thousands of attempted thefts from both businesses and private individuals. “The fraudsters’ objective in these attacks is to siphon large amounts from high balance accounts, hence the name chosen for this research – Operation High Roller,” the report said. “If all of the attempted fraud campaigns were as successful as the Netherlands example we describe in this report, the total attempted fraud could be as high as 2 billion euro.” What makes this crime so different is that the hackers were able to get into the bank servers and install constructed software that is automated. Because it is on the inside, it is able to get around the normal alarms that alert the system of abnormalities and do its job. Which is to siphon money out of large accounts. MacAfee has identified a bunch of servers being used for this crime. “They have identified 60 different servers, many of them in Russia, and they have identified one alone that has been used to steal 60 million euro,” Sky News defense and security editor Sam Kiley said. The 60 million euros that have been taken are all that has been identified so far, but this has the ability to be one of the largest thefts of money in the history of the world. Sursa

Haarp Cord - Titani (2:02 - 2:09)

Operation Card Shop : FBI Arrested 24 Credit Card Cyber Criminals The FBI has arrested 24 cybercriminals part of an international law enforcement operation aiming to arrest and prosecute the users of a sting operation called “Carder Profit”. The suspects, collared after a two-year investigation dubbed "Operation Card Shop," allegedly stole credit card and banking data and exchanged it with each other online. “We put a major dent in cybercrime,” she said. “This is an unprecedented operation.”In the sting, which they called Operation Card Shop, undercover investigators created an online bazaar to catch buyers and sellers of credit card data and other private financial information. They also aimed at people who clone and produce the physical credit cards that are then used to buy merchandise. Some CarderProfit users apparently learned of the involvement of the feds months ago. A Twitter user with the name @JoshTheGod wrote that “has informants and most likly to be believed as a Federal Sting,” back in April. Names of the arrested cybercriminals: MICHAEL HOGUE - xVisceral JARAND MOEN ROMTVEIT - zer0 MIR ISLAM - JoshTheGod STEVEN HANSEN - theboner1 ALI HASSAN - Badoo JOSHUA HICKS - OxideDox MARK CAPARELLI - Cubby SETH HARPER - Kabraxis314 CHRISTIAN CANGEOPO - 404myth Many of the 11 individuals arrested in the United States offered specialized skills and products on the sting site. One, who used the screen name xVisceral, offered remote access tools known as RATS that would spy on computers and Web cameras; the programs sold for $50 a copy. Federal officials maintained that the operation prevented potential losses of more than $200 million. Credit card providers were notified of more than 400,000 compromised credit and debit cards, the officials said. "As the cyber threat grows more international, the response must be increasingly global and forceful," Manhattan U.S. Attorney Preet Bharara said.Bharara called the crackdown "largest coordinated international law enforcement action in history" directed criminals who use the Internet to traffic in stolen credit cards and bank accounts. Operation Card Shop is the latest in a long string of cybercrime initiatives carried out by the FBI. In January, the agency shut down file-sharing site Megaupload after its staff was charged with copyright violations (inviting a retaliatory strike from Anonymous). Late last year, the FBI announced the arrest of six Estonian citizens after they were charged with using malware to infiltrate Internet advertising services Yet another cybercrime-friendly community was targeted in the operation, although the press release is not discussing the matter. The community in question, Fraud.su, which currently returns an index page placed there by U.S law enforcement agencies.The operation appears to be widespread, as the web site of the UGNazi group (UGNAZI.com) is also defaced by U.S law enforcement agencies. US officials said the operation prevented losses of $205m (£131m) from debit and credit cards. Sursa

+1!

