Hackers 24x7

The latest from Blogger Buzz

2016-05-11T06:56:00.001-07:00

The latest from Blogger Buzz

Keep your readers interested with the AdSense Guide to Audience Engagement

Today, information is at our fingertips and we can access it from anywhere on any device. Just a few taps pull up millions of websites all competing for our attention. For bloggers, engaging with your audience has never been more important or more challenging. To help lay the foundation to a winning engagement strategy, the AdSense team created the AdSense Guide to Audience Engagement.

Research shows that 29% of smartphone users will immediately switch to another site or app if it doesn’t satisfy their needs.

To help keep your audience engaged, get your free copy of the AdSense Guide to Audience Engagement.

In the guide, you’ll learn:

How to help your audience become familiar with your brand
Best practices to design user journeys
How to develop content that resonates with your audience
Ways to make your content easy to consume
Why you should share the love with other sites by referring to good sources

You can use this website to share self destructing encrypted file

2016-02-04T19:19:00.003-08:00

ENCRYPTED FILES SHARED VIA THIS WEBSITE WILL SELF DESTRUCT IN 24 HOURS

If you are looking send a very personal or important file which you want destroyed after the receiver sees/reads it, you can now avail the services of a website called Nafue. [menkveldj]who is a developer, has built a service that encrypts files which self destruct in 24 hours.

However there some many prerequisites for using a the website. The download link can only be used once.

Nafue works like this. You want to share a very imported file, you have to encrypt it on your side using a a password generated using Pbkdf2 key before uploading it to the s3 storage service. Once this is done, the website will provide you with a one-time-use link to share with the recipient. After the first download, or 24 hours, the link and the encrypted file are both deleted.

Remember, the receiver must enter the same password to decrypt and recover the file. No one but the sharer and receiver know what the actual file is.

If the file were to land in some wrong person’s hand, they would take some years before cracking the 256AES encryption.

It’s still work in progress, so chime in with your comments and suggestions. To dig into the code, check out his repository on Github, which also has instructions to build and run it if you’d like to do your own version.

What Is A Web App Attack, How Does It Work — 5 Stages Of A Web App Attack

2016-01-18T08:37:00.001-08:00

Short Bytes: A Web App Attack is one of the biggest threats faced by websites and online businesses. In this article, we are going to tell you about 5 stages of a Web App Attack — Reconnaissance, Scanning, Gaining Access, Maintaining Access, and Covering Tracks — and how this attack works.

If we start looking at the number of hacking attacks in 2015 alone, the number of personal records breached touches almost one billion. In 2015, we saw some of the most notorious hacking attacks till date, namely attacks on Ashleey Madison, TalkTalk, Patreon Donation Site, Pentagonetc.

As the application development is moving more and more onto the web, the Web is home to everything we need. 2015 also saw an increase in Web App Attacks that are carried out using a well-planned plan-of-action. The attack usually targets the web server used by the target company. In spite of network defenses like intrusion penetration systems and firewalls, the Web application could be attacked by an outsider in multiple ways.

What Is A Web App Attack, How Does It Work

In this article, we are going to explain you the five stages of a Web App Attack from a hacker’s perspective. The each stage will be explained into three parts — What is it? How does it work? How do I defend myself against it?

The five stages that will be explained ahead are: Reconnaissance, Scanning, Gaining Access, Maintaining Access, and Covering Tracks.

Let’s take a look at this useful infographic by Barricade, an Early Warning System against Hackers.

Anatomy of a Web App Attack – Visually Explained

How PING Could Save and Prevent Deadly Accidents

2016-01-10T19:19:00.001-08:00

IAN TRUMP OF LOGICNOW WONDERS WHETHER THE HUMBLE PING COULD BE OUR SAVIOUR

This Government of Canada press release caught my eye on a recent newsfeed. The release tells the story of how PING could save and prevent accidents. It’s one of those reports that uses language which for most of us is completely unintelligible or steeped in scientific nuance. So let me break it down for you: a train fell off the tracks and PING could have stopped it.

Hold on, how can something as simple as an Internet Control Message Protocol (ICMP) packet save lives? The reality is actually kind of obvious in this world of Internet of things (IoT) – latency. Using this analogy, the number of seconds or milliseconds it takes for a packet of data to go from one place or another could have prevented this train from being derailed. If there is a change in the latency, there is a problem on the tracks. Yes, my friends, PING works on rail tracks, which in a way are like giant cables reaching out across the nations.

