Archive | October, 2010

Facebook Introduces OTP (One-time Password) Functionality

Find your website's Achilles' Heel


Nice to see an innovation on the security front for once rather than endless ‘feature’ updates and announcements of ‘the next big thing’. Facebook has had its fair share of security woes so it’s nice to see they are doing something which I think may be genuinely useful for it’s burgeoning user base.

A lot of banks use a similar system labeled as a TAC (Transaction Authorisation Code) or similar when you want to carry out a transaction which involves moving money out from your account (bill payment, fund transfers etc).

Facebook began rolling out new service on Tuesday that allows people using public computers to log into the site without having to enter their regular password.

Instead, users can login with a one-time password that, upon request, Facebook zaps to their mobile phones. The temporary access code is good for 20 minutes only. The new feature is designed to prevent account compromises that result when credentials are entered into machines that have been compromised by keyloggers and similar types of malware.

“We’re launching one-time passwords to make it safer to use public computers in places like hotels, cafes or airports,” Jake Brill, a Facebook product manager, blogged here. “If you have any concerns about security of the computer you’re using while accessing Facebook, we can text you a one-time password to use instead of your regular password.”

I think it’s a useful thing for Facebook users on the move who may not want to use their proper password on a public computer in an airport or cybercafe for example as they may be infected with malware.

Of course the pessimists and conspiracy theorists will say Facebook is just running a ruse to gather more mobile phone numbers from their user base to leverage more data and improve their ability to suggest connections.


To use the service, users must first configure their accounts to work with a designated mobile phone number. When they text “otp” to 32665, they should immediately receive a password that’s good for the next 20 minutes. The feature is available to select Facebook users for now. Over the next few weeks, it will gradually become available to everyone.

Brill unveiled two other features that are also intended to give users more control over their accounts. One allows users to remotely sign out of accounts. It’s useful in cases when someone forgets to log off of a computer and only later realizes he’s still logged in. In the past, the person had to access the computer to be logged off, but the new service allows this to happen remotely. Users can check to see if they’re still logged in from their Facebook account settings page.

A third service will regularly prompt users to update their security information, Brill said. Facebook uses the information to verify users in the event a password is lost or compromised.

I’m not sure what country this service is rolling out in, but I’d guess it’s probably US-centric and will stay that way for some time. They should use an international number as it’s most likely you’d want to login from a publication location when traveling.

No doubt they’ll address some issues as for now the service is a testing phase and only available to certain users.

The other new security related features are remote log-out, which Gmail from Google has had forever – if you didn’t know about the feature just scroll to the very bottom of the Gmail window and you’ll see something like this:

Source: The Register


Posted in: Countermeasures, Cryptography, Privacy, Web Hacking

Tags: , , , , , , , , , , ,

Posted in: Countermeasures, Cryptography, Privacy, Web Hacking | Add a Comment
Recent in Countermeasures:
- OpenIOC – Sharing Threat Intelligence
- Cuckoo Sandbox – Automated Malware Analysis System
- Fully Integrated Defense Operation (FIDO) – Automated Incident Response

Related Posts:

Most Read in Countermeasures:
- AJAX: Is your application secure enough? - 120,193 views
- Password Hasher Firefox Extension - 117,847 views
- NDR or Backscatter Spam – How Non Delivery Reports Become a Nuisance - 57,740 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


Exploit Next Generation SQL Fingerprint (ESF) – MS-SQL Server Fingerprinting Tool

Find your website's Achilles' Heel


SQL Server fingerprinting can be a time consuming process. It involves a lot many trial and error methods to fingerprint the exact SQL Server version. Intentionally inserting an invalid input to obtain a typical error message or using certain alphabets that are unique for a certain server are two of the ways to possibly fingerprint a server.

We have featured some other database-fingerprinting tools before such as SQLmap the automated SQL injection tool, which also carries out fingerprinting and the Microsoft SQL Server Fingerprint Tool aimed specifically at MS-SQL installs similar to ESF.

