My Friends I want to share with you this new release of security acts, the Magazine contains a very interesting articles on Information security.

Thanks for your follow and continues support. Wish you a happy reading!

http://www.securityacts.com/securityacts04.pdf

make sure you subscribe to my RSS feed!

• Security Acts Magazine No.3

WPA2 (Wireless Protected Access ver. 2.0) – is the second version of a set of algorithms and protocols that protect data in wireless networks. As expected, WPA2 should significantly increase the security of wireless networks Wi-Fi compared with previous technologies. The standard provides the mandatory use of more powerful encryption algorithm AES (Advanced Encryption Standard) and authentication of 802.1X.

Panel of researchers reported discovering vulnerability in this protocol while it is widely used as a secure standard for wireless network. AirTight Networks said that this vulnerability concerns networks that match the IEEE802.11 Standard. The first demonstration of this vulnerability will be held in Defcon 18 on this week at Vegas.

Hole 196 is the name of this vulnerability and it uses the Man-in-the-middle method of attack, where the user is authorized in a WiFi network to intercept and decrypt all data transmitted and received by others on the same wireless network. Information that the exploit code will be publicly available, so that everyone can test it and use it, while there will be update by and standardizing bodies have been able to make adjustments in WP2.

Md Sohail Ahmad who will be demonstrating the attack at Defcon says that it took about 10 lines of code in open source MadWiFi driver software, freely available on the Internet, and an off-the-shelf client card for him to spoof the MAC address of the AP, pretending to be the gateway for sending out traffic. Clients who receive the message see the client as the gateway and “respond with PTKs”, which are private and which the insider can decrypt.

We will be following this research especially that all Access points are using this protocol and there should be un update available before the demo to fix this vulnerability.

make sure you subscribe to my RSS feed!

• Security Acts Magazine No.3
• McAfee Announces Major Initiative to Fight Cybercrime
• SecurityTubeCon: first online Hacker Conference
• 60 seconds to Crack Wi-Fi encryption

An online database for a Pizza store chain has been compromised this is According risky.biz, there is no credit card numbers but it contains about 400MB of customer’s information.

Currently Pizza stores are located in New Zealand, England, Australia and Ireland. Customers information are very important for this case as if a hacker managed to get access to these information (full names, addresses, phone numbers, e-mail addresses, passwords and order history ) the emails/phones can be used to extend the spam list and attack while all records and information can be lost.

One source Risky.Biz spoke to says they looked into the security of the website when rumours of the breach started doing the rounds:

Another penetration tester says the Hell Pizza database is an excellent example of “non critical” information
that could still be used by attackers for great benefit.

Now the Hell Pizza invited to notify all costumers about the breach so they can take the security measures regarding thier credentials.

make sure you subscribe to my RSS feed!

• Spreading Ghosts Attacks
• Black Hat USA 2010
• Hacking Approach to VoIP & Skype
• Sniffing/MITM Attacks on Tor network

Leonardo Da vinci is widely considered to be one of the greatest painters of all time, and perhaps the most diversely talented person ever to have lived. Leonardo said that there are three types of people that one may encounter: “Those who see. Those who see when they are shown. Those who do not see.”

But here I want to add a class of people who see even if they are prevented – we are talking about the Hacker class.

One of the first things an attacker will do to compromise a remote system is use a Backdoor. I am referring to a ghost – a piece of software that by running it an attacker can have access to a remote system and collect all activities on the targeted machine.

USBsploit is a tool that is still in beta version and has been created by an Infosec researcher and owner of the popular portal Secubs. This tool makes it simple for any person looking to generate Backdoors within a few steps.

First, you need to start with choosing the right distribution, this can be Backtrack/Debian or Ubuntu with the original dependency from Metasploit, than you can follow the clear and easy steps mentioned on the official website.

When you run USBsploit you will find a menu with the list of action you are looking to perform:

1. Create a Backdoor

2. Create a Backdoor and launch a Listener only for the USB Dump attack

3. Launch a Listener for the USB Dump attack from the last Dump configuration file

4. Update the USBsploit Framework

5. Edit the last Dump configuration file (needs vi)

6. Edit the global options (needs vi)

7. Edit the file extensions set to dump (needs vi)

If you choose to create a Backdoor you will be asked to select the IP address of the listener, and by default it will detect local machine IP.