This fact got me thinking. PING is one of the most basic of IT functions. The PING check is built into almost every Remote Monitoring and Management Tool (RMM) on the market today, including our own MAXfocus platform. However, this story is not about our great products, it’s about how PING could have mitigated a train derailment – it blows my mind that all of sudden ICMP becomes the deciding factor between business-as-usual and disaster.

If you can accept the idea that the railway is like a big, conductive pipe and has a TCIP stack, you can accept the idea that a simple PING could tell you a lot about the quality of transmission. The intimate relationship between PING and the quality of the Layer 1 – i.e. the physical layer – is well known: bad cable equals latency and dropped packets. If you’ve sent thousands or hundreds of thousands of PINGS you would know what the average response time should be.

When the response time is radically different or there is no response; then you know you have a problem. But surely life is not that simple? Oddly with PING, it really is. One of the first things a helpdesk does (after making you reboot) is to ask you to PING the router/IP you need to get to. If you can’t “see” it, you have a connection problem.

Understanding this is going to be key to understanding the IoT. PING will become, if it is not already, one of the default troubleshooting protocols/services we will use to figure out connectivity. If PING does not return, there is a problem. It’s astounding to me that we still have problems understanding this concept.

We live in a world where 8.8.8.8 has to answer to a PING if it does not some folks would suggest we will all die, or at the very least our Shoes.com websites will load really slowly. PING is not DNS, it’s not even Https, it’s lower level and it’s what we use to determine – in IT terms – if you are alive or not. There are lots of folks that turn PING off on their outside interface because of the PING of death, which caused so many problems back in the day, but if you’re still running a firewall that can’t handle a packet outside of an RFC spec you have other much more serious problems.

But I digress. I said PING will save us and I meant it. We have big data – LOGICcards is an example of that – but how cool would it be if your PING check worked across all of the customers?

Imagine if our 2 million endpoints could tell you the expected PING time to important websites and if your customer’s PING time was outside that. No one will ever complain about too fast, but the phones light up if we’re too slow. How cool would that be?

So, how does this affect the IoT or rail cars traveling down the line? It’s simple. If PING gets too long, or there is no ECHO then stop the train, because something is not right. If something is not right it could mean a physical problem that could derail your train. It’s not a super technical thing – if it’s not ECHO’ing a reply it’s probably not online. If it’s not online and it needs to be you better go fix it.

PING may just save you a world of pain when and prevent your train – metaphorical or not –from going off the tracks.

Leaving your websites open to attack?

2016-01-01T20:26:00.004-08:00

Leaving your websites open to attack?

70% of websites and networks are hackable!

Close your doors shut before hackers find you

CSRF Attacks, XSRF or Sea-Surf – What They Are and How to Defend Against Them

Cross-Site Request Forgery, or CSRF for short is a common and regular online attack. CSRF also goes by the acronym XSRF and the phrase “Sea-Surf”. CSRF attacks include a malicious exploit of a website in which a user will transmit malicious requests that the target website trusts without the user’s consent. In Cross-Site Scripting (XSS), the attacker exploits the trust a user has for a website, with CSRF on the other hand, the attacker exploits the trust a website has against a user’s browser.

Basically, an attacker will use CSRF to trick a victim into accessing a website or clicking a URL link that contains malicious or unauthorized requests. It is called ‘malicious’ since the CSRF attack will use the identity and privileges of the victim and impersonate them in order to perform any actions desired by the attacker, such as change form submission details, and launch purchases or payments for the attacker or a third-party account.

Upon a request against most websites, browsers will include along any credentials related with the particular website, such as the session cookie of the user, basic authentication credentials, the IP address of the user, etc. Thus, if user’s authentication session is still valid, an attacker can use CSRF to launch any desired requests against the website, without the website being able to distinguish whether the requests are legitimate or not.

A Simple Example of a Cross-Site Request Forgery

As described above, in order for a CSRF attack to be performed, the user must be authenticated with the target website. Assuming the victim is authenticated, the attacker can include a link or script in a third-party website that the victim visits. Thus, when the victim visits that website or link, the rogue script will be executed without the victim being aware of it. For instance, in a chat forum, an attacker posts a message which contains an image tag or an HTML image element. However, the source of the image contains a link which performs an action on a victim’s bank website account. So, instead of an image file the attacker has included a link that performs a bank transaction. Below is an example of the image tag containing a rogue URL.

<img src="http://bank.example.com/withdraw?account=bob&amount=1000000&for=Fred">

The above is a CSRF attack using an HTTP GET request. As we shall see later, a prevention method would allow only HTTP POST requests, in order to prevent the above attack method. However, this can be easily bypassed, since an attacker can use an HTTP POST request to perform a CSRF attack.

