Archive | April, 2006

Homeland Security Scores an F for Internal Security AGAIN

Find your website's Achilles' Heel


Well I would have thought these guys should have had a little better security..

The Department of Homeland Security received an F (Failing) grade in cybersecurity from the House Government Reform Committee for the third year in a row. The Committee will likely give the Fed a D+ overall for its cybersecurity efforts. The grades will be unveiled today during a Committee oversight hearing, “Is the Government Ready for a Digital Pearl Harbor?” The grades are based on how well the comply with standards defined by the Federal Information Security Management Act (FISMA)

Homeland Scores an F

Better hope the cyber warfare cells from ‘enemy countries’ don’t notice this eh?

Source: Zdnet BlogsFull Chart


Posted in: General News

Tags: , , , , , ,

Posted in: General News | Add a Comment
Recent in General News:
- Teen Accused Of Hacking School To Change Grades
- Google’s Chrome Apps – Are They Worth The Risk?
- Twitter Breach Leaks 250,000 User E-mails & Passwords

Related Posts:

Most Read in General News:
- Hacking Still Can’t Outdo Stupidity for Data Leaks - 125,441 views
- eEye Launches 0-Day Exploit Tracker - 85,737 views
- Seattle Computer Security Expert Turns Tables On The Police - 44,367 views

Get protected with Sucuri


CIA Employees Identified Online

Find your website's Achilles' Heel


Pretty Scary eh?

Although some people do call them the Central Lack-of Intelligence Agency.

Privacy is a major issue and well people should be a little more careful about what they reveal online, perhaps I’ll rehash my old Google Hacking Presentation and write it up as a post for Darknet. I guess it would be interesting reading for many people.

Remember the Internet has memory now with Google Cache, MSN and Yahoo! are starting to Cache too and there are other services like http://web.archive.org that show the history of a site. So if you slip up and make something public on your domain, it may well come back to haunt you.

The identities of 2,600 Central Intelligence Agency (CIA) employees and the locations of two dozen of the agency’s covert workplaces in the United States can be found easily through Internet searches, according to an investigation by the Chicago Tribune.

The newspaper obtained the information from data providers who charge fees for access to public records and reported on its findings in Sunday editions. It did not publish the identities or other details on its searches, citing concern it could endanger the CIA employees.

I’ll talk about this kind of thing more in depth later as it is one of my areas of expertise, passive information gathering, the things people expose on the net, it’s pretty amazing really..and scary at times as this CIA example shows.

One of the facilities, a CIA training area dubbed “The Farm” at Camp Peary, Virginia, was a well-kept secret for decades. The agency refused to publicly acknowledge its existence, even after former CIA personnel confirmed its presence in the 1980s.

But the Tribune said an Internet search for the term “Camp Peary” produced data identifying the names and other details of 26 people who apparently work there.

Additionally, a review of aviation databases for flights at Camp Peary’s airstrip revealed 17 aircraft whose ownership and flight histories also could be traced.

Really, I think they should at least try and be a little more careful.

Source: Zdnet


Posted in: General Hacking, Privacy

Tags: , , , , , ,

Posted in: General Hacking, Privacy | Add a Comment
Recent in General Hacking:
- BADLOCK – Are ‘Branded’ Exploits Going Too Far?
- Dradis – Reporting Platform For IT Security Professionals
- Kid Gets Arrested For Building A Clock – World Goes NUTS

Related Posts:

Most Read in General Hacking:
- 10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery) - 1,171,877 views
- Hack Tools/Exploits - 630,955 views
- Password Cracking with Rainbowcrack and Rainbow Tables - 436,487 views

Get protected with Sucuri


Serious Vulnerability/Flaw Found in GPG – GnuPG

Find your website's Achilles' Heel


Just in case you didn’t read it, found this one in the archives.

