Hackers' Lounge:1

[Link] Understanding TTY

noreply@blogger.com (SoCo) — Fri, 21 Sep 2012 20:46:00 +0000

www.linusakesson.net
Linus Åkesson (July 25, 2008)

<The TTY demystified>

RuggedCom Unresponsive, Rugged Operating System (ROS®) Backdoor Disclosed

noreply@blogger.com (SoCo) — Wed, 25 Apr 2012 04:20:00 +0000

A factory backdoor account in RuggedCom's Rugged Operating System (ROS®) has been disclosed. <RuggedCom> is a manufacturer of rugged networking equipment popular in industrial, utility, and defense industries. These sensitive consumers of frequently security sensitive networking devices have recently been informed by RuggedCom, who has acknowledged the backdoor. Due somewhat to RuggedCom's unresponsiveness after acknowledgement, this information was publicly disclosed. According to the disclosure, an undocumented account, "factory", which cannot be disabled, is included in all released versions of ROS® with a password generated from the device's MAC address.

<Secunia - Full Disclosure CVE-2012-1803 (April 23, 2012)>

#!/usr/bin/perl
if (! defined $ARGV[0]) {
print "+========================================== \n";
print "+ RuggedCom ROS Backdoor Password Generator \n";
print "+ JC CREW April 23 2012 \n";
print "+ Usage:\n$0 macaddress \n";
print "+========================================== \n";
exit; }
$a = $ARGV[0];
$a =~  s/[^A-F0-9]+//simg;
@b = reverse split /(\S{2})/,$a;
$c = join "", @b;
$c .= "0000";
$d = hex($c) % 999999929;
print "$d\n";

CISPA - US Internet Survalience Bill

noreply@blogger.com (SoCo) — Sun, 22 Apr 2012 17:01:00 +0000

Customers voice their opinion to supporters of the newest dangerous Internet bill, CISPA (H.R. 3523).

Cyber Intelligence Sharing and Protection Act (CISPA), also known as H.R. 3523, is not just another horribly irresponsible SOPA / PIPA. This bill focuses on a real issue, but does it the most horrible and irresponsible way possible.

CISPA is meant to lay the foundation for private companies and Internet service providers to share information with the US Government about cyber security threats. The main problems are the lack of any real definition to what a threat is, the bypassing of all existing laws to protect collection and sharing of your personal data by private companies, the lack of restriction of what information can be shared and with who, the warrant-less unrestricted sharing of data with the NSA, DHS, and other government agencies, and encouragement of heavy broad surveillance of citizens.

This bill will directly encourage private companies such as your cellular carrier (Verizon / AT&T), your operating system (Microsoft), your anti virus scanner (Symantec), and your Internet service provider (ISP) to collect huge amounts of your personal data to a level that would previously be illegal. This CISPA authority would override privacy protection laws (such as protecting of your medical records), local eavesdropping and wiretapping laws, and allow collection of almost any data based on recklessly vague "cybersecurity" purposes. This private companies would be able to collect this data anonymously without ever having to tell you they collected it or what they collected. They would be free to share the data with any company they want, possibly even selling the data, with complete immunity to legal actions such as lawsuits of criminal charges for privacy violations. They would be allowed to dump all this data on any US Government agency without requiring a warrant.

This is at the wake of the NSA beginning building the country's biggest spy center in Utah. As well as a recent NSA whistle-blower's claim that the US Government has illegally been engaged in wide spread Internet surveillance for quite some time having intercepted 20 Trillion communications and has copies of "most of your Emails". Again, illegally and therefor with no oversight, I might add.

CISPA (H.R. 3523) is another horrible dangerous and irresponsible bill that will erode all existing personal data and privacy protection laws, and give ALL your data to private companies to use and abuse under the table with complete immunity from legal repercussions.

Verizon disgustingly supports this bill. We call on you, Verizon, to change your stance away from this strong-arm theft and abuse of citizens personal data!

