There’s been a LOT of news lately about attacks from China, Chinese hackers and sites from China propagating malware.

The latest news is that China police have managed to shut down a hacker training operating that was schooling the next generation of Chinese script kiddies.

It seems like China is grooming a huge cyberarmy both in the private section (mostly underground) and in the government sector for cyber-terrorism.

Police in central China have shut down a hacker training operation that openly recruited thousands of members online and provided them with cyberattack lessons and malicious software, state media said Monday. The crackdown comes amid growing concern that China is a center for Internet crime and industrial espionage. Search giant Google said last month its e-mail accounts were hacked from China in an assault that also hit at least 20 other companies.

Police in Hubei province arrested three people suspected of running the hacker site known as the Black Hawk Safety Net that disseminated Web site hacking techniques and Trojan software, the China Daily newspaper said. Trojans, which can allow outside access to a computer when implanted, are used by hackers to illegally control computers. The report did not say exactly when the arrests took place.

Black Hawk Safety Net recruited more than 12,000 paying subscribers and collected more than 7 million yuan ($1 million) in membership fees, while another 170,000 people had signed up for free membership, the paper said.

With over 12,000 paying members they must have been raking in quite a tidy sum in membership fees. Estimated at $1million USD if you take into consideration the economy that’s a lot of money if there’s only 3 guys running the site.

It seems like the group has been around for quite a while, it’s rare to see a fairly underground hacking scene become so commercial.

I’m surprised it took 3 years to get shut-down, but then China has had it’s fair share of more serious problems to deal with.

The case can be traced to a hacking attack in 2007 on an Internet cafe in Macheng city in Hubei that caused Web services for dozens to be disrupted for more than 60 hours, the paper said. A few of the suspects caught in April said they were members of the Black Hawk Safety Net.

Black Hawk’s Web site 3800hk.com could not be accessed, but a notice purportedly from Black Hawk circulating on online forums said that a backup site had been set up. The notice also sought to reassure members of its continued operations and said its reputation was being smeared by some Internet users.

“At this time, there are Internet users with evil intentions who have deliberately destroyed Black Hawk’s reputation, deceived our members and stole material,” the notice addressed to members said. “We must join forces and attack these Web sites.”

A customer service officer contacted by phone, who refused to give his name, said the backup site provides content for its paying members to download course material to allow them to continue their computer lessons — though not in hacking. The Hubei government refused to comment Monday while officials at the provincial public security bureau did not respond to repeated requests for comment.

The site involved seems to be down still but rumors on related forums are that a backup site is already up, I’m sure it’s being kept private though and I suspect only the paying members will be notified of the new URL.

After this bust they’d be foolish not to be a little more cautious.

It’ll be interesting to see if any more news pops up about this Black Hawk Safety Net organization and if so what they are up to.

At least this time we can be pretty sure it’s not a CIA sting operation.

Source: Yahoo! News

Tags:  3800hk.com,  black hawk safety net,  china,  china hacking school,  chinese hacking school,  chinese malware,  chinese police,  chinese-hackers,  hacking school,  learn to hack

As the popularity of the web increases and web applications become tools of everyday use, the role of web security has been gaining importance as well. The last years have shown a significant increase in the number of web-based attacks. For example, there has been extensive press coverage of recent security incidences involving the loss of sensitive credit card information belonging to millions of customers.

Typical web application security vulnerabilities result from generic input validation problems. Examples of such vulnerabilities are SQL injection and Cross-Site Scripting (XSS). Although the majority of web vulnerabilities are easy to understand and to avoid, many web developers are, unfortunately, not security-aware. As a result, there exist many web sites on the web that are vulnerable.

SecuBat is a generic and modular web vulnerability scanner that, similar to a port scanner, automatically analyzes web sites with the aim of finding exploitable SQL injection and XSS vulnerabilities.

Software Requirements

• Windows 2000, XP, 2003 or higher
• .NET Framework 2.0 or higher
• MS SQL Server 2000, 2005, Express, MSDE or higher

Known Issues

• If you schedule a crawling run, you have to restart SecuBat for manually selecting this crawling run for
  an attacking run afterwards if you not choose to do a combined run.
• The XSS variants report a not existing vulnerability if the response page contains the injected string within the title tag.
• The “Attack Report” window shows only attacks with an analysis value greater than 0 (indicating a vulnerability).