CSRF Example Using an HTTP POST Request

In this example the attacker will use an HTTP POST request to realize a CSRF attack. Since the HTTP GET request is not allowed to be used as a prevention measure against a CSRF attack, an attacker can use the HTTP POST request which will perform the CSRF as successfully as the HTTP GET request. It is very difficult for the target website to distinguish between legitimate and rogue HTTP GET or POST requests, since the requests are sent from a “trusted” browser. That means that if no prevention measures are in place, a CSRF attack can be performed transparently without the victim or target website realizing it.

The purpose of the attack, in this example, is to change the profile information of a particular user (victim) on the target website. The target website for this example will be http://testphp.vulnweb.com/.

The victim has an account on testphp.vulnweb.com which includes personal information as seen below.

The attacker uses CSRF to change the information on the victim’s profile. This, as mentioned earlier, requires the victim to be authenticated with the target website. A user can update the profile information by using the given form in the ‘Your profile’ page. The code of the particular form is shown below.

CSRF Example in – http://testphp.vulnweb.com/userinfo.php

<form name="form1" method="post" action="">
<table border="0" cellspacing="1" cellpadding="4">
<tr>
<td valign="top">Name:</td><td><input type="text" value="James Markus" name="urname" style="width:200px"></td>
</tr>
<tr><td valign="top">Credit card number:</td><td><input type="text" value="1254-5498-5233-5569" name="ucc" style="width:200px"></td>
</tr>
<tr><td valign="top">E-Mail:</td><td><input type="text" value="example@vulnweb.com" name="uemail" style="width:200px"></td>
</tr>
<tr><td valign="top">Phone number:</td><td><input type="text" value="+44 123 12345 123" name="uphone" style="width:200px"></td>
</tr>
<tr><td valign="top">Address:</td><td><textarea wrap="soft" name="uaddress" rows="5" style="width:200px">North London, London, England</textarea></td>
</tr>
<tr><td colspan="2" align="right"><input type="submit" value="update" name="update"></td></tr></table>
</form>

From the above code we can identify the input fields which will receive information from a user and send to the website. These are called urname, ucc, uemail, uphone and uaddress and are shown below.

<input type="text" value="John Doe" name="urname" style="width:200px">
<input type="text" value="1254-5498-5233-5569" name="ucc" style="width:200px">
<input type="text" value="example@vulnweb.com" name="uemail" style="width:200px">
<input type="text" value="+44 123 12345 123" name="uphone" style="width:200px">
<textarea wrap="soft" name="uaddress" rows="5" style="width:200px">
North London, London, England</textarea>

When the user clicks the ‘Update’ button of the form userinfo.php, an HTTP POST request will be sent that will contain the above parameters along with their values accordingly.

Since the website does not have any prevention measures against CSRF, the attacker can use this form (http://testphp.vulnweb.com/userinfo.php) to submit any desired information without the user’s consent. The attacker will perform this by embedding the actual code of the update form in his own website and when the victim visits the attacker’s website, the form, including any desired information of the attacker, will be submitted to the target website.

This is the malicious website of the attacker.

The attacker’s website is a normal online photo gallery website. However, it contains a hidden form which will auto submit and update the victim’s profile on testphp.vulnweb.com.

The hidden iframe exists in the myimages.php page.

<iframe src="http://www.vulnweb.com/updateif.php" style="display:none"></iframe>

This loads another page of the attacker’s website. The website contains the actual userinfo.php page code which auto submits and updates the particular userinfo.php of the current victim. This happens automatically every time a user accesses this website.

The updateif.php page contains the actual form code which auto submits the desired information the attacker has set.


<body onload="document.getElementById('f').submit()">
<form id="f" action="http://testphp.vulnweb.com/userinfo.php" method="post" name="form1">
<input name="urname" value="attacker’svalue">
<input name="ucc" value=" attacker’svalue">
<input name="uemail" value=" attacker’svalue">
<input name="uphone" value=" attacker’svalue">
<textarea name="uaddress" wrap="soft"><attacker’svalue></textarea>
<input name="update" value="update">
</form>
</body>

This form retrieves the value information from a text file. When the updateif.php is called, the information (set earlier) by the attacker is retrieved and placed in the value fields. Then the form is auto submitted and the target page is loaded. These operations are performed inside a hidden iframe, thus the victim will not see the target website.