Verizon's letter of support for CISPA:
http://intelligence.house.gov/sites/intelligence.house.gov/files/documents/Verizon113011.pdf

More Information:

Electronic Freedom Foundation:
http://cyberspying.eff.org/

TIME Magazine:
http://techland.time.com/2012/04/19/5-reasons-the-cispa-cybersecurity-bill-should-be-tossed/

Source: Verizon Wireless Community Forum
April 22, 2012 12:00PM
(The original text has been modified for formatting, linking, and alignment.)

Some other supporters:

AT&T
Boeing
BSA
Business Roundtable
CSC
COMPTEL
CTIA - The Wireless Association
Cyber, Space & Intelligence Association
Edison Electric
EMC
Exelon
Facebook
The Financial Services Roundtable
IBM
Independent Telephone & Telecommunications Alliance
Information Technology Industry Council
Intel
Internet Security Alliance
Lockheed Martin
Microsoft
National Cable & Telecommunications Association
NDIA
Oracle
Symantec
TechAmerica
US Chamber of Commerce
US Telecom - The Broadband Association
Verizon

Steam Warns User's Personal Info and Credit Card Data Swiped in Last Year's Intrusion

noreply@blogger.com (SoCo) — Sun, 12 Feb 2012 22:33:00 +0000

<Steam>, the popular gaming digital rights management platform by <Valve>, pushed an update today containing an "update news" page, which warned of the discovery that personal data was stolen in last year's intrusion. Steam warned that a copy of a backup file about transactions between 2004 and 2008 may have been obtained. Steam assured that no Steam account passwords were included, but mentioned the following user data being contained in the taken data:

User Names
EMail Addresses
Encrypted Billing Adresses
Encrypted Credit Card Information

Steam Update News Text:

February 10th, 2012
Dear Steam Users and Steam Forum Users:

We continue our investigation of last year’s intrusion
with the help of outside security experts. In my last
note about this, I described how intruders had accessed
our Steam database but we found no evidence that the
intruders took information from that database. That is
still the case.

Recently we learned that it is probable that the
intruders obtained a copy of a backup file with 
information about Steam transactions between 2004 and
2008. This backup file contained user names, email
addresses, encrypted billing addresses and encrypted
credit card information. It did not include Steam
passwords.

We do not have any evidence that the encrypted credit
card numbers or billing addresses have been compromised.
However as I said in November it’s a good idea to watch
your credit card activity and statements. And of course
keeping Steam Guard on is a good idea as well.

We are still investigating and working with law
enforcement authorities. Some state laws require a more
formal notice of this incident so some of you will get
that notice, but we wanted to update everyone with this
new information now.

Gabe

Fight SOPA and PROTECT IP

noreply@blogger.com (SoCo) — Wed, 18 Jan 2012 03:31:00 +0000

This blog would be forced offline if the currently proposed U.S. legislature is passed.

SOPA and PROTECT IP are poorly defined, easily abused, unclear bills proposed to the U.S. House and Senate with unrealistic expectations of Internet technology, which will stifle free speech and innovation while giving the U.S. Government the ability to censor the U.S. Internet and seize U.S. domain names with little reason or limitation. Enforcement of these bills would require the restructuring of many web services which would affect Internet users globally.

These bills threaten a blog like this through vague terminology lacking definitions, such as "committing or facilitating the commission of criminal violations" [of copyright infringement or counterfeit products]. "Facilitation" can often be argued as simply teaching or demonstrating how to do something. As I interpret this, any website with Hacking/Hacker/Hack in the name or topic would technically be automatically out of compliance and be at the mercy of enforcement of these laws to not permanently seize associated domain names and possibly further prosecute owners.

These bills create a largely undefined take down process that will clearly leave many types of web services, such as the free blog host here at blogger.com, unable to meet requirements. No provisions for abuse make these vague bills a prime target for more abuse than the DMCA takedown request system has historically endured.

Some other concerning areas of these bills include provisions against circumvention of such measures, which the U.S. State department funds creating hypocritical tools for doing just that, to offer citizens under [foreign]"repressive regimes" uncensored access to the internet.

Please do all you can to educate the public and urge U.S. citizens to contact their government representatives urging them to vote against these reckless bills.