You can also find out more from the SecuBat paper published here:

secubat.pdf [PDF]

You can download SecuBat v0.5 here:

SecuBat v0.5.zip

Or read more here.

Tags:  iseclab,  modular web vulnerability scanner,  secubat,  sql injection vulnerability scanner,  sql-injection,  sql-injection-scanner,  web application security scanner,  Web Hacking,  web vulnerability scanner,  web-application-security,  web-security,  XSS,  xss scanner,  xss vulnerability scanner

Twitter has come under attack fairly frequently in recent months, which is not surprising considering the explosive growth of the platform and the sheer number of users it has.

If you are a Twitter use you may have noticed many people had their password reset automatically yesterday, Twitter today announced the reason for this on their status site here:

Reason #4132 for Changing Your Password

It’s a fairly intricate scam where someone has spent a lot of time effort and exhibited patience in harvesting all of these accounts.

Officials at Twitter linked the resetting of passwords to a malicious Torrent sites and other schemes. According to Twitter, the company began its investigation after noticing a surge in followers for certain accounts during the past five days. Twitter revealed more details about the phishing attacks that caused the company to reset the passwords on some user accounts today.

According to Twitter Director of Trust and Safety Del Harvey, there was a sudden surge in followers for certain accounts during the last five days. For that reason, the company decided to push out a password reset to the accounts, he said. After launching an investigation, Twitter officials linked part of the problem to malicious torrent sites.

“It appears that for a number of years, a person has been creating torrent sites that require a login and password as well as creating forums set up for torrent site usage and then selling these purportedly well-crafted sites and forums to other people innocently looking to start a download site of their very own,” Harvey blogged. “However, these sites came with a little extra — security exploits and backdoors throughout the system. This person then waited for the forums and sites to get popular and then used those exploits to get access to the username, email address, and password of every person who had signed up.”

The main crux of the story is, if you’ve signed up for any 3rd party private torrent trackers or forums, you’d better go and change your e-mail address and password there. Especially if you were stupid enough to use the same password you use for other sites (such as Twitter).

The trend seems to be continuing with people using the same username, e-mail and password (or at least a variation of the same password) across multiple sites.

I’m pretty sure however, everyone reading this site doesn’t do that as we are fully aware of the danger involved.

“Additional exploits to gain admin root on forums that weren’t created by this person also appear to have been utilized; in some instances, the exploit involved redirecting attempts to access the forums to another site that would request log-in information,” he continued. “This information was then used to attempt to gain access to third party sites like Twitter.”

Harvey stated that Twitter has not identified all of the torrent forums involved, but urged anyone who has signed up for one built by a third party to change their password there.

“The takeaway from this is that people are continuing to use the same email address and password (or a variant) on multiple sites,” he blogged. “Through our discussions with affected users, we’ve discovered a high correlation between folks who have used third party forums and download sites and folks who were on our list of possibly affected accounts.”

Not all of the accounts affected were linked to Torrent sites, Harvey added. Earlier today, a Twitter spokesperson told eWEEK that some users had signed up for “get followers fast schemes.”

I see a LOT of people on Twitter falling for these “Get followers fast” or “Get 1000 followers NOW” schemes which require them to give their login credentials to 3rd party sites.

Of course after that the sites use their account to send spam DMs or tweets and often end up in the user account getting locked for spamming.

This of course follows the Twitter DM Phishing Scam and the time the SSL Renegotiation Bug was used on Twitter.

Darknet is on Twitter, if you wish to follow us you can do so here: http://www.twitter.com/THEdarknet

Source: eWeek

Tags:  get followers fast,  hacking twitter,  Password Cracking,  password-hacking,  Phishing,  scams,  twitter,  twitter hacking,  twitter phishing,  twitter privacy,  twitter scam,  twitter security,  web-security

Nmap is of course of the most famous port scanners and hacking tools of all time, the last stable release was back in July 2009.

For those that may not know, Nmap (“Network Mapper”) is a free open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

Nmap 5.20 offers more than 150 significant improvements, including:

• 30+ new Nmap Scripting Engine scripts
• Enhanced performance and reduced memory consumption
• Protocol-specific payloads for more effectie UDP scanning
• A completely rewritten traceroute engine
• Massive OS and version detection DB updates (10,000+ signatures)

You can download Nmap 5.21 here (more options):

Linux – nmap-5.21.tgz
Windows – nmap-5.21-win32.zip

Or read more here.

