Channel: BOT24

PORN SITES ARE WATCHING YOU


Time required to brute-force crack a password depending on password entropy (strength)

In case you're wondering how many attempts per second an attacker would realistically have, a PC with a few thousand dollars worth of graphics cards can brute-force hundreds of billions of password possibilities per second, as this 2012 Ars Technica article reveals. God knows what sort of power an entire nation state's intelligence agency could muster. My chart goes up to 100 trillion.


more here.......http://www.reddit.com/r/dataisbeautiful/comments/322lbk/time_required_to_bruteforce_crack_a_password/

APT 30 and the Mechanics of a Long-Running Cyber Espionage Operation

Having some of the world’s most active economies, Asia Pacific countries are more likely to be a target of targeted attacks than the rest of the world. In “Operation Quantum Entanglement”, “Pacific Ring of Fire: PlugX / Kaba” and other FireEye reports, we have highlighted how Northeast Asian countries have been at the centre of advanced attacks. Today, we release a new report, “APT 30 and the Mechanics of a Long-Running Cyber Espionage Operation,” which documents a threat group, APT 30, that has consistently targeted Southeast Asia and India over the past decade.

Having analysed over 200 malware samples and their GUI-based remote controller software, we are able to assess how the team behind APT 30 works: they prioritize their targets, most likely work in shifts in a collaborative environment, and build malware from a coherent development plan. Their missions focus on acquiring sensitive data from a variety of targets, which possibly include classified government networks and other networks inaccessible from a standard Internet connection.

more here.........https://www.fireeye.com/blog/threat-research/2015/04/apt_30_and_the_mecha.html

General Pr0ken Filesystem – Hacking IBM’s GPFS

The IBM General Parallel File System is a distributed file system used in large-scale enterprise environments, high-performance clusters, as well as some of the world's largest supercomputers. It is considered by many in the industry to be the most feature-rich and production-hardened distributed file system currently available. GPFS has a long and really interesting history, going back to the Tiger Shark file system created by IBM in 1993.

Of course, this makes it an interesting target for security research.

more here.......http://www.insinuator.net/2015/04/general-pr0ken-filesystem-hacking-ibms-gpfs/

How to verify that system drivers are digitally signed

Device drivers are important files as they allow you and the operating system to interact with hardware connected to the system.

Drivers, just like executable files, can be digitally signed to improve their verifiability.

Manufacturers can submit drivers to Microsoft to get them signed. While many do so, some don’t do this for all drivers they release.

It is common for instance that beta drivers are not digitally signed.

While unsigned drivers don’t necessarily have to be problematic, it makes sense to check the system for those and verify that they are legitimate and the best choice.

more here.......http://www.ghacks.net/2015/04/11/how-to-verify-that-system-drivers-are-digitally-signed/?_m=3n.0038.1576.yj0ao05ekr.1msd

python2-cryptography 0.8.2-1

The oldest trick in the ASCII book

Using SMT Solvers to Analyze the Premier League Table

A few days ago reddit user /u/Shurtgal posted a graphic showing the possible points that can be achieved by each football team in the English Premier League. You might think that this graphic would provide insight into questions like the following.

What teams are still mathematically capable of winning the league title?

What is the minimum number of points required to guarantee safety from relegation (finish in one of the top 17 league positions)?

The trouble is, the graphic cannot answer these questions definitively. The following comment from /u/mitters explains why.

Consider Swansea. According to this chart they are not guaranteed safety (2 points short). Which is not actually true. They are in fact already guaranteed safety. Even if they lost every game from now on and did not get the 2 points they need to "guarantee" safety they would still be safe. There's nothing wrong with OP's chart or logic as it would be nearly impossible to plot this table taking into account teams that play each other. Leicester could win all of their remaining games and finish level on points with Swansea. But that would require that West Brom, Newcastle, Sunderland and QPR all drop points. As such, in this (very unlikely) scenario both Leicester and Swansea would be safe because of the points other teams would have to drop as they play each other.

However, the good news is that a wonderful tool known as an SMT solver can answer these questions definitively. In this article, I will provide a gentle introduction to using SMT solvers by showing how they can be used to answer such questions.

more here..........http://www.spramod.info/using-smt-solvers-to-analyze-the-premier-league-table.html

Looking for security trouble spots in Go code

Different languages have certain areas where mistakes are commonly made, and which code auditors focus on. With C, you might grep for strcpy and memcpy. With ruby, you might look for regex that use ^ and $ instead of \A and \z. The use of those functions or idioms are not always vulnerabilities, but are good places to check first. I decided to look for such trouble spots for Go (golang).

more here.......http://0xdabbad00.com/2015/04/12/looking_for_security_trouble_spots_in_go_code/

SIMDA: A Botnet Takedown

The collaboration between Trend Micro, INTERPOL, and other private organizations resulted in another triumph for the security industry earlier this week: the takedown of the SIMDA botnet. Trend Micro provided information such as the IP addresses of the affiliated servers and statistical information about the malware used, which led to the disruption of the botnet activities.

SIMDA, the Malware Behind the Botnet

The botnet relies on the backdoor SIMDA for its operations. One notable feature of the malware is that it modifies HOSTS files, which redirects users to malicious sites whenever they try to access legitimate sites. Our research shows that the malware targeted popular sites including Facebook, Bing, Yahoo, and Google Analytics, as well as their regional counterparts: e.g., Yahoo Singapore, Bing Germany, etc.

more here.........http://blog.trendmicro.com/trendlabs-security-intelligence/simda-a-botnet-takedown/


Microsoft has also published an article on SIMDA, titled "Microsoft partners with Interpol, industry to disrupt global malware attack affecting more than 770,000 PCs in past six months": http://blogs.technet.com/b/mmpc/archive/2015/04/12/microsoft-partners-with-interpol-industry-to-disrupt-global-malware-attack-affecting-more-than-770-000-pcs-in-past-six-months-39-simda-at-39-designed-to-divert-internet-traffic-to-disseminate-other-types-of-malware.aspx


and finally a writeup by Kaspersky Lab..........https://securelist.com/blog/69580/simdas-hide-and-seek-grown-up-games/

PySymEmu

Solaris Admins: For A Glimpse Of Your Networking Future, Install OpenBSD

0day vulnerability in net-snmp

Simple Network Management Protocol (SNMP) is a widely used protocol for monitoring the health and welfare of network equipment (e.g., routers), computer equipment and even devices like UPSs. (http://www.net-snmp.org/)

Please refer to the report below.


[Author info]

    name: Qinghao Tang
    company: QIHU 360 company, China
    email: tangqinghao () 360 cn

[vendor info]

    name: net-snmp
    email: net-snmp-users () lists sourceforge net
    website: http://www.net-snmp.org/



[vulnerable net-snmp version]

All versions



[vulnerability Description]

An incomplete-initialization vulnerability exists in the function
‘snmp_pdu_parse()’ of ‘snmp_api.c’, and remote attackers can cause memory
leaks, DoS and possibly command execution by sending malicious packets.

Since the vulnerability occurs when parsing packets, it could have
broader impacts. Currently we have found 12 remote DoS methods in the latest
version of the net-snmp client software. I think this vulnerability could cause
even more severe risks.



[vulnerability reason]

In the function ‘snmp_pdu_parse()’ of ‘snmp_api.c’, the structure
‘netsnmp_variable_list’ is initialized incompletely, thus malicious
packets can cause ‘snmp_parse_var_op()’ to return an error. When the
uninitialized data (type, val, name_loc, buf) in the structure
‘netsnmp_variable_list’ is then used, it causes memory leaks, DoS and
possibly command execution.



int
snmp_pdu_parse(netsnmp_pdu *pdu, u_char * data, size_t * length)
{
        ....
        netsnmp_variable_list *vptemp;

        /* malloc() leaves every field undefined until it is set below */
        vptemp = (netsnmp_variable_list *) malloc(sizeof(*vptemp));
        if (NULL == vptemp) {
            return -1;
        }
        /* the new node is linked into the PDU before it has been parsed */
        if (NULL == vp) {
            pdu->variables = vptemp;
        } else {
            vp->next_variable = vptemp;
        }
        vp = vptemp;

        /* type, name_loc and buf are not initialized in this block */
        vp->next_variable = NULL;
        vp->val.string = NULL;
        vp->name_length = MAX_OID_LEN;
        vp->name = NULL;
        vp->index = 0;
        vp->data = NULL;
        vp->dataFreeHook = NULL;
        DEBUGDUMPSECTION("recv", "VarBind");
        /* on a malformed varbind this may return NULL before vp->type is written */
        data = snmp_parse_var_op(data, objid, &vp->name_length, &vp->type,
                                 &vp->val_len, &var_val, length);
        if (data == NULL)
            return -1;
        ......
}

typedef struct variable_list netsnmp_variable_list;

struct variable_list {
   /** NULL for last variable */
   struct variable_list *next_variable;
   /** Object identifier of variable */
   oid            *name;
   /** number of subid's in name */
   size_t          name_length;
   /** ASN type of variable */
   u_char          type;
   /** value of variable */
   netsnmp_vardata val;
   /** the length of the value to be copied into buf */
   size_t          val_len;
   /** 90 percentile < 24. */
   oid             name_loc[MAX_OID_LEN];
   /** 90 percentile < 40. */
   u_char          buf[40];
   /** (Opaque) hook for additional data */
   void           *data;
   /** callback to free above */
   void            (*dataFreeHook)(void *);
   int             index;
};

typedef union {
   long           *integer;
   u_char         *string;
   oid            *objid;
   u_char         *bitstring;
   struct counter64 *counter64;
#ifdef OPAQUE_SPECIAL_TYPES
   float          *floatVal;
   double         *doubleVal;
   /*
    * t_union *unionVal;
    */
#endif                          /* OPAQUE_SPECIAL_TYPES */
} netsnmp_vardata;
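As an added illustration (not net-snmp's code and not the report's patch), a constructed C model of the varbind loop above: var_t, pdu_t, parse_var_op, pdu_parse and the toy [tag][len][bytes] varbind encoding are stand-ins, and the only points carried over from the report are that the node is linked into the PDU before it is parsed and that a failed parse must leave type and the value fields defined. It shows the hardened shape: zeroed allocation plus an explicit "no value" type, so a truncated second varbind leaves a list that printers and free routines can walk safely.

```c
/* Constructed model of the varbind-list initialization issue; not net-snmp's code. */
#include <stdlib.h>
#include <string.h>
#define ASN_NULL      0x05           /* BER tag for NULL: "no value present" */
#define ASN_OCTET_STR 0x04           /* BER tag for OCTET STRING */

typedef struct var {                 /* stand-in for netsnmp_variable_list */
    struct var    *next_variable;
    unsigned char  type;
    unsigned char *string;           /* stand-in for val.string */
    size_t         val_len;
    unsigned char  buf[40];
} var_t;
typedef struct { var_t *variables; } pdu_t;

/* Toy varbind encoding [tag][len][bytes]; returns bytes consumed, 0 if malformed.
 * Like snmp_parse_var_op it writes nothing into *vp on failure. */
static size_t parse_var_op(const unsigned char *d, size_t n, var_t *vp) {
    if (n < 2 || d[0] != ASN_OCTET_STR || d[1] > sizeof vp->buf || (size_t)d[1] + 2 > n)
        return 0;
    vp->type = ASN_OCTET_STR;
    vp->val_len = d[1];
    memcpy(vp->buf, d + 2, d[1]);
    vp->string = vp->buf;
    return (size_t)d[1] + 2;
}

/* Hardened loop: the node is zeroed by calloc and tagged ASN_NULL before it is
 * linked into the PDU, so an early return leaves no field holding garbage. */
int pdu_parse(pdu_t *pdu, const unsigned char *data, size_t len) {
    var_t *vp = NULL;
    while (len > 0) {
        var_t *vptemp = calloc(1, sizeof *vptemp);      /* calloc, not malloc */
        if (vptemp == NULL) return -1;
        vptemp->type = ASN_NULL;
        if (vp == NULL) pdu->variables = vptemp; else vp->next_variable = vptemp;
        vp = vptemp;
        size_t used = parse_var_op(data, len, vp);
        if (used == 0) return -1;                       /* list stays consistent */
        data += used; len -= used;
    }
    return 0;
}

/* Consumers dispatch on type (cf. the sprint_realloc_* crash sites); ASN_NULL has no value to touch. */
size_t var_value_len(const var_t *vp) { return vp->type == ASN_NULL ? 0 : vp->val_len; }
void pdu_free(pdu_t *pdu) {                             /* safe on partial lists */
    for (var_t *vp = pdu->variables, *nx; vp; vp = nx) { nx = vp->next_variable; free(vp); }
    pdu->variables = NULL;
}
```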







[crash info from /var/log/messages]

sprint_realloc_integer
snmpget:0x290a3
overview:Feb 22 11:37:48 localhost kernel: snmpget[24260]: segfault at 0 ip 00007f00cbff20a3 sp 00007fff7bf08620 error 4 in libnetsnmp.so.30.0.3[7f00cbfc9000+ac000]

asn_realloc_rbuild_int
snmpget:0x4ac0a
overview:Feb 22 14:38:10 localhost kernel: snmpget[26825]: segfault at 0 ip 00007f2cbc089c0a sp 00007fff294221f0 error 4 in libnetsnmp.so.30.0.3[7f2cbc03f000+ac000]

asn_realloc_rbuild_unsigned_int
snmpget:0x4a5e7
overview:Feb 22 18:06:53 localhost kernel: snmpget[29948]: segfault at 0 ip 00007f6bb7a8e5e7 sp 00007fffc6863bc0 error 4 in libnetsnmp.so.30.0.3[7f6bb7a44000+ac000]

asn_realloc_rbuild_unsigned_int64
snmpget:0x49832
overview:Feb 22 20:00:22 localhost kernel: snmpget[31802]: segfault at 0 ip 00007f93cb91d832 sp 00007fff7b93f970 error 4 in libnetsnmp.so.30.0.3[7f93cb8d4000+ac000]

sprint_realloc_counter
snmpget:0x2877b
overview:Feb 23 09:31:45 localhost kernel: snmpget[44108]: segfault at 0 ip 00007f1e2fd8477b sp 00007fffe0abf9a0 error 4 in libnetsnmp.so.30.0.3[7f1e2fd5c000+ac000]

sprint_realloc_uinteger
snmpget:0x28c30
overview:Feb 13 09:54:03 localhost kernel: snmpget[64595]: segfault at 0 ip 00007f29f970dc30 sp 00007fff8c89a0e0 error 4 in libnetsnmp.so.30.0.3[7f29f96e5000+ac000]

printI64
snmpget:0x5273e
overview:Feb 13 10:52:42 localhost kernel: snmpget[3863]: segfault at 0 ip 00007fe314e4773e sp 00007fff782fcba0 error 4 in libnetsnmp.so.30.0.3[7fe314df5000+ac000]

sprint_realloc_gauge
snmpget:0x28a73
overview:Feb 13 11:24:17 localhost kernel: snmpget[4879]: segfault at 0 ip 00007fb3f0852a73 sp 00007fffc43f7b10 error 4 in libnetsnmp.so.30.0.3[7fb3f082a000+ac000]

sprint_realloc_timeticks
snmpget:0x29277
overview:Feb 13 12:10:08 localhost kernel: snmpget[6623]: segfault at 0 ip 00007f171c1ad277 sp 00007fff9fad9720 error 4 in libnetsnmp.so.30.0.3[7f171c184000+ac000]

printU64
snmpget:0x52675
overview:Feb 13 13:48:11 localhost kernel: snmpget[9878]: segfault at 0 ip 00007fc3b04ed675 sp 00007fff4d0a3cb0 error 4 in libnetsnmp.so.30.0.3[7fc3b049b000+ac000]

sprint_realloc_float
snmpget:0x29c57
overview:Feb 18 23:31:41 localhost kernel: snmpget[57217]: segfault at 0 ip 00007f625c50ac57 sp 00007fffe60ebdb0 error 4 in libnetsnmp.so.30.0.3[7f625c4e1000+ac000]

asn_realloc_rbuild_signed_int64
snmpget:0x4934d
overview:Feb 21 18:21:13 localhost kernel: snmpget[9149]: segfault at 0 ip 00007f431746e34d sp 00007fffbcac3ed0 error 4 in libnetsnmp.so.30.0.3[7f4317425000+ac000]





[patch]

--- snmp_api.c 2014-12-09 04:23:22.000000000 +0800

+++ snmp_api.c.patch     2015-03-04 10:44:03.896001377 +0800

@@ -4518,6 +4518,9 @@

         vp->index = 0;

         vp->data = NULL;

         vp->dataFreeHook = NULL;

+       vp->type = 0;

+       vp->name_loc = 0;

+       vp->buf = 0;

         DEBUGDUMPSECTION("recv", "VarBind");

         data = snmp_parse_var_op(data, objid, &vp->name_length, &vp->type,

                                  &vp->val_len, &var_val, length)
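Review bot: the two array assignments in this hunk, `vp->name_loc = 0;` and `vp->buf = 0;`, will not compile: the struct shown earlier declares `oid name_loc[MAX_OID_LEN]` and `u_char buf[40]`, and an array is not an assignable lvalue. Use `memset(vp->name_loc, 0, sizeof(vp->name_loc));` and `memset(vp->buf, 0, sizeof(vp->buf));`, or, simpler and more robust, replace the `malloc(sizeof(*vptemp))` earlier in this function with `calloc(1, sizeof(*vptemp))` so that every field, including any added later, starts zeroed before the node is linked into `pdu->variables`. The added `vp->type = 0;` also deserves a comment stating which value the type-dispatching printers and free routines listed in the crash section are expected to treat as "no value", since the failure path of `snmp_parse_var_op` leaves `vp` in the list with whatever type was set here.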

Remediate VBS malware

SHARING THE SIMDA PSEUDO DGA

There was the takedown of Simda reported yesterday by Microsoft. According to that report, Simda communicates with “up to six hard-coded IPs” and has a DGA that it uses to set the hosts field in the HTTP header and also uses as a seed for encryption.

This is the reversed algorithm......http://blog.kleissner.org/?p=771

Redis backend

Kiosk/POS Breakout Keys in Windows

There is an old axiom that goes something like “If an enemy has physical access to your box, it is no longer your box”. With enough time, and barring well-implemented cryptography, someone will get to the data on the system eventually. This axiom definitely applies to public kiosks and in some cases point of sale systems (also known as POS, Point Of Interaction, electronic registers, etc.) depending on how much you trust your employees. The captive kiosk/POS software is normally meant to only allow users to do a set number of tasks and to limit the data that is viewable. If someone can freely look around the hard drive, all sorts of things that an attacker might find useful can be found, like autologon credentials, private data, backend connection strings, etc.

more here.......http://www.trustedsec.com/april-2015/kioskpos-breakout-keys-in-windows/

NanoCore RAT: It’s Not 100% Original

A few days ago, a cracked full-version of the NanoCore Remote Access Trojan (RAT) tool was leaked.

With scarce existing documentation of NanoCore, we decided to investigate NanoCore’s core set of features and techniques ourselves. What we found was that although this RAT is highly sophisticated, its authors weren’t keen to totally re-invent the wheel. In fact, one of NanoCore’s unique features, password retrieval, uses another tool, NirSoft, a Web freeware also commonly used by threat actors.

more here.......http://www.ensilo.com/nanocore-rat-not-100-original/

How to bypass Google’s Santa LOCKDOWN mode

Santa is a binary whitelisting/blacklisting system made by Google’s Macintosh Operations Team. While I refer to it as Google’s Santa it is not an official Google product. It is based on a kernel extension and userland components to control the execution of binaries in OS X systems.
It features two interesting modes of execution, monitor and lockdown. The monitor mode is a blacklisting system, where all binaries except those blacklisted can run. The lockdown mode is a whitelisting system, where only the whitelisted binaries can run and everything else will be blocked. This is the mode we want to attack and bypass since it’s the most interesting one from an attacker’s perspective....

more here........https://reverse.put.as/2015/04/13/how-to-bypass-googles-santa-lockdown-mode/

and code here.....https://github.com/gdbinit/hello_santa_bye_santa

Reverse Engineering Vectored Exception Handlers: Implementation (3/3)
