Darknet - The Darkside

Don`t Learn to HACK - Hack to LEARN. That`s our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on Twitter, Facebook or RSS for the latest updates.

14 June 2006 | 7,914 views

Spam – A Simple Guide To Keeping Your Inbox Clean

Check For Vulnerabilities with Acunetix

In my opinion, the best way to keep clean of spam is simple:

The first rule is NEVER reply to spam, NEVER click the unsubscribe link and NEVER e-mail to the unsubscribe address.

These are simply underhand tactics to get ‘active’ e-mail addresses.

Some other tips to avoid getting spammed in the first place:

1) Never use your real e-mail address in newsgroups, this is the best place to get picked up by a spam bot. Use something like l33t-no-spam-at-i.hate.spam-darknet.org.uk

Then in your signature put remove -no-spam and i.hate.spam- to reply.

2) Never put your e-mail address on a publically viewable web page as it will be spidered by Google and grabbed by spammers.

If you do need to put an e-mail address use the simple JavaScript below to protect it:

<!-- Begin Darknet E-mail Saver
<SCRIPT language="JavaScript">
randomword = "l33t";
randomword2 = "darknet.org.uk";
append = "?Subject=Enquiry&Body=Please%20Insert%20Your%20Message%20Here.";
document.write('<a href=\"mailto:' + randomword + '@' + randomword2 + append + '\">');
document.write(randomword + '@' + randomword2 + '</a>');
// End -->
</SCRIPT>

3) If you do put your e-mail address anywhere try and obscure it in some way.

4) Create a disposable e-mail address (hotmail or yahoo) that you rarely check for signing up to Web-sites. Most commercial sites will bombard you with spam after you’ve signed up for whatever services they are offering. Some also sell your address to list makers or other spammer so never give your *real* e-mail address to anyone except people you want to e-mail you.

5) Don’t share your e-Mail address & Skip Compulsive Registration* This goes along with number 4, if possible don’t register, and if you do make sure you untick the ‘spam me with a newsletter’ box.

Well 5) maybe a problem. Most of the times, a search on Google shows us a site with the answer to our problem, still, a big part of them requires registration (like Expertexchange)

That’s where BugMeNot comes into play.

BugMeNot is database of login information (usernames and passwords) that you can use to access a site that requires registration. The site has a voting mechanism that enables you to vote for the Username/Password that worked for you, making the login combination with most votes, the first on the list for a specific site.

You can also add new login information to the database for the sites you can’t find a login.

There is also a BugMeNot plugin for Firefox, that enables you to automatically enter the login information for a site, with a single click of the mouse.
The plugin was made for older versions of Firefox, and it has been reported not to work with most recent versions.

BugMeNot is not the solution for everything, and sometimes you need to ‘share’ your e-Mail with others.

DEA – Disposable e-Mail Address – Allows you to share an e-Mail address on doubtful sites without the concern of that information being used to spam.

There are various sites providing DEA’s. Top 10 sites.

In my personal, and humble opinion, I suggest Mailinator and Wuzup Mail. Both of them supporting RSS.

Mailinator will create a random e-Mail address every time you refresh the site, which you can then use to register on the more doubtful sites.

WuzupMail let’s you choose your username and will save the e-Mail’s you receive for 7 day’s.

Using both BugMeNot for compulsive registration and DEA to prevent your personal information from being used to spam, you will reduce the amount of spam you get on your Inbox everyday (if you get any).

Also remember Thunderbird has some pretty good bayesian spam filtering built in, once it’s learn your e-mail pattern it’s very effective, if you are still getting spam you can try that.

* If you need to share your personal e-Mail address, do it in a creative way. Most web spiders – crawlers – are able to spot e-Mail’s like jon at doe dot com.

Be creative, jon at |NO_SPAM_PLEASE| dot com, etc, etc.

Digg This Article



13 June 2006 | 16,175 views

Windows Vista Preview Release Download & Torrent

You can get your hands on the windows vista preview release beta2. This is for those of you who are wondering how the interface of the new windows vista will look like and the new feel of the new operating system. You can find the minimum system requirements here.

You can download vista here. It’s free so try it out and see if you can find any security flaws on the new operating system before it hits final version. It’s 3GB in size so i suggest using your favorite download manager to download the .iso file.

Better still just download it using the torrent.

You can find the latest visa torrent information here:

http://www.vistatorrent.com/


13 June 2006 | 12,505 views

Oedipus – Open Source Web Application Security Analysis

Oedipus is an open source web application security analysis and testing suite written in Ruby by Penetration Testers for Penetration Testers. It is capable of parsing different types of log files off-line and identifying security vulnerabilities. Using the analyzed information, Oedipus can dynamically test web sites for application and web server vulnerabilities.

