Darknet - The Darkside


07 June 2006 | 10,760 views

Graph Analysis of Credit Card Loss


I saw some interesting information recently on a mailing list.

We took one sample of one carding/phishing forum that our Global Surveillance Center was monitoring and sampled the set into a graph that lists the top 10 banks and the losses over the last month. As you can see, it’s obvious who the top credit card companies are out there, but at the same time, we can see an ever increasing on the top targets but not necessarily an increase on the lower tiers over the entire three months, but in the first two we see a significant increase in success with stolen credit cards in general. In this case, the loss that we captured (which probably isn’t nearly the number captured by this forum) was a little over 21,000 credit cards.

[Figure: Credit Card Loss]

This is one group, with 21,000 cards per 3 months (that we know about) and law enforcement estimates about $500.00 per card in average loss. At that rate, in 3 months, one carding group causes $10,500,000.00 in loss. And this carding group is at the low end of the totem pole.

As you can see from the graph, Bank of America is highest on all counts, perhaps they need to think about addressing that? First USA bank and Citibank make up the other 2 of the top 3.

Credit:

Lance James
Secure Science Corporation
http://www.securescience.net



06 June 2006 | 7,601 views

RFID & Biometrics Used At World Cup in Germany

RFID, biometrics, hi-tech police officers: yes, it’s all going to be happening in Germany for the fast-approaching World Cup 2006.

Not surprisingly, security is a top priority for the German government, even higher than its desire to see the national team walk off the pitch with the World Cup 2006 trophy.

The list of security precautions the government is taking is substantial. It begins with the use of RFID (radio frequency identification) technology. More than 3.5 million tickets for the 64 matches will be sold with an embedded RFID chip containing identification information that will be checked against a database as fans pass through entrance gates at all 12 stadiums.

Organizers have asked everyone requesting tickets to provide a wealth of personal data, including name, address, date of birth, nationality and number of ID card or passport. Never before have fans attending an event organized by the Federation Internationale de Football Association (FIFA) been required to provide so much information about themselves that can be accessed so quickly.

Seems like a massive anti-terrorism initiative, but well, all of these things can easily be falsified.

There’s a mammoth security control center containing 120 people watching monitors.

Another special group, the Central Sports Intelligence Unit in Neuss near Dusseldorf, is receiving thousands of tips from authorities in nations competing in the World Cup. Its database includes information on 6,000 hooligans who are already known to police and pose a direct threat.

Many of the security systems and procedures were tested during the Confederation Cup soccer tournament in Germany last year.

More than 30,000 federal police officers will be on duty during the games. Some of them will be equipped with mobile “fast identification” fingerprint devices. Fingerprint data captured by the optical devices will also be matched against data stored in the central database of the German Federal Intelligence Service.

Fast identification fingerprint devices…sounds a bit sci-fi right. Technology is indeed catching up, so the hooligans better watch out. But well, if your fingerprints aren’t in the database they can’t flag you right?

Better wear some ultrathin latex gloves ;)

Source: CSO Online


05 June 2006 | 51,918 views

The Top 10 Most Common Passwords

A pretty interesting article that statistically measured the frequency of passwords by taking an aggregate sample of passwords (primarily from the UK).

Here are listed the most commonly occurring from the sample.

10. ‘thomas’ (0.99%)

First off, at number 10, is the most common format of passwords – the name. Thomas is a perennially popular name in the UK (2nd most popular in 2000), so it is perhaps no surprise that it makes the top 10, with nearly 1 in 1,000 people opting for this ubiquitous forename as their password.

We can only guess that there are a lot of fans of Thomas Jefferson or Thomas Edison out there! The high prevalence of Christian names only further reinforces the fact that loved ones are a common choice when it comes to passwords.

9. ‘arsenal’ (1.11%)

Football teams tend to be another popular choice, and the gunners fall in 9th place. This may or may not be reflective of the fact that the word ‘arsenal’ starts with a 4-letter swear word – another popular choice when it comes to passwords.

Arsenal are ranked 6th overall in average attendance rankings, and are the 2nd most popular football-related password.

8. ‘monkey’ (1.33%)

Quite why the monkey makes it into 8th place is beyond me, but the fact that it’s a 6-letter word (6 letters is a typical minimum length for passwords), is easily typed and is memorable probably helps cement its position as ideal password material.

Still, it’s quite worrying that there’s such a trend – perhaps the internet and monkeys are inextricably linked?

7. ‘charlie’ (1.39%)

Another name – nowhere near as common a name as No. 10, Thomas, but it’s our most popular name-based password overall.

Could, of course, be a homage to a number of famous Charlies – Chaplin, Sheen, or those of a Chocolate Factory persuasion. Or, of course, it could just be the case that they’re referring to its slang usage.

6. ‘qwerty’ (1.41%)

I wonder where the inspiration for this one came from? Perhaps when faced with a blinking cursor and an instruction to choose a password people will tend to look to the things closest to them – which would explain why 1 in 700 people choose ‘qwerty’ as their password.

5. ‘123456’ (1.63%)

Can you count to 6? It’s the most common minimum required length of password – and the 5th most common password.

4. ‘letmein’ (1.76%)

A modern-day version of ‘open sesame’ – and 1 person in 560 will type ‘letmein’ as their password. Quite why is beyond me.

I could be mistaken, but I have a hunch that ‘letmein’ has been featured in a movie or TV series – Fox Mulder’s password from the X Files – ‘trustno1’ – also ranked quite highly.

3. ‘liverpool’ (1.82%)

The most popular football team by some margin, Liverpool was the third most popular password overall. Does this mean that 1 in 550 people is such a devout Liverpool fan that they would be willing to entrust private data to the team they love?

Liverpool ranked 3rd in the average attendance ratings – leaving the 2 most popular teams, Manchester United and Newcastle United, out of the top 10 list – perhaps because they’re too long and difficult to type.

2. ‘password’ (3.780%)

Akin to pressing the ‘any’ key, when told to enter a ‘password’, it would seem that users aren’t the sharpest tool in the box – with almost 1 in 250 people choosing the word ‘password’.

1. ‘123’ (3.784%)

With nearly 4 people in 1,000 opting for a simple numerical sequence as their password (it should be noted that there was no lower length limit specified), ‘123’ must be the first thing a lot of people think of when asked to specify a password. One dreads to think what their PIN number might be!

Source: Modern Life is Rubbish


03 June 2006 | 5,814 views

The MPAA TorrentSpy Hacker – $15,000!

Ah the big boys can’t get in legitimately, so they are starting to use underhand tactics eh?

A lawsuit filed Wednesday accuses the Motion Picture Association of America of hiring a hacker to steal information from a company that the MPAA has accused of helping copyright violators.

The lawsuit, filed in U.S. District Court for the Central District of California by Torrentspy.com parent Valence Media, doesn’t identify the man the company says was approached by an MPAA executive. But the suit calls the man a former associate of one of the plaintiffs and alleges that he was asked to retrieve private information on Torrentspy.com, a search engine that directs people to download links.

Torrentspy’s complaint includes claims that the man whom the MPAA allegedly paid $15,000 to steal e-mail correspondence and trade secrets has admitted his role in the plot and is cooperating with the company.

Torrentspy is taking this really seriously.

Torrentspy alleges in the suit that the man, whom the company refers to as the “informant,” has provided documents that prove the nature of his relationship with the MPAA, including a written agreement signed by the hacker and an MPAA executive, Rothken said.

“We have very significant proof of wrongdoing and the MPAA’s involvement,” Rothken said. “We think it’s ironic for the MPAA to claim that they are protecting the rights of the movie studios and then go out and pirate other people’s property.”

Rothken said that the MPAA also paid the hacker to “gather nonpublic information” about other Torrentspy-related sites. Rothken declined to specify which sites.

Seems like the hacker has had a change of heart too, hopefully Torrentspy kick their monkey asses.

Source: ZDNet


02 June 2006 | 10,892 views

THC Releases Nokia Phone ROM Images

I have to agree with their sentiment, I’m all for open hardware standards.

Even if you don’t open it, people will copy it anyway (See the mass of Cisco knock-offs in China for a fraction of the price with almost exactly the same functions and IOS)

So why not open it, let us play with it.

At least let us know how the hardware we are paying for works.

The following webpage contains ROM images from various mobile phone operating systems. Our intention is to motivate other reverse engineers to take a look at the images and to discover other hidden secrets. Other reasons are that it is said to be hard to extract the ROM. Certainly another reason is that Nokia does not release any technical information about the hardware and I find this rather disappointing. (It’s my strong belief that when I buy hardware I should also be allowed to know what’s in it and how to use it.)

There are ROM images from various models such as NOKIA 6630, NOKIA n70, NOKIA N-GAGE and also from SE the SonyEricsson P900 ROM image.

Mobile Phone ROM Image and Reverse Engineering Invitation


02 June 2006 | 4,855 views

New Spyware Blackmails Users Into Purchasing Software

Ah, this is almost like ransomware again, messing up your machine then extorting money from you.

Make sure you educate your non tech savvy relatives about such threats, spyware, adware, trojans and worm type viruses. Education is THE most powerful defence against malware and computer security incidents.

With some simple patching, free antivirus protection like Avast!, Firefox or Opera as the browser, and a little education, most people will be safe.

A new spyware program that lures computer users by claiming to give free access to pornographic Web content ends up by “blackmailing” them into purchasing a program to clean the infection, a security firm said.

US-based Panda Software said the program called DigiKeyGen generates passwords that supposedly enable users to access pornographic websites.

At the same time, a spyware program and an alleged anti-spyware application are installed on a computer without the users’ knowledge, Panda said.

Ah, the age-old adage of free porn, won’t people learn? There’s no such thing as a free lunch, if it’s too good to be true…IT’S NOT TRUE!

Porn does power the Internet though, that’s another matter entirely..

These guys say basically the same thing.

“You must always be suspicious of offers for something in exchange for almost nothing,” said Luis Corrons, director of Panda Software Labs, noting that the technique is not new.

“Cybercrime, which aims to make easy money, simply applies traditional fraud techniques to the Internet and as a result, anybody tempted by the chance to get something for nothing is taken in, unaware of the risks of apparently harmless actions, such as downloading small programs or accessing certain websites.”

In a separate security warning, Sophos Labs warned Tuesday that a security alert claiming to be from Microsoft is in fact a “trojan” that steals passwords.

It seems to never end.

Source: Yahoo! News


01 June 2006 | 5,302 views

SyScan’06 – The Asian Hackers’ Conference

The Symposium on Security for Asia Network aims to be a very different security conference from the rest of the security conferences that the information security community in Asia has come to be so familiar and frustrated with. SyScan’06 intends to be a non-product, non-vendor biased security conference. It is the aspiration of SyScan’06 to congregate, in Singapore, the best security experts in their various fields, to share their research, discovery and experience with all security enthusiasts in Asia.

SyScan’06 – The Hackers’ Conference, will be held in Singapore from 20th to 21st July 2006. This is the third year running for SyScan.

SyScan 06 Day 1 20th July 2006

8:00 a.m. Registration
8:40 a.m. Welcome Speech – Thomas Lim
8:45 a.m. Marc Maiffret Chief Hacking Officer, eEye – Keynote Speech
9:30 a.m. Paul Craig – Unpacking Malware, Trojans and Worms
10:30 a.m. Coffee and Beer Break
11:00 a.m. Thorsten Holz – Towards Automated Botnet Detection and Mitigation
12:30 p.m. Lunch
1:30 p.m. Enrique Sanchez – I-worm.Fuzzer: A New Propagation Type of Virus
2:30 p.m. Andrew Griffth – Securing Unix/Linux Systems
3:30 p.m. Hendrik Scholz – VoIP Security Issues: Problems on the users side and what are the providers doing wrong?
4:30 p.m. Coffee and Beer Break
5:00 p.m. Barnaby Jack – Exploiting Embedded System
6:00 p.m. Alexander Sotirov – Reverse Engineering Microsoft Binaries
7:00 p.m. End of Day 1

SyScan 06 Day 2 21st July 2006

9:00 a.m. Joachim De Zutter – Feedback Fuzzing
10:00 a.m. Coffee and Beer Break
10:15 a.m. Angelo Rosiello – Writing behind a buffer
11:15 a.m. Andre Protas – Skeleton in Microsoft closet
12:15 p.m. Lunch
1:00 p.m. Nish Bhalla – Binary Analysis, Finding Secret in ISAPIs
2:00 p.m. Marek Bialoglowy – Are You Sure Phone Banking Is Safe?
3:00 p.m. Coffee and Beer Break
3:15 p.m. Fyodor Yarochkin and Meder Kydyraliev – Yet Another Web Application Testing Toolkit
4:15 p.m. Alexander Kornbrust – Oracle Rootkits and Oracle Viruses
5:15 p.m. Coffee and Beer Break
5:30 p.m. Joanna Rutkowska – Subverting Vista Kernel for Fun and Profit
6:30 p.m. Closing Speech and Lucky Draw
7:00 p.m. End of SyScan 06

For more information check here:

http://www.syscan.org/


01 June 2006 | 3,887 views

My SQL2005 Diary – Part 2

So over a month down the line, our SQL2005 upgrade project should now be in the workable prototype stage. But as with all things that “should” be (more security in IE, Great Britain ruling the world and my kitchen being fitted), it’s not, it’s not even close. On top of this our company is currently undergoing some “painful but necessary steps to streamline our profitability in the European market”. In other words, lots of people are about to get the chop. Anyhow, on with the analysis.

SQL Server 2000 -> 2005 upgrade tool.

Overall I’m impressed with the upgrade tool; it made a fine job of upgrading our code and data, with almost everything going straight into 2005. All our DTSs were wiped as expected, and our custom-written security mod was discarded as a “fault” in the 2000 install (not a big deal), but everything else looked fine. Little were we to know a shitstorm was about to start when we released the 2005 run site to a small group of testers. As a constant piece of self-evaluation we allow some users to run their own SQL code; it’s nothing major, just simple “Get this from here” stuff, but it allows us to monitor what users can access, and when we have to change security or file flow we can be sure that normal users cannot access sensitive data. Unfortunately 2005 didn’t have the same notion of security that we do, and decided that encrypted fields that were created using our custom mod weren’t really that important, so it unencrypted them all using our mod (hang on, I thought our mod was a “fault”?) and then removed the permissions, allowing users to get direct access to the data. That’s a bad thing. So we pulled the plug immediately and scrapped the whole server, experiment over.

We learnt a couple of important lessons there, the main one being: don’t trust the update tool. It un-encrypted the data without informing us, and removed permissions without raising an error (although the permissions removal was later found buried in the upgrade log).

Initial impressions

There were some fairly impressive (from an MS point of view) changes to how SQL installs that caught our eye, namely the large number of components and features that were disabled by default. Not least xp_cmdshell, which is generally used to execute external programs or hack into SQL databases. About fucking time too.

If you’re an MSSQL2000 regular you’ll be hoping to just boot up 2005 and have your permissions all working, but unfortunately it’s not that simple. The security model has changed radically, and you’re going to have to work a lot harder to keep things secure, but the means to do so have actually been provided this time. With principals and securables being included this time around, you will have to be a lot more careful, but once you’re in the know you’re a lot more secure. As always the best place to read up on this stuff is the MSDN, particularly this section on the changes between 2000 and 2005.

Enterprise Server Pricing

While I’m harping on about how great MSSQL2005 is, a lot of you are sat there wondering why we’re not using Oracle. Well, the price is the main reason, and I was going to have a detailed breakdown of the difference in costs between MSSQL2005 and Oracle with our current setup. But as a friend of mine quite rightly pointed out, our setup could be radically changed by deploying Oracle, with us maybe needing fewer servers and therefore fewer licenses. So I’ll work on the principle that we’re upgrading to an identical network, but it’s not a 100% accurate comparison.

MSSQL2005 has a fairly simple licensing scheme, with no issues involving DC or HT chips, and a clear definition of what a “user” is and where that user can access the data from. On average a 1 processor license of SQL Server standard will set you back £4500 GBP ($8300 USD), which is a tiny cost for any medium to large company. If you’re a fairly small company you can get a 5 CLT (not too sure what the acronym is, but it’s a Client Access License) for around £600 GBP ($1100 USD). Now for us we would be looking at per processor, and we have 23 processors running SQL2000, with the rest of the boxes using MSDN versions for development. So in total for our entire setup to go 2005 it would cost us £103500 GBP ($192000 USD), which is again a fairly small amount of money for us to spend on replacing our entire database setup.

Now, Oracle. It’s a little bit harder to find out what Oracle charges, and I’m not going to go into the details; you can find all the relevant info on their website if you wish to check what I’ve come up with. I’ve used the price offered by Oracle themselves for a perpetual processor license (£23236 GBP ($42996 USD)), but Oracle’s pricing is per core for their enterprise product, and considering nearly all our servers run on Xeons, we’re looking at a hefty bill. In total we have 43 “Oracle” processors, giving us a total bill of £999148 GBP ($1900000 USD). Yes, that’s almost one million pounds. Again that’s not an enormous amount of money for a company our size, but when you’re comparing the two side by side, you have to wonder where all that extra cost comes from.

For next time

Round 3 will involve us upgrading one of our smaller and less mission critical databases (IT Support) and trying to switch over. Then we can have a bash at breaking it.
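
The main lesson of this post, that the upgrade removed permissions without raising an error, can be turned into a release gate: snapshot the permissions before and after the upgrade, diff them, and refuse to go live if access loosened. This is an added example, not the author's code; the CSV layout and every principal and table name are assumptions, and both snapshots are constructed.

```python
import csv
import io

# Constructed sample snapshots (not real data). Assumed layout, one row per
# permission entry: principal,object,permission,state (state = GRANT or DENY).
# All principal and table names below are hypothetical.
BEFORE_UPGRADE = """\
principal,object,permission,state
report_users,dbo.Orders,SELECT,GRANT
report_users,dbo.CardData,SELECT,DENY
public,dbo.CardData,SELECT,DENY
app_service,dbo.CardData,SELECT,GRANT
old_batch,dbo.Orders,INSERT,GRANT
"""

AFTER_UPGRADE = """\
principal,object,permission,state
report_users,dbo.Orders,SELECT,GRANT
report_users,dbo.CardData,SELECT,GRANT
app_service,dbo.CardData,SELECT,GRANT
"""


def load_snapshot(text):
    """Parse a CSV snapshot into {(principal, object, permission): state}."""
    snapshot = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["principal"].strip().lower(),
               row["object"].strip().lower(),
               row["permission"].strip().upper())
        snapshot[key] = row["state"].strip().upper()
    return snapshot


def classify(old, new):
    """Rate one change; old/new are 'GRANT', 'DENY' or None (no entry)."""
    if old == "DENY" and new != "DENY":
        return "HIGH"   # an explicit block disappeared
    if new == "GRANT" and old != "GRANT":
        return "HIGH"   # access that did not exist before the upgrade
    return "INFO"       # tightened or dropped grant: may break apps, exposes nothing


def diff_permissions(before, after):
    """Return sorted (severity, principal, object, permission, old, new) tuples."""
    findings = []
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key), after.get(key)
        if old != new:
            findings.append((classify(old, new), *key, old, new))
    return findings


def upgrade_is_safe(findings):
    """Gate for the rollout: no change may loosen access."""
    return not any(f[0] == "HIGH" for f in findings)


if __name__ == "__main__":
    results = diff_permissions(load_snapshot(BEFORE_UPGRADE),
                               load_snapshot(AFTER_UPGRADE))
    for severity, principal, obj, perm, old, new in results:
        print(f"{severity:4} {principal} {perm} on {obj}: {old} -> {new}")
    print("safe to release:", upgrade_is_safe(results))
```

Run against the two sample snapshots, the dropped DENY for public and the DENY that became a GRANT for report_users are both rated HIGH, so the gate fails before any tester sees the server.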


31 May 2006 | 3,582 views

Without OneCare in the World.

Today sees the launch of “OneCare”, Microsoft’s “security solution”. Combining firewall, anti-virus and anti-spyware into one handy package…. but would you trust it?

I guess many people will, and over time we will find out if it’s a well spent $49.99 or not, but for me? I don’t think so. Microsoft do many things, but I think if you ask anyone they will say the same thing: Microsoft don’t really do security.

Microsoft have had a firewall in XP for some time now, and the malicious software removal tool has been on Windows Update as well. I turn off the firewall, and the remover doesn’t really seem to do anything. Now maybe I am being unfair, but do you dare to use OneCare?

The last part of OneCare is the AV. Now MS must know a thing or two about viruses, and who knows the OS better than them, but still, at the end of the day Microsoft has been the main victim of virus attacks for years; why now are they trying to combat the problem?

It seems to me that basically, no matter how good or bad OneCare actually is, Microsoft have an uphill fight against their already poor security record. I don’t think I would trust them to keep my important data safe, or my network free from nasties. I just won’t, and I suspect a lot of other people will feel the same.

In the corporate sector, where most software is paid for, other names are well established and, well, who wants to say to their boss “I thought we were protected, I installed Microsoft…..”? The laughing would echo down the halls. So, for the home, with many free and perfectly good AV out there (http://www.avast.com/), why would home users pay?

All I can think of is that this is just a Microsoft way to expand a little, not to mention I bet it doesn’t install unless you have a “valid” Windows key, the new way to force you to give more money to MS, like they need it?


31 May 2006 | 6,397 views

Barclays Rolls Out Free Anti-Virus Protection for Customers

The shocking statistic first: “56% of consumers do not have active anti-virus on their PCs”. OK, not that shocking, but still a bit worrying. Although asking if your average user doesn’t protect themselves on the internet conjures up images of the Pope squatting in the woods.

The basic F-Secure anti-virus product protects against viruses and spyware. When installed it scans a machine and alerts users if it finds malicious programs installed.

A spokesman for Barclays denied that the deal was a way to limit its liabilities if customers were defrauded.

“We have a guarantee that if anyone is defrauded through no fault of their own we guarantee their money is safe,” he said.

“We’re trying to stop fraud happening in the first place which is beneficial to them and us,” he added.

Barclays is the latest bank to try to stop customers falling victim to viruses or other computer-borne scams.

So Barclays bank have leapt into action and decided it’s time to act on it, 4 years after their online service was activated. They’re giving all their online customers free AV protection, provided by F-Secure. Barclays have bought 1.6 million licenses (I wonder what per unit price they got on that?) and the software will include 2 years’ free updates. What happens after that? Probably 56% of their customers will be unprotected again.

Source: BBC News