Tags:  fingerprinting,  fyodor,  network fingerprinting,  Network Hacking,  network scanner,  networking,  nmap,  nmap scanner,  nmap tool,  nmap-gui,  os identification,  os-detection,  os-fingerprinting,  port-scanner,  port-scanning,  release,  releases,  software,  traceroute,  udp port scanner,  udp scanning,  zenmap

This is a pretty interesting development from Google and also seems to be coming much more common now, companies openly offering payments for bugs/vulnerabilities discovered in their software.

It’s a chance for the white-hat guys to earn a few bucks, but honestly I don’t think it’s going to change anything. Especially not when we’re talking $500 per vulnerability.

A serious browser 0-day exploit that can allow execution of malware will go for 100 times that much on the black market so there’s no real incentive for the bad guys to give up their code for $500.

Google yesterday announced a bug-bounty program that will pay researchers $500 for each vulnerability they report in the Chrome browser and its underlying open-source code.

In a post to the Chromium project’s blog , Chris Evans, who works on the Chrome security team, said the base bounty would be $500, but that “particularly severe or particularly clever” bugs would reap rewards of $1,337 each.

The latter amount is a reference to “leet,” a kind of geek-speak used by some researchers; there, “leet” is rendered as “1337.”

New vulnerabilities in Chrome, Chromium — the open-source project that Google uses to craft Chrome — and plug-ins that ship with Chrome, such as Google Gears, are eligible for bounties, said Evans. Bugs that are ranked “high” or “critical” in Chrome’s rating system get preference, he added, but others may be considered.

Even for the particularly severe or clever bugs they can award up to $1,337, that’s still peanuts compared to what they can sell the exploit for on the open market – or even to companies like TippingPoint ZDI who claim to pay 10 times more (which would be more reasonable, $5000 for a working exploit).

I hope it helps though and gives some legitimate security researches a little more incentive to focus on Chrome, the bad guys won’t pay much attention though as Chrome is still a relatively small player in the browser world.

“We are hoping that … this program will encourage new individuals to participate in Chromium security,” said Evans. “The more people involved in scrutinizing Chromium’s code and behavior, the more secure our millions of users will be.”

“Internet Explorer, Safari, Firefox…those browsers have been out there for a long time,” said Pedram Amini, manager of the security research team at 3com’s Austin, Tex.-based TippingPoint, which operates Zero Day Initiative (ZDI), one of the two best-known bug-bounty programs. “But Chrome, and now Chrome OS, need researchers. Google needs people to put eyes on the target.”

Google’s new bounty program isn’t the first from a software vendor looking for help rooting out vulnerabilities in its own code, but it’s the largest company to step forward, Amini said. Microsoft , for example, has traditionally dismissed any calls that it pay for vulnerabilities. “This will be beneficial to Google,” Amini added. “There are actually very few vendors who play in the bounty market, but Google doing it is definitely interesting.”

I don’t realistically expect any groundbreaking bugs to come out of this initiative, but I think a few people might bust out their browser fuzzing tools and see what they can find.

Worth a bit of effort if you can find 10 decent bugs in a couple of hours and net yourself $5000usd.

Source: Network World

Tags:  bounty for exploits,  Browser-Hacking,  browser-security,  bug bounty,  chrome,  chrome browser,  chrome bugs,  chrome exploits,  chrome security,  chrome vulnerabilities,  exploit bounty,  google chrome,  google chrome security,  google exploit bounty,  paid to hack

Groundspeed is an open-source Firefox extension for web application security testers presented at the OWASP AppSec DC 2009. It allows you to manipulate the web application’s user interface to eliminate annoying limitations and client-side controls that interfere with the web application penetration test.

What can I do with Groundspeed?

Groundspeed allows you to modify the forms and form elements loaded in the page. Some practical uses include:

• Changing the types of form fields, for example you can change hidden fields into text fields so you can easily edit their contents.
• Quickly removing size and length limitations on text fields so you have more space to type your attack strings.
• Changing form target so the form submits in another tab.
• Removing or editing the JavaScript event handlers to bypass client side validation.

You can install Groundspeed here:

https://addons.mozilla.org/en-US/firefox/addon/46698/

Or read more here.