Bill text PROTECT IP (Senate):
http://hdl.loc.gov/loc.uscongress/legislation.112s968

Bill text SOPA - Stop Online Piracy Act (House):
http://hdl.loc.gov/loc.uscongress/legislation.112hr3261

A Layman's examination:
http://blog.reddit.com/2012/01/technical-examination-of-sopa-and.html

History of DCMA takedown abuse:
https://www.eff.org/takedowns

How these bills violate free speech and innovation:
https://www.eff.org/deeplinks/2012/01/how-pipa-and-sopa-violate-white-house-principles-supporting-free-speech

U.S. State department funds tools to circumvent censoring:
http://www.bloomberg.com/news/2011-04-20/u-s-funds-help-democracy-activists-evade-internet-crackdowns.html

I apologize for any inconvenience. We will be returning soon.

SoCo

[Link] Source Code of Older Symantec Antivirus Stolen

noreply@blogger.com (SoCo) — Fri, 06 Jan 2012 15:04:00 +0000

Security Week
Brian Prince (January 06, 2012 - Updated)

<Symantec Investigating Possible Theft of Norton AV Source Code>

Update:
<Facebook - Symantec confirms>

Antisec Gives Christmas Present to the Public, Massivly Owning Stratfor's Servers

noreply@blogger.com (SoCo) — Tue, 27 Dec 2011 17:25:00 +0000

Stratfor, <(Wiki)Strategic Forecasting, Inc.>, is a global intelligence company founded in Texas in 1996. They are known for publishing security newsletters to the public. They also provide custom intelligence reports for clients such as major corporations, the U.S. military, and international government agencies.

The Antisec wing of Anonymous, revealed Saturday, on Christmas Eve, that they had compromised several("four") Stratfor servers and posted credit card details of a few Stratfor customers on IRC servers. Stratfor's site is still down with after being <(mirror)defaced>. The group claims plans to dump up to 200 gigabytes worth of data leading up to New Year’s Eve. Participants estimated they had already donated between $500,000 and $1,000,000 to charities fraudulently.

A Antisec participant explains motive for the attack, stating, “That there will be repercussions for when you choose to betray the people and side with the rich ruling classes.”

The biggest revelation seems to be how terribly insecure the security intelligence firm's servers were. Claims were made that Stratfor saved client data in clear text and even stored card security codes, a practice prohibited by credit card companies.

Stratfor, known for their secrecy and big name secret clients, has their proported client list posted (Although, some claim it may only be a subscriber list.)

<Proported client list (pastebin)>

Quinn Norton (December 26, 2011)
<Wired.com - Antisec Hits Private Intel Firm; Million of Docs Allegedly Lifted>

Fight SOPA!

noreply@blogger.com (SoCo) — Thu, 15 Dec 2011 14:12:00 +0000

Fight SOPA!

The US House Judiciary Committee is meeting Today to mark up a bill that threatens all US websites. User contributed services such as blogger/blogspot that host this blog are particularly threatened.

(Wiki)SOPA - Stop Online Piracy Act

EFF - Electronic Frontier Foundation's stop SOPA efforts

Mozilla's stop SOPA efforts

Boing Boing's stop SOPA efforts

Tumblr's stop SOPA efforts in the news (cnet.com)

Founders of Google and EBay attack SOPA in the news(Bloomberg)

An open letter from 83 prominent Internet inventors and engineers sent to members of the United States Congress (EFF.org)

Another CA Compromised

noreply@blogger.com (SoCo) — Thu, 08 Dec 2011 16:48:00 +0000

itworld.com
Lucian Constantin, IDG News Service (December 08, 2011)

<Dutch SSL certificate provider Gemnet investigates website compromise>

[Video Link] Facebook Social XSS by Copy-Paste

noreply@blogger.com (SoCo) — Sat, 19 Nov 2011 23:45:00 +0000

Matt Jones (November 19, 2011)
(Video hosted on Facebook as public in Matt's gallery)