The attacker has an admin page – www.vulnweb.com/hackpanel – from where values values to be submitted on the target website can be set.

The admin hack panel is a control page where the attacker can set the information that will be submitted to the target website when the CSRF attack is realized.

From this website, the attacker can set new information. (Note: For the purposes of this example, there is a reset button which will reset the values of the target website) This information is stored in a file, from which the updateif.php (seen earlier) will load and submit the attacker’s value.

So, as we mentioned earlier, in order for the attacker to perform a CSRF attack and his information to be submitted, the main requirement is for the victim to be logged into the target website. When the victim visits the attackers’ website, the hidden iframe will load the code of the update profile form found in the userinfo.php (target’s update profile form) with the attacker’s desired information and auto submit them to the target website. This operation is the exact operation the victim could perform to update his profile. However, due to the CSRF vulnerability a third party entity such as an attacker can use this operation to submit malicious information without the user being able to know about it.

The attacker sets the desired information in the http://www.vulnweb.com/hackpanel/ page and clicks ‘Update’. The information is stored in the file.

The attacker’s information is ready to be loaded when the attacker’s website is visited.

When the victim visits the attacker’s website at www.vulnweb.com/index.php, nothing will happen since there is not any malicious code in the ‘Home’ page. The victim needs to access the www.vulnweb.com/myimages.php page where the malicious code exists, and the attacker’s information will be submitted to the target website (testphp.vulnweb.com/).

As soon as the victim visits the myimages.php page, the hidden iframe is loaded executing the CSRF attack. Below is the HTTP POST request which is made when the victim accesses the attacker’s malicious /myimages.php page.

Host: testphp.vulnweb.com
Connection: keep-alive
Content-Length: 140
Cache-Control: max-age=0
Origin: http://www.vulnweb.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.vulnweb.com/updateif.php
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: login=acuart%2Facuart

urname=h4xor&ucc=1111-2222-3333-4444&uemail=spam%40myspam.com&uphone=%2B800+666+666+666&uaddress=Hacking+the+universe%21%21%21&update=update

The above HTTP POST request shows that the Host to which the POST request is sent is testphp.vulnweb.com but the origin is www.vulnweb.com with a referrer being the updateif.php page of the attackers website. Moreover, the Cookie information is included in the POST request which is the first requirement in order for the POST request to be authenticated and the CSRF to be realized. Finally, the parameters information is included in the POST request and will be submitted to the target website.

When the POST request is made the browser already has the authentication session for the target website and it includes the authentication details in the POST request as it should do in any other legitimate POST request made by the victim. This particular rogue POST request is exactly the same as a legitimate POST request with the same Host target but from a different origin. The browser, as normal, sends the POST request and the server (in this case) is not able to differentiate between a legitimate and rogue POST request since both are performed by the trusted browser in the same way.

There is not any information included in the POST request (such as a token value, seen later) which will help the server to validate a POST request as not malicious. This results in the server processing both POST requests in the normal way.

From the above image you can notice that the profile information of the victim on the target website has been changed.

The rogue information was submitted and successfully updated the victim’s profile on the target website. The victim has no indication of what happened since this operation is transparent to the user. The attacker has completed his attack successfully in this scenario. In another scenario an attacker could change the admin passwords, perform illegal transactions, and more.

NOTE: The particular operation will be performed for any user that accesses the attacker’s website. In case the particular user has an account in the target website and is logged in, then the user’s profile information will be updated with the ones of the attacker. For this particular example, we assumed that there were no security measures in place that might block the CSRF attack.

Prevention Measures

There are many suggested prevention measures that can be implemented to mitigate CSRF attacks. Some of them, though, are not complete solutions and leave room for the attack to still work. For example:

The use of a secret cookie – This method will not work because all cookies related to the target website will be submitted as usual as in a normal (legitimate) HTTP request.

Accept POST requests only – This suggestion falls short because attackers can deceive an end-user to submit a forged POST request unknowingly using social engineering methods.

URL Rewriting – An incomplete solution since some session information is included or exposed in the URL.

Let’s take a look at some measures that do actually mitigate a CSRF attack.

Use of Tokens

A prevention measure could be the implementation and inclusion of tokens in a user’s (current) session. Tokens are long cryptographic values that are difficult to guess. These will be generated when a user’s session begins and will be associated with this particular user’s session. This challenge token will be included in each request, which will be used by the server side to verify the legitimacy of the end-user’s request.

In order for an attacker to forge a HTTP request, they would have to know the particular challenge value (token) of the victim’s session. The disclosure of the challenge token in the URL (GET requests) should be done wisely and with awareness of the CSRF attack.

