Darknet - The Darkside

Don`t Learn to HACK - Hack to LEARN. That`s our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on Twitter, Facebook or RSS for the latest updates.

23 May 2006 | 3,418 views

Ohio University Compromised for Over a Year!

Check For Vulnerabilities with Acunetix

A year? A whole year? A few days I can take, but surely if an Admin doesn’t know what’s going with his machines for a year….compromised for a year, there is something wrong.

An unprecedented string of electronic intrusions has prompted Ohio University to place at least one technician on paid administrative leave and begin a sweeping reorganization of the university’s computer services department.

Bill Sams, Ohio University’s chief information officer, said he initiated the reorganization on Friday. The Athens, Ohio-based university is reacting to recent discoveries that data thieves compromised at least three campus computer servers.

In a disclosure that hasn’t been widely reported, one of the compromised servers, which held Social Security numbers belonging to 137,000 people, was penetrated by U.S. and overseas-based hackers for at least a year and possibly much longer, Sams said in a phone interview Sunday with CNET News.com.

Pretty bad right? Universities should be on high alert after the previous incidents..

At least one security expert was astonished that a compromise could go undetected for so long.

“That’s unbelievable,” said Avivah Litan, security analyst with research firm Gartner. “I have never heard of that much of a delay. Why would it take a year to discover this? It doesn’t make any sense.”

What’s also alarming to Litan is that a year-long compromise could go undetected at a time when universities should be operating on high alert. Over the past year, numerous media reports have chronicled security breaches at such schools as Notre Dame, Purdue and Georgetown universities.

It is a problem for universities though, they usually have budgets problems and have to make do with Open Source solutions (which is fine if you have skilled people), setup by untrained people, who learn on the fly.

Then they have underpaid, overworked sys-admins, what do they expect? Plus it’s an educational facility, so they have to keep the knowledge free.

Pretty tough situation.

Ohio got screwed this time though, and it got out into the public domain.

The culprits who broke into the other two servers made off with health records belonging to students treated at the university’s health center, as well as Social Security numbers of an additional 60,000 people.

“We had a failure of both policies and procedures,” Sams said. Asked why, when so many schools were succumbing to computer attacks, Ohio University wasn’t quicker to order a security audit, Sams replied: “Should we have? Yes. Did we? No.”

Let’s hope the others learn some lessons.

Source: News.com



23 May 2006 | 3,374 views

Trojan for the Word Vulnerability in the Wild

We all knew it was just a matter of time until the ‘thing’ was out.

PandaLabs has detected the appearance of 1Table.A, a malicious code that exploits a recently detected critical vulnerability in Microsoft Word, and which also affects versions of MS Office 2003 and XP.

Microsoft confirmed today the existence of this vulnerability and apparently is working on a hotfix.

This security problem allows the execution of code on affected systems and, more dangerously, allows the construction of malicious code which is indistinguishable at first glance from a normal Word file.

That’s more than enough to get 70%* of the people who use Microsoft Office to download and execute the file. If they open .BAT, .COM and .EXE, opening a .DOC is everyday work.

This attack is not limited to .DOC files, still, they will be the most used extension. It can take place with a .XLS file with an embedded Word document.

1Table.A – the new trojan – is detected by most of the antivirus software, however, user’s should have they’r eyes open until patch is released by Microsoft (even if they don’t consider it critical)

Source: NHS

* 80% of the statistics are made on the spot!

Digg This Article


22 May 2006 | 6,415 views

PBNJ 1.14 Released – Diff Your Nmap Results

PBNJ is a network tool that can be used to give an overview of an machine or multiple machines by identifying the details about the services running on them. PBNJ is different from other tools because it is based on using a scan from nmap parsed to amap. PBNJ parses the data from a scan and outputs to a CSV format file for each ip address scanned.

However, PBNJ is able to handle additional scans and parse the data while only looking for changes. For example, if a machine was updated with a newer version of OpenSSH than was running when the first scan was performed, the CSV file would contain the difference of the scan. Very useful for vulnerability assessment and penetration testing.

It is included in Backtrack http://www.remote-exploit.org/index.php/BackTrack

Depending on what you need, PBNJ can do various things. It is able to give a layout of a class network. It can also be run as an automated scanning tool parsing the data to CSV format files and growing an in-depth view of a network over time.

CHANGLOG for 1.14
—————-
* fixed bug that crashed PBNJ after scanning a machine with no ports open
* fixed –nodiff banner bug
* Added –delim option to allow custom delimination
–delim [ default set to comma ]
* quick install script for ubuntu and linux systems
* Makefile.PL setup which will install pbnj properly

Version 2.0 will be released sometime in August.

You can find PBNJ Here.


22 May 2006 | 6,813 views

The Ultimate Net Monitoring Tool – Semantic Traffic Analyzer

Packet sniffing goes hi-tech? What’s wrong with ethereal?

The equipment that technician Mark Klein learned was installed in the National Security Agency’s “secret room” inside AT&T’s San Francisco switching office isn’t some sinister Big Brother box designed solely to help governments eavesdrop on citizens’ internet communications.