Tags:  firefox security add-on,  groundspeed,  groundspeed firefox add-on,  hacking-websites,  web app security,  Web Hacking,  web-application-hacking,  web-application-security,  web-application-security-testing,  website security,  website security testing

Ah finally some proof of the mythical Playstation 3 exploit released publically. Sadly as always the lack of sales on the PS3 can be partially attributed to the lack of a homebrew scene (aka ability to pirate games).

There have been rumours and some speculation about the PS3 finally being exploited with news breaking earlier this week about notorious iPhone hacker geohot (George Hotz) finally breaking the protection on the PS3.

I personally don’t own a PS3 so it’s not really news to me, but for some people it seems to have been a reason for them not to buy a PS3 yet.

On Monday, when we reported that the prolific hacker geohot had successfully penetrated the previously impervious PlayStation 3 gaming console, readers were understandably skeptical.

After all, the 20-year-old readily admitted his hack wasn’t reliable, and he provided no evidence he was able to do some of the things modders love to do most, such as run arbitrary code or peel open the device’s synergistic processing elements to take a peak at its most prized internal elements.

On Tuesday afternoon, geohot finally released his exploit so the world could see for itself exactly what the hack does and doesn’t accomplish

If you’re interested in the extremely technical explanation of how geohot achieved this you can check it out here, I’d imagine to understand it properly though you’d need to be fairly familiar with the inner workings of the PS3 and how it manages memory allocation.

The hack isn’t really reliable but it does work to some degree and some of the time and this is enough for others to get started on breaking the PS3 further.

There’s another good write-up here explaining the ins and outs of the system and what repercussions this has:

PS3: Hacked

According to the instructions, it involves compiling and running the kernel module and then pulsing a memory bus on the PS3’s motherboard.

“Try this multiple times,” his instructions state. “I rigged an FPGA button to send the pulse. Sometimes it kernel panics, sometimes it lv1 panics, but sometimes you get the exploit!! If the module exits, you are now exploited.”

While the idea is sound, this hack is clearly not for the faint of heart.

From there, PS3 users get full memory access, including ring 0 access from OtherOS, geohot, whose real name is George Hotz, said here. He’s now turning follow-on work to the PS3 community, directing members to report their findings to the psDevWiki.

His instructions conclude: “The PS3 is hacked, its your job to figure out something useful to do with it.”

It’ll be interesting to watch how this develops over the next 2-3 months and see if anyone is able to successfully modify the OS or even install a new one.

If you are so inclined you can keep up with what is happening on the psDevWiki.

I’d imagine we should be seeing some homebrew code based on this exploit by the middle of year and of course Sony scrambling to come out with a new firmware that blocks this.

Source: The Register

Tags:  geohot,  george hotz,  hacking,  hacking playstation,  hacking playstation 3,  hacking ps,  hacking ps3,  Hardware Hacking,  playstation,  playstation 3,  playstation 3 exploit,  playstation 3 security,  playstation exploit,  ps3,  ps3 exploit

Browser Fuzzer 3, or bf3, is a comprehensive web browser fuzzer. Browser Fuzzer 3 is designed as a hybrid framework/standalone fuzzer; the modules it uses are extensible but also highly integrated into the core. bf3 can be used via command line to set all necessary flags for each fuzzing operation.

After initialization, bf3 creates test cases in a numbered system. Fuzzing is automated through the browser using the refresh method. If error is detected, server logs can provide insight to the offending test case.

Features

• Fuzzes CSS, DOM, HTML, JavaScript and XML
• Attended and Unattended Fuzzing Modes
• 7th Generation Fuzzing Oracle
• Random Data Generator
• Mutation Fuzzing Engine

You can download Browser Fuzzer 3 here:

bf3.tar.gz

Or read more here.

Tags:  application-security,  bf3,  browser fuzzer,  browser fuzzer 3,  browser fuzzing tool,  Browser-Hacking,  browser-security,  fuzz,  fuzzer,  fuzzing,  fuzzing-tool,  Hacking Tools,  krakow labs,  web-security

There have been quite a few security concerns with Facebook, especially with the amount of personal information it collects on it’s users.

Of course there is Koobface and it’s many variants which have been propagating all kinds of spam through Facebook wall posts and messages.