Challenge tokens can be used in the ViewState option of the ASP.NET. Since it is possible for an attacker to obtain or guess the parameter values of a ViewState then the inclusion and use of a token can make the ViewState unique and protected to CSRF attacks.

Moreover, tokens can be used in the submission of double cookies. The server-side will generate a strong random value which will be included in the submitted cookie on the user’s machine. This will act as the session ID. On sending a POST request, the website will require the particular session ID to be included as a hidden value in the submission form and be included in the cookie as well. If the two values are the same, the POST request will be considered as valid and submitted successfully. Therefore, even if the attacker is able to include any value in the form, based on the same-origin policy, the attacker will not be able to retrieve or modify the token value in the cookie and launch a CSRF attack unless they manage to guess the session ID value.

Other Security Measures

Another prevention measure is the use of challenge-response options. Despite the fact that this measure affects the user experience, it can strongly defend against CSRF attacks.

Furthermore, users should be made aware of potential threats. For example, users should:

Log out from web applications when they have finished using them.

Use the web browser with safety – that means making sure not to save any login credentials on the web browser and using legitimate and secure browser extensions.

Finally, you should scan your website using a web vulnerability scanner to detect any Cross-Site Request Forgery vulnerabilities so you can fix them before they cause any issues.

Acunetix Web Vulnerability Scanner will crawl your website, detect any CSRF vulnerabilities and alert you if any are found. It also provides you with a detailed description of weakness and the exact location your website is vulnerable, and gives you a detailed explanation on how to solve it. Make sure your website is secure bydownloading the trial version of Acunetix Web Vulnerability Scanner.

Who are Hackers

2015-12-01T07:24:00.002-08:00

50 Best Hacking Tools!

2015-12-01T07:15:00.000-08:00

50 Best Hacking Tools!

Hacking tools can be dangerous in the wrong hands. But, they can be just as useful for a good ethical hacker too!

Hacking tools have been said to make hacking quite easy as compared to the old days. But, there is still more to being a hacker than just that. Yes, these tools have made it simple, but that is nothing unless you have the knowledge about other aspects of hacking as well. We present tp you a set of must-have hacking tools.

Wireless Hacking: These are tools that help you hack into wireless networks. Wireless hacking tools though useful, do not make you a complete hacker. In order to achieve that, you must learn the different ways in which a secure network can be accessed. Also, you should work on making your own network as secure as possible.

1. Aircrack-ng

2. Kismet

3. inSSIDer

4. KisMAC

Intrusion Detection Systems: Intrusion detection tools are one of the most important part of any security arrangement. They allow you to detect those threats that are potentially dangerous for your system.

1. Snort

2. NetCop

Port Scanners

1. Nmap

2. Superscan

3. Angry IP Scanner

Encryption Tools: In an age where more and more governments are being found spying on their own citizens, encryption is the word of the day. These tools allow you to encrypt your data so that even if someone does get through, they can’t get to the data easily.

1. TrueCrypt

2. OpenSSH

3. Putty

4. OpenSSL

5. Tor

6. OpenVPN

7. Stunnel

8. KeePass

Password Crackers: The name is pretty self explanatory in this case. These tools help you recover passwords from the data that a computer system is storing or transmitting over a network.

1. Ophcrack

2. Medusa

3. RainbowCrack

4. Wfuzz

5. Brutus

6. L0phtCrack

7. fgdump

8. THC Hydra

9. John The Ripper

10. Aircrack - Aircrack is 802.11 WEP and WPA-PSK keys cracking program.

11. Cain and Abel

Packet Crafting: Packet crafting is the technique through which an attacker finds vulnerabilities or entry points within your firewall. These tools help you achieve that more easily.

1. Hping

2. Scapy

3. Netcat

4. Yersinia

5. Nemesis

6. Socat

Traffic Monitoring: These are tools that let you monitor what websites your employees or children are monitoring.

1. Splunk

2. Nagios

3. P0f

4. Ngrep

Packet Sniffers: These are tools that can allow you to capture and visualise the traffic that is coming on your website.

1. Wireshark

2. Tcpdump

3. Ettercap

4. dsniff

5. EtherApe

Vulnerability Exploitation: These are the tools that you would use in order to gain access to various places.

1. Metasploit

2. sqlmap

3. sqlninja

4. Social Engineer Toolkit

5. NetSparker

6. BeEF

7. Dradis

Vulnerability Scanners: These are programs that have been designed to asses a computer or network’s vulnerability to attacks. The functionality of these tools varies from one to the other, but they all present a detailed analysis of how vulnerable your system is.

