Monday, May 21, 2012

Ads on Wikipedia Can Point to Malware Infection

Every now and then, Wikipedia's popularity and brand are misused by malware peddlers, typosquatters and scammers.

But the fact that the Wikipedia project is funded exclusively by donors and the site never displays ads also makes it a good litmus test for discovering whether one's machine is infected with certain types of malware.

"If you’re seeing advertisements for a for-profit industry or anything but our fundraiser, then your web browser has likely been infected with malware," Wikipedia's Director of Community Advocacy Philippe Beaudette pointed out in a recent blog post.

This usually happens when a specific browser extension has been inadvertently downloaded and installed by the user.

"Ads injected in this manner may be confined to some sites, even just to Wikipedia, or they may show up on all sites you visit," he says. "Browsing through a secure (HTTPS) connection may cause the ads to disappear, but will not fix the underlying problem."

One must disable the extension in question, but even after having done this, other malware could still be hiding on the computer, so a malware scan is in order.

Beaudette points out that ads seen on Wikipedia's site can have one final source - one that might not be malicious but is still annoying: the user's Internet provider, which injects them into web pages for profit.
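As an added illustration (this is not code from Wikipedia's post or from this blog), the litmus test above can be applied programmatically: given the page URL and the URLs of the resources the browser loaded for it, the check below flags anything not served from a Wikimedia domain and uses the page's scheme to hint at the likely source, following Beaudette's HTTP-versus-HTTPS reasoning. The allowlist of Wikimedia domains and the sample resource list are constructed assumptions.

```python
"""Flag third-party resources on a Wikipedia page (added example, not the article's code)."""
from urllib.parse import urlsplit

# Assumption: domains Wikipedia pages legitimately load content from. Extend as needed.
WIKIMEDIA_DOMAINS = ("wikipedia.org", "wikimedia.org", "mediawiki.org", "wikidata.org")


def is_first_party(host: str, allowlist=WIKIMEDIA_DOMAINS) -> bool:
    """True if host is one of the allowlisted domains or a subdomain of one.

    Matching on a leading dot keeps look-alike hosts such as
    'wikipedia.org.example' from passing.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowlist)


def find_injected_resources(page_url: str, resource_urls):
    """Return (resource_url, hint) pairs for resources not served by Wikimedia."""
    page_scheme = urlsplit(page_url).scheme
    findings = []
    for url in resource_urls:
        parts = urlsplit(url)
        # data:, blob: and similar inline resources are out of scope here.
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue
        if is_first_party(parts.hostname):
            continue
        if page_scheme == "http":
            hint = ("page loaded over HTTP: could be in-path injection (ISP/proxy) "
                    "or a browser extension; reload over HTTPS to tell them apart")
        else:
            hint = ("page loaded over HTTPS: in-path injection is unlikely, "
                    "suspect a browser extension and run a malware scan")
        findings.append((url, hint))
    return findings


# Constructed sample: what a browser's resource list might look like for a Main Page visit.
SAMPLE_PAGE = "http://en.wikipedia.org/wiki/Main_Page"
SAMPLE_RESOURCES = [
    "https://upload.wikimedia.org/wikipedia/commons/x/xx/example.png",
    "http://bits.wikimedia.org/static/load.php",
    "http://ads.example.net/banner.js",           # constructed: not a Wikimedia host
    "data:image/gif;base64,R0lGODlhAQABAAAAACw=",  # inline resource, skipped
]

if __name__ == "__main__":
    for url, hint in find_injected_resources(SAMPLE_PAGE, SAMPLE_RESOURCES):
        print(f"suspicious: {url}\n  {hint}")
```

The check is deliberately conservative: it only looks at where resources came from, so an extension that injects inline markup without fetching anything from a third-party host would not be caught by it.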

Flashback Botmasters Earned Less Than $15K

The researchers initially calculated that a botnet of that size could bring in $10,000 per day to its masters, as the malware's ad-clicking component would intercept browser requests, target search queries made on Google and redirect users to another page of the attacker's choosing. Consequently, the attackers would receive payment for the ad click instead of Google.

Alas for the botmasters, not everything went as planned. They managed to install the ad-clicking component only on some 10,000 of the 600,000+ infected machines because security researchers reacted quickly and took down most of their C&C servers.

"From our analysis we have seen that, for a three-week period starting in April, the botnet displayed over 10 million ads on compromised computers but only a small percentage of users who were shown ads actually clicked them, with close to 400,000 ads being clicked. These numbers earned the attackers $14,000 in these three weeks, although it is worth mentioning that earning the money is only one part of the puzzle—actually collecting that money is another, often more difficult, job," shared Symantec.


Sunday, May 20, 2012

Worm Targets Facebook Users Via PMs


A worm posing as a JPG image has seemingly been spotted propagating on Facebook and through various IM applications. "We recently received reports about private messages found on Facebook and distributing a link, which is a shortened URL pointing to an archive file May09-Picture18.JPG_www.facebook.com.zip," Trend Micro researchers warn. "This archive contains a malicious file named May09-Picture18.JPG_www.facebook.com and uses the extension .COM."

Once the file is run and the worm gains a foothold in the system, it first tries to find and disable antivirus software in order to avoid detection. Then it contacts a number of websites and downloads another worm from them.

Zeus Exploits Users of Facebook, Gmail, Hotmail and Yahoo!

Trusteer discovered a series of attacks being carried out by a P2P variant of the Zeus platform against users of Facebook, Google Mail, Hotmail and Yahoo – offering rebates and new security measures.

The scams exploit the trust relationship between users and these well-known service providers, as well as the Visa and MasterCard brands, to steal users’ debit card data.

In the first attack against Facebook, the malware uses a web inject to present the victim with a fraudulent 20% cash back offer by linking their Visa or MasterCard debit card to their Facebook account.


Saturday, May 19, 2012

Cyber Security Still Takes A Backseat For Major Companies

As cyber threats continue to be a nuisance to major companies, senior management has yet to give it the attention it deserves, a recent study finds.

While they are some of the most distinguished enterprises in the world and considered big targets for cyber attacks, the report indicates that top-level management at these firms still neglects suitable governance over the “security of their digital assets.”


Wireless Tech Makes Health Care Security a 'Major Concern'

The use of wireless technology in the latest medical devices found in hospitals, health clinics and doctor offices has become a major concern of the U.S. Department of Homeland Security (DHS).

In a bulletin issued this month, the DHS warned that while new technology brings efficiency, lower cost and better patient care, it also carries security risks that the multi-trillion-dollar healthcare industry may not be prepared to tackle.

"The communications security of medical devices to protect against theft of medical information and malicious intrusion is now becoming a major concern," the report, entitled "Attack Surface: Healthcare and Public Health Sector," said.


White House’s Cyber Security Official Retiring

The White House’s cybersecurity coordinator said Thursday that he is stepping down at the end of this month after a 2 1/2-year tenure in which the administration has increased its focus on cyber issues but struggled to reach agreement with lawmakers on the best way to protect the nation’s key computer networks from attack.

Howard Schmidt, who oversaw the creation of the White House’s first legislative proposal on Cyber Security, said he is retiring to spend more time with his family and to pursue teaching in the cyber field.


Friday, May 18, 2012

Pre-Boxed Crap

The computer security problems in our country can be easily repaired and monitored. The problem is there are no industry standards for the software we are putting out there, and no one is being held accountable; even the automotive industry is finally being held to several safety standards to protect the customers who purchased its vehicles. The way I look at it is we are again "closing the barn door after the horse ran away". It costs companies, corporations and individuals megabucks to fix the software problems after a security incident has happened. Now what would be wrong with security testing the product before it leaves the building??? hmmmm...
...BUTCH


There’s a gap today in requirements. We can quite easily build security into in-house and off-shore developed applications by integrating commonly known requirements.

For example:
  1. We can require that developers not maintain integral state data on the client to defend against parameter manipulation.
  2. We can require that session ids are always sent over SSL.
  3. We can both require and check for these things before an app is deployed, so that the only thing left for crash testing are mistakes that slipped through the cracks, complex domain specific security flaws, and novel / unique security issues that haven’t been defined yet.

We as an industry have spoken at great lengths about security in the SDLC but we’ve only paid marginal attention to secure requirements. It’s time to move on from crash testing.
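To make the three requirements concrete, here is an added Python example (not code from the original post) that turns requirements 1 and 2 into checks of the kind requirement 3 asks for before deployment: a checkout handler that trusts a client-supplied price sits beside one that keeps the authoritative price on the server, and a small inspector verifies that session cookies carry the Secure flag so they only travel over SSL. The catalog, the cookie names and the sample requests are constructed assumptions.

```python
"""Requirements 1 and 2 above as enforceable code (added example, not from the original post)."""
from http.cookies import SimpleCookie

# Constructed server-side catalog, prices in cents. The client only names a SKU;
# it never supplies the price.
CATALOG = {"sku-100": 1999, "sku-200": 4999}

# Assumption: cookie names your applications use for the session id.
SESSION_COOKIE_NAMES = {"sessionid", "jsessionid", "phpsessid"}


class TamperedRequest(ValueError):
    """Raised when a request carries values the client should not control."""


def checkout_total_vulnerable(form: dict) -> int:
    """Anti-pattern: integral state (the price) lives on the client and is trusted."""
    return int(form["qty"]) * int(form["price"])


def checkout_total(form: dict) -> int:
    """Requirement 1: the server recomputes the price from its own state."""
    sku = form.get("sku")
    if sku not in CATALOG:
        raise TamperedRequest(f"unknown sku {sku!r}")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise TamperedRequest("qty is not an integer") from None
    if not 1 <= qty <= 100:
        raise TamperedRequest(f"qty {qty} out of range")
    # A client-supplied price is simply ignored; the authoritative value is ours.
    return qty * CATALOG[sku]


def session_cookie_violations(set_cookie_headers) -> list:
    """Requirement 2 as a deploy-time check: session cookies must carry Secure
    (so they only travel over SSL/TLS) and, as related hardening, HttpOnly."""
    problems = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if name.lower() not in SESSION_COOKIE_NAMES:
                continue
            if not morsel["secure"]:
                problems.append(f"{name}: missing Secure flag")
            if not morsel["httponly"]:
                problems.append(f"{name}: missing HttpOnly flag")
    return problems


if __name__ == "__main__":
    # Constructed requests: the second one tries to pay one cent per item.
    print(checkout_total({"sku": "sku-100", "qty": "2"}))                # 3998
    print(checkout_total_vulnerable({"qty": "2", "price": "1"}))         # 2, the tampered price wins
    print(checkout_total({"sku": "sku-100", "qty": "2", "price": "1"}))  # 3998, price ignored
    print(session_cookie_violations(["sessionid=abc123; Path=/",
                                     "sessionid=abc123; Path=/; Secure; HttpOnly"]))
```

The cookie inspector is the kind of check that can run against a staging deployment's responses as a release gate; the checkout pair shows why a requirement phrased as "no integral state on the client" is testable by reading the handler rather than by crash testing it.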

Thursday, May 17, 2012

Ninety Percent of HTTPS Websites Insecure

Recently the most popular websites using secure online transactions (Online stores, banks, communication sites, etc.) were tested for security and most did not fare very well.

Of the approximately 200,000 HTTPS SSL encrypted websites tested, only about 10% are properly secured according to the Trustworthy Internet Movement (TIM).

Also, about 75% of the sites are still vulnerable to a BEAST attack:
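BEAST applies when a CBC-mode cipher suite is negotiated under SSL 3.0 or TLS 1.0, where each record's IV is the previous record's last ciphertext block; TLS 1.1 and later use explicit per-record IVs, and stream and AEAD suites are not affected. As an added example (not part of the article or of TIM's survey), the Python check below classifies a server's protocol list and OpenSSL-style cipher names and reports whether the combination leaves BEAST open. The cipher-name markers and the sample configuration are assumptions.

```python
"""Assess a TLS server configuration for BEAST exposure (added example, not from the article)."""
from dataclasses import dataclass

# Protocol versions whose CBC records use chained IVs and are therefore BEAST-exposed.
BEAST_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.0"}

# OpenSSL-style suite names that do NOT use a CBC bulk cipher. Classic names such as
# AES128-SHA or DES-CBC3-SHA carry no mode marker but are CBC. RC4 is a stream
# cipher (not BEAST-exposed, but weak for other reasons) and NULL means no
# encryption at all; both are excluded from the CBC set here.
NON_CBC_MARKERS = ("GCM", "CCM", "CHACHA20", "RC4", "NULL")


def is_cbc_suite(name: str) -> bool:
    upper = name.upper()
    return not any(marker in upper for marker in NON_CBC_MARKERS)


@dataclass
class Assessment:
    exposed: bool
    old_protocols: list
    cbc_suites: list
    advice: str


def assess_beast(protocols, cipher_suites) -> Assessment:
    """Exposed only if an old protocol AND a CBC suite are both on offer."""
    old = sorted(set(protocols) & BEAST_PROTOCOLS)
    cbc = [c for c in cipher_suites if is_cbc_suite(c)]
    if not old:
        return Assessment(False, old, cbc,
                          "SSLv3/TLS 1.0 not offered; CBC suites are not BEAST-exposed here")
    if not cbc:
        return Assessment(False, old, cbc,
                          "old protocols offered but no CBC suite; still plan to retire them")
    return Assessment(True, old, cbc,
                      "disable SSLv3/TLS 1.0, or remove CBC suites from those versions; "
                      "prefer TLS 1.1+ with AEAD suites")


if __name__ == "__main__":
    # Constructed configuration resembling a server of the period.
    result = assess_beast(["TLSv1", "TLSv1.1", "TLSv1.2"],
                          ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "DES-CBC3-SHA"])
    print(result)
```

Note that the check reads a configuration rather than probing a live server; with scan output from a tool such as TIM's SSL Labs test, the same two lists can be fed in directly.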


Why Security Through Obscurity Still Does Not Work


Utah Department of Health officials say the breach, which they suspect involved East European hackers, exposed information about an estimated 780,000 adults and children. That information included 280,000 Social Security numbers.

Recently I provided Howard Anderson at HealthInfosecurity.com with some of my thoughts about the recent Utah Department of Health breach of the files of 900,000 individuals, and counting.

He included some of my thoughts in his blog post, along with thoughts from others. I wanted to provide my full reply here, along with some expanded thoughts.

As background, for those of you who may not have heard of this hack yet, in a nutshell:
The data breach occurred on March 30. A configuration error occurred at the password authentication level. This allowed hacker(s), located in Eastern Europe, to obtain files containing sensitive information by circumventing the Utah Department of Technology Services’ (DTS’s) security system. 


The files were stored on a server that contained Medicaid information at DTS.


Future Security Basics


This incident points out the need for organizations, of all sizes and in all industries, to do the following to help prevent the same type of breach as that within the Utah DTS:


  1. Have well documented systems and applications procedures and supporting standards in place that are consistently followed
  2. Provide training and ongoing awareness for the procedures and standards
  3. Log changes consistently, and have teams responsible for reviewing the logs, and maintaining the logs for an appropriate period of time
  4. Perform ongoing audits to catch such configuration errors
  5. Have a change control process in place to help keep the mistakes of individuals from being put into production
  6. Use intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) to identify inappropriate access as soon as possible
  7. Create and maintain well documented breach detection and response plans
  8. Establish breach response teams and provide them with periodic training and ongoing awareness communications
  9. Engage independent third parties to perform periodic vulnerability scans and penetration tests
  10. Encrypt sensitive data, in transit and at rest in all storage locations. As this incident demonstrates, even if a sensitive file is located on a network behind a firewall, the bad guys may possibly still be able to get to it.
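Items 3, 4 and 5 of that list are the ones most directly aimed at the kind of configuration error described in this breach, and they are also the easiest to automate. The added Python example below (not from the original post) audits a host's live settings against a documented baseline and reviews a change log for changes made without an approved change ticket. The baseline keys, the log line format, the host name and the sample entries are all constructed assumptions.

```python
"""Items 3 to 5 above as runnable checks (added example, not from the original post)."""
import re
from dataclasses import dataclass

# Constructed baseline: what the documented standard (item 1) requires of a
# server holding sensitive records. Keys and values are assumptions.
BASELINE = {
    "password_auth_required": True,
    "default_credentials_changed": True,
    "sensitive_volume_encrypted": True,
    "tls_required_for_transfers": True,
    "change_ticket_required": True,
}


@dataclass
class Finding:
    host: str
    control: str
    severity: str
    detail: str


def audit_config(host: str, actual: dict, baseline: dict = BASELINE) -> list:
    """Item 4: compare a host's live settings against the documented baseline."""
    findings = []
    for control, expected in baseline.items():
        if control not in actual:
            findings.append(Finding(host, control, "medium",
                                    "setting absent; the standard was never applied"))
        elif actual[control] != expected:
            findings.append(Finding(host, control, "high",
                                    f"expected {expected!r}, found {actual[control]!r}"))
    return findings


# Item 3: one consistent, parseable change-log line format (constructed).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) set (?P<key>\w+)=(?P<value>\S+) ticket=(?P<ticket>\S+)$"
)
TICKET_RE = re.compile(r"^CHG-\d+$")


def unapproved_changes(log_lines) -> list:
    """Item 5: every production change must reference an approved change ticket.
    Returns (host, user, key, value, reason) for lines that fail the rule."""
    out = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            out.append(("?", "?", "?", "?", f"unparseable entry: {line.strip()!r}"))
        elif not TICKET_RE.match(m["ticket"]):
            out.append((m["host"], m["user"], m["key"], m["value"],
                        f"no valid change ticket ({m['ticket']})"))
    return out


# Constructed sample data: one setting matching the misconfiguration described above.
SAMPLE_ACTUAL = {
    "password_auth_required": False,
    "default_credentials_changed": True,
    "sensitive_volume_encrypted": False,
    "tls_required_for_transfers": True,
}
SAMPLE_LOG = [
    "2012-03-28T09:14:02Z records-fs01 jdoe set password_auth_required=false ticket=none",
    "2012-03-28T11:40:55Z records-fs01 jdoe set tls_required_for_transfers=true ticket=CHG-4412",
]

if __name__ == "__main__":
    for f in audit_config("records-fs01", SAMPLE_ACTUAL):
        print(f"[{f.severity}] {f.host} {f.control}: {f.detail}")
    for host, user, key, value, reason in unapproved_changes(SAMPLE_LOG):
        print(f"[change-control] {host} {user} {key}={value}: {reason}")
```

Run on a schedule, the audit catches drift from the standard regardless of how it was introduced, while the change-log review catches the process failure (a change without a ticket) even when the resulting setting happens to look harmless.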

Tuesday, May 15, 2012

Chinese Hackers Took Control of NASA Satellite for 11 Minutes

Hacking is becoming a growing problem on Earth. It may seem strange to mention Earth, as there’s not much to hack outside of our planet’s atmosphere unless you count satellites. Even then, how feasible would it be to gain access to the systems running such devices?

Well, China not only has people working on such things; it has been discovered that they actually managed to take control of two NASA satellites for more than 11 minutes.


2012 dubbed 'Year of the Smartphone Hacker'

Smartphone users are at risk of banking Trojans, spyware and infected apps and don't even realize it, say security experts who predict 2012 will be the "Year of the Smartphone Hacker."

Monday, May 14, 2012

Security Professionals Aren’t Immune from Dumbass Moves

Spammers and fraudsters often wiggle into our lives through “social engineering,” pretending to be someone that we think we know.

What are some of the security tricks you’ve fallen for? Fess up in the comments below.
It’s one of the oldest tricks in the book and yet it’s so effective. Guess that’s why it keeps resurfacing. We’ve all seen the bad guys dish out a range of schemes over the years, from using nefarious links embedded in an email to, more recently, social media phishing attacks using these same lethal links in Facebook messages and Tweets.

Hackers Steal $90,000 in Bitcoins

Bitcoin exchange site Bitcoinica suspended its operations on Friday after hackers managed to steal 18,547 bitcoins -- valued at about US$90,000 -- from its online wallet.

The user database probably was compromised as well, Bitcoinica's administrators said in an announcement posted on the site's home page. The information stored in the database included usernames, email addresses and account histories. Account passwords were encrypted in a way that makes it extremely unlikely for them to be cracked, the Bitcoinica team said. However, to be on the safe side, the team advised users to change their passwords on other websites where they might have used them.

Sunday, May 13, 2012

10 SQL Injection Tools

10 SQL Injection Tools For Database Pwnage


Black hat hackers and pen testers alike use these tools to dump data, perform privilege escalations, and effectively take over sensitive databases


BSQL Hacker 
Developed by Portcullis Labs, BSQL Hacker is an automated SQL injection framework that facilitates blind SQL injection, time-based blind SQL injection, deep blind SQL injection and error based SQL injection attacks. Attacks can be automated against Oracle and MySQL databases, with power to automatically extract all database data and schemas.


The Mole 
An open source tool, The Mole can bypass some IPS/IDS systems using generic filters. It is able to detect and exploit injections using only a vulnerable URL and a valid string on the site using union or Boolean query techniques. The command line tool offers support for attacks against MySQL, SQL Server, Postgres and Oracle databases.


Pangolin 
Produced by the same firm that wrote the JSky tool, NOSEC, Pangolin is a thorough SQL injection testing tool with a user-friendly GUI and a wide base of support for just about every database on the market. Primarily used by the white hat community as a comprehensive pen test tool, Pangolin offers its users the capability to create a comprehensive database management system fingerprint, to enumerate users, dump table and column information and run the users' own SQL statements.


Sqlmap 
A self-proclaimed automatic SQL injection and database takeover tool, the open source sqlmap tool sports the ability to attack via five different SQL injection techniques or directly if the user has DBMS credentials, IP address, port and database name. It can enumerate users and password hashes, with inline support to crack them with a dictionary-based attack and supports privilege escalation through Metasploit's getsystem command. It offers the ability to dump database tables and for MySQL, PostgreSQL or SQL server to download and upload any file and execute arbitrary code.


Havij 
A popular tool used by black hats worldwide, Havij was developed by Iranian coders who named it for the Farsi word for carrot, a moniker that doubles as slang for the male appendage. With a simple GUI, Havij brags about a success rate of 95 percent at injecting vulnerable targets on MySQL, Oracle, PostgreSQL, MS Access and Sybase databases. In addition to being able to perform a back-end fingerprint, retrieve usernames and password hashes, dump tables and columns, fetch data and run SQL statements on vulnerable systems, it can also access the underlying file system and execute commands on the operating system.


Enema SQLi 
Unlike many automated tools designed for users with less than abundant technical knowledge, Enema isn't autohacking software, according to its developer, "mastermind." As mastermind says, "This is dynamic tool for people, who knows what to do." Grammatical issues notwithstanding, the tool gives users the ability to customize queries and use plugins to automate attacks against SQL Server and MySQL databases, using error-based, Union-based and blind time-based injection attacks.


Sqlninja 
Sqlninja's developer, icesurfer, puts it best explaining his creation, "Take a few new SQL Injection tricks, add a couple of remote shots in the registry to disable Data Execution Prevention, mix with a little Perl that automatically generates a debug script, put all this in a shaker with a Metasploit wrapper, shake well and you have just one of the attack modules of sqlninja!" Targeted against SQL Server environments, the tool offers database fingerprint, privilege escalation, and all the tools necessary to gain remote access of a database vulnerable to injection attacks.


sqlsus 
An open source MySQL injection and takeover tool, sqlsus runs with a command line interface and lets users inject their own SQL queries, download files from the attached Web server, crawl the website for writable directories, clone databases and upload and control backdoors.


Safe3 SQL Injector 
Widely known as one of the easiest to use SQL injection automation tools circulating the Internet, Safe3 SI offers a set of features that enable automatic detection and exploitation of SQL injection flaws and eventual database server takeover. The tool recognizes the database type and finds the best method of SQL injection, with support for blind, error-based, UNION query and force guess injection techniques. It supports MySQL, Oracle, PostgreSQL, SQL Server, Access, SQLite, Firebird, Sybase and SAP MaxDB, with the ability to read, list and write any file when the DBMS is MySQL or SQL Server and support for arbitrary command execution for SQL Server and Oracle DBMS.


SQL Poizon 
A SQL injection scanner/hunter tool, SQL Poizon takes advantage of search engine "dorks" to trawl the Internet for sites with SQL injection vulnerabilities. The tool has a built-in browser and injection builder to carry out and check the impact of an injection. Its simple GUI provides an easy interface to carry out an attack without a deep technical knowledge base.


Stuxnet

Imagine a nefarious computer virus, one some industry experts say may be the most sophisticated piece of malware ever written. Imagine this worm, loaded onto a Siemens Programmable Logic Controller (PLC), creating two hexadecimal words as its output: DEAD F007. Now imagine this piece of malware, Stuxnet -- or something like it -- coming to an industrial plant near you. 

Let's start by dispelling one myth that seems to be growing up around this piece of PLC-controlling software: PLCs are not super-secret devices, but are standard bits of industrial control equipment that can cost as little as $200 (and, for really complicated ones, many thousands), and are available from industrial supply houses all over the world without any kind of security check. The software used to program PLCs is no more secret than the devices themselves. WinCC, the compromised program, may not be known to many programmers or sysadmins who work in offices, but it is a familiar tool for industrial plant people in many different fields. 

Siemens, based in Germany, is one of the biggest multinational big dogs in the PLC field. They sell into the U.S., China, Brazil, India, and almost anywhere else there's any industry at all. Want to count cereal boxes on an assembly line and measure out the right amount of cereal for each one? You can program a Siemens PLC for that application, no problem. Want to spin your Uranium-enrichment centrifuges at just the right speed? Ditto. Or run track-mounted speed detectors and switch gear for your high-speed rail system or the moisture control on your Yankee dryer? No problem. If there isn't a PLC app for that already, writing one is no big deal.

An early article about the Stuxnet infection in Iran claimed that it infected "millions" of industrial control computers there. This is unlikely. Indeed, it's unlikely that Iran has millions of industrial control computers, period. And Stuxnet is not -- at least in forms discovered so far -- an Internet-spread problem, but one that typically infects a computer network when someone plugs a USB stick containing the worm into a computer on that network. 

Another article, on Forbes.com, postulated that the Stuxnet worm's purpose was to disable satellites run by the Indian Space Research Organization, which would mean more business and prestige for China's AsiaSat. 

And maybe some Siemens PLCs are not supposed to be going to Iran, after all. A New York Times story published on Sept. 29 said, "...last year officials in Dubai seized a large shipment of those controllers — known as the Simatic S-7 — after Western intelligence agencies warned that the shipment was bound for Iran and would likely be used in its nuclear program." 

That same story mentions the Biblical-sounding connection of one of the worm's file names to the Book of Esther, "a clear warning in a mounting technological and psychological battle as Israel and its allies try to breach Tehran’s most heavily guarded project." But it also says, "Others doubt the Israelis were involved and say the word could have been inserted as deliberate misinformation, to implicate Israel." 

And then there's that DEAD F007 "leetspeak" PLC output. Eric Loyd, President of Bitnetix, says that no matter how juvenile DEAD F007 sounds, "Stuxnet is far from a kid-hacker attack." Indeed, Loyd is one of many IT experts who believe Stuxnet may be the most sophisticated piece of malware ever written, with its use of four separate Windows zero-day attacks, not one but two genuine security certificates (now revoked), and its ability to not only monitor but modify instructions for the targeted Siemens PLCs.

While PLCs may be a mystery to many -- even most -- programmers and sysadmins, they are not complicated, nor do they take advanced degrees to figure out. In most of the industrial world, they are the responsibility of guys who wear their names on their shirts. Indeed, the whole point of SCADA is that it makes plant processes easy to visualize and control.

So far there is no concrete evidence that Stuxnet-infected computers or PLCs have affected Iran's nuclear fuel enrichment program or delayed the startup of the country's one nuclear reactor. But there are suspicious coincidences that make it seem like Stuxnet might have done something to Iran's nuclear efforts, depending on which contradictory reports coming out of Iran you want to believe.

On one hand Iranian government sources say Stuxnet has not caused problems or delays to anything nuclear, and on the other they claim they have arrested "Nuclear Cyberspace Spies" and are "fully aware of the activities of 'enemies' spy services.'"


Stuxnet may not be the biggest problem

Whether Stuxnet is the work of Chinese or Israeli government cyberwarriors or a computer science student's prank that got out of hand, there are cures for it, and Microsoft is closing the four Windows zero-day vulnerabilities that allow the worm to do its mischief and to propagate laterally within a government or corporate computer network. And with the right malware protection, a Stuxnet infection can be detected immediately, says Kurt Bertone, Vice President of Strategic Alliances for Fidelity Security Systems, who says his company's XPS cyber defense products have no trouble dealing with Stuxnet.

Other virus detection and malware control companies also now have a handle on Stuxnet, including Siemens, which offers complete Stuxnet detection and removal instructions.

But the problem now, Bertone warns, is not so much Stuxnet but other pieces of malware that are out there but may not have been discovered. He and Eric Loyd both worry that there may be some "Son of Stuxnet" worm out there, spread manually, like Stuxnet, or by some other vector, that will one day cause dangerous problems at nuclear plants, oil refineries or chemical plants or....

...there are millions of critical points in our modern industrial infrastructure that use PLCs and other computer-based controls, some of which are carefully secured against malware infections -- and some of which are not secure at all but have not yet been attacked.

Hackers Nab Card Data From 200,000 Citi Customers


Citigroup Inc. has become the latest victim in a string of high-profile data thefts by hackers targeting some of the world's best-known companies.

The New York bank said Thursday that about 200,000 Citibank credit card customers in North America had their names, account numbers and email addresses stolen by hackers who broke into Citi's online account site.

The breach comes after data attacks in recent weeks have struck at companies including Internet search leader Google Inc., defense contractor Lockheed Martin Corp, and media and electronics company Sony Corp.

Citigroup said it discovered that account information for about 1 percent of its credit card customers had been viewed by hackers. Citi has more than 21 million credit card customers in North America, according to its 2010 annual report. The bank, which discovered the problem during routine monitoring, didn't say exactly how many accounts were breached. Citi said it was contacting those customers.

The bank said hackers weren't able to gain access to social security numbers, birth dates, card expiration dates or card security codes. That kind of information often leads to identity theft, where cyber criminals empty out bank accounts and apply for multiple credit cards. That can debilitate the finances and credit of victims. Citi customers could still be vulnerable to other problems. Details about their bank accounts and financial information linked to them could be acquired using the email information and account numbers hackers stole.

Federal regulators have taken notice and are asking banks to improve security.

"Both banks and regulators must remain vigilant," said Sheila Bair, chair of the Federal Deposit Insurance Corporation. She said federal agencies, including the FDIC, are developing new rules to push banks to enhance online account access.

The Citi incident is only the latest data breach at a major company.

  • On June 1, Google said that the personal Gmail accounts of several hundred people, including senior U.S. government officials, military personnel and political activists, had been breached.
  • On May 30, broadcaster PBS confirmed that hackers cracked the network's website and posted a phony story claiming dead rapper Tupac Shakur was alive in New Zealand.
  • On May 28, Lockheed Martin said it had detected a "significant and tenacious attack" against its computer networks. The company said it took swift and deliberate actions to protect the network and the systems remain secure.
  • In April, Sony's PlayStation Network was shut down after a massive security breach that affected more than 100 million online accounts.
  • Also in April, hackers penetrated a network operated by the data marketing firm Epsilon. The company handles email communications for companies like Best Buy Co. and Target Corp.

The number of data breaches in the last two months sets a "high water mark," said John Ottman, CEO of Application Security Inc., a New York-based firm that specializes in securing databases, the big repositories companies use to organize account information and other data.

"Attackers have realized that most organizations have not properly protected databases," Ottman said.

Cyber attackers have a variety of less-dangerous motivations, from mischief to online activism. For example, a group identifying itself as LulzSec claimed credit for the fake PBS article calling it retaliation for a documentary about WikiLeaks, the website that publishes classified documents.


Hackers Attacking Smaller Companies



Hackers are increasingly targeting small and medium-size businesses for cyber attacks, said experts speaking at the Connect Southern California Innovation Conference Thursday in San Diego.

The event featured two panels on cyber security – one geared toward security regulations facing corporate information technology departments and a second focused on what companies can do to protect themselves from cyber attacks.


Friday, May 11, 2012

UNC Charlotte: 350,000 SSNs Exposed in Decade-long Data Breach

Two issues exposed financial data and Social Security numbers for 350,000 people, although it is thought the information has not been abused, the University of North Carolina at Charlotte said.

It blamed a system mis-configuration and incorrect access settings for the exposures, which also involved names and addresses of people who had done transactions with the university. The university said in a statement earlier this week that it has fixed both problems, one of which lasted three months and the other more than a decade.


Thursday, May 10, 2012

FBI Warns Travelers Using Hotel Networks About New Attack



The FBI is warning travelers to be wary of attempts to infect their computers when they log on to hotel networks. In an intelligence note from the FBI’s Internet Crime Complaint Center (IC3), the agency says that attackers have been targeting travelers abroad when they use the Internet connection in their hotel rooms. According to the FBI, when the victims attempted to set up the hotel room Internet connection, they were presented with a pop-up window notifying them to update a "widely used software product."


Wednesday, May 9, 2012

I'm Sure Everything You Do Online Is Safe


...sorry, I held my laughter as long as I could. Now let's think about this for a minute. These small yet profitable companies probably have a few more dollars than you for online security and yet they are victims, hmmm...! ...Butch


F-Secure, McAfee and Symantec websites again XSSed

Written by DP
Friday, 13 January 2012

Once again, the websites of the three famous antivirus vendors are vulnerable to cross-site scripting. The vulnerabilities were reported by "Zeitjak" and "dick" back in mid-April 2011 and appear to be working still. They can be triggered on...

Not surprisingly, McAfee websites are susceptible to XSS attacks

Written by DP & KF
Wednesday, 30 March 2011
Famous antivirus vendor McAfee has been all over the news the past few days, regarding cross-site scripting and information disclosure vulnerabilities that affected several of its websites. It all started when...

Secure Amazon Seller Central password reset page XSSed

Written by DP
Wednesday, 13 October 2010

Just another critical cross-site scripting vulnerability has been reported by "See Me" for Amazon Seller Central, a secure website where sellers who signed up for the "Checkout by Amazon" service can view and manage their orders...

EV SSL-secured live PayPal site vulnerable to XSS

Written by DP
Wednesday, 6 October 2010
"d3v1l" from Security-Sh3ll has reported another critical XSS flaw affecting the live PayPal site, where "real money" changes hands... This XSS vulnerability once more undermines the security of Extended Validation SSL (EV SSL) digital certificates...

Persistent XSS bug discovered on eBay

Written by DP
Wednesday, 6 October 2010
Security researcher "Side3ffects" has contacted us regarding a critical persistent XSS that he discovered on eBay... One of the possible exploitation scenarios is malicious people stealing cleartext credentials from registered users by injecting an iframe tag that retrieves another rogue eBay login page from a remote server... 


Shifting Sands in Vulnerability Management: the new Strategic Security Platform




Just finished a Rapid 7, excellent.



Topics Covered:

www.nexus.securosis

Platform:

1. Data Model/Engine
2. Analytics
3. Visualization and Reporting

Core Technologies:

1. Discovery
2. Scanning Networks and Devices
3. Assess Databases & Applications
4. Configuration Assessment
5. Asset Management/Risk Scoring
6. Cloud Computing Impact?
7. SaaS or On-Premise Deployment?

Value Add Tech:

1. Attack Path Analysis
2. Penetration Testing
3. Compliance Automation
4. Patch/Configuration Management
5. Benchmarking Exfiltration Analysis


$60 Billion spent in Cyber Security since 2011.
90% of the companies have been hacked since 2005.

Monday, May 7, 2012

Unix Commands

Standard Commands

  1. Displaying the Date and Time: The date command
  2. Finding Out Who's Logged In: The who command
  3. Echoing Characters: The echo command - echo args
  4. Listing Information About Active Processes: The ps command
  5. Displaying the Current Working Directory Path: The pwd command
  6. Sorting Lines of File(s), or of Standard Input if No File is Supplied - sort file(s)
  7. Counting the Lines, Words and Characters in File(s), or in Standard Input if No File is Supplied - wc file(s)
  8. Returning Your Username: The whoami command
  9. Changing Your Password: The passwd command
  10. Showing the Disk Usage of the Files and Directories Under filename - du filename
  11. Finding Files Anywhere on the System - find / -name filename (the ff shown on some cheat sheets is a site-specific alias, not a standard command)
  12. Looking for a String in Files - grep string filename(s)
  13. Killing (ending) the Process With the ID You Gave - kill PID (sends SIGTERM; kill -9 PID sends SIGKILL, which the process cannot catch or ignore)
  14. Listing Your Last Logins - last yourusername
  15. Telling You Who's Logged In and What They're Doing - w
  16. Giving You Information About a User, e.g. when they last read their mail and whether they're logged in - finger username
  17. Having a (typed) Conversation with Another User - talk username
  18. Exchanging One-line Messages with Another User - write username
  19. Sending E-mail Messages to People Around the World. It's not the only mailer you can use, but the one we recommend - elm

Working With Files

  1. Listing Files: The ls command - ls files
  2. Displaying the Contents of a File: The cat command - cat file(s)
  3. Counting the Number of Words in a File: The wc command
  4. Making a Copy of a File: The cp command - cp file1 file2
  5. Renaming a File: The mv command - mv file1 file2
  6. Removing a File: The rm command - rm file(s)
  7. Linking Two Files Together - ln file1 file2 (hard link; ln -s file1 file2 makes a symbolic link)
  8. Comparing Files and Showing Where They Differ - diff filename1 filename2
  9. Changing the Read, Write, and Execute Permissions on Your Files - chmod options filename

Working With Directories

  1. Displaying Your Working Directory: The pwd command
  2. Changing Directories: The cd command - cd dir
  3. Creating a Directory: The mkdir command - mkdir dir(s)
  4. Linking Files Into Directories: The ln command - ln file(s) dir
  5. Copying a File from One Directory to Another: The cp command - cp file(s) dir
  6. Moving Files Between Directories: The mv command - mv file(s) dir
  7. Removing an Empty Directory: The rmdir command - rmdir dir(s)
  8. Listing Files in Directories, or in the Current Directory if None is Specified - ls dir(s)

Connecting to the Outside World:

  1. Reading Usenet News - nn
  2. Connecting to a Remote Host - rlogin hostname
  3. Also Connecting to a Remote Host - telnet hostname
     (rlogin and telnet both send your username, password and session in cleartext; use ssh hostname wherever it is available)
  4. Downloading Files From a Remote Host Set up as an FTP Server - ftp hostname (also cleartext; prefer sftp or scp)
  5. Browsing the Web From an Ordinary Terminal - lynx

File Compression:


  1. Compressing Files so That They Take up Much Less Space - gzip filename
  2. Uncompressing Files Compressed by gzip - gunzip filename
  3. Looking at a gzipped File Without Actually Having to gunzip it (same as gunzip -c) - gzcat filename (on Linux the command is usually named zcat)
  4. You can even print it directly, using - gzcat filename | lpr
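As an added example that is not part of the original cheat sheet, the script below strings together find, chmod, sort and wc from the lists above into a small permissions audit: it lists world-writable regular files under a directory, counts them, and strips the other-write bit. The scratch directory and files in demo are constructed for the example; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes a POSIX sh with
# find(1), chmod(1), sort(1), wc(1), tr(1) and mktemp(1).

# world_writable DIR: sorted list of regular files under DIR that anyone can write
# (-perm -0002 matches files whose mode includes the other-write bit).
world_writable() {
    find "$1" -type f -perm -0002 2>/dev/null | sort
}

# count_world_writable DIR: how many such files exist (tr strips BSD wc padding)
count_world_writable() {
    world_writable "$1" | wc -l | tr -d ' '
}

# fix_world_writable DIR: remove the other-write bit from every file found
fix_world_writable() {
    world_writable "$1" | while IFS= read -r f; do
        chmod o-w "$f"
    done
}

# demo: build a constructed scratch tree, audit it, fix it, audit it again
demo() {
    d=$(mktemp -d)
    mkdir "$d/sub"
    printf 'x\n' > "$d/a.txt";   chmod 666 "$d/a.txt"    # world-writable
    printf 'y\n' > "$d/sub/b.sh"; chmod 777 "$d/sub/b.sh" # world-writable and executable
    printf 'z\n' > "$d/c.txt";   chmod 644 "$d/c.txt"    # fine
    echo "world-writable before fix: $(count_world_writable "$d")"
    world_writable "$d"
    fix_world_writable "$d"
    echo "world-writable after fix:  $(count_world_writable "$d")"
    rm -rf "$d"
}

demo
```

Point it at a real tree with world_writable /usr/local or fix_world_writable "$HOME"; the audit step alone is safe to run anywhere, the fix step changes modes, so review the list first.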

Denial Of Service Attacks

As a Penetration Specialist I possess many, many tools to defend against and carry out computer network intrusions, on a lot of different operating systems. I have to know several different programming languages. Here is just a small list of DoS attack tools used to invade systems. ...Butch

There are a variety of popular Denial of Service attack tools that have received a fair amount of attention from the security research community, but many other attack tools have been developed in the last few years. A review of some of the popular and less popular attack tools follows.

We will cover both simple and complex contemporary and historical threats – showing a sample ranging from single user flooding tools, small host booters, shell booters, Remote Access Trojans (RATs) with flooding capabilities, simple DDoS bots, complex DDoS bots and some commercial DDoS services. Many types of threats can be blended into any given tool in order to make the tool more attractive and financially lucrative.

At the other end of the spectrum, the commercial DDoS services are running full-steam, with a variety of service offerings easily available. While there are numerous motives for DDoS such as revenge, extortion, competitive advantage and protest, many of the commercial DDoS services emphasize competitive advantage with wording devoted to taking down a competitor. More troubling is the recently reported distracting use of DDoS to flood networks after financial theft has been performed via a banking Trojan in order to allow the thieves extended access to the loot. Within this diverse landscape, we are aware of many ongoing attacks from large widely distributed DDoS botnets.

________________________________________________________________________________________________

Fg Power DDOSER
This tool is primarily a "hostbooter" and is aimed at giving unscrupulous gamers an advantage by flooding opponents with traffic. Its HTTP flooding capabilities may be effective at bringing down unprotected websites as well. A Firefox password stealer is also included, which can be very damaging because people re-use passwords all the time.

DDoSeR v3
This tool is advertised as a booter and delivers a TCP or UDP stream of characters of the attacker’s choice towards a victim IP/host and port. This simple bot is written in Visual Basic.


Silent-DDoSer
This Visual Basic tool offers attack types “UDP”, “SYN” and “HTTP”. All appear to send a basic user-specified flood string. Silent-DDoSer utilizes triple-DES and RC4 encryption, IPv6 capabilities, and password stealing functions.

Drop-Dead DDoS
This tool is one example of a RuneScape booter. While I am not a gamer, the opportunity to make real-world money through the virtual economies of gaming worlds may have helped make such tools popular.

D.NET DDoSeR
This tool is again aimed at the Runescape audience, but also features SYN and HTTP flooding. The floods in this case are just poorly formed garbage characters randomly generated. This particular screenshot only has one connected bot.

Positve’s xDDoSeR
Like anything flooding port 3074 (the Xbox Live port), this is an Xbox booter application, designed to knock other players offline to gain an unfair advantage. This particular screenshot shows no connected bots.

Sniff DDoSer
This one was announced on a forum and appears to be written in .NET. The default operation appears targeted towards Xbox flooding. We can also see some of the typical anti-detection mechanisms at play in the builder screen.

Darth DDoSeR v2
Another tool aimed at Xbox booting, at least in this screenshot. The flood in this case looks like a “SSYN” type, which is slightly different than many other host booters that appear to use UDP by default.

Net-Weave
Net-Weave is one of the many bots that appeared in our malware collection in mid-2011. It is a booter/bot and backdoor written in .NET and features the typical array of malware functionality including download and execute, USB spreading capabilities, TCP connection exhaustion flood, UDP flood, and a crude port 80 flood instantiated with a .NET Socket call.


Malevolent DDoSeR
The source code for a version of this leaked some time back. The server is written in C++ and the client is written in Visual Basic. It appears to offer only download and execute and UDP flooding attacks. We show a server screenshot, and a developer’s viewpoint screenshot, obtained from various forums.

HypoCrite
HypoCrite is a Visual Basic host booter apparently on version 4 and offers the ability to steal MSN passwords in addition to providing basic flooding capabilities.

Host Booter v5.7
This booter features several flooding attacks including the popular Slowloris attack style. The features are listed as:

  1. UDP (UDP flood)
  2. Port (blocks connections on that port)
  3. HTTP (for websites)
  4. Slowloris (for websites)
  5. Bandwidth Drain (put a direct link to a .exe or any other file)
  6. Send Command To All / Send Stop To All (execute or end your command)
  7. Ports: 25 / 80 / 445 / 3074 / 27015 (ports you can choose from; you can use your own)
  8. Sockets: [1-250] (how many sockets you will use)
  9. Seconds: [1-60] (how many seconds you wish your attack to be enabled for)
  10. Minutes: [1-59] (how many minutes you wish your attack to be enabled for)
  11. Size (KB): packet size for UDP
  12. Delay (MS): time between sending packets
  13. Connect (MS): reconnect sockets
  14. Timeout (MS): connection timeout

AlbaDDoS
It appears that the author of this DDoS tool is also involved in defacing websites.


Manta d0s v1.0
The author of this tool, Puridee, has also written multiple other tools including the “Good-Bye” DoS tool.

Good Bye v3.0
The Good-Bye tools appear to be simple HTTP flooding tools that have no DDoS or botnet capability.

Good Bye v5.0

Black Peace Group DDoser
Little additional information was found about this particular tool.

Now we'll look at a couple of "shell booters" that utilize hijacked web applications to perform flooding attacks. While these have been well documented in the past, shell booters typically leverage a number of compromised web applications on which an attacker has installed a PHP webshell. Sometimes these webshells sit on high-bandwidth networks, which can amplify the force of the attack significantly. Private webshells are worth more, and lists of webshells can be purchased. Some generic webshells are x32, greenshell, PsYChOTiiC, shell, mouss, Supershell, venom, atomic, and many others. There are other shells created specifically for DDoS, such as ddos.php. A webshell can of course be named anything, but these names are common.

PHPDoS


TWBOOTER
This screenshot shows 235 shells online. An update from about a year ago says “Releasing twBooter Web Version today! Might have slowloris and http tonight, but I’ll be releasing without.” Incidentally, someone using the nick “twbooter” was seen selling flooding services via chat.

Gray Pigeon RAT
This is a screenshot from the Gray Pigeon Remote Access Trojan (RAT). In this screenshot, the attacker appears to have three bots online but has filtered the list to show only bots from Beijing, China. Gray Pigeon is well known for its RAT capabilities but it also has DDoS features as well. There are many DDoS bots using Chinese language sets and operating from within the Chinese IP address space. Some of these have been profiled by Jeff Edwards of Arbor Networks ASERT in the past. A great deal of code sharing takes place among the Chinese DDoS bot families that we have analyzed.


DarkComet RAT aka Fynloski
DarkComet is freeware and easily available to anyone. While it features a variety of flooding types, these are an afterthought compared to its main Remote Access Trojan functions which are significant. The binaries for this threat are often called Fynloski.

MP-DDoser v 1.3
MP-DDoser is a relatively new threat, coming to our attention in December 2011. It supports UDP, TCP connection flood, and HTTP attacks. Marketing materials and the GUI for this bot claim that it supports a slowloris style attack. Despite these claims, ASERT analysis indicates that the slowloris attack does not function.

DarkShell
Darkshell is popular among the Chinese DDoS bot families and features a variety of attack types. Included are three distinct HTTP attacks, two types of TCP flooding attacks, two UDP floods, ICMP flood, SYN flood, TCP connection exhaustion and TCP idle attack types. For extensive details on the Darkshell bot, please see the excellent analysis by ASERT’s Jeff Edwards at http://ddos.arbornetworks.com/2011/01/darkshell-a-ddos-bot-targetting-vendors-of-industrial-food-processing-equipment/

Warbot
This is the warbot web based control panel. Commands are ddos.http (seen here), ddos.tcp and ddos.udp.

Janidos
Without a license key, Janidos runs as a "weak edition". This version offers the opportunity to toggle through a variety of User-Agent values during an HTTP DDoS attack. Janidos appears to be of Turkish origin.

Aldi Bot
This is an inexpensive bot that showed up late in 2011. It was interesting to see InfinityBot downloaded and executed from one Aldi Bot node that I was analyzing. Some forums suggest that Aldi Bot is not very good quality. For more information about Aldi Bot, please see an analysis and writeup at http://ddos.arbornetworks.com/2011/10/ddos-aldi-bot/


Infinity Bot
Infinity Bot was seen being downloaded in the wild by an Aldi Bot instance in September 2011. A demonstration video posted October 4 2011 on YouTube shows Infinity-Bot being used to DDoS the Pentagon website and shows approximately 15,000 bots on the botnet with the highest concentration of bots being in Germany, Netherlands, Austria and Switzerland.

N0PE
The n0pe bot is written in .NET. Here is a screenshot of the control panel that demonstrates its attack types. N0pe appears to be Russian in origin.


Darkness (prior to Darkness X)
This is a banner used to advertise the Russian Darkness bot. Darkness connects to a back-end called Optima. Darkness appears to be popular and used in commercial DDoS services.


Darkness X
Darkness X is the 10th version (10a being the latest) of the Darkness bot. The following advertising graphic was used in various forums. Prices have been seen ranging from $499 to $999, depending upon what features are requested. Darkness X includes a newly developed plugin architecture.


Optima – DarknessX control panel
The Optima control panel for DarknessX (aka “Destination Darkness Outcast System & Optima control panel”) has been explored in other forums and looks something like this, as of October 2011.

Dedal
Dedal has been mentioned in Russian underground forums describing commercial DDoS services. Dedal has been seen to utilize three types of attack – TCP, UDP and HTTP GET. The HTTP GET attack looks very similar to another bot, implying code-sharing or swiping.

Russkill
Russkill is another Russian bot that has undergone some evolution and is commonly mentioned in commercial botnet service advertisements. Russkill appears to have evolved into Dirt Jumper.


DirtJumper
Dirt Jumper continues its popularity in the underground DDoS service economy. Dirt Jumper attacks have been widespread. See http://ddos.arbornetworks.com/2011/08/dirt-jumper-caught/ for a full write-up of this version of Dirt Jumper, and also see the excellent blog entry by DeepEnd Research for a writeup of Dirt Jumper version 3, aka “September” at http://www.deependresearch.org/2011/10/dirt-jumper-ddos-bot-new-versions-new.html

Dirt Jumper v3, aka “September”
Thanks to DeepEnd research for this screenshot

G-Bot aka Piranha
G-Bot has been mentioned many times in various forums in 2011 and seems to be a popular Russian bot. There are indicators that it is used in the commercial DDoS market. Version 2.0 appears to be the newest. Around July of 2011, G-Bot source code and customer lists were apparently sold by "westside" to "night". Its current development status is unknown. Various versions of the web panel and other artifacts are displayed here. G-Bot is also known as DroopTroop.

G-Bot bot list screenshot
First an older version, then a newer.
The second screenshot appears to be from somewhere around January of 2011 and shows the (obscured) IP addresses of infected hosts, country, and version of G-Bot installed on the host, mostly version 1.4.

Armageddon
The Russian Armageddon bot increased in popularity in mid to late 2011. It has been positioned as a competitor to Dirt Jumper, G-Bot, Darkness/Optima and DeDal. Recent versions of Armageddon allow greater control of attack traffic from within the web panel Command & Control, and also claim to have an “Anti-DDoS” attack style that is said to bypass various Anti-DDoS defenses. Additionally, DoS attacks against specific Apache vulnerabilities have been discussed. Armageddon has been observed performing many attacks including politically motivated attacks in Russia, attacks towards online betting sites, attacks towards forums advertising competing DDoS bot products and more. While Armageddon is heavily involved in HTTP attacks, it has also been seen targeting other services such as Remote Desktop, FTP and SSH.
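Most of the bots above share two traits on the wire: a burst of HTTP GET requests per second from each infected host, and (in Janidos' case) a client that cycles through User-Agent strings to look like many browsers. As an added example, not part of the original survey and not code from any of the tools it describes, the awk functions below triage a combined-format web server access log for both traits. The log lines in make_sample_log are constructed, and the thresholds passed as the second argument are assumptions to tune per site.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes a POSIX sh with awk(1),
# sort(1) and mktemp(1), and logs in Apache/nginx combined format:
#   IP - - [dd/Mon/yyyy:HH:MM:SS +zzzz] "METHOD PATH PROTO" STATUS BYTES "REFERER" "USER-AGENT"

# hot_sources LOG N: print source IPs that sent more than N requests inside
# any single second. $1 is the IP and $4 is "[dd/Mon/yyyy:HH:MM:SS", which is
# unique per second, so (ip, $4) keys one-second buckets.
hot_sources() {
    awk -v n="$2" '
        { c[$1 SUBSEP $4]++ }
        END {
            for (k in c) if (c[k] > n) { split(k, p, SUBSEP); hot[p[1]] = 1 }
            for (ip in hot) print ip
        }' "$1" | sort
}

# ua_rotators LOG N: print source IPs that used more than N distinct User-Agent
# strings. Splitting on double quotes puts the UA in field 6; the IP is the
# first whitespace-separated token of field 1.
ua_rotators() {
    awk -F'"' -v n="$2" '
        { split($1, f, " "); ip = f[1]; ua = $6 }
        !((ip SUBSEP ua) in seen) { seen[ip SUBSEP ua] = 1; cnt[ip]++ }
        END { for (ip in cnt) if (cnt[ip] > n) print ip }' "$1" | sort
}

# make_sample_log FILE: write a constructed log. 10.0.0.5 fires six GETs in one
# second with one UA (flood); 192.168.1.9 sends four slow requests, each with a
# different UA (rotation); 172.16.0.2 is an ordinary visitor.
make_sample_log() {
    cat > "$1" <<'EOF'
10.0.0.5 - - [10/Feb/2012:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Feb/2012:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Feb/2012:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Feb/2012:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Feb/2012:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Feb/2012:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.9 - - [10/Feb/2012:10:00:01 +0000] "GET /forum HTTP/1.1" 200 900 "-" "Mozilla/4.0"
192.168.1.9 - - [10/Feb/2012:10:00:02 +0000] "GET /forum HTTP/1.1" 200 900 "-" "Opera/9.80"
192.168.1.9 - - [10/Feb/2012:10:00:03 +0000] "GET /forum HTTP/1.1" 200 900 "-" "curl/7.21"
192.168.1.9 - - [10/Feb/2012:10:00:04 +0000] "GET /forum HTTP/1.1" 200 900 "-" "Wget/1.12"
172.16.0.2 - - [10/Feb/2012:10:00:02 +0000] "GET /about HTTP/1.1" 200 300 "-" "Mozilla/5.0"
172.16.0.2 - - [10/Feb/2012:10:00:09 +0000] "GET /contact HTTP/1.1" 200 300 "-" "Mozilla/5.0"
EOF
}

# demo: run both checks over the constructed log with assumed thresholds
demo() {
    log=$(mktemp)
    make_sample_log "$log"
    echo "more than 5 requests in one second:"; hot_sources "$log" 5
    echo "more than 3 distinct User-Agents:";   ua_rotators "$log" 3
    rm -f "$log"
}

demo
```

Against a real log, run hot_sources /var/log/apache2/access.log 50 and compare the hits with your normal per-client peaks before blocking anything; a shared NAT or a crawler will exceed a low threshold without being a booter, and a UA-rotating client is suspicious rather than proof on its own.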

Commercial DDoS Services
Advertised commercial DDoS services seen in the underground include:

  1. Unique DDoS Service
  2. WildDDOS
  3. Death ddos service
  4. DDoS-SeRVIS
  5. Beer DDoS
  6. 500 Internal DDoS Service
  7. OXIA DDoS Service
  8. 504 Gateway DDoS Tools
  9. NoName
  10. Wotter DDoS Service
  11. IceDDoS

Sunday, May 6, 2012

How To Surf The Internet Safely



Many, many times I am asked, "How do I surf the Internet safely?" There never has been, and never will be, a completely safe way to use the Net. As long as you can reach millions of people and their links, they will be able to reach you. There is no such thing as complete Internet security; it is an illusion. The best you can do is be vigilant about the updates and patches for your preventive maintenance software. Here are the steps, again, that I and many of my "security penetration associates" use. And always keep in mind "for every lock there is a key"...Butch.
________________________________________________________________________

Never, Never, Never...



1. NEVER click on a link that is contained in an e-mail, instant message, or post to a Usenet or other group. Type the address into the browser yourself instead.
2. NEVER open or install a program directly from the Internet. First, download it to your hard disk, scan it with your anti-virus software, and only then, if it is clean, install it.
3. NEVER open or install a program directly from a CD-ROM or DVD. First, scan it with your anti-virus software, and only then, if it is clean, install it.
4. NEVER enter any personal details in forms on unknown sites.
5. NEVER type your User ID or password unless you see the LOCK icon in the browser's address bar and the Web address starts with https://. Remember that the lock only means the connection is encrypted; as the PayPal and eBay XSS reports above show, a site with a valid (even EV) certificate can still be abused, so check that the domain is the one you expect.
6. NEVER click on a pop-up, no matter what it says! Don't click on it even if you want to close it; close it with the browser's own window or tab control instead.
7. NEVER open attachments that you receive by e-mail. If in doubt, save the attachment to the hard disk, scan it with your anti-virus software, and only then, if it is clean, open it. Try to read all your e-mail messages in text format, rather than HTML.
8. NEVER visit unfamiliar Websites blindly. First, go to Google (www.google.com) and check whether the site is legitimate and does not carry malware. Only if it is clean, visit it for the first time using the Opera browser.
9. CHANGE your passwords frequently; use complex passwords (example: 7Yby89IfD), use a different one for every site, and never give your passwords to anyone.
10. UPDATE your Operating System, Antivirus, Firewall, Antispyware, and computer manufacturer's utilities DAILY.
11. SCAN your computer for malware every time you use the computer, after you have used it.
12. ANYTHING SUSPICIOUS? Stop everything you are doing, disconnect from the Internet, and scan the computer for malware. Examples of suspicious behavior: persistent pop-ups; the computer or connection slows down considerably; repeated re-boots; mouse or keyboard freezes; strange messages and alerts.
13. Remember NOTHING you get off the Net is "free". NOTHING!
14. DO NOT use Internet Explorer.
15. DO NOT use the same Web Browser all the time (Chrome, Opera, Firefox, etc.). Try not to become predictable. Change it up.