Darknet - The Darkside

Don't Learn to HACK - Hack to LEARN. That's our motto and we stick to it; we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec-related news, tools and more. Follow us on Twitter, Facebook or RSS for the latest updates.

13 June 2006 | 3,679 views

Taiwan Kings of Spam from CipherTrust


Hmm, Taiwan is really way ahead of everyone when it comes to being a spam hub; sadly that’s nothing to be proud of, and generally it’s due to a large number of poorly configured or unsecured servers.

Taiwan needs to start doing some vulnerability assessment! Taiwan and Korea have always had loads of open proxies and exploitable machines in my experience, and when reporting such problems language is always an issue.

Almost two thirds (64 per cent) of servers controlling spam traffic are located in Taiwan, according to a survey by email security firm CipherTrust.

Such servers, used by internet lowlifes to relay spam and phishing emails through zombie, compromised PCs, are also commonly located in the US. The US accounts for 23 per cent of the machines identified on CipherTrust’s spam server blacklist, with China in a fairly distant third place (three per cent).

Sounds like a pretty neat method they employed to get the figures.

CipherTrust obtained its figures after deploying a network of zombie-like machines across the world to gather intelligence on spamming operations. While machines in this “zombie honey pot” avoid relaying spam or phishing attacks to end-users, they collect messages from spammers trying to control them. By capturing these messages, CipherTrust is able to determine the location of the spam servers. Spammers themselves, of course, may be located somewhere completely different, such as Boca Raton, USA (for example).

Source: The Register



12 June 2006 | 5,439 views

Academic Papers on Web Application Security

I found a useful resource containing a whole list of academic papers on web-application security.

This list represents an attempt to collect academic papers on the subject of Web application security sorted by the year of publication.

Hacking web applications has become a big thing in the last 5 years; just look at the number of holes found in common PHP applications.

It has papers from 2004-2006.

Subjects cover a good range including:

  • SQLrand: Preventing SQL Injection Attacks
  • Bypass Testing of Web Applications
  • Defining a Set of Common Benchmarks for Web Application Security
  • The Essence of Command Injection Attacks in Web Applications
  • A Practical Approach for Defeating a Wide Range of Attacks

You can find the resource here:

Academic Papers in Web Application Security

Vulnerabilities in custom web applications are the most common flaws I find during penetration testing nowadays. It is a very important area and these papers should help your knowledge on both sides of the fence.


11 June 2006 | 3,352 views

Custom Trojans – Isn’t it Old News?

Well it is for me, and I guess for anyone who considers themselves a career hacker, or at least has a serious interest.

As a few good trojans are open source (Back Orifice?), you can just mess around with them for a while until you reach the point where they are no longer detected by any of the major anti-virus suites, then bind them to a file and off you go, instant access.

I remember once, someone actually believed I’d sent them a notepad.exe upgrade version…oh well, if only everyone was that stupid it would make our jobs so much easier.

Anyway, back to the point: it seems customized trojans and malware are being created for specific attacks.

Anti-virus companies employ legions of researchers, honey pots, and customers to find viruses as soon as they appear in the wild. It takes on average about six hours to find, classify, and push out a new definition to your desktop. The Achilles heel of the whole industry is that these research techniques can do nothing to protect you against a custom virus or Trojan.

Custom malware is easy to create. Take the source code of an existing Trojan or virus, and modify it so that existing anti-virus and anti-spyware programs do not recognize it. And even if you or your IT department finds the Trojan, it does no good to report it, because it is not “in the wild.” So the developer of the custom Trojan can reuse his wares against other targets.

Sadly, as always, the AV industry is way behind: your anti-virus software only works if it has the correct definition, and heuristics in the AV field are still very weak.

Anti-virus software is still reactive, not pro-active.

The infamous Trojan developed by Michael Haephrati and used to steal competitive information from dozens of companies in Israel was a custom Trojan. Now China is engaging in industrial-scale fishing expeditions against U.K. businesses and government agencies using a two-pronged attack.

The routine goes like this: First, a custom virus is sent in to harvest email addresses. It stays only within the target domain. Then, emails are sent to those addresses containing the custom Trojan. The reply-to addresses all appear to be within the same organization, making them more likely to be opened. Would you not open an email from your boss that said “Annual Appraisal Attached, Open Immediately”?

Social engineering combined with a custom trojan and some neat code: blended threats are always the most effective.

Again, things like this can be stopped with education; it’s very hard to protect against them with current technology.

Host-based intrusion detection can go a little way towards helping.
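One technical control that does catch the routine described above, the mail that claims to come from a colleague but actually arrives from outside, is a simple header check at the border MX. The following is an added example written for this post, not code from the original article or from Dark Reading; the organisation domain `example.org`, the border host `mx.example.org`, the internal address ranges and the three sample messages are all constructed assumptions.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Assumptions (not from the article): our mail domain, our internal address
# ranges, and the hostname of the border MX that stamps inbound mail.
ORG_DOMAIN = "example.org"
BORDER_MX = "mx.example.org"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Matches the bracketed IPv4 literal an MTA writes into a Received: header.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def address_domain(header_value):
    """Domain part of an address header, lower-cased; '' when the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def claims_internal_sender(msg):
    """True when From: or Reply-To: presents itself as one of our own users."""
    return any(address_domain(msg.get(h)) == ORG_DOMAIN for h in ("From", "Reply-To"))


def entered_from_outside(msg):
    """Look at the Received: line stamped by our border MX and report whether the
    connecting host was outside our address space. None when no such hop exists
    (the sample headers are kept on one line; folded headers would need unfolding)."""
    for line in msg.get_all("Received") or []:
        if f"by {BORDER_MX}" not in line:
            continue
        m = RECEIVED_IP.search(line)
        if not m:
            return None
        ip = ipaddress.ip_address(m.group(1))
        return not any(ip in net for net in INTERNAL_NETS)
    return None


def flag_impersonation(raw_message):
    """True for mail that claims an internal sender yet came in from outside."""
    msg = email.message_from_string(raw_message)
    return claims_internal_sender(msg) and entered_from_outside(msg) is True


# Constructed sample messages (not real traffic); the lure subject is the one
# quoted in the article.
EXTERNAL_SPOOF = """\
Received: from relay.attacker.test ([203.0.113.7]) by mx.example.org with ESMTP id 1; Thu, 08 Jun 2006 09:12:00 +0000
From: "Your Manager" <manager@example.org>
Reply-To: manager@example.org
To: staff@example.org
Subject: Annual Appraisal Attached, Open Immediately

Please see the attachment.
"""

INTERNAL_GENUINE = """\
Received: from ws42.example.org ([10.1.2.3]) by mx.example.org with ESMTP id 2; Thu, 08 Jun 2006 09:15:00 +0000
From: manager@example.org
To: staff@example.org
Subject: Annual Appraisal

Please see the attachment.
"""

EXTERNAL_GENUINE = """\
Received: from mail.partner.test ([198.51.100.9]) by mx.example.org with ESMTP id 3; Thu, 08 Jun 2006 09:20:00 +0000
From: contact@partner.test
To: staff@example.org
Subject: Meeting

See you tomorrow.
"""

if __name__ == "__main__":
    for name, raw in (("spoof", EXTERNAL_SPOOF), ("internal", INTERNAL_GENUINE),
                      ("partner", EXTERNAL_GENUINE)):
        print(name, "-> flagged" if flag_impersonation(raw) else "-> ok")
```

The check deliberately trusts only the Received: line our own MX wrote, since every earlier hop is attacker-controlled text. It is a heuristic, not a substitute for SPF/DKIM policy, but it flags exactly the "email from your boss" lure the article describes.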

Source: Dark Reading


10 June 2006 | 3,571 views

Predicting Malware – Events Trigger Malware/Phishing Spikes

Apologies for the lack of updates for the past few days, I had to go abroad for an important assessment ;)

It’s sad how people can prey on things as terrible as disasters to make a quick buck, but we have to face the fact that they do, and will.

And it seems they will use anything; we’ve already seen a trojan targeting World Cup fans.

For example, consider what we witnessed last year following the Katrina and Rita hurricanes that struck the southern coast of the USA. Within 24 hours of landfall, the Internet Storm Center observed a dramatic increase in fraudulent web sites aimed at good-hearted people wanting to donate to charities or relief efforts. We can predict with fairly high certainty that the same thing is going to happen again this year. We are monitoring DNS registrations and have seen several new names appear in the last few weeks with the strings “alberto”, “beryl”, “donation”, or “hurricane” in them. (Alberto and Beryl are the first two names on the list for 2006.) Are they all legitimate? Well, let’s see what happens as soon as the first storm forms and makes landfall.

People have even gone to the length of pre-registering domains for hurricanes that haven’t even HAPPENED yet, amazing eh?
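The SANS note above describes watching new DNS registrations for strings like “alberto”, “beryl”, “donation” and “hurricane”. Here is what such a watchlist looks like as code; this is an added example for this post, not the Internet Storm Center’s own tooling. The keyword sets, the registration feed with its `.test` names and the reference date are all constructed assumptions; only the two storm names come from the article.

```python
from datetime import date

# Constructed keyword sets. Alberto and Beryl head the 2006 storm list per the
# SANS note; the remaining words are an assumption about typical lure wording.
EVENT_WORDS = {"hurricane", "storm", "alberto", "beryl"}
MONEY_WORDS = {"donat", "relief", "fund", "charity"}   # "donat" covers donate/donation

# Constructed sample registration feed: (domain, registration date). Not real data.
NEW_REGISTRATIONS = [
    ("hurricane-alberto-donations.test", date(2006, 6, 2)),
    ("albertorelieffund.test", date(2006, 6, 5)),
    ("beryl-photography.test", date(2006, 6, 1)),
    ("example-hardware.test", date(2006, 6, 4)),
    ("hurricane-shutters-2005.test", date(2005, 8, 20)),
]
TODAY = date(2006, 6, 10)   # constructed reference date for the age filter


def registrable_label(domain):
    """Second-level label, lower-cased: 'Foo-Bar.test' -> 'foo-bar'."""
    return domain.lower().split(".")[0]


def keyword_hits(label, words):
    # Substring matching on purpose: lure names run words together ("albertorelief").
    return sorted(w for w in words if w in label)


def score_domain(domain):
    """(score, hits): 1 for an event word, 1 for a money word, +1 when both appear,
    since a storm name next to 'donat'/'relief' is the relief-scam pattern."""
    label = registrable_label(domain)
    event = keyword_hits(label, EVENT_WORDS)
    money = keyword_hits(label, MONEY_WORDS)
    score = bool(event) + bool(money) + (bool(event) and bool(money))
    return int(score), event + money


def watchlist(registrations, today=TODAY, max_age_days=30):
    """Recently registered names worth a human look, highest score first."""
    rows = []
    for domain, registered in registrations:
        if (today - registered).days > max_age_days:
            continue                      # old registration: not event-driven
        score, hits = score_domain(domain)
        if score:
            rows.append((domain, score, hits))
    rows.sort(key=lambda row: (-row[1], row[0]))
    return rows


if __name__ == "__main__":
    for domain, score, hits in watchlist(NEW_REGISTRATIONS):
        print(f"{score}  {domain:40} {', '.join(hits)}")
```

A single keyword hit (a photography site that happens to be called Beryl) only earns a low score; the names that pair a storm with money words float to the top, which is where a reviewer should spend their time. The age filter is what turns a keyword grep into event monitoring: the interesting registrations are the ones that appear in the days around the event.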

We really need to focus on the so-called ‘layer 8’ protection: beef up the wetware, educate and inform! The World Cup will trigger all kinds of tricks, we can pretty much guarantee that, so we have to be on our guard.

In fact, one of our observant readers (thanks, George!) wrote us to say, “I work in a government research lab with a very diverse user population, including many soccer fans. The last World Cup led to a malware spike. I expect another spike this year, but with a potential for more sophisticated attacks.” So George is keeping an eye out for a potential rise in malware attacks, basing his prediction on the fact that during the World Cup many fraudsters and pranksters will likely launch specially crafted emails and set up bogus web sites designed to lure in sports fans around the world.

At least if we are ready we can thwart the attacks before they happen in most cases; perhaps a mass e-mail warning people will suffice.

Source: SANS


07 June 2006 | 10,762 views

Graph Analysis of Credit Card Loss

I saw some interesting information recently on a mailing list.

We took one sample of one carding/phishing forum that our Global Surveillance Center was monitoring and sampled the set into a graph that lists the top 10 banks and the losses over the last month. As you can see, it’s obvious who the top credit card companies are out there, but at the same time, we can see an ever increasing on the top targets but not necessarily an increase on the lower tiers over the entire three months, but in the first two we see a significant increase in success with stolen credit cards in general. In this case, the loss that we captured (which probably isn’t nearly the number captured by this forum) was a little over 21,000 credit cards.

Credit Card Loss (graph)

This is one group, with 21,000 cards per 3 months (that we know about) and law enforcement estimates about $500.00 per card in average loss. At that rate, in 3 months, one carding group causes $10,500,000.00 in loss. And this carding group is at the low end of the totem pole.

As you can see from the graph, Bank of America is highest on all counts, perhaps they need to think about addressing that? First USA bank and Citibank make up the other 2 of the top 3.

Credit:

Lance James
Secure Science Corporation
http://www.securescience.net


06 June 2006 | 7,602 views

RFID & Biometrics Used At World Cup in Germany

RFID, biometrics, hi-tech police officers, yes it’s all going to be happening in Germany for the close approaching World Cup 2006.

Not surprisingly, security is a top priority for the German government, even higher than its desire to see the national team walk off the pitch with the World Cup 2006 trophy.

The list of security precautions the government is taking is substantial. It begins with the use of RFID (radio frequency identification) technology. More than 3.5 million tickets for the 64 matches will be sold with an embedded RFID chip containing identification information that will be checked against a database as fans pass through entrance gates at all 12 stadiums.

Organizers have asked everyone requesting tickets to provide a wealth of personal data, including name, address, date of birth, nationality and number of ID card or passport. Never before have fans attending an event organized by the Federation Internationale de Football Association (FIFA) been required to provide so much information about themselves that can be accessed so quickly.

Seems like a massive anti-terrorism initiative, but well, all of these things can easily be falsified.

There’s a mammoth security control center containing 120 people watching monitors.

Another special group, the Central Sports Intelligence Unit in Neuss near Dusseldorf, is receiving thousands of tips from authorities in nations competing in the World Cup. Its database includes information on 6,000 hooligans who are already known to police and pose a direct threat.

Many of the security systems and procedures were tested during the Confederation Cup soccer tournament in Germany last year.

More than 30,000 federal police officers will be on duty during the games. Some of them will be equipped with mobile “fast identification” fingerprint devices. Fingerprint data captured by the optical devices will also be matched against data stored in the central database of the German Federal Intelligence Service.

Fast identification fingerprint devices…sounds a bit sci-fi, right? Technology is indeed catching up, so the hooligans had better watch out. But if your fingerprints aren’t in the database they can’t flag you, right?

Better wear some ultrathin latex gloves ;)

Source: CSO Online


05 June 2006 | 51,961 views

The Top 10 Most Common Passwords

A pretty interesting article that statistically measured the frequency of passwords by taking an aggregate sample of passwords (primarily from the UK).

Here are the most commonly occurring passwords from the sample.

10. ‘thomas’ (0.99%)

First off, at number 10, is the most common format of passwords – the name. Thomas is a perennially popular name in the UK (2nd most popular in 2000), so it is perhaps no surprise that it makes the top 10, with nearly 1 in 1,000 people opting for this ubiquitous forename as their password.

We can only guess that there are a lot of fans of Thomas Jefferson or Thomas Edison out there! The high prevalence of Christian names only further reinforces the fact that loved ones are a common choice when it comes to passwords.

9. ‘arsenal’ (1.11%)

Football teams tend to be another popular choice, and the gunners fall in 9th place. This may or may not be reflective of the fact that the word ‘arsenal’ starts with a 4-letter swear word – another popular choice when it comes to passwords.

Arsenal are ranked 6th overall in average attendance rankings, and are the 2nd most popular football-related password.

8. ‘monkey’ (1.33%)

Quite why the monkey makes it into 8th place is beyond me, but the fact that it’s a 6-letter word (6 letters is a typical minimum length for passwords), is easily typed and is memorable probably helps cement its position as ideal password material.

Still, it’s quite worrying that there’s such a trend – perhaps the internet and monkeys are inextricably linked?

7. ‘charlie’ (1.39%)

Another name – nowhere near as common a name as No. 10, Thomas, but it’s our most popular name-based password overall.

Could of course be a homage to a number of famous Charlies – Chaplin, Sheen, or those of a Chocolate Factory persuasion. Or, of course, it could just be the case that they’re referring to its slang usage.

6. ‘qwerty’ (1.41%)

I wonder where the inspiration for this one came from? Perhaps when faced with a blinking cursor and an instruction to choose a password people will tend to look to the things closest to them – which would explain why 1 in 700 people choose ‘qwerty’ as their password.

5. ‘123456’ (1.63%)

Can you count to 6? It’s the most common minimum required length of password – and the 5th most common password.

4. ‘letmein’ (1.76%)

A modern-day version of ‘open sesame’ – and 1 person in 560 will type ‘letmein’ as their password. Quite why is beyond me.

I could be mistaken, but I have a hunch that ‘letmein’ has been featured in a movie or TV series – Fox Mulder’s password from the X Files – ‘trustno1’ – also ranked quite highly.

3. ‘liverpool’ (1.82%)

The most popular football team by some margin, Liverpool was the third most popular password overall. Does this mean that 1 in 550 people is such a devout Liverpool fan that they would be willing to entrust private data to the team they love?

Liverpool ranked 3rd in the average attendance ratings – leaving the 2 most popular teams, Manchester United and Newcastle United, out of the top 10 list – perhaps because they’re too long and difficult to type.

2. ‘password’ (3.780%)

Akin to pressing the ‘any’ key, when told to enter a ‘password’, it would seem that users aren’t the sharpest tools in the box – with almost 1 in 250 people choosing the word ‘password’.

1. ‘123’ (3.784%)

With nearly 4 people in 1,000 opting for a simple numerical sequence as their password (it should be noted that there was no lower length limit specified), ‘123’ must be the first thing a lot of people think of when asked to specify a password. One dreads to think what their PIN number might be!

Source: Modern Life is Rubbish


03 June 2006 | 5,814 views

The MPAA TorrentSpy Hacker – $15,000!

Ah, the big boys can’t get in legitimately, so they are starting to use underhand tactics, eh?

A lawsuit filed Wednesday accuses the Motion Picture Association of America of hiring a hacker to steal information from a company that the MPAA has accused of helping copyright violators.

The lawsuit, filed in U.S. District Court for the Central District of California by Torrentspy.com parent Valence Media, doesn’t identify the man the company says was approached by an MPAA executive. But the suit calls the man a former associate of one of the plaintiffs and alleges that he was asked to retrieve private information on Torrentspy.com, a search engine that directs people to download links.

Torrentspy’s complaint includes claims that the man whom the MPAA allegedly paid $15,000 to steal e-mail correspondence and trade secrets has admitted his role in the plot and is cooperating with the company.

Torrentspy is taking this really seriously.

Torrentspy alleges in the suit that the man, whom the company refers to as the “informant,” has provided documents that prove the nature of his relationship with the MPAA, including a written agreement signed by the hacker and an MPAA executive, Rothken said.

“We have very significant proof of wrongdoing and the MPAA’s involvement,” Rothken said. “We think it’s ironic for the MPAA to claim that they are protecting the rights of the movie studios and then go out and pirate other people’s property.”

Rothken said that the MPAA also paid the hacker to “gather nonpublic information” about other Torrentspy-related sites. Rothken declined to specify which sites.

Seems like the hacker has had a change of heart too, hopefully Torrentspy kick their monkey asses.

Source: ZDNet


02 June 2006 | 10,901 views

THC Releases Nokia Phone ROM Images

I have to agree with their sentiment, I’m all for open hardware standards.

Even if you don’t open it, people will copy it anyway (See the mass of Cisco knock-offs in China for a fraction of the price with almost exactly the same functions and IOS)

So why not open it, let us play with it.

At least let us know how the hardware we are paying for works.

The following webpage contains ROM images from various mobile phone operating systems. Our intention is to motivate other reverse engineers to take a look at the images and to discover other hidden secrets. Other reasons are that it is said to be hard to extract the ROM. Certainly another reason is that Nokia does not release any technical information about the hardware and I find this rather disappointing. (It’s my strong belief that when I buy hardware I should also be allowed to know what’s in it and how to use it.)

There are ROM images from various models such as NOKIA 6630, NOKIA n70, NOKIA N-GAGE and also from SE the SonyEricsson P900 ROM image.

Mobile Phone ROM Image and Reverse Engineering Invitation


02 June 2006 | 4,856 views

New Spyware Blackmails Users Into Purchasing Software

Ah, this is almost like ransomware again: messing up your machine and then extorting money from you.

Make sure you educate your non tech savvy relatives about such threats, spyware, adware, trojans and worm type viruses. Education is THE most powerful defence against malware and computer security incidents.

Some simple patching, free antivirus protection like Avast!, using Firefox or Opera, and most people will be safe with a little education.

A new spyware program that lures computer users by claiming to give free access to pornographic Web content ends up by “blackmailing” them into purchasing a program to clean the infection, a security firm said.

US-based Panda Software said the program called DigiKeyGen generates passwords that supposedly enable users to access to pornographic websites.

At the same time, a spyware program and an alleged anti-spyware application are installed on a computer without the users’ knowledge, Panda said.

Ah, the age-old adage of free porn; won’t people learn? There’s no such thing as a free lunch; if it’s too good to be true…IT’S NOT TRUE!

Porn does power the Internet, though; that’s another matter entirely.

These guys say basically the same thing.

“You must always be suspicious of offers for something in exchange for almost nothing,” said Luis Corrons, director of Panda Software Labs, noting that the technique is not new.

“Cybercrime, which aims to make easy money, simply applies traditional fraud techniques to the Internet and as a result, anybody tempted by the chance to get something for nothing is taken in, unaware of the risks of apparently harmless actions, such as downloading small programs or accessing certain websites.”

In a separate security warning, Sophos Labs warned Tuesday that a security alert claiming to be from Microsoft is in fact a “trojan” that steals passwords.

It seems to never end.

Source: Yahoo! News