Archive | October, 2008

E-mail Scammers Target Microsoft Users


Microsoft users are once again being targeted by malware via e-mail. Scammers and spammers never give up, and for once the e-mail looks fairly legitimate.

Usually this kind of ‘baitware’ is riddled with terrible grammar and spelling; do make sure you brief your less security-aware friends about this one, just in case.

Email scams are a common way to spread malware and/or steal personal information. Some great guidelines to help you protect yourself from such scams are outlined here.

We have recently found out about the latest in an ongoing string of email scams that target Microsoft customers. This particular scam contains the Backdoor:Win32/Haxdoor trojan as an attachment. We have seen a few emails targeting Microsoft customers that look like the email below:

It’s not the first time we’ve seen this attack vector used in this way, but most AV software with a recent signature file should catch this e-mail as it comes in.

It shouldn’t be a big problem for corporates.

The email is as follows:

Dear Microsoft Customer,

Please notice that Microsoft company has recently issued a Security Update
for OS Microsoft Windows. The update applies to the following OS versions:
Microsoft Windows 98, Microsoft Windows 2000, Microsoft Windows Millenium,
Microsoft Windows XP, Microsoft Windows Vista.

Please notice, that present update applies to high-priority updates
category. In order to help protect your computer against security
threats and performance problems, we strongly recommend you to
install this update.

Since public distribution of this Update through the official website
http://www.microsoft.com would have result in efficient creation of a
malicious software, we made a decision to issue an experimental private
version of an updatefor all Microsoft Windows OS users.


As your computer is set to receive notifications when new updates are
available, you have received this notice.

In order to start the update, please follow the step-by-step instruction:
1. Run the file, that you have received along with this message.
2. Carefully follow all the instructions you see on the screen.

If nothing changes after you have run the file, probably in the settings
of your OS you have an indication to run all the updates at a background
routine. In that case, at this point the upgrade of your OS will be finished.

We apologize for any inconvenience this back order may be causing you.

Thank you,

Steve Lipner
Director of Security Assurance
Microsoft Corp.

Once again, be aware; perhaps stick a rule in your IDS at the mail gateway so you know if this one comes in.

And do tell people about it!
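A mail-gateway filter along the lines suggested above, as an added example that is not from the post or from Microsoft; the rule set, the two sample messages and their addresses are all constructed for this illustration:

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed rule set drawn from the scam message quoted above.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat")
BODY_PHRASES = (
    "run the file, that you have received",
    "experimental private version",
    "director of security assurance",
)

def scan_message(raw):
    """Return the list of indicators that fired for one RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    # 1. Executable attachment: a genuine Windows update is never mailed as a file.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXECUTABLE_EXTENSIONS):
            hits.append("executable attachment: " + name)
    # 2. Sender claims to be Microsoft but the address is not under microsoft.com.
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    if "microsoft" in (display + address).lower() and not (
        domain == "microsoft.com" or domain.endswith(".microsoft.com")
    ):
        hits.append("sender impersonates Microsoft from " + (domain or "<no domain>"))
    # 3. Wording lifted from the scam body (plain text preferred, HTML as fallback).
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    for phrase in BODY_PHRASES:
        if phrase in text:
            hits.append("phrase: " + phrase)
    return hits

def verdict(raw):
    """Quarantine on any executable attachment, or on two or more other indicators."""
    hits = scan_message(raw)
    if any(h.startswith("executable attachment") for h in hits) or len(hits) >= 2:
        return "quarantine"
    return "deliver"

def build_scam_sample():
    """Constructed look-alike of the quoted scam, with a dummy .exe attached."""
    msg = EmailMessage()
    msg["From"] = "Microsoft Security Update <update@win-update.example>"
    msg["To"] = "customer@example.net"
    msg["Subject"] = "Security Update for OS Microsoft Windows"
    msg.set_content(
        "Dear Microsoft Customer,\n\n"
        "We made a decision to issue an experimental private version of an update.\n"
        "1. Run the file, that you have received along with this message.\n\n"
        "Steve Lipner\nDirector of Security Assurance\nMicrosoft Corp.\n"
    )
    msg.add_attachment(b"MZ\x90\x00constructed-dummy", maintype="application",
                       subtype="octet-stream", filename="WindowsUpdate.exe")
    return msg.as_bytes()

def build_benign_sample():
    """Constructed legitimate-looking notice: no attachment, no scam wording."""
    msg = EmailMessage()
    msg["From"] = "Microsoft Security <notify@microsoft.com>"
    msg["To"] = "customer@example.net"
    msg["Subject"] = "Security bulletin summary"
    msg.set_content("Visit Windows Update from the Start menu to install updates.\n")
    return msg.as_bytes()
```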

Source: Microsoft Technet (Thanks Navin)


Posted in: Malware, Spammers & Scammers

Firewalk – Firewall Ruleset Testing Tool


This is another oldskool tool, but still relevant! TCP and UDP still work in the same way and firewalls/edge devices are still often configured wrongly.

Firewalk is an active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device will pass. Firewalk works by sending out TCP or UDP packets with a TTL one greater than the targeted gateway. If the gateway allows the traffic, it will forward the packets to the next hop, where they will expire and elicit an ICMP_TIME_EXCEEDED message. If the gateway host does not allow the traffic, it will likely drop the packets on the floor and we will see no response.

To get the correct IP TTL that will result in expired packets one hop beyond the gateway, we need to ramp up hop counts. We do this in the same manner that traceroute works. Once we have the gateway hop count (at that point the scan is said to be bound) we can begin our scan.

It is significant to note the fact that the ultimate destination host does not have to be reached. It just needs to be somewhere downstream, on the other side of the gateway, from the scanning host.
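The ramping and scanning phases described above, as an added example written for this post rather than Firewalk's own code. The network is a constructed in-memory model (the hop addresses and the ruleset are made up) so nothing is sent on the wire; it also shows the point that the final host is never reached, only the hop just past the gateway:

```python
from dataclasses import dataclass

TIME_EXCEEDED = "ICMP_TIME_EXCEEDED"
DEST_REPLY = "DESTINATION_REPLY"   # RST / port-unreachable from the final host

@dataclass
class ModelPath:
    """Constructed model of the path from the scanner: hop addresses in order,
    which hop (1-based) is the filtering gateway, and the (proto, port) pairs its
    ruleset forwards. Everything else is dropped silently. The model lets the
    gateway expire a TTL before applying its ruleset, which is what the ramping
    phase relies on."""
    hops: list
    gateway_hop: int
    allowed: set

    def send(self, proto, dport, ttl):
        """Return (responding_address, response) for one probe, or (None, None)
        when the probe is dropped on the floor."""
        for hop_no, address in enumerate(self.hops, start=1):
            if ttl == hop_no:
                return address, TIME_EXCEEDED       # TTL expires at this hop
            if hop_no == self.gateway_hop and (proto, dport) not in self.allowed:
                return None, None                   # default-drop ruleset
        return self.hops[-1], DEST_REPLY            # TTL reached the final host


def bind_hopcount(path, proto, dport, max_ttl=30):
    """Ramping phase: raise the TTL one hop at a time, traceroute-style, until
    the time-exceeded message comes back from the gateway itself."""
    gateway = path.hops[path.gateway_hop - 1]
    for ttl in range(1, max_ttl + 1):
        responder, response = path.send(proto, dport, ttl)
        if response == TIME_EXCEEDED and responder == gateway:
            return ttl
    raise RuntimeError("gateway never answered; scan cannot be bound")


def firewalk(path, hopcount, proto, ports):
    """Scanning phase: probe each port with TTL = hopcount + 1 and classify it."""
    results = {}
    for port in ports:
        responder, response = path.send(proto, port, hopcount + 1)
        if response == TIME_EXCEEDED:
            results[port] = ("open", responder)     # forwarded, expired one hop past
        elif response is None:
            results[port] = ("filtered", None)      # dropped by the ruleset
        else:
            results[port] = ("unbound", responder)  # reached the host: hop count wrong
    return results


# Constructed topology: gateway is hop 3, the target host sits two hops behind it.
DEMO_PATH = ModelPath(
    hops=["10.0.0.1", "10.0.1.1", "198.51.100.1", "192.0.2.1", "192.0.2.50"],
    gateway_hop=3,
    allowed={("tcp", 80), ("tcp", 443), ("udp", 53)},
)

def demo():
    """Bind the scan, then walk three TCP ports through the model gateway."""
    hopcount = bind_hopcount(DEMO_PATH, "tcp", 80)
    return hopcount, firewalk(DEMO_PATH, hopcount, "tcp", [22, 80, 443])
```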

Read the original 1998 whitepaper here.

You can download Firewalk here:

firewalk.tar.gz

Or read more here.


Posted in: General Hacking

p0f – Advanced Passive OS Fingerprinting Tool


Ah can’t believe I haven’t posted about this one before, one of my favourite tools! It was a big breakthrough to have a passive OS-fingerprinting tool after relying on Nmap and Xprobe2 for the longest time.

OS fingerprinting is a very important part of a pen-test during the information gathering stage.

P0f v2 is a versatile passive OS fingerprinting tool. P0f can identify the operating system on:

  • machines that connect to your box (SYN mode),
  • machines you connect to (SYN+ACK mode),
  • machine you cannot connect to (RST+ mode),
  • machines whose communications you can observe.

P0f can also do many other tricks, and can detect or measure the following:

  • firewall presence, NAT use (useful for policy enforcement),
  • existence of a load balancer setup,
  • the distance to the remote system and its uptime,
  • other guy’s network hookup (DSL, OC3, avian carriers) and his ISP.

All this even when the device in question is behind an overzealous packet firewall, when our favourite active scanner can’t do much. P0f does not generate ANY additional network traffic, direct or indirect. No name lookups, no mysterious probes, no ARIN queries, nothing. How? It’s simple: magic. Find out more here.

P0f is quite useful for gathering all kinds of profiling information about your users, customers or attackers (IDS, honeypot, firewall), tech espionage (laugh…), active or passive policy enforcement (restricting access for certain systems or otherwise handling them differently; or detecting guys with illegal network hookups using masquerade detection), content optimization, pen-testing (especially with SYN+ACK and RST+ACK modes), thru-firewall fingerprinting… plus all the tasks active fingerprinting is suitable for. And, of course, it has a high coolness factor, even if you are not a sysadmin.

P0f v2 is lightweight, secure and fast enough to be run almost anywhere, hands-free for an extended period of time.
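How a passive fingerprinter pulls a signature out of a single SYN, as an added example that is not p0f's code. The signature table and the captured packet are constructed for illustration (the table is not p0f's real p0f.fp), and the hop-distance estimate uses the initial-TTL-minus-observed-TTL idea behind the "distance to the remote system" figure mentioned above:

```python
import struct

# Option kinds rendered p0f-style: M=MSS, W=window scale, S=SACK permitted,
# T=timestamp, N=NOP, E=end of options.
OPTION_LETTERS = {0: "E", 1: "N", 2: "M", 3: "W", 4: "S", 8: "T"}

# Hypothetical signature table (constructed for this example, not p0f's real p0f.fp).
# Key: (window size, initial TTL, DF bit, option order).
SIGNATURES = {
    (5840, 64, 1, "M,S,T,N,W"): "Linux 2.6-style stack (constructed)",
    (65535, 128, 1, "M,N,W,N,N,S"): "Windows XP-style stack (constructed)",
    (65535, 64, 1, "M,N,W,N,N,T,S,E"): "FreeBSD-style stack (constructed)",
}

def initial_ttl(observed):
    """Stacks start at 32, 64, 128 or 255; assume the smallest that fits."""
    for start in (32, 64, 128, 255):
        if observed <= start:
            return start
    raise ValueError("impossible TTL")

def parse_options(opts):
    """Walk the TCP option block; return (order string, {mss, wscale})."""
    order, values, i = [], {}, 0
    while i < len(opts):
        kind = opts[i]
        order.append(OPTION_LETTERS.get(kind, "?"))
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP has no length byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option")
        length, data = opts[i + 1], opts[i + 2:i + opts[i + 1]]
        if kind == 2:
            values["mss"] = struct.unpack("!H", data)[0]
        elif kind == 3:
            values["wscale"] = data[0]
        i += length
    return ",".join(order), values

def fingerprint(frame):
    """Passively fingerprint one captured IPv4 SYN (bytes, link layer stripped)."""
    if (frame[0] >> 4) != 4:
        raise ValueError("not IPv4")
    ihl = (frame[0] & 0x0F) * 4
    df = (struct.unpack("!H", frame[6:8])[0] >> 14) & 1
    ttl, proto = frame[8], frame[9]
    if proto != 6:
        raise ValueError("not TCP")
    tcp = frame[ihl:]
    off_flags, window = struct.unpack("!HH", tcp[12:16])
    if (off_flags & 0x12) != 0x02:
        raise ValueError("not a bare SYN")
    order, values = parse_options(tcp[20:(off_flags >> 12) * 4])
    ttl0 = initial_ttl(ttl)
    return {
        "window": window, "ttl": ttl, "initial_ttl": ttl0,
        "distance": ttl0 - ttl,             # hops between the sender and the sensor
        "df": df, "options": order, **values,
        "os": SIGNATURES.get((window, ttl0, df, order), "unknown"),
    }

def build_sample_syn():
    """Constructed SYN 203.0.113.9 -> 192.0.2.10:80, 7 hops away, Linux-style
    options. Checksums are left zero; the fingerprinter never checks them."""
    options = (b"\x02\x04\x05\xb4"            # MSS 1460
               b"\x04\x02"                    # SACK permitted
               b"\x08\x0a" + b"\x00" * 8      # timestamp
               + b"\x01"                      # NOP
               + b"\x03\x03\x07")             # window scale 7
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 0x1234ABCD, 0,
                      (((20 + len(options)) // 4) << 12) | 0x002, 5840, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(options), 0x1A2B,
                     0x4000, 57, 6, 0, bytes([203, 0, 113, 9]), bytes([192, 0, 2, 10]))
    return ip + tcp + options
```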

You can download p0f v2 here:

p0f.tgz
p0f for Windows

Or read more here.


Posted in: Hacking Tools, Network Hacking

Symantec to Buy MessageLabs (Email Spam and Web Traffic Filter)


Some interesting security industry news: it seems like Symantec is really setting itself up to be the Microsoft of the security world.

They are buying up anything and everything and merging it into the Symantec borg…things that are successful of course. Their latest acquisition is the popular MessageLabs, a good example of both cloud computing and the software-as-a-service model.

It’s a large market, especially with the level of spam and junk on the web companies have to deal with, not only to keep themselves safe from technical threats but also to stop their employees surfing sites that could potentially cause liabilities in the office.

Symantec will pay $695 million for MessageLabs, a security vendor that offers a hosted spam and Web traffic filtering service.

MessageLabs offers its services as a monthly subscription. The filtering is performed within the company’s 14 data centers located around the world, a type of computing known as “software as a service” or cloud computing. It also can route a company’s Web traffic through its filters to block potentially harmful Web sites as well as scan instant messages.

Software-as-a-service offerings have been increasingly popular with businesses since it frees administrators from installing software upgrades and performing other maintenance tasks they would have to do in-house. MessageLabs’ subscribers turn over the management of their e-mail and Web traffic security to the company and do not have to install on-site equipment.

It’s a pretty big sum of money, but then I guess MessageLabs has some pretty solid financials. They have been around for quite a long time and have a good subscriber base.

This will jump Symantec right up there above Google and Microsoft in this market. It’s always good to have these kind of subscription services too as they provide a steady and dependable income.

For Symantec, the acquisition of MessageLabs gives it an alternative e-mail security offering to BrightMail, the company’s antispam and antivirus appliance.

“We think the opportunity to expand our footprint in the rapidly growing software-as-a-service market is significantly enhanced by this team becoming part of Symantec,” Symantec CEO John Thompson said in a conference call to discuss the deal.

MessageLabs holds a 29.7% share of the hosted security services market, followed by Google, which owns Postini, at 18.7% and Microsoft at 8.7%, according to Symantec. Before this acquisition, Symantec held just 1.1%.

MessageLabs’ service will be integrated into the Symantec Protection Network, an online-based backup, data restoration and remote access service launched in April 2007 for small to midsize businesses. Symantec will put its Protection Network services within MessageLabs’ data centers.

As part of the Symantec Protection Network I hope it doesn’t get slow and bloaty like some of the other Symantec offerings.

I wonder if in 5 years any successful and/or reasonably large security offering won’t be owned by Google, Microsoft or Symantec!

Source: Network World


Posted in: Countermeasures, Spammers & Scammers

NetStumbler – Windows Freeware to Detects Insecure Wireless Networks


Another one from the old school, this tool has been around forever since way before wardriving was fashionable and when people still used pringles cans for antenna boosting.

It’s a favourite amongst Windows users; although it can’t do any real hacking (like breaking a WEP key), it’s extremely fast and efficient at detecting open WAPs.

What is NetStumbler?

NetStumbler is a tool for Windows that allows you to detect Wireless Local Area Networks (WLANs) using 802.11b, 802.11a and 802.11g. It has many uses:

  • Verify that your network is set up the way you intended.
  • Find locations with poor coverage in your WLAN.
  • Detect other networks that may be causing interference on your network.
  • Detect unauthorized “rogue” access points in your workplace.
  • Help aim directional antennas for long-haul WLAN links.
  • Use it recreationally for WarDriving.

General Requirements

The requirements for NetStumbler are somewhat complex and depend on hardware, firmware versions, driver versions and operating system. The best way to see if it works on your system is to try it.

Some configurations have been extensively tested and are known to work. These are detailed at http://www.stumbler.net/compat. If your configuration works but is not listed, or is listed but does not work, please follow the instructions on the web site.

The following are rules of thumb that you can follow in case you cannot reach the web site for some reason.

  • This version of NetStumbler requires Windows 2000, Windows XP, or better.
  • The Proxim models 8410-WD and 8420-WD are known to work. The 8410-WD has also been sold as the Dell TrueMobile 1150, Compaq WL110, Avaya Wireless 802.11b PC Card, and others.
  • Most cards based on the Intersil Prism/Prism2 chip set also work.
  • Most 802.11b, 802.11a and 802.11g wireless LAN adapters should work on Windows XP. Some may work on Windows 2000 too. Many of them report inaccurate Signal strength, and if using the “NDIS 5.1” card access method then Noise level will not be reported. This includes cards based on Atheros, Atmel, Broadcom, Cisco and Centrino chip sets.
  • I cannot help you figure out what chip set is in any given card.

Firmware Requirements

If you have an old WaveLAN/IEEE card then please note that the WaveLAN firmware (version 4.X and below) does not work with NetStumbler. If your card has this version, you are advised to upgrade to the latest version available from Proxim’s web site. This will also ensure compatibility with the 802.11b standard.

You can download NetStumbler 0.4.0 here:

NetStumblerInstaller_0_4_0.exe

Or read more here (tutorial here).


Posted in: Hacking Tools, Network Hacking, Wireless Hacking

MI6 Sells Digital Camera on Ebay Containing Terrorist Images


Another classic data leakage….and once again it happened on Ebay! This time it’s a British agency known as MI6 (Secret Intelligence Service) demonstrating a distinct lack of intelligence.

How on earth does something like this even happen? Even smaller agencies and companies I’ve worked with have rigorous data destruction policies for when old equipment is recycled or sold off; I’m sure MI6 has something similar.

The UK government is investigating how a digital camera containing terrorist images apparently taken by MI6 was sold on eBay.

The Nikon CoolPix camera was bought for £17 by a 28 year-old man from Hertfordshire and contained the names of al-Qaeda members, fingerprints and suspects’ academic records as well as pictures of rocket launchers and missiles, according to The Sun.

A Foreign Office spokeswoman said: “We can confirm that a police investigation is under way.”

However she refused to comment on whether the camera was put on sale by an MI6 operative, despite it containing details of MI6’s computer network.

Terrorist information, names and more for only £17! What a bargain.

It does puzzle me a bit though: why would all of these documents be stored on a camera? Perhaps someone was using the camera to covertly move documents out of MI6?

It seems odd for anything other than images to be on a CoolPix.

MI6 is the foreign intelligence service for the UK government with a broadly similar remit as the US CIA.

Terrorism author Neil Doyle said: “These are MI6 documents relating to an operation against al-Qaeda insurgents in Iraq. It’s jaw-dropping that they got into the public domain.

“Not only do they divulge secrets about operations, operating systems and previously unheard-of MI6 departments, but they could put lives at risk.”

Really bad PR for the agency I must say…at least no harm came of it and it was exposed so hopefully someone in power will do something about it and make sure the policies that I’m sure they have are implemented and enforced properly.

There’s no point having policies and procedures if they aren’t enforced, it’s not just good to do the paperwork, you have to put it in practice too!

Source: Vnunet


Posted in: Legal Issues, Privacy

fwknop – Port Knocking Tool with Single Packet Authorization


Port Knocking came about in around 2003, but it has various weaknesses. There are plenty of implementations though (some quite advanced). Most of the problems are fixed, however, by fwknop!

fwknop stands for the “FireWall KNock OPerator”, and implements an authorization scheme called Single Packet Authorization (SPA). This method of authorization is based around a default-drop packet filter (fwknop supports both iptables on Linux systems and ipfw on FreeBSD and Mac OS X systems) and libpcap.

SPA requires only a single encrypted packet in order to communicate various pieces of information including desired access through a firewall policy and/or complete commands to execute on the target system. By using a firewall to maintain a “default drop” stance, the main application of fwknop is to protect services such as OpenSSH with an additional layer of security in order to make the exploitation of vulnerabilities (both 0-day and unpatched code) much more difficult.

With fwknop deployed, anyone using nmap to look for sshd can’t even tell that it is listening; it makes no difference if they have a 0-day exploit or not. The authorization server passively monitors authorization packets via libpcap and hence there is no “server” to which to connect in the traditional sense. Access to a protected service is only granted after a valid encrypted and non-replayed packet is monitored from a fwknop client.

  • Single Packet Authorization retains the benefits of Port Knocking (i.e. service protection behind a default-drop packet filter), but has the following advantages over Port Knocking: SPA can utilize asymmetric ciphers for encryption. Asymmetric ciphers typically have larger key sizes than symmetric ciphers, and the data transmission rate of port knocking (which uses packet headers instead of packet payloads as used by SPA) is not sufficient to effectively use an asymmetric cipher. SPA is compatible with 2048-bit Elgamal GnuPG keys, and other asymmetric ciphers can be used as well.
  • SPA packets are non-replayable. There are strategies (such as S/Key-style iteration of a hash function) used by port knocking implementations to reduce the danger of a replayed knock sequence, but these strategies are relatively brittle and not generally very scalable to lots of users.
  • SPA cannot be broken by trivial sequence busting attacks. For any attacker who can monitor a port knocking sequence, the sequence can be busted by simply spoofing a duplicate packet (as though it comes from the source of the real sequence) to the previous port in a sequence.
  • SPA only sends a single packet over the network, and hence does not look like a port scan to any intermediate IDS that may be watching.
  • SPA is much faster because it only sends a single packet. Port knocking implementations must build in time delays between successive packets because there is no guarantee of in-order delivery.
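The non-replayable single packet from the list above, as an added example that is not fwknop's own code or packet format. It substitutes an HMAC-authenticated payload for fwknop's encryption (the post mentions GnuPG keys), so a real deployment would encrypt the body as well; the shared key, addresses and timestamps are constructed for the illustration:

```python
import base64
import hashlib
import hmac
import json
import os
import time

SHARED_KEY = b"constructed-demo-key-do-not-reuse"   # constructed, shared out of band
WINDOW_SECONDS = 120                                  # how old a packet may be
TAG_LEN = hashlib.sha256().digest_size

def build_spa_packet(key, client_ip, proto, port, now=None):
    """Client side: one self-contained request, unique because of the random nonce."""
    body = {
        "nonce": base64.b64encode(os.urandom(16)).decode(),
        "ts": int(time.time() if now is None else now),
        "src": client_ip,
        "access": "%s/%d" % (proto, port),
    }
    raw = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, raw, hashlib.sha256).digest()
    return base64.b64encode(raw + tag)

class SpaServer:
    """Server side: sits behind a default-drop filter, sniffing rather than listening."""
    def __init__(self, key):
        self.key = key
        self.seen = set()   # digests of packets already honoured (the replay cache)
        self.rules = []     # (source, proto/port) holes punched in the filter

    def handle(self, packet, now=None):
        now = int(time.time() if now is None else now)
        try:
            blob = base64.b64decode(packet, validate=True)
        except (ValueError, TypeError):
            return "invalid"
        raw, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(self.key, raw, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "bad-auth"          # wrong key or tampered payload: silently dropped
        digest = hashlib.sha256(blob).hexdigest()
        if digest in self.seen:
            return "replay"            # identical packet captured and resent
        body = json.loads(raw)
        if abs(now - body["ts"]) > WINDOW_SECONDS:
            return "stale"             # outside the time window, never cached
        self.seen.add(digest)
        self.rules.append((body["src"], body["access"]))
        return "accepted"

def flip_byte(packet, index):
    """Helper: corrupt one byte of the decoded packet and re-encode it."""
    blob = bytearray(base64.b64decode(packet))
    blob[index] ^= 0x01
    return base64.b64encode(bytes(blob))
```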

You can download fwknop-1.9.8 here:

fwknop-1.9.8.tar.gz
Windows UI

Or read more here.


Posted in: Countermeasures, Network Hacking, Security Software

THC-ePassports – THC Clones Biometric ePassport – Elvis Presley Passport


I guess most people have been led to believe this new generation of ePassports or biometric passports are more secure, will help us keep our privacy intact and help us mitigate against identity theft.

Well how wrong the propaganda is! THC (famous for their tools and research in security) has just released some technical information, tools and a video which shows their cloned passport being read and verified by a passport reader.

The government plans to use ePassports at Immigration and Border Control. The information is electronically read from the Passport and displayed to a Border Control Officer or used by an automated setup. THC has discovered weaknesses in the system to (by)pass the security checks. The detection of fake passport chips does not work. Test setups do not raise alerts when a modified chip is used. This enables an attacker to create a Passport with an altered Picture, Name, DoB, Nationality and other credentials.

The manipulated information is displayed without any alarms going off. The exploitation of this loophole is trivial and can be verified using thc-epassport. Regardless how good the intention of the government might have been, the facts are that tested implementations of the ePassports Inspection System are not secure.

The passport reader appears to be in the Netherlands, at a guess, but all the passports in use are the same, just with slightly different templates.

Nice to see you again Mr Presley…imagine what could be done with this flaw in the system? I wonder if anything will be done about this, or if it’ll just be brushed under the carpet and remain knowledge of the security community.

Source: freeworld.thc


Posted in: Cryptography, Hardware Hacking, Privacy

Superscan v4.0 – Fast TCP & UDP Port Scanner for Windows


This is another tool that has been around for a long time, and I’ve been using it for years since its earliest versions; oddly, however, I’ve never posted about it.

So here it is for the few of you that haven’t heard of it: probably the best port scanner on the Windows platform, very fast and compact, with good banner grabbing functionality.

SuperScan 4 is an update of the highly popular Windows port scanning tool, SuperScan.

Windows XP Service Pack 2 has removed raw sockets support which now limits SuperScan and many other network scanning tools. Some functionality can be restored by running the following at the Windows command prompt before starting SuperScan:

Same goes if you’re using nmap for Windows.

Features

Here are some of the new features in this version.

  • Superior scanning speed
  • Support for unlimited IP ranges
  • Improved host detection using multiple ICMP methods
  • TCP SYN scanning
  • UDP scanning (two methods)
  • IP address import supporting ranges and CIDR formats
  • Simple HTML report generation
  • Source port scanning
  • Fast hostname resolving
  • Extensive banner grabbing
  • Massive built-in port list description database
  • IP and port scan order randomization
  • A selection of useful tools (ping, traceroute, Whois etc)
  • Extensive Windows host enumeration capability

You can download Superscan v4.0 here:

Superscan v4.0

Or read more here.

Note that SuperScan 4 is intended for Windows 2000 and XP only. Administrator privileges are required to run the program. It will not run on Windows 95/98/ME. You may need to try SuperScan v3 if this will not work with your system.


Posted in: Hacking Tools, Network Hacking, Windows Hacking