The Exploit Next Generation SQL Fingerprint (ESF) is a powerful tool which performs version fingerprinting for:

  • Microsoft SQL Server 2000;
  • Microsoft SQL Server 2005; and
  • Microsoft SQL Server 2008.

The Exploit Next Generation SQL Fingerprint uses well-known techniques based on several public tools that are capable to identify the Microsoft SQL Server version (such as: SQLping and SQLver), but, instead of showing only the “raw version” (i.e., Microsoft SQL Version 10.00.2746), the Exploit Next Generation SQL Fingerprint shows the mapped Microsoft SQL Server version (i.e., Microsoft SQL 2008 SP1 (CU5)).


The strengths of Exploit Next Generation SQL Fingerprint are:

  • It uses both TCP and UDP protocols to determine the Microsoft SQL Server version, making it much more reliable than any other public or commercial tool.
  • It is capable to identify multiple Microsoft SQL Server instances and their TCP communication ports.
  • It does not require any authentication method to identify the Microsoft SQL Server version.
  • It uses probabilistic algorithm to identify the Microsoft SQL Server version, combining both TCP and UDP fingerprint.

The Exploit Next Generation SQL Fingerprint can also be used to identify vulnerable/unpatched Microsoft SQL Server version, and it is based on some techniques used by Exploit Next Generation Compliance Methodology to perform automated penetration testing.

SQL Server fingerprinting is necessary before performing any kind of penetration testing on database server and if you find its Microsoft SQL Server then this tool will surely help identifying granular level findings to further exploit database.

You can download ESF v1.10 here:

ESF.exe

Or read more here.


Posted in: Database Hacking, Hacking Tools, Windows Hacking

Tags: , , , , , , , , , , , ,

Posted in: Database Hacking, Hacking Tools, Windows Hacking | Add a Comment
Recent in Database Hacking:
- Onapsis Bizploit v1.50 – SAP Penetration Testing Framework
- OAT – Oracle Auditing Tools For Database Security
- ODAT (Oracle Database Attacking Tool) – Test Oracle Database Security

Related Posts:

Most Read in Database Hacking:
- Pangolin – Automatic SQL Injection Tool - 76,884 views
- bsqlbf 1.1 – Blind SQL Injection Tool - 54,480 views
- SQLBrute – SQL Injection Brute Force Tool - 41,257 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


Adobe PDF Reader Rewrite To Include Sandbox Feature

Your website & network are Hackable


A lot of people have complained about the lack of security in Adobe PDF related products and the fact that the very architecture is insecure. There have been a whole spate of PDF related exploits and vulnerabilities lately – some of them being very serious.

It’s good to see Adobe is taking this matter seriously and rather than just issuing patch after patch (firefighting) they are trying to do something fundamentally different with their PDF reader software to fix the root cause.

Now I’m not saying this will solve all the PDF related problems, but it’s good to see them doing a ground up rebuild and implementing safety features like sandboxing.

Adobe has offered more details of the ‘sandbox’ security feature it plans to implement to secure its hugely popular but often-attacked PDF Reader software. First announced last July, the latest description put out by Adobe’s security development team makes clear that Reader’s new ‘protected mode’ will be no mere bolt-on. This is starting to look like a ground-up re-design of how the program operates, almost from scratch.

The new Reader design will see core and risky PDF functions such as font rendering, Javascript execution, 3D rendering and image parsing happen within the confines of the application itself, isolating these from the privileges of the operating system.

This effectively relegates Reader to a new rung of privilege below that if the system user, which stops the application simply accessing key parts of the OS such as the Registry or file system as it likes. Instead all such calls will have to go through a trusted broker process if they want to communicate beyond the sandbox.

It’s a good model though and similar to what Google have done with the Chrome browser.

Separating the ‘dangerous’ parts from the parts that have access to the underlying OS is extremely important, JavaScript execution of course being the main culprit. But other exploits have focused on font and image rendering so they need to be kept away too.


The new design won’t stop exploits targeting Reader but they will limit what can be done from within its confines. At the moment, that is more or less anything the attacker wants, including being able to take over the system.