Penetration Testing cu Backtrack Windows Exploitation Wireless Attack Cracking

Daca doar ce ti-ai instalat Backtrack, sau ai de gand sa o faci, si nu prea sti cu ce se mananca, arunca o privire peste acest topic. Informatiile sunt luate de pe Backtrack Linux Wiki, traduse, si unele adaptate de mine. Daca aveti de asemenea intrebari legate de Backtrack, lasati`le intr`un reply, sau PM, si voi incerca sa raspund fiecaruia. Introducere Primul Login se face username-ul si parola implicite, root / toor Pentru interfata grafica, foloseste comanda startx Daca apar probleme cu interfata grafica, din cauza unelor placi video, in general pe VMWare, vei avea nevoie sa reconfigurezi X server package. Pentru a`l reseta si fixa, foloseste comanda: root@bt:~# dpkg-reconfigure xserver-xorg sau, pentru BT5 x64 KDE: root@bt:~# rm /root/.kde/cache-* Banuiesc ca stiai deja de (root/toor. Este IMPORTANT sa schimbi parola de la root, in special daca folosesti servicii precum SSH. Poti schimba parola folosind comanda passwd. Insa, cel mai usor mod este din System>Administration>About Me>Change Password... Setarea retelei Setarea IP-ului manual IP Address - 192.168.1.112/24 Default Gateway - 192.168.1.1 DNS server - 192.168.1.1 Pentru a face urmatoarele setari, urmeaza comenzile astea: root@bt:~# ifconfig eth0 192.168.1.112/24 root@bt:~# route add default gw 192.168.1.1 root@bt:~# echo nameserver 192.168.1.1 > /etc/resolv.conf Obtinerea unui IP static Aceste setari oricum vor ramane pana cand vei reporni sistemul, deci daca vrei sa ramana, va trebui sa editezi fisierul /etc/network/interfaces cam asa: # This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5). # The loopback network interface auto lo iface lo inet loopback # The primary network interface auto eth0 iface eth0 inet static address 192.168.1.112 netmask 255.255.255.0 network 192.168.1.0 broadcast 192.168.1.255 gateway 192.168.1.1 Modifica fisierul luand ca model cel de mai sus, dupa care reteaua va functiona de fiecare data chiar si daca repornesti sistemul. root@bt:~# update-rc.d networking defaults root@bt:~# /etc/init.d/networking restart Obtinerea unui IP de la DHCP In scopul obtinerii unui IP de la un server DHCP vom folosi dhclient <interface> precum aici: root@bt:~# dhclient eth0 Internet Systems Consortium DHCP Client V3.1.1 Copyright 2004-2008 Internet Systems Consortium. All rights reserved. For info, please visit http://www.isc.org/sw/dhcp/ Listening on LPF/eth0/00:0c:29:81:74:21 Sending on LPF/eth0/00:0c:29:81:74:21 Sending on Socket/fallback DHCPREQUEST of 192.168.1.112 on eth0 to 255.255.255.255 port 67 DHCPACK of 192.168.1.112 from 192.168.1.1 bound to 192.168.1.112 -- renewal in 37595 seconds. root@bt:~# Foloseste acest script pentru a porni reteaua Este un script pentru a porni reteaua in directorul /etc/init.d care incearca sa deschide toate interfetele din /etc/network/interfaces (poti renunta la cele de care nu ai nevoie). Pentru a porni foloseste urmatoarea comanda: root@bt:~# /etc/init.d/networking start WICD Network Manager O alta cale de a configura reteaua este sa folosesti WICD Network Manager. Il gasesti in Menu > Internet > Wicd Network Manager OBS: Cand deschizi WICD e probabil sa primesti o eroare de genul: Pentru a scapa de eroarea de mai sus, ai nevoie sa repornesti Backtrack, si INAINTE de a porni WICD scrie asta in terminal: root@bt:~# dpkg-reconfigure wicd root@bt:~# update-rc.d wicd defaults Apoi dupa restart eroarea nu ar trebui sa mai apara. Cateva comenzi comunte "apt" apt-get install <package> Descarca <package> si tot ce depinde de el, il instaleaza si actualizeaza. apt-get remove [--purge] <package> Sterge <package> si tot ce depinde de el. apt-get update Actualizeaza pachetele. Ar trebui folosita cel putin odata pe saptamana. apt-get upgrade "Upgradeaza"(daca exista asa ceva in limba romana) toate pachetele instalate. Ar trebui folosita cel putin odata pe saptamana. apt-get dist-upgrade [-u] Similar cu apt-get upgrade, doar ca acest dist-upgrade va instala sau sterge pachetele. apt-cache search <pattern> Cauta package-urile si descrierea pentru <pattern>. apt-cache show <package> Va arata intreaga descriere a <package>. apt-cache showpkg <package> Arata ceva mai multe detalii despre <package>, si relatiile lui cu alte pachete. man apt Iti va da mai multe informatii pentru aceste comenzi la fel de bine cum multe dintre ele sunt rar folosite. Cateva comenzi utile dpkg dpkg -i <package.deb> Instaleaza un fisier, dupa ce l`ai descarcat manual de exemplu. dpkg -c <package.deb> Listeaza continutul <package.deb> dpkg -r <package> Sterge un pachet numit <package>. dpkg -P <package> Diferenta dintre remove si purge este aceea ca remove doar sterge data si executabilele, purge sterge si toate fisierele configurarile. dpkg -L <package> Ofera o lista a tuturor fisierelor instalate de <package>. dpkg -s <package> Arata informatii despre <package>. dpkg-reconfigure <package> Reconfigureaza un pachet instalat. man dpkg Iti va da mai multe informatii despre dpkg. Pentru a afla mai multe detalii despre o anumita comanda root@bt:~# man <command you want more info on> O sursa buna cu informatii despre comenzi linux se poate gasi pe linuxcommands.org Unele programe e posibil sa nu aiba o pagina man. Dar poti gasi informatii despre ele: root@bt:~# <program name> (doar numele programului fara alte argumente.) sau, root@bt:~# <program name> -help sau, root@bt:~# <program name> --help sau, root@bt:~# <program name> -h Unele programe folosesc alte metode, dar acelea se trag de obicei din one din comenzile de mai sus.

