Darknet - The Darkside

Don`t Learn to HACK - Hack to LEARN. That`s our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on Twitter, Facebook or RSS for the latest updates.

19 May 2006 | 13,504 views

The RFID Hackers Revealed – Real RFID Hacking

Check For Vulnerabilities with Acunetix

This a very interesting read, the tale of an RFID hacker.

I was always sceptical about RFID I have to say, when everything is tagged, criminals can just drive by your house and scan everything, see what TV you have, which DVD player, how many high value electrical goods, and choose which houses they want to burgle.

The governments can install RFID readers in lamposts everywhere to track your movements from the RFID tags in the underpants you just bought..

Am I being paranoid?

James Van Bokkelen is about to be robbed. A wealthy software entrepreneur, Van Bokkelen will be the latest victim of some punk with a laptop. But this won’t be an email scam or bank account hack. A skinny 23-year-old named Jonathan Westhues plans to use a cheap, homemade USB device to swipe the office key out of Van Bokkelen’s back pocket.

“I just need to bump into James and get my hand within a few inches of him,” Westhues says. We’re shivering in the early spring air outside the offices of Sandstorm, the Internet security company Van Bokkelen runs north of Boston. As Van Bokkelen approaches from the parking lot, Westhues brushes past him. A coil of copper wire flashes briefly in Westhues’ palm, then disappears.

The guy can clone the signal, then reverse it and play it back to the card reader in your office, bingo, he just broke in without raising any alarms.

Van Bokkelen enters the building, and Westhues returns to me. “Let’s see if I’ve got his keys,” he says, meaning the signal from Van Bokkelen’s smartcard badge. The card contains an RFID sensor chip, which emits a short burst of radio waves when activated by the reader next to Sandstorm’s door. If the signal translates into an authorized ID number, the door unlocks.

The coil in Westhues’ hand is the antenna for the wallet-sized device he calls a cloner, which is currently shoved up his sleeve. The cloner can elicit, record, and mimic signals from smartcard RFID chips. Westhues takes out the device and, using a USB cable, connects it to his laptop and downloads the data from Van Bokkelen’s card for processing. Then, satisfied that he has retrieved the code, Westhues switches the cloner from Record mode to Emit. We head to the locked door.

Source: Wired



18 May 2006 | 11,175 views

Sprajax – An Open Source AJAX Security Scanner

Denim Group Ltd. announced today the public release of Sprajax, an open source web application security scanner developed to assess the security of AJAX-enabled web applications.

Sprajax is the first web security scanner developed specifically to scan AJAX web applications for security vulnerabilities. Denim Group, an IT consultancy specializing in web application security, recognized that there were no tools available on the market able to scan AJAX. AJAX allows web-based applications a higher degree of user-interactivity, a feature with growing popularity among developers.

You can download Sprajax here.

As AJAX becomes more popular with developers, the security of AJAX-enabled web applications will be a growing concern,” says Dan Cornell, Principal at Denim Group.”Sprajax is a great tool for application security maintenance, and its availability as an open source application places it within reach for organizations of all sizes.”

While expert security scans are more thorough and usually recommended, internal developers and security auditors can use this software to produce an initial vulnerability assessment. This can be invaluable, especially in the wake of government regulations regarding web application security. Organizations must take steps to protect sensitive data in public facing applications, and an assessment using a tool like Sprajax could be the first step

Sprajax homepage.

We have written about the danger of AJAX security her.

Digg This Article


18 May 2006 | 12,251 views

Caller ID Spoofing is Still Easy- FCC Investigates

The FCC wants to clamp down on Caller ID spoofing it seems.

If you’ve ever used one of the half-dozen websites that allow you to control the phone number that appears on someone’s Caller ID display when you phone them, the U.S. government would like to know who you are.

Last week the FCC opened an investigation into the caller-ID spoofing sites — services that began popping up late 2004, and have since become a useful tool for private investigators, pranksters and more than a few fraud artists.

One of the example services that received the 7 page FCC report is called Telespoof.

On their website it says..

Telespoof.com offers the first domestic and international Caller ID spoofing service, allowing business professionals to remain anonymous when calling from anywhere in the world, to anywhere in the world. We like to think of it as “mobile invisibility”, the highest quality Caller spoofing service available anywhere in the world.

Another example is Spoofcard.com that sells a virtual ‘calling card’ for $10 that provides 60 minutes of talk time. The user dials a toll-free number, then keys in the destination number and the Caller ID number to display. The service also provides optional voice scrambling, to make the caller sound like someone of the opposite sex.

USA Today also reported on how Caller ID spoofing has become easier, saying..