Oedipus can be broken down into 4 main components:

1. Analyzer

Capable of parsing several different types of log files, such as Burp, Paros, etc, identifying potential security vulnerabilities using pattern matching – An Oedipus input file is also produced.

2. Scanner

Parsers the Oedipus or IEnterceptor file, feeding each request to a dynamically loaded predefined security plug-in on the fly.

3. Reporter

Using the results from the Analyzer and the Scanner, Oedipus produces several well formatted reports designed for the Penetration Tester. The Scanner report can be interactively used to verify the results of the potential vulnerabilities discovered.

4. Tools

Using the above identified security vulnerabilities, a number of tools are provided to analyze and potentially exploit the vulnerability.

You can read more at:

Oedipus or Download Oedipus Now

Digg This Article


13 June 2006 | 3,679 views

Taiwan Kings of Spam from CipherTrust

Hmm Taiwan are really way ahead of everyone when it comes to being a spam hub, sadly that’s nothing to be proud of and generally it’s due to a large amount of poorly configured/unsecured servers.

Taiwan needs to start doing some vulnerability assessment! Taiwan and Korea have always had loads of open proxies/exploitable machines in my experience and when reporting such problems language is always an issue.

Almost two thirds (64 per cent) of servers controlling spam traffic are located in Taiwan, according to a survey by email security firm CipherTrust.

Such servers, used by internet low lives to relay spam and phishing emails through zombie, compromised PCs, are also commonly located in the US. The US accounts for 23 per cent of the machines identified on CipherTrust’s spam server blacklist with China in a fairly distant third place (three per cent).

Sounds like a pretty neat method they employed to get the figures.

CipherTrust obtained its figures after deploying a network of zombie-like machines across the world to gather intelligence on spamming operations. While machines in this “zombie honey pot” avoid relaying spam or phishing attacks to end-users, they collect messages from spammers trying to control them. By capturing these messages, CipherTrust is able to determine the location of the spam servers. Spammers themselves, of course, may be located somewhere completely different, such as Boca Raton, USA (for example).

Source: The Register


12 June 2006 | 5,445 views

Academic Papers on Web Application Security

I found a useful resource containing a whole list of academic papers on web-application security.

This list represents an attempt to collect academic papers on the subject of Web application security sorted by the year of publication.

Hacking web applications has become a big thing in the last 5 years, just look at the number of holes found in common PHP applications.

It has papers from 2004-2006.

Subjects cover a good range including:

  • SQLrand: Preventing SQL Injection Attacks
  • Bypass Testing of Web Applications
  • Defining a Set of Common Benchmarks for Web Application Security
  • The Essence of Command Injection Attacks in Web Applications
  • A Practical Approach for Defeating a Wide Range of Attacks

You can find the resource here:

Academic Papers in Web Application Security

Vulnerabilities in custom web applications are the most common flaws I find during penetration testing nowadays. It is a very important area and these papers should help your knowledge on both sides of the fence.


11 June 2006 | 3,353 views

Custom Trojans – Isn’t it Old News?

Well it is for me, and I guess anyone who consider themselves a career hacker, or at least has a serious interest..

As a few good trojans are open source (Back Orifice?), you can just mess around with them for a while until you reach the point they are no longer detected by any of the major anti-virus suites, then bind then to a file and off you go, instant access.

I remember once, someone actually believed I’d sent them a notepad.exe upgrade version…oh well, if only everyone was that stupid it would make our jobs so much easier.

Anyone back to the point, it seems customized trojans and malware is being created for specific attacks.

Anti-virus companies employee legions of researchers, honey pots, and customers to find viruses as soon as they appear in the wild. It takes on average about six hours to find, classify, and push out a new definition to your desktop. The Achilles heel of the whole industry is that these research techniques can do nothing to protect you against a custom virus or Trojan.

Custom malware is easy to create. Take the source code of an existing Trojan or virus, and modify it so that existing anti-virus and anti-spyware programs do not recognize it. And even if you or your IT department finds the Trojan, it does no good to report it, because it is not “in the wild.” So the developer of the custom Trojan can reuse his wares against other targets.

Sadly as always the AV industry is way behind, your anti-virus software only works if it has the correct definition, heuristics in the AV field are still very weak.

Anti-virus software is still reactive, not pro-active.