A serious problem in the use of GPG to verify digital signatures has been discovered, which also affects the use of gpg in email. It is possible for an attacker to take any signed message and inject extra arbitrary data without affecting the signed status of the message. Depending on how gpg is invoked, it may be possible to output just faked data as several variants of this attack have been discovered. All versions of gnupg prior to 1.4.2.2 are affected, and it is thus recommended to update GnuPG as soon as possible to version 1.4.2.2

The problem is discussed in full here.

This new problem affects the use of *gpg* for verification of signatures which are _not_ detached signatures. The problem also affects verification of signatures embedded in encrypted messages; i.e. standard use of gpg for mails.

Keep it updated.


Posted in: Exploits/Vulnerabilities

Tags: , , , , , ,

Posted in: Exploits/Vulnerabilities | Add a Comment
Recent in Exploits/Vulnerabilities:
- PunkSPIDER – A Web Vulnerability Search Engine
- Dropbox Hacked – 68 Million User Accounts Compromised
- PowerOPS – PowerShell Runspace Portable Post Exploitation Tool

Related Posts:

Most Read in Exploits/Vulnerabilities:
- Learn to use Metasploit – Tutorials, Docs & Videos - 235,817 views
- AJAX: Is your application secure enough? - 120,265 views
- eEye Launches 0-Day Exploit Tracker - 85,737 views

Get protected with Sucuri


China taking control of it’s own DNS servers

Your website & network are Hackable


China are moving further away from the rest of the world when it comes to the Internet, taking control, making sure information doesn’t get out and making sure other people don’t have access to anything behind the Great Firewall of China.

China’s Ministry of Information Industry (MII) has made adjustment to China’s Internet domain name system in accordance with Article 6 of China Internet Domain Names Regulations.

After the adjustment, “.MIL” will be added under the top-level domain (TLD) name of “CN”.

A new Internet domain name system will take effect as of March 1 in China.

A pretty extensive system.

There’ll be 34 domain names for the organizations of China’s provinces, autonomous regions, municipalities directly under central government, and special administrative regions. They are mainly composed of the first letters of the Romanized spelling of the names of the regions, for example Beijing’s domain name is “BJ” and Shanghai’s is “SH”.

Source: People’s Daily Online


Posted in: General News

Tags: , , , ,

Posted in: General News | Add a Comment
Recent in General News:
- Teen Accused Of Hacking School To Change Grades
- Google’s Chrome Apps – Are They Worth The Risk?
- Twitter Breach Leaks 250,000 User E-mails & Passwords

Related Posts:

Most Read in General News:
- Hacking Still Can’t Outdo Stupidity for Data Leaks - 125,441 views
- eEye Launches 0-Day Exploit Tracker - 85,737 views
- Seattle Computer Security Expert Turns Tables On The Police - 44,367 views

Get protected with Sucuri


AJAX: Is your application secure enough?

Find your website's Achilles' Heel


Introduction

We see it all around us, recently. Web applications get niftier by the day by utilising the various new techniques recently introduced in a few web-browsers, like I.E. and Firefox. One of those new techniques involves using Javascript. More specifically, the XmlHttpRequest-class, or object.

Webmail applications use it to quickly update the list of messages in your Inbox, while other applications use the technology to suggest various search-queries in real-time. All this without reloading the main, sometimes image- and banner- ridden, page. (That said, it will most probably be used by some of those ads as well.)

Before we go into possible weaknesses and things to keep in mind when implementing an AJAX enabled application, first a brief description of how this technology works.

The Basics

Asynchronous Javascript and XML, dubbed AJAX is basically doing this. Let me illustrate with an example, an email application. You are looking at your Inbox and want to delete a message. Normally, in plain HTML applications, the POST or GET request would perform the action, and re-locate to the Inbox, effectively reloading it.

With the XmlHttpRequest-object, however, this request can be done while the main page is still being shown.

In the background a call is made which performs the actual action on the server, and optionally responds with new data. (Note that this request can only be made to the web-site that the script is hosted on: it would leave massive DoS possibilities if I can create an HTML page that, using Javascript, can request thousands of concurrent web-pages from a web-site. You can guess what happens if a lot of people would visit that page.)