Tim Murphy’s office started getting phone calls from constituents who complained about receiving recorded phone messages that bad-mouthed Murphy. The constituents were especially upset that the messages appeared to come from the congressman’s own office. At least, that’s what Caller ID said.

So if you have used one of these services for whatever reason, the federal government is interested in YOU..

The FCC is demanding business records from both companies, as well as the name of every customer that has used TeleSpoof, the date they used it and the number of phone calls they made.

Dated February 24th, the FCC letter gives TeleSpoof 20 calendar days to respond.

Source: Wired


17 May 2006 | 5,397 views

No Your Car CANNOT get a Bluetooth Virus

It’s gone round and round and round, now cars have Bluetooth, that they can get viruses like Cabir, I’m sorry but if an Anti-virus company like F-Secure can’t infect a car with a virus, I don’t have much hope for the others. The rumours came from a Lexus story in SCMagazine (The story is no longer there, and I don’t have a mirror sadly).

So we got a Toyota Prius to test out the myth. Credit has to be given to Toyota for trusting their systems enough to actually lend the car for us for such testing. According to Toyota, this Prius model had identical in-car Bluetooth systems with the Lexus models, so it was suitable for our tests. This Bluetooth functionality is intended to, for example, transfer the phone book from the car owners mobile phone to the built-in phone of the car.

Source: F-Secure

And to be honest, those that benefit from this viral FUD is the anti-virus companies right? So when an anti-virus company comes out and says that it’s not possible, you know it’s not even a vague threat, as if it was, they would come out with some new super car anti-virus protection version 2006.

After fixing the battery problem, we continued tests and Toyota Prius performed admirably. We managed to find one minor issue with the system (a corrupted phone name would freeze the on-board display), but otherwise the Prius Bluetooth system was far more stable than our test phones and PCs. We had to reboot our test systems several times as their Bluetooth systems died on us, while Toyota Prius just kept going.

Seems pretty solid right?

Reuters decided to reinstate the FUD for some reason, pay-off from an AV firm maybe?

Here’s a new excuse for not getting to work on time on a Monday morning: My car caught a virus.

Car industry officials and analysts say hackers’ growing interest in writing viruses for wireless devices puts auto computer systems at risk of infection.

Source: MSN

Not that an anti-virus firm would have anything to gain from spreading such rumours right?

As carmakers turn to computer security, a lucrative market could open for antivirus firms, which have been touting cell phone security for years without notable success. “People will not use the protection before there are several big epidemics. After that they will understand that it is dangerous to use phones to get online, that you need to be protected,” Kaspersky said.

Next up, Kaspersky Car Edition?


17 May 2006 | 5,306 views

Source Code & Software Security Analysis with BogoSec

Bogosec is essentially a tool for finding security vulnerabilities in source code.

BogoSec aims to increase awareness regarding code security vulnerabilities, while encouraging developers to produce more secure code over time. By simplifying the code scanning process, BogoSec achieves a goal of allowing developers to scan their code regularly and more effectively.

BogoSec is a source code metric tool that wraps multiple source code scanners, invokes them on its target code, and produces a final score that approximates the security quality of the code. This article discusses the BogoSec methodology and implementation, and illustrates the output of BogoSec when run on a number of test cases, including Apache Web server, OpenSSH, Sendmail, Perl, and others.

Bogosec seems to use:

  • Flawfinder
  • ITS4
  • RATS

The CERT Coordination Center (CERT/CC) reported 5,990 vulnerabilities in 2005 compared with 171 in 1995. Many software security vulnerabilities occur because of poor programming practices. Some vulnerabilities are algorithmically detectable by static source code scanners designed for identifying potential security issues. As the number and severity of potential security holes per line of code increase, it is reasonable to believe that the overall quality of the source code in terms of security decreases. BogoSec metrics are computed values that attempt to reflect relative ratings of source code security quality for comparative purposes.

The motivation behind BogoSec is to influence developers to produce more secure source code over time. Various scanners exist that point developers to potentially insecure sections of code, but developers are often reluctant to use such scanners because of a seemingly high degree of false positive output as well as the difficulties associated with use. BogoSec attempts to reduce the penalty of false positives while broadening the scope of the source scan by using multiple independent scanners. This produces high-level metrics that allow developers and users alike to comparatively judge the quality of the source code in terms of security.

You can download the full 23 page article here (PDF Warning).

You can find the BogoSec project here.


16 May 2006 | 39,064 views

Anonymity – Hiding Your Identity in 2006

Introduction

Anonymity is derived from the greek word ἀνωνυμία (anonymia), meaning without a name or name-less. In colloquial use, the term typically refers to a person, and often means that the Ppersonal identity, or personally identifiable information of that person is not known.