Next you will be asked to select the kind of backdoor you are looking to deploy, depending on victim’s Operating system:

1. Windows Meterpreter Reverse_TCP Spawn a shell on victim and send back to attacker.
2. Windows Meterpreter Reverse_TCP X64 Connect back to the attacker (Windows x64)
3. Windows Meterpreter Egress Buster Spawn a shell and find a port home via multiple ports

And here an important step you will be choosing the kind of encodings to try and bypass weak Antiviruses.

Select one of the below, Backdoored Executable is typically the best.

1. shikata_ga_nai (Very Good)

2. Multi-Encoder (Excellent)

3. Backdoored Executable (BEST)

After encoding you will find the executable file in “/opt/usbsploit/lib/msf/data/usbsploitbackdoor.exe”

This amazing tools helps to create a backdoor that can bypass most popular antiviruses in just a few steps.

My experience was interesting because when testing the generated executable file that had been encoded by msfencode, only 10 out of 42 antiviruses detected it as a Trojan.

(http://www.virustotal.com/analisis/fd17814e613849ae76d9e571f1af037a555f6f8bfd1ab021fc3854c34b6a4c63-1279835899).

You can run the .exe file on a windows machine even if it contains one of the Antiviruses that was not able to detect the malicious code, even with the latest definition such as Kaspersky and activate the listener.

Here you will access all activities on the target machine and have total visibility of the whole system.

make sure you subscribe to my RSS feed!

• Hell Pizza’s Customer Database Hacked
• Black Hat USA 2010
• Hacking Approach to VoIP & Skype
• Sniffing/MITM Attacks on Tor network

TrueCrypt one of the popular tools for encrypting and hiding partition under Linux, MacOS and Windows system has released a new version.

The new features at this release include:

* AES Hardware-accelerated encryption this function is supported by some processors and helps to accelerate encryption performed in a faster way than by purely software implementations on the same processors.

* Now it is possible to configure TrueCrypt container on a USB flash drive to mount the drive automatically whenever you insert the USB flash drive into the USB port. This is cool.

* Partition/device-hosted volumes can now be created on drives that use a sector size of 4096, 2048, or 1024 bytes.

* Favorite Volumes Organizer this means that now you can organize your mounted device upon logon to system as read only or removable medium

* The Favorites menu now contains a list of your non-system favorite volumes. When you select a volume from the list, you are asked for its password (and/or keyfiles) (unless it is cached) and if it is correct, the volume is mounted.

It is always recommended to use Truecrypt instead of other built in encryption system because it can hide your volumes and make it impossible for anyone to note the file existing on the HD, plus it provides a flexible way to choose encryption algorithms.

With TruCrypt your data remains encrypted until you need it. Go get your copy by following this link.

make sure you subscribe to my RSS feed!

• TrueCrypt 6.3 Free Open-Source Disk Encryption Software
• Full disk encryption comes to SSDs for mobile devices, laptops

Tranchulas is an international consulting firm that started a new e-learning services launched from Pakistan. Training includes different IT Security topics from:

1- Web Application Security Workshop
2- PCI-Data Security Standard Training
3- Hands-On Ethical Hacking
4-ISO/IEC 27001 – ISMS Implementation

Before attending the training courses a test are conducted to evaluate the knowledge of attendees and according to the result the student will be associated to the required level.
Today I have attended a small demonstration on the Ethical Hacking course .The course teaches advanced techniques on arp spoofing and scanning the network using Backtrack. There is a very nice scenarios that are made on live to help student deeply understand how it is simple to conduct a Man In the middle attack on a real working environment even if the traffic are encrypted using SSL.

Zubair Khan Chief Executive Officer has conducted security trainings at various forums in Pakistan and abroad. He has previously presented at renowned security conferences including Hack.lu Luxembourg, Hack In The Box Malaysia and Infosek Slovenia. Chairman of Pakistan Engineering Development Board and Chairman of Pakistan Engineering Council recognize his research and work.