Rather, it’s a powerful commercial network-analysis product with all sorts of valuable uses for network operators. It just happens to be capable of doing things that make it one of the best internet spy tools around.

I guess the difference is, this one is designed to sit on 10Gbps pipes, and monitor traffic in real time, that is pretty impressive, if it can do 100% throughput..

Narus’ product, the Semantic Traffic Analyzer, is a software application that runs on standard IBM or Dell servers using the Linux operating system. It’s renowned within certain circles for its ability to inspect traffic in real time on high-bandwidth pipes, identifying packets of interest as they race by at up to 10 Gbps.

Internet companies can install the analyzers at every entrance and exit point of their networks, at their “cores” or centers, or both. The analyzers communicate with centralized “logic servers” running specialized applications. The combination can keep track of, analyze and record nearly every form of internet communication, whether e-mail, instant message, video streams or VOIP phone calls that cross the network

VeriSign is also using it, so are many others.

Just remember, they are watching us.

That legal eavesdropping application was launched in February 2005, well after whistle-blower Klein allegedly learned that AT&T was installing Narus boxes in secure, NSA-controlled rooms in switching centers around the country. But that doesn’t mean the government couldn’t write its own code to do the dirty work. Narus even offers software-development kits to customers.

Source: Wired


21 May 2006 | 7,724 views

What Next? The Poker Rootkit of Course!

Ok so the list gets even BIGGER, after the WoW Trojan, Trojan for World Cup Fans, Ransomeware and the buy a spyware kit story

Now we proudly present, the Poker Rootkit!

For online poker players, this was always going to be a losing hand.

A Trojan with malicious rootkit features hidden in a legitimate software package distributed by online gaming tools vendor Check Raised has the ability to hijack log-in information for multiple online poker Web sites, according to a warning from Finnish security vendor F-Secure.

The spying Trojan, identified as Backdoor.Win32.Small.la, was built into a Rakeback calculator application (RBCalc.exe) distributed by Check Raised to help online poker players keep track of scaled commission fees taken by the Web site operator.

Pretty clever stuff.

When the spying component is initialized, it starts a keystroke logger and connects to a remote server that is programmed to send instructions to the infected machines. The instructions range from the downloading of executable files, the uploading of stolen information, the shutdown of the Trojan and the ability to send application screenshots.

The backdoor also sends out sensitive information to remote servers, including keylogger database, computer name, and the username and password of several online poker programs.

What I thought was really clever was the way in which the application took money from users, it’s not direct, it’s very smart in fact!

An anti-virus company says the rootkit is particularly malicious because the hacker could take a victim’s money without making it look stolen — by using the passwords to log on to a poker site, then playing very badly against players controlled by the hacker. The victims are then left with little recourse, since it looks like they just lost their money during normal play.

Smart stuff.

Source: eWeek


20 May 2006 | 14,851 views

The Biggest Web Defacement Ever

A Turkish hacker using the handle iSKORPiTX was able to breach the security of a group of web servers, containing more than 38.500 web sites in less than a day!

Iskorpitx is believed to be 45 years old, sometimes being helped for minor defacement activities by another Turkish “senior cracker” (42) going by the handle of Metlak .

Apparently he doesn’t like a couple of countries:

“HACKED BY iSKORPiTX

(TURKISH HACKER)

FUCKED ARMANIAN-FUCKED FRANCE-FUCKED GREECE-FUCKED PKK TERROR

iscorpitx, marque du monde, presente ses salutations tout le monde. “

Defacement mirror – example

I gotta say:

Script kiddie hack or not, a defacement will always be a ‘cool’ hack to do.

Zone-H is keeping everyone posted of his actions and has compiled a full list of the 21.549 sites he was able to deface.

You can also keep updated with iSKORPiTX latest actions here.

Of all the sites iSKORPiTX was able to hack, 95% of them were using Windows (big part of those same sites, Windows 2003) and running IIS 6. New exploit?

No doubt, the biggest hack ever.

Source: Zone-H


19 May 2006 | 10,438 views

Paros Proxy 3.2.12 Released – MITM HTTP and HTTPS Proxy

Paros 3.2.12 is released. This version is a maintenance release which fix a potental 100% cpu consumption issue. All users are recommended to upgrade to this version.

The changes are:

- Use newest external library for HTTP handling.

- Enable/disable spider to POST forms in options panel to avoid generating unwanted traffic (default to enable). This is requested by many users.

- Decrease the number of possible combinations crawled by spider on forms with multiple SELECT/OPTIONS. This make crawling less resource consuming and lower chance to affect application being scanned.

- Minor UI changes.

Paros labels itself as MITM Proxy + Spider + Scanner plus anything else you want it to be, it is a pretty neat piece of software.

It’s particularly useful for testing web applications and things such as insecure sessions.

Paros is free of charge and completely written in Java. Through Paros’s proxy nature, all HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified.

These proxies have a different purpose than those personal type proxies like Proxomitron which are intended to protect you, clean adverts, block spyware and so on. Proxies like Paros and Burp are meant for examining the security of applications and web application auditing.