The Question

Some web-enabled applications, such as for email, do have pretty destructive functionality that could possibly be abused. The question is — will the average AJAX-enabled web-application be able to tell the difference between a real and a faked XmlHttpRequest?

Do you know if your recently developed AJAX-enabled or enhanced application is able to do this? And if so — does it do this adequately?

Do you even check referrers or some trivial token such as the user-agent? Chances are you do not even know. Chances are that other people, by now, do.

Continue Reading →


Posted in: Countermeasures, Exploits/Vulnerabilities, Web Hacking

Tags: , , , , , , , , ,

Posted in: Countermeasures, Exploits/Vulnerabilities, Web Hacking | Add a Comment
Recent in Countermeasures:
- Bearded – Security Automation Platform
- An Introduction To Web Application Security Systems
- OpenIOC – Sharing Threat Intelligence

Related Posts:

Most Read in Countermeasures:
- AJAX: Is your application secure enough? - 120,265 views
- Password Hasher Firefox Extension - 117,882 views
- NDR or Backscatter Spam – How Non Delivery Reports Become a Nuisance - 57,751 views

Get protected with Sucuri


IE Address Bar Spoofing

Find your website's Achilles' Heel


I recently found on securityfocus mailinglist a bug in IE which can be exploited with a simple javascript code to spoof the address bar location…

This allow attacker inject a malicious shockwave-flash application into Internet Explorer while it is display another URL (even trusted sites).

The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 + Microsoft Windows XP SP2 and previous versions.
Sample code:


Perform the test

If you are vulnerable you will see the flash intro of buctuong.com while the address bar is http://www.microsoft.com/ If you have a very fast connection you may change my flash application to a larger one to make loading time take longer.

This spoofing technique discovered and proved by

Hai Nam Luke
K46A – NEU, Hanoi


Posted in: Exploits/Vulnerabilities

Tags: , , , , , ,

Posted in: Exploits/Vulnerabilities | Add a Comment
Recent in Exploits/Vulnerabilities:
- PunkSPIDER – A Web Vulnerability Search Engine
- Dropbox Hacked – 68 Million User Accounts Compromised
- PowerOPS – PowerShell Runspace Portable Post Exploitation Tool

Related Posts:

Most Read in Exploits/Vulnerabilities:
- Learn to use Metasploit – Tutorials, Docs & Videos - 235,817 views
- AJAX: Is your application secure enough? - 120,265 views
- eEye Launches 0-Day Exploit Tracker - 85,737 views

Get protected with Sucuri


The Tale of a Real Malaysian E-mail Spammer Exposed – Webflexx

Your website & network are Hackable


So a friend of mine received a spam, which is not unusual, but this one was a little different.

This guy is in Malaysia, and the spam he usually receives is from all over the place, mostly US-centric, but this one was targeting Malaysians, Malaysian spammer producing Malaysian spam, is it the first?

I asked for him to forward the mail to me so I could check it out, pretty standard spam.

Malaysian Spam

I then noticed Thunderbird was blocking some external images so I checked the source of the e-mail (The from address was pretty anonymous “eMarketer in Malaysia” dx8@tm.net.my).

Thunderbird Image Block

The source indeed revealed the location of the imbedded images:

Webflexx Spammer

http://www.webflexx.com/meng/wfx/

Fee Structure
RM288 – 150,000 emails (one day trial)
RM388 – 500,000 emails
RM688 – 1,000,000 emails
RM1376 – 2,000,000 emails
RM2064 – 3,000,000 emails + 1,000,000 emails FREE + ad design FREE!!

Reply with your contact number. Or call Ms Meng 012-205 1591 or Mr Lim 012- 302 3899

It seems this company webflexx does offer spamming services:

Direct E-mail Marketing

“direct email marketing” another term for spam right?

Notice the subdirectory of the spammer is /meng and the registrant of the webflexx domain is also an Ong Meng Foong, no coincidence right?