The main question is of course, what are you trying to hide? Closely following that is how important is it?

The precautions you take have to weigh up to the value of the data you are trying to protect, in this case, you are trying to protect your anonymity.

In the recent years privacy and anonymity have become big issues with CCTV cameras everywhere, and projects like Echelon reading all your e-mails and reporting back to the Orwellian ‘Big Brother’.

So just for normal surfing, or if you are planning on hacking a foreign governments personnel database (not that we recommend that of course), you need to protect yourself in different ways.

Remember Anonymity is not an absolute, there are varying degrees.

The Myths

Using a proxy I found on the web in my browser is enough.

People have been using proxies for years, normally open proxies found from scanning large IP ranges on the internet, what you have to think though, is this proxy open for a purpose? Is this purpose to listen to what you are doing? To collect your passwords?

Also it’s not infallible, remember the traffic has to go from your computer to the proxy, and come back in, those records can be corelated in your country alone and need to external aid.

Plus the proxy may keep records of who access what and when, it make be a honeypot and keep full packet logs of all completed TCP/IP sessions.

The problem is you just don’t know.

If I chain proxies no one can find me.

Also not true, it doesn’t matter if you cross through Taiwan, Korea, Russia and Iraq, your ISP just needs to see the packets going out and coming in at the right times to your machine from the last proxy hop in your chain.

The Reality

It can be said, pretty much whole heartedly, there is no such thing as real anonymity online, if you do something bad enough, the people in power can find you.

IP Spoofing is misunderstood in 9/10 cases and is no protection against anything (I’ll write an article about this later).

And web proxies, as above, offer little or no protection. They are good enough if you just want to stop your school/parents/office from tracking your surfing habits, but they won’t protect you from doing time if you commit a federal crime.

There are a whole bunch of proxies to surf at school or work in this post.

The next best thing from this is Onion Routing, the common peer to peer implementation known as Tor.

Onion Routing prevents the transport medium from knowing who is communicating with whom — the network knows only that communication is taking place. In addition, the content of the communication is hidden from eavesdroppers up to the point where the traffic leaves the OR network.

Source: Onion Router

Tor is a toolset for a wide range of organizations and people that want to improve their safety and security on the Internet. Using Tor can help you anonymize web browsing and publishing, instant messaging, IRC, SSH, and other applications that use the TCP protocol. Tor also provides a platform on which software developers can build new applications with built-in anonymity, safety, and privacy features.

You can read more at the Tor site.

Getting Tored Up

For most people Tor is enough, I recommend getting the Tor Bundle, which includes Tor, TorCP and Privoxy.

All you need to do is set your applications to use a proxy, host is localhost and port is 8118.

Instructions with screenshots are here.

Then you’re done, it works for most applications.

Just remember though it’s encrypted from your machine to the end point, not from the end point to wherever it’s going, so that Tor node can see whatever traffic you are sending through Tor..

So make sure you encrypt (POPS, SMTP with TLS etc).

An example is here.

We at the h07 unix research team recognized that people paranoid enough to use tor are still dumb enough to use plaintext-authentication protocols like pop3 and telnet.

They might think it’s “secure because tor encrypts it”. This isn’t the case.

it’s encrypted, but …… communication from client to entry node and exit node to server will still remain as is. POP3, telnet and others will still be plain-text and thus subject to sniffing.

So please, always be REALLY careful :)

True Anonymity?

Still the best way is switching your MAC address and jacking an open Wireless Network, which ethics experts say is ok.

It may not be totally legal, but it’s pretty much bulletproof (Unless of course you get caught in a car parking jacking off to porn downloaded from an open Wireless Access Point).

When you do this, you should make sure you are using an anonymous operating system, so what better than a bootable distro especially for this purpose, called Anonym-OS

You can check it out here.

kaos.theory’s Anonym.OS LiveCD is a bootable live cd based on OpenBSD that provides a hardened operating environment whereby all ingress traffic is denied and all egress traffic is automatically and transparently encrypted and/or anonymized.

Simple Checks

The easiest thing you can do to test your anonymity is to go to WhatismyIP.com and see if the IP showing up is yours or not.

After that you can check out services like:

AuditmyPC Privacy & Spyware Check

BrowserSpy

And then there are various proxy tests:

Proxy Test and Proxy Checker.

Here you can see if your setup is leaking any info.

Good luck, and stay secure :)

Digg This Article


16 May 2006 | 7,489 views

Browser Security Test – Check Your Browser NOW!

I know this is old, but a lot of people still don’t know about it.