You do need Java Run Time Enviroment (JRE) 1.4 (or above) to install Paros.

You can download the latest version of Paros Here.


19 May 2006 | 13,509 views

The RFID Hackers Revealed – Real RFID Hacking

This a very interesting read, the tale of an RFID hacker.

I was always sceptical about RFID I have to say, when everything is tagged, criminals can just drive by your house and scan everything, see what TV you have, which DVD player, how many high value electrical goods, and choose which houses they want to burgle.

The governments can install RFID readers in lamposts everywhere to track your movements from the RFID tags in the underpants you just bought..

Am I being paranoid?

James Van Bokkelen is about to be robbed. A wealthy software entrepreneur, Van Bokkelen will be the latest victim of some punk with a laptop. But this won’t be an email scam or bank account hack. A skinny 23-year-old named Jonathan Westhues plans to use a cheap, homemade USB device to swipe the office key out of Van Bokkelen’s back pocket.

“I just need to bump into James and get my hand within a few inches of him,” Westhues says. We’re shivering in the early spring air outside the offices of Sandstorm, the Internet security company Van Bokkelen runs north of Boston. As Van Bokkelen approaches from the parking lot, Westhues brushes past him. A coil of copper wire flashes briefly in Westhues’ palm, then disappears.

The guy can clone the signal, then reverse it and play it back to the card reader in your office, bingo, he just broke in without raising any alarms.

Van Bokkelen enters the building, and Westhues returns to me. “Let’s see if I’ve got his keys,” he says, meaning the signal from Van Bokkelen’s smartcard badge. The card contains an RFID sensor chip, which emits a short burst of radio waves when activated by the reader next to Sandstorm’s door. If the signal translates into an authorized ID number, the door unlocks.

The coil in Westhues’ hand is the antenna for the wallet-sized device he calls a cloner, which is currently shoved up his sleeve. The cloner can elicit, record, and mimic signals from smartcard RFID chips. Westhues takes out the device and, using a USB cable, connects it to his laptop and downloads the data from Van Bokkelen’s card for processing. Then, satisfied that he has retrieved the code, Westhues switches the cloner from Record mode to Emit. We head to the locked door.

Source: Wired


18 May 2006 | 11,187 views

Sprajax – An Open Source AJAX Security Scanner

Denim Group Ltd. announced today the public release of Sprajax, an open source web application security scanner developed to assess the security of AJAX-enabled web applications.

Sprajax is the first web security scanner developed specifically to scan AJAX web applications for security vulnerabilities. Denim Group, an IT consultancy specializing in web application security, recognized that there were no tools available on the market able to scan AJAX. AJAX allows web-based applications a higher degree of user-interactivity, a feature with growing popularity among developers.

You can download Sprajax here.

As AJAX becomes more popular with developers, the security of AJAX-enabled web applications will be a growing concern,” says Dan Cornell, Principal at Denim Group.”Sprajax is a great tool for application security maintenance, and its availability as an open source application places it within reach for organizations of all sizes.”

While expert security scans are more thorough and usually recommended, internal developers and security auditors can use this software to produce an initial vulnerability assessment. This can be invaluable, especially in the wake of government regulations regarding web application security. Organizations must take steps to protect sensitive data in public facing applications, and an assessment using a tool like Sprajax could be the first step

Sprajax homepage.

We have written about the danger of AJAX security her.

Digg This Article


18 May 2006 | 12,255 views

Caller ID Spoofing is Still Easy- FCC Investigates

The FCC wants to clamp down on Caller ID spoofing it seems.

If you’ve ever used one of the half-dozen websites that allow you to control the phone number that appears on someone’s Caller ID display when you phone them, the U.S. government would like to know who you are.

Last week the FCC opened an investigation into the caller-ID spoofing sites — services that began popping up late 2004, and have since become a useful tool for private investigators, pranksters and more than a few fraud artists.

One of the example services that received the 7 page FCC report is called Telespoof.

On their website it says..

Telespoof.com offers the first domestic and international Caller ID spoofing service, allowing business professionals to remain anonymous when calling from anywhere in the world, to anywhere in the world. We like to think of it as “mobile invisibility”, the highest quality Caller spoofing service available anywhere in the world.

Another example is Spoofcard.com that sells a virtual ‘calling card’ for $10 that provides 60 minutes of talk time. The user dials a toll-free number, then keys in the destination number and the Caller ID number to display. The service also provides optional voice scrambling, to make the caller sound like someone of the opposite sex.

USA Today also reported on how Caller ID spoofing has become easier, saying..

Tim Murphy’s office started getting phone calls from constituents who complained about receiving recorded phone messages that bad-mouthed Murphy. The constituents were especially upset that the messages appeared to come from the congressman’s own office. At least, that’s what Caller ID said.

So if you have used one of these services for whatever reason, the federal government is interested in YOU..

The FCC is demanding business records from both companies, as well as the name of every customer that has used TeleSpoof, the date they used it and the number of phone calls they made.

Dated February 24th, the FCC letter gives TeleSpoof 20 calendar days to respond.

Source: Wired