RSA SecurIDs Get Cracked In 13 Minutes Major corporations, government agencies, and small businesses all hand out RSA SecurID fob keychains to employees so that they can log in to their systems for security reasons and If you’re used to seeing a device like this on a daily basis, you probably assume that it’s a vital security measure to keep your employer’s networks and data secure. A team of computer scientists beg to differ, however, because they’ve cracked the encryption it uses wide open. In a paper called “Efficient padding oracle attacks on cryptographic hardware,” researchers Romain Bardou, Lorenzo Simionato, Graham Steel, Joe-Kai Tsay, Riccardo Focardi and Yusuke Kawamoto detail the vulnerabilities that expose the imported keys from various cryptographic devices that rely on the PKCS#11 standard. They managed to develop an approach that requires just 13 minutes to crack the device’s encryption. RSA Security, a division of the data storage company EMC, is one of the largest makers of the security fobs. A spokesman for the company, Kevin Kempskie, said that its own computer scientists were studying the paper to determine “if this research is valid.” Commonly referred to as the ‘million message attack,’ it usually requires an average of 215,000 queries to reveal a 1024-bit key. The refined method suggested in the document improves the algorithm and only requires an average of 9,400 calls to reveal the same key. They accomplished this by using a theorem that allows not only multiplication but also division to be used in manipulating a PKCS# v1.5 ciphertext to learn about the plaintext. The paper says that "the attacks are efficient enough to be practical." Among the other vulnerable devices are SafeNet's iKey 2032 and Aladdin eTokenPro, Siemens' CardOS and Gemalto's CyberFlex (92 minutes). Also vulnerable is the Estonian electronic ID Card, which contains two RSA key pairs Sursa

Drones can be hijacked by terrorist, Researchers says Vulnerability Exist Fox News is reporting that researchers say that terrorists or drug gangs, with the right kind of equipment could turn the drones into “suicide” weapons. A University of Texas researcher illustrated that fact in a series of test flights recently, showing that GPS "spoofing" could cause a drone to veer off its course and even purposely crash. This is particularly worrisome, given that the US is looking to grant US airspace to drones for domestic jobs including police surveillance or even FedEx deliveries In other words, with the right equipment, anyone can take control of a GPS-guided drone and make it do anything they want it to. Spoofers are a much more dangerous type of technology because they actually mimic a command by the GPS system and convince the drone it is receiving new coordinates. With his device what Humphreys calls the most advanced spoofer ever built (at a cost of just $1,000) he was able to override the signal from space with a more powerful signal from the device. Congress recently passed legislation paving the way for what the FAA predicts will be somewhere in the region of 30,000 drones in operation in US skies by 2020.Critics have warned that the FAA has not acted to establish any safeguards whatsoever, and that congress is not holding the agency to account. Sursa

Cu hardware-ul PC-ului nu ai ce probleme sa intampini.

O sa-ti mearga. Daca vrei o performanta mai buna scapa de efectele implicite Start>Control Panel>Performance Information and Tools, apoi, in lista rezultatelor, da click pe Performance Information and Tools. Dai click pe Adjust visual effects Da click pe tab-ul Visual Effects, click pe Adjust for best performance, apoi OK. Pentru o optiune, ceva mai putin drastica, selecteaza Let Windows choose what`s best for my computer. Scapa de programele care pornesc la startup. Scrie in searchbox-ul de la Start, "msconfig". Si mai sunt multe alte lucruri de facut pentru a`ti optimiza Windows 7. Verifica aici pentru mai multe : Optimize Windows 7 - Windows 7 Forums