Webflexx Registration

24-2 Plaza Damansara Jalan Medan Setia 2,
Bukit Damansara,
KL,50490
MY
Tel. +603.22835898

Going up one directory allowed me to browse the /meng directory, quite a nice collection of stuff.

/meng Directory

Browsing through the /meng directory I also found a screenshot of a personal ‘blog’ from Meng Foong.

Meng Foong Blog

Now whilst I couldn’t quite make out the text of the URL I could see the name “Meng’s Fickle Rambling Sessions”, which I of course Googled and found his blog, you can have a read here:

http://omengos.blogspot.com/

Seems like a nice Christian boy…from his blog I also found his Flickr Page (Inactive) and his old Xanga page.

From browsing the sub-directories it seems his clients are sexual based so far, sex toys, condoms and so on.

Kinsei Corporation

Kinsei

I Need House

Ineedhouse

RMXXX

RMXXX

All his spam templates have this ‘disclaimer’ at the bottom:

Note: This email is meant for our potential clients. Should you have received it in error, please reply “unsubscribe” at the subject header. Thank you.

He or a friend named Amanda seems to be a student or ex-student of Help University college and a member of the Christian Fellowship there.

A quick Google Search on his site doesn’t yield much, just a couple more directories nothing interesting (/images and /multimedia).

I know people have to make a living, but spamming is not the way ok.

I hope no-one out there supports these spammers by paying them for these services, and no one of you uses any of these services advertised through spam.

There are plenty of pictures too in the http://www.webflexx.com/meng/ directory, check /tiomans and /kk to see :)

Have fun and remember don’t spam. If you really don’t know why spam is bad, read this.

Note: If you read this post by mistake, please e-mail Darknet with “unsubscribe” in the subject.

Digg This Article


Posted in: Spammers & Scammers

Tags: , , , , , , , , ,

Posted in: Spammers & Scammers | Add a Comment
Recent in Spammers & Scammers:
- Russian Cyber-Crime Market Doubled In 2011
- Android Trojan Targets Japanese Market – Steals Personal Data
- Ramnit Worm Stealing Facebook Account Passwords, E-mail Address & Bank Details

Related Posts:

Most Read in Spammers & Scammers:
- NDR or Backscatter Spam – How Non Delivery Reports Become a Nuisance - 57,751 views
- Pro ATM Hacker ‘Chao’ Gives Out ATM Hacking Tips - 36,710 views
- Twitter DM Phishing Scam - 28,969 views

Get protected with Sucuri


Google Safe Browsing Extension for Firefox & Netcraft Toolbar – Anti-Phishing

Your website & network are Hackable


I remember some time back Netcraft developed an anti-phishing toolbar for Internet Explorer Exploder and Firefox.

You can check it out here:

Netcraft Toolbar

  • Protect your savings from Phishing attacks.
  • See the hosting location and Risk Rating of every site you visit.
  • Help defend the Internet community from fraudsters.

Netcraft Toolbar

Then recently Google has come out with the Safe Browsing Extension for Firefox.

Google Safe Browsing is an extension to Firefox that alerts you if a web page that you visit appears to be asking for your personal or financial information under false pretences. This type of attack, known as phishing or spoofing, is becoming more sophisticated, widespread and dangerous. That’s why it’s important to browse safely with Google Safe Browsing. By combining advanced algorithms with reports about misleading pages from a number of sources, Safe Browsing is often able to automatically warn you when you encounter a page that’s trying to trick you into disclosing personal information.

Google Safebrowsing

Apparently Firefox 2 will include this anti-phishing technology, you can read more about the Safe Browsing Extension here.

There are various metrics you can use to sniff out Phishing sites such as local SSL certificates, domain names registered within the last 3 months, encoded URLS, redirects from Yahoo,
Google or AOL and so on.