1. Nessus

2. OpenVAS

3. Nipper

4. Secunia PSI

5. Retina

6. QualysGuard

7. Nexpose

Web Vulnerability Scanners: While vulnerability scanners are meant for your system, web vulnerability scanners assess the vulnerability of web applications. The identify the security vulnerabilities that your app may have through various tests.

1. Burp Suite

2. WebScarab

3. Websecurify

4. Nikto

5. w3af

Web Proxies: Proxies were originally created in order to add encapsulation to distributed systems. The client contacts a proxy server in order to request an item that exists on your server.

1. Paros

2. Fiddler

3. Ratproxy

4. sslstrip

Rootkit Detectors: This tool is a file and directory integrity checker. It verifies if a file is trustworthy and informs the user if found otherwise.

1. AIDE (Advanced Intrusion Detection Environment)

Firewalls: You obviously know what a Firewall is. These monitor and control the traffic in your network, whether incoming or outgoing. They are essential security tools that are used by the most novice to the most advanced users.

1. Netfilter

2. PF: OpenBSD Packet Filter

Fuzzers: The concept of fuzzing is usually put to use in order to test the security vulnerabilities of computer systems or in the software that runs on them.

1. skipfish

2. Wfuzz

3. Wapiti

4. W3af

Forensics: This refers to tools that are used for computer forensic. They are used in order to find evidence that is existing in computer systems.

1. Sleuth Kit

2. Helix

3. Malteg0

4. Encase

Debuggers: These are tools that are used in order to write exploits, reverse engineer binary files and to analyse malware.

1. GDB

2. Immunity Debugger

Hacking Operating Systems: These are operating systems that have been designed specifically for hackers. These distros are preloaded with tools that a hacker needs etc.

1. Backtrack 5r3

2. Kali Linux

3. SELinux

4. Knoppix

5. BackBox Linux

6. Pentoo

7. Matriux Krypton

8. NodeZero

9. Blackbuntu

10. Samurai Web Testing Framework

11. WEAKERTH4N

12. CAINE (Computer Aided Investigative Environment)

13. Bugtraq

14. DEFT

15. Helix

Other Hacking Tools: There are also other miscellaneous hacking tools that are often used by hackers. They can’t be put into a particular category, but they are still quite useful.

1. Netcat

2. Traceroute

3. Ping.eu

4. Dig

5. cURL

Attackers Embracing Steganography to Hide Communication

2015-11-18T09:21:00.000-08:00

Encouraged by patterns carried out on a larger scale recently, researchers believe digital steganography has arrived as a legitimate method for attackers to use when it comes to obscuring communication between command and control servers.

In a presentation last week at Black Hat Europe researchers with Crowdstrike and Dell SecureWorks cited a handful of campaigns that depend on steganography that have flourished lately.

Steganography, or the art of hiding information inside media, isn’t a particularly new concept, but the researchers claim that malware programmers and operators appear taken with the technique as of late.

Pierre-Marc Bureau, a senior security researcher at Dell SecureWorks and Dr. Christian Dietrich, a senior researcher with Crowdstrike, say one of the most recent examples can be found in an instance of “Foreign,” a DDoS tool the two looked at recently which relies on messages hidden in HTTP error messages. The tool parses the page, which appears to be a generic 404 page at first glance, but actually contains a C2 command, hidden from the human eye.

The command – encoded using Base64 and stored between HTML comment tags – prompts the bot to download a file from a given URL.

The tool is the latest entry to a growing field of malware that excels at communicating via a stealthy C2 channel.

Again, Bureau and Dietrich insist the technique as a whole isn’t new, but that the method has grown more sophisticated lately. The two also discussed how three malware families – Lurk, Gozi, and Stegoloader – have also leveraged the technique over the past several years.

Lurk, malware that downloads click fraud malware, was spotted in 2014 hiding the URL where it grabs content from in a .BMP image. Gozi, known for perpetrating bank fraud, began using steganography at the beginning of this year “as a backup mechanism to retrieve URLs where it could download its configuration file.” The malware encrypts information in a favicon.ico file hosted on TOR.

Researchers with SecureWorks first described the Stegoloader malware, which operates in a similar fashion to Lurk, earlier this year. The malware relies on a deployment module that grabs a PNG file that contains malware. Once dropped, the malware is mostly used to steal system information but can also be used to load additional modules that access documents, list installed programs, steal browser history, and drop more malware that steals passwords, Pony.

