Showing posts from March, 2012

[Analysis] The JavaApplet malicious code injection at KBCHN.NET

In a series of events related to SINH TỬ LỆNH and the sites that were attacked, on 29/3/2012 a member of HVAonline with the nickname miyumi2 posted an analysis of a dissident ("reactionary") website that had been injected with a JavaApplet. The code, after being analyzed by Conmale. This is a relatively common technique recently, especially the use of Facebook applications

[Security] Analyzing Wordpress Themes

Introduction TimThumb is definitely one of the most valuable files (i.e., PHP scripts) that I want to find during a Penetration Test, as earlier versions between 1.0 and 1.32 have a flaw that enables an attacker to remotely cache PHP scripts [1,2], allowing remote code execution. It is an image tool often used in WordPress themes, making cropping, zooming and resizing a lot easier, and it is open source of course. The number of websites that use this script is extreme, but most have hopefully upgraded to the newest, completely re-written version 2.X, which fixes the critical remote cache vulnerability as well as other problems. At least 328 themes and 76 plug-ins [4] use this script, and the file is occasionally renamed, meaning an empty search result for “timthumb.php” does not mean it isn’t there. One way to search for this script is to use WPScan [5]; another is to use shell scripting as shown in a later figure. WPScan is a

[Security] MS12-020 RDP Vulnerability overview and testing

By now, if you have been paying attention to your news reader, Google+ or Twitter feed, you will have noticed that Microsoft released a patch for a nasty denial of service (DoS) vulnerability. Here is a bit of information about the vulnerability: “This security update resolves two privately reported vulnerabilities in the Remote Desktop Protocol. The more severe of these vulnerabilities could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system.” In short, the system would crash with a “blue screen of death”, causing the system to reboot. The other possibility would allow an attacker to achieve remote code execution on the affected system. Even though this patch was released over two weeks ago, most organizations are still vulnerable, and that’s not because they choose to be; most places have a “patch cycle” which requires extensive testing prior to deployment. As explained by the fine people over at ISC Diary T

[Report] IBM X-Force 2011 - Trend and Risk report

Download WGL03012USEN.PDF

[Security] Haters and Zombies Inc

Scammers put their philosophical shoes back on with fugit irreparabile timeline and mortem re-loaded baits Hate it or not, the Timeline’s here to stay. You know it, I know it, but does everybody else on Facebook know it? As we’re living in a revolution-prone age, nobody actually expects oppressive states of fact to be accepted without even the slightest signs of opposition. Some may argue that what’s unbearable to me, might be nothing more than a minor discomfort to others. The nice thing about it is that in the online social world, you can have as many “springs” as you want for as many causes as you want. After all, rising to arms in this environment simply means creating a page and then using it for a healthy crop of Likes to promote your cause. Speaking of revolutions, here’s our very own “Timeline spring”, complete with a strong message “I hate Facebook Timeline” and one big fat planned action: “sending a report to Facebook staff, to remove facebook timeline!” [Via]

[Ebook] Forensic Science


[RAT] ANTV's "Investigation following viewers' letters" segment

I happened to flip to the ANTV channel and watched the programme "Investigation following viewers' letters", and noticed a few unreasonable points that could easily become "easy prey" for the press and lawyers. This post is in question form... part banter, part inquiry :))
- Does ANTV have an investigative function? Or a coordinating function?
- Investigators, investigation officers or reporters? It is not clear what their role is, but since they wear security uniforms they are probably investigation officers :) How far do their functions and powers extend? You can't just carry a camera around and "investigate". Because, after all.... going by the viewer's letter... it is really only one side of the story.
- The professional competence of the "reporters" in handling situations is still GREEN and they are easily put on the back foot.... easily falling into the "argumentation" traps as well as the practical realities of the people :)
A few words of banter!