Digg This Article


Posted in: Phishing, Security Software

Tags: , , , , , , , , ,

Posted in: Phishing, Security Software | Add a Comment
Recent in Phishing:
- Phishing Frenzy – E-mail Phishing Framework
- Gophish – Open-Source Phishing Framework
- sptoolkit Rebirth – Simple Phishing Toolkit

Related Posts:

Most Read in Phishing:
- Twitter DM Phishing Scam - 28,969 views
- yahoo password grabber - 19,161 views
- Digital Underground Offering Cheap Botnets For Hire - 15,535 views

Get protected with Sucuri


Slashdot Effect vs Digg Effect Traffic Report

Your website & network are Hackable


As I’ve been Digged about 5 times now…and somehow got Slashdotted (whilst I was sleeping) until my server crashed and my host started crying..and my bandwidth went out.

I can give a reasonable comparison between Slashdot and Digg traffic.

From what I’ve seen Digg traffic is between 4,000 and 20,000 hits depending what time it hits the front page, what position it’s in and what the article is about, this on the first day, of course the traffic keeps coming after that, but not as much as in the first few hours.

I can’t totally accurately measure the Slashdot traffic either, as by 40,000 unique visitors my server died when I woke up I did a 302 redirect to the Coral Cache version to take the load off my server.

Here are the traffic spikes for the recent 1st Slashdot, followed by the 4th Digg.

Slashdot vs Digg Traffic

As for RSS subscribers, Digg brought around 200 (20 to 200), Slashdot brought around 400 (180 to 540).

Slashdot vs Digg RSS

So from what I’ve seen Slashdot still seems to be doubling or tripling the traffic generated by Digg.

Still an amazing acheivement for Digg, it being a new site in comparison to Slashdot.

Pretty interesting to see the traffic, getting Slashdotted is amazing.

Digg This Story


Posted in: Site News

Tags: , , , , , ,

Posted in: Site News | Add a Comment
Recent in Site News:
- A Look Back At 2015 – Tools & News Highlights
- A Look Back At 2014 – Tools & News Highlights
- Yes – We Now Have A Facebook Page – So Please Like It!

Related Posts:

Most Read in Site News:
- Welcome to Darknet – The REBIRTH - 36,616 views
- Get the ball rollin’ - 19,006 views
- Slashdot Effect vs Digg Effect Traffic Report - 12,274 views

Get protected with Sucuri


P*rn Database Hacked – Buyers Exposed!

Your website & network are Hackable


Haha, well serves them right, get out and get laid guys.

Online payment company iBill on Thursday said a massive cache of stolen consumer data uncovered by security experts did not come from its database.

“I’m the first person that would have taken this to the FBI and the first person to have gone on 60 Minutes to say ‘we screwed up,’ if that were the case,” said iBill President Gary Spaniak Jr.

Two caches of stolen data were discovered separately by two security companies while conducting routine research into malicious software online. Both had file names that purportedly linked them to iBill.

Losers..but well iBill seems to be off the hook anyway, could be part of a massive Phishing scam.

He says as long as iBill stays in business, it will try to repay those webmasters. “Over $20 million has been paid back, we have plans for paying back another $18 million.”

James says the actual source of the stolen data remains a mystery. An FBI spokeswoman says the bureau wouldn’t investigate the breach unless the source of the leak comes forward to make a complaint.

Source: Wired News


Posted in: Database Hacking, Web Hacking

Tags: , , , , , , ,

Posted in: Database Hacking, Web Hacking | Add a Comment
Recent in Database Hacking:
- DBPwAudit – Database Password Auditing Tool
- VTech Hack – Over 7 Million Records Leaked (Children & Parents)
- Onapsis Bizploit v1.50 – SAP Penetration Testing Framework

Related Posts:

Most Read in Database Hacking:
- Pangolin – Automatic SQL Injection Tool - 77,222 views
- bsqlbf 1.1 – Blind SQL Injection Tool - 54,522 views
- SQLBrute – SQL Injection Brute Force Tool - 41,445 views

Get protected with Sucuri