Apple has quietly removed a statement from its website that the Mac operating system isn’t susceptible to viruses. Apple released a patch to a Java vulnerability that lead to the infection of roughly 600,000 Macs with the Flashback Trojan earlier this year, there were claims weeks later from security researchers that hundreds of thousands of Macs were still infected. Apple is one of the single software companies that hasn't really faced the problem of viruses, for years claiming their operating system is the most secure among all. The specific language about the operating system, “It doesn’t get PC viruses” was replaced with “It’s built to be safe.” But now, Apple may be taking security threats more seriously. Apple is introducing a new app security measure called Gatekeeper in the upcoming release of Mountain Lion, the latest version of Mac OS X. The majority of malware might still be floating around in the Windows world, but it’s still important to remember that no OS is bulletproof once people start shooting at it. You can never be too careful. Sursa

Antivirus-ul si Firewall-ul este pentru a`ti proteja computerul de atacuri, virusi, stealere, rat-uri, etc. Cateodata insa, un atacator poate cu usurinta sa evite protectia, si sa obtina acces la root pe computerul tau. Sunt sute de tool-uri si tehnici pentru a evita un anti-virus sau firewall. Buffer Overflow este cea mai comuna metoda de atac, care ii permite atacatorului sa obtina acces de administrator in computer sau retea. Sunt de asemenea sute de tutoriale prin care sa folosesti BackTrack ca sa "hachezi" un sistem informatic ce foloseste ca sistem de operare Windows. Chiar nu cunosc despre autorul acestul video, dar contine un bun exemplu pentru atacurile buffer overflow folosind un exploit. Cerinte: BackTrack 5 R1/R2 Victima ar fi indicat sa foloseasca Windows Metasploit Apache Creier Sursa: Ethical Hacking-Your Way To The World Of IT Security

Am specificat.