This is a cutting-edge course and currently outline: Basic Bash Scripting, Information Gathering (Google Hacking and Harvesting, Netcraft, DNS Reconnaissance…), Port scanning, ARP spoofing, Buffer overflow Exploitation ,Bind shells and reverse shells etc..

For more information and details on next trainings you can visit the official website.

make sure you subscribe to my RSS feed!

• Hacking Lotus Domino
• Ways for Effective Network Penetration Testing
• HTTP DoS-attack tool on Apache web server
• Phrack #66 is out

Mozilla has blocklisted a malicious plugin that has been submitted on their official website as an add-on since 6th of June, the add-on named Mozilla Sniffer and contains a serious security vulnerability.

According to a blog post the plugin includes a code that intercepts all login data on any website and sends this credential to a remote location. Mozilla security specialists informed that All current users should receive an uninstall notification and invite all users to remove the plugin and change all web authentication credential they are using.

The Plugin code has not been verified as it has been submitted online directly, it was just checked against malware without reviewing the functionality before make it public. While a new method of work will be considered in the future with a purpose to Review Process & Delightful Add-ons.

On the same post security vulnerability in CoolPreviews version 3.0.1 has been reported. This plugin help users in previewing a link in a website by just putting the cursor on it. The Bug allows an attacker to execute a malicious JavaScript code with local privileges, potentially gaining access to the file system and allowing code download and execution.

Currently, 177,000 users have a vulnerable version installed. All users are invited to update the plugin while the vulnerable versions will be blocklisted soon.

make sure you subscribe to my RSS feed!

• Mozilla Fixes 9 vulnerabilities & adds a Crash Protection to Firefox

Hackers have created a new version of the Zeus crimeware toolkit that’s designed to swipe bank login details of Spanish, German, UK and US banks.

The malware payload, described by CA as Zeus version 3, is far more selective in the banks it targets. Previous versions targeted financial institutions around the world while the latest variant comes in two flavours: one that only target banks in Spain and Germany, and a second that only targets financial institutions in the UK and US.

In addition the latest version of Zeus contains features that makes it far harder for security researchers to figure out what the malware is doing. Zombie drones on the Zeus botnet operate on a need to know basis, CA explains.

“In earlier versions, Zeus handles this configuration file in a way that security researchers can easily manage to reverse engineer and capture the actual full configuration content,” writes Zarestel Ferrer, a senior research engineer with CA’s Internet Security Business Unit.

“This is no longer the case for the latest Zeus bot version 3, which is already in the wild.

“It employs layers of protection by applying the principle of least privilege. It means that the bot must only access remote command, information and resources that are necessary to a specific function and purpose.”

Command and control systems associated with the bot are “mostly hosted in Russia”, according to CA. Banks in Spain, UK, USA and Germany were the most targeted institutions in previous versions of the banking Trojan.

The unknown cybercrooks have tightened this focus with the latest version of the cybercrime toolkit, meeting customer demand in a manner akin to legitimate software developers releasing localised versions of tools in key geographical markets.

[Source: The Register]

• Asprox is back!
• Malware is Hiding in Amazon Cloud
• Guest Blog: Defending against DDoS
• DDoS Attack Target Swedish Police Network

IBM Lotus Domino Server is a solution for the corporate environment that provides different services to manage electronic documents, and it includes many models such as Mail server, Http server and Data base. The current version is Lotus Domino 8.5.1.

To detect the server we start by scanning the network, usually the server runs a web interface Lotus Domino httpd, so we run Nmap and scan the targeted network as follows:

Nmap –sV 172.16.1.0.24 –p 80
Nmap scan report for 172.16.1.7
Host is up (0.017s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
80 open http Lotus Domino httpd

Now as you can see the IP address of the Domino server is found and you can open your web browser to check some nice Domino web pages with the version: http://serverip/homepage.nsf.

You can use the Google Hack method to find all web servers running on Domino by searching for inurl:homepage.nsf. In the results you will find thousands of Domino based web pages. Now it is very important to note that you should not attempt training yourself on these sites.

Usually when you install Lotus client you need to connect as a user to the server, and a screen for authentication appears to make non experienced hackers terrified, but if you concentrate and check everything slowly you will find the gaps and admin faults.