[Tool] Open source apps for anti-virus, anti-spam, firewalls, encryption, security gateways and more

Anti-Spam

1. ASSP
Replaces: Barracuda Spam and Virus Firewall, SpamHero, Abaca Email Protection Gateway
The self-proclaimed "absolute best SPAM fighting weapon that the world has ever known," ASSP sits on your SMTP servers to stop spam and scan for viruses. Features include browser-based setup, support for most SMTP servers, automatic whitelists, early sender verification, Bayesian filters and more. Operating System: OS Independent.

2. MailScanner
Replaces: Barracuda Spam and Virus Firewall, SpamHero, Abaca Email Protection Gateway
Downloaded more than 1.3 million times by users in 225 countries, MailScanner is a free e-mail security package for mail servers. It incorporates SpamAssassin, ClamAV and a number of other tools to block spam and malware. Operating System: OS Independent.

3. SpamAssassin
Replaces: Barracuda Spam and Virus Firewall, SpamHero, Abaca Email Protection Gateway
"The powerful #1 open-source spam filter," SpamAssassi

[Security] Combating Threats in the Cyber World: Outsmarting Terrorists, Hackers, and Spies

Good afternoon. I am indeed honored to be here, and gratified to be back in San Francisco. A few weeks ago, there was a story in The New York Times about a woman who was taking a break from work. She was watching YouTube videos on her iPhone when a man walked up, pointed a gun at her, grabbed the phone, and ran. A New York City police officer responded to the call and told her not to worry, that he would find her phone. He grabbed his own phone, opened the “Find My iPhone” app, and typed in the victim’s Apple ID. In seconds, a phone icon popped up, showing that the subject was near 8th Avenue and 51st Street. The officer and his partner headed that way. As they pulled up, the officer pushed a button on his phone, and they began to hear a pinging noise some 20 feet away. The officer hit “Play” once more, and they followed the pinging to its source, which turned out to be in the man’s sock. The Times reporter pointed out that had the subject been tech savvy, he might have known h

[Security] The Four Phases of Every Attack

Let’s face it, threats have gotten much more complex; like complex mechanisms, they use multiple, consecutive methods to attack. At McAfee, our research teams continually analyze the threat landscape and define threats in terms of their attack mechanisms, which consistently fall into four categories. First, malware needs a way to come in contact with unsuspecting users. Second, it uses a variety of ways to enter your system and begin to write files to disk and modify your system. Third, it uses several means to hide from detection before it even begins the dirty work of stealing personal information or scaring you into buying useless security software. It’s not until the fourth phase that it really starts its unscrupulous business. In this discussion, we will share some research showing the four phases of every malicious attack, and in a follow-on blog we will provide some recommendations on how you can protect yourself and your business. First, let’s look at

[RAT] Guide to writing a complaint report on computer crime

When you are the victim of a computer crime, you can ask the law enforcement agencies for protection. A sample complaint form you can use. Note: you should send it directly as a handwritten/typed letter. About the form: Section 1. About the receiving agency: you can refer to this post to-giac-toi-pham.html Section 3. State the content of the incident clearly. For example, if there are signs of fraud or appropriation of property, describe the matter from the beginning ---> the point where you suspected and discovered you had been defrauded. Section 4. Request that the agency ..... clarify the matter, return the money and property.... and prosecute the fraudster. Section 5. Is the declaration. In addition, you should attach PHOTOCOPIES of the relevant documents (chat logs, phone numbers, nicknames, money transfer receipts, account information... etc.)

[Security] Happy Birthday IE 8

It was three years ago today (March 19, 2009) that Microsoft unleashed Internet Explorer (IE) 8. According to Microsoft, the priorities for IE 8 were security, compatibility, ease of use, web development improvements, as well as adhering to CSS specifications and other web standards. Three years on, IE 8 is still the second most used web browser version in the world. [Via pingdom]

[Tool] Oxygen Forensic SQLite Viewer v.2.1

Oxygen Software announces Oxygen Forensic SQLite Viewer v.2.1. This version introduces data export to PDF, XLS, XML and other formats, and the ability to export selected tables. The new version also improves conversion utilities, introduces the conversion sidebar and adds the ability to save big BLOB fields to file. All registered customers may download the new version immediately from their personal customer area.