I’m glad someone is offering a solution for free, yes they benefit from it too by being able to gather data on Facebook activity and the quantity of malicious posts occurring on Facebook.

Security vendor Websense if offering Facebook users and businesses a new free ‘firewall’ service that monitors their pages for malicious posts, links and spam.

Defensio 2.0 checks all posts to Facebook in real time against Websense’s ThreatSeeker Network, a database of problem URLs, before deciding whether to categorise a post as malicious or unwanted. This also draws from data gathered by US ISP Radialpoint and URL shortening service bit.ly before performing further heuristic analysis as a final check.

If a bad post is detected, the system logs and informs the user who makes the final decision. As with the original Defensio system – acquired a year ago when Websense bought the company of the same name – it can also monitor web pages for rogue posting, pre-emptively blocking those it deems unwanted.

“We are seeing real threats to Facebook such as Koobface,” said Websense senior research manager, Carl Leonard.

It seems to work on a ‘moderation’ model so if the software detects any suspicious automated messages/links or other dodgy activity it will block the post/message and allow the user to approve/deny the request.

But then it’s only going to be effective if take-up is good amongst the non-tech savvy users where the problems tend to be a lot more common.

Sadly this seems highly unlikely as only people who read sites like this will know about it, unless it get’s heavily promoted on Facebook..but then you have to contend with ad-blindness problems.

According to Leonard, an advantage of Web 2.0 monitoring was that it gave security companies a way of following criminals inside the otherwise closed world of social media, something that many security vendors can’t yet do. “We can have visibility into threats on these social networks, and have a fantastic feed of information that can benefit all our customers,” he said.

Leonard was not able to say when or if the monitoring might be available other social media sites or feeds such as twitter, where rogue behaviour can be difficult to spot.

The service is free for anyone with fewer than 50,000 posts per month, and for companies with 15 employees of less. For professional sites or sites with larger volumes of posts, the service starts at $5 (£3) per month, per site.

It’s free for most people, I’d imagine very few companies are making 1500 posts per day! Even if you need to pay it’s pretty cheap.

I hope to see more initiatives from companies like this, and ideally someone working with Facebook themselves to increase pro-active security measures on the site.

Obviously that’s not their first priority and with the recent brouhaha about their new privacy terms and default settings..you should be concerned about what information of yours they intend to utilise.

Source: Network World

Tags:  defensio,  facebook,  facebook firewall,  facebook malware,  facebook scam,  facebook security,  facebook spam,  koobface,  threatseeker,  web app firewall,  web application firewall,  web malware,  web-application-security,  web-security,  websense

Burp Suite is an integrated platform for attacking web applications. It contains all of the Burp tools with numerous interfaces between them designed to facilitate and speed up the process of attacking an application. All tools share the same robust framework for handling HTTP requests, persistence, authentication, upstream proxies, logging, alerting and extensibility.

Burp Suite allows you to combine manual and automated techniques to enumerate, analyse, scan, attack and exploit web applications. The various Burp tools work together effectively to share information and allow findings identified within one tool to form the basis of an attack using another.

It’s been quite a while since the release of Burp Suite v1.2 back in December 2008.

This is a major upgrade with a host of new features, including:

• A new message editor/viewer optimised for HTTP requests and responses, with colourised syntax, mouse-over decoding, and quick conversion functions.
• Facility to add comments and highlights to the proxy history and site map.
• Support for viewing and editing AMF-encoded messages.
• Improved handling of SSL server certificates, to eliminate browser SSL warnings and connection problems with thick clients.
• Copy to file / paste from file to facilitate working with binary content.
• New display filters.
• Greatly enhanced extensibility.
• Configurable DNS resolution, to override your computer’s own resolution, facilitating work with non-proxy-aware clients.
• Fine-grained upstream proxy rules.
• Exporting of HTTP messages and metadata in XML format.

Burp Suite is a Java application, and runs on any platform for which a Java Runtime Environment is available. It requires version 1.5 or later. The JRE can be obtained for free from java.sun.com.

Full release details can be found here.

You can download Burp Suite v1.3 here:

burpsuite_v1.3.zip

Or read more here.

Tags:  burp,  burp-proxy,  burp-suite,  Hacking Tools,  web app proxy,  web app security,  web application proxy,  web site security,  web-application-security,  web-proxy,  webapp security