"Distrust and caution are the parents of security" - Benjamin Franklin

Cryptowall ransomware creators earned a massive $325 million bitcoin ransom

2015-11-03T06:55:00.000-08:00

Cryptowall ransomware is minting millions in bitcoin for its developer

Who says crime never pays, cryptowall is paying fantastic returns for its developers. According to a report by Cyber Threat Alliance, the CryptoWall ransomware campaign has generated more than $325 million in ransom income for the malware developers.

The report was published earlier this week by the Cyber Threat Alliance, founded by Intel Security, Symantec, Palo Alto Networks and Fortinet. The report states that Cryptowall has till now affected $325m worth of ransomware victim payments and made more than 400,000 attempts to infect computers with the third variant of CryptoWall (CW3), many of which appear to have focused on targets in North America.

The report states that the ransomware originates from a single entity, evidence of which is available in both the code as well as the web of bitcoin payments trackable on the public blockchain. The report notes that Armenia, Belarus, Iran, Kazakhstan, Russia, Serbia and Ukraine are blacklisted, meaning the malware won’t operate in those regions and suggesting possible points of origin.

The report’s authors add that an analysis of bitcoin transactions tied to known ransom campaigns points to the common use of bitcoin wallets across those campaigns, stating:

“As a result of examining this financial network, it was discovered that a number of primary wallets were shared between campaigns, further supporting the notion that all of the campaigns, regardless of the campaign ID, are being operated by the same entity.”

The report states that the ransomware makers are quite flexible in their ransom bitcoin demands. The known ransom demand range from the hundreds to thousands of dollars, according to the report – are then washed through multiple addresses and known bitcoin services, though none are named directly in the report. Some of the funds are essentially reinvested in new exploit kits or rent payments for botnets.

Revenue-wise, the report’s authors note that, for its backers, CryptoWall “is extremely successful and continues to provide significant income”.

“One variant alone involved with the ‘crypt100’ campaign identifier resulted in over 15,000 victims across the globe,” the report states. “These 15,000 victims alone would account for, at minimum, roughly $5m in profit for the CW3 group.”

Read the full report below:

CryptoWall Report

New Types of Reflection DDoS Attacks Spotted

2015-11-01T09:24:00.002-08:00

A new threat advisory published this week by Akamai’s Security Intelligence Response Team warns organizations about three new types of reflection distributed denial-of-service (DDoS) attacks observed in recent months.

There are well over a dozen UDP protocols that can be abused for the reflection and amplification of DDoS attacks, including DNS, NTP, SSDP, BitTorrent, RIPv1, mDNS, CharGEN, QOTD, NetBIOS, and Portmap. While some of these services have been abused for a long time, others are not as popular among attackers.

According to Akamai, attackers have recently started abusing the RPC portmap service, NetBIOS name servers, and Sentinel licensing servers.

The content delivery network (CDN) service provider reported spotting attacks leveraging NetBIOS, a service used by applications on separate computers to communicate over a LAN, sporadically between March and July 2015. In the attacks observed by the company, the attackers obtained amplification rates ranging between 2.56 and 3.85. Of the four attacks seen by Akamai, the largest peaked at 15.7 Gbps.

Another uncommon type of reflection attack spotted over the past period by the CDN company abused RPC Portmap (Portmapper), an Open Network Computing Remote Procedure Call (ONC RPC) service designed to map RPC service numbers to network port numbers.

These types of attacks are much more powerful than the ones leveraging NetBIOS, with the largest attack exceeding 100 Gbps. While the most common amplification factor observed by Akamai was approximately 10, experts noticed one instance where the traffic sent to the targeted server was multiplied more than 50 times.
Akamai said it had observed such attacks almost every day in September. In August, when the company noticed the first RPC Portmap reflection attacks, telecoms firm Level 3 Communications also warned organizations about such threats.

Another type of attack abuses Sentinel license servers, which are used to enforce and manage licensing in multi-user environments. The first such attack was observed by Akamai in June 2015 and it leveraged a vulnerable Sentinel server used by Stockholm University in Sweden. In September, Akamai mitigated a couple of Sentinel reflection DDoS attacks aimed at a gaming company and a financial firm, with a peak bandwidth of 11.7 Gbps detected for one of these attacks. DDoS protection company Nexusguard also warned about such attacks last month.

While the amplification factor for such attacks can exceed 40, attackers are limited by the fact that there aren’t many Sentinel servers that can be abused. Only 745 unique sources of attack traffic have been identified, Akamai said in its report.