It can test for up to date Mozilla, Opera and Internet Explorer flaws, exploits and vulnerabilities.

Browser vulnerabilities are a serious issue now.

You can see which vulnerabilities they test for here and the statistics of the tests results here.

Total tests finished: 739828
Tests that found high risk vulnerabilities: 219614
Tests that found only medium or low risk vulnerabilities: 82803
Tests that found only low risk vulnerabilities: 9493
Tests that found no vulnerabilities: 427918

The FAQ is here.

Check Your Browser Security Now


15 May 2006 | 3,407 views

Microsoft Patching Practises Come Under Fire

Aye…it’s not the first time.

The question came up, is Microsoft silently fixing security vulnerabilities and deliberately obfuscating details about patches in its monthly security bulletins?

Matthew Murphy, a security researcher who has worked closely with the MSRC (Microsoft Security Response Center) in the past, is accusing the software maker of ‘misleading’ customers by not clearly spelling out exactly what is being patched in the MS06-015 bulletin released on April 11.

That bulletin, rated “critical,” contained patches for a remote code execution hole in Windows Explorer, the embedded file manager that lets Windows users view and manage drives, folders and files.

However, as Murphy found out when scouring through the fine print in the bulletin, the update also addressed what Microsoft described as a “publicly disclosed variation” of a flaw that was reported in May 2004 (CVE-2004-2289.)

In an entry posted to the SecuriTeam blog, Murphy noted that the vulnerability that is documented was privately reported, but the “variation” that was also patched has been publicly known for 700+ days.

What’s the thoughts about this one?

He posted in depth about this in the Full Disclosure list. Interesting reading.

Source: eWeek


15 May 2006 | 7,636 views

OSSEC HIDS – Open Source Host-based Intrusion System

OSSEC HIDS is an Open Source Host-based Intrusion Detection System. It performs log analysis, integrity checking, rootkit detection, time-based alerting and active response.

It runs on most operating systems, including Linux, OpenBSD, FreeBSD, Solaris and Windows.

This is the first version offering native support for Windows (XP/2000/2003). It includes as well a new set of log analysis rules for sendmail, web logs (Apache and IIS), IDSs and Windows authentication events.

The correlation rules for squid, mail logs, firewall events and authentication systems have been improved, now detecting scans, worms and internal attacks.

The active-responses were also refined, with support to IPFW (FreeBSD) added.

The installation process was re-organized, now including simpler configuration options and
translation on 6 different languages (English, Portuguese, German, Turkish, Polish and Italian).

You can download the Unix and Windows versions here.

Read more Here.

The full changelog is here.


14 May 2006 | 5,127 views

Open Source Blamed for Rootkits?

This is the biggest load of shite I’ve read this year I think.

Rootkits are becoming more prevalent and difficult to detect, and security vendor McAfee says the blame falls squarely on the open source community.

In its “Rootkits” report being published today, McAfee says the number of rootkits it has collected as malware samples has jumped ninefold this quarter compared with the same quarter a year ago. Almost all the rootkits McAfee has identified are intended to hide other code (such as spyware or bots) or conceal processes running in Windows systems.

“The predominant reason for the growth in use of stealthy code is because of sites like Rootkit.com,” says Stuart McClure, senior vice president of global threats at McAfee

Excuse me?!

Rootkit.com’s 41,533 members do post rootkit source code anonymously, then discuss and share the open source code. But it’s naive to say the Web site exists for malicious purposes, contends Greg Hoglund, CEO of security firm HBGary and operator of Rootkit.

“It’s there to educate people,” says Hoglund, who’s also the co-author with James Butler of the book Rootkits: Subverting the Windows Kernel. “The site is devoted to the discussion of rootkits. It’s a great resource for anti-virus companies and others. Without it, they’d be far behind in their understanding of rootkits.”

It’s definitely there for education purposes, the Rootkits book is very informative. Sadly this is the same old discussion again and again, non-disclosure vs full-disclosure. Those who really understand the process want to share the information as soon as possible to aid prevention techniques and to promote understanding, not hiding behind ignorance and implementing security through obscurity.

Those pimping anti-virus software, anti-exploit and whatever obviously want to fuel the FUD that opensource software and sharing of knowledge actually exacerbate the problem.

It seems Trend actually understands the issue, unlike McAfee the corporate bitch.

Anti-virus vendor Trend Micro says the Rootkit Web site cuts both ways.

“We need those open source people,” says David Perry, global director of education at Trend Micro. “They uncover things. It’s a laboratory of computer science. They demand the intellectual right to discuss this.”

What more can we say..

Source: Network World