Secuzizarea punctului de acces (Access Points(AP)) al paginii web a router-ului tau si Telnet-ul sau accesul SSH ar trebui sa fie considerat o parte din strategia de securitate generala, nu numai la birou cat si acasa. De ce? Pentru a impiedica alt user care este conectat la retea sa modifice, sa incurce, sau sa editeze configuratiile routerului tau. Unii useri pot profita de privilegiile administrative la reteaua ta daca securitatea poate fi evitata usor sau exploatata de tehnici simple pe care orice copil o poate face. Voi enumera cateva dintre tehnicile pe care cei mai multi dintre atacatori le vor folosi in scopul accesarii si exploatarii vulnerabilitatilor in unele router. 1. Implicit, Comun, si parole slabe Unele routere au username-uri si parole usor de ghicit, sau inca le folosesc pe cele implicite. Cateva combinatii: admin : pass admin : password admin : root admin : admin admin : jake admin : rose admin : secret admin: administrator root: administrator root : root root : admin root : password root : toor root : iloveyou root : access root : pirate root: secretpass root : acess user : user guest : guest Deci daca un user se intampla sa initieze un atac de tip brute force pe login-ul unui astfel de router, doar folosind o lista simpla de cuvinte compilata din cautarea diferitelor login-uri implicite de la diferite routere. Daca inca iti amintesti de, ‘Silly Routers Release’ al Lulzsec care includea SSH sau Secure Shell logins, si falsul AnonPH`s. Silly Routers Release and SSH Logins ( http://www.itac.com.ph/portals/0/anonph.txt ). In analiza pe care am facut`o, aceste doua grupuri folosesc SSH scannere in masa ce pot fi UNixcod, PIata, sau GSM SSH Scanner bazat pe urmatoarele login-uri: root : root cezar : cezar root : admin admin:admin guest:guest iscadm:sparks staff:staff web : web nurse : nursing Acest lucru suna simplu, deoarece este, dar nu putem nega ca unii utilizatori nu se gandesc prea mult la prolele ce le folosesc, sau poate ei nu stiu cum sa isi configureze router-ul, si poate nu se gandesc la posibilele riscuri. Cateva site-uri unde poti gasi ceva parole implicite: Default Passwords | CIRT.net Default Password List Default passwords list - Select manufacturer Big bertha says: default passwords default password Virus.Org Default Password List - Submit 2. Intrand fara autorizatie A venit odata timpul cand am decis sa verific port-urile deschise ale CD-R King IP04166 Wireless-N-ului meu de acasa si porturile 23 care sunt pentru acces telnet, si portul 80 pentru a accesa pagina web a Acces POint-ului, dar avea o parola(grrr!). Sunt port-uri bune pentru a verifica posibilele intruziuni daca atacatorul stie ce exploit-uri sa foloseasca. Si deoarece port-ul 80 avea o parola, si brute force parea o pierdere de timp, am decis sa verific pe port-ul 23: shipcode@projectX:~ telnet 192.168.10.1 OK, am fost in stare sa fac telnet la gateway-ul implicit al router-ului dar...NU M`A INTREBAT NIMENI PE MINE pentru vreo informatie de login sau autentificare. Deci daca user-ul nu poate accesa pagina web a AP-ului, atunci el poate profita de acest privilegiu sa caute parola paginii web. Acum, sa uitam de parolele implicite sau slabe, pentru ca este pea EPIC. Un router care permite oricarui utilizator din retea sa se conecteze la gateway-ul implicit fara o verificare. Dupa cum puteti vedea in imaginea de mai sus, am scris "ls -la" care listeaza toate directoarele din directorul root. Ia ca exemplu, uita`te in /bin unde poti vedea toate programele comune, impartasite de program, administratorul sistemului sau utilizatorii; atacatorul poate gasi cate ceva important aici. Asta poate fi posibila si pe alte routere de asemenea. 3. Aplicatiile web vulnerabile pe pagina web a Acces Point-ului Unele routere nesecurizate au aplicatii web care pot fi vulnerabile la SQLi, LFI, LFD, XSRF, si multe altele. Craig Heffner, autorul reaver - spune ca "milioane" de routere de acasa, sunt vulnerabile la atacurile web. Anul trecut, m`am putut juca cu router-ul meu Huawei-ul bm622, si este una dintre jucariile mele preferate de acasa. De fapt sunt multe tutoriale despre cum sa "pentrezi" un astfel de router. Poti accesa router-ul chiar de pe port-ul 80 punand gateway-ul implicit al router-ului in browser. In mod normal, gateway-ul implicit este 192.168.1.1 si te poti loga ca user:user dar fara privilegii de aministrator. Poti vedea doar starea conexiunii, adres mac a WAN-ului, adresa mac a LAN-ului, BSID, etc. Insa este destul de usor sa iei parola care iti ofera privilegii de aministrator. Acest tip de router este vulnerabil la LFD(Local FIle Disclosure). Tot ce ai de facut este sa vezi sursa link-ului (Ctrl + U) : 192.168.1.1/html/management/account.asp. Dupa ce ai vazut sursa, trebuie doar sa cauti linia asta: var UserInfo = new Array(new stUserInfo(“InternetGatewayDevice.UserInterface.X_ATP_UserInfo.1? Atacatorul ar trebui sa fie in stare sa vada username-ul si parola administratorului care arata ca una cryptata insa nu este, este parola care de obicei e un pic cam lunga. Parola de obicei incepe cu 200000. Acum te poti loga la router folosind admin ca username si 2000**** ca parola. Incruciseaza`ti degetele si ar trebui sa functioneze! 4. Inauntrul sitemului In cele din urma, daca ai acces shell-ul router-ului cu web page-ul Acces Point-ului atunci poti gasi o cale pentru a`ti folosi acest avantaj pentru a cauta parola sau informatii despre cont. Acum revenind la acces-ul meu la CD-R King IP04166 Wireless-N-ul meu de acasa fara a necesita autentificare, oare ce se se va intampla daca decid sa verific sub-directoarele sistemului. Atunci am intrat in directorul /var folosind comanda : ls -a Daca te uiti atent peste imagina ar trebui sa vezi un fisier '.htpasswd', acum sa incercam sa verificam acel fisier folosind comanda: cat .htpasswd .htpasswd contine parola accountului paginii web a acces point-ului. Acum sa incercam sa ne autentificam pe pagina web a AP-ului folosind aceste informatii: #nimda:sudo910aPt Yey, am intrat in pagina web a router-ului meu. Inca cateva chestii peste care te`ai putea uita sunt fisierele .db, .conf si .cfg sau ceva comenzi shell ce pot arata parola. O alta jucarie cu care m`am putut juca este routerul Huawei bm622i (succesorul bm622) dar care nu mai este vulnerabil la LFD pe 192.168.*.*/html/management/account.asp. Din cauza noii interfete, scripturilor si firmware-ului. Dar are slabiciunile lui, ce ii permite atacatorului de la distanta sa obtina privilegii de administrator. Desi te poti autentifica pe HTTP-ul routerului si sa folosesti user ca username si parola, dar nu iti da privilegii de administrator. Am fost foarte curios cum sa obtii acces de administrator pe acest router. De fapt, este un tool in zilele noastre ce generaza parola adminului dupa ce ii procuri adresa mac. Dar nu sunt sigur daca este atat de efectiv in realitate totusi. Privilegiile de administrator iti permit sa editezi setarile avansate ale routerului cum ar fi setarile VOIP, mac filtering, SSH si accesul Telnet, QoS, etc. A venit o perioada in care am decis sa arunc o privire peste shell-ul routerului prin intermediul telnet-ului gateway si login-ul: wimax:wimax820. Dupa ce am scris sh, si acum sunt in shell... "Hello Busybox again!" . Am mutat in in directorul /bin din nou, folosind comanda ls -la din nou. Am putut vedea o comanda care este cmd, si am fost foarte curios ce e cu ea si am executat`o dupa care scripturile au aparut si am vazut urmatoarea linie: username=200*. Am gasit parola (NU am inclus adresa de mail desigur) a router-ului meu. Si am incercat sa folosesc parola pe care tocmai am vazut`o ca sa ma autentific ca admin. Si.. a mers! Sunt de asemenea tool-uri bune pentru verifica imaginea firmware-ului router-ului, extractand firmware-ul in componentele sale, apoi extragand imaginea file system-ului. Asta permite utilizatorilor, sa faca modificari fara a recompila sursa firmware-ului. Tool-ul se numeste Firmware Mod Kit care a fost dezvoltat de Jeremy Collage si Craig Heffner. Acesta poate fi folosit pentru a verifica vulnerabilitatile unui anumit router la care nu ai acces inca. Tool-ul include binwalk care arata layout-ul firmware-ului. Poti descarca tool-ul de aici: firmware-mod-kit - This kit allows for easy deconstruction and reconsutrction of firmware images for various embedded devices - Google Project Hosting De exemplu, vreau sa extrag imaginea de la Trendnet v1.10 Build: 12 ce poate fi descarcata de aici: TRENDnet | Downloads | Wireless | TEW-654TR, folosind comanda: ./extract-ng.sh TEW-654TRA1_FW110B12.bin Daca extractia firmware-ului este completa si cu succes, ar trebui sa poti sa vezi partile firmware, in directorul fmk. Si poti acum lista directoarele si sa cauti continutul de care ai nevoie. Happy Exploiting! Referinte: Blog | /dev/ttyS0 | Embedded Device Hacking Hacking into the BSNL Router using Andriod | www.SecurityXploded.com Bugtraq: D-Link DIR-300 authentication bypass "Millions" Of Home Routers Vulnerable To Web Hack - Forbes CD-R King IP04166 Wireless-N Router Not Secured Even Though Web Page AP Has a Password | The ProjectX Blog – Information Security Redefined Huawei bm622i Administrator Password Disclosure | The ProjectX Blog – Information Security Redefined Tradus din: InfoSec Resources – Simple Router Pawning Techniques – Getting the Administrative Privileges