<Facebook Social XSS by Copy-Paste>

[Link] US Water Utility Pump Destroyed After Hack

noreply@blogger.com (SoCo) — Sat, 19 Nov 2011 22:48:00 +0000

PCMag.com
Chloe Albanesius (November 18, 2011)

<Illinois Water Utility Pump Destroyed After Hack>

[Link] SQL Injection Start to Finish Example

noreply@blogger.com (SoCo) — Sat, 29 Oct 2011 00:32:00 +0000

(Moderate SQL understanding expected)

Mathy Vanhoef (October 26, 2011)

<Exploiting 'INSERT INTO' SQL Injections Ninja Style >

[Link] EFF - How secure is HTTPS today? How often is it attacked?

noreply@blogger.com (SoCo) — Wed, 26 Oct 2011 01:09:00 +0000

<Peter Eckersley> - Technology Projects Director, Electronic Frontier Foundation (October 25, 2011)

< EFF - How secure is HTTPS today? How often is it attacked?>

[Links] More Surfaces On German State Sponsored Trojan

noreply@blogger.com (SoCo) — Wed, 19 Oct 2011 16:40:00 +0000

Secure List (Kaspersky Lab) - Tillmann Werner (October 18, 2011)

<Secure List - Federal Trojan's got a "Big Brother">

F-Secure - Sean (October 11, 2011)

<F-Secure - More Info on German State Backdoor: Case R2D2>

Dennis Ritchie, creator of the C programming language dead at 70

noreply@blogger.com (SoCo) — Thu, 13 Oct 2011 15:10:00 +0000

Rumors that Dennis Ritchie had passed have been confirmed. Dennis was known for developing the C programming language and being a key developer of the UNIX operating system. He was 70 years old. <Dennis Ritchie (wiki)>

[Link] F-Secure: Mac Trojan Flashback.B Checks for VM

noreply@blogger.com (SoCo) — Thu, 13 Oct 2011 01:02:00 +0000

Brod - Threat Solutions (October 12, 2011)

<F-Secure - Mac Trojan Flashback.B Checks for VM>

European Hacker Group Analyzes Germany's Federally Sponsored Trojan

noreply@blogger.com (SoCo) — Sun, 09 Oct 2011 17:34:00 +0000

A European hacker group, <Chaos Computer Club> (site mostly in German), has published an analysis of Germany's federally sponsored trojan, used by German police forces, revealing it's functionality may violate guidelines set by Germany's constitutional court ("Bundesverfassungsgericht").

(Oct 8, 2011)
<Chaos Computer Club analyzes government malware (English)>

ZDNet later published the following article which summarizes the situation well, adding background and <confirmation from F-Secure's analysis>.

(Ed Bott October 8, 2011)
<(ZDNet)German government accused of spying on citizens with state-sponsored Trojan>

Payload Anatomy of InMotion Hosting Defacements

noreply@blogger.com (SoCo) — Sun, 02 Oct 2011 05:28:00 +0000

The Attack

<InMotion Hosting> was hacked leaving more than 70,000 websites compromised on the weekend of September 23, 2011. One of many news articles that covered the attack:

(Article by Jack Phillips Sep 29, 2011)
<The Epoch Times: Hosting Firm InMotion Hacked, Thousands of Websites Defaced>

The Defacement

This attack appears to be a host-wide defacement. The defaced websites had hacked-by pages added to their site which credited "TiGER-M@TE":

(This is a screen shot of the defacement page, index.php )

From the perspective of the customer, there were no access, web, or ftp log entries. A file named hacked_page was dropped in to the root www directory and was propagated to all the immediate sub-directories as index.php.

<index.php contents>(pastebin.org)

Encoding

This PHP page contains only HTML and JavaScript. A close look at its contents shows that it uses some cleaver encoding in an attempt to avoid security fingerprinting, which could later allow for easy automated detection.

A common technique is to represent malicious JavaScript code in escaped hexadecimal character format, then pass that through JavaScript's unescape function at run time. First, this obscures the malicious code. With some small adjustments, the same encoded contents can be generated in many copies all uniquely different. But, with a little time one can decode the page's contents.

