Darknet - The Darkside

Don't Learn to HACK - Hack to LEARN. That's our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on Twitter, Facebook or RSS for the latest updates.

06 March 2006 | 7,289 views

Anti-Spyware Software Wars – Can’t they get along?!


Last year, we noted how some security products could cause conflicts that would cause computers to lock up — but there’s another (less troublesome) trend that’s happening as well: security products declaring competing products as malware and removing them.

Just a little over a week ago, the latest version of Microsoft’s anti-spyware offering declared Symantec’s anti-virus offering as malware. However, it looks like Kaspersky Labs has Symantec’s back on this one. Its latest anti-spyware offering flagged some Microsoft anti-virus software as being malware. Of course, this was bound to happen, since many security products often have to do things that look quite like malware.

This is only likely going to get worse — and many of these standalone companies might want to start thinking about proactively trying to deal with the issue. In the meantime, it seems like the security suite providers should be using this as an opportunity to hype up how their combined offering does everything in one package (even if that’s not quite true), so you never need additional, conflicting software.

According to several different support threads over at Microsoft’s user groups forum, the latest definitions file from Microsoft “(version 5805, 5807) detects Symantec Antivirus files as PWS.Bancos.A (Password Stealer).”

When Microsoft Anti-Spyware users remove the flagged Norton file as prompted, Symantec’s product gets corrupted and no longer protects the user’s machine. The Norton user then has to go through the Windows registry and delete multiple entries (registry editing is always a dicey affair that can quickly hose a system if the user doesn’t know what he or she is doing) so that the program can be completely removed and re-installed.

I put in calls to Microsoft and to Symantec on this issue, but am still waiting to hear back from both companies.

Source: Washington Post

I have had similar problems in the past with things detecting HijackThis! or Spybot as malware, or playing with having two level 7 firewalls installed.



05 March 2006 | 3,424 views

RIAA Dirty Tricks: Gathering Private Info On Kids Of Accused File Sharer

The RIAA’s latest tactic is to reveal to Santangelo and her new lawyer that they’ve been investigating her children, and have been able to collect a lot of non-public information. The RIAA will probably claim that the info is related to the case, but it certainly borders on using scare tactics, and trying to intimidate Santangelo into backing down.

The Big Four record labels are escalating their attack on Patti Santangelo, the New York mother who’s so far the only person to stand up to them.

And they’ll be using her children as weapons against her.

On Tuesday judge Mark D. Fox presided over a discovery hearing in Elektra v Santangelo and, “Elektra’s attorneys have answered Patti’s objections to their discovery questions,” her lawyer, Jordan Glass, told p2pnet.

“They’ve started to push back aggressively. They’re going after her children – and this time not directly so they can get around certain protections the children have. They had information about the children that wasn’t public, or wasn’t supposed to be public, and it’s of great concern not only that they were able to obtain it, but also that they wanted it.

“They’re not treating this as a single case or as seeking a verdict for $3,500.00. They’re treating this as a symbol for how the other cases will go and I hope everyone who reads this will recognize the serious impact this case could have on their children.”

The RIAA has spent enough to feed a small country on trying to make the world believe its owners, the multi-billion-dollar Big Four labels, are being “devastated” (their word) by people who share music online, that contracted artists are suffering and that support workers are being driven into extreme financial hardship.

They make the completely unsupportable assertion that people using the p2p networks to share files would otherwise have paid $1 or more to buy the song from an online corporate music site or an offline music store.

Source: p2pnet


04 March 2006 | 3,527 views

Your Employees Don’t Care About Your Data

So you better make sure you do.

As we discussed in the article on Social Engineering in Penetration Testing, it’s not that the employees don’t care as such, it’s that they don’t know. They haven’t been educated, they are ignorant, their awareness of best practise is low.

An experiment carried out within London’s square mile has revealed that employees in some of the City’s best known financial services companies don’t care about basic security policy.

CDs were handed out to commuters as they entered the City by employees of IT skills specialist The Training Camp and recipients were told the disks contained a special Valentine’s Day promotion.

However, the CDs contained nothing more than code which informed The Training Camp how many of the recipients had tried to open the CD. Among those who were duped were employees of a major retail bank and two global insurers.

The CD packaging even contained a clear warning about installing third-party software and acting in breach of company acceptable-use policies – but that didn’t deter many individuals who showed little regard for the security of their PC and their company.

Rob Chapman, CEO of the Training Camp, who carried out the stunt to promote a course in security for non-IT professionals, said: “Fortunately these CDs contained nothing harmful. No personal or corporate data was transmitted due to the actions of these individuals but the fact remains that this could have been someone wanting to cause havoc in the City.”

Chapman claimed the “potential outcome could have been disastrous”.

Source: Silicon

It shows what you can do with a little bit of imagination. A Japanese bank fell victim to a spyware infection last year that led to the thieves almost getting $300 million.

The moral of the story is: educate your staff. It IS important that you tell them. People don’t inherently know what is right and wrong when it comes to computers, what they should and shouldn’t do.


03 March 2006 | 9,200 views

Norton Internet Security ‘Keylogger’ IRC Bug

It seems like script kiddies have been taking full advantage of the bug we talked about in the Symantec software. Do companies never learn?

Script kiddies have been taking advantage of intrusion prevention features of Symantec’s Norton Firewall and Norton Internet Security Suites to knock users offline in IRC channels, according to an amusing post at Washingtonpost.com. From the article: ‘Turns out that if someone types “startkeylogger” or “stopkeylogger” in an IRC channel, anyone on the channel using the affected Norton products will be immediately kicked off without warning.

These are commands typically issued by the Spybot worm, which spreads over IRC and peer-to-peer file-swapping networks, installing a program that records and transmits everything the victim types (known as a keylogger).’ Makes you wonder what other magic keywords produce unexpected results with Symantec’s software.

Reminds me somewhat of the whole ++ATH0 thing.

startkeylogger
phonex has quit (Read error: Connection reset by peer)
TomA has quit (Read error: Connection reset by peer)
something3280 has quit (Read error: Connection reset by peer)

It’s kind of ironic, using the software that’s supposed to be protecting someone to disrupt their Internet experience ;)

Now if only the script kiddies could put their group brain together and come up with something useful.


02 March 2006 | 12,223 views

Norton Antivirus Funny Bug

The following exploit (if we can call it that) was published on the SecurityFocus Bugtraq mailing list. It is reproduced in full below:

Norton Internet monitoring tools issues
Versions Affected : *
Fix : No

What I'm writing about is how to stop the internet of some user that is
using the norton tools and IRC / any other chat at the same time.

By default norton monitor checks for words like “keylogger” , “start
keylogger” , “key logger” and etc.etc.

Example for irc :
Start a mIRC or any other IRC client that u like and connect to some
server.
Type down /ctcp yournick start keylogger . By default norton monitors
your mIRC Process and your logs of it so it sees “start keylogger” and
automatically blocks mIRC.exe from starting and automatically blocks port
6667 or whatever port ure using to connect to IRC. Nice eh ?

Aleksander Hristov

So you should be a little paranoid when using Norton tools…
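The failure mode described in this post and in the 03 March post above, as an added example (not code from the original posts, the advisory or Symantec): a signature that resets the connection on remotely supplied chat text, next to a variant that only alerts unless a local signal corroborates the match. The regex, the process allow-list, the verdict names and the sample line are assumptions made for illustration; the page does not document how the product actually matches or responds.

```python
import re
from dataclasses import dataclass

# Phrases quoted in the posts above; the regex itself is an assumption about
# how a substring signature for them might be written.
SIGNATURE = re.compile(r"(start|stop)\s?keylogger|key\s?logger", re.IGNORECASE)

# Hypothetical allow-list of interactive chat clients a user runs on purpose.
KNOWN_CHAT_CLIENTS = {"mirc.exe", "xchat.exe"}


@dataclass
class Connection:
    user: str      # local user behind the protected host
    process: str   # local process that owns the IRC socket


def message_text(raw_line: str) -> str:
    """Return the trailing parameter of an IRC PRIVMSG line, or '' otherwise."""
    m = re.match(r"^(?::\S+ )?PRIVMSG \S+ :(.*)$", raw_line)
    return m.group(1) if m else ""


def naive_verdict(conn: Connection, raw_line: str) -> str:
    """Assumed flawed design: any inbound match resets the connection."""
    return "reset" if SIGNATURE.search(raw_line) else "allow"


def hardened_verdict(conn: Connection, raw_line: str) -> str:
    """Inbound chat text is controlled by the remote party, so a match alone
    only raises an alert. A disruptive action also requires a local signal the
    sender cannot forge: the socket is owned by a non-chat process."""
    if not SIGNATURE.search(message_text(raw_line)):
        return "allow"
    if conn.process.lower() in KNOWN_CHAT_CLIENTS:
        return "alert"
    return "reset"


def replay(verdict, connections, raw_line):
    """Apply one channel message to every protected member; map user -> action."""
    return {c.user: verdict(c, raw_line) for c in connections}


# Constructed sample: three chat users (nicks from the quoted log) plus one
# host where an unknown process holds the IRC connection.
CHANNEL = [
    Connection("phonex", "mirc.exe"),
    Connection("TomA", "mIRC.exe"),
    Connection("something3280", "xchat.exe"),
    Connection("unattended-host", "updater32.exe"),
]
LINE = ":someone!u@example.invalid PRIVMSG #channel :startkeylogger"

if __name__ == "__main__":
    print("naive:   ", replay(naive_verdict, CHANNEL, LINE))
    print("hardened:", replay(hardened_verdict, CHANNEL, LINE))
```

With the naive rule a single channel message disconnects every protected member, which is the behaviour shown in the quoted log; the second rule keeps the detection but removes the remotely triggerable disconnect for interactive users.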


02 March 2006 | 4,941 views

The RSS Tools That Diggers Use

Interesting to see which RSS aggregators and readers Digg users are using.

As you can see, after being ‘digged’ on Monday February 27th, the RSS subscriber base spiked from about 21 up to 182 at the highest point; after a day it receded back to around 150, and now it’s about 130.

[Image: Darknet RSS Spike]

The biggest agent in the graph by a large margin is Google Desktop.

[Image: RSS Reader Distribution]

Some of the figures are not so accurate as services like Kinjo don’t give the number of subscribers.

Firefox Livebookmarks is also high, which I was expecting.

3rd place goes to Bloglines, probably the most popular web-based blog/RSS aggregator.

The RSS subscription percentage is quite high as well, as around 20,000 people came on that day, and around 160 subscribed.

The above pictures were taken from the shiny new updated Feedburner control panel.


02 March 2006 | 15,890 views

How Computers Work – Free E-book

This is a tutorial web book. All 152 pages of the large paperback book with 96 diagrams are on 38 web pages here.

Even if you know nothing about electronics, you have come to the right place.

If you are wondering how microprocessors work, you have come to the right place. A microprocessor is a small processor.

How Computers Work

If you already know something about electronics, don’t be put off by the fact that the book starts out very simple and uses relays instead of transistors. You will get through the first chapter quickly. See web page 24, below, for just how complex it gets.

If you have a very fast connection (DSL or cable modem), then you can click the following link to see an easier to read (PDF) version of the book. It is 783 kilobytes, so it will take a while.

PDF Version

Full information here:

How Computers Work


01 March 2006 | 17,247 views

Should Social Engineering be a part of Penetration Testing?

This is actually a very interesting debate.

Just to introduce the terms, in case you don’t know them:

What is Penetration Testing

A penetration test is a method of evaluating the security of a computer system or network by simulating an attack by a malicious cracker. The process involves an active analysis of the system for any weaknesses, technical flaws or vulnerabilities. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution.

Wikipedia

What is Social Engineering

It’s a bit cheesy, but we often call this hacking the wetware (hardware, software and wetware meaning people).

Social Engineering is a form of intrusion making use of weaknesses in the non-technical aspects of the system, the wetware also known as people. A common phrase would be ‘Con man’, the most well known form of social engineering. In the technological realm, social engineering relates to unauthorized access of computing resources or network by exploiting human weaknesses.

In the historical sense con men would engineer their way into certain resources, someone’s bank account, shoe box under the bed and so on. In this context the social engineer would target someone that is authorized to use the network, or resource they wish to access and attempt to leverage some confidential information out of them that would compromise the network security.

This is what Mitnick was famous for, and what his book The Art of Deception is about.

I’ll probably cover this more later.

Does Social Engineering have a place in Penetration Testing?

Some people say yes, it’s the most effective way. Actually I’ve found this true: the human element and the lack of education in the workplace is often the weakest link in the chain.

Does it have any place in security testing? I would say definitely yes. Some people would say perhaps it should be a separate project, not in the ‘technical’ assessment of a security perimeter.

Of course it depends on the scope given by the client, but it should be part of any good Penetration Test or Vulnerability Assessment.

Why Social Engineering Should be in a Pen Test

For me, whatever you do to get into the network, or escalate your access, is part of a pen-test. If you are able to get users to divulge some kind of information that assists you in compromising or gaining access to something, then you are doing exactly what a real attacker would have been able to do. You might be able to trick them into telling you something via phone or e-mail, get them to physically do something like open a door or unlock a machine, or get them to run an executable or disable a firewall. You might be able to get them to do so under false pretenses, through their own ignorance or carelessness, or by other means. Whatever you do can be considered part of a pen-test.

Many recent studies have shown people are still incredibly gullible, and especially when presented with a ‘Free CD’ or something, they will happily put it in their drive and run it.

This means that in reality social engineering is an easy option for attacking a network: no problem with IDS, no fear of being tracked by log analysis while attacking. Some attackers try to extract information about the network and internal devices by calling the IT staff and pretending to be a sales guy who is trying to sell a log analyzer or IDS. The staff will often say “No, we don’t need a new firewall, we already have a Cisco PIX”.

Why Social Engineering Shouldn’t be in a Pen Test

Some would say social engineering is altogether a different game; the pen testing results could be used to socially engineer someone within the company, making it perhaps an extension of the pen-test rather than a part of it.

The target of the pen-test might be in a physically different location (Makes the SE more difficult) or the native language of the target may be different (Makes the SE pretty much impossible).

Some people say don’t bother, because you WILL succeed with social engineering.

The main problem is that technical testing is fairly scientific: you can apply metrics to it, you can measure it and you can track its effectiveness.

With social engineering, it’s still pretty much an art form and totally differs from person to person; it’s very hard to be scientific when it comes to conning people. Social Engineering may well be left out by large corporations unless it can be scientifically defined and metrics applied to it.

Things to Keep in Mind

However, there are a few important things to keep in mind. You want to definitely lay down the ground rules with whomever it is you are pen-testing for. They might just want to see what machines an exploit can break into. You might really upset some people and get in trouble if you start trying to gain physical access or send trojans to executives. Make sure they are aware of what you are doing and that you have approval. Get everything in writing or in your agreement somewhere.

Also there are many questions to be answered before doing an SE test – questions of legality, ethics and possible personal consequences for the people who were “duped”. These have to be taken into consideration and could mean the social engineering part is not possible.

Please bear in mind the welfare of the employees too, and consider adding a clause that protects the end-user from getting fired. Human nature is to be helpful; the problem is a lack of education, not a mistake from the user.

Summary

You can include social engineering or not based on the above information. If you don’t include it, you can always demonstrate it for information purposes to the management team or contact of the target organisation.

References: Discussion on SF Pen Test List


01 March 2006 | 8,427 views

Prostitutes want GTA (Grand Theft Auto) Banned

A little bit crazy eh?

Sex workers cry foul, say game “accrues points to players for the depiction of rape and murder of prostitutes.”

The Grand Theft Auto franchise is getting attacked from all angles. Joining the ranks of politicians, policemen, and attorneys in their crusade to see the game lifted from shelves are the nation’s sex workers. On its Web site, the Sex Workers Outreach Project USA is asking parents to assist them in calling for a ban of Take-Two Interactive’s controversial game.

Citing a 2001 document from the National Institute on Media and the Family’s David Walsh, SWOP is calling “on all parents and all gamers to boycott Grand Theft Auto.”

The organization quotes various points from Walsh’s paper, including, “Children are more likely to imitate a character with whom they identify with. In violent video games the player is often required to take the point of view of the shooter or perpetrator.”

Source: Gamespot

Apparently, the sex workers of the Sex Workers Outreach Project aren’t too happy about their in-game counterparts being treated violently in the GTA games. They note that the games are a bad influence on children, and might encourage rape and violent behavior towards prostitutes in real life.

SWOP Statement on Grand Theft Auto
The game Grand Theft Auto demonstrates attitudes and behaviors that reflect broader social attitudes toward prostitutes, who are made vulnerable because of their criminal status. Our outrage and disgust at the depictions of prostitutes in games such as GTA renew our call for absolute de-criminalization and repeal of all laws that outlaw the exchange of sex for money in order to end the violence directed at people believed to be prostitutes.

It’s a bit ridiculous if you ask me, are Soldiers going to start suing me because I enjoy blowing them up in Castle Wolfenstein?

Or Special Forces operatives…they will start suing Tom Clancy, omg Rainbow 6, YOU TRAUMATISED ME!?!


01 March 2006 | 7,165 views

Who is Navaho Gunleg?

Following the recent post by backbone, I decided to post a short introduction as well.

Background
I am from The Netherlands, Europe — a country most people probably have heard about. Either because of the legendary HackTic-foundation that later started the ISP XS4ALL and otherwise undoubtedly because of our liberal stance towards soft-drugs and prostitution.

I have always been drawn to computers and remember tinkering with them ever since my parents bought one, a Commodore 64. At that time, we didn’t have that much money to spend so I was forced to write my own programs and games. This experience basically laid the basis for my profession as a programmer, later in life.

As time passed, other computers came into our house-hold, mainly because of my dad’s job. Things started getting really interesting on the PC. MSDOS, PCDOS, various programming languages such as BASIC and Pascal, applications such as DBASE.

In contrast to people who have only experience with graphical user interfaces such as Microsoft’s and Apple’s, because of the experience with the command-line, UNIX-flavoured operating systems don’t scare me.

In the Present
Currently, I am a programmer for a media company. The operating systems I work on are all UNIX-flavours. I can ‘speak’ most relevant (programming) languages available on those machines: C(++), Shell scripting, PHP, Javascript, SQL and HTML to name but a few. I have had the privilege to tinker with J2ME (that’s Java for mobile devices such as phones) as well.

I mainly implement the technology behind web-sites, such as content-management systems and various types of server-to-server communication. Additionally, I write plugins for interactive voice response systems such as Bayonne.

Additionally, I also do system administration on a few of those servers so I have grown quite interested in server security as well.

In my spare time, because I’m cheap, I still write my own software. If I’m out of suggestions, my girlfriend sometimes has a request for something. For the last couple of years I love to make everything web-based. This fuelled my interest in web-based user-interfaces and the technology behind it, databases, scripting and secure communications.

Future
Being a coder, my articles will mainly focus on programming. How to, and how not to, implement stuff safely and securely. Fact is, programs that rely on end-user input are by definition un-safe.

Knowing the business-side of the chain so to speak, I have come to discover that a lot of companies, simply because of the lack of knowledge, money or time, fail to implement online systems securely enough.

Technology is going faster than most people can keep track of it and this has implications that some people might ignore.