Hackers Exploit Unpatched Windows XML vulnerability An unpatched vulnerability in the Microsoft XML Core Services (MSXML) is being exploited in attacks launched from compromised websites to infect computers with malware. This zero-day exploit that potentially affects all supported versions of Microsoft Windows, and which has been tied to a warning by Google about state-sponsored attacks, has been identified carrying out attacks in Europe. Microsoft security bulletin MS12-037 was this month’s cumulative update for Internet Explorer. It is rated as Critical, and addresses 14 separate vulnerabilities that affect every supported version of Internet Explorer in some way.One vulnerability in particular is more urgent than the rest, though. There are multiple attacks circulating online that target CVE-2012-1875.The name of the vulnerability is “Same ID Property Remote Code Execution Vulnerability”, which doesn’t really explain much. Until a patch is released, the Microsoft workaround is the only way to stymie hackers. Many security vendors have updated their products to detect malicious code that tries to exploit the vulnerability. Exploit code that works on all versions of Internet Explorer on Windows XP, Vista and 7 has been added to the Metasploit penetration testing framework. Microsoft has provided a temporary fix for the vulnerability that all Windows users should apply whether or not they use IE as their browser of choice. Most antivirus products have added signatures to detect and block exploits. In addition, you can also run the Fix-It tool from Microsoft. The automated tool implements measures to block the attack vector used to exploit this vulnerability. Sursa