The unescape function decodes the URL escape character syntax as well as the JavaScript escape character syntax. The defacement page used both, one over top of the other:

found in index.php
(JavaScript escaped hexadecimal characters)

\x25\x33\x43\x25\x37\x33\x25\x36\x33\x25\x37\x32\x25\x36\x39\x25\x37\x30\x25\x37\x34

unescape's to...
(URL escaped hexadecimal characters)

%3C%73%63%72%69%70%74

unescape's to...
(The start of an HTML tag that will contain the malicious JavaScript)

<script

This is not a new technique and is easily decoded after the fact. After coding up a quick tool I was able to decode the page:

<index.php decoded>(pastebin.org)
(The decoded contents are noted in JavaScript comments.)

I've created an open source tool for decoding escaped hex, <Unescape>, so you can follow along.

Analyzing this shows that this page has five parts of interest:

Connection to statistics tracking service
Window animation and color cycling
A base64 embedded GIF image (not hex-coded)
"Hacked" image
Playing of an embedded Flash file (apparently for auto playing audio)

Statistics tracking

Line #33 of the <decoded page> (line #11 originally) defines the function details. This function is set as an onclick event for the "TiGER-M@TE" text. The function open three web pages when triggered, two different statistics tracking service links at <zone-h> and one Google search of "Hacked by TiGER-M@TE" through <LMGTFY (Let Me Google That For You)> The statistics at zone-h can be viewed here:

<zone-h notifier: TIGER-M@TE>

<zone-h notifier: TIGER-M@TE special=1>

Window animation

Line #40 through #133 of the <decoded page> (also line #11 originally) defines a timed script of moving and resizing the browser window in some sort of animated show while cycling colors.

Embedded base64 GIF image

Line #148 of the <decoded page> (the end of line #11 originally) contains a GIF image embedded in the page using <base64(wiki)> encoding. This appears to merely be a faded line. As we'll seen next, maintaining image hosting seems like a challenge for the defacers.

"Hacked" image

Line #183 of the <decoded page> (then end of line #15 originally) is some encoded JavaScript to add an image tag to a small image of the word "Hacked". This <image is hosted on Fotonons.ru> but the tag is crafted to fall back on <the same image hosted at BayImg.com>. This seems to highlight the perceived difficulty of maintaining image hosting during the peak of the defacement activity.

Embedded flash audio

The code inside the "mp3 code starts from here" HTML comments turned out to be the most complicated. This part was encoded in multiple layers and revealed a custom character transformation function. First the contents had some key characters escaped with JavaScript hex characters, the entire resulting contents was escaped with URL escaped hexadecimal characters, then the resulting contents was additionally escaped with JavaScript hex characters. Pealing this away reveals a dF function which provided a custom transformation decoder for decoding the accompanying section of escaped data:

<index.php decoded dF function>(pastebin.org)

This decoder merely did some basic arithmetic to each character's value. The final results start at line 200 of the <decoded page>. This resulting code adds the following flash file to the page for auto-play:

http://77.247.69.68/.../By_TiGER-M@TE.swf

The host 77.247.69.68 <resolves> to <Rackhosting.com> in Denmark. The link, with its peculiar "..." directory, seemed dead as as soon as tested.

Variable Names

The "_0x9355" style of JavaScript variable names imply that many documents where intended to be generated with unique variable names. This technique would act as an obfustication while attempting to evade fingerprinting by security applications such as anti-virus and intrusion detection services.

Summary

The index.php defacement page propagated nearly one hundred thousand times in recently compromised <InMotion Hosting> web sites display a decorative brand promotion while loading a flash file that appeared to be for audio, but was unrecovered. A statistics tracking service was used and a couple of mostly common techniques where used to obfusticate the JavaScript code in an apparent attempt to evade filtering and detection by security services.

UPDATES:

10/2/2011 - Added decoded dF function pastebin
10/8/2011 - Added open source Unescape tool.