“The challenge is to enable sandboxing while keeping user workflows functional without turning off features users depend on,” says Adobe’s blog.

As the developers admit, the potential hole in security is always the operating system itself, which can still be compromised, although exploiting such vulnerabilities is as easy as it easy a few years back. Microsoft’s software development lifecycle (SDL) has tightened up code security. The first version sandbox will also not protect against read access to the file system (which allows data theft) or registry, or restricting network access, but future versions will look at this aspect of security.

Adding defence mechanism to specific applications other than browsers is an unusual approach to application design, but Reader’s security troubles have gone beyond that of most applications.

They have a pretty tough challenge on their hands as we know the more security you implement the less usability you have. So they have a precarious balance between retaining features which users require and limiting the amount of damage the software can do to the OS.

But it’s certainly a step in the right direction and as stated above, it certainly wont prevent there being any more exploits in Adobe’s PDF Reader – but it will limit the damage any future exploits can cause.

Source: Network World


Posted in: Countermeasures, Exploits/Vulnerabilities

Tags: , , , , , , , , , , , , ,

Posted in: Countermeasures, Exploits/Vulnerabilities | Add a Comment
Recent in Countermeasures:
- OpenIOC – Sharing Threat Intelligence
- Cuckoo Sandbox – Automated Malware Analysis System
- Fully Integrated Defense Operation (FIDO) – Automated Incident Response

Related Posts:

Most Read in Countermeasures:
- AJAX: Is your application secure enough? - 120,193 views
- Password Hasher Firefox Extension - 117,847 views
- NDR or Backscatter Spam – How Non Delivery Reports Become a Nuisance - 57,740 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


OWASP ZAP – Zed Attack Proxy – Web Application Penetration Testing

Your website & network are Hackable


The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who a new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Features

  • Intercepting proxy
  • Automated scanner
  • Passive scanner
  • Spider

Next Release

The next release of OWASP ZAP, planned for later this year, is expected to include:

  • OWASP rebranding
  • Improvements to the passive and active automated scanners
  • Improvements the Spider
  • The addition a basic port scanner
  • The ability to brute force files and directories (using components from DirBuster)

ZAP is actually a fork from Paros Proxy.

You can download ZAP v1.0 here:

Cross Platform – ZAP_1.0.0b_installation.tar.gz
Windows Installer – ZAP_1.0.0_installer.exe

Or read more here.


Posted in: Hacking Tools, Web Hacking

Tags: , , , , , , , , ,

Posted in: Hacking Tools, Web Hacking | Add a Comment
Recent in Hacking Tools:
- PowerOPS – PowerShell Runspace Portable Post Exploitation Tool
- Shadow Brokers NSA Hack Leaks 0-day Vulnerabilities
- UFONet – Open Redirect DDoS Tool

Related Posts:

Most Read in Hacking Tools:
- Top 15 Security/Hacking Tools & Utilities - 1,986,605 views
- Brutus Password Cracker – Download brutus-aet2.zip AET2 - 1,454,620 views
- wwwhack 1.9 – Download wwwhack19.zip Web Hacking Tool - 683,835 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


Symantec Expands Security Products To Cover Android & iOS

Your website & network are Hackable


Most of the big companies in the modern age of business are moving to the acquisition model rather than developing new technologies, Symantec has made a few purchases in recent years.

Their latest move is to offer security for the hot smartphone platforms Android and iOS, which powers the new iPhone 4 and iPad. The most recent security flaw on Android was due to an exploit in Flash that could be used to compromise the system.

They can move into this area with the expertise from their purchase of VeriSign earlier this year. They already have mobile security support for Symbian, BlackBerry and Windows Mobile.

Symantec is extending its support of smartphone platforms in a bid to make its security and management technology as ubiquitous in the mobile world as it is on the desktop. The security giant announced added support for Android and Apple iOS platforms to its mobile security and management portfolio during the opening of its Symantec Vision conference in Barcelona today. This is in addition to existing support for Windows Mobile, Symbian and BlackBerry smartphones

The technology covers functions such as device security, encryption and authentication. Password policy enforcement, remote wipe and device inventory functions are also included in enterprise versions of the software.