The infamous Trojan developed by Michael Haephrati and used to steal competitive information from dozens of companies in Israel was a custom Trojan. Now China is engaging in industrial-scale fishing expeditions against U.K. businesses and government agencies using a two-pronged attack.

The routine goes like this: First, a custom virus is sent in to harvest email addresses. It stays only within the target domain. Then, emails are sent to those addresses containing the custom Trojan. The reply-to addresses all appear to be within the same organization, making them more likely to be opened. Would you not open an email from your boss that said “Annual Appraisal Attached, Open Immediately”?

Social engineering combined with a custom trojan and some neat code, blended threats are always the most effective.

Again things like this can be stopped with education, it’s very hard to protect against such things with currect technology.

Host based intrusion detection can go a little way to helping..

Source: Dark Reading


10 June 2006 | 3,572 views

Predicting Malware – Events Trigger Malware/Phishing Spikes

Apologies for the lack of updates for the past few days, I had to go abroad for an important assessment ;)

It’s sad how people can pray on things as terrible as disasters to make a quick buck, but well we have to face the facts that they do, and will.

And as it seems, they will use anything, we’ve already seen a trojan targetting world cup fans.

For example, consider what we witnessed last year following the Katrina and Rita hurricanes that struck the southern coast of the USA. Within 24 hours of landfall, the Internet Storm Center observed a dramatic increase in fraudulent web sites aimed at good-hearted people wanting to donate to charities or relief efforts. We can predict with fairly high certainty that the same thing is going to happen again this year. We are monitoring DNS registrations and have seen several new names appear in the last few weeks with the strings “alberto”, “beryl”, “donation”, or “hurricane” in them. (Alberto and Beryl are the first two names on the list for 2006.) Are they all legitimate? Well, let’s see what happens as soon as the first storm forms and makes landfall.

People have even gone to the length of pre-registering domains for hurricanes that haven’t even HAPPENED yet, amazing eh?

We really need to focus on the so called ‘layer 8′ protection, beef up the wetware, educate and inform! The world cup will trigger all kinds of tricks, we can pretty much guarantee that, so we have to be on our guards.

In fact, one of our observant readers (thanks, George!) wrote us to say, “I work in a government research lab with a very diverse user population, including many soccer fans. The last World Cup led to a malware spike. I expect another spike this year, but with a potential for more sophisticated attacks.” So George is keeping an eye out for a potential rise in malware attacks, basing his prediction on the fact that during the World Cup many fraudsters and pranksters will likely launch specially crafted emails and set up bogus web sites designed to lure in sports fans around the world.

At least if we are ready, we can thwart the attacks before they happen in most cases, perhaps just a mass e-mail warning people will suffice.

Source: SANS


07 June 2006 | 10,766 views

Graph Analysis of Credit Card Loss

I saw some interesting information recently on a mailing list.

We took one sample of one carding/phishing forum that our Global Surveillance Center was monitoring and sampled the set into a graph that lists the top 10 banks and the losses over the last month. As you can see, it’s obvious who the top credit card companies are out there, but at the same time, we can see an ever increasing on the top targets but not necessarily an increase on the lower tiers over the entire three months, but in the first two we see a significant increase in success with stolen credit cards in general. In this case, the loss that we captured (which probably isn’t nearly the number captured by this forum) was a little over 21,000 credit cards.

Credit Card Loss

Full Sized Image

This is one group, with 21,000 cards per 3 months (that we know about) and law enforcement estimates about $500.00 per card in average loss. At that rate, in 3 months, one carding group causes $10,500,000.00 in loss. And this carding group is at the low end of the totem poll.

As you can see from the graph, Bank of America is highest on all counts, perhaps they need to think about addressing that? First USA bank and Citibank make up the other 2 of the top 3.

Credit:

Lance James
Secure Science Corporation
http://www.securescience.net


06 June 2006 | 7,605 views

RFID & Biometrics Used At World Cup in Germany

RFID, biometrics, hi-tech police officers, yes it’s all going to be happening in Germany for the close approaching World Cup 2006.

Not surprisingly, security is a top priority for the German government, even higher than its desire to see the national team walk off the pitch with the World Cup 2006 trophy.

The list of security precautions the government is taking is substantial. It begins with the use of RFID (radio frequency identification) technology. More than 3.5 million tickets for the 64 matches will be sold with an embedded RFID chip containing identification information that will be checked against a database as fans pass through entrance gates at all 12 stadiums.