[Link] Gentoo Pleas For Help

noreply@blogger.com (SoCo) — Mon, 26 Sep 2011 03:23:00 +0000

Donnie Berkholz (September 14, 2011)

<LWN.net : The state of Gentoo>

[Link] Reverse Connection ICMP Shell

noreply@blogger.com (SoCo) — Thu, 22 Sep 2011 02:39:00 +0000

(Friday, 15 April 2011)

<Reverse connection: ICMP shell>

DigiNotar Issued Fraudulent Google Certificate

noreply@blogger.com (SoCo) — Tue, 30 Aug 2011 20:54:00 +0000

<DigiNotar> is a Dutch Certificate Authority who issued a rogue SSL certificate to somebody in Iran on July 10th, 2011 for the domain name .google.com. This allows the certificate holders the ability to possibly carry out a man in the middle attack on most of Google's services, including GMail, Google+, and Google Docs.

DigiNotar is a wholly owned subsidiary of VASCO Data Security International. On August 30, 2011 <VASCO released a public statement> acknowledging that their DigiNotar Certificate Authority infrastructure was hacked on July 19, 2011, and was used to issue fraudulent CA's for a number of domains, including Google.com. <Some digging by F-Secure> found defacements left over from at least two separate intrusions that could be years old.

The Google Chrome browser <has an extra fine grained set of CA's with the authority to sign for Google> which is rumored to have protected Google Chrome users.

Firefox suggested revoking DigiNotar and <provides instructions for revoking the CA> in your local browser.

Fraudulent Digital Certificates Could Allow Spoofing (Aug 29, 2011)
<Microsoft Security Advisory (2607712)>

UPDATE (Aug 31, 2011):
<Mozilla pushes Firefox 6.0.1 update explicitly to revoke the DigiNotar CA>

[Link] Inserting fake certificates to sniff SSL and hijack DNS

noreply@blogger.com (SoCo) — Thu, 18 Aug 2011 03:18:00 +0000

seventhoctober.net (Aug 17, 2011)

<SSL MITM with an inserted CA and a DNS hijack>

[Link] How to find 0-day in browsers

noreply@blogger.com (SoCo) — Thu, 18 Aug 2011 03:07:00 +0000

abazhanyuk.com (August 7, 2011)

<How to find 0-day in browsers>

Linux Version Number Bumped to 3.0

noreply@blogger.com (SoCo) — Wed, 27 Jul 2011 01:53:00 +0000

Linux 3.0 was committed July 22, 2011. The version numbering was bumped up from 2.6.xx to 3.0 in honor of 20 years of Linux, without the large changes a major version number change would normally imply.

InfoWorld (July 22, 2011)

<InfoWorld - Linux 3.0 a steady step forward>

Geany text edittor

noreply@blogger.com (SoCo) — Sun, 22 May 2011 18:47:00 +0000

I wanted to take a second to point out a great tool that some might otherwise have overlooked; <Geany>. Based on <(Wiki)Scintilla>, Geany is a light weight, cross-platform, text editor with a familiar layout. Once the packaged plugins are all enabled, Geany goes from, light weight, simple IDE, to system administration and configuration portal with out missing a beat.

Geany is a tabbed file editor with a familiar layout. A left column shows a tree based navigation panel. This doubles as a file browser, project file browser, and symbol list for the current file. A panel across the bottom can switch between compiler output, messages, and a terminal.

The IDE capabilities of Geany are pretty simple. It has most the text editing bells and whistles one is accustomed to, including code highlighting, text folding, and auto-completion. Aside from the integrated terminal, Geany can be configured to do simple make, build, and execute operations, although there doesn't seem to be any debugger integration.

When run with elevated privileges, Geany makes a handy GUI administration tool. Quick file navigation, tabbed file editing, and a terminal combine to make an efficient GUI administration tool. If your already running a GUI, you can be terminal warrior and still have the luxury of a GUI file editor.

Geany is a very light weight text editor released under the GNU General Public Licence. It's light weight GTK+ base makes it great for most window managers and platforms. Geany is a common project, included in most Linux repositories (like Ubuntu), that even has a Windows binary release available.

Geany is definitely a light weight, handy, and flexible tool that shouldn't be overlooked.