VeriSign Identity Protection (VIP) Access for Mobile, PGP Mobile and Symantec Endpoint Protection Mobile Edition are the three main products in Symantec’s push to sell both enterprises and service providers on its ability to minimise problems such as mobile network misuse, malware proliferation and spam. The enterprise versions of the product are available immediately, with the telecoms carrier versions coming online next quarter. Symantec paid $1.3bn to buy VeriSign in May and intends to make good of this investment with increased sales in mobile technology.

I’d say those users who have security problems on the iOS platform are most commonly those have executed some kind of jailbreak on the device. The most memorable of course being the rickrolling of users, which was shortly followed by a malicious version of the worm.

From what I know though with a correct implementation of BES aren’t BlackBerry users already covered on all these fronts? And as for iOS as long as it hasn’t been jailbroken and it’s using Mail for Exchange I don’t see any danger.

Same goes for Android, as long as it’s not rooted..it should be safe.


The payment by phone concept has been kicking around the IT industry for some years. It’s an appealing idea but many pieces need to fall in place to realise the vision. Handset manufacturers, mobile telcos, payment providers, banks and retailers all need to be on board – quite apart from the security piece, which Symantec is in as good a place as anyone in the security market to supply.

Salem acknowledged the difficulty of the IT industry as a whole to make the e-wallet concept a reality. Symantec’s strategy is to focus on building bilateral relationships, starting with a small number of retailers and payment providers. “There’s not going to be one ID for the internet,” Salem said. “The idea that there will be one authoritative service is far-fetched. It’s not going to happen.”

Symantec also wants to persuade consumers to buy Norton Mobile Security for Android, possibly in extension to existing desktop versions of Symantec’s consumer-focused security software, to tackle the yet-to-emerge threat of malware capable of infecting Android devices. While it’s true that a couple of SMS Trojans infecting Android smartphones have appeared in Russia, the problem is minuscule compared to the hundreds of thousands of strains of Windows-specific worms, Trojan, viruses, rootkits and botnet agents that have been the mainstay of the security threat landscape for many years.

What I really don’t need is another process swallowing up cycles on my 600mhz mobile processor. As the desktop market is pretty saturated I’d expect to see more security companies coming out with solutions for mobile platforms.

The smartphone market is exploding right now so I’m pretty sure bad things will start to happen soon enough.

Source: The Register


Posted in: Countermeasures, Security Software

Tags: , , , , , , , , , , , , , , ,

Posted in: Countermeasures, Security Software | Add a Comment
Recent in Countermeasures:
- OpenIOC – Sharing Threat Intelligence
- Cuckoo Sandbox – Automated Malware Analysis System
- Fully Integrated Defense Operation (FIDO) – Automated Incident Response

Related Posts:

Most Read in Countermeasures:
- AJAX: Is your application secure enough? - 120,193 views
- Password Hasher Firefox Extension - 117,847 views
- NDR or Backscatter Spam – How Non Delivery Reports Become a Nuisance - 57,740 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


Recent in Hacking Tools:
- PowerOPS – PowerShell Runspace Portable Post Exploitation Tool
- Shadow Brokers NSA Hack Leaks 0-day Vulnerabilities
- UFONet – Open Redirect DDoS Tool

Related Posts:

Most Read in Hacking Tools:
- Top 15 Security/Hacking Tools & Utilities - 1,986,605 views
- Brutus Password Cracker – Download brutus-aet2.zip AET2 - 1,454,620 views
- wwwhack 1.9 – Download wwwhack19.zip Web Hacking Tool - 683,835 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


Police In UK & US Charge & Arrest Multiple People Over Zeus Trojan E-banking Fraud

Find your website's Achilles' Heel


Zeus has been around for quite some time, we reported it about it initially back in 2009 when it was noted Zeus could evade anti-virus software.