First you start by learning the important resources on the server, on Domino most important files are with the .NSF extension, so we have:

/Names.nsf File in Domino server contains file name and path (Most important database in the Domino environment)

You can find other files using DominoHunter which provides you a list on all .nsf files. But what we need is the names.nsf database which includes all mail addresses, users information, users operating systems, security applications on Lotus notes and other important information.

What is interesting that on most Domino servers this file can be accessed by anonymous users =-).
Now the kind of information that we will need take care of:

1. List of user’s login so we can guess there passwords also which user account is the admin.

2. All information can be used in the social engineering to trick non trained personal.

3. In the names.nsf you will find also OS version as lotus notes client version this will be very helpful to find the 0-days for all users and application and OS. Here an attacker can use even vulnerability in Internet explorer to compromise some accounts.

Gathering information is not all what is possible – in 2005 there someone discovered a vulnerability allows an attacker to get Internet users password hash. The vulnerability is not difficult to exploit because all users hash passwords are stored in Hidden HTTPPassowrd or dspHTTPPassword files, depending on the version.
What is strange that this vulnerability remains unfixed.

Now the number of users can be hundreds or thousands, so you will need to have all hashes in automatic way. On 2007 an exploit has been released for Dumping Password Hash Raptor_dominohash that allows downloading of all users’ hashes.

DominoHashBreaker is also an important tool that tries to find the clear text form of the password by utilizing a dictionary attack. The goal is to make it possible for an administrator to check the robustness of the passwords of its users.

But for the best results, John the Ripper with Jumbo patch – which adds modern password hashes – and all you need is give HASH.txt to JohnTheRipper (in the form username:hash). If you find one account password you will be able to know the password policy for all users and will not consume much time to have all passwords list. And these passwords are for Domino web access.

If we have the administrator password account, then its ok, if not we should repeat the previous steps. Something interesting is that the admin password will allow attacker to open webadmin.nsf (servername/webadmin.nsf) this is for administrating Lotus Domino webserver interface, and by getting access to this resource you can add, remove or modify users.

On domino there is another protocol which is NRPC using port 1352, and this allows users to have client Lotus notes and Lotus designer, and the client should have a certificate to approve his identity with extension ID. There is also a password authentication mechanism.

Passwords are used to decrypt the ID file, so to have access to any Domino account we will need 2 things: an ID file and password for this file. This is more complicated than the Web access but it is always possible.

To get the ID file you can exploit a vulnerability in Lotus Domino where the server keeps a copy of the ID stored on the server, so if you have users login as shown using names.nsf. you will have the ID for the password there is 3 tools that can search for the ID password which is ( ID Password recovery, Lotus Notes Password Recovery or Notes Password Recovery by following this link ,all three tools for free.

This post presents a clear idea about the different configuration faults that can exist in a Domino server with a small vulnerability that can allow an outsider to take full control of the server and manipulate a corporation’s very sensitive information.

Reference: http://dsecrg.com/pages/pub/show.php?id=2

make sure you subscribe to my RSS feed!

• HTTP DoS-attack tool on Apache web server
• Phrack #66 is out
• Q&A: Johnny Long – Professional hacker, Pirate, Ninja
• Hackers are making the Mac a 'first-class target' for Metasploit toolkit

Security researchers at Websense have discovered a new Trojan that are using a windows system to disable and delete antivirus software and compromising victim machine.

The Malicious program installs itself as the Windows input method editor (IME) and then stop all AV processes and delete the executable files and mask itself in the system as an antivirus update package.

Websense has issued a blog post defining the way that this Trojan is able to infect windows system. After running the malware a winnea.ime will be created under the system folder in windows.

By opening the default input method, the previous created file winnea.ime will start to search and detects antiviruses.

At the same time, winnea.ime creates a file called pcij.sys to the system folder and loads it as a driver process.

Next DeviceIOControl kills the running process of any antivirus in the list; the control code is sent to the driver process pcij.sys

As it is clear that the input method in Windows is now a popular way for hackers to inject malicious code.

make sure you subscribe to my RSS feed!

• Building your OWN Malware Lab (Part 2)
• Building your OWN Malware Lab (Part 1)
• Zombies an Increasing Concern
• Conficker.C Overview