"Although reflection DDoS attacks are common, these three attack vectors abuse different services than we've seen before, and as such they demonstrate that attackers are probing the Internet relentlessly to discover new resources to leverage," said Stuart Scholly, senior vice president and general manager at Akamai’s Security Business Unit. "It looks like no UDP service is safe from abuse by DDoS attackers, so server admins need to shut down unnecessary services or protect them from malicious reflection. The sheer volume of UDP services open to the Internet for reflection DDoS attacks is staggering."

Earlier this week, Symantec warned that attackers had started abusing MySQL servers infected with a piece of malware dubbed “Chikdos” for DDoS attacks.

Hacking Team Offering Encryption Cracking Tools to Law Enforcement Agencies

2015-11-01T09:17:00.001-08:00

Hacking Team, the infamous Italy-based spyware company that had more than 400 GB of its confidential information stolen earlier this year, has resumed its operations and started pitching new hacking tools to help US law enforcement gets around their encryption issues.

Yes, Hacking Team is back with a new set of Encryption Cracking Tools for government agencies as well as other customers to break encrypted communications.

The announcement came in an email pitch sent to existing and potential new customers on October 19 when Hacking Team CEO David Vincenzetti confirmed that Hacking Team is now"finalizing [its] brand new and totally unprecedented cyber investigation solutions."

The e-mail is not made public, but Motherboard has been able to obtain a copy of it that states:

"Most [government agencies] in the United States and abroad will become 'blind,' they will 'go dark,' they will simply be unable to fight vicious phenomena such as terrorism," wrote Vincenzetti. "Only the private companies can help here; we are one of them."
"It is crystal clear that the present American administration does not have the stomach to oppose the American IT conglomerates and to approve unpopularly, yet totally necessary, regulations," He added.

Game Changers

The brand new cyber investigation solutions here, of which Vincenzetti is talking about, will be "Game Changers."

The announcement came roughly 4 months after a mysterious hacker or group of hackers hacked into Hacking Team's servers, leaking more than 400 gigabytes of internal data, including:

Internal emails
Hacking tools
Zero-day exploits
Surveillance tools
Source code for Spyware suite, called Remote Control System (RCS)
A spreadsheet listing every government client with date of purchase and amount paid

Remote Control System Version 10 (RCS 10)

Since then, Hacking Team has reportedly been working on launching a new revamped 10th edition of its proprietary Remote Control System, RCS 10.

Hacking Team is known for its Remote Control System (RCS) spyware, also known as Galileo, which is loaded with a number of zero-day exploits that have the ability to monitor the computers of its targets remotely.

However, it's still unclear when the company will actually release RCS 10. Also, it is all set to be seen as to which law enforcement agencies will take the Hacking Team offer, given its recent security breach.

Hackers 24x7

The latest from Blogger Buzz

The latest from Blogger Buzz

Keep your readers interested with the AdSense Guide to Audience Engagement

You can use this website to share self destructing encrypted file

ENCRYPTED FILES SHARED VIA THIS WEBSITE WILL SELF DESTRUCT IN 24 HOURS

What Is A Web App Attack, How Does It Work — 5 Stages Of A Web App Attack

What Is A Web App Attack, How Does It Work

Anatomy of a Web App Attack – Visually Explained

How PING Could Save and Prevent Deadly Accidents

IAN TRUMP OF LOGICNOW WONDERS WHETHER THE HUMBLE PING COULD BE OUR SAVIOUR

Leaving your websites open to attack?

Leaving your websites open to attack? 70% of websites and networks are hackable! Close your doors shut before hackers find you CSRF Attacks, XSRF or Sea-Surf – What They Are and How to Defend Against Them

A Simple Example of a Cross-Site Request Forgery

CSRF Example Using an HTTP POST Request

Prevention Measures

Use of Tokens

Other Security Measures

Who are Hackers

50 Best Hacking Tools!

Attackers Embracing Steganography to Hide Communication

Cryptowall ransomware creators earned a massive $325 million bitcoin ransom

Cryptowall ransomware is minting millions in bitcoin for its developer

New Types of Reflection DDoS Attacks Spotted

Hacking Team Offering Encryption Cracking Tools to Law Enforcement Agencies

Game Changers

Remote Control System Version 10 (RCS 10)

Leaving your websites open to attack?

70% of websites and networks are hackable!

Close your doors shut before hackers find you

CSRF Attacks, XSRF or Sea-Surf – What They Are and How to Defend Against Them