In more recent months it was noted that Zeus has become more focused and variations of Zeus were found to be targeting banks and financial organisations in specific geographic regions.

The latest news is both in the UK and US charges and arrests have been carried out on people involved in the Zeus ring that has been stealing money. Some reports claim the ring has stolen up to 200 Million USD since 2006, quite a substantial amount. In the UK alone they have netted £6m in the past 3 months and were all caught in the Essex region.

U.S. authorities have charged more than 60 people in connection with the money-stealing Zeus Trojan program, according to the U.S. Department of Justice. The arrests follow a Tuesday U.K. sweep that led to 11 charges against Eastern European citizens thought to be involved in moving stolen funds out of the country.

Zeus has been a major problem for computer users and financial institutions over the past few years. Once installed on the victim’s PC, the malware can be used to log into a victim’s bank account and transfer funds to another account controlled by the criminals. The malicious software is sold in black market forums and there are more than a dozen Zeus gangs in operation worldwide. Security experts say that the gangs have netted more than US$200 million since Zeus was discovered in 2006.

The U.S. arrests involve so-called money mules, people who are paid to set up accounts that receive stolen funds and then move the money out of the country, typically via a wire service such as Western Union. The DOJ has scheduled a press conference in Manhattan on Thursday afternoon to further discuss the arrests.

All the individuals involved seem to be Eastern European/Russian, this is true for both the US and UK arrests – Police charge 11 over Zeus cybercrime scam in UK.

You can see a list of the people still wanted by the FBI here – Wanted by the FBI for Federal Cybercrime Charges.

It’s good to see this kind of fraud being taken seriously as it is damaging to the economy, the banks and the consumers themselves. Even if protected by insurance it’s a long winded and time intensive process to claim back and money lost to fraud.

According to documents seen by IDG News Service, prosecutors have filed a total of 26 complaints. Investigators from the agencies including the U.S. Federal Bureau of Investigation and State Department special agents describe in the complaints an elaborate network used to launder funds stolen by the Zeus malware.

One of the complaints describes in-depth the use of money “mules” in order to facilitate the transfer of funds into criminal accounts. Mules agree to allow funds to be transferred out of victims’ accounts into their own accounts. Those funds are typically quickly withdrawn and wired elsewhere before banks detect the fraud.

But that was a risky job, involving withdrawing cash from the banks either in person or visiting cash machines, both of which would be under video surveillance.

“The mule organization typically recruited mules from Eastern Europe who were either planning to travel to or were already present in the United States on J1 visas,” according to the complaint lodged against three individuals: Artem Semenov, Almira Rakhmatulina and Julia Shpirko.

The J1 visa is a non-immigrant visa granted to people such as students. When those mules arrived in the U.S., they were given fake foreign passports in order to open more bank accounts. Stolen funds were transferred to those accounts in amounts close to $10,000, according to the complaint.

Most of them seem to be operating in the same way, entering the US under student visas then opening bank accounts with fake passports, laundering the money in small amounts so as not to trigger banking alerts (less than $10,000) then keeping a small cut and sending most of the money off to some larger organisation.

More from The Register here – Feds accuse 37 of being Zeus ‘money mules’

I’m guessing there will be a lot of news about this and more details will be exposed in the following weeks.

Source: Network World


Posted in: Legal Issues, Malware, Spammers & Scammers

Tags: , , , , , , , , , , , , , ,

Posted in: Legal Issues, Malware, Spammers & Scammers | Add a Comment
Recent in Legal Issues:
- The Panama Papers Leak – What You Need To Know
- FBI Backed Off Apple In iPhone Cracking Case
- TalkTalk Hack – Breach WAS Serious & Disclosed Bank Details

Related Posts:

Most Read in Legal Issues:
- Class President Hacks School Grades - 80,715 views
- Hospital Hacker GhostExodus Owns Himself – Arrested - 47,651 views
- One Of The World’s Most Prolific Music Piracy Groups Busted - 43,629 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95