oCERT - Responding to Flaws in Open Source Software

So a new initiative, the Open Source Computer Emergency Response Team, known as oCERT, has been set up, with Google among its main sponsors (read more here - Contributing to Open Source Software Security).

The oCERT project is a public effort providing security handling support to Open Source projects affected by security incidents or vulnerabilities, just like national CERTs offer services for their respective countries.

The service aims to help both large infrastructures, like major distributions, and smaller projects that can’t afford a full-blown security team and/or security resources. This means aiding coordination between distributions and small project contacts. The goal is to reduce the impact of compromises on small projects with little or no infrastructure security, avoiding the ripple effect of badly communicated or handled compromises, which can currently result in distributions shipping code which has been tampered with.

It’s a pretty interesting project and I hope it takes off - it will be a good place to gather information for small and large open source projects alike and make things more secure for everyone involved.

Check it out here:

http://ocert.org/


Metagoofil v1.4 Released - Metadata and Information Gathering Tool

Metagoofil is an information gathering tool designed for extracting metadata from public documents (pdf, doc, xls, ppt, odp, ods) available on the target/victim website.

It generates an HTML page with the extracted metadata, plus a list of potential usernames, very useful for preparing a brute-force attack on exposed services like FTP, POP3, web applications, VPNs and so on. It also extracts the list of paths disclosed in the metadata; from these you can guess the OS, network names, shared resources and so on.

This new version also extracts MAC addresses from Microsoft Office documents, which gives you an idea of what kind of hardware they are using.

None of this information should be available on the net, but most companies have no policy on information leakage, and most of them don't even know this metadata exists. So you can show them what an attacker can obtain with this simple technique.
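To show what the username, path and MAC extraction above actually amounts to, here is an added Python example (my own code, not Metagoofil's). It takes a few constructed metadata records of the kind pulled out of document properties (hypothetical author, path and GUID values) and derives login-name candidates, file-server names, an OS hint from the profile path, and the MAC address from a time-based (version 1) GUID of the sort older OLE2 Office files store in their _PID_GUID property. The field names and all sample values are assumptions for illustration.

```python
import re
import uuid

# Constructed sample records, hypothetical values only: the kind of fields
# pulled from Author / Last Saved By / path / GUID document properties.
SAMPLE_DOCS = [
    {"file": "quarterly-report.doc", "author": "John Smith", "last_saved_by": "jsmith",
     "path": r"\\FILESRV01\Finance\2008\quarterly-report.doc",
     "guid": "{2A1F3C40-1234-11D3-8B5A-0800200C9A66}"},
    {"file": "budget.xls", "author": "Mary Jones", "last_saved_by": "Mary Jones",
     "path": r"C:\Documents and Settings\mjones\My Documents\budget.xls",
     "guid": "{6F1A2B3C-4D5E-4F60-8123-4567890ABCDE}"},   # version 4: no MAC inside
    {"file": "slides.ppt", "author": "admin", "last_saved_by": "",
     "path": r"C:\Users\admin\Desktop\slides.ppt", "guid": ""},
]


def mac_from_guid(guid):
    """Return the NIC MAC embedded in a version-1 (time-based) UUID, else None.

    Older OLE2 Office files store a _PID_GUID property; when it is a version-1
    UUID its last 48 bits are the MAC of the machine that generated it.
    """
    if not guid:
        return None
    try:
        u = uuid.UUID(guid.strip("{}"))
    except ValueError:
        return None
    if u.version != 1:
        return None
    if u.node & (1 << 40):  # multicast bit set: a random node ID, not a real NIC
        return None
    return ":".join(f"{(u.node >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))


def username_candidates(name):
    """Derive likely login names from an author field ('First Last' or a single token)."""
    parts = re.findall(r"[A-Za-z]+", name.lower())
    if not parts:
        return set()
    if len(parts) == 1:
        return {parts[0]}
    first, last = parts[0], parts[-1]
    return {first[0] + last, first + "." + last, first + "_" + last,
            first + last, last + first[0]}


# Profile roots differ by Windows generation, so a leaked path dates the OS.
PROFILE_RE = re.compile(r"^[A-Za-z]:\\(Documents and Settings|Users)\\([^\\]+)\\", re.I)
UNC_RE = re.compile(r"^\\\\([^\\]+)\\([^\\]+)")


def analyse_path(path):
    """Pull file-server host, share, profile user and an OS hint from a leaked path."""
    info = {}
    m = UNC_RE.match(path)
    if m:
        info["host"], info["share"] = m.group(1), m.group(2)
    m = PROFILE_RE.match(path)
    if m:
        info["user"] = m.group(2)
        info["os_hint"] = ("Windows 2000/XP" if m.group(1).lower().startswith("documents")
                           else "Windows Vista or later")
    return info


def analyse(docs):
    """Aggregate everything an attacker learns from the metadata of a document set."""
    users, hosts, macs, os_hints = set(), set(), set(), set()
    for d in docs:
        for field in ("author", "last_saved_by"):
            users |= username_candidates(d.get(field, ""))
        p = analyse_path(d.get("path", ""))
        if "user" in p:
            users.add(p["user"].lower())
        if "host" in p:
            hosts.add(p["host"])
        if "os_hint" in p:
            os_hints.add(p["os_hint"])
        mac = mac_from_guid(d.get("guid", ""))
        if mac:
            macs.add(mac)
    return {"users": sorted(users), "hosts": sorted(hosts),
            "macs": sorted(macs), "os_hints": sorted(os_hints)}


if __name__ == "__main__":
    for k, v in analyse(SAMPLE_DOCS).items():
        print(f"{k}: {', '.join(v) if v else '-'}")
```

The username derivation is deliberately generous: a brute-force list wants every plausible convention (jsmith, john.smith, john_smith, ...), and a real document set usually contains a "Last Saved By" field that confirms which one the company uses. The multicast-bit check matters because newer Office versions and many other generators fill the node field with random bytes, and reporting those as hardware would mislead.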

You can download Metagoofil v1.4 here:

MetaGooFil 1.4 (tar) (20/04/2008)

Or read more here.


Want Some COFEE? Microsoft Computer Online Forensic Evidence Extractor

Microsoft helping the good guys eh? I had someone ask me if I could get hold of this, so I did some checking up on it.

I'd guess MS is doing this to sell additional software and services, but either way it's a good thing to make a portable, easy to use and effective forensics toolkit.

Would it be better than your average security or forensics LiveCD? I wouldn’t know unless I can indeed get one of these COFEE sticks.

Microsoft has developed a small plug-in device that investigators can use to quickly extract forensic data from computers that may have been used in crimes.

The COFEE, which stands for Computer Online Forensic Evidence Extractor, is a USB “thumb drive” that was quietly distributed to a handful of law-enforcement agencies last June. Microsoft General Counsel Brad Smith described its use to the 350 law-enforcement experts attending a company conference Monday.

The device contains 150 commands that can dramatically cut the time it takes to gather digital evidence, which is becoming more important in real-world crime, as well as cybercrime. It can decrypt passwords and analyze a computer’s Internet activity, as well as data stored in the computer.

I’m guessing it’s the common suspects, mostly open source tools bundled together with a nice interface or some batch scripts.

‘Internet History’ - I bet it only works if they use Internet Explorer (history.dat anyone?) and not Firefox with caching turned off.

Passwords? Some rainbow cracking brute forcer and a few of the smaller rainbow tables would suffice.

But then with USB pen drives going up to 8-16GB nowadays you could fit almost a full set of Rainbow Tables for common characters.

Brad Smith, Microsoft’s general counsel, described COFEE in an interview.

“It’s basically a thumb drive that is like a Swiss army knife for law enforcement officials that are investigating computer crimes. If you’re a law enforcement official and let’s say you have access to a computer that might be used, for example, by a child predator, a lot of times they have information on their hard disk that’s encrypted, and you’ve got that information off in order to have a successful investigation and prosecution.

“In the past, people would have to literally unplug the computer, they would lose whatever was in RAM. They’d have to transport it somewhere else, and it would take at least four hours, often more to get at the heart of the information.”

An MS rep has confirmed that the kit is a compilation of publicly available forensics tools and it does not circumvent Windows Vista BitLocker encryption or undermine any protections in Windows through secret ‘backdoors’ or other undocumented means.

So who’s gonna send me one?

Source: The Seattle Times


April Commenter of the Month Competition Winner!

Competition time again!

As you know we started the Darknet Commenter of the Month Competition on June 1st 2007 and it’s been running since then! We have just finished the eleventh month of the competition in April and are now in the twelfth, which started a few days ago on May 1st - Sponsored by GFI.

We are offering some pretty cool prizes like iPods and PSPs (or similar), along with cool GFI merchandise like shirts, keyrings and mugs.

And now the winner will also get a copy of the Ethical Hacker Kit.

GFI Goodies

Keep up the great comments and high quality interaction, we really enjoy reading your discussions and feedback.

Just to remind you of the added perks: by being one of the top 5 commenters you also have your name and chosen link displayed on the sidebar of every page of Darknet, with a high PR5 (close to 6) on most pages (4000+ spidered by Google).

So announcing the winner for April… it’s fever! He had a 10-comment lead over zupakcomputer; fever, another newcomer, came out of nowhere.

Comments for May have been very low so far, so it might be an easy win for someone this month :)

Commenter April

April saw some good discussions and was a little more lively than March, I hope May picks up a bit! I’d like to thank you all for your participation! I hope it keeps getting better as 2008 develops with more interesting news and tools. Keep up the excellent discussions, it’s very interesting reading especially on some of the more controversial topics.

Thanks to everyone else who commented and thanks for your links and mentions around the blogosphere!

Feel free to share Darknet with everyone you know :)

Keep commenting guys, and stand to win a prize for the month of May!

We are still waiting for pictures from backbone, Sandeep and TRDQ, dirty and dre, eM3rC, fever, Sir Henry and goodpeople of themselves with their prizes!

Winner for June 2007 was Daniel with 35 comments.
Winner for July 2007 was backbone with 46 comments.
Winner for August 2007 was TheRealDonQuixote with 53 comments.
Winner for September 2007 was Sandeep Nain with 32 comments.
Winner for October 2007 was dre with 19 comments.
Winner for November 2007 was dirty with 38 comments.
Winner for December 2007 was Sir Henry with 84 comments.
Winner for January 2008 was goodpeople with 66 comments.
Winner for February 2008 was eM3rC with 122 comments.
Winner for March 2008 was Pantagruel with 66 comments.


rtpbreak 1.3a Released - RTP Analysis and Hacking

rtpbreak 1.3a has been released, we initially brought you news of this tool back in August 2007 with the first announcement of rtpbreak.

With rtpbreak you can detect, reconstruct and analyze any RTP session. It doesn’t require the presence of RTCP packets and works independently from the signaling protocol used (SIP, H.323, SCCP etc.). The input is a sequence of packets, the output is a set of files you can use as input for other tools (wireshark/tshark, sox, grep/awk/cut/cat/sed and so on). It also supports wireless (AP_DLT_IEEE802_11) networks.

This is a list of scenarios where rtpbreak is a good choice:

  • reconstruct any RTP stream with an unknown or unsupported signaling protocol
  • reconstruct any RTP stream in wireless networks, while doing channel hopping (VoIP activity detector)
  • reconstruct and decode any RTP stream in batch mode (with sox, asterisk)
  • reconstruct any already existing RTP stream
  • reorder the packets of any RTP stream for later analysis (with tshark, wireshark, …)
  • build a tiny wireless VoIP tapping system in a single chip Linux unit
  • build a complete VoIP tapping system (rtpbreak would be just the RTP dissector module!)
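The core of what rtpbreak does is recognising RTP from the packet headers alone, grouping datagrams into streams and putting them back in order without any help from SIP or H.323. The following is an added Python example of that idea, written for this post and not taken from rtpbreak itself: it classifies UDP payloads as RTP or not using only the RFC 3550 header (version bits, payload type, RTCP collision range), keys streams on (source, destination, SSRC), reorders by sequence number while tolerating the 16-bit wrap, and reports loss. The capture it runs on is constructed inline, with hypothetical addresses.

```python
import struct
from collections import defaultdict


def build_rtp(seq, ts, ssrc, payload, pt=0, marker=0):
    """Build a minimal RTP packet (RFC 3550 fixed header, no CSRC/extension).
    Only used to construct the sample capture below."""
    b0 = 2 << 6                       # V=2, P=0, X=0, CC=0
    b1 = (marker << 7) | pt
    return struct.pack("!BBHII", b0, b1, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload


def parse_rtp(data):
    """Return the header fields if data plausibly is RTP, else None (no signaling needed)."""
    if len(data) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", data[:12])
    if b0 >> 6 != 2:                  # RTP version is always 2
        return None
    cc, x, pt = b0 & 0x0F, (b0 >> 4) & 1, b1 & 0x7F
    if 72 <= pt <= 76:                # RTCP packet types (200-204) land here with the marker bit
        return None
    hdr_len = 12 + 4 * cc
    if x:                             # header extension: 16-bit profile, 16-bit length in words
        if len(data) < hdr_len + 4:
            return None
        ext_words = struct.unpack("!H", data[hdr_len + 2:hdr_len + 4])[0]
        hdr_len += 4 + 4 * ext_words
    if len(data) < hdr_len:
        return None
    return {"pt": pt, "seq": seq, "ts": ts, "ssrc": ssrc,
            "marker": b1 >> 7, "payload": data[hdr_len:]}


def seq_offset(ref, seq):
    """Signed distance of seq from ref on the 16-bit ring, so a late packet from just
    before ref still sorts first, even across the 65535 -> 0 wrap."""
    return ((seq - ref + 0x8000) & 0xFFFF) - 0x8000


def reassemble(packets, min_packets=3):
    """Group UDP payloads by (src, dst, SSRC), drop non-RTP traffic, reorder by sequence
    number and concatenate the payloads. packets: iterable of (src, dst, bytes)."""
    streams = defaultdict(list)
    for src, dst, data in packets:
        hdr = parse_rtp(data)
        if hdr is not None:
            streams[(src, dst, hdr["ssrc"])].append(hdr)
    result = {}
    for key, pkts in streams.items():
        if len(pkts) < min_packets:   # a lone RTP-looking datagram is not a call
            continue
        ref = pkts[0]["seq"]
        pkts.sort(key=lambda h: seq_offset(ref, h["seq"]))
        offsets = [seq_offset(ref, h["seq"]) for h in pkts]
        span = offsets[-1] - offsets[0] + 1
        result[key] = {"pt": pkts[0]["pt"], "count": len(pkts),
                       "lost": span - len(set(offsets)),
                       "payload": b"".join(h["payload"] for h in pkts)}
    return result


# Constructed sample capture (not a real trace): one G.711 call whose sequence numbers
# wrap, with seq 1 lost and two packets swapped in transit, plus noise to be filtered.
CALL = ("10.0.0.5:16384", "10.0.0.9:20000")
SAMPLE_PACKETS = [
    (*CALL, build_rtp(65534, 160 * 0, 0x11111111, b"AA")),
    (*CALL, build_rtp(0,     160 * 2, 0x11111111, b"CC")),   # arrives before 65535
    (*CALL, build_rtp(65535, 160 * 1, 0x11111111, b"BB")),
    (*CALL, build_rtp(2,     160 * 4, 0x11111111, b"DD")),
    # RTCP sender report: version 2 but PT 200, which the filter rejects
    (*CALL, struct.pack("!BBHII", 0x80, 200, 6, 28, 0x11111111) + b"\x00" * 16),
    # a DNS query on another port: first byte is the ID, version bits are not 2
    ("10.0.0.5:53111", "10.0.0.1:53", b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"),
    # a short second stream, below the threshold
    (*CALL, build_rtp(7, 0, 0x22222222, b"xx")),
    (*CALL, build_rtp(8, 160, 0x22222222, b"yy")),
]


if __name__ == "__main__":
    for (src, dst, ssrc), s in reassemble(SAMPLE_PACKETS).items():
        print(f"{src} -> {dst} ssrc=0x{ssrc:08x} pt={s['pt']} packets={s['count']} "
              f"lost={s['lost']} bytes={len(s['payload'])}")
```

For payload type 0 the concatenated payload is raw 8 kHz u-law, which is exactly the sort of file the post says you then hand to sox (for example `sox -t ul -r 8000 -c 1 call.raw call.wav`). The version-bits and payload-type checks alone will still misclassify the occasional datagram, which is why the example insists on several packets sharing an SSRC before calling it a stream; a lost packet shows up as a gap in the offsets rather than as a crash, and the wrap-safe ordering is what lets a stream that started at 65534 come out as AABBCCDD instead of CCDDAABB.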

This project is released under the GPL version 2 license.

You can download rtpbreak 1.3a here:

rtpbreak-1.3a.tgz

Or read more here.


Patch Window Shrinking - Semi-Automated Reverse Engineering

As far as I know this has been happening for some time: sometimes a patch comes out for a vulnerability that many people don’t know about (including the hackers), so they work out what problem the patch fixes (possibly through reverse engineering) and then develop an exploit for the flaw.

It seems things are a little more advanced now with some semi-automated tools to do the job.

The length of time between the development of security patches and the development of exploits targeting the security holes they address has been dropping for some time.

Hackers exploit this period of time - the so-called patch window - to launch attacks against unpatched machines. Typically, exploits are developed by skilled hackers versed in the arcane intricacies of reverse engineering.

However, hackers have now begun using off-the-shelf tools to at least partially automate this process, a development that might lead to exploits coming out hours instead of days after the publication of patches.

It certainly does shorten the time between patch and exploit, and this is fairly new. Thankfully someone has taken it upon themselves to research this subject further and educate us all about it.

It’s a scary thought having a working exploit a few minutes after a patch is released! As you know many people don’t keep their patches up to date, and those that do might only apply them after a few days, so it gives the bad guys a dangerous window in which they can mass-exploit people.

Security researchers at Berkeley, the University of Pittsburgh, and Carnegie Mellon have launched a research project investigating the approach [PDF], which relies on comparing the configuration of patched and unpatched machines.

In some cases hackers are able to develop an exploit just minutes after receiving a patch. Fortunately, for now, the technique is rather hit and miss. More often than not the semi-automated process creates tools that only crash vulnerable applications, rather than creating a means to inject hostile code onto vulnerable machines.

Over time the technique is only likely to get more reliable.

I am certain the technique will get refined and become more efficient over time, as with everything; the fact that it exists shows the evolution of hacking and that the boundaries are always going to be pushed aside.

Certainly something interesting to keep an eye on.

Source: The Register


Sandman - Read the Windows Hibernation File

This is a pretty new tool and a very cool one. Hibernation is a fairly new feature for Windows, so it’s good to see a new tool targeting it.

Microsoft provides a feature called Hibernation, also known as suspend to disk, that saves the system state into an undocumented file called hiberfil.sys. This file contains all the physical memory saved by the Operating System and is restored the next time the computer is powered on. Live forensic analysis uses a physical memory dump to recover information about the targeted machine.

One of the main problems is obtaining a readable physical memory dump, and hibernation is an efficient way to save and load physical memory. Hibernation analysis has notable advantages: system activity is totally frozen, so coherent data is acquired and no software tool is able to block the analysis. The system is left perfectly functional after analysis, with no side effects.

The hibernation file opens two valuable doors:

The first one is forensics analysis for defensive computing. Hibernation is an efficient and easy way to get a physical memory dump. But the main issue about it was: How to read the hiberfil.sys? This is why SandMan was born.

The second one is a new concept we will be introducing and called “offensics” which is a portmanteau from “offensive” and “forensics”. If we can read hiberfil.sys, can we rewrite it? The answer is: Yes, with SandMan you can.

Sandman is a C library that reads the hibernation file regardless of Windows version, which makes it possible to do live forensic analysis on the dumped file.

For a good explanation and technical info I suggest you read the whitepaper:

SandMan Project, Whitepaper [PDF]

You can download Sandman here:

SandMan-1.0.080226.zip

Or read more here.


US Really Owns Your Data Now!

A while back we reported how US customs owns your data; now it’s getting even worse. Ten days ago a US appeals court gave them the right to COPY all your data without notice, even if there is no suspicion.

Anyone want to talk about dilution of intellectual property? Privacy? Or just basic human rights..

In a letter dated Thursday, the group, which includes the Electronic Frontier Foundation (EFF), the American Civil Liberties Union and the Business Travel Coalition, called on the House Committee on Homeland Security to ensure searches aren’t arbitrary or overly invasive. They also urged the passage of legislation outlawing abusive searches.

The letter comes 10 days after a US appeals court ruled Customs and Border Protection (CBP) agents have the right to rummage through electronic devices even if they have no reason to suspect the hardware holds illegal contents. Not only are they free to view the files during passage; they are also permitted to copy the entire contents of a device. There are no stated policies about what can and can’t be done with the data.

I hope the government takes some notice of the letter and the worries over this legislation, it is something that would bother a lot of people. Especially those from European countries where privacy is an utmost concern and strongly protected by the government.

The lack of guidelines as to what can be done with the data are worrying too, what if you have commercially valuable or proprietary information there…can they distribute it freely after copying it from you?

Several of the groups are also providing advice to US-bound travelers carrying electronic devices. The Association of Corporate Travel Executives is encouraging members to remove photos, financial information and other personal data before leaving home. This is good advice even if you’re not traveling to the US. There is no reason to store five years worth of email on a portable machine.

In this posting, the EFF agrees that laptops, cell phones, digital cameras and other gizmos should be cleaned of any sensitive information. Then, after passing through customs, travelers can download the data they need, work on it, transmit it back and then digitally destroy the files before returning.

The post also urges the use of strong encryption to scramble sensitive data, although it warns this approach is by no means perfect. For one thing, CBP agents are free to deny entry to travelers who refuse to divulge their passwords. They may also be able to seize the laptop.

If you don’t give up YOUR passwords to YOUR private information, they can refuse you entry, isn’t that just charming?

I agree clean everything before you travel, work from online data…it may be inconvenient but it’s surely better than having the US government copy it.

Oh well, I’ve never been to the US and I’m not planning to…so here is even less reason to go.

Source: The Register


CDPSnarf - CDP Packet Sniffer

CDPSnarf is a network sniffer written exclusively to extract information from CDP packets. It provides all the information a “show cdp neighbors detail” command would return on a Cisco router, and even more.

The application is written in C using the popular PCAP library.

Sample Output

Cisco AIR-AP1231G-E-K9 Access Point:


$ sudo ./cdpsnarf eth2
Waiting for a CDP packet...

[#0] Sniffed CDP advertisement with a size of 367 bytes.
——————————————————-
CDP Version: 2
TTL: 180 ms
Checksum: 0x7282

Device ID: cisco-ap.mydomain.net

Software version: Cisco IOS Software, C1200 Software (C1200-K9W7-M),
Version 12.3(8)JEA, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Wed 23-Aug-06 16:42 by kellythw

Platform: cisco AIR-AP1231G-E-K9

Addresses:  1
   Address #: 1
   Protocol type: [1] NLPID format
   Protocol: [0xCC] IP
   IP Address: 157.228.87.1

Port ID: Dot11Radio0

Capabilities:
   [0x02]       Transparent bridge
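To make the output above concrete, here is an added Python example (written for this post, not CDPSnarf's own code) that builds a CDP v2 body matching the access point fields shown, then parses it back: version, holdtime, checksum verification and the Device ID, Addresses, Port ID, Capabilities, Software version and Platform TLVs. The sample packet is constructed in the script, not captured. One caveat worth noting while reading the tool output: the CDP TTL (holdtime) field is in seconds, not milliseconds, and the checksum below is plain RFC 1071, which is exact for even-length bodies but not for the odd-length quirk Cisco uses.

```python
import socket
import struct

# CDP TLV types and capability bits as they appear on the wire (CDP is carried
# over LLC/SNAP, OUI 00:00:0c, protocol ID 0x2000; only the CDP body is handled here).
TLV_NAMES = {0x0001: "Device ID", 0x0002: "Addresses", 0x0003: "Port ID",
             0x0004: "Capabilities", 0x0005: "Software version", 0x0006: "Platform"}
CAPABILITY_BITS = [(0x01, "Router"), (0x02, "Transparent bridge"), (0x04, "Source route bridge"),
                   (0x08, "Switch"), (0x10, "Host"), (0x20, "IGMP capable"), (0x40, "Repeater")]


def cdp_checksum(data):
    """RFC 1071 one's-complement sum over the CDP body. Cisco handles a trailing odd
    byte differently from plain RFC 1071; this example zero-pads, which is exact for
    even-length bodies (the constructed sample below is even-length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tlv(tlv_type, value):
    """TLV length covers the 4-byte type/length header as well as the value."""
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def build_cdp(device_id, sw_version, platform, ip, port_id, caps, version=2, ttl=180):
    """Assemble a CDP body with the checksum filled in (used to construct the sample)."""
    # Addresses TLV: count, then per address: protocol type 1 (NLPID), protocol
    # length 1, protocol 0xCC (IP), 16-bit address length, address bytes.
    addr = struct.pack("!I", 1) + bytes([1, 1, 0xCC]) + struct.pack("!H", 4) + socket.inet_aton(ip)
    body = (tlv(0x0001, device_id.encode()) + tlv(0x0002, addr) + tlv(0x0003, port_id.encode())
            + tlv(0x0004, struct.pack("!I", caps)) + tlv(0x0005, sw_version.encode())
            + tlv(0x0006, platform.encode()))
    csum = cdp_checksum(struct.pack("!BBH", version, ttl, 0) + body)
    return struct.pack("!BBH", version, ttl, csum) + body


def parse_addresses(value):
    """Decode the Addresses TLV; IPv4 over NLPID 0xCC is rendered dotted, others as hex."""
    count = struct.unpack("!I", value[:4])[0]
    off, addrs = 4, []
    for _ in range(count):
        ptype, plen = value[off], value[off + 1]
        proto = value[off + 2:off + 2 + plen]
        alen = struct.unpack("!H", value[off + 2 + plen:off + 4 + plen])[0]
        raw = value[off + 4 + plen:off + 4 + plen + alen]
        off += 4 + plen + alen
        addrs.append(socket.inet_ntoa(raw) if (ptype, proto, alen) == (1, b"\xcc", 4) else raw.hex())
    return addrs


def parse_cdp(body):
    """Decode a CDP body (version, holdtime, checksum, TLVs) into a dict.
    The TTL/holdtime field is in seconds."""
    version, ttl, csum = struct.unpack("!BBH", body[:4])
    info = {"version": version, "ttl_seconds": ttl, "checksum": csum,
            "checksum_ok": cdp_checksum(body) == 0, "tlvs": {}}
    off = 4
    while off + 4 <= len(body):
        tlv_type, length = struct.unpack("!HH", body[off:off + 4])
        if length < 4 or off + length > len(body):
            raise ValueError(f"bad TLV length {length} at offset {off}")
        value = body[off + 4:off + length]
        name = TLV_NAMES.get(tlv_type, f"type 0x{tlv_type:04x}")
        if tlv_type == 0x0002:
            info["tlvs"][name] = parse_addresses(value)
        elif tlv_type == 0x0004:
            mask = struct.unpack("!I", value)[0]
            info["tlvs"][name] = [n for bit, n in CAPABILITY_BITS if mask & bit]
        else:
            info["tlvs"][name] = value.decode("ascii", "replace")
        off += length
    return info


# Constructed sample mirroring the access point in the output above (not a real capture).
SAMPLE_CDP = build_cdp(
    device_id="cisco-ap.mydomain.net",
    sw_version="Cisco IOS Software, C1200 Software (C1200-K9W7-M), Version 12.3(8)JEA",
    platform="cisco AIR-AP1231G-E-K9", ip="157.228.87.1", port_id="Dot11Radio0", caps=0x02)


if __name__ == "__main__":
    decoded = parse_cdp(SAMPLE_CDP)
    print(f"CDP v{decoded['version']} holdtime {decoded['ttl_seconds']} s "
          f"checksum 0x{decoded['checksum']:04x} ok={decoded['checksum_ok']}")
    for name, val in decoded["tlvs"].items():
        print(f"  {name}: {val}")
```

The length check on every TLV is the part that matters when pointing a parser like this at a real segment: CDP is unauthenticated and anything on the wire can send it, so a decoder that trusts the length field will read past the buffer on the first crafted frame. The checksum check is only integrity against line noise, not authenticity.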

You can download CDPSnarf here:

CDPSnarf 0.1.6

Or read more here.


AV Firms Split Over Defcon Contest

Now this is a pretty interesting contest from the guys at Defcon, antivirus evasion! It’s a question that gets asked a LOT…how do I avoid AV?

There are various ways to do it and I’ll be interested to see which are used in the contest, the most elegant solutions of course get better prizes.

Security firms have split over the merits of a hacking contest aimed against anti-virus packages planned for August’s Defcon conference.

Anti-virus firm Sophos reckons the exercise will serve only to increase the volume of malware in circulation, further taxing the resources of already hard-pressed security firms. However, net security services firm MessageLabs reckons the proposed Race to Zero competition has some merits as an exercise. It compared the wheeze to penetration testing against corporate networks.

During the proposed Race to Zero contest, delegates to the Defcon hacker conference will be invited to develop techniques to modify supplied virus samples so that these variants are able to evade detection by anti-virus packages. The contest will progress in difficulty leading to awards at its conclusion including “most elegant obfuscation” and “most deserving of beer” as well as an overall winner.

I am of course pro-knowledge, so I think this contest is a great idea. As stated, similar research conducted in the past has been useful, so why not this time?

Personally I think signature-based virus detection is very weak and heuristic scanning is nowhere near as good as it should be. The AV vendors need to get their collective acts together and develop some cool new stuff that effectively blocks unknown malware rather than permanently playing a catch-up game.

Contest organisers said that the exercise will help to demonstrate shortcomings in signature-based virus detection. They also want to highlight weaknesses among anti-virus vendors exposed by the testing process, which will involve passing modified samples through a number of antivirus engines housed on a closed portal. Modified samples will not be released into the wild, the organisers explain. Results of the contest, a fringe event planned outside the main Defcon conference programme, are due to be presented during the annual Las Vegas-based hacking jamboree.

Despite these assurances some security vendors are less than impressed. Graham Cluley, senior technology consultant for Sophos, said: “The last thing the world needs is more malware. It’s really disappointing to see that Defcon appears to be condoning the creation of malware in this way.

“If people really want to test the quality of different anti-virus products there are well established ways of doing it - and testing industry initiatives like AMTSO are working hard at improving standards,” he added.

I would have thought Sophos were amongst the more progressive AV vendors, but it seems not so. Anyway it’s definitely something to watch and we’ll be keeping an interested eye on it.

Source: The Register