Organizers have asked everyone requesting tickets to provide a wealth of personal data, including name, address, date of birth, nationality and number of ID card or passport. Never before have fans attending an event organized by the Federation Internationale de Football Association (FIFA) been required to provide so much information about themselves that can be accessed so quickly.

Seems like a massive anti-terrorism initiative, but well, all of these things can easily be falsified.

There’s a mammoth security control center containing 120 people watching monitors.

Another special group, the Central Sports Intelligence Unit in Neuss near Dusseldorf, is receiving thousands of tips from authorities in nations competing in the World Cup. Its database includes information on 6,000 hooligans who are already known to police and pose a direct threat.

Many of the security systems and procedures were tested during the Confederation Cup soccer tournament in Germany last year.

More than 30,000 federal police officers will be on duty during the games. Some of them will be equipped with mobile “fast identification” fingerprint devices. Fingerprint data captured by the optical devices will also be matched against data stored in the central database of the German Federal Intelligence Service.

Fast identification fingerprint devices…sounds a bit sci-fi right. Technology is indeed catching up, so the hooligans better watch out. But well, if your fingerprints aren’t in the database they can’t flag you right?

Better wear some ultrathin latex gloves ;)

Source: CSO Online


05 June 2006 | 51,998 views

The Top 10 Most Common Passwords

A pretty interesting article that statistically measured the frequency of passwords by taking an aggregate sample of passwords (primarily from the UK).

Here are listed the most commonly occurring from the sample.

10. ‘thomas’ (0.99%)

First off, at number 10, is the most common format of passwords – the name. Thomas is a perennially popular name in the UK (2nd most popular in 2000), so it is perhaps no surprise that it makes the top 10, with nearly 1 in 1,000 people opting for this ubiquitous forename as their password.

We can only guess that there are a lot of fans of Thomas Jefferson or Thomas Edison out there! The high prevalence of Christian names only further reinforces the fact that loved ones are a common choice when it comes to passwords.

9. ‘arsenal’ (1.11%)

Football teams tend to be another popular choice, and the gunners fall in 9th place. This may or may not be reflective of the fact that the word ‘arsenal’ starts with a 4-letter swear word – another popular choice when it comes to passwords.

Arsenal are ranked 6th overall in average attendance rankings, and are the 2nd most popular football-related password.

8. ‘monkey’ (1.33%)

Quite why the monkey makes it into 8th place is beyond me, but the fact that it’s a 6-letter word (6 letters is a typical minimum length for passwords), is easily typed and is memorable probably helps cement its position as ideal password material.

Still, it’s quite worrying that there’s such a trend – perhaps the internet and monkeys are inextricably linked?

7. ‘charlie’ (1.39%)

Another name – nowhere near as common a name as No. 10, Thomas, but it’s our most popular name-based password overall.

Could of course, be a homage to a number of famous Charlies – Chaplin, Sheen, or those of a Chocolate Factory persuasion. Or, of course, it could just be the case that they’re referring to it’s slang usage.

6. ‘qwerty’ (1.41%)

I wonder where the inspiration for this one came from? Perhaps when faced with a blinking cursor and an instruction to choose a password people will tend to look to the things closest to them – which would explain why 1 in 700 people choose ‘qwerty’ as their password.

5. ‘123456’ (1.63%)

Can you count to 6? It’s the most common minimum required length of password – and the 5th most common password.

4. ‘letmein’ (1.76%)

A modern-day version of ‘open sesame’ – and 1 person in 560 will type ‘letmein’ as their password. Quite why is beyond me.

I could be mistaken, but I have a hunch that ‘letmein’ has been featured in a movie or TV series – Fox Mulder’s password from the X Files – ‘trustno1′ – also ranked quite highly.

3. ‘liverpool’ (1.82%)

The most popular football team by some margin, Liverpool was the third most popular password overall. Does this mean that 1 in 550 people is such a devout Liverpool fan that they would be willing to entrust private data to the team they love?

Liverpool ranked 3rd in the average attendance ratings – leaving the 2 most popular teams, Manchester United and Newcastle United, out of the top 10 list – perhaps because they’re too long and difficult to type.

2. ‘password’ (3.780%)

Akin to pressing the ‘any’ key, when told to enter a ‘password’, it would seem that users aren’t the sharpest tool in the box – with almost 1 in 250 people choosing the word ‘password’.

1. ‘123’ (3.784%)

With nearly 4 people in 1,000 opting for a simple numerical sequence as their password (it should be noted that there was no lower length limit specified), ‘123’ must be the first thing a lot of people think of when asked to specify a password. One dreads to think what their PIN number might be!

Source: Modern Life is Rubbish