New in Oxygen Forensic SQLite Viewer v.2.1:
* Added export to RTF, PDF, XML, XLS, CSV, TSV and HTML file formats.
* Added ability to export selected tables.
* Added ability to select multiple records on the Deleted data tab.
* Data type ‘Table record’ or ‘Deleted record’ is shown when copying entries to the clipboard.
* Added support for OS X Epoch format conversion.
* Added an external window to view the data.
* Added ability to save big BLOB fields to a file.
* Accelerated SQLite Viewer work.
* Improved conversion of millisecond UNIX format dates.
* Improved convers

[Infographic] WordPress developers are driving


[Security] Victorian Taxi Directorate exposes 400+ email addresses

The Victorian Taxi Directorate has earned the ire of people it was trying to placate, after it put more than 400 email addresses in the “To:” field of an email it sent to ask about its complaints resolution process. The email, sent yesterday, said “The Victorian Taxi Directorate (VTD) is committed to continually improving its customer service and complaints handling processes,” and went on to say recipients should “... be assured that your personal details have been collected and used consistent with Privacy Act 2000.” Except for their email addresses, that is, as 432 by The Register's count were included in the “To:” field for all recipients to see. Some have hit “Reply All”, creating a merry little email storm that is pleasing nobody. Angry recipients, including Register readers, have pointed out the situation and its absurdity. The Directorate has quickly apologised for the mess, with Assistant Manager of Communications Bob Nelson saying it is “absolutely not” the orga

[Security] Malware OSX/Imuler OSX/Revir.A dropper

This new variant is very similar to its ancestors in terms of command-and-control (C&C) communication and functionality. (OSX/Imuler is an information stealer that can gather and transmit files, screenshots, and other data to a remote server.) The network protocol is still HTTP-based and the payload is compressed with zlib. The hardcoded C&C domain now being used is a new one, registered on February 13th, 2012 via a Chinese registrar. The domain points to the same IP address as the previous variants, located in the USA and still active at the time of writing. This all seems to indicate that the new variant was most likely released to improve its anti-virus evasion. OSX/Imuler has the functionality to upload arbitrary local files to the C&C. A specialized separate executable named CurlUpload, downloaded from the C&C every time the malware starts, is used to perform the operation. This stand-alone executable, first seen in early 2011, presents interesting strings that

[Security] Australia lacks cash for cybercrime study

The Australian Institute of Criminology (AIC) does not have the resources to repeat its 2009 Australian Business Assessment of Computer User Security (ABACUS) study into the prevalence of cybercrime in Australia. An AIC spokesperson told The Register that the cost and complexity involved in an ABACUS study is not something the Institute can currently contemplate, and added “It’s certainly important to keep track of the trends in this area, although nationally representative prevalence surveys of cybercrime are rarely undertaken.” “The AIC will, if resources are available, look to undertake similar surveys to our ABACUS project, which was one of the few large-scale business victimisation surveys in this area.” The AIC's 2011 Australian crime: Facts & figures report therefore uses previously published data from AusCERT and the Australian Competition and Consumer Commission (ACCC). Both sources collected data for 2010 studies. That leaves the cyber crime section of the AIC

[Report] Monthly Malware Statistics: February 2012

Vulnerabilities in the Google Wallet payment system In autumn 2011, Google launched Google Wallet, an e-payment system that allows users to pay for goods and services using Android phones with Near Field Communication (NFC — contactless transactions). The Google Wallet app is installed on a smartphone and the user specifies which credit card to use. To process payments, the owner of the phone must enter a PIN in the Google Wallet app and put the phone in proximity to the scanning device. The phone will then transfer encrypted data to complete the transaction. When Google announced this new service, data security professionals voiced some doubts about security if a phone were to be lost or stolen or otherwise fall into someone else’s hands. Then, in early February, two methods used to hack Google Wallet were detected. At first, Joshua Rubin, an engineer at zVelo detected how a PIN can be chosen if a certain person gets access to the telephone. Bank account data is stored in a